CN104252447A - File behavior analysis method and device - Google Patents


Info

Publication number
CN104252447A
Authority
CN
China
Prior art keywords
file
sample
information
sample file
snapshot
Prior art date
Legal status
Pending
Application number
CN201310263717.0A
Other languages
Chinese (zh)
Inventor
舒鑫
陈勇
张楠
Current Assignee
Beijing Kingsoft Internet Security Software Co Ltd
Conew Network Technology Beijing Co Ltd
Shell Internet Beijing Security Technology Co Ltd
Zhuhai Juntian Electronic Technology Co Ltd
Beijing Kingsoft Internet Science and Technology Co Ltd
Original Assignee
Beijing Kingsoft Internet Security Software Co Ltd
Conew Network Technology Beijing Co Ltd
Shell Internet Beijing Security Technology Co Ltd
Zhuhai Juntian Electronic Technology Co Ltd
Beijing Kingsoft Internet Science and Technology Co Ltd

Abstract

The invention provides a file behavior analysis method and device. The method comprises the following steps: obtaining operation record information of a sample file, the operation record information comprising at least one of the following: the Application Programming Interface (API) call record during the running of the sample file, and the file snapshots taken before and after the sample file runs, wherein the sample file is the file to be analyzed and a file snapshot is a snapshot of the files in the system in which the sample file resides; and obtaining, according to the operation record information, the operation behavior information of the sample file operating on one or more files in the system, so as to analyze the behavior of the sample file. The invention solves the problems of file behavior analysis in the related art and can analyze the operation behavior of a file more accurately.

Description

File behavior analysis method and device
Technical field
The present invention relates to the field of computing, and in particular to a file behavior analysis method and device.
Background technology
Viruses that tamper with system files or infect user files appear constantly, and such viruses threaten the security of the operating system.
In the related art, whether a file is infected by a virus is analyzed by matching file signatures (characteristic values) to recognize the virus or the infected file. This file analysis method compares the characteristic information of part or all of the program, code or data against existing characteristic information, and decides from the comparison whether the program, code or data is a virus. When the program, code or data is a script virus that has already appeared, signature matching identifies it accurately, that is, it matches. This approach is a form of plaintext comparison.
However, recognizing viruses or infected files by signature matching has the following problems: because the comparison is based on existing characteristic information, the method depends on the completeness of that information. For example, it cannot identify virus variants, it has great difficulty identifying virus files that have been packed, padded with junk instructions or obfuscated, and it has great difficulty identifying new viruses. Here, packing means compressing the resources of an executable file so that they are decompressed automatically when the file runs, while static disassembly cannot inspect the compressed information; junk instructions are instructions inserted among the regular program instructions to disturb the disassembler without affecting program execution, and may be jumps or invalid code; obfuscation means replacing content with semantic meaning inside the program, such as internal variable or function names, with meaningless, unreadable information. In addition, because signature extraction takes the features of some or all code segments of known samples, it may miss the key features of the virus or even extract the features of normal files.
For these problems in analyzing file behavior in the related art, no effective solution has yet been proposed.
Summary of the invention
The main purpose of the present invention is to provide a file behavior analysis method and device, so as to solve the problems in analyzing file behavior in the related art.
To achieve this goal, according to one aspect of the present invention, a file behavior analysis method is provided. The method comprises: obtaining operation record information of a sample file, the operation record information comprising at least one of the following: the Application Programming Interface (API) call record during the running of the sample file, and the file snapshots before and after the sample file runs, wherein the sample file is the file to be analyzed and a file snapshot is a snapshot of the files in the system in which the sample file resides; and obtaining, according to the operation record information, the operation behavior information of the sample file operating on one or more of the files in the system, so as to analyze the behavior of the sample file.
Preferably, obtaining, according to the operation record information, the operation behavior information of the sample file operating on one or more of the files in the system comprises: determining, according to the API call record, the one or more files operated on by the sample file; determining the file information changes of the one or more files according to a comparison of the file snapshots before and after the sample file runs; and obtaining, according to the file information changes, the operation behavior information of the sample file operating on the one or more files.
Preferably, the API call record comprises at least one of: API parameters, API return values, API combinations, API flows; and/or the operation behavior information comprises at least one of: operation type, file type, file path, infection sequence, infection mode, infection mark, wherein the operation type comprises at least one of: read operation, modify operation, compare operation.
Preferably, the file information change comprises at least one of: file path change, file hash change, file date change, file size change, executable file section information change, executable file entry point information change, executable file resource information change, file content change, change of the file list of a compressed package file, and file information change of a contained file.
Preferably, before obtaining the operation record information of the sample file, the method further comprises placing probe files in the system, wherein a probe file is a user file that simulates files a user keeps and is used to probe the operation behavior of the sample file, and the files in the system comprise the probe files and/or system files.
Preferably, the probe file comprises at least one of: executable file, batch file, script file, text markup language file, compressed file, office document file.
Preferably, after obtaining, according to the operation record information, the operation behavior information of the sample file operating on one or more of the files in the system, the method further comprises: determining, according to the operation behavior information, whether the sample file is a virus.
Preferably, the method further comprises: when the sample file is determined to be a virus, identifying the infection mode of the sample file, and determining, according to the infection mode, the killing (removal) mode for the sample file and/or the repair and restoration mode for the one or more files.
According to another aspect of the present invention, a file behavior analysis device is provided, comprising: an acquisition module for obtaining the operation record information of a sample file, the operation record information comprising at least one of: the Application Programming Interface (API) call record during the running of the sample file, and the file snapshots before and after the sample file runs, wherein the sample file is the file to be analyzed and a file snapshot is a snapshot of the files in the system in which the sample file resides; and an analysis module for obtaining, according to the operation record information, the operation behavior information of the sample file operating on one or more of the files in the system, so as to analyze the behavior of the sample file.
Preferably, the analysis module is further used to determine, according to the API call record, the one or more files operated on by the sample file; to determine the file information changes of the one or more files according to a comparison of the file snapshots before and after the sample file runs; and to obtain, according to the file information changes, the operation behavior information of the sample file operating on the one or more files.
Preferably, the device further comprises a probe module for placing probe files in the system, wherein a probe file is a user file that simulates files a user keeps and is used to probe the operation behavior of the sample file, and the files in the system comprise the probe files and/or system files.
Preferably, the device further comprises a determination module for determining, according to the operation behavior information, whether the sample file is a virus.
Preferably, the device further comprises a repair module for, when the sample file is determined to be a virus, identifying the infection mode of the sample file and determining, according to the infection mode, the killing mode for the sample file and/or the repair and restoration mode for the one or more files.
Through the embodiments of the present invention, the operation record information of the sample file is obtained, the operation record information comprising at least one of: the API call record during the running of the sample file, and the file snapshots before and after the sample file runs, wherein the sample file is the file to be analyzed and a file snapshot is a snapshot of the files in the system in which the sample file resides; and the operation behavior information of the sample file operating on one or more of the files in the system is obtained from the operation record information so as to analyze the behavior of the sample file. This solves the problems in analyzing file behavior in the related art and achieves the effect of analyzing the operation behavior of a file more accurately.
Description of the drawings
The accompanying drawings, which form part of this application, are provided to give a further understanding of the present invention; the schematic embodiments of the present invention and their description serve to explain the present invention and do not constitute an undue limitation of it. In the drawings:
Fig. 1 is a flow chart of a file behavior analysis method according to an embodiment of the present invention;
Fig. 2 is a flow chart of a file protection method according to an embodiment of the present invention;
Fig. 3 is a structural diagram of a file behavior analysis device according to an embodiment of the present invention;
Fig. 4 is a structural diagram of a file protection device according to an embodiment of the present invention;
Fig. 5 is a flow chart of a file behavior analysis method according to a preferred embodiment of the present invention;
Fig. 6 is a schematic diagram of a file binary comparison result according to an embodiment of the present invention;
Fig. 7 is a flow chart of a method, according to an embodiment of the present invention, for determining from the API call record the operation behavior of the sample file with respect to one or more files; and
Fig. 8 is a flow chart of a method, according to an embodiment of the present invention, for determining from the file snapshots the operation behavior of the sample file with respect to one or more files.
Embodiments
It should be noted that, where there is no conflict, the embodiments of the application and the features in the embodiments may be combined with one another. The present invention is described in detail below with reference to the accompanying drawings and in conjunction with the embodiments.
To give a clearer understanding of the technical terms used in the embodiments of the present application, their definitions are given below:
File: comprises system files and user files.
API combination: an unordered combination of multiple APIs.
API flow: an ordered (sequential) combination of multiple APIs.
System file: a file related to the system in the system where the sample file runs.
Sample file: the file to be analyzed. It may be a virus file, but is not limited to virus files; it may be any file that has the behavior of tampering with user files or system files.
Probe file: a user file that simulates files a user keeps, used to probe the operation behavior of the sample file. Specifically, it is a user file placed in the system to simulate files a real user might keep; its file type and content may be specially constructed so that it can be used to probe whether the sample file searches for, reads or modifies user files, and how it modifies them. Probe files can be specially constructed, mainly according to previously accumulated experience: some sample files ignore executable files that contain certain content, have a certain structure or lie in certain paths, and so do not modify such files. Therefore files with as many different contents and paths as possible are constructed to simulate the files a normal user might have, so as to trigger the infection behavior of the sample file as far as possible.
An embodiment of the present invention provides a file behavior analysis method. As shown in Fig. 1, the method comprises the following steps:
Step S102: obtain the operation record information of the sample file, the operation record information comprising at least one of: the API call record during the running of the sample file, and the file snapshots before and after the sample file runs, wherein the sample file is the file to be analyzed and a file snapshot is a snapshot of the files in the system in which the sample file resides.
Step S104: obtain, according to the operation record information, the operation behavior information of the sample file operating on one or more of the files in the system, so as to analyze the behavior of the sample file.
Through the above steps, the behavior of the sample file can be analyzed from its operation record information. The operation record information can be obtained from the API call record, from the comparison of file snapshots, or from a combination of both. It should be noted that whichever kind or kinds of operation record information are used, the behavior of the sample file is obtained from the operation record information, which is advantageous for identifying the behavior of the sample file compared with analyzing the sample file by signature matching as in the related art.
In this embodiment, the operation behavior information of the sample file can take many forms; for example, it can comprise at least one of: operation type (such as read operation, modify operation, compare operation), file type, file path, infection sequence, infection mode, infection mark. These kinds of operation behavior information are only examples, and this embodiment is not limited to them; any operation behavior information that can be analyzed from the operation record information falls within the scope of protection of this embodiment.
For the operation record information, this embodiment provides several preferred implementations that each describe how to obtain it.
In preferred implementation one, the operation behavior information of the sample file operating on one or more files is determined from the API call record. In this preferred implementation, the API call record can comprise at least one of: API parameters, API return values, API combinations, API flows, so that more operation behavior information of the sample file can be obtained from the API call record. For example, the following can be recorded: the name of the called API, its return value, the function return address, the exception handling pointer, the values of the central processing unit (CPU) registers, and so on. These are only examples of content that can be recorded; the recorded content can comprise at least one of the above, but is not limited to them.
In preferred implementation two, the operation behavior information of the sample file operating on one or more files is determined by comparing file snapshots. In this preferred implementation, all files of the system can be mirrored at a given moment, and any file in the historical snapshot of any moment can be provided for reading; a comparison algorithm is then used to compare the files comprehensively and quickly, obtaining their differences and thereby the changes in file content, for example text content differences, binary differences, executable file section differences, executable file resource differences, and so on. For example, all files in the system can be mirrored before the sample file runs and mirrored again after it runs; by comparing the two mirrors, the files that changed during that period are determined, and from the change information of those files it can be seen which files the sample file changed and how, so that the behavior of the sample file can be determined.
In preferred implementation two, the file information change can take many forms; preferably, it can comprise at least one of: file path change, file hash change, file date change, file size change, executable file section information change, executable file entry point information change, executable file resource information change, file content change, change of the file list of a compressed package file, and file information change of a contained file.
The above two preferred implementations determine the behavior of the sample file solely by means of API calls or of file snapshot comparison, respectively. A further preferred implementation, preferred implementation three, combines the analysis of API call information with the analysis of file snapshot comparison. Preferred implementation three is described below.
In preferred implementation three, the one or more files operated on by the sample file are first determined from the API call record; the file information changes of those files are then determined by comparing the file snapshots before and after the sample file runs; and the operation behavior information of the sample file operating on the one or more files is obtained from the file information changes. Compared with preferred implementation two, preferred implementation three first determines from the API call record which files the sample file operates on, so it can target those files directly and compare only their snapshots before and after the run, and thereby determine the operation behavior information of the sample file more quickly and more accurately.
In this embodiment and in the above three preferred implementations, in order to obtain the operation record information of the sample file more accurately, probe files can be placed in the system before the operation record information is obtained. A probe file can be a user file that simulates files a user keeps, used to probe the operation behavior of the sample file. The system in which the sample file runs may contain only system files, but by placing probe files the operation behavior information of the sample file can be analyzed more accurately. Different types of probe file can be chosen as required; for example, more preferably, the probe files can comprise at least one of: executable files, batch files, script files, text markup language files such as HTML files, compressed files, and office document files such as Word, Excel or PowerPoint files.
Preferably, the scheme of this embodiment can be used to determine viruses: for example, after the operation behavior information of the sample file is determined, whether the sample file is a virus can be determined from its operation behavior information. Through the above steps, the user can clearly understand whether the sample file is harmful to the system or files, and can then decide how to dispose of the sample file. A further preferred processing mode is that, when the sample file is determined to be a virus, its infection mode can also be identified, and the killing mode for the sample file and/or the repair and restoration mode for the one or more files can be determined according to the infection mode.
Fig. 2 is a flow chart of a file protection method according to an embodiment of the present invention. As shown in Fig. 2, the method comprises the following steps:
Step S202: when the sample file is determined to be a virus, identify the infection mode of the sample file.
When the sample file is determined to be a virus using the above file behavior analysis method, the infection mode of the sample file is identified.
Step S204: determine, according to the infection mode, the killing mode for the sample file and/or the repair and restoration mode for the one or more files.
The above steps can be performed automatically by one server or a group of servers. The servers can use a browser/server (B/S) architecture, in which users upload the files to be analyzed (sample files) through a browser and the server performs the above steps automatically. Sample files can of course also be obtained through other channels.
An embodiment of the present invention also provides a file behavior analysis device. The device in this embodiment is used to implement the above method, and explanations already given for the method are not repeated here. Each step of the method in the above embodiments can be implemented by a module. Fig. 3 is a structural diagram of a file behavior analysis device according to an embodiment of the present invention. As shown in Fig. 3, the device comprises an acquisition module 32 and an analysis module 34.
The acquisition module 32 is used to obtain the operation record information of the sample file, the operation record information comprising at least one of: the API call record during the running of the sample file, and the file snapshots before and after the sample file runs, wherein the sample file is the file to be analyzed and a file snapshot is a snapshot of the files in the system in which the sample file resides.
The analysis module 34 is used to obtain, according to the operation record information, the operation behavior information of the sample file operating on one or more of the files in the system, so as to analyze the behavior of the sample file.
Preferably, the analysis module 34 is further used to determine, according to the API call record, the one or more files operated on by the sample file; to determine the file information changes of the one or more files according to a comparison of the file snapshots before and after the sample file runs; and to obtain, according to the file information changes, the operation behavior information of the sample file operating on the one or more files.
Preferably, the device further comprises a probe module 36 for placing probe files in the system, wherein a probe file is a user file that simulates files a user keeps and is used to probe the operation behavior of the sample file, and the files in the system comprise the probe files and/or system files.
Preferably, the device can further comprise a determination module 38 for determining, according to the operation behavior information, whether the sample file is a virus.
Although the above acquisition module 32 is named "acquisition", it should be understood that the module name does not limit the module; for example, it could also be called "the module for obtaining the operation behavior information during the running of the sample file". The names of the other modules likewise do not limit those modules, and this is not repeated here.
Likewise, corresponding to the method of Fig. 2, an embodiment of the present invention also provides a file protection device. Fig. 4 is a structural diagram of a file protection device according to an embodiment of the present invention. As shown in Fig. 4, the device comprises an identification module 42 and a protection module 44.
When the above file behavior analysis device determines that the sample file is a virus, the identification module 42 is used to identify the infection mode of the sample file, and the protection module 44 is used to determine, according to the infection mode, the killing mode for the sample file and/or the repair and restoration mode for the one or more files.
In the preferred embodiment of the present embodiment, additionally provide a kind of processor, this processor is configured to perform the program element stored in memory, and the module that these program elements comprise can for the module mentioned in any one embodiment above.In another embodiment, additionally provide a kind of storage medium, store above-mentioned module in this storage medium, this storage medium includes but not limited to: CD, floppy disk, hard disk, scratch pad memory etc.Fig. 5 is the process flow diagram of file behavior analysis method according to the preferred embodiment of the invention, and as shown in Figure 5, the method comprises the following steps:
Step S500, places probe file.
In the system that sample file will run, place probe file.Wherein, the placement location of probe file includes but not limited to desktop, User Catalog, system file directory, driving catalogue, software installation directory, disk root directory, virtual mobile disk catalogue and sub-directory.The probe file placed includes but not limited to the compressed files such as executable file, autoexec, script file, html file, zip or rar, other form may infected file.
Step S502, obtains File Snapshot before sample file runs.
Before sample file runs, obtain the snapshot of the All Files in this system, namely sample file run before the File Snapshot of whole system.
Step S504, runs sample file in systems in which.
Step S506, obtains API Calls record.
Can start API monitoring module, this module links up with all API calls.Here hook refers to and can jump to API monitoring module by revising the instruction of api function head, to obtain and after processing API Calls record, then is giving the process of primal system function.
The sample file of Water demand is put into system, when running sample file, obtaining and recording all API Calls records of sample file run duration, such as, the parameter called, the return address etc. of function call.
Step S508, obtains File Snapshot after sample file runs.
Sample file, in systems in which after end of run, does second time File Snapshot to whole system, namely sample file run after the File Snapshot of whole system.
Wherein, the API Calls record of sample file run duration and/or the File Snapshot of sample file operation front and back can be referred to as operation note information.
Step S510, by operation note information determination sample file to the operation behavior information of one or more file.
By the API daily record of sample file run duration, obtain the API Calls record of sample file.Wherein, API Calls record comprise following one of at least: API parameter, API rreturn value, API combination, API stream.And then the file type, file path, infection order, mode of infection, Infection label etc. of one or more files of sample file operation can be obtained according to API Calls record.
The operation behavior of sample file is determined further by the various information change of twice File Snapshot before and after analyzing samples running paper.Wherein, File Snapshot can be the snapshot of user file in system, the snapshot of the probe file for analog subscriber file of special tectonic, the snapshot of the derivative file of system cloud gray model, the snapshot of sample file self.Wherein, information in various information change comprise following one of at least: file path, file Ha Xi, file date, file size, executable file joint information, the entry point information of executable file, executable file resource information, html file DOM Document Object Model (Document Object Model, be called for short DOM) structure, file content changes, the listed files change of compression package-in file and the fileinfo of institute's include file.Wherein, executable file joint information refers to the information such as code, data, symbol (variable sum functions) reorientation that any one executable file is preserved by interval.
By being modified the file type of file before and after analyzing samples running paper, the file type of amendment when sample file runs can be obtained.
By being modified the file scale-of-two comparative result of file before and after analyzing samples running paper, file in sample file runtime system can being obtained and how to be modified, whether increasing, delete, move, replace, revise binary data.Such as, as shown in Figure 6, file is before certain virus is run, and its some binary data is in primary importance 62, and after certain virus is run, these binary data are moved to other positions 64 of file, and original position is replaced with viral native codes.
By being modified the File Snapshot of file before and after analyzing samples running paper, sample file content change can be obtained.Such as, office office document content and structure change, and web page files content and structure changes, and picture file content and structure changes, and pdf document content and structure changes.For another example, certain virus infections web page files, reaches infection object by inserting other dangerous web page contents in the former page.
Step S512: output the operation behavior information of the sample file.
According to the analysis of the above steps, the operation behavior information of the sample file is output.
Step S510 may specifically comprise the two flows shown in Figure 7 and Figure 8, which are elaborated below.
Figure 7 is a flow chart of a method according to an embodiment of the present invention for determining, from the API call record, the operation behavior of the sample file on one or more files. The operation behavior of a sample file can usually be divided into three classes: the operation behavior of searching for files, the operation behavior of reading and writing files, and the operation behavior of comparing data. As shown in Figure 7, this flow comprises the following steps:
Step S702: judge from the API call record whether there is file search operation behavior.
File search operation behavior can be determined from the parameters of the file-search-related APIs. For example, under a Windows system, the commonly used API for finding the first file is FindFirstFileA or FindFirstFileW, and the API for finding the next file is FindNextFileA or FindNextFileW; from the parameters of the find-first-file API and the find-next-file API it can be judged whether the sample file has file search operation behavior. If there is file search operation behavior, step S710 is performed to obtain the file search operation behavior information, such as the directory search priority path, the type of searched file, and the path and PI of the searched file. If there is no file search operation behavior, step S704 is performed directly.
Step S704: judge from the API call record whether there is file read/write operation behavior.
File read operation behavior can be determined from the parameters of the file read API. For example, under a Windows system, the API for reading file content is ReadFile; from the parameters of ReadFile and other file-read-related APIs, the operation behavior information of the sample file reading probe files and/or system files is obtained.
File modification operation behavior can be determined from a combination of file APIs. For example, under a Windows system, the file modification operation behavior can be obtained from the following API combination: read file ReadFile, write file WriteFile, close handle CloseHandle; or from the following API combination: read file ReadFile, write file WriteFile, set file attributes SetFileAttributesA, etc.
File modification operation behavior can also be determined from a file API stream. For example, under a Windows system, the file read/write pattern can be obtained from the following API streams and matched against existing read/write rules: create file CreateFileA -> read file ReadFile -> close handle CloseHandle; create file CreateFileA -> set file pointer SetFilePointer -> read file ReadFile -> ... -> close handle CloseHandle; create file CreateFileA -> write file WriteFile -> close handle CloseHandle; create file CreateFileA -> set file pointer SetFilePointer -> write file WriteFile -> ... -> close handle CloseHandle.
After the file modification operation behavior has been determined, the data written by the sample file can be obtained from the parameters of the file-write-related API. For example, under a Windows system, the commonly used API for writing files is WriteFile, and obtaining the parameters of this API yields the content of the written data. From these data the sample file can also be classified, for example according to formulated sample identification rules or formulated sample family rules.
If it is determined that the sample file has read/write operation behavior, step S712 is performed to obtain the file modification operation behavior information of the sample file, and then step S706 is performed.
Step S706: judge from the API call record whether there is data comparison operation behavior.
Data comparison operation behavior can be determined from the memory-related comparison APIs. For example, under a Windows system, the content comparison APIs include lstrcmpiA, lstrcmpiW, StrStrIW, StrCmpNIA, etc.; the data comparison operation behavior information of the sample file is obtained from the parameters of these APIs.
If data comparison operation behavior is determined, step S714 is performed to obtain the data comparison operation behavior information.
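The Figure 7 flow above, classifying an API call record into file search, read, modification and comparison behavior, as an added example written for this page rather than code from the patent or its assignees. The log format ("Name(args) -> return", one call per line), the sample log lines, and the assumption that the first argument of a post-CreateFile call is the file handle are all constructed for the example; the read/write rules are the API streams listed in the text (CreateFile ... WriteFile ... CloseHandle means modification, ReadFile only means a read).

```python
import re

# Constructed API-monitor log; not the output of any real monitoring tool.
SAMPLE_LOG = r"""
FindFirstFileW(C:\probe\*.exe) -> 0x1a4
FindNextFileW(0x1a4) -> 1
CreateFileA(C:\probe\calc.exe) -> 0x2c0
ReadFile(0x2c0, 64) -> 1
SetFilePointer(0x2c0, 0, FILE_END) -> 40960
WriteFile(0x2c0, 1536) -> 1
CloseHandle(0x2c0) -> 1
CreateFileA(C:\probe\notes.txt) -> 0x2d8
ReadFile(0x2d8, 4096) -> 1
CloseHandle(0x2d8) -> 1
lstrcmpiA(MZ, MZ) -> 0
"""

CALL_RE = re.compile(r"^(\w+)\((.*)\)\s*->\s*(\S+)$")
SEARCH_APIS = {"FindFirstFileA", "FindFirstFileW", "FindNextFileA", "FindNextFileW"}
CREATE_APIS = {"CreateFileA", "CreateFileW"}
COMPARE_APIS = {"lstrcmpiA", "lstrcmpiW", "StrStrIW", "StrCmpNIA"}


def parse_log(text):
    """Turn each log line into (api name, argument list, return value)."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if m:
            name, args, ret = m.groups()
            calls.append((name, [a.strip() for a in args.split(",")], ret))
    return calls


def classify_stream(stream):
    """Match one per-handle API stream against the read/write rules from the text:
    opened by CreateFile, closed by CloseHandle, WriteFile in between means 'modify',
    ReadFile only means 'read'."""
    if stream[0] not in CREATE_APIS or stream[-1] != "CloseHandle":
        return None
    if "WriteFile" in stream:
        return "modify"
    if "ReadFile" in stream:
        return "read"
    return None


def analyze_calls(calls):
    result = {"search": [], "read": [], "modify": [], "compare": []}
    # handle -> (path, API stream so far); the first argument is assumed to be the handle
    open_handles = {}
    for name, args, ret in calls:
        if name in SEARCH_APIS:
            if name.startswith("FindFirstFile"):
                result["search"].append(args[0])      # the searched path/pattern
        elif name in CREATE_APIS:
            open_handles[ret] = (args[0], [name])      # start a new stream for this handle
        elif name in COMPARE_APIS:
            result["compare"].append((name, tuple(args)))
        elif args and args[0] in open_handles:
            path, stream = open_handles[args[0]]
            stream.append(name)
            if name == "CloseHandle":
                kind = classify_stream(stream)
                if kind:
                    result[kind].append(path)
                del open_handles[args[0]]
    return result


def analyze_log(text):
    return analyze_calls(parse_log(text))


if __name__ == "__main__":
    for kind, items in analyze_log(SAMPLE_LOG).items():
        print(kind, items)
```

A stream that contains both ReadFile and WriteFile is reported once, as a modification, which is the "read, then write" combination the text lists; a handle that is never closed is left unclassified rather than guessed at.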
Figure 8 is a flow chart of a method according to an embodiment of the present invention for determining, from the File Snapshots, the operation behavior of the sample file on one or more files. As shown in Figure 8, the method comprises the following steps:
Step S802: judge whether system files have changed.
By analyzing the two File Snapshots taken before and after the sample runs, information such as file additions and deletions, file modifications, and file attribute modifications in the system while the sample file runs can also be obtained.
If it is determined that system files have changed, step S810 is performed to determine that the sample file has the operation behavior of modifying system files; otherwise step S804 is performed directly.
Step S804: judge whether probe files have changed.
Whether the sample file is an infecting virus is judged by comparing the File Snapshots of the probe files. For example, if the code of an executable file has been tampered with and the tampered executable still has behavior similar to the original sample, it can be asserted to be an infecting virus; as another example, if multiple web page files have been modified by inserting code and the tampered web pages still have behavior similar to the original sample, it can be considered a virus that infects web page files. If it is determined that probe files have changed, the sample file is determined to be a virus file and step S812 is performed; otherwise step S806 is performed directly.
Preferably, after the sample file has been determined to be an infecting virus, the mode of infection of the sample file can also be judged from the above changes in the various items of information. Examples: modifying the executable entry point address to point to inserted malicious code; directly modifying or overwriting the code at the executable's entry point; inserting <OBJECT/>-related code into web page files; inserting <SCRIPT/>-related code into web page files; inserting a DLL file into the executable's directory inside a compressed package; re-inserting an Office macro into Office documents.
Preferably, after the sample file has been determined to be an infecting virus, whether the sample file is a variant, and its variant mode, can also be determined from the above changes in the various items of information: whether the manner in which multiple executable files were infected is the same, whether the insertion or tampering positions after infection are the same, whether the code or content inserted or tampered with after infection is the same, and, if the tampered content differs, whether it is one of the more common variant modes, such as encryption with different keys, insertion of different junk code, or changing the code insertion position. In addition, from the modification times of the tampered files, the order in which the sample file searched for and tampered with files can be calculated.
Step S806: judge whether the sample file itself has changed.
If the sample file itself has changed, step S814 is performed and the sample file is judged to be self-modifying.
Of course, the flows shown in Figure 7 and Figure 8 can also be performed independently of each other. For example, after the sample file has run, only the flow of Figure 7 is performed, that is, the behavior of the sample file is determined only from the API call record. Or, after the sample file has run and the File Snapshots before and after its run have been obtained, only the flow of Figure 8 is performed, that is, the behavior of the sample file is determined only from the File Snapshots.
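The Figure 8 flow, together with the binary comparison of Figure 6 and the web page tag insertion described above, as an added example written for this page rather than code from the patent or its assignees. The two "file systems" are constructed in-memory dictionaries standing in for the before and after snapshots, and the probe directory, system directory and sample path are assumed locations; a real implementation would walk the sandbox disk. The binary comparison is chunk-wise: original bytes found again at a different offset are counted as moved (the Figure 6 pattern), bytes no longer present anywhere as replaced.

```python
import hashlib
import re
from collections import Counter

PROBE_DIR = r"C:\probe"                # assumed location of the planted probe files
SYSTEM_DIR = r"C:\Windows"             # assumed location of system files
SAMPLE_PATH = r"C:\sample\sample.exe"  # assumed location of the sample itself

# Constructed snapshots (path -> bytes). calc.exe shows the Figure 6 pattern: the original
# code block is moved to the end and its old position overwritten with inserted code.
BEFORE = {
    r"C:\probe\calc.exe": b"MZ" + b"\x90" * 14 + b"ORIGCODE" + b"\x00" * 8,
    r"C:\probe\index.html": b"<html><body><p>hello</p></body></html>",
    r"C:\probe\notes.txt": b"meeting at 10",
    r"C:\Windows\hosts": b"127.0.0.1 localhost",
    SAMPLE_PATH: b"MZSAMPLE",
}
AFTER = {
    r"C:\probe\calc.exe": b"MZ" + b"\x90" * 14 + b"INJECTED" + b"\x00" * 8 + b"ORIGCODE",
    r"C:\probe\index.html": b"<html><body><p>hello</p><script src=x.js></script></body></html>",
    r"C:\probe\notes.txt": b"meeting at 10",
    r"C:\Windows\hosts": b"127.0.0.1 localhost\n127.0.0.1 example.test",
    SAMPLE_PATH: b"MZSAMPLE",
    r"C:\probe\dropped.dll": b"MZDROP",
}

TAG_RE = re.compile(rb"<(script|object)\b", re.I)


def ext_of(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def snapshot(fs):
    """Per-file record: size, hash, extension, plus the bytes needed for content comparison."""
    return {p: {"size": len(d), "sha256": hashlib.sha256(d).hexdigest(),
                "ext": ext_of(p), "data": d} for p, d in fs.items()}


def binary_change(old, new, chunk=8):
    moved = replaced = 0
    for off in range(0, len(old) - chunk + 1, chunk):
        piece = old[off:off + chunk]
        if new[off:off + chunk] == piece:
            continue                     # unchanged at the same offset
        if piece in new:
            moved += 1                   # original data survives elsewhere in the file
        else:
            replaced += 1                # original data is gone
    return {"moved": moved, "replaced": replaced, "size_delta": len(new) - len(old)}


def inserted_tags(old, new):
    """Tags (<script>/<object>) that occur more often after the run than before."""
    before = Counter(t.lower() for t in TAG_RE.findall(old))
    after = Counter(t.lower() for t in TAG_RE.findall(new))
    return sorted(t.decode() for t in after if after[t] > before[t])


def analyze_snapshots(before_fs, after_fs):
    before, after = snapshot(before_fs), snapshot(after_fs)
    result = {"added": sorted(set(after) - set(before)),
              "deleted": sorted(set(before) - set(after)),
              "modified": {}}
    for path in sorted(set(before) & set(after)):
        o, n = before[path], after[path]
        if o["sha256"] == n["sha256"]:
            continue
        info = {"size_delta": n["size"] - o["size"]}
        if o["ext"] in ("exe", "dll"):
            info["binary"] = binary_change(o["data"], n["data"])
        elif o["ext"] in ("htm", "html"):
            info["inserted_tags"] = inserted_tags(o["data"], n["data"])
        result["modified"][path] = info
    changed = set(result["modified"]) | set(result["added"]) | set(result["deleted"])
    # Steps S802 / S810: any system file added, deleted or modified.
    result["system_file_modified"] = any(p.startswith(SYSTEM_DIR) for p in changed)
    # Steps S804 / S812: a modified probe file is the infection indicator.
    result["probe_file_modified"] = any(p.startswith(PROBE_DIR) for p in result["modified"])
    result["infecting"] = result["probe_file_modified"]
    # Steps S806 / S814: the sample's own bytes changed.
    result["self_modified"] = SAMPLE_PATH in result["modified"]
    return result


if __name__ == "__main__":
    for key, value in analyze_snapshots(BEFORE, AFTER).items():
        print(key, value)
```

The hash comparison decides whether a file changed at all; the per-type comparison then says how, which is the information the infection-mode and variant checks in the text consume. Files that only appear in the after snapshot (here a dropped DLL) are reported as additions rather than modifications.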
From the above description it can be seen that this preferred embodiment uses the API log obtained by API monitoring during dynamic execution of the sample as an analysis condition and API stream information as a virus characteristic, and uses the file content changes obtained by comparing the file snapshot information before and after the sample runs as an analysis condition and the sample file's manner and characteristics of tampering with system files or user files as a virus characteristic. The whole analysis process is fully automated and reports the above information as results automatically, so that a new virus can be identified and judged quickly and automatically, its mode of infection identified and the method of repairing the original files determined, and a dedicated removal and repair tool can then be released quickly and accurately.
Obviously, those skilled in the art should understand that each module or step of the present invention described above can be realized with a general-purpose computing device; they can be concentrated on a single computing device or distributed over a network formed by multiple computing devices; alternatively, they can be realized with program code executable by a computing device and thus stored in a storage device and executed by the computing device, or they can be made into individual integrated circuit modules, or multiple modules or steps among them can be made into a single integrated circuit module. Thus, the present invention is not restricted to any specific combination of hardware and software.
The foregoing is only the preferred embodiments of the present invention and is not intended to limit the present invention; for those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (13)

1. A file behavior analysis method, characterized by comprising:
obtaining operation record information of a sample file, the operation record information comprising at least one of: an application programming interface (API) call record of the sample file during its run, and File Snapshots before and after the sample file runs, wherein the sample file is the file to be analyzed and the File Snapshot is a snapshot of the files in the system in which the sample file resides;
obtaining, from the operation record information, operation behavior information of the sample file operating on one or more of the files in the system, so as to analyze the behavior of the sample file.
2. The method according to claim 1, characterized in that obtaining, from the operation record information, the operation behavior information of the sample file operating on one or more of the files in the system comprises:
determining, from the API call record, the one or more files operated on by the sample file;
determining the file information change of the one or more files from the comparison of the File Snapshots before and after the sample file runs;
obtaining, from the file information change, the operation behavior information of the sample file operating on the one or more files.
3. The method according to claim 1 or 2, characterized in that
the API call record comprises at least one of: API parameters, API return values, API combinations, and API streams; and/or
the operation behavior information comprises at least one of: operation type, file type, file path, infection order, mode of infection, and infection label, wherein the operation type comprises at least one of: read operation, modification operation, and comparison operation.
4. The method according to claim 2, characterized in that the file information change comprises at least one of: file path change, file hash change, file date change, file size change, executable file section information change, executable file entry point information change, executable file resource information change, file content change, change in the file list of a compressed package file, and file information change of the contained files.
5. The method according to claim 1, characterized in that, before obtaining the operation record information of the sample file, the method further comprises: placing probe files in the system, wherein a probe file is a file that simulates a user file stored by a user and is used to probe the operation behavior of the sample file, and the files in the system comprise the probe files and/or system files.
6. The method according to claim 5, characterized in that the probe files comprise at least one of: executable files, batch files, script files, text markup language files, compressed files, and office document files.
7. The method according to claim 1, 2, 4, 5 or 6, characterized in that, after obtaining from the operation record information the operation behavior information of the sample file operating on one or more of the files in the system, the method further comprises: determining from the operation behavior information whether the sample file is a virus.
8. The method according to claim 7, characterized in that the method further comprises: when the sample file is determined to be a virus, identifying the mode of infection of the sample file, and determining from the mode of infection the removal mode for the sample file and/or the reverse repair and restoration mode for the one or more files.
9. A file behavior analysis device, characterized by comprising:
an acquisition module for obtaining operation record information of a sample file, the operation record information comprising at least one of: an application programming interface (API) call record of the sample file during its run, and File Snapshots before and after the sample file runs, wherein the sample file is the file to be analyzed and the File Snapshot is a snapshot of the files in the system in which the sample file resides;
an analysis module for obtaining, from the operation record information, operation behavior information of the sample file operating on one or more of the files in the system, so as to analyze the behavior of the sample file.
10. The device according to claim 9, characterized in that the analysis module is further for determining, from the API call record, the one or more files operated on by the sample file, determining the file information change of the one or more files from the comparison of the File Snapshots before and after the sample file runs, and obtaining, from the file information change, the operation behavior information of the sample file operating on the one or more files.
11. The device according to claim 9, characterized in that the device further comprises a probe module for placing probe files in the system, wherein a probe file is a file that simulates a user file stored by a user and is used to probe the operation behavior of the sample file, and the files in the system comprise the probe files and/or system files.
12. The device according to any one of claims 9 to 11, characterized in that the device further comprises a determination module for determining from the operation behavior information whether the sample file is a virus.
13. The device according to claim 12, characterized in that the device further comprises a repair module for, when the sample file is determined to be a virus, identifying the mode of infection of the sample file, and determining from the mode of infection the removal mode for the sample file and/or the reverse repair and restoration mode for the one or more files.
CN201310263717.0A 2013-06-27 2013-06-27 File behavior analysis method and device Pending CN104252447A (en)

Publications (1)

Publication Number Publication Date
CN104252447A true CN104252447A (en) 2014-12-31

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20141231