CN102867038A - Method and device for determining type of file - Google Patents

Publication number
CN102867038A
Authority
CN
China
Legal status
Pending
Application number
CN2012103171169A
Other languages
Chinese (zh)
Inventor
金正虎
陈添
梁志文
Current Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN2012103171169A
Publication of CN102867038A

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a method and a device for determining the type of a file. The method comprises the following steps of: extracting the attribute characteristic information of a file to be determined; comparing the extracted attribute characteristic information with attribute characteristic information which is pre-stored in a rule set and corresponds to files of each type; and determining a type corresponding to attribute characteristic information in line with the attribute characteristic information of the file to be determined in the rule set as the type of the file to be determined. The attribute characteristic information of the file to be determined is extracted, and is compared with the attribute characteristic information which is pre-stored in the rule set and corresponds to the files of each type, and the type corresponding to the attribute characteristic information in line with the attribute characteristic information of the file to be determined in the rule set is determined as the type of the file to be determined, so that the type of the file can be determined according to the attribute characteristic information of the file to be determined.

Description

Method and device for determining type of file
Technical field
The present invention relates to the computer field, and in particular to a method and device for determining the type of a file.
Background technology
In recent years, the number of malicious programs worldwide has grown geometrically. Given this explosive growth, the generation and updating of the signature databases used to detect and remove malicious programs often lag behind; that is, the malicious-program signatures added to a signature database cannot keep up with the endless stream of unknown malicious programs.
As malicious-program authors apply detection-evasion techniques, malicious programs are packed or have their signatures modified; in addition, many current Trojan programs adopt more numerous, faster and more frequent automatic variation. All of this makes it increasingly difficult to judge a malicious program by its malicious behavior and/or malicious features, and therefore increasingly difficult to detect, remove or clean it.
The Portable Executable (PE) file is a common file format; for example, EXE, DLL, OCX, SYS and COM files are PE files. A PE file is a program file on the Microsoft Windows operating system (it may be executed indirectly, as with a DLL).
When traditional antivirus software scans a file, it extracts only virus features and cannot extract the attribute characteristics of normal files. Its feature extraction is also rather passive: it extracts a feature only when one is found, and the extracted feature is not necessarily the most prevalent one. Moreover, because each extracted feature is specific to a particular malicious program, in the traditional way of extracting features from executable files one feature can only cover a small class of samples; the approach is lagging and one-sided, so that determining file types is inaccurate and inefficient.
No effective solution has yet been proposed for the problem of poor accuracy and low efficiency when determining file types in the related art.
Summary of the invention
In view of the problem of poor accuracy and low efficiency when determining file types in the related art, the present invention proposes a method and device for determining the type of a file, which can determine the type of a file according to the attribute characteristics of the file to be determined.
The technical solution of the present invention is implemented as follows:
According to one aspect of the present invention, a method for determining the type of a file is provided, the method comprising:
extracting the attribute characteristic information of the file to be determined;
comparing the extracted attribute characteristic information with the attribute characteristic information that is pre-stored in a rule set and corresponds to files of each type;
determining the type corresponding to the attribute characteristic information in the rule set that matches the attribute characteristic information of the file to be determined as the type of the file to be determined.
The method further comprises:
extracting the common attribute characteristics of a plurality of files given in advance, and storing the attribute characteristic information of the extracted common attribute characteristics in the rule set as the attribute characteristic information corresponding to the type of the files given in advance.
Extracting the common attribute characteristics of the files given in advance comprises:
for the plurality of files given in advance, extracting the attribute characteristics specified by a user, and determining the type of the plurality of files according to the extracted attribute characteristics.
When determining whether the plurality of files given in advance belong to the malicious file type, the judgment is made, as the case requires, with reference to one extracted attribute characteristic or a combination of several, the extracted attribute characteristics comprising at least one of the following: import/export table CRC and/or code-segment cyclic redundancy check (CRC) code;
when determining whether a plurality of files to be determined belong to the ordinary file type, the extracted attribute characteristics comprise at least the code-segment CRC.
In addition, the attribute characteristics pre-stored in the rule set for files of each type comprise at least one of the following: file structure, compiler information, version information, digital signature, program entry point value, code-segment CRC, import/export table CRC, section CRC, additional data offset, TLS value, icon, author's development environment, and the steps and description used to make the CRC rule.
Preferably, the file to be determined is a portable executable file.
Preferably, the files to be determined are a class of files having the same attribute characteristic information.
According to another aspect of the present invention, a device for determining the type of a file is provided, the device comprising:
an extraction module, configured to extract the attribute characteristic information of the file to be determined;
a comparison module, configured to compare the extracted attribute characteristic information with the attribute characteristic information that is pre-stored in a rule set and corresponds to files of each type;
a determination module, configured to determine the type corresponding to the attribute characteristic information in the rule set that matches the attribute characteristic information of the file to be determined as the type of the file to be determined.
The attribute characteristics pre-stored in the rule set for files of each type comprise at least one of the following: file structure, compiler information, version information, digital signature, code-segment CRC, import/export table CRC, section CRC, additional data offset, TLS value, icon, author's development environment, and the steps and description used to make the CRC rule.
In addition, optionally, the file to be determined is a portable executable file.
By extracting the attribute characteristic information of the file to be determined and comparing it with a rule set in which the attribute characteristic information corresponding to files of each type is pre-stored, the present invention determines the type of a file according to its attribute characteristic information. Because attribute characteristic information is an attribute of the file itself rather than a specific feature of the file, judging file type by attribute characteristic information does not need to rely on an up-to-date signature database, which avoids the lag and inaccuracy that arise when determining malicious files. Extracting and comparing the attribute characteristics of a file is also comparatively easy, so the efficiency of file type determination can be improved. In addition, the scheme can be used not only to judge malicious files; for ordinary files, the scheme of the present invention can likewise be used to determine file type.
Description of drawings
In order to illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings used in the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of the method for determining the type of a file according to an embodiment of the present invention;
Fig. 2 is a block diagram of the device for determining the type of a file according to an embodiment of the present invention.
Embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention fall within the scope of protection of the present invention.
According to an embodiment of the present invention, a method for determining the type of a file is provided.
As shown in Fig. 1, the method for determining the type of a file according to the embodiment of the present invention comprises:
Step S101: extracting the attribute characteristic information of the file to be determined;
Step S103: comparing the extracted attribute characteristic information with the attribute characteristic information that is pre-stored in a rule set and corresponds to files of each type;
Step S105: determining the type corresponding to the attribute characteristic information in the rule set that matches the attribute characteristic information of the file to be determined as the type of the file to be determined.
The method further comprises a step of determining the rule set in advance. A plurality of samples can be stored in the rule set. Samples come from files uploaded by the software's cloud scheduled tasks, files collected manually, and files downloaded from the network; in addition, when monitoring shows that software on some computer needs updating, the upgrade package of that software can be downloaded. The embodiments of the present invention place no restriction on how files are obtained; as long as a file can be obtained, the technical solution of the embodiments can be applied.
The program has a dedicated extraction module that automatically extracts all attribute characteristics of each file to be determined. After a new sample is collected, it can be matched against the existing feature database; if the match succeeds, the appropriate level is set automatically. If it does not match, the extraction module can automatically extract information from dozens of places in the file's PE structure, such as the program entry point, together with compiler information, version information, digital signature, the CRC of each section including the code segment, import/export table CRC, section CRC, additional data offset, TLS value, icon CRC, author's development environment, and other information.
When making the rule set, the common attribute characteristics of a plurality of files given in advance can be extracted, and the attribute characteristic information of the extracted common attributes is stored in the rule set as the attribute characteristic information corresponding to the type of those files; the rule set thus obtained can be used for the judgment in step S103 and step S105.
In the above process, the plurality of files are files that an automated program has grouped into one class according to some common feature. The analyst can then, based on experience, selectively find the common features of this class of files; there may be one common feature or several. After finding one or more common features, the analyst selects them on the page, and the backend matches all samples against the selected features. If the match hits most of the plurality of files, they are considered one class, and the analyst selects the appropriate level on the page based on analysis experience.
Therefore, the rule set adopted in the present application in fact stores the correspondence between a file type and one attribute characteristic or a combination of several (attribute characteristics are stored in the rule set in the form of attribute characteristic information). Once the attribute characteristic information extracted from a file to be determined hits the attribute characteristic information, or combination of attribute characteristic information, corresponding to a file type in the rule set, the file is determined to belong to the type corresponding to that attribute characteristic information or combination.
When determining the rule set in advance, the attribute characteristics specified by a user can be extracted from the plurality of files given in advance, and the type of the plurality of files determined according to the extracted attribute characteristics.
When determining whether a plurality of files to be determined belong to the malicious file type, the attribute characteristics to extract can be decided according to the actual situation; that is, one attribute characteristic can be extracted for the judgment, or several. Similarly, when determining whether a plurality of files to be determined belong to the ordinary file type, one or more attribute characteristics can likewise be extracted for the judgment according to the actual situation. Optionally, when judging whether a file is a malicious file, the extracted attribute characteristics can include at least the import/export table CRC (Cyclic Redundancy Check, CRC for short) (the CRC values of viruses are largely similar or even identical); the registry; the development environment.
Optionally, when determining whether a plurality of files to be determined belong to the ordinary file type, the extracted attribute characteristics include at least the code-segment CRC (the code segment of a trusted file should be intact; if it has been modified, there is a risk).
In addition, the attribute characteristics pre-stored in the rule set for files of each type comprise at least one of the following: file structure, compiler information, version information, digital signature, program entry point value, code-segment CRC, import/export table CRC, section CRC, additional data offset, TLS value, icon, author's development environment, and the steps and description used to make the CRC rule.
The present application considers that files with the same author, the same development environment, the same or similar CRCs, and so on often have the same type. Therefore, the attribute characteristics of files of a determined type (which may be one or a combination of several of the attribute characteristics above) are compared with the attribute characteristics of an unknown file; if the attribute characteristics of the unknown file are identical to or consistent with those of the files of determined type, the type of the unknown file can be determined.
Preferably, the file to be determined is a portable executable file.
Preferably, the files to be determined are a class of files having the same attribute characteristic information.
In general, a class of samples made by the same vendor, files generated by the same tool, or programs made by the same author (the samples, files and programs here include files of many types, such as Trojans and ordinary files) share the same attribute characteristics to a large extent.
If the above files have common attribute characteristics, they will appear in the TOP sorted list of that attribute characteristic. For example, files with the same code segment appear in the code-segment TOP list, files with the same icon CRC appear in the icon-CRC TOP list, files with the same import table CRC appear in the import-table-CRC TOP list, and so on. These TOP sorted lists can be sorted by number of users and by trust count. In other words, files with no common attribute characteristic do not appear in a TOP list. In practice, when the analyst clicks an item in a TOP list, all files matching that attribute characteristic are listed; the analyst uses experience to look for other common features of this class of samples, and after selectively choosing common features goes on to judge whether the samples are malicious, normal or meaningless. That is, the program can classify accurately according to a given class of features, and the analyst judges whether the class of samples sharing these common features is black or white (for example, whether the class of files is malicious or trusted).
Therefore, common properties such as PE structure, compiler, version and digital signature are extracted from this class of sample files, and these are combined to make a specific rule (corresponding to the rule set above), so that whether a class of file samples is malicious can be judged in batches (that is, whether the file samples are black, a black file sample being a malicious program). For a new file whose type needs to be determined, if the file matches a rule made as above, whether it is a malicious file or a trusted file can be identified automatically without manual intervention. In practice, the attributes of a file can include the PE structure and other combined information, and their number can exceed 60; the important attribute characteristics include: program entry point value, code-segment CRC, import/export table CRC, section CRC, additional data offset, TLS value, icon, and the steps and description used to make the CRC rule.
For the first judgment, rules need to be made manually, that is, the rule set above is generated. For example, for a batch of samples of unknown type, the operator can select one or more attribute characteristics, so that the system sorts the samples by the selected attribute characteristics and displays the sorted result as a list. From the sorted result the operator can determine which samples share the same (extracted) attribute characteristics. The operator can then manually judge some of the samples (manual intervention) to determine their type, which amounts to determining the type of all samples of that class sharing the same attribute characteristics, effectively improving the efficiency of judgment.
In practice, the attribute characteristics of files can be displayed as a table. For example, the table can include the following columns: Value (code-segment CRC), count (number of samples with that code-segment CRC), weight (total trust count), peinfo (compiler information), and so on. The user can gather sample statistics and begin to make a rule, at which point all MD5s corresponding to the code-segment CRC and their level distribution are displayed. Matching by MD5 value can greatly reduce matching time, ensuring fast comparison and matching while also ensuring the security of the files.
There are several ways to set the levels; for example, the levels can be divided into four kinds: white file, black file, high risk, and game cheat/private server.
By means of the table above, the attribute characteristics of a batch of sample files can be displayed so that the operator can make the first judgment, that is, make the rule used for judging.
For example, for the PE structure, the attributes extracted for judging the file type can include, but are not limited to, the following:
Sections.crc: CRC of the section-name string
Modules.crc: CRC of the imported modules
Apis.crc: CRC of the imported APIs
Symbols.crc: CRC of the export table
Icon.crc: icon CRC
Overlay.offset: additional data offset
Tls.exists: whether a TLS value exists
Tls.crc: CRC calculated from the TLS value
File.size: file size
.text .data .rsrc: CRC of each section
PDB: author's development environment
InternalName, FileVersion, CompanyName, Productname, ProductVersion, OriginalFIlename: version information
Peinfo: compiler information
Sign_corp: digital signature
The operator can make a subjective judgment based on experience, tick options in the rule and save it. Afterwards, any newly appearing sample that matches the selected rule is automatically assigned the appropriate level (which can also be understood as determining the level of its file type).
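As an added illustration (not part of the patent text), the following Python sketch extracts a few of the attributes listed above from a PE image and matches them against a rule set. The feature key spellings, the use of CRC-32 (the text does not say which CRC is used), the helper names and the sample image built in the code are all assumptions made for the example.

```python
import struct
import zlib


def build_sample_pe(code: bytes, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 image with a single .text section (test data only)."""
    raw = code.ljust(-(-len(code) // 512) * 512, b"\0")             # pad to file alignment
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)         # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                          # AddressOfEntryPoint
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000,
                       len(raw), 512, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(512, b"\0") + raw + overlay


def extract_features(data: bytes) -> dict:
    """Extract some of the listed attributes; key names are this example's own."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("not an MZ image")
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
        opt_off = pe_off + 24
        feats = {"file.size": len(data),
                 "entry_point": struct.unpack_from("<I", data, opt_off + 16)[0]}
        names, raw_end = [], 0
        for i in range(nsec):
            name, _, _, rsize, rptr = struct.unpack_from(
                "<8sIIII", data, opt_off + opt_size + 40 * i)
            if rptr + rsize > len(data):
                raise ValueError("section data runs past end of file")
            name = name.rstrip(b"\0").decode("ascii", "replace")
            names.append(name)
            feats[name] = zlib.crc32(data[rptr:rptr + rsize])        # per-section CRC
            raw_end = max(raw_end, rptr + rsize)
    except struct.error as exc:
        raise ValueError("truncated PE headers") from exc
    feats["sections.crc"] = zlib.crc32("".join(names).encode())      # section-name string CRC
    feats["overlay.offset"] = raw_end if raw_end < len(data) else None
    return feats


def make_rule(file_type: str, features: dict, chosen: list) -> dict:
    """A rule is a file type plus the combination of attribute values the operator ticked."""
    return {"type": file_type, "match": {k: features[k] for k in chosen}}


def classify(features: dict, rule_set: list):
    """Return the type of the first rule whose every attribute matches, else None."""
    for rule in rule_set:
        if all(features.get(k) == v for k, v in rule["match"].items()):
            return rule["type"]
    return None   # unknown: left for an analyst


# Constructed bytes standing in for the code section of an analyst-labelled sample.
CODE = b"\x55\x8b\xec\x33\xc0\x5d\xc3"
KNOWN = extract_features(build_sample_pe(CODE))
RULES = [make_rule("black", KNOWN, [".text", "sections.crc", "entry_point"])]


def demo():
    # Same code with appended data: the whole-file hash changes, the rule still hits.
    variant = build_sample_pe(CODE, overlay=b"appended-config-1234")
    # One code byte changed: the code-section CRC changes, so the rule no longer hits.
    patched = build_sample_pe(CODE[:-1] + b"\x90")
    return (classify(extract_features(variant), RULES),
            classify(extract_features(patched), RULES))


if __name__ == "__main__":
    print(demo())
```

The patched case also shows the limit of a CRC-based rule: any change inside the hashed region produces a different value, so a rule built on a section CRC only groups files whose section bytes are identical.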
In addition, a search page can be provided for the rules, so that all rules already made can be searched by the search conditions entered. Statistical rules can also be set, so that, taking a given time period as the condition, the number of new samples matched by a rule in that period can be searched. This page shows how many samples each rule matched in a given period, and the number of matched samples shows how prevalent the samples were in that period.
According to an embodiment of the present invention, a device for determining the type of a file is provided.
As shown in Fig. 2, the device for determining the type of a file according to the embodiment of the present invention comprises:
a display module (not shown), which displays the TOP list of recently prevalent samples according to a given attribute characteristic.
The attribute characteristic can be some or all of the attribute characteristics, such as the various attributes of the PE structure, section CRCs including the code segment, import/export table CRC, icon CRC, and so on;
extraction module 1, configured to extract the attribute characteristic information of the file to be determined;
comparison module 2, configured to compare the extracted attribute characteristic information with the attribute characteristic information that is pre-stored in a rule set and corresponds to files of each type;
determination module 3, configured to determine the type corresponding to the attribute characteristic information in the rule set that matches the attribute characteristic information of the file to be determined as the type of the file to be determined;
result display module 5, which displays the number of samples matched by each feature or a given feature within a given time period and their prevalence, and can also determine from a given MD5 whether an existing rule has been hit;
a rescan module (not shown), which every night rescans all existing samples with all submitted rules and assigns the corresponding accurate level to every sample that hits a rule.
The files themselves are stored on a cloud server, and the specific features and the MD5s hit by each feature are stored in a purpose-designed database.
PE files are identified, and the file attribute information of the PE files is extracted, by a purpose-written automatic program. The file attribute information includes: file structure, compiler information, file size, version information, digital signature, code-segment CRC, import/export table CRC, section CRC, additional data offset, TLS value, icon CRC, author's compilation environment, and the steps and description used to make the CRC rule.
The attribute characteristics pre-stored in the rule set for files of each type comprise at least one of the following: file structure, compiler information, version information, digital signature, code-segment CRC, import/export table CRC, section CRC, additional data offset, TLS value, icon, and the steps and description used to make the CRC rule.
The file to be determined can be a portable executable file (PE file).
The above technical solution of the present invention can judge file type by CRC rules, and can catch not only black samples (malicious files) but also trusted samples (ordinary files). In addition, the scheme of the present application can use attribute characteristics such as code-segment CRC, import/export table CRC, section CRC, and the steps and description used to make the CRC rule as the basis for judging file type. Because CRCs of the same type yield the same CRC value after calculation, comparison by CRC value has higher accuracy; this scheme of determining file type by CRC rules can therefore eliminate the possibility of false positives (for an unknown sample, if the sample is prevalent, the code-segment CRC, import/export table CRC and section CRC can each be sorted, and the sample can be checked). With CRC rules, prevalent black samples and trusted samples can be found proactively, so that the most prevalent samples are dealt with first. For example, if a virus is found in a TOP list, it has been prevalent recently; if a trusted file is found, that class of software has been prevalent recently and has not yet been collected in the current trusted list. In addition, rescanning all historical samples automatically assigns an accurate level to samples missed in the past. For newly appearing samples, as long as they match a rule, the level is set automatically without an analyst, reducing analysis pressure while improving timeliness.
The scheme of the present invention can be implemented with the help of TOP lists. A TOP list is a list sorted from most to fewest according to the number of samples matching a given feature and the total user trust count of all their MD5s. Sorting from most to fewest amounts to sorting samples by prevalence.
Automatic rescanning of historical samples means that at a specified time (for example, every night) the rescan module rescans all existing historical samples with all submitted rules, and every sample that hits a rule is automatically assigned the appropriate level.
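As an added illustration (not part of the patent text), the TOP list, rule making and nightly rescan described above can be sketched in Python as follows. The sample store, its placeholder MD5s and CRC values, the function names and the 60% threshold standing in for "most of the files" are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sample store: MD5 placeholder -> extracted features, user trust count, level.
SAMPLES = {
    "md5-a": {"features": {".text": 0x1111, "icon.crc": 0xAAAA, "peinfo": "packer-x"},
              "trust": 0, "level": None},
    "md5-b": {"features": {".text": 0x1111, "icon.crc": 0xAAAA, "peinfo": "packer-x"},
              "trust": 1, "level": None},
    "md5-c": {"features": {".text": 0x1111, "icon.crc": 0xBBBB, "peinfo": "packer-x"},
              "trust": 0, "level": None},
    "md5-d": {"features": {".text": 0x2222, "icon.crc": 0xCCCC, "peinfo": "msvc"},
              "trust": 40, "level": None},
    "md5-e": {"features": {".text": 0x2222, "icon.crc": 0xCCCC, "peinfo": "msvc"},
              "trust": 55, "level": None},
    "md5-f": {"features": {".text": 0x3333, "icon.crc": 0xDDDD, "peinfo": "msvc"},
              "trust": 2, "level": None},
}


def hits(features, match):
    """A sample hits a rule when every attribute value in the rule is equal."""
    return all(features.get(k) == v for k, v in match.items())


def top_list(samples, feature):
    """Rows of (value, count, weight, md5s), sorted by sample count then total trust.

    Values carried by a single sample are dropped: with no common attribute
    characteristic, a file does not appear in the TOP list.
    """
    groups = defaultdict(lambda: {"md5s": [], "weight": 0})
    for md5, sample in samples.items():
        value = sample["features"].get(feature)
        if value is not None:
            groups[value]["md5s"].append(md5)
            groups[value]["weight"] += sample["trust"]
    rows = [(value, len(g["md5s"]), g["weight"], sorted(g["md5s"]))
            for value, g in groups.items() if len(g["md5s"]) > 1]
    return sorted(rows, key=lambda r: (r[1], r[2]), reverse=True)


def make_rule(samples, md5s, chosen, level, min_ratio=0.6):
    """Build a rule from the analyst's chosen features; reject it if it misses most of the class."""
    match = {f: Counter(samples[m]["features"].get(f) for m in md5s).most_common(1)[0][0]
             for f in chosen}
    matched = [m for m in md5s if hits(samples[m]["features"], match)]
    if len(matched) / len(md5s) < min_ratio:
        return None
    return {"level": level, "match": match}


def rescan(samples, rules):
    """Apply every rule to every stored sample; return the MD5s whose level changed."""
    changed = []
    for md5, sample in samples.items():
        for rule in rules:
            if hits(sample["features"], rule["match"]):
                if sample["level"] != rule["level"]:
                    sample["level"] = rule["level"]
                    changed.append(md5)
                break   # first matching rule decides the level
    return sorted(changed)


if __name__ == "__main__":
    rows = top_list(SAMPLES, ".text")
    rule = make_rule(SAMPLES, rows[0][3], [".text", "icon.crc"], "black")
    print(rows, rule, rescan(SAMPLES, [rule]))
```

Adding a second feature to a rule narrows it: here the combined rule leaves md5-c unlabelled even though it shares the code-section CRC, which is the trade-off the analyst makes when choosing which common features to tick.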
In summary, by means of the above technical solution of the present invention, the attribute characteristic information of the file to be determined is extracted and compared with a rule set in which the attribute characteristic information corresponding to files of each type is pre-stored, and the type of the file is determined according to its attribute characteristic information. Because attribute characteristic information is an attribute of the file itself rather than a specific feature of the file, judging file type by attribute characteristic information does not need to rely on an up-to-date signature database, which avoids the lag and inaccuracy that arise when determining malicious files. Extracting and comparing the attribute characteristics of a file is also comparatively easy, so the efficiency of file type determination can be improved. In addition, the scheme can be used not only to judge malicious files; for ordinary files, the scheme of the present invention can likewise be used to determine file type.
The above are only preferred embodiments of the present invention and are not intended to limit the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (10)

1. definite method of a file type is characterized in that, comprising:
Extract the attributive character information of file to be determined;
The corresponding attributive character information of file of each type of pre-save in the described attributive character information extracted and the rule set is compared;
The corresponding type of attributive character information that is consistent with the attributive character information of file to be determined in the described rule set is defined as the type of described file to be determined.
2. The determination method according to claim 1, characterized in that it further comprises:
Extracting the common attribute features of a plurality of given files, and storing the attribute feature information of the extracted common attribute features in the rule set as the attribute feature information corresponding to the type of the given files.
3. The determination method according to claim 2, characterized in that extracting the common attribute features of the given files comprises:
For a plurality of given files, extracting the attribute features specified by a user, and determining the type of the plurality of files according to the extracted attribute features.
4. The determination method according to claim 3, characterized in that:
When determining whether a plurality of given files belong to the malicious file type, the judgment is made with reference to one extracted attribute feature or a combination of several attribute features, as the case requires, and the extracted attribute features include at least one of the following: the import/export table and/or the code segment cyclic redundancy check code (CRC);
When determining whether a plurality of files to be determined belong to the ordinary file type, the extracted attribute features include at least the code segment CRC.
5. The determination method according to any one of claims 1-4, characterized in that the attribute feature information pre-stored in the rule set for each type of file comprises at least one of the following: file structure, compiler information, version information, digital signature, code segment CRC, import/export table CRC, Section CRC, additional data offset, TLS value, icon, author's development environment, rule steps for making the CRC, and description.
6. The determination method according to any one of claims 1-4, characterized in that the file to be determined is a portable executable (PE) file.
7. The determination method according to any one of claims 1-4, characterized in that the file to be determined is a class of files having the same attribute features.
8. A device for determining a file type, characterized by comprising:
An extraction module, configured to extract the attribute feature information of a file to be determined;
A comparison module, configured to compare the extracted attribute feature information with the attribute feature information pre-stored in a rule set for each type of file;
A determination module, configured to determine the type corresponding to the attribute feature information in the rule set that is consistent with the attribute feature information of the file to be determined as the type of the file to be determined.
9. The determination device according to claim 8, characterized in that the attribute feature information pre-stored in the rule set for each type of file comprises at least one of the following: file structure, compiler information, version information, digital signature, author's development environment, code segment CRC, import/export table CRC, Section CRC, additional data offset, TLS value, icon, rule steps for making the CRC, and description.
10. The determination device according to claim 8 or 9, characterized in that the file to be determined is a portable executable (PE) file.
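The flow of claims 1-4 and 8 as an added example, not code from the patent: features are extracted from PE files, the features shared by all given samples of a type are stored as that type's rule, and a file is assigned the type whose rule it matches. The function names, the chosen feature set (machine, link timestamp, code CRC), the use of CRC32 via zlib for the "code segment CRC", and the constructed sample image are all assumptions.

```python
import struct
import zlib

IMAGE_SCN_CNT_CODE = 0x20  # PE section flag: section contains code

def build_pe(code: bytes, timestamp: int) -> bytes:
    """Constructed minimal PE image (headers plus one code section) used as sample input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew at 0x3C points to offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x102)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, len(code),
                       128, 0, 0, 0, 0, IMAGE_SCN_CNT_CODE)  # raw data starts at 64+4+20+40
    return dos + b"PE\0\0" + coff + sect + code

def extract_features(pe: bytes) -> dict:
    """Extract attribute features: machine, link timestamp, CRC32 over code sections."""
    if len(pe) < 64 or pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[off:off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, off + 4)
    crc = 0
    for i in range(nsect):
        hdr = struct.unpack_from("<8sIIIIIIHHI", pe, off + 24 + opt_size + 40 * i)
        raw_size, raw_ptr, flags = hdr[3], hdr[4], hdr[9]
        if flags & IMAGE_SCN_CNT_CODE:
            if raw_ptr + raw_size > len(pe):  # truncated or malformed section
                raise ValueError("code section extends past end of file")
            crc = zlib.crc32(pe[raw_ptr:raw_ptr + raw_size], crc)
    return {"machine": machine, "timestamp": stamp, "code_crc": crc}

def common_features(samples: list) -> dict:
    """Claim 2: keep only the features that are identical across all given samples."""
    feats = [extract_features(s) for s in samples]
    return {k: v for k, v in feats[0].items() if all(f.get(k) == v for f in feats)}

def determine_type(pe: bytes, rule_set: dict):
    """Return the first type whose stored features all match the file, else None."""
    feats = extract_features(pe)
    for file_type, rule in rule_set.items():
        # Claim 4: a usable rule carries at least the code segment CRC.
        if "code_crc" in rule and all(feats.get(k) == v for k, v in rule.items()):
            return file_type
    return None
```

CRC32 is not collision-resistant, so a code CRC match identifies a file only as strongly as the other features stored in the same rule.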
CN2012103171169A 2012-08-30 2012-08-30 Method and device for determining type of file Pending CN102867038A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2012103171169A CN102867038A (en) 2012-08-30 2012-08-30 Method and device for determining type of file

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2012103171169A CN102867038A (en) 2012-08-30 2012-08-30 Method and device for determining type of file

Publications (1)

Publication Number Publication Date
CN102867038A true CN102867038A (en) 2013-01-09

Family

ID=47445907

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2012103171169A Pending CN102867038A (en) 2012-08-30 2012-08-30 Method and device for determining type of file

Country Status (1)

Country Link
CN (1) CN102867038A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101753570A (en) * 2008-12-18 2010-06-23 赛门铁克公司 methods and systems for detecting malware
CN101795267A (en) * 2009-12-30 2010-08-04 成都市华为赛门铁克科技有限公司 Method and device for detecting viruses and gateway equipment
CN101924761A (en) * 2010-08-18 2010-12-22 奇智软件(北京)有限公司 Method for detecting malicious program according to white list
CN102034043A (en) * 2010-12-13 2011-04-27 四川大学 Novel file-static-structure-attribute-based malware detection method

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103761247A (en) * 2013-12-20 2014-04-30 北京奇虎科技有限公司 Processing method and device for error files
CN103761247B (en) * 2013-12-20 2017-12-05 北京奇虎科技有限公司 A kind of processing method and processing device of error file
CN103870547A (en) * 2014-02-26 2014-06-18 华为技术有限公司 Grouping processing method and device of contact persons
WO2015127739A1 (en) * 2014-02-26 2015-09-03 华为技术有限公司 Method and apparatus for grouping contacts
CN104899509B (en) * 2014-03-03 2018-07-10 珠海市君天电子科技有限公司 The determining method and device of paper sample attribute
CN104899509A (en) * 2014-03-03 2015-09-09 珠海市君天电子科技有限公司 File sample attribute determining method and apparatus
CN104899009A (en) * 2014-03-03 2015-09-09 可牛网络技术(北京)有限公司 Identification method and device of Android application
CN104252531A (en) * 2014-09-11 2014-12-31 北京优特捷信息技术有限公司 File type identification method and device
CN104252531B (en) * 2014-09-11 2017-12-08 北京优特捷信息技术有限公司 A kind of file type identification method and device
CN104268249A (en) * 2014-09-30 2015-01-07 珠海市君天电子科技有限公司 System file identification method and system
CN104268249B (en) * 2014-09-30 2018-04-27 珠海市君天电子科技有限公司 A kind of recognition methods of system file and system
CN104680065A (en) * 2015-01-26 2015-06-03 安一恒通(北京)科技有限公司 Virus detection method, virus detection device and virus detection equipment
CN108804917A (en) * 2017-12-22 2018-11-13 哈尔滨安天科技股份有限公司 A kind of file test method, device, electronic equipment and storage medium
CN108804917B (en) * 2017-12-22 2022-03-18 安天科技集团股份有限公司 File detection method and device, electronic equipment and storage medium
CN109446809A (en) * 2018-10-31 2019-03-08 北斗智谷(北京)安全技术有限公司 A kind of recognition methods of rogue program and electronic equipment
CN110620940A (en) * 2019-09-19 2019-12-27 四川天邑康和通信股份有限公司 System, method and processing device for IPTV to rapidly make set-top box OTA upgrade package
CN112445760A (en) * 2020-11-13 2021-03-05 北京鸿腾智能科技有限公司 File classification method, equipment, storage medium and device
CN112445760B (en) * 2020-11-13 2024-05-14 三六零数字安全科技集团有限公司 File classification method, device, storage medium and apparatus

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20130109