CN101162485A - Method and system for processing computer malicious code - Google Patents


Info

Publication number: CN101162485A
Authority: CN (China)
Prior art keywords: code, information, malicious code, malicious, computer program
Legal status: Granted (active)
Application number: CNA2006101136644A
Other languages: Chinese (zh)
Other versions: CN100485703C (en)
Inventor: 王志
Current assignee: Fortinet Inc
Original assignee: Fortinet Information Technology Beijing Co Ltd
Application filed by Fortinet Information Technology Beijing Co Ltd
Priority application: CNB2006101136644A; published as CN101162485A; granted as CN100485703C


Abstract

The invention discloses a method and system for processing computer malicious code. The method comprises: reading and running a computer program file that may contain malicious code, and collecting the code information associated with malicious code while the file runs; combining that code information and comparing and matching it against the malicious code knowledge in a malicious code knowledge base, to analyse whether the file contains malicious code; and, once the file is confirmed to contain malicious code, extracting file code from the file according to the relationship between code information and data addresses recorded in the encoded data, and generating a malicious code signature. The method and system improve the efficiency of malicious code analysis and reduce system overhead and implementation difficulty.

Description

Method and system for processing computer malicious code
Technical field
The present invention relates to the field of information security, in particular to a method and system for processing computer malicious code, and more particularly to a method and system for checking whether a computer program file contains computer malicious code and for extracting a malicious code signature from a computer program file that does.
Background art
With the spread of computers and the rapid development of the Internet, the threat posed by computer malicious code (broadly, what is generally called computer viruses) has become increasingly serious. The number of malicious code samples is growing rapidly, and their propagation, destructiveness and concealment keep improving, so the work of countering computer malicious code faces great challenges.
The anti-malware technique in widespread use today is static pattern matching. After a computer program file that may contain malicious code appears, it is analysed manually to determine whether it contains malicious code; if it does, a malicious code signature is extracted from the file, and the signature of the new malicious code is added to the malicious code signature database and delivered to users so that their anti-malware software can detect and remove it. Both the analysis and the extraction of the signature are done by hand. Many files that contain malicious code look different from the outside, and it is not possible to tell directly which malicious code a file contains, so each file has to be analysed one at a time by an analyst to decide whether it contains malicious code; the malicious code it contains is then extracted from that file, a signature is generated, and the signature is added to the database and delivered to users.

Yet many existing malicious code families have numerous variants that show identical or similar code information at run time, for example the Viking virus, the Gray Pigeon backdoor (Huigezi, Gpigeon) and the Banker bank-password-stealing trojan. The Viking family, for instance, shows three identical or similar pieces of code information when run: 1) it infects Windows programs; 2) it binds the original file behind the malicious code; 3) it downloads several password-stealing programs from the Internet and spreads over the local area network (LAN). Although the Viking family has many variants, these three behaviours are the core of all of them, and still every piece of malicious code and every variant has to be analysed by hand, over and over, before its signature can be obtained. This lowers efficiency and slows the updating of the malicious code signature database.
Chinese invention patent CN1235108C discloses a computer virus detection and identification method that simulates the biological immune system: it applies immune principles to the signature method of anti-virus, combines it with behaviour monitoring and other detection and identification methods, detects and discovers viruses and obtains virus samples by monitoring the computer system, and then obtains virus signatures in a learning and recognition phase through mutation, evolution and sample text analysis. That invention is able to detect some known and unknown malicious code, but during monitoring and discovery it does not fully collect, analyse and use the code information produced while an infected file runs, and it separates a file that contains malicious code from the connections that exist at run time between that malicious code and its variants. It is still a signature extraction method based on a single file, so it cannot raise efficiency either, and it likewise slows the updating of the signature database. Furthermore, because it cannot directly generate an accurate malicious code signature, it must mutate and evolve continuously, which inevitably means repeated comparisons when a signature is generated and therefore higher system overhead; and its self set must include the code of all normal files, which is very difficult to realise and of very little practical use.
Summary of the invention
The technical problem to be solved by the present invention is to provide a method and system for processing computer malicious code that improve the efficiency of malicious code analysis and reduce system overhead and implementation difficulty.
To achieve this aim, the invention provides a method for processing computer malicious code, comprising the following steps:
Step A: reading and running a computer program file that may contain malicious code, and collecting the code information associated with malicious code while the file runs;
Step B: combining the code information, comparing and matching it against the malicious code knowledge in a malicious code knowledge base, and analysing whether the file contains malicious code.
The method may further comprise, between step A and step B:
isolating the computer runtime environment in which the code information is collected.
Reading and running the computer program file that may contain malicious code may comprise:
copying the computer program file that may contain malicious code, and running the copy.
Step A may further comprise:
associating the code information with the data address of the file code in the computer program file, and generating encoded data.
Associating the code information with the data address of the file code may comprise:
according to the code information, recording the data address of the file code in the computer program file that corresponds to that code information, converting the data address into address text, and establishing the association between the code information and the data address.
Generating the encoded data may comprise:
according to the code information and the address text corresponding to it, building a data linked list of code information and address text, and generating the encoded data of the code information.
The method may further comprise, between step A and step B:
transmitting the code information and the encoded data to the computer runtime environment in which the file is analysed for malicious code and to the computer runtime environment in which the malicious code signature is extracted.
The method may further comprise, after step B:
Step C: after confirming that the file contains malicious code, extracting file code from the file according to the relationship between code information and data address in the encoded data, and generating a malicious code signature.
Extracting file code from the file according to the relationship between code information and address text in the encoded data may comprise:
according to that relationship, finding, from the code information that corresponds to the malicious code, the address text corresponding to that code information, and obtaining from the address text the data address of the file code in the computer program file that corresponds to that code information;
then extracting the binary file code stored at the position in the file given by that data address.
Generating the malicious code signature may comprise:
collecting together the extracted binary file code and the relative address of that file code within the computer program file to form the malicious code signature.
The method may further comprise, after step C:
Step D: after the malicious code signature is generated, optimising it with a malicious code signature optimisation algorithm and storing it in the malicious code signature database.
The information combination comprises an acceleration string, which represents the collected code information and classifies it.
The malicious code knowledge is quantified malicious code knowledge, classified by means of the acceleration string.
To achieve the aim of the invention, a system for processing computer malicious code is also provided, comprising an information collection module and an analysis module, wherein:
the information collection module reads and runs a computer program file that may contain malicious code, and collects the code information associated with malicious code while the file runs;
the analysis module combines the code information, compares and matches it against the malicious code knowledge in a malicious code knowledge base, and analyses whether the file contains malicious code.
The system may further comprise an isolation module, for isolating the computer runtime environment of the information collection module.
The information collection module may comprise a copy submodule and an information collection submodule, wherein:
the copy submodule copies the computer program file that may contain malicious code and runs the copy;
the information collection submodule collects the code information associated with malicious code while the file runs.
The information collection module may further comprise an encoding submodule, which associates the code information with the data address of the file code in the computer program file and generates encoded data.
The information collection module may further comprise a transmission submodule, which transmits the code information and the encoded data to the analysis module.
The system may further comprise a malicious code signature generation module, which, after the file is confirmed to contain malicious code, extracts file code from the file according to the relationship between code information and data address in the encoded data and generates a malicious code signature.
The malicious code signature generation module may comprise a lookup submodule and an extraction submodule, wherein:
the lookup submodule, according to the relationship between code information and address text in the encoded data, finds from the code information corresponding to the malicious code the address text corresponding to it, and obtains from that address text the data address of the corresponding file code in the computer program file;
the extraction submodule extracts the binary file code stored at the position in the file given by that data address.
The malicious code signature generation module may further comprise an assembly submodule, which collects together the extracted binary file code and the relative address of that file code within the computer program file to form the malicious code signature.
The system may further comprise an optimisation module, which, after the malicious code signature is generated, optimises it with a malicious code signature optimisation algorithm and stores it in the malicious code signature database.
The information combination comprises an acceleration string, which represents the collected code information and classifies it.
The malicious code knowledge is quantified malicious code knowledge, classified by means of the acceleration string.
The code information associated with malicious code is one or more of: file information, process information, user and password information, system service information, network sharing and access information, and system registry information associated with malicious code.
The collection comprises dynamic tracing collection and static collection.
The isolation is network isolation or virtual machine isolation.
The beneficial effects of the invention are as follows. The method and system fully collect the code information associated with malicious code while a computer program file that may contain malicious code runs, use the code information corresponding to the malicious code to obtain the data address of the file code in the program file, and generate encoded data from it; the combination of collected code information is then compared and matched against the malicious code knowledge in a knowledge base of known malicious code, so that the presence of malicious code is identified quickly and accurately, after which the malicious code signature is extracted from the file. The approach can identify unknown malicious code, and in particular can quickly and accurately identify, and extract signatures from, files that look different on the outside but are similar in their internal information, so the malicious code signature database can be updated rapidly. Compared with manual processing based on a single file it is more efficient, especially for malicious code of the same family, and it frees malicious code analysts from repetitive, low-efficiency analysis work.
Description of the drawings
Fig. 1 is a flow chart of the method for processing computer malicious code of the present invention;
Fig. 2 is a schematic diagram of the process of collecting the code information associated with malicious code;
Fig. 3 is a schematic diagram of the process of associating code information with data addresses;
Fig. 4 is a schematic diagram of the process of encoding code information and address text;
Fig. 5A is a schematic diagram of network isolation;
Fig. 5B is a schematic diagram of virtual machine isolation;
Fig. 6 is a schematic diagram of the malicious code analysis process;
Fig. 7 is a schematic diagram of the process of generating and optimising a malicious code signature and storing it in the malicious code signature database;
Fig. 8 is a schematic diagram of the system for processing computer malicious code of the present invention.
Detailed description of the embodiments
To make the aim, technical solution and advantages of the present invention clearer, the method and system for processing computer malicious code are described in further detail below with reference to Figures 1 to 8 and to the embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and do not limit it.
The method and system of the present invention read and run a computer program file that may contain malicious code and collect the code information associated with malicious code while the file runs; the code information is then combined and compared and matched against the collected malicious code knowledge in the known malicious code knowledge base, to analyse whether the file contains malicious code. Further, the code information may be associated with the data address of the file code in the program file to generate encoded data; after the file is confirmed to contain malicious code, file code is extracted from it according to the relationship between code information and data address in the encoded data, and a malicious code signature is generated; after the signature is generated it is optimised with a malicious code signature optimisation algorithm and stored in the malicious code signature database. In other words, on the basis of the encoded data, the corresponding malicious code is extracted from a file that has been determined to contain malicious code, and the signature of that malicious code is extracted automatically and accurately.
As shown in Fig. 1, the method for processing computer malicious code comprises the following steps:
Step 1: read and run a computer program file that may contain malicious code, and collect the code information associated with malicious code while the file runs;
Further, step 1 also comprises:
associating this code information with the data address of the file code in the program file, and generating encoded data of the code information and data address.
Step 2: isolate the computer runtime environment in which the code information is collected; send the code information and encoded data from that collection environment to the isolated computer runtime environment in which the file is analysed for malicious code and to the computer runtime environment in which the malicious code signature is extracted.
Step 3: combine the code information, compare and match it against the malicious code knowledge in the malicious code knowledge base, and analyse whether the file contains malicious code;
Step 4: after confirming that the file contains malicious code, extract file code from the file according to the relationship between code information and data address in the encoded data, and generate a malicious code signature.
Step 5: after the malicious code signature is generated, optimise it with a malicious code signature optimisation algorithm and store it in the malicious code signature database.
The method is described in detail below.
In step 1, the computer program file that may contain malicious code is read and run, the code information associated with malicious code is collected while it runs, and this code information is associated with the data address of the file code in the program file to generate encoded data. Specifically:
First, the file that may contain malicious code is copied, the copy is run in the computer runtime environment used for collecting code information, and the code information associated with malicious code is collected while it runs.
Monitoring of the computer system discovers a file that may contain malicious code; the file is copied and run, and the code information associated with malicious code is collected while it runs.
The computer runtime environment is the hardware and software environment the program file needs in order to run. The hardware environment includes, without limitation, the host that runs the file and its peripherals; the software environment includes, without limitation, the system software and driver software needed to run the file. Providing a runtime environment for a program file is common knowledge in the art and is not described further here.
The code information associated with malicious code specifically comprises the following:
File information: copying of files, deletion of files or folders, changes of file or folder attributes, changes of file size, changes of file creation date, and changes of file owner or user group attributes. The embodiment mainly collects the code information of the malicious code's operations on program files, such as downloading advertisements from the Internet, downloading other malicious program code from the Internet, and releasing new malicious programs from within the malicious code (droppers);
Process information: creation and deletion of processes or threads, module information of processes, and so on. The embodiment mainly collects information related to malicious code, in particular to injection and hiding techniques;
User and password information: creation, modification and deletion of computer users and work groups, and password modifications. The embodiment mainly collects information related to computer backdoors;
System service information: creation, starting, stopping and deletion of service programs, the user a service runs as, and the type, description and function of the service. The embodiment mainly collects information about the malicious code's low-level control of the computer;
Network sharing and access information: local resources shared by the malicious code, the malicious code's network access, and modifications to the network environment (for example firewall application rules, the hosts file and IP addresses). The embodiment mainly collects information about the malicious code's network communication and network sabotage;
System registry information: the embodiment mainly collects the malicious code's modifications to the registry, including information related to autostart techniques.
Taking the Banker malicious code (the Banker bank-password-stealing trojan) as an example, after copying, running and collecting, the following code information associated with malicious code is obtained:
I) file information: the malicious code first copies itself into the system directory and deletes its original file;
II) system registry information: the malicious code adds itself to the system's autostart programs;
III) process information: it records the user's keyboard input.
No other information is produced.
Monitoring the computer runtime environment discovers files that contain malicious code. Such files may be found by a person manually operating a computer program, by the malware monitoring staff of a company that specialises in monitoring malicious code, or by anti-malware monitoring software produced by a software company (such as Rising Antivirus, RAV, from Rising); they may also be files collected by a honeypot (a honeypot system is part of a malware collection system, and every company has its own), files reported through a user malware reporting system, sample files supplied to anti-virus companies by international anti-virus organisations, samples exchanged between anti-virus companies, and so on.
Once found, the file that may contain malicious code is supplied to the system of the present invention. The process of monitoring and discovering such files is either a manual process or an existing known technique unrelated to the present invention, and is not described further here.
A computer program file that may contain malicious code may be a file suspected of containing known or unknown malicious code, or a file already known to contain some unknown malicious code. The malicious code may be the whole of the file's code (that is, the file itself is malicious code) or only part of it.
As shown in Fig. 2, the computer system collects the code information associated with malicious code by dynamic tracing collection and by static collection: for example, whether a new file was produced and the path and address of that file, whether a malicious network address was connected to and which concrete address it was, and so on.
Dynamic tracing collection is mainly of three kinds. Interrupt tracing uses a disassembly engine to insert interrupt instructions into the program that may contain malicious code, so as to control the file's execution; this is similar to computer debuggers such as Ollydebug and SoftIce. Injection injects monitor code into the program file that may contain malicious code by modifying the file's import table so that the entry address is redirected to the monitor code; when the file executes, the monitor code runs first, performs its monitoring, and then continues execution at the original address recorded in the import table, so that the monitor code observes the file's execution. This method is fairly simple to implement, and its accuracy and efficiency are both high. A third method is to take over the bottom layer of the system with assembly routines.
Static collection compares computer system information from before and after the program file that may contain malicious code runs, and obtains the code information from the contrast. It uses the functions provided by the operating system to access system properties, records the information before and after the file runs, and derives the code information from the change in system information between the two results: the parts that differ are the code information.
Static collection yields code information similar to that of dynamic tracing. Dynamic tracing, however, extracts information only about the modifying behaviour itself and the code data address at which the modification occurred; it cannot effectively collect the state before and after the modification, and so cannot give a useful reference for repairing a system damaged by malicious code. Static, contrast-based collection therefore supplements the shortcomings of dynamic collection and provides a reference for system repair.
The main purpose of dynamic tracing collection is to support the association of code information with the data address of the file code in the program file, and hence the quick and accurate extraction of the malicious code signature. The main purpose of static collection is to supplement dynamic tracing, so that a complete chain of code information is finally formed (the state before the damage, the damaging action, and the result after the damage).
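The static, contrast-based collection described above, as an added example that is not the patent's own code: two constructed system snapshots modelled on the Banker behaviour listed earlier (self-copy into the system directory, deletion of the original, a new autostart registry value) are diffed into categorised code-information records, and a diff taken from a clean run with no sample is used to drop changes the operating system makes by itself. The snapshot layout (category, name, value), the category names, the CodeInfo record type and all paths and values are assumptions made for the example.

```python
"""Static collection: diff system-state snapshots taken before and after the
sample runs into categorised code-information records.

Added example, not the patent's code. Snapshot layout (category -> name ->
value), category names and the CodeInfo fields are assumptions; all data is
constructed inline so the example runs offline."""
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class CodeInfo:
    category: str   # "file", "registry", "service", ...
    action: str     # "created", "deleted" or "modified"
    subject: str    # path, registry value or service name
    detail: Any     # new value, old value, or (old, new) for a modification


def diff_category(category, before, after):
    """Compare one category of the two snapshots; the parts that differ are the code information."""
    records = []
    for key in sorted(set(before) | set(after)):
        if key not in before:
            records.append(CodeInfo(category, "created", key, after[key]))
        elif key not in after:
            records.append(CodeInfo(category, "deleted", key, before[key]))
        elif before[key] != after[key]:
            records.append(CodeInfo(category, "modified", key, (before[key], after[key])))
    return records


def static_collect(before, after):
    """Whole-snapshot diff over every category present in either snapshot."""
    out = []
    for category in sorted(set(before) | set(after)):
        out.extend(diff_category(category, before.get(category, {}), after.get(category, {})))
    return out


def suppress_noise(records, noise):
    """Drop changes that a clean run (no sample) also produced, e.g. prefetch or
    log files the OS rewrites on its own; keyed on category, action and subject."""
    seen = {(r.category, r.action, r.subject) for r in noise}
    return [r for r in records if (r.category, r.action, r.subject) not in seen]


def infer_self_copies(records):
    """Pair a deleted file with a created file of identical (size, hash): the
    'copy itself into the system directory and delete the original' pattern."""
    created = {r.detail: r.subject for r in records if r.category == "file" and r.action == "created"}
    return [(r.subject, created[r.detail]) for r in records
            if r.category == "file" and r.action == "deleted" and r.detail in created]


# Constructed snapshots. File values are (size, sha256 prefix); registry values
# are strings; service values are state names.
BEFORE = {
    "file": {
        r"C:\samples\banker.exe": (40960, "a1f3"),
        r"C:\Windows\Prefetch\EXPLORER.EXE-ABCD1234.pf": (8192, "00aa"),
    },
    "registry": {
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater": r"C:\Program Files\Updater\upd.exe",
    },
    "service": {"Spooler": "running"},
}
AFTER = {
    "file": {
        r"C:\Windows\System32\svchosts.exe": (40960, "a1f3"),             # same bytes as the deleted sample
        r"C:\Windows\Prefetch\EXPLORER.EXE-ABCD1234.pf": (8448, "00ab"),  # OS noise, also seen in a clean run
    },
    "registry": {
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater": r"C:\Program Files\Updater\upd.exe",
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchosts": r"C:\Windows\System32\svchosts.exe",
    },
    "service": {"Spooler": "running"},
}
# Constructed diff of a clean run on the same image, used as the noise list.
CLEAN_RUN_NOISE = [
    CodeInfo("file", "modified", r"C:\Windows\Prefetch\EXPLORER.EXE-ABCD1234.pf", None),
]


def collect_banker():
    """Static collection over the constructed snapshots with OS noise stripped."""
    return suppress_noise(static_collect(BEFORE, AFTER), CLEAN_RUN_NOISE)


if __name__ == "__main__":
    for rec in collect_banker():
        print(f"{rec.category:8} {rec.action:8} {rec.subject}")
    print("self-copies:", infer_self_copies(collect_banker()))
```

The noise list matters in practice: without it the prefetch change would be reported as code information of the sample, and the same applies to event logs, temporary files and anything else the guest rewrites between two snapshots.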
Secondly, as shown in Fig. 3, according to the code information associated with malicious code, the data address of the file code in the program file that corresponds to that code information is recorded, the data address is converted into address text, and the association between code information and data address is established.
The computer run environment of gathering code information is in the process of gathering the code information that is associated with malicious code, the data address of the document code of the computer program file of this code information of record generation, promptly the document code of this computer program file is stored in the relative data address location in the calculator memory, then this data address is converted into the address text, promptly writes down this data address with textual form.Like this, just can set up the incidence relation of the data address of code information and this code information of generation.
, as shown in Figure 4, according to the code information that with malicious code be associated that collect, and the address text that with this code information be associated, set up the data link table of this code information and address text, generate coded data thereafter.
According to the code information that is associated with malicious code, and the address text, the coding that standardizes is set up the data link table of this code information and address text, generates coded data.
The standardization coding of the embodiment of the invention is represented information with a unified data structure chained list exactly.
The concrete storage organization of the data link table of code information and address text is as shown in Figure 4:
As shown in Figure 4, this coded data list structure is: at first be an overall sign structure that whether collects information, can point to an address array if collect this structure of information, wherein each points to the big class of information, and each big class has an information chained list to represent.Because each category information is unfixed, the information of description of each in the chained list, each information comprises an information description and file association.
In step 2, the computer running environment that collects the code information is isolated, and the code information and encoded data are transmitted from the environment that collects code information to the isolated environment that analyses whether the computer program file contains malicious code and extracts the malicious code feature code.
Because malicious code is harmful, when the computer program file is run in a computer running environment, effective measures should be taken to isolate the environment in which the possibly malicious code runs from the environment in which the malicious code is analysed and the malicious code feature code is extracted. Only by preventing the spread of the malicious code's damage can the malicious code analysis, and then the feature code extraction, be carried out exactly according to the code information and encoded data.
The environment isolation in the present invention may be network isolation or virtual machine isolation.
As shown in Figure 5A, in network isolation the two environments are established on two different computer systems, linked by a secure data channel;
As shown in Figure 5B, in virtual machine isolation the two environments are established on one computer system: a further computer system is virtualized by virtual machine technology, so that the two environments do not interfere with each other and leakage of malicious code is prevented.
Then the collected code information associated with malicious code and the encoded data are sent through a secure data transmission channel, for example by copying via a new floppy disk or by network transmission with data filtering, to the isolated environment for malicious code analysis and feature code extraction.
In step 3, the code information associated with malicious code is combined and compared and matched with the malicious code knowledge in the malicious code knowledge base, to analyse whether the computer program file contains computer malicious code.
The malicious code knowledge base is a system that collects the feature codes of all known malicious code together with the code information produced when they run, and provides explanations of the malicious code. When anti-virus software reports a computer program file as malicious code, the anti-virus vendor must provide the basis and a reasonable explanation for doing so, so every anti-virus vendor has its own malicious code knowledge base, comprising a malicious code feature code library and an information library. In the prior art, the feature code library is provided to users for virus removal, that is, for finding and removing the malicious code in computer program files by all means according to the feature codes, while the information library is only used for explanation: it describes, for each piece of malicious code, the code information produced when that malicious code runs, and this explanation is the malicious code knowledge. As tools for removing malicious code the two parts are therefore treated as two separate systems, although in anti-malicious-code work the feature code library and the information library of the knowledge base are closely related. The present invention establishes a close link between the feature code library and the information library so that they reinforce each other as means against malicious code: first the code information produced when a computer program file that may contain malicious code runs is compared and matched with the known malicious code knowledge in the information library, to confirm whether this code information is the code information produced when malicious code runs, and thereby to confirm that the computer program file contains malicious code.
Usually the malicious code knowledge base uses a standardized language to describe malicious code knowledge. Specifically, malicious code knowledge, including but not limited to file information, process information, user password information, system service information, network share and access information, and system registry information, is edited in the knowledge base in a normalized way, for example: the XX1 malicious code program opened port X1; the XX2 malicious code program downloaded the XX2 program from http://www.XX2.com.
The malicious code knowledge base comprises a set of descriptions of a plurality of malicious codes, where each description in turn consists of one or more items of malicious code knowledge, and these textual descriptions of malicious code knowledge can readily be quantified into the required code information.
Because the language describing malicious code knowledge is standardized, for example the language used by different malicious code feature codes to describe the same malicious code knowledge is identical, quantification can symbolize these identical expressions so that they become a language a computer can understand. Quantifying textually described malicious code knowledge by symbolizing identical expressions into a machine-understandable language is common knowledge in the art and is not described in detail here.
As shown in Figure 6, the code information is combined and compared and matched with the quantified malicious code knowledge in the preset malicious code knowledge base, to analyse whether the computer program file contains malicious code.
The collected code information is a maximized structure, comprising all code information associated with malicious code that could be collected, while the information combination obtained from the collected code information is a minimized information structure: it specifies the minimum combination of information needed to determine whether the code that produced this information combination is malicious code.
The information combination may be a simple arrangement, that is, all collected information is arranged one by one and added together to obtain one information combination. For example, the information combination of the Banker malicious code mentioned above is:
File information: first copies itself to the system directory and deletes its own original file;
System registry information: adds itself to the system's auto-start program files;
Process information: records the user's keyboard input.
Of course, the information combination may also use other combination modes known to those skilled in the art, such as randomly drawing some of the code information.
At the same time, to speed up searching, the information combination also comprises an acceleration symbol string, used to represent the collected code information and to classify it. For each collection of code information an overall acceleration symbol is set up indicating whether any information was collected, for example 1 meaning yes and 0 meaning no. The code information is then divided into several major categories, such as the file category and the process category, each with its own acceleration symbol: 1 means information in that category was collected, 0 means none; categories may be further divided into smaller classes in the same way. After classification an acceleration symbol string for the whole is obtained. For example, if file information occupies the first position, system registry information the second, process information the third and other information the later positions, the code information of the Banker example above generates the acceleration symbol string 111000... . Likewise, the malicious code knowledge in the malicious code knowledge base is classified with acceleration symbol strings. Then, by first searching for malicious code knowledge whose acceleration symbol string is identical to that of the code information, and only then comparing the groups or concrete items of the information combination and the malicious code knowledge, efficiency is improved compared with directly matching the specific information.
In this way the speed of comparison matching during malicious code analysis is improved.
The quantified malicious code knowledge in the malicious code knowledge base and the information combination of the code information are in an inclusion relation, and the comparison matching between them is a logical AND operation. When the result of the operation equals the malicious code knowledge there is a match: if the code information of some information combination among the collected code information is identical to the description of the code information in the malicious code knowledge (the description of the code information produced when the malicious code runs), the match succeeds, the code that produced this information combination is judged to be malicious code, and the computer program file is shown to contain malicious code, that is, a virus; in this way it is confirmed whether the code information is code information produced by malicious code. If the result differs there is no match, showing that this information combination is not code information produced by malicious code; if no possible information combination matches any malicious code knowledge in the knowledge base, the computer program file does not contain computer malicious code. In addition, if no code information associated with malicious code is collected at all, the computer program file does not contain malicious code.
Preferably, a match priority principle is adopted in comparison matching: as soon as one information combination matches, the remaining matching is not carried out, which speeds up the search for computer malicious code.
The AND operation is one of the fastest basic operations of a computer, much faster than addition.
If the comparison matching succeeds, the family name of the corresponding malicious code can be obtained from the malicious code knowledge base. From the description of the code information produced when this malicious code runs, the inverse of the knowledge base's quantification process automatically generates the malicious code knowledge in the knowledge base for this description of the malicious code, that is, the code information produced when the malicious code runs. Names within a family can be ordered by discovery, as abcd... aa, ab, ac...
When the information combination of the collected code information is compared and matched with the quantified malicious code knowledge of the knowledge base, the acceleration symbol string allows the malicious code searched for to be determined quickly, which strengthens the accuracy of the search. At the same time, because the code information describes the results the file produces when it runs internally, the complexity arising from external changes to the file is reduced.
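The following Python is an added illustration, not code from the patent: it models the acceleration symbol string, the quantification of knowledge into bit masks, and the AND-based comparison match with match priority described above. The category order, the normalized token vocabulary and the sample knowledge entries (the Banker entry mirrors the description in the text) are assumptions.

```python
# Added example (not from the patent): acceleration symbol strings plus a
# logical-AND comparison match between collected code information and the
# quantified knowledge of a malicious code knowledge base.
# Assumed: the category order, the normalized token vocabulary, and the sample
# knowledge entries (the Banker entry mirrors the description in the text).
from dataclasses import dataclass

# Position of each major category in the acceleration symbol string:
# file information first, system registry second, process information third,
# the remaining categories in the later positions.
CATEGORIES = ("file", "registry", "process", "password", "service", "network_share")


def acceleration_string(info):
    """One symbol per category: 1 = information collected, 0 = none."""
    return "".join("1" if info.get(c) else "0" for c in CATEGORIES)


@dataclass(frozen=True)
class Knowledge:
    name: str   # family name returned on a successful match
    info: dict  # category -> frozenset of normalized description tokens


class KnowledgeBase:
    def __init__(self, entries):
        self.entries = list(entries)
        # Quantification: every normalized description token receives one bit,
        # so a knowledge entry and an information combination become integers
        # that can be compared with a single AND.
        tokens = sorted({t for e in self.entries for ts in e.info.values() for t in ts})
        self.bit = {t: 1 << i for i, t in enumerate(tokens)}
        # Index the knowledge by acceleration string to narrow the search.
        self.by_accel = {}
        for e in self.entries:
            self.by_accel.setdefault(acceleration_string(e.info), []).append(e)

    def quantize(self, info):
        mask = 0
        for tokens in info.values():
            for t in tokens:
                mask |= self.bit.get(t, 0)  # tokens unknown to the base add nothing
        return mask

    def match(self, collected):
        """Return the matched family name, or None if nothing matches."""
        if not any(collected.values()):
            return None  # no code information associated with malicious code
        combo = self.quantize(collected)
        for entry in self.by_accel.get(acceleration_string(collected), []):
            kmask = self.quantize(entry.info)
            # Inclusion relation: the knowledge must be contained in the
            # collected combination, i.e. combo AND knowledge == knowledge.
            if kmask and combo & kmask == kmask:
                return entry.name  # match priority: stop at the first hit
        return None


# Constructed knowledge base with two entries.
KB = KnowledgeBase([
    Knowledge("Banker", {
        "file": frozenset({"copy_self_to_system_dir", "delete_original_file"}),
        "registry": frozenset({"add_self_to_autorun"}),
        "process": frozenset({"record_keyboard_input"}),
    }),
    Knowledge("Downloader", {
        "network_share": frozenset({"download_program"}),
        "file": frozenset({"write_downloaded_program"}),
    }),
])

# Constructed sample of collected code information (a superset of Banker).
SAMPLE_BANKER = {
    "file": {"copy_self_to_system_dir", "delete_original_file", "create_temp_file"},
    "registry": {"add_self_to_autorun"},
    "process": {"record_keyboard_input"},
}

# Constructed sample missing the registry information: no match expected.
SAMPLE_INCOMPLETE = {
    "file": {"copy_self_to_system_dir", "delete_original_file"},
    "process": {"record_keyboard_input"},
}

if __name__ == "__main__":
    print(acceleration_string(SAMPLE_BANKER), KB.match(SAMPLE_BANKER))
    print(acceleration_string(SAMPLE_INCOMPLETE), KB.match(SAMPLE_INCOMPLETE))
```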
In step 4, after confirming that the computer program file contains malicious code, file code is extracted from the computer program file according to the relation between code information and data address in the encoded data, and a malicious code feature code is generated. Specifically:
As shown in Figure 7, by comparing and matching the information combination with the quantified malicious code knowledge in the knowledge base, it is determined that the computer program file contains malicious code, i.e. a virus. All address text of the information combination that generated it is then obtained from the encoded data according to the information combination; the data addresses of the file code associated with this code information are obtained from the address text; and the file code of the computer program file stored at those data addresses is searched, extracted and gathered to generate the malicious code feature code. Thus, by searching, extracting and gathering across the three resources of information combination, encoded data and computer program file, the malicious code feature code is generated.
The process of associating the malicious code feature code with the malicious code comprises the following:
First, using the information combination, the address text corresponding to this information combination is found in the encoded data, and the data address of the file code associated with the information combination is obtained from the address text;
Then the binary file code stored at the data address of the file code corresponding to the information combination is extracted; it may be represented in hexadecimal;
Finally, the extracted binary file code and the relative data address position of the file code in the file are gathered together to generate the malicious code feature code.
In this way the user can search for malicious code at the relevant position of the computer program file according to the malicious code feature code, report malicious code when it is found, and carry out the corresponding malicious code removal.
In the embodiment of the invention, the corresponding malicious code feature code is obtained from the feature code library according to the malicious code knowledge matched by this code information and is associated with the computer program file confirmed to contain malicious code; then, according to the encoded data, it is confirmed which malicious code the file contains, that is, whether it is a variant of known malicious code or unknown malicious code. If it is a variant of known malicious code, the feature code of the variant part is searched for and confirmed by naming; if it is unknown malicious code, the feature code is extracted directly from the computer program file and confirmed by naming.
In step 5, after the malicious code feature code is generated, it is optimized with a malicious code feature code optimization algorithm and stored in the malicious code feature code library. Specifically:
The optimization algorithm trades time for space. An unoptimized malicious code feature code is a combination of pairs of file-relative data address and file code data of the malicious code. After the optimization algorithm turns the file-relative addresses in the feature code into a range, the feature code shortens accordingly, and one such feature code can stand for the feature over a range of file-relative addresses. Optimizing with the feature code optimization algorithm thus effectively reduces the size of the malicious code feature code library.
The optimization algorithm may be a commonly used one, such as the constrained variable-metric method, a mixed-discrete comprehensive algorithm, or the leash law.
The file code data of malicious code differs from the malicious code feature code: the file code data are binary character strings in the file, while the malicious code feature code is an assembly of pairs of file code data and relative addresses of the malicious code; the two are in an inclusion relation.
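As an added example, not the patent's own code, the following Python carries out the three steps of step 4 (find the address text, extract the binary file code, gather it with the relative address) and the range optimization of step 5, then uses the optimized feature code to check a file. The address text format, the block size behind each address and the program file bytes are constructed assumptions.

```python
# Added example (not from the patent): feature code extraction from the
# encoded data and its optimization into address ranges, as described in
# steps 4 and 5 above.
# Assumed: address text is the hexadecimal file-relative offset, each item of
# code information is linked to a fixed-size block of file code, and the
# program file bytes are constructed here.

BLOCK = 4  # assumed size of the file code block behind each address text

# Encoded data: code information -> address text of the file code that
# produced it (a dict stands in for the data link table of Figure 4).
ENCODED_DATA = {
    "file:copy_self_to_system_dir": ["0x0040", "0x0044"],
    "registry:add_self_to_autorun": ["0x0048"],
    "process:record_keyboard_input": ["0x0100"],
}


def build_program(size=0x200):
    """Constructed stand-in for a computer program file (deterministic bytes)."""
    return bytes((i * 7 + 3) & 0xFF for i in range(size))


PROGRAM = build_program()


def address_text_to_offset(text):
    return int(text, 16)


def extract_feature_code(program, encoded, block=BLOCK):
    """Unoptimized feature code: sorted (relative address, hex file code) pairs."""
    pairs = set()
    for address_texts in encoded.values():
        for text in address_texts:
            offset = address_text_to_offset(text)
            code = program[offset:offset + block]
            if len(code) != block:
                raise ValueError(f"address text {text} lies outside the file")
            pairs.add((offset, code.hex()))
    return sorted(pairs)


def optimize(feature_code):
    """Merge pairs with adjacent addresses into (start, end, hex code) ranges,
    spending merge time to obtain a shorter feature code."""
    ranges = []
    for offset, hexcode in feature_code:
        if ranges and ranges[-1][1] == offset:
            start, _, acc = ranges[-1]
            ranges[-1] = (start, offset + len(hexcode) // 2, acc + hexcode)
        else:
            ranges.append((offset, offset + len(hexcode) // 2, hexcode))
    return ranges


def scan(program, optimized):
    """Report whether every range of the feature code is present at its
    relative position in the file (the check a scanner would perform)."""
    return all(program[start:end].hex() == hexcode
               for start, end, hexcode in optimized)


if __name__ == "__main__":
    fc = extract_feature_code(PROGRAM, ENCODED_DATA)
    opt = optimize(fc)
    print(len(fc), "pairs ->", len(opt), "ranges")
    for start, end, hexcode in opt:
        print(f"{start:#06x}-{end:#06x} {hexcode}")
    print("infected:", scan(PROGRAM, opt))
```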
The computer malicious code processing method of the present invention collects, by standardization, the code information associated with malicious code produced when a computer program file that may contain malicious code (a virus) runs, encodes the obtained code information together with the data address of the associated file code, and compares and matches the malicious code knowledge of the knowledge base against the code information associated with malicious code produced when the computer program file runs, to judge whether the file contains malicious code (a virus). Through the code information it links the feature code library and the information library of the knowledge base together, acting as a tie between them, so that whether a computer program file contains malicious code can be judged by rapid analysis, the accuracy of determining malicious code in program files is strengthened, malicious code feature codes are generated quickly, working efficiency is improved, and malicious code analysts are freed from inefficient, repetitive analysis work.
At the same time, the present invention also provides a computer malicious code processing system corresponding to this method:
As shown in Figure 8, the computer malicious code processing system of the present invention comprises an information acquisition module 810, an isolation module 820, an analysis module 830 and a malicious code feature code generation module 840, where:
The information acquisition module 810 is used to read and run the computer program file that may contain malicious code, and to collect the code information associated with malicious code when the computer program file runs.
The isolation module 820 is used to isolate the computer running environment of the information acquisition module.
The analysis module 830 is used to combine the code information, compare and match it with the malicious code knowledge in the malicious code knowledge base, and analyse whether the computer program file contains malicious code.
The malicious code feature code generation module 840 is used, after the computer program file is confirmed to contain malicious code, to extract file code from the computer program file according to the relation between code information and data address in the encoded data, and to generate the malicious code feature code.
The information acquisition module 810 comprises a copy submodule 811, an information acquisition submodule 812, an encoding submodule 813 and a transmission submodule 814.
The copy submodule 811 is used to copy the computer program file that may contain malicious code and to run the computer program file.
The information acquisition submodule 812 is used to collect the code information associated with malicious code when the computer program file runs.
The information acquisition submodule 812 collects the code information associated with malicious code by dynamic tracking and static collection.
The encoding submodule 813 is used to associate the code information with the data address of the file code in the computer program file and to generate the encoded data.
The transmission submodule 814 is used to transmit the code information and encoded data to the analysis module 830.
The isolation module 820 isolates the computer running environment of the information acquisition module 810 by network isolation or virtual machine isolation, effectively preventing the spread of the malicious code's damage.
The analysis module 830 compares and matches each item of code information in the encoded data produced when the malicious code program file runs with the malicious code knowledge in the knowledge base, to confirm whether the computer program file contains malicious code.
Preferably, when the combinations of collected code information are compared and matched with the quantified malicious code knowledge of the knowledge base, the acceleration symbol string allows the malicious code to be determined quickly, and the malicious code feature codes are fully combined with the descriptions in the malicious code knowledge, which strengthens the accuracy of the search.
The malicious code feature code generation module 840 comprises a search submodule 841, an extraction submodule 842 and a gathering submodule 843, where:
The search submodule 841 is used, according to the relation between code information and address text in the encoded data, to find through the code information of the corresponding malicious code the address text corresponding to that code information, and to obtain from the address text the data address of the file code of the computer program file corresponding to the code information;
The extraction submodule 842 is used to extract the binary file code of the computer program file stored at the position corresponding to the data address.
The gathering submodule 843 is used to gather the extracted binary file code together with the relative address position of the file code in the computer program file to form the malicious code feature code.
The malicious code feature code generation module 840 obtains from the encoded data, according to the information combination, all address text of the information combination; then obtains from the address text the data address of the file code associated with the code information; and generates the feature code of this malicious code by searching, extracting and gathering the file code stored at the data address. Thus, by searching, extracting and gathering across the three resources of information combination, encoded data and computer program file, the malicious code feature code is generated.
Preferably, the computer malicious code processing system of the present invention also comprises an optimization module 850, used, after the malicious code feature code is generated, to optimize it with the malicious code feature code optimization algorithm and to store it in the malicious code feature code library.
After generating the malicious code feature code, the malicious code feature code generation module 840 optimizes it with the feature code optimization algorithm before depositing it in the feature code library.
The optimization algorithm may be a commonly used one, such as the constrained variable-metric method, a mixed-discrete comprehensive algorithm, or the leash law.
The computer malicious code processing method and system of the present invention associate code information with the data address of file code, encode the code information and data addresses, and compare and match the combinations of collected code information with the malicious code knowledge in the known malicious code knowledge base to determine whether the file contains malicious code, i.e. a virus; then, for the code information combinations determined to have been produced by malicious code, they find the corresponding file code in the file according to the addresses in the encoded data, extract and gather it, and thereby automatically and accurately extract the computer malicious code feature code with which the file is infected. Compared with manual processing based on single files this improves efficiency, and the processing of similar malicious code of the same family is more efficient: malicious code analysts are freed from the inefficient, repetitive analysis of single malicious files, malicious code feature codes are extracted rapidly and accurately, the overhead of the computer system is reduced, there is no need to build a library of all normal files, and the efficiency of anti-malicious-code work is improved.
The specific embodiments of the invention described and illustrated above are exemplary; they should not be taken to limit the invention, which is to be interpreted according to the appended claims.

Claims (30)

1. A computer malicious code processing method, characterized in that it comprises the following steps:
Step A: reading and running a computer program file that may contain malicious code, and collecting code information associated with malicious code when the computer program file runs;
Step B: combining the code information, comparing and matching it with the malicious code knowledge in a malicious code knowledge base, and analysing whether the computer program file contains malicious code.
2. The computer malicious code processing method according to claim 1, characterized in that between step A and step B it further comprises the step of:
isolating the computer running environment that collects the code information.
3. The computer malicious code processing method according to claim 1 or 2, characterized in that reading and running the computer program file that may contain malicious code is:
copying the computer program file that may contain malicious code, and running the computer program file.
4. The computer malicious code processing method according to claim 1 or 2, characterized in that step A further comprises the step of:
associating the code information with the data address of the file code of the computer program file, and generating encoded data.
5. The computer malicious code processing method according to claim 4, characterized in that associating the code information with the data address of the file code of the computer program file is:
according to the code information, recording the data address of the file code of the computer program file corresponding to the code information, converting the data address into address text, and establishing the association between the code information and the data address.
6. The computer malicious code processing method according to claim 4, characterized in that generating the encoded data is:
according to the code information and the address text corresponding to the code information, establishing a data link table of the code information and address text, and generating the encoded data of the code information.
7. The computer malicious code processing method according to claim 6, characterized in that between step A and step B it further comprises the step of:
transmitting the code information and encoded data to the computer running environment that analyses whether the computer program file contains malicious code and extracts the malicious code feature code.
8. The computer malicious code processing method according to claim 4, characterized in that after step B it further comprises the step of:
Step C: after confirming that the computer program file contains malicious code, extracting file code from the computer program file according to the relation between code information and data address in the encoded data, and generating a malicious code feature code.
9. The computer malicious code processing method according to claim 8, characterized in that extracting file code from the computer program file according to the relation between code information and address text in the encoded data is:
according to the relation between code information and address text in the encoded data, finding through the code information of the corresponding malicious code the address text corresponding to the code information, and obtaining from the address text the data address of the file code of the computer program file corresponding to the code information;
then extracting the binary file code of the computer program file stored at the position corresponding to the data address.
10. The computer malicious code processing method according to claim 9, characterized in that generating the malicious code feature code is:
gathering the extracted binary file code together with the relative address position of the file code in the computer program file to form the malicious code feature code.
11. The computer malicious code processing method according to claim 8, characterized in that after step C it further comprises the step of:
Step D: after generating the malicious code feature code, optimizing the malicious code feature code with a malicious code feature code optimization algorithm, and storing it in the malicious code feature code library.
12. The computer malicious code processing method according to claim 8, characterized in that the information combination comprises an acceleration symbol string, used to represent the collected code information and to classify the code information.
13. The computer malicious code processing method according to claim 12, characterized in that the malicious code knowledge is quantified malicious code knowledge classified using acceleration symbol strings.
14. The computer malicious code processing method according to claim 8, characterized in that the code information associated with malicious code is one, or a combination of more than one, of the following associated with malicious code: file information, process information, user password information, system service information, network share and access information, and system registry information.
15. The computer malicious code processing method according to claim 8, characterized in that the collection is dynamic tracking collection and static collection.
16. The computer malicious code processing method according to claim 8, characterized in that the isolation is network isolation or virtual machine isolation.
17. A computer malicious code processing system, characterized in that it comprises an information acquisition module and an analysis module, where:
the information acquisition module is used to read and run the computer program file that may contain malicious code, and to collect the code information associated with malicious code when the computer program file runs;
the analysis module is used to combine the code information, compare and match it with the malicious code knowledge in the malicious code knowledge base, and analyse whether the computer program file contains malicious code.
18. The computer malicious code processing system according to claim 17, characterized in that it further comprises an isolation module, used to isolate the computer running environment of the information acquisition module.
19. The computer malicious code processing system according to claim 17 or 18, characterized in that the information acquisition module comprises a copy submodule and an information acquisition submodule, where:
the copy submodule is used to copy the computer program file that may contain malicious code, and to run the computer program file;
the information acquisition submodule is used to collect the code information associated with malicious code when the computer program file runs.
20. The computer malicious code processing system according to claim 17 or 18, characterized in that the information acquisition module further comprises an encoding submodule, used to associate the code information with the data address of the file code of the computer program file and to generate encoded data.
21. The computer malicious code processing system according to claim 20, characterized in that the information acquisition module further comprises a transmission submodule, used to transmit the code information and encoded data to the analysis module.
22. computer malevolence code disposal system according to claim 20, it is characterized in that, also comprise malicious code condition code generation module, be used for after confirming that described computer program file comprises malicious code, relation according to code information and data address in the described coded data, extraction document code in described computer program file, and generate the malicious code condition code.
23. computer malevolence code disposal system according to claim 22 is characterized in that, described malicious code condition code generation module comprises to be searched submodule and extracts submodule, wherein:
Search submodule, be used for relation according to coded data code information and address text, code information by corresponding malicious code, find described code information corresponding address text, obtain data address with the document code of the corresponding computer program file of described code information by described address text;
Extract submodule, be used for the binary file code of the described computer program file of described data address corresponding position storage is extracted.
24. computer malevolence code disposal system according to claim 23, it is characterized in that, described malicious code condition code generation module also comprises and gathers submodule, be used for the binary file code that extracts, and the relative address position of described document code in described computer program file is summarised in and forms the malicious code condition code together.
25. computer malevolence code disposal system according to claim 22, it is characterized in that, also comprise optimal module, be used for after generating the malicious code condition code, utilize malicious code condition code optimized Algorithm that described malicious code condition code is optimized, the malicious code condition code of restoring storehouse.
26. computer malevolence code disposal system according to claim 22 is characterized in that described information combination comprises the acceleration symbol string, is used to represent the code information that collects and code information is classified.
27. computer malevolence code processing method according to claim 26 is characterized in that, the malicious code knowledge of described malicious code knowledge for quantizing utilizes the acceleration symbol string to classify.
28. computer malevolence code disposal system according to claim 22, it is characterized in that, the described code information that is associated with malicious code is the fileinfo that is associated with malicious code, progress information, user password information, system service information, network shares and the log-on message of visit information, system in a kind of or more than one combination.
29. computer malevolence code processing method according to claim 22 is characterized in that, described collection is dynamic tracking collection and static the collection.
30. computer malevolence code processing method according to claim 22 is characterized in that, described Network Isolation or the virtual machine of being isolated into isolated.
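The pipeline the method and system claims describe (collection of code information while an isolated copy runs, combination into an acceleration symbol string, knowledge-base matching, coding of code information against file-code addresses, extraction of the binary file code and its relative address as the feature code, then a simple optimization before storage), as an added Python example that is not the patent's code. SAMPLE_FILE, COLLECTED, KNOWLEDGE_BASE, the 8-byte signature length and the overlap-dropping optimization are all constructed assumptions; the patent fixes none of them.

```python
# Constructed sample program image (not real malware); the bytes at offset 0x20
# stand in for the routine whose execution produced the collected information.
SAMPLE_FILE = bytes(0x20) + bytes.fromhex("558bec6a00681020400068") + bytes(0x10)
SIG_LEN = 8  # bytes of file code kept per feature code (assumed length)

# Constructed code information gathered while the copy ran in isolation (claims 14-16):
# (category, observation text, data address of the file code responsible for it).
COLLECTED = [
    ("registry", "add Run key (constructed)", 0x20),
    ("file",     "drop DLL (constructed)",    0x20),
    ("network",  "enumerate shares",          0x26),
]

# Constructed knowledge base: quantised knowledge classified by acceleration string (claims 12-13).
KNOWLEDGE_BASE = {
    "file|network|registry": {"name": "Toy.Dropper.A", "min_hits": 2,
                              "indicators": ["Run key", "DLL", "shares"]},
}

def acceleration_string(records):
    """Information combination: de-duplicated categories, sorted and joined by '|'."""
    return "|".join(sorted({cat for cat, _, _ in records}))

def analyze(records):
    """Analysis module: look up the knowledge class, then count quantised indicator hits."""
    knowledge = KNOWLEDGE_BASE.get(acceleration_string(records))
    hits = sum(any(i in obs for i in knowledge["indicators"]) for _, obs, _ in records) if knowledge else 0
    return knowledge if knowledge and hits >= knowledge["min_hits"] else None

def lookup_addresses(records):
    """Coding and search submodules (claims 9, 20): code info -> address text -> data address."""
    coded = {f"{cat}:{obs}": f"{addr:#010x}" for cat, obs, addr in records}
    return sorted({int(text, 16) for text in coded.values()})

def extract(image, addr, length=SIG_LEN):
    """Extraction submodule (claim 9): the binary file code stored at the data address."""
    return image[addr:addr + length]

def optimize(feats, name):
    """Claim 11, simplified: drop empty and overlapping windows before storing in the library."""
    out, last_end = [], -1
    for addr, code in feats:
        if addr < last_end or not code:
            continue
        out.append({"name": name, "offset": addr, "code": code.hex()})
        last_end = addr + len(code)
    return out

def generate_feature_codes(image, records):
    """Claim 10: feature code = extracted bytes plus their relative address in the file."""
    knowledge = analyze(records)
    if knowledge is None:  # not confirmed malicious: no feature code is produced
        return []
    feats = [(addr, extract(image, addr)) for addr in lookup_addresses(records)]
    return optimize(feats, knowledge["name"])
```

The two records at 0x20 collapse into one address, and the window at 0x26 is dropped because it overlaps the 8-byte window already taken at 0x20.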
CNB2006101136644A 2006-10-11 2006-10-11 Method and system for processing computer malicious code Active CN100485703C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2006101136644A CN100485703C (en) 2006-10-11 2006-10-11 Method and system for processing computer malicious code


Publications (2)

Publication Number Publication Date
CN101162485A true CN101162485A (en) 2008-04-16
CN100485703C CN100485703C (en) 2009-05-06

Family

ID=39297409


Country Status (1)

Country Link
CN (1) CN100485703C (en)


Also Published As

Publication number Publication date
CN100485703C (en) 2009-05-06


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: FORTINET INC.

Free format text: FORMER OWNER: FORTINET INFORMATION TECHNOLOGY (BEIJING) CO., LTD.

Effective date: 20091002

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20091002

Address after: California, USA

Patentee after: Fortinet, Inc.

Address before: Room 507, digital media building, No. 7 information road, Beijing, Haidian District

Patentee before: Fortinet,Inc.