CN112613034B - Malicious document detection method and system, electronic device and storage medium - Google Patents


Info

Publication number: CN112613034B
Application number: CN202011503210.4A
Authority: CN (China)
Legal status: Active (granted)
Prior art keywords: malicious, document, target document, preset, detection method
Other languages: Chinese (zh)
Other versions: CN112613034A (en)
Inventor: 裴曼
Current assignee / original assignee: BEIJING ZHONGKE WANGWEI INFORMATION TECHNOLOGY CO LTD
Priority date / filing date: 2020-12-18
Publication dates: 2021-04-06 (CN112613034A), 2022-12-02 (CN112613034B)

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures > G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities > G06F21/577 Assessing vulnerabilities and evaluating computer system security


Abstract

The invention provides a malicious document detection method and system, an electronic device and a storage medium. The malicious document detection method comprises the following steps: performing de-obfuscation processing on a target document to obtain de-obfuscated data of the target document; searching whether a preset feature string exists in the de-obfuscated data; and if the preset feature string exists, determining that malicious executable code exists in the target document. Because the shellcode in a malicious document cannot be very long, the obfuscation transformation it applies cannot be very complex, so an intrusion detection system applying this technique can cope with malicious documents whose outward form keeps changing and can detect unknown malicious documents that have been altered by obfuscation, thereby addressing network security threats in the industry and avoiding the threat that unknown malicious documents pose to users.

Description

Malicious document detection method and system, electronic device and storage medium
Technical Field
The invention relates to the technical field of information security, in particular to a malicious document detection method and system, an electronic device and a storage medium.
Background
In high-intensity network security confrontation, the advanced persistent threat (APT) attack has become an important means; in such attacks, malicious documents are more easily trusted by users than ordinary executable programs and therefore play an important role.
A malicious document is a document in which a malicious function is embedded in a normally formatted document (such as an Office document or a PDF document), and the malicious function is executed by exploiting a vulnerability in the formatted-document parser (software such as Microsoft Office or Adobe Acrobat Reader). When a user opens a malicious document with a vulnerable parser, the malicious function is executed and the attacker's purpose is achieved. Malicious documents come in many varieties according to the document format and the parser vulnerability used, but most of them use shellcode as the attack carrier, so the detection of malicious documents can to a large extent rely on detecting the shellcode in the document.
Each formatted document has its own characteristics, and the way a vulnerability arises differs with the document structure, but the triggering process is basically similar and can be divided into five steps:
(1) When a user opens a formatted document, the file-format parser parses the document;
(2) At the vulnerable location, malformed data triggers the vulnerability;
(3) The malformed data that triggers the vulnerability can be executed as code and takes over the parser's execution flow, so that the program jumps to the shellcode constructed by the attacker;
(4) After a series of instructions is executed, the malicious behaviour the attacker wants is completed, which generally means dropping or downloading a Trojan horse program;
(5) Finally, normal document content is generated and displayed in order to deceive the user and conceal the attack.
Existing malicious document detection technology is mainly based on a shellcode feature library: whether malicious code exists is judged by comparing the target to be detected against known feature codes, and there is a considerable body of related research work. For example:
(1) Detection based on NOP fields: if consecutive NOP instructions appear in the target to be detected and their length exceeds a threshold, shellcode is judged to be present;
(2) Detection based on ROP attacks: a ROP attack is a means of protecting shellcode by bypassing DEP, but it has characteristics of its own, such as control transfers between short binary fragments based on POP/JMP instructions, and these characteristics are used as a means of detecting shellcode;
(3) Detection based on a shellcode space vector: the shellcode is statistically analysed to form a space vector, the angle between it and the vector formed from the target to be detected is computed, and shellcode is judged to be present when the angle exceeds a certain threshold.
Technology based on feature-code detection has a high detection speed, but because of the limitations of the detection features, its missed-detection and false-alarm rates are relatively high.
Specifically, existing detection technology has the following shortcomings:
(1) It is highly dependent on the rule base and cannot work when faced with new malicious documents, for example ones that use a zero-day vulnerability or a new version of a document format that has never appeared before.
(2) The accuracy of existing malicious document detection is not very high, and false alarms are frequent. Excessive false alarms increase the workload of network security administrators, so that real intrusion behaviour is overlooked.
Disclosure of Invention
The invention provides a malicious document detection method and system, an electronic device and a storage medium, which can cope with malicious documents whose outward form keeps changing and can detect unknown malicious documents that have been altered by obfuscation.
The invention provides a malicious document detection method, comprising the following steps:
performing de-obfuscation processing on a target document to obtain de-obfuscated data of the target document;
searching whether a preset feature string exists in the de-obfuscated data;
and if the preset feature string exists, determining that malicious executable code exists in the target document.
Preferably, the malicious document detection method includes:
performing first de-obfuscation processing on a target document to obtain first de-obfuscated data of the target document;
searching whether a preset feature string exists in the first de-obfuscated data;
if the preset feature string exists, determining that malicious executable code exists in the target document;
if the preset feature string does not exist, continuing to perform second de-obfuscation processing on the target document to obtain second de-obfuscated data of the target document;
searching whether the preset feature string exists in the second de-obfuscated data;
if the preset feature string exists, determining that malicious executable code exists in the target document;
if the preset feature string does not exist, continuing to perform third de-obfuscation processing on the target document to obtain third de-obfuscated data of the target document;
searching whether the preset feature string exists in the third de-obfuscated data;
and if the preset feature string exists, determining that malicious executable code exists in the target document.
Preferably, in the malicious document detection method, performing the first de-obfuscation processing on the target document to obtain the first de-obfuscated data of the target document specifically includes:
performing an exclusive OR of every two adjacent bytes in the target document to obtain the first de-obfuscated data of the target document.
Preferably, in the malicious document detection method, performing the second de-obfuscation processing on the target document to obtain the second de-obfuscated data of the target document specifically includes:
if the feature values determined in a preset area follow an incrementing pattern, performing the second de-obfuscation processing based on the incrementing values of every two adjacent bytes to obtain the second de-obfuscated data of the target document.
Preferably, in the malicious document detection method, performing the third de-obfuscation processing on the target document to obtain the third de-obfuscated data of the target document specifically includes:
if the feature values determined in a preset area follow a decrementing pattern, performing the third de-obfuscation processing based on the decrementing values of every two adjacent bytes to obtain the third de-obfuscated data of the target document.
Preferably, in the malicious document detection method, the preset feature string is "This program cannot be run in DOS mode".
Preferably, in the malicious document detection method, the target document includes an Office document and a PDF document.
The invention provides a malicious document detection system, comprising:
a de-obfuscation processing module, configured to perform de-obfuscation processing on a target document to obtain de-obfuscated data of the target document;
a searching module, configured to search whether a preset feature string exists in the de-obfuscated data;
and a determining module, configured to determine that malicious executable code exists in the target document when the preset feature string exists.
The invention provides an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the program, implements the steps of the malicious document detection method.
The present invention provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the malicious document detection method described herein.
Because the shellcode in a malicious document cannot be very long, the obfuscation transformation it applies cannot be very complex, so an intrusion detection system applying this technique can cope with malicious documents whose outward form keeps changing and can detect unknown malicious documents that have been altered by obfuscation, thereby addressing network security threats in the industry and avoiding the threat that the appearance of unknown malicious documents poses to users.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a schematic diagram of a malicious document detection method provided by the present invention;
FIG. 2 is a schematic diagram of a malicious document detection system provided by the present invention;
fig. 3 is a schematic diagram of an electronic device provided in the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic diagram of the malicious document detection method provided by the present invention; as shown in Fig. 1, the method includes:
performing de-obfuscation processing on a target document to obtain de-obfuscated data of the target document;
searching whether a preset feature string exists in the de-obfuscated data;
and if the preset feature string exists, determining that malicious executable code exists in the target document.
The attack capability of a malicious document mainly relies on shellcode to launch an executable Trojan program. The Trojan program is usually in the standard EXE format and contains the feature string "This program cannot be run in DOS mode" (the text of the DOS stub at the start of a Windows executable). To hide this feature string, the attacker applies an obfuscation transformation to the Trojan program; but the amount of shellcode is limited, so it is impossible for it to execute an overly complicated transformation function. Based on this characteristic of the executable file, the method accounts for the possible variations of the obfuscated malicious behaviour, and as soon as an anomaly is found it immediately starts the corresponding security policy, such as alerting, blocking and retrospective detection.
The detection method specifically comprises the following steps:
performing first de-obfuscation processing on a target document to obtain first de-obfuscated data of the target document;
searching whether a preset feature string exists in the first de-obfuscated data;
if the preset feature string exists, determining that malicious executable code exists in the target document;
if the preset feature string does not exist, continuing to perform second de-obfuscation processing on the target document to obtain second de-obfuscated data of the target document;
searching whether the preset feature string exists in the second de-obfuscated data;
if the preset feature string exists, determining that malicious executable code exists in the target document;
if the preset feature string does not exist, continuing to perform third de-obfuscation processing on the target document to obtain third de-obfuscated data of the target document;
searching whether the preset feature string exists in the third de-obfuscated data;
and if the preset feature string exists, determining that malicious executable code exists in the target document.
In other words, for each possible transformation mode the method adopts a different countermeasure and strategy to detect the feature string of the obfuscated executable file, and thereby detects the malicious file. The target documents include Office documents and PDF documents.
Performing the first de-obfuscation processing on the target document to obtain the first de-obfuscated data of the target document specifically includes: performing an exclusive OR of every two adjacent bytes in the target document to obtain the first de-obfuscated data of the target document.
(1) Obfuscation with a fixed value:
Denote the byte string of the feature string "This program cannot be run in DOS mode" as s[1] s[2] s[3] ... s[n]. After obfuscation with a fixed value (assume 0xAA), the feature string becomes s'[1] s'[2] s'[3] ... s'[n], where s'[i] = s[i] ^ 0xAA. The adjacent pairs s[1] s[2], s[2] s[3], s[3] s[4], ... are the original fixed string values, and s'[1] s'[2], s'[2] s'[3], s'[3] s'[4], ... are the transformed values, which are embedded at some location in the document. For any adjacent pair one obtains:
s'[1]^s'[2]
=(s[1]^0xAA)^(s[2]^0xAA)
=(s[1]^s[2])^(0xAA^0xAA)
=(s[1]^s[2])
It can be seen from this derivation that, whatever fixed value the shellcode XORs the Trojan program with, the key cancels out when two adjacent bytes are XORed with each other. When a suspicious target document is examined, the method therefore XORs each pair of adjacent bytes and searches the result for the correspondingly XORed feature string, and can thereby determine whether the document is a malicious document containing a Trojan program.
Performing the second de-obfuscation processing on the target document to obtain the second de-obfuscated data of the target document specifically includes:
if the feature values determined in a preset area follow an incrementing pattern, performing the second de-obfuscation processing based on the incrementing values of every two adjacent bytes to obtain the second de-obfuscated data of the target document.
(2) Obfuscation with incrementing values:
To evade the detection of fixed-value obfuscation, an attacker may instead obfuscate the Trojan program with an incrementing value. In general the values 0x00, 0x01, 0x02, ..., 0xFF are used, and in this case the second detection method is used.
Here another string characteristic of the Trojan program is exploited, namely that its header contains many regions of 0x00 bytes. A stretch of feature values is determined in a preset area of the kind just described; as soon as it is found to follow an incrementing pattern, the presence of the obfuscation transformation is judged, while tolerating non-zero bytes mixed into the 0x00 region. The specific procedure is as follows: first, 4 bytes are used to judge whether an incrementing phenomenon exists; then the count is continued byte by byte over 20 bytes and the proportion of bytes that satisfy the incrementing pattern is calculated; if it is high enough, an obfuscation transformation is judged to possibly exist. At the same time, taking this position as the starting point, the calculation continues forward and the transformed feature string "This program cannot be run in DOS mode" is searched for; if the feature string is found, the document is determined to be a malicious document containing a Trojan program.
Performing the third de-obfuscation processing on the target document to obtain the third de-obfuscated data of the target document specifically includes:
if the feature values determined in a preset area follow a decrementing pattern, performing the third de-obfuscation processing based on the decrementing values of every two adjacent bytes to obtain the third de-obfuscated data of the target document.
(3) Obfuscation with decrementing values:
Similarly to incrementing values, obfuscation with the decrementing values 0xFF, 0xFE, ..., 0x02, 0x01, 0x00 is handled by the following detection method to find malicious documents.
A stretch of feature values is determined where the header has many 0x00 bytes; as soon as it is found to follow a decrementing pattern, the presence of the obfuscation transformation is judged, while tolerating non-zero bytes mixed into the 0x00 region. First, 4 bytes are used to judge whether a decrementing phenomenon exists; then the count is continued byte by byte over 20 bytes and the proportion of bytes that satisfy the decrementing pattern is calculated; if it exceeds 80%, the possibility is judged. At the same time, taking this position as the starting point, the calculation continues forward and the transformed feature string "This program cannot be run in DOS mode" is searched for; if the feature string is found, the document is determined to be a malicious document containing a Trojan program.
The three types of de-obfuscation processing can be performed in sequence, stopping as soon as the feature string "This program cannot be run in DOS mode" is found in the de-obfuscated data of one of them, at which point the document can be determined to be a malicious document containing a Trojan program. If the feature string cannot be found after all three types of de-obfuscation processing have been performed in sequence, the document most probably does not contain a Trojan program.
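The following Python program is an added worked example and is not code from the patent or from its assignee. It implements the three passes described above (fixed-value obfuscation using the adjacent-byte XOR identity derived under (1), incrementing values under (2), decrementing values under (3)) and runs them in the patent's order over constructed sample documents. It goes beyond the text in one respect: instead of re-scanning forward from every candidate position, it reduces each candidate to the key byte the counter would have had at offset 0, so that each distinct keystream is unmasked and searched once. Assumptions not stated by the patent: the per-byte obfuscation operation is XOR (the patent says only "incrementing/decrementing values"), the 80% ratio given for the decrementing case is applied to the incrementing case too, and the carrier bytes, the fake MZ header, and all function names are ours.

```python
"""Added example: de-obfuscate, then search for the PE DOS-stub feature string.

Not the patent's own code.  Assumed (not stated by the patent): the per-byte
obfuscation is XOR with (a) a fixed key, (b) a key incrementing by 1 per byte,
or (c) a key decrementing by 1 per byte.  Sample inputs below are constructed.
"""
from typing import Iterator, Optional, Tuple

# The preset feature string from claim 2.
SIGNATURE = b"This program cannot be run in DOS mode"


def xor_adjacent(data: bytes) -> bytes:
    """First de-obfuscation: XOR each byte with its right neighbour.
    For any fixed key k, (a ^ k) ^ (b ^ k) == a ^ b, so k cancels."""
    return bytes(a ^ b for a, b in zip(data, data[1:]))


def find_fixed_xor(data: bytes) -> Optional[int]:
    """Offset of SIGNATURE under *any* fixed single-byte XOR key
    (including 0x00, i.e. an unobfuscated stub), else None."""
    idx = xor_adjacent(data).find(xor_adjacent(SIGNATURE))
    return idx if idx >= 0 else None


def _delta(data: bytes, j: int) -> int:
    """Difference between consecutive bytes, mod 256."""
    return (data[j + 1] - data[j]) & 0xFF


def counter_key_phases(data: bytes, step: int, probe: int = 4,
                       span: int = 20, ratio: float = 0.8) -> Iterator[int]:
    """Detection half of the second/third de-obfuscation.

    A run of plaintext 0x00 bytes (MZ header padding) XORed with a counter
    key shows up as bytes rising (step=+1) or falling (step=-1) by one.
    Patent heuristic: a 4-byte probe, then >= 80% in-sequence deltas over a
    20-byte window.  Each hit is reduced to the key byte the stream would
    have at offset 0 ('phase'), so one keystream is tried only once.
    """
    s = step & 0xFF
    seen = set()
    for i in range(len(data) - span):
        if any(_delta(data, j) != s for j in range(i, i + probe - 1)):
            continue
        hits = sum(_delta(data, j) == s for j in range(i, i + span - 1))
        if hits < ratio * (span - 1):
            continue
        phase = (data[i] - step * i) & 0xFF   # data[i] assumed to mask a 0x00
        if phase not in seen:
            seen.add(phase)
            yield phase


def unmask_counter(data: bytes, phase: int, step: int) -> bytes:
    """Undo XOR with the counter key k[j] = phase + step*j (mod 256)."""
    return bytes(c ^ ((phase + step * j) & 0xFF) for j, c in enumerate(data))


def find_counter_xor(data: bytes, step: int) -> Optional[int]:
    """Second (step=+1) / third (step=-1) de-obfuscation plus search."""
    for phase in counter_key_phases(data, step):
        idx = unmask_counter(data, phase, step).find(SIGNATURE)
        if idx >= 0:
            return idx
    return None


def detect(data: bytes) -> Optional[Tuple[str, int]]:
    """Apply the three passes in the patent's order; return (scheme, offset)
    of the exposed feature string, or None if no pass reveals it."""
    passes = (("fixed-xor", find_fixed_xor),
              ("incrementing-xor", lambda d: find_counter_xor(d, +1)),
              ("decrementing-xor", lambda d: find_counter_xor(d, -1)))
    for name, finder in passes:
        idx = finder(data)
        if idx is not None:
            return name, idx
    return None


# --- constructed sample input (not real malware) ---------------------------
# Minimal MZ-shaped blob: 'MZ', mostly-zero header, DOS stub code, stub text.
FAKE_PE = (b"MZ\x90\x00" + b"\x00" * 60
           + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
           + SIGNATURE + b".\r\r\n$" + b"\x00" * 16)
CARRIER = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\nstream\n"
SIGNATURE_OFFSET = len(CARRIER) + FAKE_PE.index(SIGNATURE)


def obfuscate(blob: bytes, k0: int, step: int) -> bytes:
    """Attacker side under the assumed model: XOR with a fixed key (step=0),
    an incrementing key (step=+1) or a decrementing key (step=-1)."""
    return bytes(c ^ ((k0 + step * n) & 0xFF) for n, c in enumerate(blob))


SAMPLES = {
    "plain":  CARRIER + FAKE_PE,
    "fixed":  CARRIER + obfuscate(FAKE_PE, 0xAA, 0),
    "inc":    CARRIER + obfuscate(FAKE_PE, 0x00, +1),
    "dec":    CARRIER + obfuscate(FAKE_PE, 0xFF, -1),
    "benign": CARRIER + bytes(range(256)) * 2,   # monotonic bytes, no stub
}

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        print(f"{label:7s} -> {detect(doc)}")
```

Run it directly to print the result for each sample; a hit returns the scheme name and the offset of the feature string within the document. The fixed-XOR pass is pure byte arithmetic and key-independent, so it also catches an unobfuscated stub (key 0x00). The counter passes depend on the run of zero bytes in the MZ header; a Trojan whose header padding is not zero, or an attacker who adds or rotates instead of XORing, would need an additional unmask function plugged into the same scan.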
Because the shellcode in a malicious document cannot be very long, the obfuscation transformation it applies cannot be very complex, so an intrusion detection system applying this technique can cope with malicious documents whose outward form keeps changing and can detect unknown malicious documents that have been altered by obfuscation, thereby addressing network security threats in the industry and avoiding the threat that the appearance of unknown malicious documents poses to users.
The malicious document detection system provided by the present invention is described below; the system described below and the method described above may be referred to in correspondence with each other.
Fig. 2 is a schematic diagram of the malicious document detection system provided by the present invention; as shown in Fig. 2, the system includes:
a de-obfuscation processing module 10, configured to perform de-obfuscation processing on a target document to obtain de-obfuscated data of the target document;
a searching module 20, configured to search whether a preset feature string exists in the de-obfuscated data;
and a determining module 30, configured to determine that malicious executable code exists in the target document when the preset feature string exists.
Fig. 3 illustrates the physical structure of an electronic device, which may include: a processor 310, a communications interface 320, a memory 330 and a communication bus 340, wherein the processor 310, the communications interface 320 and the memory 330 communicate with each other via the communication bus 340. The processor 310 may invoke logic instructions in the memory 330 to perform a malicious document detection method comprising:
performing de-obfuscation processing on a target document to obtain de-obfuscated data of the target document;
searching whether a preset feature string exists in the de-obfuscated data;
and if the preset feature string exists, determining that malicious executable code exists in the target document.
In addition, the logic instructions in the memory 330 may be implemented in the form of software functional units and stored in a computer readable storage medium when the software functional units are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In another aspect, the present invention also provides a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform a malicious document detection method comprising:
performing de-obfuscation processing on a target document to obtain de-obfuscated data of the target document;
searching whether a preset feature string exists in the de-obfuscated data;
and if the preset feature string exists, determining that malicious executable code exists in the target document.
In yet another aspect, the present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs a malicious document detection method comprising:
performing de-obfuscation processing on a target document to obtain de-obfuscated data of the target document;
searching whether a preset feature string exists in the de-obfuscated data;
and if the preset feature string exists, determining that malicious executable code exists in the target document.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment may be implemented by software plus a necessary general hardware platform, and may also be implemented by hardware. Based on the understanding, the above technical solutions substantially or otherwise contributing to the prior art may be embodied in the form of a software product, which may be stored in a computer-readable storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the various embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, and not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (5)

1. A malicious document detection method, comprising:
performing exclusive OR processing on every two adjacent bytes in a target document to obtain first anti-confusion data of the target document;
searching whether a preset characteristic string exists in the first anti-confusion data;
if the preset feature string exists, determining that a malicious execution code exists in the target document;
if the preset characteristic string does not exist, the characteristic values determined in the preset area accord with an increasing rule one by one, and second anti-aliasing processing is carried out on the basis of the increasing values of every two adjacent bytes to obtain second anti-aliasing data of the target document;
searching whether a preset characteristic string exists in the second anti-aliasing data;
if the preset feature string exists, determining that a malicious execution code exists in the target document;
if the preset characteristic string does not exist, the characteristic values determined in the preset area accord with a gradual decrease rule, and third anti-aliasing processing is carried out on the basis of the decrease values of every two adjacent bytes to obtain third anti-aliasing data of the target document;
searching whether a preset characteristic string exists in the third anti-aliasing data;
and if the preset feature string exists, determining that the malicious execution code exists in the target document.
2. The malicious document detection method according to claim 1, wherein the preset feature string is a This program canot bernin DOS mode.
3. The malicious document detection method according to claim 1, wherein the target document includes an Office document and a pdf document.
4. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the steps of the malicious document detection method according to any of claims 1 to 3 are implemented when the program is executed by the processor.
5. A non-transitory computer readable storage medium having stored thereon a computer program, characterized in that the computer program, when being executed by a processor, is adapted to carry out the steps of the malicious document detection method according to any of claims 1 to 3.
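The first de-obfuscation step of claim 1, worked through as an added example (this is not the patent's own code). XOR-ing every two adjacent bytes cancels a single-byte XOR key, since (a ^ k) ^ (b ^ k) == a ^ b, so the adjacent-XOR form of the known DOS-stub string of claim 2 can be located in the transformed document without knowing the key. It assumes the preset feature string is compared in that same adjacent-XOR form, builds its sample document inline, and does not cover the incrementing and decrementing key cases of the later steps.

```python
# Added example: first de-obfuscation step (adjacent-byte XOR) of claim 1.
# Assumption: the feature string is matched in adjacent-XOR form.
DOS_STUB = b"This program cannot be run in DOS mode"


def adjacent_xor(data: bytes) -> bytes:
    """First de-obfuscation data: XOR of every two adjacent bytes."""
    return bytes(data[i] ^ data[i + 1] for i in range(len(data) - 1))


def find_feature(document: bytes, feature: bytes = DOS_STUB) -> int:
    """Offset of the feature string inside the document, even when the
    document region is hidden under a single-byte XOR key; -1 if absent."""
    if len(document) < len(feature):
        return -1
    # The key cancels out of both sides, so the fingerprints line up.
    return adjacent_xor(document).find(adjacent_xor(feature))


def recover_key(document: bytes, offset: int, feature: bytes = DOS_STUB) -> int:
    """Once the feature is located, the key is the XOR of the obfuscated
    first byte with the known plaintext first byte (useful for triage)."""
    return document[offset] ^ feature[0]


def build_sample(key: int) -> bytes:
    """Constructed sample document (not a real malware specimen): a PDF-like
    header followed by a PE-style MZ header and DOS stub XORed with `key`.
    key == 0 yields the unobfuscated form."""
    payload = b"MZ\x90\x00" + b"\x00" * 12 + DOS_STUB + b".\r\r\n$"
    obfuscated = bytes(b ^ key for b in payload)
    return b"%PDF-1.4\n%stream\n" + obfuscated + b"\nendstream\n"


if __name__ == "__main__":
    doc = build_sample(0x5A)
    off = find_feature(doc)
    if off >= 0:
        print(f"feature string at offset {off}, key 0x{recover_key(doc, off):02x}")
    else:
        print("feature string not found")
```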
CN202011503210.4A 2020-12-18 2020-12-18 Malicious document detection method and system, electronic device and storage medium Active CN112613034B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011503210.4A CN112613034B (en) 2020-12-18 2020-12-18 Malicious document detection method and system, electronic device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011503210.4A CN112613034B (en) 2020-12-18 2020-12-18 Malicious document detection method and system, electronic device and storage medium

Publications (2)

Publication Number Publication Date
CN112613034A CN112613034A (en) 2021-04-06
CN112613034B true CN112613034B (en) 2022-12-02

Family

ID=75240484

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011503210.4A Active CN112613034B (en) 2020-12-18 2020-12-18 Malicious document detection method and system, electronic device and storage medium

Country Status (1)

Country Link
CN (1) CN112613034B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116303290B (en) * 2023-05-16 2023-08-04 北京安天网络安全技术有限公司 Office document detection method, device, equipment and medium

Citations (1)

Publication number Priority date Publication date Assignee Title
CN106446686A (en) * 2016-09-30 2017-02-22 北京奇虎科技有限公司 Method and device for detecting malicious document

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
WO2014089744A1 (en) * 2012-12-10 2014-06-19 华为技术有限公司 Method and apparatus for detecting malicious code
US20150169508A1 (en) * 2013-12-13 2015-06-18 Konica Minolta Laboratory U.S.A., Inc. Obfuscating page-description language output to thwart conversion to an editable format
EP3404572B1 (en) * 2016-02-24 2020-09-23 Nippon Telegraph And Telephone Corporation Attack code detection device, attack code detection method, and attack code detection program
CN108804921A (en) * 2018-05-29 2018-11-13 中国科学院信息工程研究所 The going of a kind of PowerShell codes obscures method and device

Patent Citations (1)

Publication number Priority date Publication date Assignee Title
CN106446686A (en) * 2016-09-30 2017-02-22 北京奇虎科技有限公司 Method and device for detecting malicious document

Non-Patent Citations (1)

Title
Technical sharing: hands-on analysis of several common JavaScript obfuscation and de-obfuscation tools; GJQ112; CSDN forum; 2020-03-12; pages 1, 3-4 *

Also Published As

Publication number Publication date
CN112613034A (en) 2021-04-06

Similar Documents

Publication Publication Date Title
Sung et al. Static analyzer of vicious executables (save)
CA2759279C (en) Digital dna sequence
US8769692B1 (en) System and method for detecting malware by transforming objects and analyzing different views of objects
Stolfo et al. Towards stealthy malware detection
Shhadat et al. The use of machine learning techniques to advance the detection and classification of unknown malware
KR101212553B1 (en) Apparatus and method for detecting malicious files
Sihag et al. BLADE: Robust malware detection against obfuscation in android
KR101851233B1 (en) Apparatus and method for detection of malicious threats included in file, recording medium thereof
CN105247532A (en) Unsupervised anomaly-based malware detection using hardware features
EP2284752B1 (en) Intrusion detection systems and methods
US10594705B2 (en) Systems and methods for instructions-based detection of sophisticated obfuscation and packing
Yücel et al. Imaging and evaluating the memory access for malware
Stolfo et al. Fileprint analysis for malware detection
Zhao et al. A feature extraction method of hybrid gram for malicious behavior based on machine learning
Kaur et al. Efficient hybrid technique for detecting zero-day polymorphic worms
CN112613034B (en) Malicious document detection method and system, electronic device and storage medium
EP3800570B1 (en) Methods and systems for genetic malware analysis and classification using code reuse patterns
Bragen Malware detection through opcode sequence analysis using machine learning
Soja Rani et al. A survey on different approaches for malware detection using machine learning techniques
Hu et al. Research on Android ransomware protection technology
KR101908517B1 (en) Method for malware detection and unpack of malware using string and code signature
Hajarnis et al. A comprehensive solution for obfuscation detection and removal based on comparative analysis of deobfuscation tools
Payer et al. Similarity-based matching meets malware diversity
Helmer et al. Anomalous intrusion detection system for hostile Java applets
Aslan et al. Malware detection method based on file and registry operations using machine learning

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant