CN103501294B - Method for determining whether a program is malicious - Google Patents
- Publication number
- CN103501294B (application number CN201310446501.8A)
- Authority
- CN
- China
- Prior art keywords
- program
- behavior
- white list
- feature
- performance
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Landscapes
- Stored Programmes (AREA)
Abstract
The invention discloses a method for determining whether a program is malicious, comprising: a database at the server end builds a white list of legitimate programs and collects updates to it; a client collects the program features and/or program behavior of a program and sends them to the server end for a query; the server end analyses and compares them against the white list according to the program features and/or program behavior, determines the legitimacy or trust value of the program according to the comparison result, and feeds the result back to the client. By using a white list to identify legitimate programs, the invention determines that programs falling outside the white list are malicious, and so approaches the detection and removal of malicious programs from another angle.
Description
This patent application is a divisional application of the Chinese invention patent application filed on August 18, 2010, Application No. 201010256973.3, entitled "Method for detecting malicious programs according to a white list".
Technical field
The invention belongs to the field of network security and, specifically, relates to a method for determining whether a program is malicious.
Background
Traditional detection and removal of malicious programs relies on a signature database (feature library). The signature database consists of signatures (feature codes) of malicious program samples collected by the vendor. A signature is a segment of program code, similar to a "search keyword", that analysis engineers extract from a malicious program as the point where it differs from legitimate software. During scanning, the engine reads a file and matches it against all the signature "keywords" in the signature database; if the file's program code is hit, the file can be judged to be a malicious program.
Local heuristic antivirus was derived later. It is a dynamic debugger or decompiler implemented in a specific way, which gradually understands and determines the real intent of a program by decompiling the relevant instruction sequences. Malicious programs differ from normal programs in many respects. For example, the initial instructions of an ordinary application typically check whether the command-line input contains parameters, clear the screen and save the original screen display, whereas the initial instructions of a malicious program are usually instruction sequences for operations such as writing directly to disk, decoding instructions, or searching for executable programs under a certain path. A skilled programmer can see these significant differences at a glance in a debugger. Heuristic code scanning is in effect this experience and knowledge transplanted into a concrete program within antivirus software.
However, the above methods of detecting and removing malware are all based on malicious behavior and/or malicious features: they first judge whether a program is malicious and then decide whether to remove or clean it. This inevitably leads to the following drawbacks.
According to statistics, the number of malicious programs worldwide is now growing geometrically. Given this explosive growth, the generation and updating of signature databases often lags behind, and the addition of malicious program signatures to the database cannot keep up with the endless stream of unknown malicious programs.
In addition, in recent years, as malicious program authors have applied antivirus-evasion techniques, packing a malicious program or modifying its signature has become more and more common, and many Trojan programs use increasingly frequent and rapid automatic mutation. All of this makes it more and more difficult to judge malicious programs by malicious behavior and/or malicious features, which in turn makes malicious programs harder to remove or clean.
Summary of the invention
In view of this, the technical problem to be solved by the present invention is to provide a method for detecting malicious programs according to a white list, which does not rely on a local database and instead identifies malicious programs in reverse, on the basis of identifying legitimate programs.
To solve the above technical problem, the invention discloses a method for detecting malicious programs according to a white list, comprising: a database at the server end builds a white list of legitimate programs and collects updates to it; a client collects the program features and/or program behavior of a program and sends them to the server end for a query; the server end analyses and compares them against the white list according to the program features and/or program behavior, determines the legitimacy or trust value of the program according to the comparison result, and feeds the result back to the client.
Further, the server end compares the program features and/or program behavior with the legitimate program features and/or legitimate program behaviors stored in the white list. If there is a hit, the program is determined to be a legitimate program and this is fed back to the client; if there is no hit, the program is determined to be a malicious program and this is fed back to the client.
Further, the server end compares a set of program features and/or a set of program behaviors of the program with the legitimate program features and/or legitimate program behaviors stored in the white list, assigns the program a trust value according to the degree of hit, and feeds the trust value back to the client. The client presets a threshold and compares the trust value with it: if the trust value is not less than the threshold, the program is determined to be a legitimate program; if the trust value is less than the threshold, the program is determined to be a malicious program.
Further, if the set of program features and/or the set of program behaviors all hit in the white list, the server end assigns the program a highest trust value; if the set of program features and/or the set of program behaviors all miss in the white list, the server end assigns the program a lowest trust value.
Further, the method also includes: according to the determination result, the client decides to intercept the malicious program's behavior, terminate execution of the malicious program and/or clean up the malicious program, and restore the system environment.
Further, the method also includes: according to the determination result combined with the attributes of the malicious program, the client decides whether to intercept the malicious program's behavior, terminate execution of the malicious program and/or clean up the malicious program.
Further, the attributes include: whether the malicious program is an auto-start program and/or whether the malicious program exists in the system directory.
Further, the step in which the database at the server end collects updates to the white list of legitimate programs includes: periodically collecting legitimate programs manually, with a spider or web crawler, and/or through user uploads; and screening the program features and/or program behaviors of the legitimate programs, manually or automatically with tools, and storing them in the white list.
Further, the step in which the database at the server end collects updates to the white list of legitimate programs includes: analysing unknown program features and program behaviors according to the legitimate program features in the existing known white list and their corresponding program behaviors, in order to update the white list.
Further, the program features include: static features in the program file and/or static feature strings.
Further, the step of analysing unknown program features and their program behaviors includes: if an unknown program feature is identical to a known program feature in the existing white list, the unknown program feature and its program behavior are listed in the white list; if an unknown program behavior is identical or approximate to a known program behavior in the existing white list, the unknown program behavior and its program feature are listed in the white list; when a program behavior is placed in the white list, the program feature corresponding to that behavior is listed in the white list in the database, and other program behaviors and program features associated with that behavior are also listed in the white list; and/or when a program feature is placed in the white list, the program behavior corresponding to that feature is listed in the white list in the database, and other program behaviors and program features associated with that feature are also listed in the white list.
Further, the method also includes: establishing an association relation between behaviors and features among programs with identical or approximate behavior, and analysing unknown program features and program behaviors according to that association relation, in order to update the white list.
Compared with existing schemes, the technical effects obtained by the present invention are as follows:
By using a white list to identify legitimate programs, the invention determines that programs falling outside the white list are malicious, and so approaches the detection and removal of malicious programs from another angle.
A cloud security architecture is also introduced: all "cloud security" clients are connected to the "cloud security" server in real time, and the analysis that decides whether a program is legitimate is carried out at the server end.
In addition, the invention has the client collect program behavior and associate it with program features, so that program features and their corresponding program behaviors are recorded in the database. Using the association between the collected program behaviors and program features, samples can be analysed and generalised in the database, which helps in deciding whether software or a program is legitimate.
Description of the drawings
Fig. 1 is a schematic diagram of the implementation mode of the present invention;
Fig. 2 is a flow chart of the method of the present invention for detecting malicious programs according to a white list;
Fig. 3 is a schematic diagram of the association relation according to an embodiment of the present invention.
Detailed description of the embodiments
Embodiments of the present invention are described in detail below with reference to the drawings and examples, so that the process by which the invention applies technical means to solve the technical problem and achieve the technical effect can be fully understood and implemented accordingly.
The core idea of the present invention is: a database at the server end builds a white list of legitimate programs and collects updates to it; a client collects the program features and/or program behavior of a program and sends them to the server end for a query; the server end analyses and compares them against the white list according to the program features and/or program behavior, makes a determination about the program according to the comparison result, and feeds it back to the client.
The white-list method of detecting malicious programs is described below for a cloud security mode made up of a large number of client computers 102 and a server end 104. The cloud structure is simply a large client/server (CS) architecture, as shown in Fig. 1, which is a schematic diagram of the implementation mode of the present invention.
Referring to Fig. 2, the flow chart of the method of the present invention for detecting malicious programs according to a white list, the method includes:
S1, the database at the server end builds a white list of legitimate programs and collects updates to it;
S2, the client collects the program features and/or program behavior of a program and sends them to the server end for a query;
S3, the server end analyses and compares them against the white list according to the program features and/or program behavior, makes a determination about the program according to the comparison result, and feeds it back to the client;
S4, according to the determination result, the client decides to intercept the malicious program's behavior, terminate execution of the malicious program and/or clean up the malicious program, and restore the system environment; or
according to the determination result combined with the attributes of the malicious program, the client decides whether to intercept the malicious program's behavior, terminate execution of the malicious program and/or clean up the malicious program;
the attributes include: whether the malicious program is an auto-start program and/or whether the malicious program exists in the system directory.
Step S3 can be implemented in the following ways.
First method: the server end compares the program features and/or program behavior with the legitimate program features and/or legitimate program behaviors stored in the white list. If there is a hit, the program is determined to be a legitimate program and this is fed back to the client; if there is no hit, the program is determined to be a malicious program and this is fed back to the client.
Second method: the server end compares a set of program features and/or a set of program behaviors of the program with the legitimate program features and/or legitimate program behaviors stored in the white list, assigns the program a trust value according to the degree of hit, and feeds the trust value back to the client. The client presets a threshold and compares the trust value with it: if the trust value is not less than the threshold, the program is determined to be a legitimate program; if the trust value is less than the threshold, the program is determined to be a malicious program.
As for setting the trust value: if the set of program features and/or the set of program behaviors all hit in the white list, the server end assigns the program a highest trust value; if the set of program features and/or the set of program behaviors all miss in the white list, the server end assigns the program a lowest trust value; for programs whose hit rate lies between these two cases, the trust value is set following the same trend.
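The second method of step S3 together with the attribute-based decision of step S4, as an added example that is not part of the patent text. The 0 to 100 trust scale, the linear mapping from hit rate to trust value, the rule for which attribute triggers which action, and all feature and behavior names are assumptions made for illustration; the white list and queries are constructed sample data.

```python
from dataclasses import dataclass

# Assumed trust scale; the text only speaks of a "highest" and a "lowest" value.
MIN_TRUST, MAX_TRUST = 0, 100

# Constructed white list of legitimate program features and behaviors.
WL_FEATURES = {"md5:feat-editor", "md5:feat-browser", "str:VendorSignedUpdater"}
WL_BEHAVIORS = {"read_own_config", "open_user_document", "check_for_update",
                "write_temp_file"}


@dataclass
class Query:
    """What the client collects for one program and sends to the server (S2)."""
    features: list
    behaviors: list
    autostart: bool = False       # attribute: the program is an auto-start program
    in_system_dir: bool = False   # attribute: the program is in the system directory


def server_trust_value(q, wl_features=WL_FEATURES, wl_behaviors=WL_BEHAVIORS):
    """S3, second method: trust value from the degree of hit in the white list."""
    hits = [f in wl_features for f in q.features]
    hits += [b in wl_behaviors for b in q.behaviors]
    if not hits:                  # nothing submitted, so nothing matched
        return MIN_TRUST
    hit_rate = sum(hits) / len(hits)
    # All hit -> MAX_TRUST, all miss -> MIN_TRUST, linear in between (assumed).
    return round(MIN_TRUST + hit_rate * (MAX_TRUST - MIN_TRUST))


def client_verdict(trust, threshold):
    """Client side: a trust value not less than the threshold means legitimate."""
    return "legitimate" if trust >= threshold else "malicious"


def client_actions(q, verdict):
    """S4 with attributes. The mapping from attributes to actions is assumed."""
    if verdict == "legitimate":
        return []
    actions = ["intercept_behavior"]
    if q.autostart or q.in_system_dir:
        actions += ["terminate", "clean_up", "restore_environment"]
    return actions


def evaluate(q, threshold=60):
    """Full round trip: server scores, client decides and picks its response."""
    trust = server_trust_value(q)
    verdict = client_verdict(trust, threshold)
    return trust, verdict, client_actions(q, verdict)


# Constructed queries: full hit, partial hit, and full miss.
KNOWN = Query(["md5:feat-editor"], ["read_own_config", "open_user_document"])
PARTIAL = Query(["md5:unknown-1"],
                ["read_own_config", "check_for_update", "write_temp_file"])
UNKNOWN = Query(["md5:unknown-2"],
                ["write_disk_directly", "search_executables_in_path"],
                autostart=True)

if __name__ == "__main__":
    for name, q in [("known", KNOWN), ("partial", PARTIAL), ("unknown", UNKNOWN)]:
        print(name, evaluate(q))
    # The same partial hit flips verdict when the client raises its threshold.
    print("partial, threshold 80:", evaluate(PARTIAL, threshold=80))
```

Because the threshold lives on the client, the same server-side trust value can yield different verdicts on differently configured clients, which the last line of the demo shows.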
For step S1, the step in which the database at the server end collects updates to the white list of legitimate programs can be implemented in the following ways.
First method: technical staff periodically collect legitimate programs manually, with a spider or web crawler, and/or through user uploads; the program features and/or program behaviors of the legitimate programs are screened manually or automatically with tools and stored in the white list.
Second method: unknown program features and program behaviors are analysed according to the legitimate program features in the existing known white list and their corresponding program behaviors, in order to update the white list.
The program feature can be a static feature in the program file, such as an MD5 check code obtained by an MD5 (Message-Digest Algorithm 5) computation, a SHA1 code, a CRC (Cyclic Redundancy Check) code, or another feature code that can uniquely identify the original program; it can also be a static feature string in the program file.
The construction and dynamic maintenance of the server-end database white list under the second method are explained below.
The main approach is: analyse unknown program features and program behaviors according to the program features in the existing known white list and their corresponding program behaviors, in order to update the white list. This comparative analysis sometimes does not require any follow-up analysis of the program's behavior itself; simply comparing it with the known program behaviors in the existing white list is enough to determine the nature of the unknown program.
Because the database records program features and the behavior records corresponding to each feature, unknown programs can be analysed in combination with the known white list.
For example, if an unknown program feature is identical to a known program feature in the existing white list, the unknown program feature and its program behavior are both listed in the white list.
If an unknown program behavior is identical or approximate to a known program behavior in the existing white list, the unknown program behavior and its program feature are both listed in the white list.
By analysing the records in the database, we can find that some programs have identical or approximate behavior but different program features. In that case, once we establish an association relation between behaviors and features among the programs with identical or approximate behavior, unknown program features and program behaviors can be analysed more easily according to that relation, in order to update the white list.
Fig. 3 is a schematic diagram of the association relation according to an embodiment of the present invention. Assume that the features of unknown programs A, B and C are A, B and C respectively, and that their corresponding program behaviors are A1~A4, B1~B4 and C1~C4. If analysis finds that the program behaviors A1~A4, B1~B4 and C1~C4 are substantially the same or very similar, an association relation between features and behaviors can be established among features A, B, C and behaviors A1~A4, B1~B4, C1~C4.
With this association relation, the database can, under certain conditions, be maintained more efficiently through self-extension. For example, when the program behaviors B1~B4 of program B are confirmed to be legitimate program behaviors and placed in the white list, the program feature B corresponding to those behaviors can be listed in the white list automatically in the database; at the same time, according to the association relation, the associated program behaviors A1~A4 and C1~C4 and the corresponding program features A and C can also be listed in the white list automatically.
As another example, if programs A, B and C are all initially of unknown black/white status, and program feature B is first confirmed, through other virus detection channels, to be a feature of a legitimate program, then the combination of behaviors B1~B4 can be listed in the white list automatically in the database; according to the association relation, features A and C, which have identical or approximate behavior, can also be listed in the white list, along with program behaviors A1~A4 and C1~C4.
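The association relation of Fig. 3 and the two propagation cases above, as an added example that is not part of the patent text. The patent does not say how "approximate" behavior is measured; Jaccard similarity with a 0.5 cut-off, the one-hop propagation limit, the class and method names, and the behavior labels are all assumptions, and the records are constructed sample data.

```python
from itertools import combinations


def similarity(a, b):
    """Jaccard similarity of two behavior sets (assumed measure of 'approximate')."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


class WhitelistDB:
    """Server-side records: program feature -> behaviors recorded for it."""

    def __init__(self, records, min_similarity=0.5):
        self.records = {f: frozenset(b) for f, b in records.items()}
        self.min_similarity = min_similarity
        self.white_features = set()
        self.white_behaviors = set()
        # Association relation between programs with identical or approximate behavior.
        self.assoc = {f: set() for f in self.records}
        for f, g in combinations(self.records, 2):
            if similarity(self.records[f], self.records[g]) >= min_similarity:
                self.assoc[f].add(g)
                self.assoc[g].add(f)

    def _list(self, feature):
        self.white_features.add(feature)
        self.white_behaviors |= self.records[feature]

    def confirm_feature(self, feature):
        """A feature is confirmed legitimate: list it, its behaviors, and the
        directly associated features with their behaviors. Propagation stops
        after one hop (assumed) so that white-list status does not chain
        through a series of merely approximate matches."""
        self._list(feature)
        for other in self.assoc[feature]:
            self._list(other)

    def confirm_behaviors(self, behaviors):
        """A behavior set is confirmed legitimate: list every feature recorded
        with exactly that set, then extend through the association relation."""
        behaviors = frozenset(behaviors)
        for feature, recorded in self.records.items():
            if recorded == behaviors:
                self.confirm_feature(feature)

    def admit_unknown(self, feature, behaviors):
        """Analyse an unknown program: admit it if its feature is already
        white-listed or its behavior is identical or approximate to that of
        a white-listed program. Returns True if it was admitted."""
        behaviors = frozenset(behaviors)
        known = feature in self.white_features
        similar = any(
            similarity(behaviors, self.records[f]) >= self.min_similarity
            for f in self.white_features
        )
        if not (known or similar):
            return False
        self.records[feature] = self.records.get(feature, frozenset()) | behaviors
        self.assoc.setdefault(feature, set())
        self._list(feature)
        return True


# Constructed records modelled on Fig. 3: A, B and C behave alike, D does not.
RECORDS = {
    "feature_A": {"open_window", "read_config", "write_log", "check_update"},
    "feature_B": {"open_window", "read_config", "write_log", "check_update"},
    "feature_C": {"open_window", "read_config", "write_log", "send_crash_report"},
    "feature_D": {"write_disk_directly", "search_executables",
                  "decode_instructions", "write_log"},
}


def demo():
    """Feature B is confirmed through another channel; A and C follow, D does not."""
    db = WhitelistDB(RECORDS)
    db.confirm_feature("feature_B")
    return sorted(db.white_features)


if __name__ == "__main__":
    print(demo())
```

Feature D shares the `write_log` behavior with the white-listed programs, but one shared behavior stays below the similarity cut-off, so D is not associated and is not listed.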
Because the database records the behaviors corresponding to program features, the present invention greatly facilitates behavior analysis of unknown programs. The analysis methods of the present invention are not limited to the above; methods such as decision trees, Bayesian algorithms and neural network computation, or simple threshold analysis, can also be applied well on the basis of the database of the present invention.
The above description shows and describes some preferred embodiments of the present invention. As stated earlier, however, it should be understood that the invention is not limited to the forms disclosed herein, which should not be regarded as excluding other embodiments; the invention can be used in various other combinations, modifications and environments, and can be modified within the scope of the inventive concept described herein through the above teachings or the skill or knowledge of the related art. Changes and variations made by those skilled in the art that do not depart from the spirit and scope of the present invention shall all fall within the protection scope of the appended claims of the present invention.
Claims (8)
1. A method for determining whether a program is malicious, comprising:
a database at the server end builds a white list of legitimate programs and collects updates to it;
the white list stores program features and/or program behaviors of legitimate programs;
an association relation between behaviors and features is established among programs with identical or approximate behavior, and unknown program features and program behaviors are analysed according to the association relation among the programs with identical or approximate behavior, in order to update the white list;
a client collects the program features and/or program behavior of a program and sends them to the server end for a query, and the server end analyses and compares them against the white list according to the program features and/or program behavior, determines the legitimacy or trust value of the program according to the comparison result, and feeds the result back to the client.
2. The method of claim 1, wherein the server end compares the program features and/or program behavior with the legitimate program features and/or legitimate program behaviors stored in the white list; if there is a hit, the program is determined to be a legitimate program and this is fed back to the client; if there is no hit, the program is determined to be a malicious program and this is fed back to the client.
3. The method of claim 2, wherein the server end compares a set of program features and/or a set of program behaviors of the program with the legitimate program features and/or legitimate program behaviors stored in the white list, assigns the program a trust value according to the degree of hit, and feeds the trust value back to the client;
the client presets a threshold and compares the trust value with the threshold; if the trust value is not less than the threshold, the program is determined to be a legitimate program, and if the trust value is less than the threshold, the program is determined to be a malicious program.
4. The method of claim 3, wherein, if the set of program features and/or the set of program behaviors all hit in the white list, the server end assigns the program a highest trust value; if the set of program features and/or the set of program behaviors all miss in the white list, the server end assigns the program a lowest trust value.
5. The method of claim 4, wherein the step in which the database at the server end collects updates to the white list of legitimate programs further comprises:
periodically collecting legitimate programs manually, with a spider or web crawler, and/or through user uploads;
screening the program features and/or program behaviors of the legitimate programs, manually or automatically with tools, and storing them in the white list.
6. The method of claim 5, wherein the step in which the database at the server end collects updates to the white list of legitimate programs further comprises:
analysing unknown program features and program behaviors according to the legitimate program features in the existing known white list and their corresponding program behaviors, in order to update the white list.
7. The method of claim 5 or 6, wherein the program features include: static features in the program file and/or static feature strings.
8. The method of claim 7, wherein the step of analysing unknown program features and their program behaviors comprises:
if an unknown program feature is identical to a known program feature in the existing white list, listing the unknown program feature and its program behavior in the white list;
if an unknown program behavior is identical or approximate to a known program behavior in the existing white list, listing the unknown program behavior and its program feature in the white list;
when a program behavior is placed in the white list, listing the program feature corresponding to that program behavior in the white list in the database, and also listing in the white list other program behaviors and program features associated with that program behavior; and/or
when a program feature is placed in the white list, listing the program behavior corresponding to that program feature in the white list in the database, and also listing in the white list other program behaviors and program features associated with that program feature.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310446501.8A CN103501294B (en) | 2010-08-18 | 2010-08-18 | Method for determining whether a program is malicious |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2010102569733A CN101924761B (en) | 2010-08-18 | 2010-08-18 | Method for detecting malicious program according to white list |
CN201310446501.8A CN103501294B (en) | 2010-08-18 | 2010-08-18 | Method for determining whether a program is malicious |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2010102569733A Division CN101924761B (en) | 2010-08-18 | 2010-08-18 | Method for detecting malicious program according to white list |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103501294A CN103501294A (en) | 2014-01-08 |
CN103501294B true CN103501294B (en) | 2017-03-08 |
Family
ID=49866466
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310446501.8A Active CN103501294B (en) | 2010-08-18 | 2010-08-18 | Method for determining whether a program is malicious |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103501294B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2015131324A1 (en) * | 2014-03-04 | 2015-09-11 | 华为技术有限公司 | Software security detection method, apparatus and device |
CN107729753A (en) * | 2017-09-22 | 2018-02-23 | 郑州云海信息技术有限公司 | A kind of defence method and system of computer unknown virus |
CN108989304A (en) * | 2018-07-05 | 2018-12-11 | 北京广成同泰科技有限公司 | A kind of trusted software white list construction method |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101373501A (en) * | 2008-05-12 | 2009-02-25 | 公安部第三研究所 | Method for capturing dynamic behavior aiming at computer virus |
US7640589B1 (en) * | 2009-06-19 | 2009-12-29 | Kaspersky Lab, Zao | Detection and minimization of false positives in anti-malware processing |
CN100585534C (en) * | 2004-10-29 | 2010-01-27 | 微软公司 | Be used for determining whether file is the computer system and method for Malware |
CN101650768A (en) * | 2009-07-10 | 2010-02-17 | 深圳市永达电子股份有限公司 | Security guarantee method and system for Windows terminals based on auto white list |
US7743419B1 (en) * | 2009-10-01 | 2010-06-22 | Kaspersky Lab, Zao | Method and system for detection and prediction of computer virus-related epidemics |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8935789B2 (en) * | 2008-07-21 | 2015-01-13 | Jayant Shukla | Fixing computer files infected by virus and other malware |
Non-Patent Citations (1)
Title |
---|
基于智能手机恶意代码防范模型的研究;桂佳平;《计算机技术与发展》;20100110;全文 * |
Also Published As
Publication number | Publication date |
---|---|
CN103501294A (en) | 2014-01-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN101924761B (en) | Method for detecting malicious program according to white list | |
CN103607381B (en) | White list generation method, malicious program detection method, client and server | |
Galal et al. | Behavior-based features model for malware detection | |
US9916447B2 (en) | Active defense method on the basis of cloud security | |
CN103475671B (en) | Malware detection methods | |
US10110619B2 (en) | Method and product for providing a predictive security product and evaluating existing security products | |
KR101693370B1 (en) | Fuzzy whitelisting anti-malware systems and methods | |
Zheng et al. | Droid analytics: a signature based analytic system to collect, extract, analyze and associate android malware | |
CN101923617B (en) | Cloud-based sample database dynamic maintaining method | |
US8151352B1 (en) | Anti-malware emulation systems and methods | |
EP2975873A1 (en) | A computer implemented method for classifying mobile applications and computer programs thereof | |
US9762593B1 (en) | Automatic generation of generic file signatures | |
CN104573515A (en) | Virus processing method, device and system | |
Alsulami et al. | Behavioral malware classification using convolutional recurrent neural networks | |
RU2427890C2 (en) | System and method to compare files based on functionality templates | |
WO2016058403A1 (en) | Processing method, system and device for virus file | |
KR102120200B1 (en) | Malware Crawling Method and System | |
CN102867038A (en) | Method and device for determining type of file | |
CN113935033A (en) | Feature-fused malicious code family classification method and device and storage medium | |
CN103501294B (en) | Method for determining whether a program is malicious | |
US20220201011A1 (en) | Method and apparatus for classifying exploit attack type | |
Gennari et al. | Defining malware families based on analyst insights | |
KR20170018791A (en) | Apparatus and method for detecting malicious code using cultivation of malware | |
Mora | Feature Selection and Improving Classification Performance for Malware Detection | |
Cepeda Mora | Feature Selection and Improving Classification Performance for Malware Detection |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | Effective date of registration: 20220706. Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015. Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park). Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Patentee before: Qizhi software (Beijing) Co.,Ltd. |