CN103761481A - Method and device for automatically processing malicious code sample - Google Patents

Method and device for automatically processing malicious code sample

Info

Publication number
CN103761481A
Authority
CN
China
Prior art keywords
malicious code
code sample
dynamic behaviour
sample
static nature
Prior art date
Legal status
Pending
Application number
CN201410032004.8A
Other languages
Chinese (zh)
Inventor
边亮
于春功
Current Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201410032004.8A
Publication of CN103761481A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

The invention discloses a method and device for automatically processing a malicious code sample. The method includes the steps of obtaining the malicious code sample; extracting static features from the obtained sample; matching the static features of the sample against the known static features in a static feature library; if it cannot be determined from the static feature library that the obtained sample is malicious code, continuing to extract dynamic behaviour features from the sample; matching the dynamic behaviour features of the sample against the known dynamic behaviour features in a dynamic behaviour feature library; and, if it is determined from the dynamic behaviour feature library that the obtained sample is not malicious code, performing false-alarm feedback to indicate that the sample is non-malicious code. Malicious code samples can thus be recognised accurately, and the false alarm rate for malicious code is lowered.

Description

Method and device for automatically processing a malicious code sample
Technical field
The invention belongs to the field of computer technology, and relates in particular to a method and device for automatically processing a malicious code sample.
Background art
Malicious code is also referred to as malware. Malicious code is "a set of instructions running on a computer that makes the system carry out tasks according to the attacker's wishes". By embedding instructions in other code while concealing itself, malicious code destroys the integrity of the data on the infected computer and thereby achieves the aim of running an intrusive program. Types of malicious code include computer viruses (Virus), worms (Worm), Trojan horses (Trojan horse), botnets (Botnet), spyware, backdoors (Backdoor), rootkits, and so on.
Computer malicious code is currently spreading at an alarming rate and poses a serious threat to the security of computer systems. Early anti-virus software used the signature of malicious code, a static feature, to identify and detect malicious code hidden in the system. This had some effect, but it requires the malicious code signature database to be updated in real time and consumes a great deal of system resources. It is especially helpless against newly emerging unknown malicious code. The reasons are that, on the one hand, new malicious code emerges endlessly and, on the other hand, many malicious codes keep deriving new variants.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a method and device for automatically processing a malicious code sample that overcome the above problems or at least partially solve them.
According to one aspect of the present invention, a method for automatically processing a malicious code sample is provided, comprising:
obtaining a malicious code sample;
extracting static features from the obtained malicious code sample;
matching the static features of the malicious code sample against the known static features in a static feature library;
if it cannot be determined from the static feature library that the obtained malicious code sample is malicious code, continuing to extract dynamic behaviour features from the malicious code sample;
matching the dynamic behaviour features of the malicious code sample against the known dynamic behaviour features in a dynamic behaviour feature library;
if it is determined from the dynamic behaviour feature library that the obtained malicious code sample is not malicious code, performing false-alarm feedback to indicate that the malicious code sample is non-malicious code.
Optionally, the method further comprises:
if it is determined from the dynamic behaviour feature library that the obtained malicious code sample is malicious code, marking the malicious code sample as malicious code.
Optionally, after the malicious code sample is marked as malicious code, the method further comprises:
calculating a checksum of the malicious code sample marked as malicious code;
sending the obtained checksum of the malicious code sample to a cloud server, which stores the checksum of the malicious code sample in a classified manner.
Optionally, the static features comprise at least any one of the following: the binary file of the malicious code sample, the function structure of the malicious code sample, at least part of the character strings of the malicious code sample, and the icon corresponding to the malicious code sample;
the step of matching the static features of the malicious code sample against the known static features in the static feature library comprises:
matching the binary file of the malicious code sample against the known malicious code binary files in the static feature library; or
matching the function structure of the malicious code sample against the known malicious code function structures in the static feature library; or
matching at least part of the character strings of the malicious code sample against the known malicious code character strings in the static feature library; or
matching the icon corresponding to the malicious code sample against the known malicious code icons in the static feature library.
Optionally, the dynamic behaviour features of the malicious code sample comprise at least any one of the following: the behaviour features of the malicious code sample under virtual-behaviour heuristic triggering, the network behaviour features of the malicious code sample, and the behaviour features of the malicious code sample when run in a sandbox;
the step of matching the dynamic behaviour features of the malicious code sample against the known dynamic behaviour features in the dynamic behaviour feature library comprises:
matching the behaviour features of the malicious code sample under virtual-behaviour heuristic triggering against the known dynamic behaviour features in the dynamic behaviour feature library; or
matching the network behaviour features of the malicious code sample against the known dynamic behaviour features in the dynamic behaviour feature library; or
matching the behaviour features of the malicious code sample when run in a sandbox against the known dynamic behaviour features in the dynamic behaviour feature library.
According to another aspect of the present invention, a device for automatically processing a malicious code sample is also provided, comprising:
an acquisition module for obtaining a malicious code sample;
a static feature extraction module for extracting static features from the obtained malicious code sample;
a static feature matching module for matching the static features of the malicious code sample against the known static features in a static feature library;
a dynamic behaviour feature extraction module for continuing to extract dynamic behaviour features from the malicious code sample if it cannot be determined from the static feature library that the obtained malicious code sample is malicious code;
a dynamic behaviour feature matching module for matching the dynamic behaviour features of the malicious code sample against the known dynamic behaviour features in a dynamic behaviour feature library;
a false-alarm feedback module for performing false-alarm feedback, to indicate that the malicious code sample is non-malicious code, if it is determined from the dynamic behaviour feature library that the obtained malicious code sample is not malicious code.
Optionally, the device further comprises:
a malicious code marking module for marking the malicious code sample as malicious code if it is determined from the dynamic behaviour feature library that the obtained malicious code sample is malicious code.
Optionally, the device further comprises:
a checksum calculation module for calculating the checksum of the malicious code sample marked as malicious code;
a sending module for sending the obtained checksum of the malicious code sample to a cloud server, which stores the checksum of the malicious code sample in a classified manner.
Optionally, the static features comprise at least any one of the following: the binary file of the malicious code sample, the function structure of the malicious code sample, at least part of the character strings of the malicious code sample, and the icon corresponding to the malicious code sample;
the static feature matching module comprises:
a binary file matching unit for matching the binary file of the malicious code sample against the known malicious code binary files in the static feature library; or
a function structure matching unit for matching the function structure of the malicious code sample against the known malicious code function structures in the static feature library; or
a string matching unit for matching at least part of the character strings of the malicious code sample against the known malicious code character strings in the static feature library; or
an icon matching unit for matching the icon corresponding to the malicious code sample against the known malicious code icons in the static feature library.
Optionally, the dynamic behaviour features of the malicious code sample comprise at least any one of the following: the behaviour features of the malicious code sample under virtual-behaviour heuristic triggering, the network behaviour features of the malicious code sample, and the behaviour features of the malicious code sample when run in a sandbox;
the dynamic behaviour feature matching module comprises:
a virtual behaviour matching unit for matching the behaviour features of the malicious code sample under virtual-behaviour heuristic triggering against the known dynamic behaviour features in the dynamic behaviour feature library; or
a network behaviour matching unit for matching the network behaviour features of the malicious code sample against the known dynamic behaviour features in the dynamic behaviour feature library; or
a sandbox behaviour matching unit for matching the behaviour features of the malicious code sample when run in a sandbox against the known dynamic behaviour features in the dynamic behaviour feature library.
It can be seen from the above technical solution that the embodiments of the invention have the following beneficial effect: it is first identified from the static features of the malicious code sample whether the sample is malicious code; if this cannot be identified from the static features, the sample is identified again from its dynamic behaviour features; and if it is determined from the dynamic behaviour feature library that the obtained malicious code sample is not malicious code, false-alarm feedback is performed to indicate that the malicious code sample is non-malicious code. Accurate identification of the malicious code sample is thereby achieved and the false alarm rate for malicious code is reduced.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art on reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be regarded as limiting the invention. Throughout the drawings, the same reference symbols denote the same parts. In the drawings:
Fig. 1 shows a first flow diagram of the method for automatically processing a malicious code sample according to an embodiment of the invention;
Fig. 2 shows a schematic diagram of the client-server architecture according to an embodiment of the invention;
Fig. 3 shows a second flow diagram of the method for automatically processing a malicious code sample according to an embodiment of the invention;
Fig. 4 shows a first schematic diagram of the device for automatically processing a malicious code sample according to an embodiment of the invention;
Fig. 5 shows a second schematic diagram of the device for automatically processing a malicious code sample according to an embodiment of the invention; and
Fig. 6 shows a schematic diagram of the automatic processing of a malicious code sample according to an embodiment of the invention.
Detailed description of the embodiments
Exemplary embodiments of the present disclosure are described below in more detail with reference to the drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and its scope fully conveyed to those skilled in the art.
As shown in Figure 1, which is a first flow diagram of the method for automatically processing a malicious code sample according to an embodiment of the invention, the method 100 for automatically processing a malicious code sample comprises:
Step S101: obtaining a malicious code sample.
The above malicious code sample refers to the file entity in which malicious code is stored. It may be a standalone malicious code carrier file, a file object infected by file-infecting malicious code, or a file image of non-file-carrier malicious code (including but not limited to the file image of a boot virus, the file image of in-memory malicious code, and the packet file of network malicious code). In an embodiment of the invention, the malicious code sample may be a portion of code extracted by an analyst from the software to be detected and taken as the object of malicious code identification; the subsequent steps S103 to S111 then determine whether a malicious code false alarm exists.
In an embodiment of the invention, malicious code samples can be obtained through a client-server architecture. As shown in Figure 2, a large number of client computers 202 collect the behaviours of various programs (a single behaviour, or a combination of a group of behaviours), in particular the behaviours of suspicious programs, and associate each program behaviour with the feature of that program; the database 204 on the server side records the feature of a program and its corresponding behaviour records. In this way the server side can, according to a program's behaviour or feature, or the behaviours and features of a batch of programs, gather and analyse suspicious programs in the database as malicious code samples, which helps to classify software or programs as black or white. Furthermore, corresponding removal or recovery measures can be formulated for the malware on the blacklist.
The above program behaviours may be, for example, a driver loading behaviour, a file generation behaviour, the loading behaviour of a process, the behaviour of adding a system start-up item, the modification behaviour of a file or program, and so on, or a combination of a series of behaviours.
The above program feature may be an MD5 identification code produced by an MD5 (Message-Digest Algorithm 5) computation, a SHA1 code, a CRC (Cyclic Redundancy Check) code, or another signature code that can uniquely identify the original program.
After a feature is extracted in the present invention, its record can be added to the database. Because the database records the program feature and the behaviour records corresponding to that feature, unknown programs can be analysed in conjunction with the known black/white lists.
For example, if the feature of an unknown program is identical to a known program feature in the existing black/white list, the feature of the unknown program and its program behaviour are both added to the black/white list. If the behaviour of an unknown program is identical or similar to a known program behaviour in the existing black/white list, the behaviour of the unknown program and its program feature are both added to the black/white list.
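The Figure 2 scheme and the two black/white-list rules above, as an added example that is not the patent's own code: clients report a program feature (MD5/SHA1/CRC) with observed behaviours, and the server database extends existing verdicts to unknown programs by identical feature or by identical/approximate behaviour. The Jaccard similarity threshold, the behaviour names and the sample bytes are constructed assumptions.

```python
"""Added example, not the patent's own code: the Figure 2 client-server scheme.
Clients report a program's feature (MD5/SHA1/CRC) with its behaviours; the server's
database keeps black/white verdicts and extends them to unknown programs by identical
feature or by identical/approximate behaviour.  The similarity threshold, the behaviour
names and the sample bytes are constructed assumptions."""
import hashlib
import zlib
from dataclasses import dataclass
from typing import Optional

def program_feature(data: bytes) -> dict:
    """Feature codes that uniquely identify the original program, as listed on the page."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"}

@dataclass
class Record:
    feature: dict
    behaviours: frozenset
    verdict: Optional[str] = None      # "black", "white" or None (not yet listed)

class BehaviourDatabase:
    """Database 204: program feature -> behaviour records and black/white verdicts."""
    SIMILARITY = 0.75   # assumption: Jaccard overlap at or above this counts as 'approximate'

    def __init__(self):
        self.records = {}               # md5 -> Record

    def add(self, data: bytes, behaviours, verdict: Optional[str] = None) -> Record:
        rec = Record(program_feature(data), frozenset(behaviours), verdict)
        self.records[rec.feature["md5"]] = rec
        return rec

    def classify(self, data: bytes, behaviours):
        """Apply the two rules from the page to an unknown program."""
        feat, beh = program_feature(data), frozenset(behaviours)
        # Rule 1: identical feature to a listed program -> same list.
        known = self.records.get(feat["md5"])
        if known and known.verdict:
            return known.verdict, "feature-identical"
        # Rule 2: identical or approximate behaviour to a listed program -> same list.
        best = None
        for rec in self.records.values():
            if not rec.verdict or not rec.behaviours:
                continue
            jaccard = len(beh & rec.behaviours) / len(beh | rec.behaviours)
            if jaccard >= self.SIMILARITY and (best is None or jaccard > best[0]):
                best = (jaccard, rec.verdict)
        if best:
            return best[1], "behaviour-similar"
        return None, "unknown"

    def learn(self, data: bytes, behaviours):
        """Classify and, when a verdict is found, list both the feature and the behaviours."""
        verdict, reason = self.classify(data, behaviours)
        if verdict:
            self.add(data, behaviours, verdict)
        return verdict, reason

# Constructed telemetry (behaviour names follow the page's examples).
BLACK_BYTES = b"MZ\x90\x00 constructed known-black program"
WHITE_BYTES = b"MZ\x90\x00 constructed known-white program"
VARIANT_BYTES = b"MZ\x90\x00 constructed unknown variant"
BLACK_BEHAVIOURS = {"driver_load", "add_startup_item", "modify_program_file"}
WHITE_BEHAVIOURS = {"file_generate"}
VARIANT_BEHAVIOURS = BLACK_BEHAVIOURS | {"file_generate"}   # 3 of 4 behaviours shared: Jaccard 0.75

def build_database() -> BehaviourDatabase:
    db = BehaviourDatabase()
    db.add(BLACK_BYTES, BLACK_BEHAVIOURS, "black")
    db.add(WHITE_BYTES, WHITE_BEHAVIOURS, "white")
    return db

if __name__ == "__main__":
    db = build_database()
    print(db.learn(VARIANT_BYTES, VARIANT_BEHAVIOURS))      # ('black', 'behaviour-similar')
    print(db.classify(VARIANT_BYTES, set()))                 # ('black', 'feature-identical')
```

Once the variant has been listed by behaviour, a later report of the same bytes is resolved by rule 1 alone, without any behaviour comparison.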
Step S103: extracting static features from the obtained malicious code sample.
Specifically, the malicious code sample is analysed to extract useful information and generate static features. Optionally, the malicious code sample is first unpacked or dumped, and then analysed to extract useful information and generate static features, so as to avoid interference from the packer or wrapper when matching the malicious code sample.
In an embodiment of the invention, the static features comprise at least any one of the following: the binary file of the malicious code sample, the function structure of the malicious code sample, at least part of the character strings of the malicious code sample, and the icon corresponding to the malicious code sample.
Step S105: matching the static features of the malicious code sample against the known static features in the static feature library.
Specifically, the static features of the malicious code sample are matched against the known static features in the static feature library by means of pattern matching.
Optionally, in an embodiment of the invention, step S105 comprises:
Step S1051: matching the binary file of the malicious code sample against the known malicious code binary files in the static feature library; or
Step S1053: matching the function structure of the malicious code sample against the known malicious code function structures in the static feature library; or
Step S1055: matching at least part of the character strings of the malicious code sample against the known malicious code character strings in the static feature library; or
Step S1057: matching the icon corresponding to the malicious code sample against the known malicious code icons in the static feature library.
Step S107: if it cannot be determined from the static feature library that the obtained malicious code sample is malicious code, continuing to extract dynamic behaviour features from the malicious code sample.
Specifically, the malicious code sample is analysed to extract useful information and generate dynamic behaviour features.
In an embodiment of the invention, the dynamic behaviour features of the malicious code sample comprise at least any one of the following: the behaviour features of the malicious code sample under virtual-behaviour heuristic triggering, the network behaviour features of the malicious code sample, and the behaviour features of the malicious code sample when run in a sandbox.
In an embodiment of the invention, the dynamic behaviour features of malicious code correspond to the API function call features of the malicious code. The operation of software essentially uses the various API functions provided by the operating system to realise the program's intended functions, for example allocating, reading, writing, clearing and moving data in operating system memory through API calls, or connecting to a remote server and listening for network traffic on a certain port through API calls. Since the overall API function calls of polymorphic and variant malicious code at run time are similar, once the dynamic behaviour features of malicious code have been extracted they can be used to detect other similar unknown and variant malicious code.
In an embodiment of the invention, API call behaviour can be obtained by tracing program behaviour, for example with hooks, the SSDT table, the Debug API, or the WDK platform provided by Microsoft.
Step S109: matching the dynamic behaviour features of the malicious code sample against the known dynamic behaviour features in the dynamic behaviour feature library.
Specifically, the dynamic behaviour features of the malicious code sample are matched against the known dynamic behaviour features in the dynamic behaviour feature library by means of pattern matching.
Optionally, step S109 comprises:
Step S1091: matching the behaviour features of the malicious code sample under virtual-behaviour heuristic triggering against the known dynamic behaviour features in the dynamic behaviour feature library; or
Step S1093: matching the network behaviour features of the malicious code sample against the known dynamic behaviour features in the dynamic behaviour feature library; or
Step S1095: matching the behaviour features of the malicious code sample when run in a sandbox against the known dynamic behaviour features in the dynamic behaviour feature library.
A heuristic detection tool is a dynamic, high-level or purpose-built decompiler; by decompiling the associated instruction sequences it determines the real intent hidden behind them. Heuristic detection techniques created so far include static heuristic detection, dynamic heuristic detection and neural-network-based heuristic detection.
A sandbox can simulate the real environment in which code runs and, with a corresponding security mechanism, isolate the security problems brought about by running malicious code. Using sandbox technology, code analysts can evaluate malicious code. A virtual machine is a typical sandbox: it emulates a physical host in software, and this host starts and runs just like a real machine. Common virtual machines include VMware.
Step S111: if it is determined from the dynamic behaviour feature library that the obtained malicious code sample is not malicious code, performing false-alarm feedback to indicate that the malicious code sample is non-malicious code.
If it is determined from the dynamic behaviour feature library that the obtained malicious code sample is malicious code, then once the malicious code has been obtained, malicious programs that similarly contain this malicious code feature can subsequently be detected by a virus engine, which may be the cloud scanning engine for PE (Portable Executable) files and/or the QVM (Qihoo Virtual Machine, artificial intelligence engine) engine.
In an embodiment of the invention, it is first identified from the static features of the malicious code sample whether the sample is malicious code; if this cannot be identified from the static features, the sample is identified again from its dynamic behaviour features; and if it is determined from the dynamic behaviour feature library that the obtained malicious code sample is not malicious code, false-alarm feedback is performed to indicate that the malicious code sample is non-malicious code. Accurate identification of the malicious code sample is thereby achieved and the false alarm rate for malicious code is reduced.
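The two-stage pipeline of steps S103 to S111 (steps S303 to S311 of method 300 are the same), as an added example that is not the patent's own code: static features are matched first, the sample is only run in a sandbox when static matching cannot decide, and a sample that matches neither library is reported back as a false alarm. The feature encodings (function structure as an ordered list of imported function names, strings as printable runs, icon as a hash of the resource bytes), the libraries, the samples and the sandbox traces are all constructed assumptions.

```python
"""Added example, not the patent's own code: the two-stage pipeline of method 100
(S103..S111; S303..S311 are the same steps).  Static features are matched first;
only when they cannot decide is the sample run and its dynamic behaviour matched;
a sample matching nothing is reported back as a false alarm.  All samples, library
entries and sandbox traces are constructed, and the feature encodings are assumptions."""
import hashlib
import re
from dataclasses import dataclass, field

@dataclass(frozen=True)
class StaticFeatures:
    binary_md5: str
    function_structure: tuple   # assumed encoding: ordered imported-function names
    strings: frozenset          # printable strings found in the binary
    icon_md5: str               # hash of the icon resource bytes

@dataclass(frozen=True)
class DynamicFeatures:
    api_calls: tuple            # API names in the order the sandbox observed them
    network: frozenset          # e.g. "connect:203.0.113.5:4444" (RFC 5737 test address)

@dataclass
class StaticLibrary:            # static feature library, one set per rule S1051..S1057
    binaries: set = field(default_factory=set)
    structures: set = field(default_factory=set)
    strings: set = field(default_factory=set)
    icons: set = field(default_factory=set)

@dataclass
class DynamicLibrary:           # dynamic behaviour feature library, S1091..S1095
    api_patterns: set = field(default_factory=set)   # tuples matched as subsequences
    network: set = field(default_factory=set)

def extract_static(binary: bytes, imports, icon: bytes) -> StaticFeatures:
    """S103: strings are runs of 6+ printable non-space bytes (a simplification)."""
    strings = frozenset(m.decode() for m in re.findall(rb"[!-~]{6,}", binary))
    return StaticFeatures(hashlib.md5(binary).hexdigest(), tuple(imports),
                          strings, hashlib.md5(icon).hexdigest())

def extract_dynamic(trace) -> DynamicFeatures:
    """S107: trace is a list of (api_name, argument) events recorded in the sandbox."""
    calls = tuple(api for api, _ in trace)
    net = frozenset(f"{api}:{arg}" for api, arg in trace if api in ("connect", "listen"))
    return DynamicFeatures(calls, net)

def is_subsequence(pattern, seq) -> bool:
    """Pattern match for API sequences: pattern elements appear in order, gaps allowed."""
    it = iter(seq)
    return all(any(p == s for s in it) for p in pattern)

def match_static(f: StaticFeatures, lib: StaticLibrary):
    if f.binary_md5 in lib.binaries:
        return "static:binary"
    if f.function_structure in lib.structures:
        return "static:function-structure"
    if f.strings & lib.strings:              # "at least part of" the strings
        return "static:string"
    if f.icon_md5 in lib.icons:
        return "static:icon"
    return None

def match_dynamic(f: DynamicFeatures, lib: DynamicLibrary):
    for pat in lib.api_patterns:
        if is_subsequence(pat, f.api_calls):
            return "dynamic:api-sequence"
    if f.network & lib.network:
        return "dynamic:network"
    return None

FALSE_ALARM_FEEDBACK = []   # S111: MD5s fed back so the sample is treated as non-malicious

def process_sample(binary, imports, icon, run_in_sandbox, slib, dlib):
    """Returns (verdict, reason); run_in_sandbox is only called when static matching cannot decide."""
    reason = match_static(extract_static(binary, imports, icon), slib)
    if reason:
        return "malicious", reason
    reason = match_dynamic(extract_dynamic(run_in_sandbox()), dlib)
    if reason:
        return "malicious", reason
    FALSE_ALARM_FEEDBACK.append(hashlib.md5(binary).hexdigest())
    return "non-malicious", "false-alarm-feedback"

# ---- constructed libraries and samples ----
KNOWN_BAD = b"MZ\x90\x00 constructed known-bad binary EvilDropperMarker"
ICON_A = b"constructed icon resource A"
SLIB = StaticLibrary(binaries={hashlib.md5(KNOWN_BAD).hexdigest()},
                     structures={("CreateFileW", "WriteFile", "WinExec")},
                     strings={"EvilDropperMarker"},
                     icons={hashlib.md5(ICON_A).hexdigest()})
DLIB = DynamicLibrary(api_patterns={("CreateFileW", "WriteFile", "RegSetValueExW")},
                      network={"connect:203.0.113.5:4444"})
REPACKED = b"MZ\x90\x00 constructed repack EvilDropperMarker"        # only a string survives
VARIANT = b"MZ\x90\x00 constructed variant with no known static feature"
BENIGN = b"MZ\x90\x00 constructed benign tool"

def variant_sandbox():   # constructed trace: drops a file, sets a Run key, connects out
    return [("CreateFileW", "x.exe"), ("WriteFile", "x.exe"),
            ("RegSetValueExW", "Run"), ("connect", "203.0.113.5:4444")]

def benign_sandbox():    # constructed trace: reads a file and exits
    return [("CreateFileW", "notes.txt"), ("ReadFile", "notes.txt"), ("CloseHandle", "")]
```

Calling `process_sample` on KNOWN_BAD, REPACKED, VARIANT and BENIGN in turn exercises the binary-hash rule, the string rule, the dynamic API-sequence rule and the false-alarm feedback respectively.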
Fig. 3 shows according to two of the process flow diagram of the automatic method of processing of malicious code sample in embodiments of the invention, and the method 300 that this malicious code sample is processed automatically, comprises
Step S301, obtain malicious code sample;
Above-mentioned malicious code sample refers to the document entity form of depositing malicious code, it can be malicious code carrier file independently, the metainfective file object of infected type malicious code can be also the file mirror image (including but not limited to file mirror image, the file mirror image of internal memory malicious code and the packet file of network malicious code of boot viruses) of non-document carrier malicious code.In an embodiment of the present invention, this malicious code sample can be the partial code being extracted from software to be detected by analyst, and sets it as the object of malicious code identification.
Step S303, from the malicious code sample obtaining, extract static nature.
Particularly, by being analyzed, malicious code sample extracts effective information generation static nature.Alternatively, malicious code sample is shelled or drawn off after (dump), then malicious code sample is analyzed and extracted effective information generation static nature, to avoid shell or the interference of bag to malicious code sample coupling.
In an embodiment of the present invention, static nature at least comprises with lower any one: at least part of character string of the binary file of malicious code sample, the function structure of malicious code sample, malicious code sample and icon corresponding to malicious code sample.
Step S305, the static nature of malicious code sample is mated with the known quiescent state feature in static nature storehouse;
Particularly, by the mode of pattern match, the static nature of malicious code sample is mated with the known quiescent state feature in static nature storehouse.
Alternatively, in an embodiment of the present invention, step S305 comprises:
Step S3051, the binary file of malicious code sample is mated with the known malicious code binary file in static nature storehouse; Or
Step S3053, the function structure of malicious code sample is mated with the known malicious code function structure in static nature storehouse; Or
Step S3055, at least part of character string of malicious code sample is mated with the known malicious code character string in static nature storehouse; Or
Step S3057, icon corresponding malicious code sample is mated with the known malicious code icon in static nature storehouse.
If step S307 cannot judge that according to static nature storehouse the malicious code sample obtaining is malicious code, continue to extract dynamic behaviour feature from malicious code sample;
Particularly, by being analyzed, malicious code sample extracts effective information generation dynamic behaviour feature.
In an embodiment of the present invention, the dynamic behaviour feature of malicious code sample at least comprises with lower any one: behavioural characteristic during the moving in sandbox of behavioural characteristic when the virtual behavior of described malicious code sample inspires, the network behavior feature of described malicious code sample and described malicious code sample.
The api function that the dynamic behaviour feature of malicious code is equivalent to malicious code in an embodiment of the present invention calls feature, the operation of software utilizes the various api functions that operating system provides to realize the set function of program substantially, for example by API Calls to the data allocations in operating system memory, read-write, clear, mobile etc.; By API Calls and remote server, connect, monitor the network information of certain port etc.And the api function of polymorphic and mutation malicious code entirety when operation to call be similarly, therefore extract after the dynamic behaviour feature of malicious code, just can be for detection of other similar the unknowns and mutation malicious code.
In an embodiment of the present invention, can by the behavior of trace routine, for example, with Hook, SSDT, show, DebugAPI, or the platform WDK providing with Microsoft obtains API Calls behavior.
Step S309: match the dynamic behaviour features of the malicious code sample against the known dynamic behaviour features in the dynamic behaviour feature database;
Specifically, the dynamic behaviour features of the malicious code sample are matched against the known dynamic behaviour features in the dynamic behaviour feature database by means of pattern matching.
Optionally, step S309 comprises:
Step S3091: match the behavioural features obtained when the virtual behaviour of the malicious code sample is heuristically triggered against the known dynamic behaviour features in the dynamic behaviour feature database; or
Step S3093: match the network behaviour features of the malicious code sample against the known dynamic behaviour features in the dynamic behaviour feature database; or
Step S3095: match the behavioural features of the malicious code sample when it runs in a sandbox against the known dynamic behaviour features in the dynamic behaviour feature database.
A heuristic detection tool is a dynamic analyser or decompiler implemented in a particular way; by decompiling the relevant instruction sequences it determines the real intent hidden behind them. The heuristic detection techniques that have been developed include static heuristic detection, dynamic heuristic detection, and heuristic detection based on neural networks.
A sandbox can simulate the real environment in which code runs, and uses a corresponding security mechanism to isolate the security problems that running malicious code would bring. With sandbox technology, code analysts can evaluate malicious code. A virtual machine is a typical sandbox: it emulates a physical host in software, and that host starts up and runs just as a real machine does. VMware is a common virtual machine.
Step S311: if, according to the dynamic behaviour feature database, the obtained malicious code sample is judged not to be malicious code, issue false-positive feedback indicating that the malicious code sample is non-malicious code.
Step S313: calculate the check value of the malicious code sample that has been marked as malicious code.
Specifically, the check value can be calculated as follows: a hash algorithm is used to compute the MD5 value of the malicious code sample, although the check value is of course not limited to this.
Step S315: send the check value of the obtained malicious code sample to a cloud server, and have the cloud server classify and store the check value of the malicious code sample.
Specifically, by sending the check value of the malicious code sample to the cloud server, the sample can be classified and stored according to its MD5 value.
Optionally, in an embodiment of the present invention, if the obtained malicious code sample is judged to be malicious code according to the dynamic behaviour feature database, the malicious code sample is marked as malicious code.
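The two-stage triage of steps S301 to S315, written out as an added example in Python (not code from the patent or from the applicant). The static and dynamic feature libraries, the API trace, the network events and the sample bytes are all constructed for the demonstration, the dynamic stage runs when the static library cannot settle the verdict (the condition as worded in claim 1), and a dictionary stands in for the cloud server.

```python
import hashlib
import re

MALICIOUS, UNKNOWN = "malicious", "unknown"

# Static feature database (constructed): known sample hashes, known malicious
# strings and known malicious icon hashes. Every entry here is made up.
STATIC_DB = {
    "md5": {hashlib.md5(b"constructed known sample").hexdigest()},
    "strings": {"qqpass_stealer", "http://c2.example.invalid/upload"},
    "icon_md5": {hashlib.md5(b"constructed stolen icon").hexdigest()},
}

# Dynamic behaviour database (constructed): each API rule is an ordered tuple
# of calls that must appear as a subsequence of the trace; each network rule
# is a (destination port, payload prefix) pair.
DYNAMIC_DB = {
    "api_rules": {
        "hook_and_exfiltrate": ("SetWindowsHookExA", "connect", "send"),
        "drop_and_execute": ("CreateFileA", "WriteFile", "CreateProcessA"),
    },
    "net_rules": {
        "plain_http_upload": (80, b"POST /upload"),
    },
}


def extract_static(sample: bytes, icon: bytes = b"") -> dict:
    """Step S303: static features of an (already unpacked) sample."""
    strings = {m.decode() for m in re.findall(rb"[\x20-\x7e]{4,}", sample)}
    return {
        "md5": hashlib.md5(sample).hexdigest(),
        "strings": strings,
        "icon_md5": hashlib.md5(icon).hexdigest() if icon else None,
    }


def match_static(feat: dict, db: dict = STATIC_DB) -> list:
    """Step S305: names of the static features that hit the library."""
    hits = []
    if feat["md5"] in db["md5"]:
        hits.append("binary:" + feat["md5"])
    hits += ["string:" + s for s in sorted(db["strings"])
             if any(s in found for found in feat["strings"])]
    if feat["icon_md5"] in db["icon_md5"]:
        hits.append("icon:" + feat["icon_md5"])
    return hits


def is_subsequence(pattern: tuple, trace: list) -> bool:
    """True if every API in `pattern` occurs in `trace` in that order."""
    it = iter(trace)          # `api in it` consumes the iterator up to the match
    return all(api in it for api in pattern)


def match_dynamic(api_trace: list, net_events: list, db: dict = DYNAMIC_DB) -> list:
    """Step S309: pattern-match the API call sequence and the network events."""
    hits = [name for name, pat in db["api_rules"].items()
            if is_subsequence(pat, api_trace)]
    for name, (port, prefix) in db["net_rules"].items():
        if any(p == port and data.startswith(prefix) for p, data in net_events):
            hits.append(name)
    return hits


def process_sample(sample: bytes, icon: bytes, api_trace: list,
                   net_events: list, cloud: dict) -> dict:
    """Steps S301 to S315 for one sample; `cloud` stands in for the cloud server."""
    report = {"label": UNKNOWN, "static_hits": [], "dynamic_hits": [],
              "false_positive": False}
    report["static_hits"] = match_static(extract_static(sample, icon))
    if report["static_hits"]:                 # static library settles it
        report["label"] = MALICIOUS
    else:                                     # S307: fall through to behaviour
        report["dynamic_hits"] = match_dynamic(api_trace, net_events)
        if report["dynamic_hits"]:
            report["label"] = MALICIOUS
        else:                                 # S311: nothing matched at all
            report["false_positive"] = True
    if report["label"] == MALICIOUS:          # S313/S315: check value to the cloud
        md5 = hashlib.md5(sample).hexdigest()
        # classify by the first byte of the MD5 so the store is bucketed
        cloud.setdefault(md5[:2], {})[md5] = report["static_hits"] + report["dynamic_hits"]
        report["check_value"] = md5
    return report


if __name__ == "__main__":
    cloud = {}
    # Constructed sample: no library hash, string or icon hit, but its trace does.
    sample = b"MZ\x90\x00harmless looking text" + bytes(range(256))
    trace = ["LoadLibraryA", "SetWindowsHookExA", "socket", "connect", "send"]
    print(process_sample(sample, b"", trace, [], cloud))
    print(cloud)
```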
As shown in Figure 4, which is a first schematic diagram of a device for automatically processing malicious code samples in an embodiment of the present invention, the device 400 for automatically processing malicious code samples comprises:
Acquisition module 401, for obtaining a malicious code sample. A malicious code sample is the file entity in which malicious code is stored; it can be an independent malicious code carrier file, a file object infected by file-infecting malicious code, or a file image of malicious code that has no file carrier (including but not limited to the file image of a boot virus, the file image of in-memory malicious code, and the packet file of network malicious code). In an embodiment of the present invention, the malicious code sample can be a portion of code extracted by an analyst from the software under examination and taken as the object of malicious code identification.
Static feature extraction module 403, for extracting static features from the obtained malicious code sample. Specifically, the malicious code sample is analysed to extract useful information and generate the static features. Optionally, the malicious code sample is first unpacked or dumped and only then analysed, so that packers and wrappers do not interfere with matching of the sample. In an embodiment of the present invention, the static features comprise at least one of the following: the binary file of the malicious code sample, the function structure of the malicious code sample, at least part of the strings of the malicious code sample, and the icon corresponding to the malicious code sample.
Static feature matching module 405, for matching the static features of the malicious code sample against the known static features in the static feature database.
Dynamic behaviour feature extraction module 407, for continuing to extract dynamic behaviour features from the malicious code sample if the obtained malicious code sample is judged to be malicious code according to the static feature database. In an embodiment of the present invention, the dynamic behaviour features of the malicious code sample comprise at least one of the following: the behavioural features obtained when the virtual behaviour of the malicious code sample is heuristically triggered, the network behaviour features of the malicious code sample, and the behavioural features of the malicious code sample when it runs in a sandbox.
Dynamic behaviour feature matching module 409, for matching the dynamic behaviour features of the malicious code sample against the known dynamic behaviour features in the dynamic behaviour feature database;
False-positive feedback module 411, for issuing false-positive feedback indicating that the malicious code sample is non-malicious code if the obtained malicious code sample is judged not to be malicious code according to the dynamic behaviour feature database.
Optionally, in an embodiment of the present invention, static feature matching module 405 comprises:
Binary file matching unit, for matching the binary file of the malicious code sample against the known malicious code binary files in the static feature database; or
Function structure matching unit, for matching the function structure of the malicious code sample against the known malicious code function structures in the static feature database; or
String matching unit, for matching at least part of the strings of the malicious code sample against the known malicious code strings in the static feature database; or
Icon matching unit, for matching the icon corresponding to the malicious code sample against the known malicious code icons in the static feature database.
Optionally, in an embodiment of the present invention, dynamic behaviour feature matching module 409 comprises:
Virtual behaviour matching unit, for matching the behavioural features obtained when the virtual behaviour of the malicious code sample is heuristically triggered against the known dynamic behaviour features in the dynamic behaviour feature database; or
Network behaviour matching unit, for matching the network behaviour features of the malicious code sample against the known dynamic behaviour features in the dynamic behaviour feature database; or
Sandbox behaviour matching unit, for matching the behavioural features of the malicious code sample when it runs in a sandbox against the known dynamic behaviour features in the dynamic behaviour feature database.
As shown in Figure 5, which is a second schematic diagram of a device for automatically processing malicious code samples in an embodiment of the present invention, the device 400 in Fig. 5 differs from the device 400 shown in Fig. 4 in that it further comprises:
Check value computing module 413, for calculating the check value of the malicious code sample that has been marked as malicious code;
Sending module 415, for sending the check value of the obtained malicious code sample to a cloud server, which classifies and stores the check value of the malicious code sample.
Optionally, in an embodiment of the present invention, device 400 further comprises:
Malicious code identification module, for marking the malicious code sample as malicious code if the obtained malicious code sample is judged to be malicious code according to the dynamic behaviour feature database.
As shown in Figure 6, a schematic diagram of the automatic processing of a malicious code sample in an embodiment of the present invention: a virus sample of Trojan.QQPass.a is obtained; features are extracted from the sample, it is classified, and it enters the QVM (Qihoo Virtual Machine, an artificial intelligence engine) training set; newly collected samples are then processed automatically by a robot according to the rules of each analysis module. Here, extracting features from the sample, classifying it and entering it into the QVM training set means: the unknown program is fed into one or more generated training models and their corresponding decision machines and judged; according to the weights set in advance for each feature class in each training model, the judgement results that each training model and its decision machine produce for the unknown program are weighted; and outputting the recognition result for the unknown program specifically means outputting that result according to the outcome of the weighted calculation. Each program file is analysed and predefined features are extracted from it; feature vectors are generated from the extracted features, together with the black/white (malicious/benign) attribute of each feature vector.
Specifically, in an embodiment of the present invention the analysis modules comprise:
Binary file matching unit, for matching the binary file of the malicious code sample against the known malicious code binary files in the static feature database. Optionally, the malicious code sample is first unpacked or dumped and then analysed to extract useful information and generate its binary file, so that packers and wrappers do not interfere with matching of the sample.
Function structure matching unit, for matching the function structure of the malicious code sample against the known malicious code function structures in the static feature database. Optionally, the malicious code sample is first unpacked or dumped and then analysed to extract useful information and generate its function structure, so that packers and wrappers do not interfere with matching of the sample.
String matching unit, for matching at least part of the strings of the malicious code sample against the known malicious code strings in the static feature database. Optionally, the malicious code sample is first unpacked or dumped and then analysed to extract useful information and generate its strings, so that packers and wrappers do not interfere with matching of the sample.
Virtual behaviour matching unit, for matching the behavioural features obtained when the virtual behaviour of the malicious code sample is heuristically triggered against the known dynamic behaviour features in the dynamic behaviour feature database. Specifically, the malicious code sample is executed in simulation and its behaviour is analysed to see whether it matches a malicious code rule.
Network behaviour matching unit, for matching the network behaviour features of the malicious code sample against the known dynamic behaviour features in the dynamic behaviour feature database. Specifically, the sample is executed in simulation or in a virtual machine and its network packets are matched against packet rules.
Sandbox behaviour matching unit, for matching the behavioural features of the malicious code sample when it runs in a sandbox against the known dynamic behaviour features in the dynamic behaviour feature database. Specifically, the malicious code sample is automatically placed into VMware or a Sandbox for execution, and it is observed whether the sample triggers a malicious code rule.
Background feature matching unit, for matching the background behavioural features of the malicious code sample during virtual execution against the known dynamic behaviour features in the dynamic behaviour feature database. For example, the background behaviour can be a background update behaviour.
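The weighted decision over several training models described for Figure 6, as an added example in Python (not the patent's or QVM's code). It assumes one training model per feature class, a nearest-centroid decision machine per model, and a constructed labelled training set; the feature names, the weights and the training vectors are all made up for the demonstration.

```python
import math

BLACK, WHITE = "black", "white"   # malicious / benign attribute of a feature vector

# Feature classes (hypothetical names); each training model covers one class.
FEATURE_CLASSES = {
    "imports":  ["n_net_imports", "n_hook_imports"],
    "sections": ["max_section_entropy", "n_writable_exec_sections"],
}
# Weight set in advance for each model's feature class.
WEIGHTS = {"imports": 0.6, "sections": 0.4}

# Constructed training set: (feature vector, black/white attribute).
TRAINING = [
    ({"n_net_imports": 3, "n_hook_imports": 2, "max_section_entropy": 7.8, "n_writable_exec_sections": 1}, BLACK),
    ({"n_net_imports": 2, "n_hook_imports": 1, "max_section_entropy": 7.5, "n_writable_exec_sections": 1}, BLACK),
    ({"n_net_imports": 1, "n_hook_imports": 0, "max_section_entropy": 6.0, "n_writable_exec_sections": 0}, WHITE),
    ({"n_net_imports": 0, "n_hook_imports": 0, "max_section_entropy": 5.5, "n_writable_exec_sections": 0}, WHITE),
]


def extract_features(imports: list, sections: list) -> dict:
    """Predefined features from an analysed program file. Constructed input
    format: `imports` is a list of imported API names, `sections` a list of
    (entropy, writable, executable) tuples."""
    net = {"connect", "send", "recv", "InternetOpenA"}
    hook = {"SetWindowsHookExA", "GetAsyncKeyState"}
    return {
        "n_net_imports": sum(i in net for i in imports),
        "n_hook_imports": sum(i in hook for i in imports),
        "max_section_entropy": max((e for e, _, _ in sections), default=0.0),
        "n_writable_exec_sections": sum(bool(w and x) for _, w, x in sections),
    }


def train(vectors: list) -> dict:
    """One nearest-centroid model per feature class: the black and white
    centroids in that class's feature subspace."""
    models = {}
    for cls, keys in FEATURE_CLASSES.items():
        cent = {}
        for label in (BLACK, WHITE):
            rows = [[v[k] for k in keys] for v, lab in vectors if lab == label]
            cent[label] = [sum(col) / len(rows) for col in zip(*rows)]
        models[cls] = cent
    return models


def decide(centroids: dict, keys: list, vec: dict) -> float:
    """Decision machine of one model: a score in [-1, 1], positive = black."""
    x = [vec[k] for k in keys]
    d = {label: math.dist(x, c) for label, c in centroids.items()}
    total = d[BLACK] + d[WHITE]
    return 0.0 if total == 0 else (d[WHITE] - d[BLACK]) / total


def recognise(models: dict, vec: dict, weights: dict = WEIGHTS):
    """Weight each model's judgement by its feature-class weight and output
    the recognition result from the weighted sum."""
    score = sum(weights[cls] * decide(models[cls], FEATURE_CLASSES[cls], vec)
                for cls in models)
    return (BLACK if score > 0 else WHITE), score


MODELS = train(TRAINING)

if __name__ == "__main__":
    unknown = extract_features(
        ["connect", "send", "SetWindowsHookExA", "GetAsyncKeyState"],
        [(7.9, True, True)])
    print(recognise(MODELS, unknown))
```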
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used together with the teaching herein. From the description above, the structure required to construct such systems is apparent. Furthermore, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the present invention described herein, and that the above description of specific languages is intended to disclose the preferred embodiments of the present invention.
In the description provided herein, a large number of specific details are set forth. It will be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, any combination may be used to combine all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that, although some embodiments described herein include certain features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of a device according to an embodiment of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and computer program product) for carrying out part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third, and so on does not indicate any order; these words may be interpreted as names.

Claims (10)

1. A method for automatically processing a malicious code sample, comprising:
obtaining a malicious code sample;
extracting static features from the obtained malicious code sample;
matching the static features of the malicious code sample against the known static features in a static feature database;
if it cannot be judged according to the static feature database that the obtained malicious code sample is malicious code, continuing to extract dynamic behaviour features from the malicious code sample;
matching the dynamic behaviour features of the malicious code sample against the known dynamic behaviour features in a dynamic behaviour feature database;
if the obtained malicious code sample is judged not to be malicious code according to the dynamic behaviour feature database, issuing false-positive feedback indicating that the malicious code sample is non-malicious code.
2. The method according to claim 1, further comprising:
if the obtained malicious code sample is judged to be malicious code according to the dynamic behaviour feature database, marking the malicious code sample as malicious code.
3. The method according to claim 2, wherein, after the malicious code sample is marked as malicious code, the method further comprises:
calculating the check value of the malicious code sample marked as malicious code;
sending the check value of the obtained malicious code sample to a cloud server, the cloud server classifying and storing the check value of the malicious code sample.
4. The method according to claim 1, wherein the static features comprise at least one of the following: the binary file of the malicious code sample, the function structure of the malicious code sample, at least part of the strings of the malicious code sample, and the icon corresponding to the malicious code sample;
and the step of matching the static features of the malicious code sample against the known static features in the static feature database comprises:
matching the binary file of the malicious code sample against the known malicious code binary files in the static feature database; or
matching the function structure of the malicious code sample against the known malicious code function structures in the static feature database; or
matching at least part of the strings of the malicious code sample against the known malicious code strings in the static feature database; or
matching the icon corresponding to the malicious code sample against the known malicious code icons in the static feature database.
5. The method according to claim 4, wherein the dynamic behaviour features of the malicious code sample comprise at least one of the following: the behavioural features obtained when the virtual behaviour of the malicious code sample is heuristically triggered, the network behaviour features of the malicious code sample, and the behavioural features of the malicious code sample when it runs in a sandbox;
and the step of matching the dynamic behaviour features of the malicious code sample against the known dynamic behaviour features in the dynamic behaviour feature database comprises:
matching the behavioural features obtained when the virtual behaviour of the malicious code sample is heuristically triggered against the known dynamic behaviour features in the dynamic behaviour feature database; or
matching the network behaviour features of the malicious code sample against the known dynamic behaviour features in the dynamic behaviour feature database; or
matching the behavioural features of the malicious code sample when it runs in a sandbox against the known dynamic behaviour features in the dynamic behaviour feature database.
6. A device for automatically processing a malicious code sample, comprising:
an acquisition module, for obtaining a malicious code sample;
a static feature extraction module, for extracting static features from the obtained malicious code sample;
a static feature matching module, for matching the static features of the malicious code sample against the known static features in a static feature database;
a dynamic behaviour feature extraction module, for continuing to extract dynamic behaviour features from the malicious code sample if the obtained malicious code sample is judged to be malicious code according to the static feature database;
a dynamic behaviour feature matching module, for matching the dynamic behaviour features of the malicious code sample against the known dynamic behaviour features in a dynamic behaviour feature database;
a false-positive feedback module, for issuing false-positive feedback indicating that the malicious code sample is non-malicious code if the obtained malicious code sample is judged not to be malicious code according to the dynamic behaviour feature database.
7. The device according to claim 6, further comprising:
a malicious code identification module, for marking the malicious code sample as malicious code if the obtained malicious code sample is judged to be malicious code according to the dynamic behaviour feature database.
8. The device according to claim 7, further comprising:
a check value computing module, for calculating the check value of the malicious code sample marked as malicious code;
a sending module, for sending the check value of the obtained malicious code sample to a cloud server, the cloud server classifying and storing the check value of the malicious code sample.
9. The device according to claim 6, wherein the static features comprise at least one of the following: the binary file of the malicious code sample, the function structure of the malicious code sample, at least part of the strings of the malicious code sample, and the icon corresponding to the malicious code sample;
and the static feature matching module comprises:
a binary file matching unit, for matching the binary file of the malicious code sample against the known malicious code binary files in the static feature database; or
a function structure matching unit, for matching the function structure of the malicious code sample against the known malicious code function structures in the static feature database; or
a string matching unit, for matching at least part of the strings of the malicious code sample against the known malicious code strings in the static feature database; or
an icon matching unit, for matching the icon corresponding to the malicious code sample against the known malicious code icons in the static feature database.
10. The device according to claim 9, wherein the dynamic behaviour features of the malicious code sample comprise at least one of the following: the behavioural features obtained when the virtual behaviour of the malicious code sample is heuristically triggered, the network behaviour features of the malicious code sample, and the behavioural features of the malicious code sample when it runs in a sandbox;
and the dynamic behaviour feature matching module comprises:
a virtual behaviour matching unit, for matching the behavioural features obtained when the virtual behaviour of the malicious code sample is heuristically triggered against the known dynamic behaviour features in the dynamic behaviour feature database; or
a network behaviour matching unit, for matching the network behaviour features of the malicious code sample against the known dynamic behaviour features in the dynamic behaviour feature database; or
a sandbox behaviour matching unit, for matching the behavioural features of the malicious code sample when it runs in a sandbox against the known dynamic behaviour features in the dynamic behaviour feature database.
Application CN201410032004.8A, priority date 2014-01-23, filing date 2014-01-23, "Method and device for automatically processing malicious code sample", legal status Pending, publication CN103761481A (en).
Publication CN103761481A (en), published 2014-04-30.

Family

ID=50528717

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410032004.8A Pending CN103761481A (en) 2014-01-23 2014-01-23 Method and device for automatically processing malicious code sample

Country Status (1)

Country Link
CN (1) CN103761481A (en)

Cited By (36)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104113841A (en) * 2014-07-11 2014-10-22 北京信息科技大学 Virtualization detection system and detection method for mobile internet Botnet
CN104598824A (en) * 2015-01-28 2015-05-06 国家计算机网络与信息安全管理中心 Method and device for detecting malicious programs
CN104966020A (en) * 2014-07-24 2015-10-07 哈尔滨安天科技股份有限公司 Eigenvector-based anti-virus detection method and system
CN105447388A (en) * 2015-12-17 2016-03-30 福建六壬网安股份有限公司 Android malicious code detection system and method based on weight
CN105491002A (en) * 2015-06-19 2016-04-13 哈尔滨安天科技股份有限公司 Advanced threat tracing method and system
CN105574408A (en) * 2014-10-11 2016-05-11 安一恒通(北京)科技有限公司 Characteristic acquisition method used for file virus detection, and file virus detection method
CN106101086A (en) * 2016-06-02 2016-11-09 北京奇虎科技有限公司 The cloud detection method of optic of program file and system, client, cloud server
CN106407807A (en) * 2016-08-31 2017-02-15 福建省天奕网络科技有限公司 Malicious thread detection method and system
CN106549980A (en) * 2016-12-30 2017-03-29 北京神州绿盟信息安全科技股份有限公司 A kind of malice C&C server determines method and device
CN106557689A (en) * 2015-09-25 2017-04-05 纬创资通股份有限公司 malicious program code analysis method and system, data processing device and electronic device
CN106709352A (en) * 2015-11-12 2017-05-24 阿里巴巴集团控股有限公司 Sample processing method, apparatus and system
CN106789899A (en) * 2016-11-22 2017-05-31 ***股份有限公司 A kind of cross-domain message method and device based on HTML5
CN107247902A (en) * 2017-05-10 2017-10-13 深信服科技股份有限公司 Malware categorizing system and method
CN107292168A (en) * 2016-03-30 2017-10-24 阿里巴巴集团控股有限公司 Detect method and device, the server of program code
CN108038378A (en) * 2017-12-28 2018-05-15 厦门服云信息科技有限公司 High in the clouds detection function is by the method for malicious modification, terminal device and storage medium
CN108304721A (en) * 2018-03-21 2018-07-20 河北师范大学 A kind of malicious code detection system
CN108563951A (en) * 2018-04-13 2018-09-21 腾讯科技(深圳)有限公司 Method for detecting virus and device
CN108898018A (en) * 2018-07-23 2018-11-27 南方电网科学研究院有限责任公司 A kind of program code safety detection method, equipment and readable storage medium storing program for executing
CN109145604A (en) * 2018-08-21 2019-01-04 成都网思科平科技有限公司 One kind extorting software intelligent detecting method and system
CN109558272A (en) * 2017-09-26 2019-04-02 北京国双科技有限公司 The fault recovery method and device of server
CN109635565A (en) * 2018-11-28 2019-04-16 江苏通付盾信息安全技术有限公司 The detection method of rogue program, calculates equipment and computer storage medium at device
CN109871686A (en) * 2019-01-31 2019-06-11 中国人民解放军战略支援部队信息工程大学 Rogue program recognition methods and device based on icon representation and software action consistency analysis
CN110232277A (en) * 2019-04-23 2019-09-13 平安科技(深圳)有限公司 Detection method, device and the computer equipment at webpage back door
WO2019242441A1 (en) * 2018-06-20 2019-12-26 深信服科技股份有限公司 Dynamic feature-based malware recognition method and system and related apparatus
CN110868421A (en) * 2019-11-19 2020-03-06 泰康保险集团股份有限公司 Malicious code identification method, device, equipment and storage medium
WO2020199905A1 (en) * 2019-03-29 2020-10-08 腾讯科技(深圳)有限公司 Command detection method and device, computer apparatus, and storage medium
CN112084497A (en) * 2020-09-11 2020-12-15 国网山西省电力公司营销服务中心 Method and device for detecting malicious program of embedded Linux system
CN112347479A (en) * 2020-10-21 2021-02-09 北京天融信网络安全技术有限公司 False alarm correction method, device, equipment and storage medium for malicious software detection
CN112580047A (en) * 2020-12-23 2021-03-30 苏州三六零智能安全科技有限公司 Industrial malicious code marking method, equipment, storage medium and device
CN113127870A (en) * 2021-04-08 2021-07-16 重庆电子工程职业学院 Rapid intelligent comparison and safety detection method for mobile malicious software big data
CN113254837A (en) * 2021-06-17 2021-08-13 北京智胜新格科技有限公司 Application program evaluation method, device, system, equipment and medium
CN113746841A (en) * 2021-09-03 2021-12-03 天津芯海创科技有限公司 High-safety heterogeneous redundancy structure with intelligent learning capacity
CN113779583A (en) * 2021-11-10 2021-12-10 北京微步在线科技有限公司 Behavior detection method and device, storage medium and electronic equipment
CN114679331A (en) * 2022-04-11 2022-06-28 北京国联天成信息技术有限公司 AI technology-based malicious code passive detection method and system
WO2022199292A1 (en) * 2021-03-26 2022-09-29 支付宝(杭州)信息技术有限公司 Detection of malicious behavior of applet
EP3918500B1 (en) * 2019-03-05 2024-04-24 Siemens Industry Software Inc. Machine learning-based anomaly detections for embedded software applications

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101848092A (en) * 2009-03-25 2010-09-29 华为技术有限公司 Malicious code detection method and device
CN102664884A (en) * 2012-04-18 2012-09-12 南京邮电大学 Malicious code recognition method based on cloud computing

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101848092A (en) * 2009-03-25 2010-09-29 华为技术有限公司 Malicious code detection method and device
CN102664884A (en) * 2012-04-18 2012-09-12 南京邮电大学 Malicious code recognition method based on cloud computing

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
郑吉飞: "Android恶意代码的静态检测研究", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *

Cited By (51)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104113841A (en) * 2014-07-11 2014-10-22 北京信息科技大学 Virtualization detection system and detection method for mobile internet Botnet
CN104113841B (en) * 2014-07-11 2017-08-08 北京信息科技大学 A kind of virtualization detecting system and detection method for mobile Internet Botnet
CN104966020A (en) * 2014-07-24 2015-10-07 哈尔滨安天科技股份有限公司 Eigenvector-based anti-virus detection method and system
CN105574408A (en) * 2014-10-11 2016-05-11 安一恒通(北京)科技有限公司 Characteristic acquisition method used for file virus detection, and file virus detection method
CN105574408B (en) * 2014-10-11 2018-04-17 安一恒通(北京)科技有限公司 Method for the characteristic-acquisition method and file virus detection of file virus detection
CN104598824B (en) * 2015-01-28 2016-04-06 国家计算机网络与信息安全管理中心 A kind of malware detection methods and device thereof
CN104598824A (en) * 2015-01-28 2015-05-06 国家计算机网络与信息安全管理中心 Method and device for detecting malicious programs
CN105491002A (en) * 2015-06-19 2016-04-13 哈尔滨安天科技股份有限公司 Advanced threat tracing method and system
CN106557689B (en) * 2015-09-25 2019-06-07 纬创资通股份有限公司 Malicious program code analysis method and system, data processing device and electronic device
US10599851B2 (en) 2015-09-25 2020-03-24 Wistron Corporation Malicious code analysis method and system, data processing apparatus, and electronic apparatus
CN106557689A (en) * 2015-09-25 2017-04-05 纬创资通股份有限公司 malicious program code analysis method and system, data processing device and electronic device
CN106709352A (en) * 2015-11-12 2017-05-24 阿里巴巴集团控股有限公司 Sample processing method, apparatus and system
CN106709352B (en) * 2015-11-12 2019-09-24 阿里巴巴集团控股有限公司 Sample processing method, apparatus and system
CN105447388B (en) * 2015-12-17 2016-12-07 福建六壬网安股份有限公司 Weight-based Android malicious code detection system and method
CN105447388A (en) * 2015-12-17 2016-03-30 福建六壬网安股份有限公司 Android malicious code detection system and method based on weight
CN107292168A (en) * 2016-03-30 2017-10-24 阿里巴巴集团控股有限公司 Method, device and server for detecting program code
CN106101086A (en) * 2016-06-02 2016-11-09 北京奇虎科技有限公司 Cloud detection method and system for program files, client, and cloud server
CN106407807A (en) * 2016-08-31 2017-02-15 福建省天奕网络科技有限公司 Malicious thread detection method and system
CN106407807B (en) * 2016-08-31 2019-01-22 福建省天奕网络科技有限公司 Malicious thread detection method and system
CN106789899A (en) * 2016-11-22 2017-05-31 ***股份有限公司 HTML5-based cross-domain messaging method and device
CN106549980B (en) * 2016-12-30 2020-04-07 北京神州绿盟信息安全科技股份有限公司 Malicious C & C server determination method and device
CN106549980A (en) * 2016-12-30 2017-03-29 北京神州绿盟信息安全科技股份有限公司 Malicious C&C server determination method and device
CN107247902B (en) * 2017-05-10 2021-07-06 深信服科技股份有限公司 Malicious software classification system and method
CN107247902A (en) * 2017-05-10 2017-10-13 深信服科技股份有限公司 Malware categorizing system and method
CN109558272A (en) * 2017-09-26 2019-04-02 北京国双科技有限公司 The fault recovery method and device of server
CN108038378A (en) * 2017-12-28 2018-05-15 厦门服云信息科技有限公司 Method for detecting malicious modification of a cloud detection function, terminal device and storage medium
CN108304721A (en) * 2018-03-21 2018-07-20 河北师范大学 Malicious code detection system
CN108563951A (en) * 2018-04-13 2018-09-21 腾讯科技(深圳)有限公司 Method for detecting virus and device
CN110619211A (en) * 2018-06-20 2019-12-27 深信服科技股份有限公司 Malicious software identification method, system and related device based on dynamic characteristics
WO2019242441A1 (en) * 2018-06-20 2019-12-26 深信服科技股份有限公司 Dynamic feature-based malware recognition method and system and related apparatus
CN108898018A (en) * 2018-07-23 2018-11-27 南方电网科学研究院有限责任公司 Program code security detection method, equipment and readable storage medium
CN109145604A (en) * 2018-08-21 2019-01-04 成都网思科平科技有限公司 Ransomware intelligent detection method and system
CN109635565A (en) * 2018-11-28 2019-04-16 江苏通付盾信息安全技术有限公司 Malicious program detection method and device, computing equipment and computer storage medium
CN109871686A (en) * 2019-01-31 2019-06-11 中国人民解放军战略支援部队信息工程大学 Malicious program identification method and device based on icon representation and software behavior consistency analysis
EP3918500B1 (en) * 2019-03-05 2024-04-24 Siemens Industry Software Inc. Machine learning-based anomaly detections for embedded software applications
WO2020199905A1 (en) * 2019-03-29 2020-10-08 腾讯科技(深圳)有限公司 Command detection method and device, computer apparatus, and storage medium
CN110232277A (en) * 2019-04-23 2019-09-13 平安科技(深圳)有限公司 Webpage backdoor detection method, device and computer equipment
CN110868421A (en) * 2019-11-19 2020-03-06 泰康保险集团股份有限公司 Malicious code identification method, device, equipment and storage medium
CN112084497A (en) * 2020-09-11 2020-12-15 国网山西省电力公司营销服务中心 Method and device for detecting malicious program of embedded Linux system
CN112347479A (en) * 2020-10-21 2021-02-09 北京天融信网络安全技术有限公司 False alarm correction method, device, equipment and storage medium for malicious software detection
CN112347479B (en) * 2020-10-21 2021-08-24 北京天融信网络安全技术有限公司 False alarm correction method, device, equipment and storage medium for malicious software detection
CN112580047B (en) * 2020-12-23 2022-11-04 苏州三六零智能安全科技有限公司 Industrial malicious code marking method, equipment, storage medium and device
CN112580047A (en) * 2020-12-23 2021-03-30 苏州三六零智能安全科技有限公司 Industrial malicious code marking method, equipment, storage medium and device
WO2022199292A1 (en) * 2021-03-26 2022-09-29 支付宝(杭州)信息技术有限公司 Detection of malicious behavior of applet
CN113127870A (en) * 2021-04-08 2021-07-16 重庆电子工程职业学院 Rapid intelligent comparison and safety detection method for mobile malicious software big data
CN113254837A (en) * 2021-06-17 2021-08-13 北京智胜新格科技有限公司 Application program evaluation method, device, system, equipment and medium
CN113746841A (en) * 2021-09-03 2021-12-03 天津芯海创科技有限公司 High-safety heterogeneous redundancy structure with intelligent learning capacity
CN113779583A (en) * 2021-11-10 2021-12-10 北京微步在线科技有限公司 Behavior detection method and device, storage medium and electronic equipment
CN113779583B (en) * 2021-11-10 2022-02-22 北京微步在线科技有限公司 Behavior detection method and device, storage medium and electronic equipment
CN114679331A (en) * 2022-04-11 2022-06-28 北京国联天成信息技术有限公司 AI technology-based malicious code passive detection method and system
CN114679331B (en) * 2022-04-11 2024-02-02 北京国联天成信息技术有限公司 AI technology-based malicious code passive detection method and system

Similar Documents

Publication Publication Date Title
CN103761481A (en) Method and device for automatically processing malicious code sample
Gibert et al. The rise of machine learning for detection and classification of malware: Research developments, trends and challenges
Sihwail et al. A survey on malware analysis techniques: Static, dynamic, hybrid and memory analysis
CN101373502B (en) Automatic analysis system of virus behavior based on Win32 platform
Li et al. Large-scale identification of malicious singleton files
AU2014213584B2 (en) Method and product for providing a predictive security product and evaluating existing security products
Santos et al. Opem: A static-dynamic approach for machine-learning-based malware detection
EP2940957B1 (en) Method, apparatus and system for detecting malicious process behavior
CN106326737B (en) System and method for detecting harmful files executable on a virtual stack machine
CN103810428B (en) Method and device for detecting macro virus
CN103839003A (en) Malicious file detection method and device
KR20120073018A (en) System and method for detecting malicious code
CN109033839A (en) Malware detection method based on dynamic multiple features
Javaheri et al. A novel method for detecting future generations of targeted and metamorphic malware based on genetic algorithm
CN110399720A (en) File detection method and related apparatus
Bostani et al. Evadedroid: A practical evasion attack on machine learning for black-box android malware detection
Eskandari et al. To incorporate sequential dynamic features in malware detection engines
Pomorova et al. A technique for detection of bots which are using polymorphic code
Gray et al. Identifying authorship style in malicious binaries: techniques, challenges & datasets
EP3800570B1 (en) Methods and systems for genetic malware analysis and classification using code reuse patterns
Sartea et al. Secur-ama: active malware analysis based on monte carlo tree search for android systems
CN110210216A (en) Virus detection method and related apparatus
Wolsey The State-of-the-Art in AI-Based Malware Detection Techniques: A Review
CN114925369A (en) Static analysis method and system for business system container safety
Liu et al. Automated binary analysis: A survey

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C53 Correction of patent of invention or patent application
CB03 Change of inventor or designer information

Inventor after: Bian Liang

Inventor before: Bian Liang

Inventor before: Yu Chungong

COR Change of bibliographic data

Free format text: CORRECT: INVENTOR; FROM: BIAN LIANG YU CHUNGONG TO: BIAN LIANG

RJ01 Rejection of invention patent application after publication

Application publication date: 20140430