CN103761483A - Method and device for detecting malicious codes - Google Patents

Method and device for detecting malicious code

Info

Publication number
CN103761483A
Authority
CN (China)
Prior art keywords
code, summary info, detected, malicious code, icon file
Legal status
Pending
Application number
CN201410040500.8A
Other languages
Chinese (zh)
Inventors
邹荣新, 徐超, 谢小军, 张科
Current assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Original assignee
Beijing Baidu Netcom Science and Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/562 Static detection

Abstract

The invention provides a method and device for detecting malicious code. The method obtains at least one icon file of the code to be detected, obtains first summary information of that icon file, and judges from the first summary information whether the code to be detected is malicious. Because the decision is made from the icon files rather than from the code itself, the method can recognise family malicious code and variant malicious code that conventional detection methods miss, and it improves both the detection rate and the accuracy of malicious-code detection.

Description

Method and device for detecting malicious code
Technical field
The present invention relates to the field of computer technology, and in particular to a method and a device for detecting malicious code.
Background
With the rapid development of Internet technology, an underground economy built around malicious code has formed and is growing quickly, so the production of malicious code is becoming industrialised. Authors maintain their malicious code continuously, producing a set of different versions derived from one base version; such code is referred to as family malicious code or variant malicious code.
The related art detects this kind of malicious code in two ways. The first is static signature matching: the malicious code is scanned to extract its features, which are matched against predefined signatures; on a match the code is classified as malicious. The second is behavioural matching: the dynamic behaviour of the code is analysed and matched against predefined behaviour patterns; on a match the code is classified as malicious.
The related art has the following problem: while maintaining their code, malware authors apply more and more anti-analysis measures such as encryption and obfuscation. Both methods above are limited by these measures, and some malicious code cannot be detected by them at all.
Summary of the invention
The present invention aims to solve, at least to some extent, one of the technical problems in the related art.
Accordingly, a first object of the invention is to provide a method for detecting malicious code that improves the detection rate and the accuracy of malicious-code detection and thereby protects information security.
A second object of the invention is to provide a device for detecting malicious code.
To achieve these objects, a method for detecting malicious code according to an embodiment of the first aspect of the invention comprises: obtaining at least one icon file of the code to be detected; obtaining first summary information of the at least one icon file; and judging, from the first summary information of the at least one icon file, whether the code to be detected is malicious code.
In the method of this embodiment, the first summary information is obtained from the icon file of the code to be detected and is used to decide whether the code is malicious. This recognises family malicious code and variant malicious code that conventional detection methods cannot recognise, improves the detection rate and accuracy, protects information security and improves the user experience.
To achieve these objects, a device for detecting malicious code according to an embodiment of the second aspect of the invention comprises: a first acquisition module for obtaining at least one icon file of the code to be detected; a second acquisition module for obtaining first summary information of the at least one icon file; and a judging module for judging, from the first summary information of the at least one icon file, whether the code to be detected is malicious code.
The device of this embodiment obtains the first summary information from the icon file of the code to be detected and uses it to decide whether the code is malicious. This recognises family malicious code and variant malicious code that conventional detection methods cannot recognise, improves the detection rate and accuracy, protects information security and improves the user experience.
Additional aspects and advantages of the invention are given in part in the following description, will in part become apparent from it, or will be learned through practice of the invention.
Brief description of the drawings
The above and/or additional aspects and advantages of the invention will become apparent and readily understood from the following description of embodiments with reference to the accompanying drawings, in which:
Fig. 1 is a flowchart of a method for detecting malicious code according to an embodiment of the invention;
Fig. 2 is a flowchart of a method for detecting malicious code according to another embodiment of the invention;
Fig. 3 is a flowchart of a method for detecting malicious code according to yet another embodiment of the invention;
Fig. 4 is a block diagram of a device for detecting malicious code according to an embodiment of the invention; and
Fig. 5 is a block diagram of a device for detecting malicious code according to another embodiment of the invention.
Detailed description
Embodiments of the invention are described in detail below. Examples of the embodiments are shown in the drawings, in which the same or similar reference numerals denote the same or similar elements, or elements with the same or similar functions, throughout. The embodiments described below with reference to the drawings are exemplary, are intended to explain the invention, and are not to be construed as limiting it. On the contrary, the embodiments of the invention include all changes, modifications and equivalents that fall within the spirit and scope of the appended claims.
In the description of the invention, the terms "first", "second" and the like are used for descriptive purposes only and do not indicate or imply relative importance. Unless otherwise expressly specified and limited, the terms "connected" and "connection" are to be understood broadly: a connection may be fixed, detachable or integral; mechanical or electrical; direct, or indirect through an intermediary. Those of ordinary skill in the art can understand the specific meaning of these terms in the invention from the context. Unless otherwise stated, "a plurality" means two or more.
Any process or method described in a flowchart or otherwise herein may be understood as representing a module, segment or portion of code comprising one or more executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of the invention includes other implementations in which functions may be executed out of the order shown or discussed, including substantially concurrently or in reverse order depending on the functionality involved, as will be understood by those skilled in the art to which the embodiments belong.
The method and device for detecting malicious code according to embodiments of the invention are described below with reference to the drawings.
Because malware authors apply more and more encryption, obfuscation and other anti-analysis measures while maintaining their code, large numbers of family malicious code and variant malicious code are produced. Detection by signature matching and behaviour matching is limited against such code, many family and variant samples cannot be detected at all, and security is hard to guarantee.
To ensure that family malicious code and variant malicious code can be detected, the invention proposes a method for detecting malicious code comprising the following steps: obtaining at least one icon file of the code to be detected; obtaining first summary information of the at least one icon file; and judging, from the first summary information of the at least one icon file, whether the code to be detected is malicious code.
Fig. 1 shows a method for detecting malicious code according to an embodiment of the invention.
As shown in Fig. 1, the method comprises:
S101: obtain at least one icon file of the code to be detected.
The code to be detected may be a PE (Portable Executable) file. In one embodiment the code is first preprocessed, for example decompressed (unpacked) and its file type identified: when a new PE file arrives, it is decompressed first and its file type is identified. After preprocessing, at least one icon file of the PE file is obtained, for example by locating the PE file's resource directory and reading the corresponding icon file or files from it.
S102: obtain first summary information of the at least one icon file.
In one embodiment the first summary information is generated from the icon file; for example, it is one or more of an MD5 (Message-Digest Algorithm 5) value, a SHA-1 (Secure Hash Algorithm 1) value or a RIPEMD (RACE Integrity Primitives Evaluation Message Digest) value. The first summary information is a short, fixed-length value that identifies a piece of data uniquely for practical purposes; any algorithm that produces such a value can be used to obtain the first summary information of the at least one icon file, and this is not described further here.
Specifically, the binary content of the at least one icon file is extracted first, and the first summary information is computed over the extracted binary content.
S103: judge, from the first summary information of the at least one icon file, whether the code to be detected is malicious code.
In the method of this embodiment, the first summary information is obtained from the icon file of the code to be detected and is used to detect whether the code is malicious. This recognises family malicious code and variant malicious code that conventional detection methods cannot recognise, improves the detection rate and accuracy, protects information security and improves the user experience.
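Steps S101 to S103 leave the icon-extraction step abstract. The following block is an added example, not code from the patent or from Baidu: it walks a PE file's resource directory with the standard library only, rebuilds each RT_GROUP_ICON together with its RT_ICON images into a standalone .ico byte string (the form a hash-based library would be keyed on), computes the first summary over those bytes and looks it up. It assumes PE32 or PE32+ input whose icon resources use integer ids with one language each; `build_fixture_pe`, `lookup`, the `library` dict and the family name are constructed for the example, and SHA-256 stands in for the MD5/SHA-1/RIPEMD the patent names (for a lookup key an attacker gains nothing from a collision, so any of them works; use whichever your existing feed is keyed by). In production, `pefile` performs the same resource walk.

```python
import hashlib
import struct

RT_ICON, RT_GROUP_ICON = 3, 14   # the two resource types that together form a PE's icon

def _rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset through the section table."""
    for vsize, vaddr, raw_size, raw_ptr in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return raw_ptr + (rva - vaddr)
    raise ValueError("RVA %#x lies outside every section" % rva)

def _walk_directory(pe, rsrc_off, dir_off, path, out):
    """Depth-first walk of an IMAGE_RESOURCE_DIRECTORY tree; collects (path, rva, size).
    String-named entries are kept as their raw id value, which is enough for icons."""
    named, by_id = struct.unpack_from("<HH", pe, rsrc_off + dir_off + 12)
    for i in range(named + by_id):
        ident, target = struct.unpack_from("<II", pe, rsrc_off + dir_off + 16 + 8 * i)
        if target & 0x80000000:                       # high bit set: points at a sub-directory
            _walk_directory(pe, rsrc_off, target & 0x7FFFFFFF, path + (ident,), out)
        else:                                         # otherwise an IMAGE_RESOURCE_DATA_ENTRY
            rva, size = struct.unpack_from("<II", pe, rsrc_off + target)
            out.append((path + (ident,), rva, size))

def extract_icons(pe):
    """S101: rebuild every RT_GROUP_ICON of a PE file into a standalone .ico byte string."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsections, opt_size = struct.unpack_from("<H12xH", pe, e_lfanew + 6)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    data_dir = opt + (96 if magic == 0x10B else 112)  # DataDirectory offset: PE32 vs PE32+
    rsrc_rva = struct.unpack_from("<I", pe, data_dir + 2 * 8)[0]   # entry 2 = resources
    sec_table = opt + opt_size
    sections = [struct.unpack_from("<IIII", pe, sec_table + 40 * i + 8) for i in range(nsections)]
    if rsrc_rva == 0:
        return []
    rsrc_off = _rva_to_offset(sections, rsrc_rva)
    entries = []
    _walk_directory(pe, rsrc_off, 0, (), entries)
    blobs = {}                                        # (type, id) -> raw resource bytes
    for (rtype, ident, _lang), rva, size in entries:  # one language per id is assumed here
        off = _rva_to_offset(sections, rva)
        blobs[(rtype, ident)] = pe[off:off + size]
    icons = []
    for (rtype, ident), group in blobs.items():
        if rtype != RT_GROUP_ICON:
            continue
        count = struct.unpack_from("<H", group, 4)[0]
        directory, images, image_off = b"", b"", 6 + 16 * count
        for i in range(count):
            entry = group[6 + 14 * i:6 + 14 * (i + 1)]           # GRPICONDIRENTRY: 14 bytes
            image = blobs[(RT_ICON, struct.unpack_from("<H", entry, 12)[0])]
            directory += entry[:8] + struct.pack("<II", len(image), image_off)  # ICONDIRENTRY
            images += image
            image_off += len(image)
        icons.append(struct.pack("<HHH", 0, 1, count) + directory + images)   # ICONDIR header
    return icons

def first_summary(icon):
    """S102: digest over the icon's raw bytes. The patent names MD5/SHA-1/RIPEMD; SHA-256 here."""
    return hashlib.sha256(icon).hexdigest()

def lookup(pe, library):
    """S103 as Fig. 2 refines it: a hit in the first sample library marks the file malicious."""
    hits = [library[d] for d in map(first_summary, extract_icons(pe)) if d in library]
    return ("malicious", hits[0]) if hits else ("clean", None)

def build_fixture_pe(images, code=b"\xCC" * 16):
    """Constructed fixture: a minimal PE32 whose only section, .rsrc, holds the RT_ICON
    images and one RT_GROUP_ICON directory for them. It is not a runnable executable."""
    rsrc_rva, rsrc_off = 0x2000, 0x400
    group = struct.pack("<HHH", 0, 1, len(images)) + b"".join(
        struct.pack("<BBBBHHIH", 16, 16, 0, 0, 1, 32, len(img), i) for i, img in enumerate(images, 1))
    tree = {RT_ICON: {i: {0x409: img} for i, img in enumerate(images, 1)},
            RT_GROUP_ICON: {1: {0x409: group}}}
    def size(node):   # bytes occupied by a directory subtree; a data entry is 16 bytes
        return 16 if isinstance(node, bytes) else 16 + 8 * len(node) + sum(map(size, node.values()))
    data, next_data = [], [size(tree)]   # resource data is appended right after the tree
    def emit(node, off):
        if isinstance(node, bytes):
            entry = struct.pack("<IIII", rsrc_rva + next_data[0], len(node), 0, 0)
            next_data[0] += len(node)
            data.append(node)
            return entry
        header = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(node))
        child_off, entries, body = off + 16 + 8 * len(node), b"", b""
        for ident, child in node.items():
            entries += struct.pack("<II", ident, child_off | (0 if isinstance(child, bytes) else 0x80000000))
            body += emit(child, child_off)
            child_off += size(child)
        return header + entries + body
    rsrc = emit(tree, 0) + b"".join(data)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew at 0x3C
    directories = [(rsrc_rva, len(rsrc)) if i == 2 else (0, 0) for i in range(16)]
    optional = struct.pack("<H", 0x10B) + b"\0" * 94 + b"".join(struct.pack("<II", *d) for d in directories)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(optional), 0x102)
    section = b".rsrc".ljust(8, b"\0") + struct.pack("<IIII", len(rsrc), rsrc_rva, len(rsrc), rsrc_off) + b"\0" * 16
    return (dos + b"PE\0\0" + coff + optional + section + code).ljust(rsrc_off, b"\0") + rsrc
```

Building two fixtures with the same icon images but different `code` bytes yields identical .ico output from `extract_icons`, which is exactly the property the patent relies on: once the first file's icon digest is in the library, `lookup` flags the second file although its code differs.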
The way in which the first summary information of the at least one icon file is used to judge whether the code to be detected is malicious is described next.
Fig. 2 is a flowchart of a method for detecting malicious code according to another embodiment of the invention.
As shown in Fig. 2, the method comprises:
S201: obtain at least one icon file of the code to be detected.
S202: obtain first summary information of the at least one icon file.
S203: search a preset first sample library for the first summary information of the at least one icon file.
S204: if the first summary information of the at least one icon file is found in the first sample library, judge that the code to be detected is malicious code.
The first sample library holds the icon files of malicious-code samples and their corresponding first summary information. The samples may have been detected in advance by existing detection methods or collected by analysts; the invention does not restrict this. The icon files are obtained from these samples and their first summary information is computed, which establishes the first sample library. The library can be extended and updated continuously, so that the set of malicious code that can be recognised grows accordingly.
In one embodiment of the invention, the method further comprises:
S205: if the first summary information of the at least one icon file is not found in the first sample library, further obtain second summary information of the at least one icon file.
In one embodiment the second summary information is generated from the piecewise content of the icon file; for example, it is a fuzzy hash value. A fuzzy hash value is computed by a fuzzy hashing algorithm, whose basic principle is to split the icon file into pieces according to its content, compute a hash value for each piece separately, and combine the piece hash values into the fuzzy hash value. Several variants of fuzzy hashing exist; they are not described in detail here.
A fuzzy hash value obtained this way is insensitive to small changes: inserting, deleting or modifying a small number of bytes in the original data has little effect on it, so fuzzy hash values are mainly used for similarity detection. In one embodiment the fuzzy hash value of the at least one icon file is computed with ssdeep (a program that computes context-triggered piecewise hashes to measure file similarity); other software or programs may also be used, and the invention does not restrict this.
S206: judge, from the second summary information of the at least one icon file, whether the code to be detected is malicious code.
In the method of this embodiment, if the first summary information is found in the first sample library, the code to be detected is determined to be malicious; because the first summary information is unique, it can be determined very quickly whether the code is known family malicious code or variant malicious code. If the first summary information is not found in the first sample library, the second summary information is used to determine whether the code is malicious; because changes to the details of the icon file have little effect on the second summary information, it can further determine whether the code is related to known family malicious code or variant malicious code, which further improves the detection rate and accuracy.
The way in which the second summary information of the at least one icon file is used to judge whether the code to be detected is malicious is described next.
Fig. 3 is a flowchart of a method for detecting malicious code according to yet another embodiment of the invention.
As shown in Fig. 3, the method comprises:
S301: obtain at least one icon file of the code to be detected.
S302: obtain first summary information of the at least one icon file.
S303: search a preset first sample library for the first summary information of the at least one icon file.
S304: if the first summary information of the at least one icon file is found in the first sample library, judge that the code to be detected is malicious code.
S305: if the first summary information of the at least one icon file is not found in the first sample library, further obtain second summary information of the at least one icon file.
S306: obtain the similarity between each preset summary information in a preset second sample library and the second summary information of the at least one icon file.
The second sample library holds the icon files of malicious-code samples and their corresponding second summary information. The samples may have been detected in advance by existing detection methods or collected by analysts; the invention does not restrict this. The icon files are obtained from these samples and their second summary information is computed, which establishes the second sample library. The library can be extended and updated continuously, so that the set of malicious code that can be recognised grows accordingly.
S307: if there is a preset summary information whose similarity exceeds a preset value, judge that the code to be detected is malicious code.
The preset value is a percentage expressing similarity; it may be a default and may be changed manually. For example, with a preset value of 90%, the code to be detected is judged to be malicious when the second sample library contains a preset summary information whose similarity to the second summary information of the code exceeds 90%.
If no preset summary information has a similarity exceeding the preset value, the code to be detected is judged to be normal code.
In the method of this embodiment, because changes to the details of the icon file have little effect on the second summary information, even malicious code produced by small modifications to known family malicious code or variant malicious code can be detected through the second summary information, which further improves the detection rate and accuracy.
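The cascade of S303 to S307, as an added example that is not the patent's or Baidu's code: MD5 lookup in a first library, and on a miss a content-defined piecewise hash of the icon compared against a second library with a similarity threshold. The rolling hash and trigger rule follow ssdeep's, but the second summary is kept here as the set of per-piece digests and similarity is the share of pieces two icons have in common, not ssdeep's edit-distance score over its signature string, so the 90% threshold is calibrated for this metric rather than copied from ssdeep. The icon images (a 64x64 32-bit DIB header over pseudo-random pixels), the four byte edits that produce the "variant", the family name and both libraries are constructed. In production, use the `ssdeep` Python binding (`ssdeep.hash`, `ssdeep.compare`) rather than a re-implementation. Two checks the page does not spell out: icons that many benign programs share (compiler, installer and stock system icons) will match both libraries, so a benign-icon allowlist belongs in front of them; and icons with large uniform regions give content-defined chunking few distinct pieces, which can inflate similarity between unrelated icons that share the same padding.

```python
import hashlib
import random
import struct

ROLLING_WINDOW = 7

class RollingHash:
    """ssdeep-style rolling hash over the last seven bytes. Its value depends only on those
    bytes, so piece boundaries resynchronise a few bytes after any edit."""
    def __init__(self):
        self.window = [0] * ROLLING_WINDOW
        self.h1 = self.h2 = self.h3 = 0
        self.n = 0

    def update(self, c):
        self.h2 = (self.h2 - self.h1 + ROLLING_WINDOW * c) & 0xFFFFFFFF
        self.h1 = (self.h1 + c - self.window[self.n % ROLLING_WINDOW]) & 0xFFFFFFFF
        self.window[self.n % ROLLING_WINDOW] = c
        self.n += 1
        self.h3 = ((self.h3 << 5) ^ c) & 0xFFFFFFFF
        return (self.h1 + self.h2 + self.h3) & 0xFFFFFFFF

def piece_hashes(data, block_size=32):
    """Context-triggered piecewise hashing: cut the data wherever the rolling hash hits the
    trigger value, hash every piece on its own and return the set of piece digests.
    That set is the 'second summary'; ssdeep folds each piece into one base64 character."""
    rh = RollingHash()
    pieces, start = set(), 0
    for i, c in enumerate(data):
        if rh.update(c) % block_size == block_size - 1:
            pieces.add(hashlib.sha1(data[start:i + 1]).hexdigest()[:8])
            start = i + 1
    if start < len(data):
        pieces.add(hashlib.sha1(data[start:]).hexdigest()[:8])
    return pieces

def similarity(pieces_a, pieces_b):
    """Percentage of pieces the two icons share (Jaccard index, 0..100)."""
    union = pieces_a | pieces_b
    return 100 * len(pieces_a & pieces_b) // len(union) if union else 100

def classify(icon, exact_library, fuzzy_library, threshold=90):
    """Exact digest lookup first (S303/S304); fuzzy similarity against the second library
    only on a miss (S305 to S307). Returns (verdict, score, family)."""
    digest = hashlib.md5(icon).hexdigest()            # first summary: MD5, as the patent lists
    if digest in exact_library:
        return "malicious", 100, exact_library[digest]
    pieces = piece_hashes(icon)
    score, family = max(((similarity(pieces, p), fam) for fam, p in fuzzy_library), default=(0, None))
    if score > threshold:                             # "similarity exceeds the preset value"
        return "malicious", score, family
    return "clean", score, None

# Constructed fixtures: a known-bad icon image, a lightly edited variant and an unrelated one.
def make_icon(seed, edits=()):
    """BITMAPINFOHEADER for a 64x64 32bpp icon image followed by pseudo-random pixels;
    'edits' overwrites a few pixel bytes to simulate a touched-up variant."""
    rng = random.Random(seed)
    header = struct.pack("<IiiHHIIiiII", 40, 64, 128, 1, 32, 0, 64 * 64 * 4, 0, 0, 0, 0)
    pixels = bytearray(rng.getrandbits(8) for _ in range(64 * 64 * 4))
    for offset, value in edits:
        pixels[offset] = value
    return bytes(header + pixels)

KNOWN_BAD = make_icon(1)                              # icon of a sample already in the libraries
VARIANT = make_icon(1, edits=[(500, 0), (4000, 255), (9000, 7), (15000, 128)])
UNRELATED = make_icon(2)

EXACT_LIBRARY = {hashlib.md5(KNOWN_BAD).hexdigest(): "FamilyA"}   # first sample library
FUZZY_LIBRARY = [("FamilyA", piece_hashes(KNOWN_BAD))]            # second sample library

if __name__ == "__main__":
    for name, icon in [("known", KNOWN_BAD), ("variant", VARIANT), ("unrelated", UNRELATED)]:
        print(name, classify(icon, EXACT_LIBRARY, FUZZY_LIBRARY))
```

The known icon is caught by the MD5 lookup alone; the variant misses that lookup because four bytes differ, but almost all of its pieces still match, so the second stage reports it under the same family; the unrelated icon shares at most the pieces cut from the identical 40-byte header and scores near zero.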
In another embodiment of the invention, before S101, S201 or S301 the method further comprises (not shown): first, obtaining feature content and/or behavioural feature information of the code to be detected; specifically, after the code has been preprocessed, obtaining its feature content (such as signatures) and/or behavioural feature information (such as modifying critical files or controlling processes). Then, a preset feature-content and/or behavioural-feature sample library is searched for the feature content and/or behavioural feature information of the code to be detected; this library holds malicious-code samples together with their feature content and/or behavioural feature information. Then, if the feature content and/or behavioural feature information of the code to be detected is not found in the library, at least one icon file of the code to be detected is obtained in order to further judge whether the current file is malicious code of a known family or an updated version of it, and execution continues with S101, S201 or S301. Detecting first by feature content and/or behavioural feature information, and only then applying the first and second summary information to the code that could not be recognised, improves detection efficiency and takes advantage of fuzzy-hash detection to improve recognition efficiency.
To implement the above embodiments, embodiments of the invention also provide a device for detecting malicious code.
The device comprises: a first acquisition module for obtaining at least one icon file of the code to be detected; a second acquisition module for obtaining first summary information of the at least one icon file; and a judging module for judging, from the first summary information of the at least one icon file, whether the code to be detected is malicious code.
Fig. 4 is a block diagram of a device for detecting malicious code according to an embodiment of the invention.
As shown in Fig. 4, the device comprises a first acquisition module 100, a second acquisition module 200 and a judging module 300.
The first acquisition module 100 obtains at least one icon file of the code to be detected. The code to be detected may be a PE (Portable Executable) file. In one embodiment the code is first preprocessed, for example decompressed (unpacked) and its file type identified: when a new PE file arrives, it is decompressed first and its file type is identified. After preprocessing, the first acquisition module 100 obtains at least one icon file of the PE file, for example by locating the PE file's resource directory and reading the corresponding icon file or files from it.
The second acquisition module 200 obtains the first summary information of the at least one icon file. In one embodiment the first summary information is generated from the icon file; for example, it is one or more of an MD5 (Message-Digest Algorithm 5) value, a SHA-1 (Secure Hash Algorithm 1) value or a RIPEMD (RACE Integrity Primitives Evaluation Message Digest) value. The first summary information is a short, fixed-length value that identifies a piece of data uniquely for practical purposes; any algorithm that produces such a value can be used, and this is not described further here. Specifically, the second acquisition module 200 may first extract the binary content of the at least one icon file and then compute the first summary information over the extracted binary content.
The judging module 300 judges, from the first summary information of the at least one icon file, whether the code to be detected is malicious code.
The device of this embodiment obtains the first summary information from the icon file of the code to be detected and uses it to detect whether the code is malicious. This recognises family malicious code and variant malicious code that conventional detection methods cannot recognise, improves the detection rate and accuracy, protects information security and improves the user experience.
Fig. 5 is the structured flowchart of the pick-up unit of the malicious code of another embodiment according to the present invention.
As shown in Figure 5, the pick-up unit of malicious code comprises: the first acquisition module 100, the second acquisition module 200, judge module 300, search unit 310, the first judging unit 320, acquiring unit 330, the second judging unit 340, obtain subelement 341, judgment sub-unit 342, the 3rd acquisition module 400 and search module 500.Wherein, judge module 300 comprises that searching unit 310, the first judging unit 320, acquiring unit 330 and the second judging unit 340, the second judging units 340 comprises and obtain subelement 341 and judgment sub-unit 342.
Particularly, search unit 310 for search the first summary info of at least one icon file at the first default Sample Storehouse.
The first judging unit 320, for when the first default Sample Storehouse finds the first summary info of at least one icon file, judges that code to be detected is malicious code.
Wherein, the first default Sample Storehouse comprises icon file and the first corresponding summary info thereof of malicious code sample, these malicious code samples can detect according to existing detection method in advance, can be also that professional collects, and the present invention does not limit this.From these malicious code samples, obtain corresponding icon file, and obtain the first summary info of icon file, thereby set up the first default Sample Storehouse.Should be understood that, in the first default Sample Storehouse, can constantly increase, upgrade, thereby the malicious code that makes it possible to identify also can increase accordingly.
Acquiring unit 330, for when the first default Sample Storehouse does not find the first summary info of at least one icon file, further obtains the second summary info of at least one icon file.In one embodiment of the invention, the burst content of the second summary info based on icon file generates.For example, the second summary info is fuzzy cryptographic hash.More specifically, acquiring unit 330 can be calculated and be obtained fuzzy cryptographic hash by fuzzy hash algorithm.The ultimate principle of fuzzy hash algorithm is content-based cutting apart icon file to be carried out to burst, calculate respectively the cryptographic hash of each burst, again the cryptographic hash of each burst is combined to obtain fuzzy cryptographic hash, fuzzy hash algorithm also has many branching algorithms at present, and in this not go into detail.
The fuzzy cryptographic hash obtaining according to fuzzy hash algorithm is insensitive to variations in detail, inserts, deletes, revises after a small amount of byte in raw data, little on the impact of fuzzy cryptographic hash, and therefore fuzzy cryptographic hash is mainly used to carry out similarity detection.In one embodiment of the invention, can apply the software that fuzzy hash algorithm detects document similarity by SSdeep() calculate the fuzzy cryptographic hash of at least one icon file, should be understood that, can also adopt other softwares or program to calculate, the present invention does not limit this.
The second judging unit 340 is for judging according to the second summary info of at least one icon file whether code to be detected is malicious code.
In the malicious code detection device of this embodiment of the present invention, if the search unit finds the first summary info in the first preset sample library, the first judging unit can determine that the code to be detected is malicious code; because the first summary info is unique, it can quickly determine whether the code to be detected is an existing family malicious code or a variant malicious code. In addition, if the search unit does not find the first summary info in the first preset sample library, the acquiring unit further obtains the second summary info, and the second judging unit determines according to the second summary info whether the code to be detected is malicious code; because changes in the details of an icon file have little effect on the second summary info, it can further determine according to the second summary info whether the code to be detected is an existing family malicious code or malicious code related to a variant, thereby further improving the recall rate and accuracy rate of malicious code detection.
Further, in one embodiment of the present invention, the second judging unit 340 specifically comprises:
An obtaining subunit 341, for obtaining the similarity between the preset summary info in the second preset sample library and the second summary info of the at least one icon file. Here, the second preset sample library comprises the icon files of malicious code samples and their corresponding second summary info; these malicious code samples may be detected in advance by existing detection methods, or may be collected by professionals, and the present invention does not limit this. The corresponding icon files are obtained from these malicious code samples, and the second summary info of those icon files is obtained, thereby establishing the second preset sample library. It should be understood that the second preset sample library can be continually expanded and updated, so that the malicious code it is able to identify increases accordingly.
A judging subunit 342, for judging that the code to be detected is malicious code when there exists preset summary info whose similarity exceeds a preset value. Here, the preset value is a percentage representing similarity; it can be set by default and can also be changed manually. For example, with a preset value of 90%, when the second preset sample library contains preset summary info whose similarity to the second summary info of the code to be detected exceeds 90%, the judging subunit 342 judges that the code to be detected is malicious code. Conversely, if there is no preset summary info whose similarity exceeds the preset value, the judging subunit 342 judges that the code to be detected is normal code.
In the malicious code detection device of this embodiment of the present invention, because changes in the details of an icon file have little effect on the second summary info, even malicious code that has been slightly modified on the basis of an existing family malicious code or variant malicious code can be detected by means of the second summary info, thereby further improving the recall rate and accuracy rate of malicious code detection.
In another embodiment of the present invention, the malicious code detection device further comprises:
A third acquisition module 400, for obtaining the characteristic content and/or behavioral characteristic information of the code to be detected. More specifically, after the code to be detected has been pre-processed and before the first acquisition module 100 obtains the at least one icon file of the code to be detected, the third acquisition module 400 may first obtain the characteristic content (such as a signature) and/or behavioral characteristic information (such as modifying critical files, controlling processes, etc.) of the code to be detected.
A search module 500, for searching for the characteristic content and/or behavioral characteristic information of the code to be detected in a preset characteristic content and/or behavioral characteristic information sample library. Here, the characteristic information sample library comprises malicious code samples and the characteristic content and/or behavioral characteristic information of those malicious code samples.
The judging module 300 is further used for judging that the code to be detected is malicious code when the characteristic content and/or behavioral characteristic information of the code to be detected is found in the preset characteristic content and/or behavioral characteristic information sample library. More specifically, if the search module 500 finds the characteristic content and/or behavioral characteristic information of the code to be detected in the preset characteristic content and/or behavioral characteristic information sample library, the judging module 300 judges that the code to be detected is malicious code; otherwise, if the search module 500 does not find it there, the first acquisition module 100 obtains the at least one icon file of the code to be detected, in order to further judge whether the current file is malicious code of a known similar family or a variant file thereof. Thus, the malicious code detection device of this embodiment of the present invention first detects according to the characteristic content and/or behavioral characteristic information of the code to be detected, and then further detects the code it could not identify according to the first summary info and the second summary info, which improves detection efficiency and, by taking advantage of fuzzy hash detection, improves recognition efficiency.
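As an added illustration (not code from the patent or its assignee), the following Python sketch implements the three-stage flow described above: a characteristic-content pre-check, an exact digest lookup on the icon file, and a fragment-based similarity check against the 90% preset value. The icon bytes, the sample library contents and the fixed-size-fragment digest are constructed assumptions; the patent does not specify which fuzzy-hash algorithm produces the second summary info.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass

FRAGMENT = 16        # fragment size for the second digest (constructed choice)
PRESET_VALUE = 90.0  # similarity threshold in percent, the patent's example value


def first_summary(icon: bytes) -> str:
    """First summary info: a digest over the whole icon file (exact match only)."""
    return hashlib.sha256(icon).hexdigest()


def second_summary(icon: bytes) -> list[str]:
    """Second summary info: one short digest per fixed-size fragment of the icon.

    Constructed stand-in for a fuzzy hash: a small edit changes one fragment
    digest and leaves the rest of the list intact.
    """
    return [hashlib.sha256(icon[i:i + FRAGMENT]).hexdigest()[:8]
            for i in range(0, len(icon), FRAGMENT)]


def similarity(a: list[str], b: list[str]) -> float:
    """Percentage of fragment digests that agree position for position."""
    longest = max(len(a), len(b))
    if longest == 0:
        return 0.0
    same = sum(1 for x, y in zip(a, b) if x == y)
    return 100.0 * same / longest


@dataclass
class SampleLibrary:
    """The preset sample libraries the device consults, in order."""
    features: set[bytes]             # characteristic content of known samples
    first_digests: set[str]          # first summary info of known icon files
    second_digests: list[list[str]]  # second summary info of known icon files


def detect(code: bytes, icons: list[bytes], lib: SampleLibrary) -> str:
    """Return the verdict together with the stage that produced it."""
    # Stage 1: third acquisition module + search module, characteristic content.
    if any(feature in code for feature in lib.features):
        return "malicious: characteristic content"
    # Stage 2: first/second acquisition modules + search unit, exact icon digest.
    for icon in icons:
        if first_summary(icon) in lib.first_digests:
            return "malicious: first summary info"
    # Stage 3: acquiring unit + second judging unit, similarity over preset value.
    for icon in icons:
        digest = second_summary(icon)
        if any(similarity(digest, known) > PRESET_VALUE for known in lib.second_digests):
            return "malicious: second summary info"
    return "normal"


# Constructed sample data: a 512-byte "icon" standing in for a family's icon file.
KNOWN_ICON = bytes(range(256)) * 2
LIBRARY = SampleLibrary(
    features={b"CONSTRUCTED-FEATURE-STRING"},
    first_digests={first_summary(KNOWN_ICON)},
    second_digests=[second_summary(KNOWN_ICON)],
)


def tweak(icon: bytes, offsets: list[int]) -> bytes:
    """Flip one byte at each offset, simulating small edits to an icon's details."""
    data = bytearray(icon)
    for off in offsets:
        data[off] ^= 0xFF
    return bytes(data)


if __name__ == "__main__":
    clean = b"constructed program body"
    print(detect(clean, [KNOWN_ICON], LIBRARY))                 # first summary info
    print(detect(clean, [tweak(KNOWN_ICON, [100])], LIBRARY))   # 31 of 32 fragments, 96.875% > 90
    print(detect(clean, [tweak(KNOWN_ICON, [0, 16, 32, 48])], LIBRARY))  # 87.5%: normal
```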
In the description of the present invention, it should be understood that the orientation or positional relationships indicated by the terms "center", "longitudinal", "lateral", "length", "width", "thickness", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", "clockwise", "counterclockwise", "axial", "radial", "circumferential", etc. are based on the orientation or positional relationship shown in the drawings, and are used only for convenience and simplicity of describing the present invention, rather than indicating or implying that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation; therefore they cannot be interpreted as limitations of the present invention.
In addition, the terms "first" and "second" are used for descriptive purposes only and cannot be interpreted as indicating or implying relative importance or implicitly indicating the quantity of the technical features indicated. Thus, a feature qualified by "first" or "second" may explicitly or implicitly comprise one or more of those features. In the description of the present invention, "a plurality" means two or more, unless otherwise expressly and specifically limited.
In the present invention, unless otherwise clearly specified and limited, the terms "mounted", "connected", "coupled", "fixed" and the like should be interpreted broadly; for example, they may denote a fixed connection, a detachable connection or an integral connection; a mechanical connection or an electrical connection; a direct connection or an indirect connection through an intermediary; an internal connection between two elements or an interaction relationship between two elements. For those of ordinary skill in the art, the specific meaning of the above terms in the present invention can be understood according to the specific circumstances.
In the present invention, unless otherwise clearly specified and limited, a first feature being "on" or "under" a second feature may mean that the first and second features are in direct contact, or that they are in indirect contact through an intermediary. Moreover, a first feature being "on", "above" or "over" a second feature may mean that the first feature is directly above or obliquely above the second feature, or may merely mean that the first feature is at a higher level than the second feature. A first feature being "under", "below" or "beneath" a second feature may mean that the first feature is directly below or obliquely below the second feature, or may merely mean that the first feature is at a lower level than the second feature.
In the description of this specification, descriptions referring to the terms "one embodiment", "some embodiments", "an example", "a specific example", "some examples", etc. mean that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic expressions of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in one or more embodiments or examples. In addition, where there is no conflict, those skilled in the art may combine the features of the different embodiments or examples described in this specification.
Although embodiments of the present invention have been shown and described above, it should be understood that the above embodiments are exemplary and cannot be interpreted as limitations of the present invention; those of ordinary skill in the art may make changes, modifications, substitutions and variations to the above embodiments within the scope of the present invention.

Claims (10)

1. A malicious code detection method, characterized in that it comprises:
obtaining at least one icon file of code to be detected;
obtaining first summary info of said at least one icon file; and
judging, according to the first summary info of said at least one icon file, whether said code to be detected is malicious code.
2. The malicious code detection method according to claim 1, characterized in that said judging, according to the first summary info of said at least one icon file, whether said code to be detected is malicious code comprises:
searching for the first summary info of said at least one icon file in a first preset sample library; and
if the first summary info of said at least one icon file is found in said first preset sample library, judging that said code to be detected is malicious code.
3. The malicious code detection method according to claim 2, characterized in that it further comprises:
if the first summary info of said at least one icon file is not found in said first preset sample library, further obtaining second summary info of said at least one icon file, wherein said first summary info is generated based on said icon file, and said second summary info is generated based on fragment content of said icon file; and
judging, according to the second summary info of said at least one icon file, whether said code to be detected is malicious code.
4. The malicious code detection method according to claim 3, characterized in that said judging, according to the second summary info of said at least one icon file, whether said code to be detected is malicious code comprises:
obtaining the similarity between preset summary info in a second preset sample library and the second summary info of said at least one icon file; and
if there exists preset summary info whose said similarity exceeds a preset value, judging that said code to be detected is malicious code.
5. The malicious code detection method according to any one of claims 1 to 4, characterized in that, before said obtaining at least one icon file of code to be detected, it further comprises:
obtaining characteristic content and/or behavioral characteristic information of said code to be detected;
searching for the characteristic content and/or behavioral characteristic information of said code to be detected in a preset characteristic content and/or behavioral characteristic information sample library; and
if the characteristic content and/or behavioral characteristic information of said code to be detected is found in said preset characteristic content and/or behavioral characteristic information sample library, judging that said code to be detected is malicious code.
6. A malicious code detection device, characterized in that it comprises:
a first acquisition module, for obtaining at least one icon file of code to be detected;
a second acquisition module, for obtaining first summary info of said at least one icon file; and
a judging module, for judging, according to the first summary info of said at least one icon file, whether said code to be detected is malicious code.
7. The malicious code detection device according to claim 6, characterized in that said judging module comprises:
a search unit, for searching for the first summary info of said at least one icon file in a first preset sample library; and
a first judging unit, for judging that said code to be detected is malicious code when the first summary info of said at least one icon file is found in said first preset sample library.
8. The malicious code detection device according to claim 7, characterized in that said judging module further comprises:
an acquiring unit, for further obtaining second summary info of said at least one icon file when the first summary info of said at least one icon file is not found in said first preset sample library, wherein said first summary info is generated based on said icon file, and said second summary info is generated based on fragment content of said icon file; and
a second judging unit, for judging, according to the second summary info of said at least one icon file, whether said code to be detected is malicious code.
9. The malicious code detection device according to claim 8, characterized in that said second judging unit comprises:
an obtaining subunit, for obtaining the similarity between preset summary info in a second preset sample library and the second summary info of said at least one icon file; and
a judging subunit, for judging that said code to be detected is malicious code when there exists preset summary info whose said similarity exceeds a preset value.
10. The malicious code detection device according to any one of claims 6 to 9, characterized in that it further comprises:
a third acquisition module, for obtaining characteristic content and/or behavioral characteristic information of said code to be detected;
a search module, for searching for the characteristic content and/or behavioral characteristic information of said code to be detected in a preset characteristic content and/or behavioral characteristic information sample library; and
said judging module being further used for judging that said code to be detected is malicious code when the characteristic content and/or behavioral characteristic information of said code to be detected is found in said preset characteristic content and/or behavioral characteristic information sample library.
Application CN201410040500.8A, filed 2014-01-27 (priority date 2014-01-27): Method and device for detecting malicious codes. Status: pending.

Publication: CN103761483A, published 2014-04-30. Family ID: 50528719. Country: CN.
Legal Events

C06: Publication
PB01: Publication
C10: Entry into substantive examination
SE01: Entry into force of request for substantive examination
RJ01: Rejection of invention patent application after publication (application publication date: 20140430)