CN101593249A - Suspicious file analyzing method and suspicious file analyzing system - Google Patents


Info

Publication number: CN101593249A
Authority: CN (China)
Prior art keywords: file, suspicious, virtual machine, module, log
Application number: CN 200810067552
Other languages: Chinese (zh)
Other versions: CN101593249B
Inventor: 张增现
Original assignee: 成都市华为赛门铁克科技有限公司
Application filed by 成都市华为赛门铁克科技有限公司
Priority to CN 200810067552; published as CN101593249A; application granted and published as CN101593249B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability

Abstract

An embodiment of the invention provides a suspicious file analysis method comprising the following steps: obtaining one or more suspicious files according to a pre-stored configuration file, the configuration file being information related to the suspicious files; selecting one of the suspicious files, transferring it to a virtual machine and running it; recording the behaviour characteristics of the suspicious file while it runs in the virtual machine and storing them in a log; and analysing the suspicious file according to the recorded log and outputting an analysis result. An embodiment of the invention also provides a suspicious file analysis system. Embodiments of the invention transfer one or more suspicious files to the virtual machine automatically, output the analysis result automatically by monitoring and analysing the behaviour characteristics of the suspicious file while it runs in the virtual machine, and so analyse suspicious files and output results without manual intervention, improving analysis efficiency and saving time and labour cost.

Description

Suspicious file analysis method and system

Technical Field

The present invention relates to the field of computer security technology, and in particular to a suspicious file analysis method and system.

Background Art

A virtual machine is a simulated computer, implemented by emulating the functions of a computer on a real machine. Virtual machine software can simulate one or more virtual computers (virtual machines) on a single physical computer (the host), and each virtual computer can run its own operating system without interfering with the others; that is, each virtual machine is an independent computer with its own operating system. A virtual machine uses the CPU, part of the disk space and the memory of the real system and works just like a real computer: for example, an operating system and applications can be installed in it, and it can access network resources.

Because the greatest advantages of virtual machines are convenience, speed and resource savings, they have become an essential tool for many individuals and enterprises, especially in the information security industry. Owing to the special nature of information security work, and in particular for departments that research or test malicious programs, a "clean" operating system is needed for the study of each malicious program, because malicious programs interfere with one another and may disrupt the operating system, thereby distorting the researcher's judgement of their behaviour. To obtain accurate results, researchers must use a "clean" operating system. If a researcher chose a real host system to study malicious programs, restoring (reinstalling) the system would take a long time and waste a great deal of time that a software company must save. Moreover, most of today's common malware runs normally inside a virtual machine, with no difference in the results compared with running on a real host operating system, so the researcher's judgement is not affected. For these reasons, information security software companies mostly choose a virtual machine environment when analysing and testing most malware.

In the course of implementing the present invention, the inventor found that the prior art has at least the following problem: using a virtual machine requires manual operation. Creating, restoring and deleting a Single Instance Storage (SIS), and starting, pausing, restarting and shutting down the virtual machine system, all require human involvement, so the analysis engineers and test engineers of an information security software company must operate the virtual machine by hand when analysing and testing malware. As a result, such companies spend a great deal of manpower and resources on this step.

Summary of the Invention

In view of the above, it is necessary to provide a suspicious file analysis method and system that can complete the analysis of suspicious files automatically and improve the efficiency of analysing and testing suspicious files.

An embodiment of the present invention provides a suspicious file analysis method, comprising:

obtaining one or more suspicious files according to a pre-stored configuration file, the configuration file being information related to the suspicious files;

selecting one of the suspicious files, transferring it to a virtual machine and running the selected suspicious file;

recording the behaviour characteristics of the suspicious file while it runs in the virtual machine and saving them as a log; and

analysing the suspicious file according to the recorded log and outputting an analysis result.

An embodiment of the present invention further provides a suspicious file analysis system, comprising:

a file acquisition module, for obtaining one or more suspicious files according to a pre-stored configuration file, the configuration file being information related to the suspicious files;

a virtual machine module, for running the transferred suspicious file, recording the behaviour characteristics of the suspicious file while it runs in the virtual machine and saving them as a log; and

an analysis module, for analysing the suspicious file according to the recorded log and outputting an analysis result.

In embodiments of the present invention the one or more suspicious files are transferred automatically to the virtual machine, the suspicious file is analysed and an analysis result is output, which improves analysis efficiency and saves time and labour cost.

Brief Description of the Drawings

In order to illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art could obtain other drawings from them without creative effort.

Fig. 1 is a schematic flowchart of a suspicious file analysis method according to an embodiment of the present invention; Fig. 2 is a schematic structural diagram of a suspicious file analysis system according to a first embodiment of the present invention; Fig. 3 is a schematic structural diagram of a suspicious file analysis system according to a second embodiment of the present invention.

Detailed Description

To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only intended to explain the present invention and not to limit it.

Referring to Fig. 1, which is a schematic flowchart of a suspicious file analysis method according to an embodiment of the present invention, the steps are as follows:

Step S10: read the configuration file. The configuration file is pre-stored information related to the suspicious files, such as the path of the suspicious files and the custom rules used for suspicious file analysis (including the steps or policy of the analysis). The configuration file can be modified according to actual needs, for example when the path at which the suspicious files are placed changes or the analysis steps or policy need to be adjusted.

Step S12: obtain one or more suspicious files according to the configuration file. Specifically, after the configuration file has been read, one or more suspicious files are fetched from the suspicious file path given in the configuration file. In a concrete implementation, the one or more suspicious files to be analysed may be placed in advance at the path location given in the configuration file.

Step S14: select a suspicious file, transfer it to a virtual machine and run it. The virtual machine is a simulation device that emulates the processor and memory of a real system and uses part of the real system's hard disk as its own disk; this embodiment is described with a virtual machine in its initial state as an example. Specifically, one suspicious file is selected from the obtained one or more suspicious files, either by traversal or at random, and the selected file is transferred to a virtual machine in its initial state and run. A virtual machine in its initial state is one that has just been created or initialised and has never been infected by any malicious program; in a concrete implementation, a virtual machine image of the initial state can be created. The virtual machine in its initial state may already be running, so that the suspicious file is run as soon as it has been transferred, or the virtual machine may be started after the file has been transferred and the file then run by it; the specific order of steps is decided by the custom analysis rules in the configuration file.

Step S16: record the behaviour characteristics of the suspicious file while it runs in the virtual machine and save them as a log. Specifically, the main behaviour characteristics of current malicious programs after they run are: modifying the registry (so that the program starts automatically at the next boot); copying itself to the system directory when it finds it is not already there (and then deleting itself to avoid arousing the user's suspicion); and also malicious behaviours such as installing system hooks to capture the user's keystrokes, collecting user information, exploiting system vulnerabilities and remote injection. The virtual machine module monitors the behaviour characteristics of the suspicious file while it runs in the virtual machine, records them as a log and saves the log in a logging module.

Step S18: analyse the suspicious file according to the recorded log and output an analysis result. Specifically, the analysis may follow custom rules, for example scoring the behaviour characteristics in the recorded log: points are assigned when a malicious program copies itself to the system directory, modifies a particular registry key, releases other files (derivatives) into the system directory and so on, and the analysis result is output according to the comparison of the score with a preset threshold. In this embodiment, when the score reaches the preset threshold the file is judged to be a malicious program, that is, the analysis result output is that the suspicious file is a malicious program file; if the score is zero or low, the analysis result output is respectively that the suspicious file is not a malicious program file or that it needs further confirmation by an engineer. Alternatively, the recorded log may be compared with the malicious program behaviour characteristics stored in a malicious program database module and the analysis result output according to the comparison. In this embodiment, if all the behaviour characteristics in the recorded log match the malicious program behaviour characteristics stored in the malicious program database module, the analysis result output is that the suspicious file is a malicious program file; if there is no match or only a partial match, the analysis result output is respectively that the suspicious file is not a malicious program file or that it needs further confirmation by an engineer. The specific analysis rules can be customised according to the user's needs, and may also be decided by the custom analysis rules in the configuration file.

Step S20: determine whether there are further suspicious files. Specifically, after the analysis result for the suspicious file has been output in step S18, determine whether there are other suspicious files that have not yet been transferred; if so, execute step S22; if not, end the suspicious file analysis.

Step S22: restore the virtual machine to its initial state. Specifically, the virtual machine is restored to its initial state by restoring the virtual machine image, and step S14 is executed to analyse another suspicious file.
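The following Python is an added illustration of steps S16 to S22, not code from the patent or its assignee. It classifies a constructed behaviour log into the behaviour characteristics named above, applies the scoring rule with a preset threshold and the malicious-program-database comparison to produce the three possible results, and runs a batch loop that restores the initial-state image only while another untransferred file remains. The log format, rule weights, threshold and the `run_in_vm`/`restore_vm` callbacks are all assumptions.

```python
"""Added example (not the patent's own code): scoring and database comparison of a
behaviour log recorded while a suspicious file runs in a clean virtual machine."""

# Hypothetical log format: "<time> <EVENT> <detail>", one line per monitored action.
# Paths, event names and rule weights are constructed for this example.
SYSTEM_DIR = r"c:\windows\system32"
AUTORUN_KEY = r"\currentversion\run"

# Custom scoring rules, standing in for the rules held in the configuration file.
SCORE_RULES = {
    "copy_to_system_dir": 40,    # sample copied itself into the system directory
    "registry_autorun": 30,      # registry change that starts the sample at next boot
    "drop_file_system_dir": 20,  # released a driver or other file (derivative) there
    "install_hook": 30,          # installed a system hook (e.g. to capture keystrokes)
    "ssdt_hook": 40,             # intercepted APIs through the SSDT
    "delete_self": 10,           # removed its own file after copying itself
}
MALICIOUS_THRESHOLD = 60  # assumed preset threshold

# Behaviour characteristics held by the malicious program database module.
KNOWN_MALWARE_BEHAVIOURS = set(SCORE_RULES) | {"attach_driver"}


def classify(line, sample_path):
    """Map one log line to a behaviour name, or None if it is not a scored behaviour."""
    parts = line.strip().split(" ", 2)
    if len(parts) < 3:
        return None
    _, event, detail = parts
    detail, sample = detail.lower(), sample_path.lower()
    if event == "FILE_COPY" and "->" in detail:
        src, dst = (p.strip() for p in detail.split("->", 1))
        if dst.startswith(SYSTEM_DIR):
            return "copy_to_system_dir" if src == sample else "drop_file_system_dir"
    elif event == "FILE_WRITE" and detail.startswith(SYSTEM_DIR):
        return "drop_file_system_dir"
    elif event == "REG_SET" and AUTORUN_KEY in detail:
        return "registry_autorun"
    elif event == "FILE_DELETE" and detail == sample:
        return "delete_self"
    elif event == "HOOK":
        return "ssdt_hook" if detail.startswith("ssdt") else "install_hook"
    return None


def behaviours_from_log(lines, sample_path):
    """Distinct behaviour characteristics found in the log, in first-seen order."""
    found = []
    for line in lines:
        name = classify(line, sample_path)
        if name and name not in found:
            found.append(name)
    return found


def score_verdict(behaviours, rules=SCORE_RULES, threshold=MALICIOUS_THRESHOLD):
    """Scoring rule: score >= threshold -> malicious; 0 -> non-malicious; else engineer review."""
    score = sum(rules.get(b, 0) for b in behaviours)
    if score >= threshold:
        return score, "malicious"
    if score == 0:
        return score, "non-malicious"
    return score, "needs engineer review"


def database_verdict(behaviours, known=KNOWN_MALWARE_BEHAVIOURS):
    """Database rule: all logged behaviours known -> malicious; none -> non-malicious; some -> review."""
    matched = [b for b in behaviours if b in known]
    if behaviours and len(matched) == len(behaviours):
        return "malicious"
    return "needs engineer review" if matched else "non-malicious"


def analyze(sample_path, log_lines):
    """Step S18 for one sample: both rule outputs for its recorded log."""
    behaviours = behaviours_from_log(log_lines, sample_path)
    score, by_score = score_verdict(behaviours)
    return {"behaviours": behaviours, "score": score,
            "score_verdict": by_score, "database_verdict": database_verdict(behaviours)}


def analyze_batch(sample_paths, run_in_vm, restore_vm):
    """Steps S14-S22: run each sample in the clean VM, analyse its log, and restore the
    initial-state image only while another untransferred sample remains (S20/S22).
    run_in_vm(path) -> log lines and restore_vm() are hypothetical VM callbacks."""
    results = {}
    for i, path in enumerate(sample_paths):
        results[path] = analyze(path, run_in_vm(path))
        if i < len(sample_paths) - 1:
            restore_vm()
    return results


# Constructed sample logs (not captured from real programs).
SAMPLE_PATH = r"c:\users\test\desktop\sample.exe"
SAMPLE_LOG = [
    r"10:00:02 FILE_COPY c:\users\test\desktop\sample.exe -> c:\windows\system32\svchost32.exe",
    r"10:00:02 REG_SET hklm\software\microsoft\windows\currentversion\run\svchost32",
    r"10:00:03 FILE_WRITE c:\windows\system32\drivers\kbdflt.sys",
    r"10:00:03 HOOK ssdt NtCreateFile",
    r"10:00:04 FILE_DELETE c:\users\test\desktop\sample.exe",
]
BENIGN_PATH = r"c:\users\test\desktop\notes.exe"
BENIGN_LOG = [r"10:05:01 FILE_WRITE c:\users\test\documents\notes.txt"]

if __name__ == "__main__":
    logs = {SAMPLE_PATH: SAMPLE_LOG, BENIGN_PATH: BENIGN_LOG}
    for path, result in analyze_batch(list(logs), logs.__getitem__, lambda: None).items():
        print(path, result)
```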

In embodiments of the present invention the one or more suspicious files are transferred automatically to the virtual machine, and by

analysing suspicious files in batches, analysis efficiency is improved and time and labour cost are saved.

Referring to Fig. 2, which is a schematic structural diagram of a suspicious file analysis system according to a first embodiment of the present invention, the suspicious file analysis system comprises a configuration file module 50, a file acquisition module 52, a virtual machine module 60, an analysis module 54, a malicious program database module 56 and a determination module 58.

The configuration file module 50 stores the configuration file, which is information related to the suspicious files, such as the path of the suspicious files and the custom rules used for suspicious file analysis (including the steps or policy of the analysis).

The file acquisition module 52 reads the configuration file from the configuration file module 50, obtains one or more suspicious files according to the configuration file, selects one suspicious file and transfers it to the virtual machine in the virtual machine module 60, which runs the selected file. Specifically, the file acquisition module 52 fetches the pre-placed suspicious files from the suspicious file path given in the configuration file, selects one suspicious file from the obtained one or more suspicious files either by traversal or at random, and transfers the selected file to a virtual machine in its initial state in the virtual machine module 60 to be run.

The virtual machine module 60 runs the transferred suspicious file, records the behaviour characteristics of the suspicious file while it runs in the virtual machine and saves them as a log. The main behaviour characteristics of current malicious programs after they run are: modifying the registry (so that the program starts automatically at the next boot); copying itself to the system directory when it finds it is not already there (and then deleting itself to avoid arousing the user's suspicion); and also installing system hooks to capture the user's keystrokes, collecting user information, exploiting system vulnerabilities, remote injection and so on. The virtual machine module monitors the behaviour characteristics of the suspicious file while it runs in the virtual machine and saves them as a log.

The malicious program database module 56 stores the run-time behaviour characteristics of known malicious programs, such as modifying the registry, copying itself to the system directory, installing system hooks, releasing drivers or other files (derivatives) into the system directory, intercepting APIs (the SSDT chain), attaching to driver files (network or keyboard drivers) and so on.

The analysis module 54 analyses the suspicious file according to the recorded log and outputs an analysis result. Specifically, the analysis may follow custom rules, for example scoring the behaviour characteristics in the recorded log: points are assigned when a malicious program copies itself to the system directory, modifies a particular registry key, releases drivers or other files (derivatives) into the system directory, intercepts APIs (the SSDT chain), attaches to driver files (network or keyboard drivers) and so on. When the score reaches the preset threshold the file is judged to be a malicious program, that is, the analysis result output is that the suspicious file is a malicious program file; if the score is zero or low, the analysis result output is respectively that the suspicious file is not a malicious program file or that it needs further confirmation by an engineer. Alternatively, the recorded log may be compared with the malicious program behaviour characteristics stored in the malicious program database module 56: if all the behaviour characteristics in the recorded log match the malicious program behaviour characteristics stored in the malicious program database module, the analysis result output is that the suspicious file is a malicious program file; if there is no match or only a partial match, the analysis result output is respectively that the suspicious file is not a malicious program file or that it needs further confirmation by an engineer. The specific analysis rules can be customised according to the user's needs, and may also be decided by the custom analysis rules in the configuration file.

The determination module 58 determines whether there are further suspicious files. Specifically, after the analysis module 54 has output the analysis result for the suspicious file, the determination module 58 determines whether the file acquisition module 52 still holds suspicious files that have not been transferred; if so, it notifies the virtual machine module 60 to restore the virtual machine to its initial state and notifies the file acquisition module 52 to transfer the next suspicious file to the virtual machine; if not, the suspicious file analysis ends. The determination module 58 is provided separately in this embodiment, but in a concrete implementation it may also be integrated with the file acquisition module 52.

In embodiments of the present invention the configuration file may be pre-stored in the file acquisition module 52, so that a separate configuration file module 50 is not required.

In embodiments of the present invention the file acquisition module 52 transfers the one or more suspicious files automatically to the virtual machine module 60, and the analysis module 54 outputs the analysis result automatically by monitoring and analysing the behaviour characteristics of the suspicious file while it runs in the virtual machine, which improves analysis efficiency and saves time and labour cost.

Referring to Fig. 3, which is a schematic structural diagram of a suspicious file analysis system according to a second embodiment of the present invention, the difference from the first embodiment is that the virtual machine module 60 is further refined. The virtual machine module 60 comprises a virtual machine 62, a monitoring module 64, a logging module 66 and a virtual machine restoration module 68.

The virtual machine 62 runs the suspicious file after receiving it from the file acquisition module 52. Specifically, the virtual machine 62 is a simulation device that emulates the processor and memory of a real system and uses part of the real system's hard disk as its own disk, so that the suspicious file runs as it would on a real system.

The monitoring module 64 monitors the behaviour characteristics of the suspicious file while it runs in the virtual machine 62.

The logging module 66 records the behaviour characteristics, monitored by the monitoring module 64, of the suspicious file while it runs in the virtual machine and saves them as a log.

The virtual machine restoration module 68 restores the virtual machine 62 to its initial state after the determination module 58 has determined that the file acquisition module 52 still holds suspicious files that have not been transferred.

In a concrete implementation the virtual machine module 60 may have other combinations of modules; for example, the functions of the monitoring module 64 and the logging module 66 may be combined so that a single module both monitors and records the behaviour characteristics. The embodiments of the present invention are only given as examples to explain the present invention and are not intended to limit it.

can be completed by a program that instructs the relevant hardware; the program may be stored in a computer-readable storage medium, the storage medium being a ROM/RAM, a magnetic disk, an optical disc or the like.

The above are only preferred specific embodiments of the present invention, but the scope of protection of the present invention is not limited to them; any variation or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Accordingly, the scope of protection of the present invention shall be that defined by the claims.

Claims (15)

1. A suspicious file analysis method, comprising: obtaining one or more suspicious files according to a pre-stored configuration file, the configuration file being information related to the suspicious files; selecting one of the suspicious files, transferring it to a virtual machine and running the selected suspicious file; recording the behaviour characteristics of the suspicious file while it runs in the virtual machine and saving them as a log; and analysing the suspicious file according to the recorded log and outputting an analysis result.
2. The method of claim 1, wherein the configuration file includes the path of the suspicious files, and obtaining one or more suspicious files according to the pre-stored configuration file specifically comprises fetching one or more pre-placed suspicious files from the path of the suspicious files.
3. The method of claim 1, wherein after the step of analysing the suspicious file according to the recorded log and outputting an analysis result, the method further comprises the step of determining whether there are further suspicious files and, if so, restoring the virtual machine to its initial state.
4. The method of claim 3, wherein after the step of restoring the virtual machine to its initial state, the step of selecting one of the suspicious files, transferring it to the virtual machine and running the selected suspicious file is executed.
5. The method of claim 1, wherein the step of analysing the suspicious file according to the recorded log and outputting an analysis result comprises: scoring the behaviour characteristics in the recorded log
6. The method of claim 5, wherein when the score reaches a preset threshold the file is judged to be a malicious program, that is, the analysis result output is that the suspicious file is a malicious program file; and if the score is zero or low, the analysis result output is respectively that the suspicious file is not a malicious program file or that it needs further confirmation by an engineer.
7. The method of claim 1, wherein the step of analysing the suspicious file according to the recorded log and outputting an analysis result comprises: comparing the recorded log with the malicious program behaviour characteristics stored in a malicious program database module and outputting the analysis result according to the comparison.
8. The method of claim 7, wherein if all the behaviour characteristics in the recorded log match the malicious program behaviour characteristics stored in the malicious program database module, the analysis result output is that the suspicious file is a malicious program file; and if there is no match or only a partial match, the analysis result output is respectively that the suspicious file is not a malicious program file or that it needs further confirmation by an engineer.
9. A suspicious file analysis system, comprising: a file acquisition module, for obtaining one or more suspicious files according to a pre-stored configuration file, the configuration file being information related to the suspicious files; a virtual machine module, for running the transferred suspicious file, recording the behaviour characteristics of the suspicious file while it runs in the virtual machine and saving them as a log; and an analysis module, for analysing the suspicious file according to the recorded log and outputting an analysis result.
10. The system of claim 9, further comprising a configuration file module for storing the configuration file, the file acquisition module reading the configuration file from the configuration file module.
11. The system of claim 9, wherein the virtual machine module comprises: a virtual machine, for running the suspicious file after receiving it from the file acquisition module; and a logging module, for recording the behaviour characteristics, monitored by the monitoring module, of the suspicious file while it runs in the virtual machine and saving them as a log.
12、 如权利要求11所述的系统,其特征在于:还包括判断模块,用于判断所述文件获取模块是否还有其他未传送的可疑文件,若判断为是,则通知所述虚拟机模块将所述虚拟机恢复到初始状态,并通知所述文件获取模块传送下一可疑文件到所述虚拟机。 12. The system as claimed in claim 11, characterized in further comprising: determining means for determining whether the file acquisition module other suspicious files are not transmitted, if the determination is YES, the module notifies the virtual machine the virtual machine restored to the original state, and notifies the file acquisition module transmits the next suspicious files to the virtual machine.
13、 如权利要求12所述的系统,其特征在于:所述虚拟机模块还包括虚拟机恢复模块,用于在所述判断模块判断所述文件获取模块还有未传送的可疑文件后,将所述虚拟机恢复到初始状态。 13. The system as claimed in claim 12, wherein: said module further comprises a virtual machine VM recovery module, configured to, after the determination means determines the file acquisition module also suspicious files are not transferred, the the virtual machine restored to the initial state.
14、 如权利要求9所述的系统,其特征在于:所述分析模块对所述记录的日志中的行为特征进行打分,根据分值与预先设定的阈值的比较结果输出分析结果。 14. The system of claim 9, wherein: the analysis module of the behavior characteristics of the log record to rate the analysis result based on the output comparison result value with the threshold value set in advance.
15、 如权利要求9所述的系统,其特征在于:还包括恶意程序数据库模块,用于存储现有的恶意程序运行时的行为特征,所述分析模块将所述记录的日志与所述恶意程序数据库模块中存储的恶意程序行为特征进行比较,根据比较结果输出分析结果。 15. The system as claimed in claim 9, characterized in that: the malicious program database further comprising means for storing characteristic behavior of an existing malicious program is running, the analysis module to the log record of the malicious malicious behavior characteristic database program stored in the module by comparing the analysis result according to the comparison output.
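As an added illustration (not code from the patent or its assignee), the analysis module of claims 8, 14 and 15 and the run-then-restore loop of claims 12 and 13 in Python: the behavior feature names, their weights, the threshold of 5, the sample logs and the routing of an empty log to engineer review are all constructed assumptions, and the virtual machine is stood in for by a lookup of pre-built logs.

```python
from enum import Enum

class Verdict(Enum):
    MALICIOUS = "malicious program file"
    BENIGN = "non-malicious program file"
    NEEDS_REVIEW = "needs further confirmation by an engineer"

# Constructed stand-in for the malicious-program database module (claim 15):
# known malicious behaviour feature -> weight used by the scoring of claim 14.
KNOWN_MALICIOUS_BEHAVIOURS = {
    "registry.run_key.write": 3,
    "process.inject.remote_thread": 5,
    "file.write.system32": 4,
    "network.connect.unknown_host": 2,
}

def score_log(log, db=KNOWN_MALICIOUS_BEHAVIOURS):
    """Claim 14: score the logged behaviours (sum of known-malicious weights)."""
    return sum(db.get(feature, 0) for feature in log)

def verdict_by_threshold(log, threshold=5, db=KNOWN_MALICIOUS_BEHAVIOURS):
    """Claim 14: verdict from comparing the score with a preset threshold."""
    return Verdict.MALICIOUS if score_log(log, db) >= threshold else Verdict.BENIGN

def verdict_by_database(log, db=KNOWN_MALICIOUS_BEHAVIOURS):
    """Claim 8: every logged feature known malicious -> malicious; none -> benign;
    partial match -> engineer review. An empty log (nothing observed) also goes
    to review; that choice is an assumption, not something the claims state."""
    matched = [f for f in log if f in db]
    if not log or (matched and len(matched) < len(log)):
        return Verdict.NEEDS_REVIEW
    return Verdict.MALICIOUS if matched else Verdict.BENIGN

def analyse_batch(suspicious_files, run_in_vm, restore_vm):
    """Claims 9, 12, 13: run each file in the VM, log its behaviour, analyse the
    log, then restore the VM to its initial state before the next file."""
    results = {}
    for path in suspicious_files:
        log = run_in_vm(path)          # what the logging module would record
        results[path] = (verdict_by_database(log), verdict_by_threshold(log))
        restore_vm()                   # virtual machine recovery module
    return results

# Constructed behaviour logs standing in for a real VM run of each file.
SAMPLE_LOGS = {
    "dropper.exe": ["registry.run_key.write", "process.inject.remote_thread"],
    "installer.msi": ["file.read.userdocs", "ui.show_dialog"],
    "updater.exe": ["network.connect.unknown_host", "file.read.userdocs"],
}
```

Calling `analyse_batch(SAMPLE_LOGS, SAMPLE_LOGS.__getitem__, restore_vm)` runs the loop over the three constructed files, and the two verdicts per file show where the database comparison of claim 8 and the threshold of claim 14 disagree (a partial match with a low score).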
CN 200810067552 2008-05-30 2008-05-30 Suspicious file analyzing method and suspicious file analyzing system CN101593249B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200810067552 CN101593249B (en) 2008-05-30 2008-05-30 Suspicious file analyzing method and suspicious file analyzing system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN 200810067552 CN101593249B (en) 2008-05-30 2008-05-30 Suspicious file analyzing method and suspicious file analyzing system
PCT/CN2009/071759 WO2009143742A1 (en) 2008-05-30 2009-05-12 Analysis method and system for suspicious file

Publications (2)

Publication Number Publication Date
CN101593249A true CN101593249A (en) 2009-12-02
CN101593249B CN101593249B (en) 2011-08-03

Family

ID=41376597

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200810067552 CN101593249B (en) 2008-05-30 2008-05-30 Suspicious file analyzing method and suspicious file analyzing system

Country Status (2)

Country Link
CN (1) CN101593249B (en)
WO (1) WO2009143742A1 (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102754073A (en) * 2010-02-05 2012-10-24 微软公司 Extension point declarative registration for virtualization
CN102957667A (en) * 2011-08-23 2013-03-06 潘燕辉 Method for intelligently replacing files on basis of cloud computation
CN103106364A (en) * 2011-11-15 2013-05-15 株式会社日立制作所 Program analyzing system and method
CN103150506A (en) * 2013-02-17 2013-06-12 北京奇虎科技有限公司 Method and device for detecting rogue program
CN103839003A (en) * 2012-11-22 2014-06-04 腾讯科技(深圳)有限公司 Malicious file detection method and device
CN103902886A (en) * 2014-03-04 2014-07-02 珠海市君天电子科技有限公司 Method and device for detecting third-party application
CN103905417A (en) * 2013-11-12 2014-07-02 国家计算机网络与信息安全管理中心 Device and method for authentication of network device files
CN104504331A (en) * 2014-12-19 2015-04-08 北京奇虎科技有限公司 Virtualization security detection method and system
CN105809035A (en) * 2016-03-07 2016-07-27 南京邮电大学 Android application real-time behavior based malicious software detection method and system
CN106228067A (en) * 2016-07-15 2016-12-14 江苏博智软件科技有限公司 Malicious code dynamic testing method and device
CN106572122A (en) * 2016-12-09 2017-04-19 哈尔滨安天科技股份有限公司 Host security evaluation method and system based on network behavior feature correlation analysis
CN107004089A (en) * 2014-08-11 2017-08-01 森蒂内尔实验室以色列有限公司 Malware detection method and its system
CN108038375A (en) * 2017-12-21 2018-05-15 北京星河星云信息技术有限公司 A kind of malicious file detection method and device

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105978911B (en) * 2016-07-15 2019-05-21 江苏博智软件科技有限公司 Malicious code detecting method and device based on virtual execution technology

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1707383A (en) 2004-06-10 2005-12-14 陈朝晖 Method for analysing and blocking computer virus through process and system trace
US7908653B2 (en) * 2004-06-29 2011-03-15 Intel Corporation Method of improving computer security through sandboxing
CN100547513C (en) 2005-02-07 2009-10-07 福建东方微点信息安全有限责任公司 Computer protecting method based on programm behaviour analysis
CN100374972C (en) 2005-08-03 2008-03-12 珠海金山软件股份有限公司 System and method for detecting and defending computer worm
CN100595778C (en) * 2007-07-16 2010-03-24 珠海金山软件股份有限公司 Method and apparatus for identifying virus document
CN101154258A (en) * 2007-08-14 2008-04-02 电子科技大学 Automatic analyzing system and method for dynamic action of malicious program

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9262187B2 (en) 2010-02-05 2016-02-16 Microsoft Technology Licensing, Llc Extension point declarative registration for virtualization
CN102754073A (en) * 2010-02-05 2012-10-24 微软公司 Extension point declarative registration for virtualization
US10331466B2 (en) 2010-02-05 2019-06-25 Microsoft Technology Licensing, Llc Extension point declarative registration for virtualization
CN102957667A (en) * 2011-08-23 2013-03-06 潘燕辉 Method for intelligently replacing files on basis of cloud computation
CN103106364A (en) * 2011-11-15 2013-05-15 株式会社日立制作所 Program analyzing system and method
CN103839003A (en) * 2012-11-22 2014-06-04 腾讯科技(深圳)有限公司 Malicious file detection method and device
CN103839003B (en) * 2012-11-22 2018-01-30 腾讯科技(深圳)有限公司 Malicious file detection method and device
CN103150506A (en) * 2013-02-17 2013-06-12 北京奇虎科技有限公司 Method and device for detecting rogue program
CN103150506B (en) * 2013-02-17 2016-03-30 北京奇虎科技有限公司 The method and apparatus that a kind of rogue program detects
CN103905417A (en) * 2013-11-12 2014-07-02 国家计算机网络与信息安全管理中心 Device and method for authentication of network device files
CN103902886A (en) * 2014-03-04 2014-07-02 珠海市君天电子科技有限公司 Method and device for detecting third-party application
CN107004089A (en) * 2014-08-11 2017-08-01 森蒂内尔实验室以色列有限公司 Malware detection method and its system
CN104504331B (en) * 2014-12-19 2017-12-08 北京奇安信科技有限公司 Virtualize safety detection method and system
CN104504331A (en) * 2014-12-19 2015-04-08 北京奇虎科技有限公司 Virtualization security detection method and system
CN105809035A (en) * 2016-03-07 2016-07-27 南京邮电大学 Android application real-time behavior based malicious software detection method and system
CN105809035B (en) * 2016-03-07 2018-11-09 南京邮电大学 The malware detection method and system of real-time behavior is applied based on Android
CN106228067A (en) * 2016-07-15 2016-12-14 江苏博智软件科技有限公司 Malicious code dynamic testing method and device
CN106572122A (en) * 2016-12-09 2017-04-19 哈尔滨安天科技股份有限公司 Host security evaluation method and system based on network behavior feature correlation analysis
CN108038375A (en) * 2017-12-21 2018-05-15 北京星河星云信息技术有限公司 A kind of malicious file detection method and device

Also Published As

Publication number Publication date
WO2009143742A1 (en) 2009-12-03
CN101593249B (en) 2011-08-03

Similar Documents

Publication Publication Date Title
Yin et al. Panorama: capturing system-wide information flow for malware detection and analysis
Scaife et al. Cryptolock (and drop it): stopping ransomware attacks on user data
US7540027B2 (en) Method/system to speed up antivirus scans using a journal file system
US9996693B2 (en) Automated malware signature generation
US7058975B2 (en) Method and system for delayed write scanning for detecting computer malwares
US8171547B2 (en) Method and system for real time classification of events in computer integrity system
US8555385B1 (en) Techniques for behavior based malware analysis
US8782792B1 (en) Systems and methods for detecting malware on mobile platforms
US9230100B2 (en) Securing anti-virus software with virtualization
US8839434B2 (en) Multi-nodal malware analysis
CN101137963B (en) Systems and methods for verifying trust of executable files
JP4936294B2 (en) Method and apparatus for dealing with malware
US7437764B1 (en) Vulnerability assessment of disk images
JPWO2010100769A1 (en) Security management apparatus and method, and program
US8635694B2 (en) Systems and methods for malware classification
US7257842B2 (en) Pre-approval of computer files during a malware detection
ES2685662T3 (en) Malignant anti-software systems and methods for imprecise white list inclusion
US20110047618A1 (en) Method, System, and Computer Program Product for Malware Detection, Analysis, and Response
CN100374972C (en) System and method for detecting and defending computer worm
US20040181677A1 (en) Method for detecting malicious scripts using static analysis
JP2009522676A (en) Method, system, and computer-readable medium for sharing files between different virtual machine images
US8898775B2 (en) Method and apparatus for detecting the malicious behavior of computer program
US20080127355A1 (en) Isolation Environment-Based Information Access
US8161556B2 (en) Context-aware real-time computer-protection systems and methods
US8069372B2 (en) Simulated computer system for monitoring of software performance

Legal Events

Date Code Title Description
C06 Publication
C10 Request of examination as to substance
C14 Granted
C56 Change in the name or address of the patentee

Owner name: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD.

Free format text: FORMER NAME: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD.