CN110414233A - Malicious code detection method and device - Google Patents

Malicious code detection method and device

Info

Publication number: CN110414233A
Authority: CN (China)
Prior art keywords: malicious code, code, dynamic, sample, malicious
Legal status: Pending (status as assumed by Google Patents; not a legal conclusion)
Application number: CN201910577148.4A
Other languages: Chinese (zh)
Inventors: 聂眉宁, 应凌云, 卢树强
Current assignee: Qax Technology Group Inc (as listed by Google Patents; not verified)
Original assignee: Qax Technology Group Inc
Application filed by: Qax Technology Group Inc
Priority to: CN201910577148.4A (priority date as assumed by Google Patents; not a legal conclusion)
Publication of: CN110414233A

Classifications (CPC)

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 18/00 Pattern recognition > G06F 18/20 Analysing > G06F 18/21 Design or setup of recognition systems or techniques; extraction of features in feature space; blind source separation > G06F 18/214 Generating training patterns; bootstrap methods, e.g. bagging or boosting
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F 21/55 Detecting local intrusion or implementing counter-measures > G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements > G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N 20/00 Machine learning


Abstract

An embodiment of the invention provides a malicious code detection method and a malicious code detection device. The method comprises: acquiring target code and extracting its dynamic behaviour data; inputting the dynamic behaviour data of the target code into a malicious code recognition model and detecting whether the target code is malicious code; wherein the malicious code recognition model is generated by training, with a machine learning algorithm, on dynamic behaviour data extracted from malicious code samples. The embodiment can detect whether target code is malicious code, and the detection result is more accurate.

Description

Malicious code detection method and device
Technical field
The present invention relates to the field of computer technology, and in particular to a malicious code detection method and device.
Background
With the rapid development of information technology, malicious code has become a major threat to information security. Quickly detecting malicious code in acquired code is very important for ensuring network security.
Currently, the prior art provides methods that use machine learning to detect malicious code, but all of these methods operate on the static file of the malicious code.
The detection accuracy of the existing machine-learning-based methods is low, however. In particular, for code protected by techniques such as packing and encryption, it is difficult to accurately determine whether the code is malicious.
Summary of the invention
In view of the problems in the prior art, embodiments of the present invention provide a malicious code detection method and device.
An embodiment of the present invention provides a malicious code detection method, comprising:
acquiring target code and extracting the dynamic behaviour data of the target code;
inputting the dynamic behaviour data of the target code into a malicious code recognition model, and detecting whether the target code is malicious code;
wherein the malicious code recognition model is generated by training, with a machine learning algorithm, on dynamic behaviour data extracted from malicious code samples.
An embodiment of the present invention provides a malicious code detection device, comprising:
a first acquisition module, for acquiring target code and extracting the dynamic behaviour data of the target code;
a detection module, for inputting the dynamic behaviour data of the target code into a malicious code recognition model and detecting whether the target code is malicious code;
wherein the malicious code recognition model is generated by training, with a machine learning algorithm, on dynamic behaviour data extracted from malicious code samples.
An embodiment of the present invention provides an electronic device comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor; when the processor executes the program, it implements the steps of the above method.
In the malicious code detection method and device provided by embodiments of the present invention, the dynamic behaviour data of the target code is input into a malicious code recognition model to detect whether the target code is malicious code, where the model is generated by training, with a machine learning algorithm, on dynamic behaviour data extracted from malicious code samples. As a result, whether target code is malicious can be detected, and the detection result is more accurate.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention, or of the prior art, more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of a malicious code detection method provided by an embodiment of the present invention;
Fig. 2 is a structural diagram of a malicious code detection device provided by an embodiment of the present invention;
Fig. 3 is a physical structure diagram of an electronic device provided by an embodiment of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the present invention.
Fig. 1 shows a flow diagram of a malicious code detection method provided by an embodiment of the present invention. As shown in Fig. 1, the malicious code detection method of this embodiment comprises:
S1: acquire target code and extract the dynamic behaviour data of the target code.
It is understood that the dynamic behaviour data of the target code is the record of the various dynamic behaviours by which the target code calls the API (Application Programming Interface) of the operating system while it runs. For example, the dynamic behaviours may include reading files, creating processes and writing the registry; this embodiment does not enumerate them one by one.
S2: input the dynamic behaviour data of the target code into a malicious code recognition model, and detect whether the target code is malicious code;
wherein the malicious code recognition model is generated by training, with a machine learning algorithm, on dynamic behaviour data extracted from malicious code samples.
It is understood that the malicious code recognition model of this embodiment can automatically identify, from the dynamic behaviour data of the target code, whether the target code is malicious code.
It is understood that the dynamic behaviour data extracted from a malicious code sample is the record of the various dynamic behaviours by which the sample calls the operating system API while it runs; for example, reading files, creating processes and writing the registry. This embodiment does not enumerate them one by one.
It is understood that there are many machine learning algorithms in the field of artificial intelligence; this embodiment does not restrict which one is used.
It is understood that malicious code, also called malware, is code that can perform unauthorised operations in a computer system. Most malicious code is written for commercial purposes or to spy on other people's data, for example to advertise a product, to provide a paid network service, or to deliberately damage another person's computer directly. In general it has three characteristics: it has a malicious, destructive purpose; it is itself a program; and it takes effect by being executed. Quickly detecting malicious code in acquired code is very important for ensuring network security.
It is understood that the prior-art methods for detecting malicious code with machine learning all operate on the static file of the malicious code, whereas this embodiment uses a machine learning algorithm to analyse dynamic behaviour data. The detection result is therefore more accurate; in particular, for code protected by packing, encryption and similar techniques, it can more accurately detect whether the code is malicious.
The malicious code detection method provided by this embodiment acquires target code, extracts its dynamic behaviour data, inputs that data into a malicious code recognition model and detects whether the target code is malicious code, where the model is generated by training, with a machine learning algorithm, on dynamic behaviour data extracted from malicious code samples. It can thus detect whether the target code is malicious code, and the detection result is more accurate; in particular, for code protected by packing, encryption and similar techniques, it can more accurately detect whether the code is malicious.
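As an added illustration of steps S1 and S2, and not code from the patent or from Qax: the Python below builds the kind of "dynamic behaviour data" the method consumes (an ordered list of OS API names, one JSON object per call), turns it into API-call bigram counts, and trains a small multinomial naive Bayes model on constructed, labelled traces, then scores new traces. The API names, the JSON-lines record format and the training traces are all assumptions made for the example; real sandbox output also carries arguments, return values and timestamps. Note that the example trains on both malicious and benign traces, because a discriminative classifier needs negatives, whereas the patent text speaks only of training on malicious samples.

```python
"""API-call bigram features + multinomial naive Bayes over sandbox behaviour traces."""
import json
import math
from collections import Counter

# Constructed behaviour records (not real sandbox output): each trace is the
# ordered list of OS API names a sample called while it ran.
TRAIN = [
    ("malicious", ["GetTempPath", "CreateFile", "WriteFile", "CloseHandle", "RegSetValueEx", "CreateProcess"]),
    ("malicious", ["CreateFile", "WriteFile", "CloseHandle", "RegSetValueEx", "CreateProcess", "InternetOpen"]),
    ("malicious", ["InternetOpen", "InternetReadFile", "CreateFile", "WriteFile", "CloseHandle", "CreateProcess"]),
    ("benign", ["CreateFile", "ReadFile", "CloseHandle"]),
    ("benign", ["GetTempPath", "CreateFile", "ReadFile", "ReadFile", "CloseHandle"]),
    ("benign", ["RegQueryValueEx", "CreateFile", "ReadFile", "CloseHandle"]),
]


def to_jsonl(apis):
    """Serialise an API sequence the way a hook-based sandbox would log it (assumed format)."""
    return "\n".join(json.dumps({"api": a}) for a in apis)


def parse_trace(text):
    """Read a JSON-lines behaviour record back into an ordered API name list."""
    return [json.loads(line)["api"] for line in text.splitlines() if line.strip()]


def bigram_features(apis):
    """Count ordered API pairs. Order matters: 'WriteFile then CreateProcess'
    (drop-and-run) is not the same behaviour as 'CreateProcess then WriteFile'."""
    padded = ["<s>"] + list(apis) + ["</s>"]
    return Counter(zip(padded, padded[1:]))


class NaiveBayes:
    """Multinomial naive Bayes with Laplace smoothing, in plain Python."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.doc_counts = Counter()     # label -> number of traces
        self.feat_counts = {}           # label -> Counter(feature -> count)
        self.feat_totals = Counter()    # label -> total feature count
        self.vocab = set()

    def fit(self, samples):
        for label, feats in samples:
            self.doc_counts[label] += 1
            fc = self.feat_counts.setdefault(label, Counter())
            for f, n in feats.items():
                fc[f] += n
                self.feat_totals[label] += n
                self.vocab.add(f)
        return self

    def log_posteriors(self, feats):
        n_docs = sum(self.doc_counts.values())
        # +1 reserves probability mass for pairs never seen in training, so a
        # trace made only of unknown APIs still scores instead of hitting log(0).
        vsize = len(self.vocab) + 1
        out = {}
        for label, n in self.doc_counts.items():
            lp = math.log(n / n_docs)
            fc = self.feat_counts[label]
            denom = self.feat_totals[label] + self.alpha * vsize
            for f, cnt in feats.items():
                lp += cnt * math.log((fc.get(f, 0) + self.alpha) / denom)
            out[label] = lp
        return out

    def predict(self, feats):
        """Return (best label, P(malicious)); normalised with a shifted log-sum-exp."""
        lp = self.log_posteriors(feats)
        label = max(lp, key=lp.get)
        m = max(lp.values())
        norm = m + math.log(sum(math.exp(v - m) for v in lp.values()))
        return label, math.exp(lp.get("malicious", -math.inf) - norm)


def train_model(samples=TRAIN):
    return NaiveBayes().fit((label, bigram_features(apis)) for label, apis in samples)


def classify(model, trace_text):
    """Score one JSON-lines behaviour record: returns (label, P(malicious))."""
    return model.predict(bigram_features(parse_trace(trace_text)))


MODEL = train_model()

if __name__ == "__main__":
    for apis in (["CreateFile", "WriteFile", "CloseHandle", "RegSetValueEx", "CreateProcess"],
                 ["CreateFile", "ReadFile", "CloseHandle"]):
        print(apis, "->", classify(MODEL, to_jsonl(apis)))
```

The reserved smoothing slot is what keeps a trace of never-seen APIs from producing log(0); whether such a trace should be treated as benign by default is a policy decision, not something the model decides. A practitioner would also watch trace length and coverage: a sample that detects the sandbox and idles produces a short, benign-looking trace, which is the main way dynamic detection of this kind is evaded.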
Further, on the basis of the above embodiment, "extracting the dynamic behaviour data of the target code" in step S1 may comprise:
running the target code in the virtual operating system layer of a dynamic sandbox, simulating, while it runs, the operations by which it calls all APIs of the operating system, and triggering and extracting the dynamic behaviour data the target code generates;
wherein the dynamic sandbox comprises a virtual machine layer and a virtual operating system layer; the virtual machine layer virtualises the physical hardware of the computer, and the virtual operating system layer runs and analyses the sample.
It is understood that, in the field of malicious code analysis, a sandbox generally means a "virtual machine" plus "analysis means". A dynamic sandbox is usually realised by installing auxiliary analysis tools in a virtual operating system, so its layering should be: virtual machine layer (providing virtualisation) plus virtual operating system layer (running the sample and analysing it). For the dynamic sandbox of this embodiment, four layers are provided on a terminal device: a physical hardware layer, a host operating system layer, a virtual hardware layer and a virtual operating system layer. The physical hardware layer is the real hardware, i.e. the CPU (central processing unit), memory, hard disk and so on installed in the server. The host operating system layer is the operating system installed on the server, i.e. the operating system the server boots into after the power button is pressed, such as Linux. The virtual hardware layer is a program running in the host operating system that simulates, purely in software, a series of hardware such as CPU, memory and hard disk; realising the virtual hardware layer realises the function of the virtual machine (i.e. the virtual machine layer). Because it is simulated purely in software, it can present virtual hardware completely different from the real physical hardware layer: for example, on a server with an x86 CPU, the virtual CPU in the virtual hardware layer can be of the ARM architecture. The virtual operating system layer, i.e. the operating system of the virtual machine, is installed directly on the virtual hardware layer and can be Linux, Windows, Android and so on, depending on which system the sample program to be analysed is intended to run in.
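The step above, "simulating the operations by which the target code calls all APIs of the operating system, triggering and extracting the dynamic behaviour data", is API hooking inside the virtual operating system layer. As an added example, not the patent's or Qax's code, here is a hook-based tracer in Python: it swaps selected functions in the `os` module for recording wrappers, runs a constructed stand-in sample that drops a file and marks it executable, restores the originals, and emits the trace as JSON lines. The hooked function list, the record format and the sample program are assumptions of the example; a real sandbox hooks the guest's Win32 or Linux API surface at the binary level, not a Python namespace.

```python
"""Hook-based API tracer: record the OS calls a sample makes while it runs."""
import functools
import json
import os
import tempfile


class ApiHookTracer:
    """Replace selected functions in their module namespace with recording
    wrappers for the duration of a `with` block, then restore the originals.
    This is the user-mode analogue of the import-table or inline hooks a
    sandbox installs in its virtual operating system layer."""

    def __init__(self, targets):
        self.targets = list(targets)   # [(module, "function_name"), ...]
        self.records = []              # one dict per observed call, in order
        self._saved = {}

    def _hook(self, module, name, original):
        @functools.wraps(original)
        def hooked(*args, **kwargs):
            result = original(*args, **kwargs)   # let the real call proceed
            self.records.append({
                "api": f"{module.__name__}.{name}",
                "args": [repr(a) for a in args],
                "ret": repr(result),
            })
            return result
        return hooked

    def __enter__(self):
        for module, name in self.targets:
            original = getattr(module, name)
            self._saved[(module, name)] = original
            setattr(module, name, self._hook(module, name, original))
        return self

    def __exit__(self, exc_type, exc, tb):
        for (module, name), original in self._saved.items():
            setattr(module, name, original)
        self._saved.clear()
        return False   # never swallow the sample's exceptions


def to_jsonl(records):
    """The dynamic behaviour record file: one JSON object per call (assumed format)."""
    return "\n".join(json.dumps(r) for r in records)


def sample_program(workdir):
    """Constructed stand-in for a sample: drop a file and mark it executable."""
    path = os.path.join(workdir, "dropped.bin")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)
    os.write(fd, b"MZ\x90\x00 constructed payload, not real code")
    os.close(fd)
    os.chmod(path, 0o755)
    return path


# Hypothetical hook set for the example; a real sandbox covers the whole API surface.
HOOKED_APIS = [(os, "open"), (os, "write"), (os, "close"), (os, "chmod")]


def hooks_active(hooks=HOOKED_APIS):
    """True while any target still points at a recording wrapper."""
    return any(hasattr(getattr(m, n), "__wrapped__") for m, n in hooks)


def trace_sample(sample=sample_program, hooks=HOOKED_APIS):
    """Run `sample` in a scratch directory with the hooks installed and return
    the recorded calls. Hooks come off before the directory is cleaned up, so
    the sandbox's own cleanup does not appear in the sample's trace."""
    with tempfile.TemporaryDirectory() as workdir:
        with ApiHookTracer(hooks) as tracer:
            sample(workdir)
        return tracer.records


if __name__ == "__main__":
    print(to_jsonl(trace_sample()))
```

Restoring the hooks before the scratch directory is removed is not cosmetic: otherwise the tracer's own cleanup calls would be attributed to the sample. Real sandboxes have the same contamination problem, where the guest agent's activity has to be filtered out of the record.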
Further, on the basis of the above embodiment, before step S2 the method of this embodiment may further comprise steps P1 to P3, not shown in the figure:
P1: acquire malicious code samples.
P2: extract the dynamic behaviour data of the malicious code samples.
In a specific application, this embodiment may run the malicious code sample in the virtual operating system layer of the dynamic sandbox, simulate, while it runs, the operations by which it calls all APIs of the operating system, and trigger and extract the dynamic behaviour data the malicious code sample generates.
P3: train on the dynamic behaviour data with a machine learning algorithm to generate the malicious code recognition model.
In a specific application, the extracted dynamic behaviour data may be a dynamic behaviour record file, in which case a text machine learning model can be trained on the dynamic behaviour data to generate the malicious code recognition model; the extracted dynamic behaviour data may also be a picture converted from the dynamic behaviour record file, in which case a picture (image) machine learning model can be trained on the dynamic behaviour data to generate the malicious code recognition model.
The malicious code detection method provided by this embodiment can detect whether the target code is malicious code, and the detection result is more accurate; in particular, for code protected by packing, encryption and similar techniques, it can more accurately detect whether the code is malicious.
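The alternative in step P3, converting the behaviour record file into a picture for an image model, is shown below as an added example that is not the patent's or Qax's code: the ordered API trace becomes a fixed-size API-to-API transition matrix, log-scaled to 8-bit grey, and written as a binary PGM that any image loader or CNN pipeline can read. The vocabulary, the `<other>` bucket for unknown APIs and the log scaling are assumptions of the example; the patent does not say how its picture is formed.

```python
"""Turn an API-call trace into a fixed-size grayscale image for a picture model."""
import json
import math

# Constructed API vocabulary. A real deployment fixes this list once, from the
# training corpus, so that every trace maps onto the same image geometry.
VOCAB = ["CreateFile", "ReadFile", "WriteFile", "CloseHandle", "RegSetValueEx", "CreateProcess"]
OTHER = "<other>"   # bucket for APIs outside the vocabulary: kept, not dropped


def parse_trace(text):
    """Read a JSON-lines behaviour record (assumed format) into an ordered API list."""
    return [json.loads(line)["api"] for line in text.splitlines() if line.strip()]


def transition_counts(apis, vocab=VOCAB):
    """(N+1) x (N+1) matrix: cell [i][j] counts how often API i was immediately
    followed by API j. Row and column N are the <other> bucket."""
    index = {name: i for i, name in enumerate(vocab)}
    n = len(vocab) + 1
    matrix = [[0] * n for _ in range(n)]
    idx = [index.get(a, n - 1) for a in apis]
    for a, b in zip(idx, idx[1:]):
        matrix[a][b] += 1
    return matrix


def to_pixels(counts):
    """Log-scale counts to 0..255 so one hot loop does not wash out everything else."""
    peak = max(max(row) for row in counts)
    if peak == 0:
        return [[0] * len(counts) for _ in counts]
    scale = 255.0 / math.log1p(peak)
    return [[round(math.log1p(c) * scale) for c in row] for row in counts]


def to_pgm(pixels):
    """Encode as binary PGM (P5): an 8-bit grayscale format image libraries read directly."""
    height, width = len(pixels), len(pixels[0])
    header = f"P5\n{width} {height}\n255\n".encode("ascii")
    return header + bytes(v for row in pixels for v in row)


def trace_to_image(trace_text, vocab=VOCAB):
    """Behaviour record file -> grayscale pixel rows, ready for an image model."""
    return to_pixels(transition_counts(parse_trace(trace_text), vocab))


if __name__ == "__main__":
    demo = "\n".join(json.dumps({"api": a}) for a in
                     ["CreateFile", "WriteFile", "CreateFile", "WriteFile", "CloseHandle", "CreateProcess"])
    for row in trace_to_image(demo):
        print(" ".join(f"{v:3d}" for v in row))
    with open("trace.pgm", "wb") as fh:
        fh.write(to_pgm(trace_to_image(demo)))
```

Fixing the vocabulary up front is what gives every trace the same image geometry, which an image model needs. APIs outside the vocabulary land in the `<other>` row and column rather than being dropped, so a sample built entirely from unusual calls still leaves a visible footprint instead of an empty image.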
Fig. 2 shows a structural diagram of a malicious code detection device provided by an embodiment of the present invention. As shown in Fig. 2, the malicious code detection device of this embodiment comprises a first acquisition module 21 and a detection module 22, wherein:
the first acquisition module 21 is configured to acquire target code and extract the dynamic behaviour data of the target code;
the detection module 22 is configured to input the dynamic behaviour data of the target code into a malicious code recognition model and detect whether the target code is malicious code;
wherein the malicious code recognition model is generated by training, with a machine learning algorithm, on dynamic behaviour data extracted from malicious code samples.
Specifically, the first acquisition module 21 acquires the target code and extracts its dynamic behaviour data; the detection module 22 inputs the dynamic behaviour data of the target code into the malicious code recognition model and detects whether the target code is malicious code; wherein the malicious code recognition model is generated by training, with a machine learning algorithm, on dynamic behaviour data extracted from malicious code samples.
It is understood that the malicious code recognition model of this embodiment can automatically identify, from the dynamic behaviour data of the target code, whether the target code is malicious code.
It is understood that the dynamic behaviour data of the target code is the record of the various dynamic behaviours by which the target code calls the operating system API while it runs. For example, the dynamic behaviours may include reading files, creating processes and writing the registry; this embodiment does not enumerate them one by one.
It is understood that the dynamic behaviour data extracted from a malicious code sample is the record of the various dynamic behaviours by which the sample calls the operating system API while it runs; for example, reading files, creating processes and writing the registry. This embodiment does not enumerate them one by one.
It is understood that there are many machine learning algorithms in the field of artificial intelligence; this embodiment does not restrict which one is used.
It is understood that malicious code, also called malware, is code that can perform unauthorised operations in a computer system. Most malicious code is written for commercial purposes or to spy on other people's data, for example to advertise a product, to provide a paid network service, or to deliberately damage another person's computer directly. In general it has three characteristics: it has a malicious, destructive purpose; it is itself a program; and it takes effect by being executed. Quickly detecting malicious code in acquired code is very important for ensuring network security.
It is understood that the prior-art methods for detecting malicious code with machine learning all operate on the static file of the malicious code, whereas the device of this embodiment uses a machine learning algorithm to analyse dynamic behaviour data. The detection result is therefore more accurate; in particular, for code protected by packing, encryption and similar techniques, it can more accurately detect whether the code is malicious.
In the malicious code detection device provided by this embodiment, the first acquisition module acquires target code and extracts its dynamic behaviour data, and the detection module inputs that data into a malicious code recognition model and detects whether the target code is malicious code, where the model is generated by training, with a machine learning algorithm, on dynamic behaviour data extracted from malicious code samples. The device can thus detect whether the target code is malicious code, and the detection result is more accurate; in particular, for code protected by packing, encryption and similar techniques, it can more accurately detect whether the code is malicious.
Further, on the basis of the above embodiment, the first acquisition module 21 may be specifically configured to:
acquire target code; run the target code in the virtual operating system layer of a dynamic sandbox, simulating, while it runs, the operations by which it calls all application programming interfaces (APIs) of the operating system, and triggering and extracting the dynamic behaviour data the target code generates;
wherein the dynamic sandbox comprises a virtual machine layer and a virtual operating system layer; the virtual machine layer virtualises the physical hardware of the computer, and the virtual operating system layer runs and analyses the sample.
It is understood that, in the field of malicious code analysis, a sandbox generally means a "virtual machine" plus "analysis means". A dynamic sandbox is usually realised by installing auxiliary analysis tools in a virtual operating system, so its layering should be: virtual machine layer (providing virtualisation) plus virtual operating system layer (running the sample and analysing it). For the dynamic sandbox of this embodiment, four layers are provided on a terminal device: a physical hardware layer, a host operating system layer, a virtual hardware layer and a virtual operating system layer. The physical hardware layer is the real hardware, i.e. the CPU (central processing unit), memory, hard disk and so on installed in the server. The host operating system layer is the operating system installed on the server, i.e. the operating system the server boots into after the power button is pressed, such as Linux. The virtual hardware layer is a program running in the host operating system that simulates, purely in software, a series of hardware such as CPU, memory and hard disk; realising the virtual hardware layer realises the function of the virtual machine (i.e. the virtual machine layer). Because it is simulated purely in software, it can present virtual hardware completely different from the real physical hardware layer: for example, on a server with an x86 CPU, the virtual CPU in the virtual hardware layer can be of the ARM architecture. The virtual operating system layer, i.e. the operating system of the virtual machine, is installed directly on the virtual hardware layer and can be Linux, Windows, Android and so on, depending on which system the sample program to be analysed is intended to run in.
Further, on the basis of the above embodiment, the device of this embodiment may further comprise, not shown in the figure:
a second acquisition module, for acquiring malicious code samples;
an extraction module, for extracting the dynamic behaviour data of the malicious code samples;
a training module, for training on the dynamic behaviour data with a machine learning algorithm to generate the malicious code recognition model.
In a specific application, the extraction module may be specifically configured to:
run the malicious code sample in the virtual operating system layer of a dynamic sandbox, simulating, while it runs, the operations by which it calls all APIs of the operating system, and triggering and extracting the dynamic behaviour data the malicious code sample generates;
wherein the dynamic sandbox comprises a virtual machine layer and a virtual operating system layer; the virtual machine layer virtualises the physical hardware of the computer, and the virtual operating system layer runs and analyses the sample.
It is understood that this embodiment may use the dynamic sandbox to extract the dynamic behaviour data of the malicious code sample.
In a specific application, the extracted dynamic behaviour data may be a dynamic behaviour record file, in which case the training module can train a text machine learning model on the dynamic behaviour data to generate the malicious code recognition model; the extracted dynamic behaviour data may also be a picture converted from the dynamic behaviour record file, in which case the training module can train a picture (image) machine learning model on the dynamic behaviour data to generate the malicious code recognition model.
The malicious code detection device provided by this embodiment can detect whether the target code is malicious code, and the detection result is more accurate; in particular, for code protected by packing, encryption and similar techniques, it can more accurately detect whether the code is malicious.
The malicious code detection device provided by the embodiment of the present invention can be used to execute the technical solution of the preceding method embodiment; its implementation principle and technical effect are similar and are not repeated here.
Fig. 3 shows a physical structure diagram of an electronic device provided by an embodiment of the present invention. As shown in Fig. 3, the electronic device may comprise a memory 302, a processor 301, and a computer program stored in the memory 302 and runnable on the processor 301. When the processor 301 executes the program, it implements the steps of the above method, for example: acquiring target code and extracting the dynamic behaviour data of the target code; inputting the dynamic behaviour data of the target code into a malicious code recognition model and detecting whether the target code is malicious code; wherein the malicious code recognition model is generated by training, with a machine learning algorithm, on dynamic behaviour data extracted from malicious code samples.
An embodiment of the present invention provides a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the above method, for example: acquiring target code and extracting the dynamic behaviour data of the target code; inputting the dynamic behaviour data of the target code into a malicious code recognition model and detecting whether the target code is malicious code; wherein the malicious code recognition model is generated by training, with a machine learning algorithm, on dynamic behaviour data extracted from malicious code samples.
The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
From the description of the embodiments above, those skilled in the art can clearly understand that each embodiment can be implemented by software together with a necessary general-purpose hardware platform, or of course by hardware. Based on this understanding, the technical solution above, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored in a computer-readable storage medium such as ROM/RAM, magnetic disk or optical disc, including several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in each embodiment or in certain parts of the embodiments.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. a kind of malicious code detecting method characterized by comprising
Object code is obtained, the dynamic behaviour data of the object code are extracted;
The dynamic behaviour data of the object code are inputted into malicious code identification model, detect the object code whether be Malicious code;
Wherein, the malicious code identification model is using machine learning algorithm, to the dynamic extracted from malicious code sample What behavioral data generated after being trained.
2. malicious code detecting method according to claim 1, which is characterized in that described to extract the dynamic of the object code State behavioral data, comprising:
The object code is run in the virtual opetrating system layer of dynamic sandbox, is simulated in the process of running to operating system The operation that is called of all application programming interface API, trigger and extract the dynamic behaviour that the object code generates Data;
Wherein, the dynamic sandbox includes: virtual machine layer and virtual opetrating system layer, and the virtual machine layer is for realizing computer The virtualization of physical hardware, the virtual opetrating system layer is for running and analyzing sample.
3. malicious code detecting method according to claim 1, which is characterized in that by the dynamic row of the object code Malicious code identification model is inputted for data, before detecting whether the object code is malicious code, the method is also wrapped It includes:
Obtain malicious code sample;
Extract the dynamic behaviour data of the malicious code sample;
Using machine learning algorithm, the dynamic behaviour data are trained, generate malicious code identification model.
4. malicious code detecting method according to claim 3, which is characterized in that described to extract the malicious code sample Dynamic behaviour data, comprising:
The malicious code sample is run in the virtual opetrating system layer of dynamic sandbox, is simulated in the process of running to operation The operation that all API of system are called triggers and extracts the dynamic behaviour data that the malicious code sample generates;
Wherein, the dynamic sandbox includes: virtual machine layer and virtual opetrating system layer, and the virtual machine layer is for realizing computer The virtualization of physical hardware, the virtual opetrating system layer is for running and analyzing sample.
5. A malicious code detection device, characterized by comprising:
A first acquisition module, configured to obtain target code and extract the dynamic behavior data of the target code;
A detection module, configured to input the dynamic behavior data of the target code into a malicious code identification model to detect whether the target code is malicious code;
Wherein the malicious code identification model is generated by training, with a machine learning algorithm, on dynamic behavior data extracted from malicious code samples.
6. The malicious code detection device according to claim 5, characterized in that the first acquisition module is specifically configured to:
Obtain the target code; run the target code in the virtual operating system layer of a dynamic sandbox and, during the run, simulate the calling of all application programming interfaces (APIs) of the operating system, so as to trigger and extract the dynamic behavior data generated by the target code;
Wherein the dynamic sandbox comprises a virtual machine layer and a virtual operating system layer, the virtual machine layer being used to virtualize the physical hardware of the computer and the virtual operating system layer being used to run and analyze samples.
7. The malicious code detection device according to claim 5, characterized in that the device further comprises:
A second acquisition module, configured to obtain a malicious code sample;
An extraction module, configured to extract the dynamic behavior data of the malicious code sample;
A training module, configured to train on the dynamic behavior data with a machine learning algorithm to generate the malicious code identification model.
8. The malicious code detection device according to claim 7, characterized in that the extraction module is specifically configured to:
Run the malicious code sample in the virtual operating system layer of a dynamic sandbox and, during the run, simulate the calling of all APIs of the operating system, so as to trigger and extract the dynamic behavior data generated by the malicious code sample;
Wherein the dynamic sandbox comprises a virtual machine layer and a virtual operating system layer, the virtual machine layer being used to virtualize the physical hardware of the computer and the virtual operating system layer being used to run and analyze samples.
9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, characterized in that the processor, when executing the program, implements the steps of the malicious code detection method according to any one of claims 1 to 4.
10. A non-transitory computer-readable storage medium having a computer program stored thereon, characterized in that the computer program, when executed by a processor, implements the steps of the malicious code detection method according to any one of claims 1 to 4.
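The method claims describe a pipeline rather than a model: record the API calls a sample makes while it runs in a sandbox, turn those traces into training data, fit a classifier, then score a target's trace the same way. The block below is an added illustration of that pipeline and is not code from the patent or its assignee. It assumes a hypothetical hook-log format (`pid=... api=... ret=...`) standing in for whatever the claimed dynamic sandbox would export, and all traces in it are constructed. The sandbox itself (the virtual machine layer, virtual OS layer and API hooking of claims 2 and 4) is out of scope here; the example consumes the traces such a sandbox would produce and shows the training and detection steps of claims 1 and 3 with a hand-written multinomial naive Bayes over API unigrams and bigrams.

```python
import math
from collections import Counter, defaultdict

# --- 1. Dynamic behaviour data ---------------------------------------------
# Hypothetical hook-log format (not the patent's): one line per hooked API
# call, "pid=<n> api=<Name> ret=<value>". Adapt parse_trace() to a real
# sandbox's export format.
def parse_trace(log_text):
    """Return the ordered list of API names recorded in a hook log."""
    calls = []
    for line in log_text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if "api" in fields:
            calls.append(fields["api"])
    return calls

# --- 2. Feature extraction ---------------------------------------------------
def extract_features(calls):
    """Bag of API unigrams plus adjacent-call bigrams (call order carries signal)."""
    feats = Counter(calls)
    feats.update(zip(calls, calls[1:]))
    return feats

# --- 3. Training (claim 3: samples -> behaviour data -> model) --------------
def train(labelled_traces, alpha=1.0):
    """Multinomial naive Bayes with Laplace smoothing, pure Python."""
    class_counts = Counter()
    feat_counts = defaultdict(Counter)
    vocab = set()
    for label, calls in labelled_traces:
        class_counts[label] += 1
        feats = extract_features(calls)
        feat_counts[label].update(feats)
        vocab.update(feats)
    n_docs = sum(class_counts.values())
    model = {"alpha": alpha, "vocab": vocab, "prior": {}, "loglik": {}, "denom": {}}
    for label, n_label in class_counts.items():
        model["prior"][label] = math.log(n_label / n_docs)
        total = sum(feat_counts[label].values())
        model["denom"][label] = math.log(total + alpha * len(vocab))
        model["loglik"][label] = {
            feat: math.log(cnt + alpha) - model["denom"][label]
            for feat, cnt in feat_counts[label].items()
        }
    return model

def _log_prob(model, label, feats):
    score = model["prior"][label]
    # Smoothed log-likelihood for a vocabulary feature never seen in this class.
    unseen = math.log(model["alpha"]) - model["denom"][label]
    for feat, n in feats.items():
        if feat in model["vocab"]:  # features outside the vocabulary are ignored
            score += n * model["loglik"][label].get(feat, unseen)
    return score

# --- 4. Detection (claim 1: target behaviour data -> model -> verdict) -------
def classify(model, calls):
    """Return (predicted label, per-class log scores) for one API-call trace."""
    feats = extract_features(calls)
    scores = {label: _log_prob(model, label, feats) for label in model["prior"]}
    return max(scores, key=scores.get), scores

def classify_log(model, log_text):
    return classify(model, parse_trace(log_text))

# Constructed training traces, standing in for sandbox-recorded behaviour.
TRAINING_TRACES = [
    ("malicious", ["CreateFileW", "WriteFile", "RegSetValueExW", "CreateProcessW",
                   "InternetOpenA", "HttpSendRequestA"]),
    ("malicious", ["RegSetValueExW", "CreateProcessW", "InternetOpenA",
                   "HttpSendRequestA", "WriteFile"]),
    ("malicious", ["CreateFileW", "RegSetValueExW", "CreateProcessW",
                   "InternetOpenA", "HttpSendRequestA", "DeleteFileW"]),
    ("benign", ["CreateFileW", "ReadFile", "ReadFile", "CloseHandle"]),
    ("benign", ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle"]),
    ("benign", ["GetSystemTimeAsFileTime", "CreateFileW", "ReadFile", "CloseHandle"]),
]

# Constructed hook log for a target sample (hypothetical format, see above).
TARGET_LOG = """pid=1337 api=CreateFileW ret=0x1c
pid=1337 api=RegSetValueExW ret=0
pid=1337 api=CreateProcessW ret=1
pid=1337 api=InternetOpenA ret=0xcc0004
pid=1337 api=HttpSendRequestA ret=1
"""

if __name__ == "__main__":
    model = train(TRAINING_TRACES)
    verdict, scores = classify_log(model, TARGET_LOG)
    print(verdict, {k: round(v, 2) for k, v in scores.items()})
```

Two design points matter when a practitioner scales this up: bigrams are kept because a registry write followed by process creation and network activity is a different behaviour from the same calls scattered across a long benign session, and features absent from the training vocabulary are ignored rather than penalised, so a sample cannot dodge the model simply by emitting novel, otherwise meaningless API calls.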
CN201910577148.4A 2019-06-28 2019-06-28 Malicious code detection method and device Pending CN110414233A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910577148.4A CN110414233A (en) 2019-06-28 2019-06-28 Malicious code detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910577148.4A CN110414233A (en) 2019-06-28 2019-06-28 Malicious code detection method and device

Publications (1)

Publication Number Publication Date
CN110414233A true CN110414233A (en) 2019-11-05

Family

ID=68358507

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910577148.4A Pending CN110414233A (en) 2019-06-28 2019-06-28 Malicious code detection method and device

Country Status (1)

Country Link
CN (1) CN110414233A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111460446A (en) * 2020-03-06 2020-07-28 奇安信科技集团股份有限公司 Malicious file detection method and device based on model
CN112699371A (en) * 2020-12-31 2021-04-23 上海戎磐网络科技有限公司 System and method for matching dynamic behavior characteristics with software genes

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105117645A (en) * 2015-07-29 2015-12-02 杭州安恒信息技术有限公司 Method for operating multiple samples of sandbox virtual machine based on file system filtering drive
CN106096415A (en) * 2016-06-24 2016-11-09 康佳集团股份有限公司 A kind of malicious code detecting method based on degree of depth study and system
CN106529293A (en) * 2016-11-09 2017-03-22 东巽科技(北京)有限公司 Sample classification determination method for malware detection
CN106960154A (en) * 2017-03-30 2017-07-18 兴华永恒(北京)科技有限责任公司 A kind of rogue program dynamic identifying method based on decision-tree model
CN107657176A (en) * 2017-09-26 2018-02-02 四川长虹电器股份有限公司 A kind of unknown malicious code identification of Behavior-based control analysis and analysis method
US10007786B1 (en) * 2015-11-28 2018-06-26 Symantec Corporation Systems and methods for detecting malware

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105117645A (en) * 2015-07-29 2015-12-02 杭州安恒信息技术有限公司 Method for operating multiple samples of sandbox virtual machine based on file system filtering drive
US10007786B1 (en) * 2015-11-28 2018-06-26 Symantec Corporation Systems and methods for detecting malware
CN106096415A (en) * 2016-06-24 2016-11-09 康佳集团股份有限公司 A kind of malicious code detecting method based on degree of depth study and system
CN106529293A (en) * 2016-11-09 2017-03-22 东巽科技(北京)有限公司 Sample classification determination method for malware detection
CN106960154A (en) * 2017-03-30 2017-07-18 兴华永恒(北京)科技有限责任公司 A kind of rogue program dynamic identifying method based on decision-tree model
CN107657176A (en) * 2017-09-26 2018-02-02 四川长虹电器股份有限公司 A kind of unknown malicious code identification of Behavior-based control analysis and analysis method

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111460446A (en) * 2020-03-06 2020-07-28 奇安信科技集团股份有限公司 Malicious file detection method and device based on model
CN111460446B (en) * 2020-03-06 2023-04-11 奇安信科技集团股份有限公司 Malicious file detection method and device based on model
CN112699371A (en) * 2020-12-31 2021-04-23 上海戎磐网络科技有限公司 System and method for matching dynamic behavior characteristics with software genes

Similar Documents

Publication Publication Date Title
US11188789B2 (en) Detecting poisoning attacks on neural networks by activation clustering
US11481492B2 (en) Method and system for static behavior-predictive malware detection
US11645515B2 (en) Automatically determining poisonous attacks on neural networks
US11487963B2 (en) Automatically determining whether an activation cluster contains poisonous data
CN110618854B (en) Virtual machine behavior analysis system based on deep learning and memory mirror image analysis
CN107944274A (en) A kind of Android platform malicious application off-line checking method based on width study
Zhao et al. Maldeep: A deep learning classification framework against malware variants based on texture visualization
CN110096878A (en) A kind of detection method of Malware
CN110414234A (en) Malicious code family identification method and device
CN104715190B (en) A kind of monitoring method and system of the program execution path based on deep learning
CN110958263B (en) Network attack detection method, device, equipment and storage medium
Alarifi et al. Anomaly detection for ephemeral cloud IaaS virtual machines
US11625483B2 (en) Fast identification of trustworthy deep neural networks
CN111651768B (en) Method and device for identifying link library function name of computer binary program
CN110414233A (en) Malicious code detection method and device
CN114036531A (en) Multi-scale code measurement-based software security vulnerability detection method
US10990669B2 (en) Vehicle intrusion detection system training data generation
CN110581857B (en) Virtual execution malicious software detection method and system
CN108985052A (en) A kind of rogue program recognition methods, device and storage medium
Pektaş et al. Runtime-behavior based malware classification using online machine learning
Taubmann et al. Architecture for resource-aware vmi-based cloud malware analysis
CN113885896A (en) Application software package installation method and device, computer equipment and storage medium
Sethi Classification of malware models
Zoppi et al. Detect adversarial attacks against deep neural networks with GPU monitoring
Pierdomenico Applied Feature Extraction for Novel Malicious Software Identification Using Convolutional Neural Networks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination