CN105653949A - Malicious program detection method and device - Google Patents


Info

Publication number: CN105653949A
Authority: CN (China)
Legal status: Granted
Application number: CN201410653072.6A
Other languages: Chinese (zh)
Other versions: CN105653949B (en)
Inventor: 刘铸
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201410653072.6A
Publication of CN105653949A
Application granted
Publication of CN105653949B
Legal status: Active


Abstract

The invention discloses a malicious program detection method and device in the technical field of electronic information. The method and device address the low matching rate that arises, when webpage code is matched against malicious features, because webpage code can be written in many different forms. The malicious program detection method includes the following steps: acquiring the webpage code; running the webpage code and recording, through a preset program, the running code it generates; and comparing the API function sequence contained in that running code with a malicious feature sequence stored in a malicious feature library, and determining that the webpage code contains a malicious program if the number of the N API functions in the API function sequence that are identical to malicious features in the malicious feature sequence is greater than or equal to a first threshold. The method and device are used for detecting malicious programs.

Description

Malicious program detection method and device
Technical field
The present invention relates to the field of electronic information technology, and in particular to a malicious program detection method and device.
Background art
When using electronic devices, people encounter malicious programs such as Trojan horses and viruses. A webpage Trojan generally refers to a page, written by an attacker, that contains a script with a specific function, intended to steal user information, interfere with the user's use of the browser, or obtain the user's operating privileges. Some malicious programs are obfuscated in the webpage in order to evade detection. Obfuscation mainly consists of encoding the script with a specific algorithm, fragmenting the code (splitting it and distributing the pieces across different webpages or into images), and inserting junk code, so that the original script code becomes hard to recognize and thereby evades detection.
In this document, the code obtained by obfuscation, before de-obfuscation, is defined as webpage source code, and the code obtained after de-obfuscating the webpage source code is called webpage code. In the prior art, a JS (JavaScript) engine is used to de-obfuscate the webpage source code: the obfuscated script code is extracted from the webpage source code and de-obfuscated to generate the corresponding webpage code, and the webpage code is then matched against the malicious features in a malicious feature library; if the match succeeds, the webpage code is shown to contain malicious program code. However, because webpage code can be written in many forms, the matching rate when webpage code is compared with malicious features is low.
Summary of the invention
Embodiments of the present invention provide a malicious program detection method and device, which can solve the problem in the prior art that, because de-obfuscated webpage code can be written in many forms, the matching rate when webpage code is matched against malicious features is low.
To achieve the above object, embodiments of the present invention adopt the following technical scheme:
In a first aspect, a malicious program detection method is provided, comprising:
acquiring webpage code;
running the webpage code and recording the running code through a preset program, where the running code is the code generated when the webpage code runs, the running code comprises an application programming interface (API) function sequence, the API function sequence comprises N API functions, and N is a positive integer;
comparing the API function sequence with a malicious feature sequence stored in a malicious feature library and, if the number of the N API functions in the API function sequence that are identical to malicious features in the malicious feature sequence is greater than or equal to a first threshold, confirming that the webpage code contains a malicious program.
With reference to the first aspect, in a first possible implementation of the first aspect,
confirming that the webpage code contains a malicious program if the number of the N API functions in the API function sequence that are identical to malicious features in the malicious feature sequence is greater than or equal to the first threshold comprises:
if M API functions among the N API functions are respectively identical to M malicious features in the malicious feature sequence, and the order of the M API functions in the API function sequence is the same as the order of the M malicious features in the malicious feature sequence, confirming that the webpage code contains a malicious program, where M is an integer, M is greater than or equal to the first threshold, and M is less than or equal to N.
With reference to the first aspect or its first possible implementation, in a second possible implementation of the first aspect,
the webpage code comprises at least one label, a label comprises at least one API function, and the at least one label corresponds to the N API functions;
running the webpage code and recording the running code through a preset program comprises:
calling the N API functions according to the at least one label in the webpage code, and obtaining information about the N API functions, where the information about the N API functions comprises the names and the attributes of the N API functions;
combining the information about the N API functions into the API function sequence.
With reference to the first aspect or any of the above possible implementations of the first aspect, in a third possible implementation of the first aspect,
the webpage code comprises static code and dynamic code: code whose data structure does not change after the webpage code is parsed is static code, and code whose data structure changes after the webpage code is parsed is dynamic code.
With reference to the first aspect or any of the above possible implementations of the first aspect, in a fourth possible implementation of the first aspect,
the malicious feature library comprises at least one malicious feature sequence, and a malicious feature sequence comprises at least one malicious feature;
comparing the API function sequence with the malicious feature sequence stored in the malicious feature library specifically comprises:
comparing whether the name of the n-th API function among the N API functions of the API function sequence is identical to the name of the n-th malicious feature of the malicious feature sequence, and comparing whether the number of identical attributes between the attributes of the n-th API function and the attributes of the n-th malicious feature exceeds a second threshold;
based on a comparison result that the name of the n-th API function among the N API functions of the API function sequence is identical to the name of the n-th malicious feature of the malicious feature sequence, and that the number of identical attributes between the attributes of the n-th API function and the attributes of the n-th malicious feature exceeds the second threshold, determining that the n-th API function is identical to the n-th malicious feature in the malicious feature sequence, where n is an integer in the interval (0, N].
With reference to the first aspect or any of the above possible implementations of the first aspect, in a fifth possible implementation of the first aspect,
the malicious feature sequence in the malicious feature library comprises behaviour sequence number (sid) information, order information and verdict information. The sid information defines the position of a malicious feature in the malicious feature sequence; the order information defines the order used when comparing malicious features, where true means ordered comparison and false means unordered comparison; and the verdict information indicates whether a given feature is a malicious feature, where suspect means it is not a malicious feature and malicious means it is.
With reference to the first aspect or any of the above possible implementations of the first aspect, in a sixth possible implementation of the first aspect,
comparing the API function sequence with the malicious feature sequence stored in the malicious feature library comprises:
comparing in string mode using the three parameters equal, ic-equal (ignore case) and regex (regular expression); or comparing in integer mode or length mode using the three parameters greater, equal and less. Here equal means the compared parameter equals a preset threshold, ic-equal means the compared parameter equals the preset threshold ignoring case, regex means the parameter is compared by way of a regular expression, greater means the compared parameter is greater than the preset threshold, and less means the compared parameter is less than the preset threshold.
With reference to the first aspect or any of the above possible implementations of the first aspect, in a seventh possible implementation of the first aspect,
acquiring webpage code comprises:
acquiring webpage source code;
de-obfuscating the webpage source code to generate the webpage code.
In a second aspect, the present invention provides a detection device, comprising:
an acquisition module, configured to acquire webpage code;
a running module, configured to run the webpage code and record the running code through a preset program, where the running code is the code generated when the webpage code runs, the running code comprises an application programming interface (API) function sequence, the API function sequence comprises N API functions, and N is a positive integer;
a comparison module, configured to compare the API function sequence with a malicious feature sequence stored in a malicious feature library and, if the number of the N API functions in the API function sequence that are identical to malicious features in the malicious feature sequence is greater than or equal to a first threshold, confirm that the webpage code contains a malicious program.
With reference to the second aspect, in a first possible implementation of the second aspect,
the comparison module is further configured to confirm that the webpage code contains a malicious program if M API functions among the N API functions are respectively identical to M malicious features in the malicious feature sequence and the order of the M API functions in the API function sequence is the same as the order of the M malicious features in the malicious feature sequence, where M is an integer, M is greater than or equal to the first threshold, and M is less than or equal to N.
With reference to the second aspect or its first possible implementation, in a second possible implementation of the second aspect,
the webpage code comprises at least one label, a label comprises at least one API function, and the at least one label corresponds to the N API functions;
the running module is further configured to call the N API functions according to the at least one label in the webpage code, obtain information about the N API functions, where the information comprises the names and the attributes of the N API functions, and combine the information about the N API functions into the API function sequence.
With reference to the second aspect or any of the above possible implementations of the second aspect, in a third possible implementation of the second aspect,
the malicious feature library comprises at least one malicious feature sequence, and a malicious feature sequence comprises at least one malicious feature;
the comparison module is further configured to compare whether the name of the n-th API function among the N API functions of the API function sequence is identical to the name of the n-th malicious feature of the malicious feature sequence, compare whether the number of identical attributes between the attributes of the n-th API function and the attributes of the n-th malicious feature exceeds a second threshold, and, based on a comparison result that the names are identical and the number of identical attributes exceeds the second threshold, determine that the n-th API function is identical to the n-th malicious feature in the malicious feature sequence, where n is an integer in the interval (0, N].
With reference to the second aspect or any of the above possible implementations of the second aspect, in a fourth possible implementation of the second aspect,
the acquisition module is further configured to acquire webpage source code and de-obfuscate the webpage source code to generate the webpage code.
The malicious program detection method and device provided by the embodiments of the present invention acquire webpage code, run the webpage code and record the running code through a preset program, where the running code comprises an API function sequence, compare the API function sequence with a malicious feature sequence stored in a malicious feature library and, if the number of the N API functions in the API function sequence that are identical to malicious features in the malicious feature sequence is greater than or equal to a first threshold, confirm that the webpage code contains a malicious program. In this way, the webpage code is first run by the preset program, which produces no execution result but records the running code generated as the webpage code runs; webpage code that has the same function but is written in different forms calls the same API functions at run time, so the form of the recorded running code is the same in every case. The N API functions in the running code are then compared with the malicious features in the malicious feature sequence. In the prior art the webpage code itself is compared with the malicious feature sequence, and because webpage code is written in many forms, malicious feature sequences may be extracted incompletely and some may not be stored in the malicious feature library. The present invention instead directly compares the sequence of basic API functions called by the webpage code with the malicious feature sequence: however the webpage code is written, as long as it implements the same function, the basic API function sequence it calls is the same. This solves the problem in the prior art that, because webpage code has many written forms and malicious feature sequences may be extracted incompletely, the matching rate when webpage code is matched against malicious features is low.
Brief description of the drawings
To illustrate the technical schemes of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a malicious program detection method provided by an embodiment of the present invention;
Fig. 2 is a flowchart of another malicious program detection method provided by an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a detection device provided by an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a detection device provided by another embodiment of the present invention.
Detailed description of embodiments
The technical schemes in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
An embodiment of the present invention provides a malicious program detection method, applied to the detection of malicious programs obfuscated in webpage code. It is described using a webpage Trojan as an example, which does not mean that the present invention is limited to this. When a user browses webpages with an electronic device, the device is often attacked by webpage Trojans, which threaten the user's information security. The electronic device may be a computer or a mobile phone; the present invention does not specifically limit this. In most cases a webpage Trojan is obfuscated in the webpage code: obfuscation changes the grammatical features of the webpage code and hides the logical relationships inside it, so as to evade detection.
As shown in Fig. 1, the malicious program detection method provided by an embodiment of the present invention comprises the following steps:
S101: acquire webpage code.
Optionally, for a webpage in which the malicious program has not been obfuscated, the webpage code can be obtained directly from the webpage; for a webpage in which the malicious program has been obfuscated, the webpage source code is obtained first and then de-obfuscated to obtain the webpage code.
S102: run the webpage code and record the running code through a preset program.
Here the running code is the code generated when the webpage code runs; it comprises an API (Application Programming Interface) function sequence, the API function sequence comprises N API functions, and N is a positive integer.
Optionally, the preset program can be a Hook program; hooking is a technique for changing the execution result of an API function sequence. Specifically, by running the Hook program, the M1 API functions called by the nodes of the DOM structure when WebCore loads it and the M2 API functions called when JavaScriptCore runs the dynamic code are intercepted, and the information about the N API functions is recorded, so that running the webpage code produces no execution result but the running code generated as it runs is recorded. Webpage code that has the same function but is written in different forms calls the same API functions at run time, so the form of the recorded running code is the same in every case; comparing this running code with the malicious features in the malicious feature library therefore raises the match success rate.
S103: compare the API function sequence with the malicious feature sequence stored in the malicious feature library.
The malicious feature library stores malicious feature sequences, and common malicious feature sequences can be stored in it. The malicious feature library comprises at least one malicious feature sequence, and a malicious feature sequence comprises at least one malicious feature. Specifically, the API function sequence is compared with the malicious feature sequence stored in the malicious feature library, and if the number of the N API functions in the API function sequence that are identical to malicious features in the malicious feature sequence is greater than or equal to the first threshold, it is confirmed that the webpage code contains a malicious program. Optionally, the first threshold can be preset according to the actual situation; the present invention does not limit its specific value.
The malicious program detection method provided by this embodiment acquires webpage code, runs it and records the running code through a preset program, where the running code comprises an API function sequence, compares the API function sequence with the malicious feature sequence stored in the malicious feature library and, if the number of the N API functions that are identical to malicious features in the malicious feature sequence is greater than or equal to the first threshold, confirms that the webpage code contains a malicious program. In this way, the webpage code is first run by the preset program, which produces no execution result but records the running code generated as the webpage code runs; webpage code with the same function but different written forms calls the same API functions at run time, so the form of the recorded running code is the same in every case, and the N API functions in the running code are then compared with the malicious features in the malicious feature sequence. Compared with the prior art, there is no need to match against malicious features extracted from the many webpage codes that have the same function but different written forms, which improves matching efficiency.
In the prior art the webpage code to be detected is compared with malicious features, and because webpage code is written in many forms, the samples collected when building the malicious features in the library, covering webpage code with the same function but different written forms, may be incomplete; the malicious features of the webpage code may therefore be extracted incompletely, some malicious features may not be stored in the library, and missed detections or poor recall result. The present invention instead directly compares the basic API function sequence called by the webpage code with the malicious feature sequence: however the webpage code is written, as long as it implements the same function, the basic API function sequence it calls is the same, which also improves detection accuracy.
Based on the embodiment corresponding to Fig. 1, an embodiment of the present invention provides another malicious program detection method; as shown in Fig. 2, the method can comprise:
S201: acquire webpage source code.
Optionally, the webpage source code can be obtained from the webpage. Optionally, the code in which a malicious program has been obfuscated is defined as webpage source code, and the code obtained after de-obfuscating the webpage source code is defined as webpage code. Obfuscation mainly consists of encoding the script with a specific algorithm, fragmenting the code (splitting it and distributing the pieces across different webpages or into images), and inserting junk code, so that the original script code becomes hard to recognize and thereby evades detection.
S202: de-obfuscate the webpage source code to generate webpage code.
Optionally, since most malicious programs are obfuscated in the webpage, a de-obfuscation technique is usually applied to the webpage source code during malicious program detection to generate the webpage code. Not all malicious programs are obfuscated in the webpage, however; for a webpage in which the malicious program has not been obfuscated, the webpage code can be obtained directly from the webpage.
Specifically, de-obfuscating the webpage source code applies a specific algorithm to recover the code as it was before obfuscation, i.e. the webpage code. The webpage code can comprise static code and dynamic code: code whose data structure does not change after the webpage code is parsed is static code, and code whose data structure changes after the webpage code is parsed is dynamic code.
Optionally, the webpage code can comprise at least one label, a label comprises at least one API (Application Programming Interface) function, and the at least one label corresponds to the N API functions. For static code, a label can be an encapsulated malicious feature; for dynamic code, a label can be an encapsulated function.
S203: run the webpage code and record the running code through a preset program.
Here the running code is the code generated when the webpage code runs; it comprises an application programming interface (API) function sequence, the API function sequence comprises N API functions, and N is a positive integer.
Optionally, running the webpage code comprises parsing the webpage code, calling the N API functions through the labels contained in the webpage code, and obtaining the information about the API functions.
In general, the webpage code can be handed to WebKit (an open-source browser engine) for parsing. In WebKit, the webpage code is parsed mainly by WebCore (the web page core) and JavaScriptCore (the JavaScript core): WebCore is mainly responsible for parsing the static code and JavaScriptCore for parsing the dynamic code. Both static code and dynamic code contain at least one label, and a label comprises at least one API function.
Optionally, after WebCore parses the static code, the M1 API functions called by the nodes of the resulting DOM (Document Object Model) structure are obtained, together with the information about these M1 API functions. The information about an API function comprises its name and its attributes. Specifically, the DOM structure can comprise nodes, and the node information comprises Document API functions, Element API functions and CharacterData API functions.
The API functions called by a node can comprise:
Node API functions, which define the type and role of each node;
Document API functions, which define the operations that modify the DOM document structure;
Element API functions, which define HTML (HyperText Markup Language) elements;
CharacterData API functions, which process text content labels and comment content labels.
In addition, optionally, JavaScriptCore can call M2 API functions according to the at least one label in the dynamic code and obtain the information about these M2 API functions. For dynamic code, a label can be an encapsulated function made up of at least one API function, and the information about an API function comprises its name and its attributes. Further optionally, if the dynamic code, during parsing, affects the M1 API functions corresponding to the static code, the names and attributes of those M1 API functions are modified and the static code is parsed again by WebCore, so that the API functions actually called by the nodes of the DOM structure, and their information, are obtained. Here M1 + M2 = N.
The information about the N API functions is then combined into the API function sequence.
Optionally, the preset program can be a Hook program; hooking is a technique for changing the execution result of an API (Application Programming Interface) function. Specifically, by running the Hook program, the M1 API functions called by the nodes of the DOM structure when WebCore loads it and the M2 API functions called when JavaScriptCore runs the dynamic code are intercepted, and the information about the N API functions is recorded, so that running the webpage code produces no execution result but the running code generated as it runs is recorded. Webpage code that has the same function but is written in different forms calls the same API functions at run time, so the form of the recorded running code is the same in every case. This solves the problem in the prior art that, because webpage code has many written forms, one malicious feature sequence corresponds to several different written forms of webpage code when webpage code is matched against malicious features, so that matching is incomplete.
The running code describes an attribute, a function and a node respectively; after the Hook program has run, the running code is normalized in form. For example, an attribute in the running code:
shellcode=unescape('%u9090%ue8fc...');
becomes, as running code after the Hook program has run:
FUNC:unescape('%u9090%ue8fc...');
ATTR:DOMWindow.shellcode=x90 x90 x90 x90 xfc xe8;
A function:
document.write('<table style=position:absolute; clip:rect(0)>');
becomes, as running code after the Hook program has run:
FUNC:HTMLDocument.write(<table style=position:absolute; clip:rect(0)>);
A node:
<table style="position:absolute; clip:rect(0)">;
becomes, as running code after the Hook program has run:
Table(style=position:absolute; clip:rect(0));
S204: compare the API function sequence with the malicious feature sequences stored in the malicious feature library.
The malicious feature library stores malicious feature sequences; common malicious feature sequences can be stored in it. A malicious feature sequence is obtained by parsing identified malicious program code and taking the sequence of API functions called during that parsing as the malicious feature sequence. The library contains at least one malicious feature sequence, and a malicious feature sequence contains at least one malicious feature. The malicious feature sequence information in the library is usually stored in XML (Extensible Markup Language) form. Before the comparison, the malicious feature sequences can be classified, because data of different classes are compared in different ways.
Optionally, a malicious feature sequence in the library can contain sid (behaviour sequence number) information, order information and verdict information. sid defines the position of the malicious feature in the malicious feature sequence; numbering can start from 1, and the present invention does not restrict this. order defines whether the malicious features are compared in order: true means ordered comparison and false means unordered comparison; ordered comparison is usually the default. verdict states whether a feature is malicious: suspect (suspicious) means it is not a malicious feature, malicious means it is. Optionally, a preset value can be defined; when the value is exceeded the feature is malicious, and when it is below the preset value the feature is not.
Optionally, the information of a malicious feature in the library can contain name information, icase (exact-case match switch) information, type information, index information and types information. name defines the name of the concrete malicious feature. icase indicates whether case is ignored during the comparison: true means case is ignored, false means it is not; the default is false. type defines the type of name; the default type is function, meaning that name is a function name. index identifies the sequence number of a function parameter, counting from 1 (it need not start from 1; the present invention does not restrict this). types indicates the parameter type used in the comparison: string means comparison as a character string, integer means numeric comparison, and length means comparison of the string length; the default is string. Which comparison mode is chosen for a given malicious feature is not limited by the present invention.
Optionally, the malicious feature library can also contain a root node. Specifically, the information of the root node can contain enable (permission) information and log information. enable indicates whether malicious feature comparison is performed: true means it is, false means it is not. log indicates whether output is written: true means output, false means no output. The present invention does not restrict these.
When the comparison for matching a malicious feature sequence is made in string mode, it can use one of three parameters: equal, ic-equal (ignore case) and regex (regular expression). When the comparison is made in integer mode or length mode, it can use the three parameters greater, equal and less. equal means the compared parameter equals the preset threshold, ic-equal means it equals the preset threshold with case ignored, regex means comparison by regular expression, greater means the compared parameter is greater than the preset threshold, and less means it is less than the preset threshold.
Optionally, the malicious feature sequence for a given API function sequence is written as described below.
For example, for the API function sequence:
HTMLDocument.write(<table style=position:absolute; clip:rect(0)>);
the malicious feature sequence can be written as:
<methods sid=1 order=true verdict=malicious>
  <method name='HTMLDocument.write'
          type='function'>
    <argument index='1' type='string' compare='ic-equal'>
      <![CDATA[<table style=position:absolute; clip:rect(0)>]]>
    </argument>
  </method>
</methods>
Optionally, the API function sequence is compared with the malicious feature sequences stored in the malicious feature library, and if the number of the N API functions in the API function sequence that are identical to malicious features in a malicious feature sequence is greater than or equal to a first threshold, it is confirmed that the webpage code contains a malicious program.
Optionally, if M of the N API functions are respectively identical to M malicious features in the malicious feature sequence, and the order of those M API functions in the API function sequence is the same as the order of the M malicious features in the malicious feature sequence, it is confirmed that the webpage code contains a malicious program, where M is an integer, M is greater than or equal to the first threshold and M is less than or equal to N. Optionally, the first threshold can be set in advance according to the actual situation; the present invention does not limit its concrete value.
Further optionally, comparing the API function sequence with the malicious feature sequence stored in the malicious feature library can comprise: if the name of the n-th API function among the N API functions in the API function sequence is identical to the name of a malicious feature in the malicious feature sequence, and the number of identical attributes between the attributes of the n-th API function and the attributes of that malicious feature is greater than or equal to a second threshold, then the n-th API function is identical to that malicious feature of the malicious feature sequence, where n is an integer in the interval (0, N]. Optionally, the second threshold can be set in advance according to the actual situation; the present invention does not limit its concrete value.
In the malicious program detection method provided by the embodiment of the present invention, the webpage code is obtained, the webpage code is run and the operation code is recorded by the preset program, the operation code contains the API function sequence, the API function sequence is compared with the malicious feature sequences stored in the malicious feature library, and if the number of the N API functions in the API function sequence that are identical to malicious features in a malicious feature sequence is greater than or equal to the first threshold, it is confirmed that the webpage code contains a malicious program. In this way, the webpage code is first run by the preset program without generating an execution result, and the operation code generated while it runs is recorded; webpage code that has the same function but is written in a different form calls the same API functions at run time, so the generated operation code has the same form; afterwards the N API functions in the operation code are compared with the malicious features of the malicious feature sequence. The prior art compares the webpage code itself with the malicious feature sequence, and since webpage code can be written in many forms, malicious feature sequences may be extracted incompletely and some may not be stored in the malicious feature library. The present invention instead compares the basic API function sequence called by the webpage code directly with the malicious feature sequence: however the webpage code is written, as long as it realises the same function the basic API function sequence it calls is the same, which solves the prior-art problem of a low matching rate in the matching of webpage code against malicious features caused by the many written forms of webpage code and the incomplete extraction of malicious feature sequences.
Based on the embodiments corresponding to Fig. 1 and Fig. 2 above, an embodiment of the present invention provides a detection device 30 for performing the malicious program detection method described in the embodiments corresponding to Fig. 1 and Fig. 2. As shown in Fig. 3, the detection device 30 comprises:
An acquisition module 301, for obtaining webpage code.
A running module 302, for running the webpage code and recording operation code by means of a preset program, where the operation code is the code generated while the webpage code runs, the operation code contains an application programming interface (API) function sequence, the API function sequence contains N API functions, and N is a positive integer.
A comparison module 303, for comparing the API function sequence with the malicious feature sequences stored in the malicious feature library and, if the number of the N API functions in the API function sequence that are identical to malicious features in a malicious feature sequence is greater than or equal to a first threshold, confirming that the webpage code contains a malicious program.
Optionally, the comparison module 303 is further for confirming that the webpage code contains a malicious program if M of the N API functions are respectively identical to M malicious features in the malicious feature sequence and the order of the M API functions in the API function sequence is the same as the order of the M malicious features in the malicious feature sequence, where M is an integer, M is greater than or equal to the first threshold and M is less than or equal to N.
Optionally, the webpage code contains at least one tag, a tag contains at least one API function, and the at least one tag corresponds to the N API functions.
The running module 302 is further for calling the N API functions according to the at least one tag in the webpage code, obtaining the information of the N API functions, the information of the N API functions consisting of the names of the N API functions and the attributes of the N API functions, and combining the information of the N API functions into the API function sequence.
Optionally, the malicious feature library contains at least one malicious feature sequence, and a malicious feature sequence contains at least one malicious feature.
The comparison module 303 is further for comparing whether the name of the n-th API function among the N API functions in the API function sequence is identical to the name of the n-th malicious feature in the malicious feature sequence, and whether the number of identical attributes between the attributes of the n-th API function and the attributes of the n-th malicious feature exceeds a second threshold, and, based on the comparison result that the name of the n-th API function is identical to the name of the n-th malicious feature and the number of identical attributes between their attributes exceeds the second threshold, determining that the n-th API function is identical to the n-th malicious feature in the malicious feature sequence, where n is an integer in the interval (0, N].
Optionally, the acquisition module 301 is further for obtaining webpage source code and de-obfuscating the webpage source code to generate the webpage code.
In the detection device provided by the embodiment of the present invention, the acquisition module obtains the webpage code, the running module runs the webpage code and records the operation code by means of the preset program, the operation code being the code generated while the webpage code runs, and the comparison module compares the API function sequence with the malicious feature sequences stored in the malicious feature library; if the number of the N API functions in the API function sequence that are identical to malicious features in a malicious feature sequence is greater than or equal to the first threshold, it is confirmed that the webpage code contains a malicious program. In this way, the webpage code is first run by the preset program without generating an execution result, and the operation code generated while it runs is recorded; webpage code that has the same function but is written in a different form calls the same API functions at run time, so the generated operation code has the same form; afterwards the N API functions in the operation code are compared with the malicious features of the malicious feature sequence. The prior art compares the webpage code itself with the malicious feature sequence, and since webpage code can be written in many forms, malicious feature sequences may be extracted incompletely and some may not be stored in the malicious feature library. The present invention instead compares the basic API function sequence called by the webpage code directly with the malicious feature sequence: however the webpage code is written, as long as it realises the same function the basic API function sequence it calls is the same, which solves the prior-art problem of a low matching rate in the matching of webpage code against malicious features caused by the many written forms of webpage code and the incomplete extraction of malicious feature sequences.
Based on the embodiments corresponding to Fig. 1 and Fig. 2 above, another embodiment of the present invention provides a detection device 40 for performing the malicious program detection method described in the embodiments corresponding to Fig. 1 and Fig. 2. With reference to Fig. 4, the detection device 40 comprises at least one processor 401, a memory 402 and a bus 403; the at least one processor 401 and the memory 402 are connected through the bus 403 and communicate with each other.
The bus 403 can be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus or the like. The bus 403 can be divided into an address bus, a data bus, a control bus and so on. For ease of representation, Fig. 4 shows it as a single thick line, which does not mean that there is only one bus or only one type of bus. Here:
The memory 402 is for storing the application program code that executes the solution of the present invention; the application program code executing the solution of the present invention is saved in the memory, and its execution is controlled by the processor 401.
The memory can be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a CD-ROM or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and so on), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store the desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited to these. These memories are connected to the processor through the bus.
The processor 401 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
The processor 401 is for calling the program code in the memory 402; in one possible implementation, when the above application program is executed by the processor 401, the following functions are realised.
The processor 401 is for obtaining webpage code, running the webpage code and recording operation code by means of a preset program, where the operation code is the code generated while the webpage code runs, the operation code contains an application programming interface (API) function sequence, the API function sequence contains N API functions and N is a positive integer, comparing the API function sequence with the malicious feature sequences stored in the malicious feature library and, if the number of the N API functions in the API function sequence that are identical to malicious features in a malicious feature sequence is greater than or equal to a first threshold, confirming that the webpage code contains a malicious program.
Optionally, in one application scenario, the processor 401 is further for confirming that the webpage code contains a malicious program if M of the N API functions are respectively identical to M malicious features in the malicious feature sequence and the order of the M API functions in the API function sequence is the same as the order of the M malicious features in the malicious feature sequence, where M is an integer, M is greater than or equal to the first threshold and M is less than or equal to N.
Optionally, the webpage code contains at least one tag, a tag contains at least one API function, and the at least one tag corresponds to the N API functions.
The processor 401 is further for calling the N API functions according to the at least one tag in the webpage code, obtaining the information of the N API functions, the information of the N API functions consisting of the names of the N API functions and the attributes of the N API functions, and combining the information of the N API functions into the API function sequence.
Optionally, the malicious feature library contains at least one malicious feature sequence, and a malicious feature sequence contains at least one malicious feature.
The processor 401 is further for comparing whether the name of the n-th API function among the N API functions in the API function sequence is identical to the name of the n-th malicious feature in the malicious feature sequence, and whether the number of identical attributes between the attributes of the n-th API function and the attributes of the n-th malicious feature exceeds a second threshold, and, based on the comparison result that the name of the n-th API function is identical to the name of the n-th malicious feature and the number of identical attributes between their attributes exceeds the second threshold, determining that the n-th API function is identical to the n-th malicious feature in the malicious feature sequence, where n is an integer in the interval (0, N].
Optionally, the processor 401 is further for obtaining webpage source code and de-obfuscating the webpage source code to generate the webpage code.
In the detection device provided by the embodiment of the present invention, the processor obtains the webpage code, runs the webpage code and records the operation code by means of the preset program, the operation code being the code generated while the webpage code runs, and then compares the API function sequence with the malicious feature sequences stored in the malicious feature library; if the number of the N API functions in the API function sequence that are identical to malicious features in a malicious feature sequence is greater than or equal to the first threshold, it is confirmed that the webpage code contains a malicious program. In this way, the webpage code is first run by the preset program without generating an execution result, and the operation code generated while it runs is recorded; webpage code that has the same function but is written in a different form calls the same API functions at run time, so the generated operation code has the same form; afterwards the N API functions in the operation code are compared with the malicious features of the malicious feature sequence. The prior art compares the webpage code itself with the malicious feature sequence, and since webpage code can be written in many forms, malicious feature sequences may be extracted incompletely and some may not be stored in the malicious feature library. The present invention instead compares the basic API function sequence called by the webpage code directly with the malicious feature sequence: however the webpage code is written, as long as it realises the same function the basic API function sequence it calls is the same, which solves the prior-art problem of a low matching rate in the matching of webpage code against malicious features caused by the many written forms of webpage code and the incomplete extraction of malicious feature sequences.
In the several embodiments provided by this application, it should be understood that the disclosed system, device and method may be realised in other ways. For example, the device embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in actual implementation, for instance several units or components may be combined or integrated into another system, or some features may be ignored or not performed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual need to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing unit, each unit may exist physically on its own, or two or more units may be integrated in one unit. The integrated unit may be realised in the form of hardware or in the form of hardware plus software functional units.
An integrated unit realised in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and comprises several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform some of the steps of the methods described in the embodiments of the present invention. The storage medium includes various media that can store program code, such as a USB flash disk, a portable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the preceding embodiments, those skilled in the art will understand that the technical solutions described in the preceding embodiments can still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not make the essence of the corresponding technical solution depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. a malware detection methods, it is characterised in that, the method comprises:
Obtain webpage code;
Run described webpage code and by pre-set programs record operation code, described operation code is the code that described webpage code operationally generates, described operation code comprises application programming interfaces api function sequence, and described api function sequence comprises N number of api function of order arrangement, and N is positive integer;
Described api function sequence and the malice characteristic sequence being stored in malice feature database are compared, if the similarity degree of described api function sequence and described malice characteristic sequence meets pre-defined rule, then confirms described webpage code comprises malice program.
2. method according to claim 1, it is characterised in that, described pre-defined rule comprises:
There is M api function in described api function sequence, each api function in described M api function is identical with the malice feature on same sorting position in described malice characteristic sequence, wherein M is integer, and M is more than or equal to the first threshold value, and M is less than or equals N.
3. method according to claim 1, it is characterised in that,
Described webpage code comprises at least one label, and a label comprises at least one api function, the corresponding described N number of api function of at least one label described;
The described webpage code of described operation and by pre-set programs record operation code, comprising:
According at least one label described in described webpage code, call described N number of api function, and obtain the information of described N number of api function, the title of N number of api function described in the information of described N number of api function and the attribute of described N number of api function;
The information sets of described N number of api function is synthesized described api function sequence.
4. method according to claim 3, it is characterised in that,
Described malice feature database comprises at least one malice characteristic sequence, and a malice characteristic sequence comprises at least one malice feature;
Described by described api function sequence and be stored in malice feature database in malice characteristic sequence compare, be specially:
In N number of api function that relatively described api function sequence comprises, whether the title of the n-th malice feature that the title of the n-th api function and described malice characteristic sequence comprise is identical, and in the attribute of the attribute and described n-th comparing the api function that described n-th api function comprises maliciously feature, whether the quantity of same alike result exceedes Second Threshold;
Title based on the n-th api function in N number of api function that described api function sequence comprises is identical with the title of the n-th malice feature that described malice characteristic sequence comprises, and the quantity of same alike result exceedes the comparative result of described Second Threshold in the attribute of the attribute of api function that comprises of described n-th api function and described n-th malice feature, determine that described n-th api function is identical with the n-th malice feature in described malice characteristic sequence, wherein, n be interval (0, N] in integer.
5. method according to the arbitrary item of claim 1-4, it is characterised in that, described acquisition webpage code, comprising:
Obtain web page source code;
Described web page source code is carried out solution and obscures the described webpage code of generation.
6. a detection device, it is characterised in that, comprising:
Acquisition module, for obtaining webpage code;
Run module, for run described webpage code and by pre-set programs record operation code, described operation code is the code that described webpage code operationally generates, described operation code comprises application programming interfaces api function sequence, described api function sequence comprises N number of api function, and N is positive integer;
Contrast module, for described api function sequence and the malice characteristic sequence being stored in malice feature database are compared, if the quantity that described N number of api function that described api function sequence comprises is identical with the malice feature in described malice characteristic sequence is more than or equal to the first threshold value, then confirm described webpage code comprises malice program.
7. detection device according to claim 6, it is characterised in that,
Described contrast module, if it is also identical with in described malice characteristic sequence M malice feature respectively for M api function in described N number of api function, and described M api function putting in order in described api function sequence is identical with described M malice feature putting in order in described malice characteristic sequence, then confirm described webpage code comprises malice program, M is integer, and M is more than or equal to the first threshold value, M is less than or equals N.
8. detection device according to claim 6, it is characterised in that,
Described webpage code comprises at least one label, and a label comprises at least one api function, the corresponding described N number of api function of at least one label described;
Described operation module, also for according at least one label described in described webpage code, call described N number of api function, and obtain the information of described N number of api function, the title of N number of api function described in the information of described N number of api function and the attribute of described N number of api function, and respectively by the information sets described N number of api function sequence of synthesis of described N number of api function.
9. The detection device according to claim 8, characterized in that
the malicious feature library comprises at least one malicious feature sequence, and a malicious feature sequence comprises at least one malicious feature;
the contrast module is further configured to compare whether the name of the n-th API function among the N API functions in the API function sequence is identical to the name of the n-th malicious feature in the malicious feature sequence, and whether the number of identical attributes between the attributes of the n-th API function and the attributes of the n-th malicious feature exceeds a second threshold, and, based on a comparison result that the name of the n-th API function is identical to the name of the n-th malicious feature and that the number of identical attributes between the attributes of the n-th API function and the attributes of the n-th malicious feature exceeds the second threshold, to determine that the n-th API function is identical to the n-th malicious feature in the malicious feature sequence, where n is an integer in the interval (0, N].
10. The detection device according to any one of claims 6 to 9, characterized in that
the acquisition module is further configured to obtain webpage source code and to de-obfuscate the webpage source code to generate the webpage code.
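The comparison that claims 6 to 9 describe, as an added example that is not the patent's own code: a recorded API function sequence (names plus attributes) is compared with a library feature sequence position by position (claims 6 and 9), and separately with the order-preserving match of claim 7, which is realized here as a longest-common-subsequence count. The API names, attribute dictionaries, sample sequences and thresholds are constructed for illustration and do not come from the patent.

```python
from dataclasses import dataclass, field
@dataclass
class ApiCall:  # one API function as recorded at run time: name plus call attributes
    name: str
    attrs: dict = field(default_factory=dict)

def same_function(call, feature, second_threshold):
    """Claim 9: names equal and the number of identical attributes exceeds the second threshold."""
    if call.name != feature.name:
        return False
    shared = sum(1 for k, v in call.attrs.items() if feature.attrs.get(k) == v)
    return shared > second_threshold

def count_matches(api_seq, mal_seq, second_threshold):
    """Claims 6 and 9: the n-th API function is compared with the n-th malicious feature."""
    return sum(same_function(a, m, second_threshold) for a, m in zip(api_seq, mal_seq))

def ordered_matches(api_seq, mal_seq, second_threshold):
    """Claim 7: M = largest number of matches that keep their order in both sequences (LCS)."""
    n, k = len(api_seq), len(mal_seq)
    dp = [[0] * (k + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        for j in range(1, k + 1):
            if same_function(api_seq[i - 1], mal_seq[j - 1], second_threshold):
                dp[i][j] = dp[i - 1][j - 1] + 1
            else:
                dp[i][j] = max(dp[i - 1][j], dp[i][j - 1])
    return dp[n][k]

def is_malicious(api_seq, library, first_threshold, second_threshold, ordered):
    """Flag the page if any feature sequence in the library reaches the first threshold."""
    score = ordered_matches if ordered else count_matches
    return any(score(api_seq, m, second_threshold) >= first_threshold for m in library)

# Constructed sample data (hypothetical, not from the patent): a library entry for a
# hidden-iframe injection pattern and two recorded run-time API sequences.
MALICIOUS_SEQ = [
    ApiCall("createElement", {"tag": "iframe", "doc": "main"}),
    ApiCall("setAttribute", {"name": "width", "value": "0"}),
    ApiCall("setAttribute", {"name": "height", "value": "0"}),
    ApiCall("appendChild", {"parent": "body", "child": "iframe"}),
]
LIBRARY = [MALICIOUS_SEQ]
RECORDED_SUSPECT = [  # same pattern, but one unrelated call shifts every later position
    ApiCall("createElement", {"tag": "iframe", "doc": "main"}),
    ApiCall("getElementById", {"id": "main"}),
    ApiCall("setAttribute", {"name": "width", "value": "0"}),
    ApiCall("setAttribute", {"name": "height", "value": "0"}),
    ApiCall("appendChild", {"parent": "body", "child": "iframe"}),
]
RECORDED_BENIGN = [ApiCall("createElement", {"tag": "div", "doc": "main"}),
                   ApiCall("appendChild", {"parent": "body", "child": "div"})]
```

With a first threshold of 3 and a second threshold of 1, the position-by-position comparison of claim 6 scores the suspect sequence only 1 because the extra call shifts the later positions, while the order-preserving comparison of claim 7 scores it 4 and flags it; the benign sequence is flagged by neither.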
CN201410653072.6A 2014-11-17 2014-11-17 A kind of malware detection methods and device Active CN105653949B (en)

Publications (2)

Publication Number Publication Date
CN105653949A (en) 2016-06-08
CN105653949B (en) 2019-06-21

Family

ID=56478961

Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant