CN101593249B - Suspicious file analyzing method and suspicious file analyzing system - Google Patents
Suspicious file analyzing method and suspicious file analyzing system
- Publication number
- CN101593249B (application CN200810067552A)
- Authority
- CN
- China
- Prior art keywords
- suspicious file
- virtual machine
- module
- file
- record
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/51—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
Abstract
An embodiment of the invention provides a suspicious file analysis method comprising the following steps: obtaining one or more suspicious files according to a pre-stored configuration file, the configuration file being information related to the suspicious files; selecting one of the suspicious files, transmitting the selected suspicious file to a virtual machine and running it; recording the behavioural characteristics of the suspicious file while it runs in the virtual machine and saving them as a log; and analysing the suspicious file according to the recorded log and outputting an analysis result. An embodiment of the invention also provides a suspicious file analysis system. The embodiment automatically transmits one or more suspicious files to the virtual machine and, by monitoring and analysing the behavioural characteristics of each suspicious file as it runs in the virtual machine, automatically outputs an analysis result, so that suspicious files can be analysed and results output without manual intervention, which improves analysis efficiency and saves time and labour cost.
Description
Technical field
The present invention relates to the field of computer security technology, and in particular to a suspicious file analysis method and system.
Background technology
A virtual machine (Virtual Machine) is an imaginary computer realized by simulating the various functions of a computer in software on a real computer. Virtual machine software can simulate one or more virtual computers (virtual machines) on a single physical computer (the host), and each virtual machine can run its own independent operating system without interfering with the others; in other words, a virtual machine is an independent computer with its own operating system. A virtual machine uses the CPU, part of the disk space and the memory of the real system, and works just like a real computer: an operating system can be installed in it, applications can be installed, network resources can be accessed, and so on.
Because the greatest advantages of virtual machines are convenience, speed and resource saving, they have become an indispensable tool for many individuals and enterprises, especially in the information security industry. The nature of information security work, and in particular of departments that study or test malicious programs, is such that every malicious program studied requires a "clean" operating system: malicious programs interfere with one another and may leave the operating system in a disordered state, which disturbs the researcher's judgement of a program's behaviour. To obtain accurate results the researcher must therefore use a "clean" operating system. If the researcher uses a real host system to study malicious programs, restoring (reinstalling) the system takes a long time and a great deal of time is wasted, time that software companies need to save. Moreover, most currently popular malware runs normally in a virtual machine, with no difference from its behaviour on a real host operating system, so the researcher's judgement is not affected. For these reasons, information security software companies have mostly chosen virtual machine environments for analysing and testing most malware (Malware).
In the course of realizing the present invention, the inventor found that the prior art has at least the following problems: using a virtual machine requires manual operation. Creating, restoring and deleting Single Instance Storage (SIS) objects, and starting, suspending, restarting and shutting down the virtual machine system, all require human participation, so the analysis engineers and test engineers of an information security software company must operate the virtual machine by hand to get their work done when analysing and testing malware. Information security software companies therefore spend a great deal of manpower and material resources on this step.
Summary of the invention
In view of the above, it is necessary to provide a suspicious file analysis method and system that can complete the analysis of suspicious files automatically and improve the efficiency of analysing and testing suspicious files.
An embodiment of the present invention provides a suspicious file analysis method comprising:
Reading a configuration file, the configuration file being information related to the suspicious files;
Obtaining one or more suspicious files according to the configuration file;
Selecting one of the suspicious files, transmitting it to a virtual machine and running the selected suspicious file;
Recording the behavioural characteristics of the suspicious file while it runs in the virtual machine and saving them as a log;
Analysing the suspicious file according to the recorded log and outputting an analysis result;
Determining whether there are further suspicious files and, if so, restoring the virtual machine to its original state.
An embodiment of the present invention also provides a suspicious file analysis system comprising:
A configuration file module, used to store the configuration file, the configuration file being information related to the suspicious files;
A file acquisition module, used to obtain one or more suspicious files from the configuration file module, the configuration file being information related to the suspicious files;
A virtual machine module, used to run the transmitted suspicious file, and to record the behavioural characteristics of the suspicious file while it runs in the virtual machine and save them as a log;
An analysis module, used to analyse the suspicious file according to the recorded log and output an analysis result;
A judgement module, used to determine whether the file acquisition module still has other suspicious files that have not been transmitted and, if so, to notify the virtual machine module to restore the virtual machine to its original state and notify the file acquisition module to transmit the next suspicious file to the virtual machine.
The embodiment of the invention automatically transmits the one or more suspicious files to the virtual machine and, by monitoring and analysing the behavioural characteristics of each suspicious file as it runs in the virtual machine, automatically outputs an analysis result, so that suspicious files can be analysed and results output automatically, improving analysis efficiency and saving time and labour cost.
Description of drawings
To explain the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of the suspicious file analysis method of an embodiment of the invention;
Fig. 2 is a schematic structural diagram of the suspicious file analysis system of embodiment one of the invention;
Fig. 3 is a schematic structural diagram of the suspicious file analysis system of embodiment two of the invention.
Embodiment
To make the purpose, technical solution and advantages of the present invention clearer, the invention is further explained below with reference to the drawings and embodiments. It should be understood that the embodiments described here serve only to explain the present invention and are not intended to limit it.
Please refer to Fig. 1, a schematic flow chart of the suspicious file analysis method of an embodiment of the invention. Its steps are specifically as follows:
Step 10: read the configuration file. The configuration file is pre-stored information related to the suspicious files, such as the path of the suspicious files and the user-defined rule information used to analyse them (including the steps or strategy of the suspicious file analysis). The configuration file can be modified according to actual needs, for example when the path where the suspicious files are actually placed changes, or when the steps or strategy of the analysis need to be adjusted.
Step 12: obtain one or more suspicious files according to the configuration file. Specifically, after the configuration file has been read, one or more suspicious files are obtained from the path of the suspicious files according to the relevant information in the configuration file, such as that path. In a specific implementation, the one or more suspicious files to be analysed can be placed in advance at the path given in the configuration file.
Step 14: select one suspicious file, transmit it to the virtual machine and run the selected suspicious file. The virtual machine is a simulation device that can simulate the processor and memory of a real system and model part of the real system's hard disk as its own hard disk; the embodiment of the invention is described using a virtual machine in its original state as an example. Specifically, one suspicious file is chosen from the one or more obtained suspicious files by traversal or at random, and the chosen file is transmitted to and run in a virtual machine that is in its original state. A virtual machine in its original state is one that has just been created or initialized and has not been infected by any malicious program; in a specific implementation, a virtual machine image of the original state can be created. The virtual machine in its original state may be started in advance, so that the suspicious file is run as soon as it has been transmitted, or the virtual machine may be started only after the suspicious file has been transmitted and the file run afterwards; the exact order of the steps is determined by the user-defined analysis rules in the configuration file.
Step 16: record the behavioural characteristics of the suspicious file while it runs in the virtual machine and save them as a log. Specifically, the main behavioural characteristics of current malicious programs after they run are: modifying the registry (so that the program starts itself automatically at the next boot); copying itself to the system directory if it finds it is not already there (and possibly deleting itself afterwards to avoid the user's suspicion); and installing system hooks, exploiting system vulnerabilities or using remote injection in order to capture the user's keystrokes and collect user information. The virtual machine module monitors the behavioural characteristics of the suspicious file while it runs in the virtual machine, records them as a log and keeps the log in the log module.
Step 18: analyse the suspicious file according to the recorded log and output an analysis result. Specifically, the analysis can follow user-defined rules, for example by scoring the behavioural characteristics in the recorded log: a malicious program copying itself to the system directory, modifying a particular registry key, dropping other files (derivatives) into the system directory and so on are each given a score, and the analysis result is output according to the comparison of the total score with a preset threshold. In the present embodiment, when the score reaches the preset threshold the file is judged to be a malicious program, i.e. an analysis result is output stating that the suspicious file is a malicious program file; if the score is zero, or the score is low, the analysis result output is respectively that the suspicious file is not a malicious program file, or that an engineer needs to confirm it further. Alternatively, the recorded log can be compared with the malicious program behavioural characteristics stored in a malicious program database module and the analysis result output according to the comparison. In the present embodiment, if the behavioural characteristics in the recorded log all match malicious program behavioural characteristics stored in the malicious program database module, an analysis result is output stating that the suspicious file is a malicious program file; if none match, or only some match, the result output is respectively that the suspicious file is not a malicious program file, or that an engineer needs to confirm it further. The specific analysis rules can be customized according to the user's needs, and can also be determined by the user-defined analysis rules in the configuration file.
Step 20: determine whether there are further suspicious files. Specifically, after step 18 has output the analysis result for the suspicious file, determine whether there are other suspicious files that have not yet been transmitted; if so, execute step 22; if not, end the suspicious file analysis.
Step 22: restore the virtual machine to its original state. Specifically, the virtual machine is returned to its original state by restoring the virtual machine image, and step 14 is then executed to analyse another suspicious file.
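The loop of Steps 10 to 22, together with the two decision rules of the analysis module (a weighted score compared with a preset threshold, and a comparison of the log with a database of known malicious behaviours), can be modelled in a few dozen lines. The following is an added example written for this page, not code from the patent or its applicant. The hypervisor is replaced by an in-memory `ModelVM` stand-in that returns a constructed log per file and enforces the restore-before-next-file rule; the weights, threshold, event names and log lines are all assumptions chosen for illustration, since the patent leaves them to the user-defined rules in the configuration file.

```python
"""Added example, not the patent's code: in-memory model of the Steps 10-22
analysis loop and of the analysis module's two decision rules. Rules, weights,
event names and log lines are constructed assumptions."""
import json
import os
import tempfile

# Constructed user-defined rule information (weights and threshold are assumed;
# the patent leaves them to the configuration file).
DEFAULT_RULES = {
    "weights": {"modify_registry_autorun": 3, "copy_self_to_system_dir": 3,
                "drop_file_to_system_dir": 2, "install_system_hook": 2,
                "hook_api_ssdt": 4, "attach_driver": 3},
    "threshold": 6,
}
# Stand-in for the virus database module: behaviours the description lists
# for known malicious programs.
KNOWN_MALICIOUS_FEATURES = {
    "modify_registry_autorun", "copy_self_to_system_dir",
    "drop_file_to_system_dir", "install_system_hook", "hook_api_ssdt",
}
# Assumed log format written by the monitor module: "<EVENT> <argument>".
# Events without a mapping are logged but carry no behavioural feature.
EVENT_TO_FEATURE = {
    "REG_SET_RUN_KEY": "modify_registry_autorun",
    "COPY_SELF_TO_SYSTEM_DIR": "copy_self_to_system_dir",
    "DROP_FILE_TO_SYSTEM_DIR": "drop_file_to_system_dir",
    "SET_SYSTEM_HOOK": "install_system_hook",
    "PATCH_SSDT": "hook_api_ssdt",
    "ATTACH_DRIVER": "attach_driver",
}


def parse_log(log_lines):
    """Reduce the recorded log to the set of behavioural features it shows."""
    events = (line.split(" ", 1)[0] for line in log_lines)
    return {EVENT_TO_FEATURE[e] for e in events if e in EVENT_TO_FEATURE}


def score_verdict(features, rules):
    """Scoring rule of Step 18: zero -> not malicious; below the threshold ->
    an engineer must confirm; at or above the threshold -> malicious."""
    score = sum(rules["weights"].get(f, 0) for f in features)
    if score == 0:
        return score, "benign"
    return score, "malicious" if score >= rules["threshold"] else "needs_review"


def database_verdict(features, known):
    """Comparison rule of Step 18: all recorded behaviours match the database
    -> malicious; some match -> engineer must confirm; none -> not malicious.
    An empty log is treated as 'none match' (assumption)."""
    matched = features & known
    if not features or not matched:
        return "benign"
    return "malicious" if matched == features else "needs_review"


class ModelVM:
    """In-memory stand-in for the virtual machine module (a real deployment
    restores a snapshot image). Returns a constructed log per file and refuses
    to run a second file until restored, the invariant Steps 20-22 maintain."""

    def __init__(self, canned_logs):
        self.canned_logs, self.clean = canned_logs, True

    def run(self, path):
        if not self.clean:
            raise RuntimeError("virtual machine not restored to original state")
        self.clean = False
        return self.canned_logs.get(os.path.basename(path), [])

    def restore(self):
        self.clean = True


def analyze_all(config, vm):
    """Steps 12-22: acquire the files at the configured path, run each one,
    analyse its log, and restore the VM whenever more files remain."""
    sample_dir = config["sample_dir"]
    paths = sorted(os.path.join(sample_dir, n) for n in os.listdir(sample_dir))
    results = {}
    for i, path in enumerate(paths):
        features = parse_log(vm.run(path))              # Steps 14 and 16
        score, by_score = score_verdict(features, config["rules"])
        results[os.path.basename(path)] = {              # Step 18
            "score": score, "by_score": by_score,
            "by_database": database_verdict(features, KNOWN_MALICIOUS_FEATURES)}
        if i + 1 < len(paths):                           # Steps 20 and 22
            vm.restore()
    return results


def demo():
    """Constructed sample directory, configuration file and logs; runs Step 10 on."""
    canned_logs = {
        "dropper.exe": ["REG_SET_RUN_KEY HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
                        "COPY_SELF_TO_SYSTEM_DIR C:\\Windows\\System32\\svc.exe",
                        "DROP_FILE_TO_SYSTEM_DIR C:\\Windows\\System32\\svc.sys"],
        "hooker.exe": ["SET_SYSTEM_HOOK WH_KEYBOARD_LL"],
        "editor.exe": ["OPEN_FILE C:\\Users\\u\\notes.txt"],
    }
    with tempfile.TemporaryDirectory() as root:
        sample_dir = os.path.join(root, "samples")
        os.mkdir(sample_dir)
        for name in canned_logs:
            open(os.path.join(sample_dir, name), "wb").close()
        cfg_path = os.path.join(root, "config.json")
        with open(cfg_path, "w") as f:
            json.dump({"sample_dir": sample_dir, "rules": DEFAULT_RULES}, f)
        with open(cfg_path) as f:                        # Step 10
            config = json.load(f)
        return analyze_all(config, ModelVM(canned_logs))
```

Running `demo()` shows why the description keeps both rules: the constructed `hooker.exe` log scores only 2 and lands in "needs review" under the threshold rule, yet every behaviour it shows is in the known-malicious set, so the database rule calls it malicious. The `ModelVM` check that refuses to run a file on an unrestored machine is the property Step 22 exists to guarantee; a real pipeline should assert it against the hypervisor's snapshot state rather than trust the loop.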
The embodiment of the invention automatically transmits the one or more suspicious files to the virtual machine and, by monitoring and analysing the behavioural characteristics of each suspicious file as it runs in the virtual machine, automatically outputs an analysis result, so suspicious files can be analysed automatically in batches, improving analysis efficiency and saving time and labour cost.
Please refer to Fig. 2, a schematic structural diagram of the suspicious file analysis system of embodiment one of the invention. The suspicious file analysis system comprises a configuration file module 50, a file acquisition module 52, a virtual machine module 60, an analysis module 54, a virus database module 56 and a judgement module 58.
The configuration file module 50 is used to store the configuration file, which is information related to the suspicious files, such as the path of the suspicious files and the user-defined rule information used to analyse them (including the steps or strategy of the suspicious file analysis).
The file acquisition module 52 is used to read the configuration file from the configuration file module 50, obtain one or more suspicious files according to the configuration file, select one suspicious file, transmit it to the virtual machine in the virtual machine module 60 and run the selected suspicious file. Specifically, the file acquisition module 52 obtains the pre-placed suspicious files according to the path of the suspicious files in the configuration file, chooses one suspicious file from the one or more obtained files by traversal or at random, and transmits the chosen file to a virtual machine in the virtual machine module 60 that is in its original state, where it is run.
The virtual machine module 60 is used to run the transmitted suspicious file and to record the behavioural characteristics of the suspicious file while it runs in the virtual machine, saving them as a log. The main behavioural characteristics of current malicious programs after they run are: modifying the registry (so that the program starts itself automatically at the next boot); copying itself to the system directory if it finds it is not already there (and possibly deleting itself afterwards to avoid the user's suspicion); and installing system hooks, exploiting system vulnerabilities, remote injection and the like in order to capture the user's keystrokes and collect user information. The virtual machine module monitors the behavioural characteristics of the suspicious file while it runs in the virtual machine and saves them as a log.
The virus database module 56 is used to store the behavioural characteristics of existing malicious programs when run, such as modifying the registry, copying themselves to the system directory, installing system hooks, dropping drivers or other files (derivatives) into the system directory, intercepting APIs (SSDT hooking), ATTACH operations on network or keyboard drivers, and so on.
The analysis module 54 is used to analyse the suspicious file according to the recorded log and output an analysis result. Specifically, the analysis can follow user-defined rules, for example by scoring the behavioural characteristics in the recorded log: a malicious program copying itself to the system directory, modifying a particular registry key, dropping drivers or other files (derivatives) into the system directory, intercepting APIs (SSDT hooking), ATTACH operations on network or keyboard drivers and so on are each given a score; when the score reaches the preset threshold the file is judged to be a malicious program, i.e. an analysis result is output stating that the suspicious file is a malicious program file; if the score is zero, or the score is low, the analysis result output is respectively that the suspicious file is not a malicious program file, or that an engineer needs to confirm it further. Alternatively, the recorded log can be compared with the malicious program behavioural characteristics stored in the virus database module 56: if the behavioural characteristics recorded in the log all match malicious program behavioural characteristics stored in the malicious program database module, an analysis result is output stating that the suspicious file is a malicious program file; if none match, or only some match, the result output is respectively that the suspicious file is not a malicious program file, or that an engineer needs to confirm it further. The specific analysis rules can be customized according to the user's needs, and can also be determined by the user-defined analysis rules in the configuration file.
The judgement module 58 is used to determine whether there are further suspicious files. Specifically, after the analysis module 54 has output the analysis result for the suspicious file, the judgement module 58 determines whether the file acquisition module 52 still has other suspicious files that have not been transmitted; if so, it notifies the virtual machine module 60 to restore the virtual machine to its original state and notifies the file acquisition module 52 to transmit the next suspicious file to the virtual machine; if not, the suspicious file analysis ends. In the present embodiment the judgement module 58 is provided separately, but in a specific implementation it can also be integrated with the file acquisition module 52.
The configuration file described in the embodiment of the invention can also be stored in advance in the file acquisition module 52, in which case no separate configuration file module 50 is needed.
The embodiment of the invention automatically transmits the one or more suspicious files to the virtual machine module 60 through the file acquisition module 52 and, by monitoring the behavioural characteristics of each suspicious file as it runs in the virtual machine and analysing them in the analysis module 54, automatically outputs an analysis result, improving analysis efficiency and saving time and labour cost.
Please refer to Fig. 3, a schematic structural diagram of the suspicious file analysis system of embodiment two of the invention. It differs from embodiment one in that the virtual machine module 60 is further refined: the virtual machine module 60 comprises a virtual machine 62, a monitor module 64, a log module 66 and a virtual machine restore module 68.
The virtual machine 62 is used to run the suspicious file after receiving it from the file acquisition module 52. Specifically, the virtual machine 62 is a simulation device that can simulate the processor and memory of a real system and model part of the real system's hard disk as its own hard disk, so that the suspicious file runs just as it would on a real system.
The monitor module 64 is used to monitor the behavioural characteristics of the suspicious file while it runs in the virtual machine 62;
The log module 66 is used to record the behavioural characteristics monitored by the monitor module 64 while the suspicious file runs in the virtual machine and to save them as a log.
The virtual machine restore module 68 is used to restore the virtual machine 62 to its original state after the judgement module 58 determines that the file acquisition module 52 still has an untransmitted suspicious file.
In a specific implementation the virtual machine module 60 can be combined in other ways, for example by merging the functions of the monitor module 64 and the log module 66 so that a single module both monitors and records the behavioural characteristics. The embodiment of the invention is given only to illustrate and explain the present invention, not to limit it.
Those of ordinary skill in the art will appreciate that all or part of the steps of the method in the above embodiments can be completed by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disc.
The above are only preferred embodiments of the present invention, but the scope of protection of the present invention is not limited to them; any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention should be covered by its scope of protection. The scope of protection of the present invention should therefore be determined by the scope of protection of the claims.
Claims (12)
1. A suspicious file analysis method comprising:
Reading a configuration file, the configuration file being information related to the suspicious files;
Obtaining one or more suspicious files according to the configuration file;
Selecting one of the suspicious files, transmitting it to a virtual machine and running the selected suspicious file;
Recording the behavioural characteristics of the suspicious file while it runs in the virtual machine and saving them as a log;
Analysing the suspicious file according to the recorded log and outputting an analysis result;
Determining whether there are further suspicious files and, if so, restoring the virtual machine to its original state.
2. The method of claim 1, characterized in that: the configuration file comprises the path of the suspicious files, and obtaining one or more suspicious files according to the pre-stored configuration file is specifically: obtaining one or more pre-placed suspicious files from the path of the suspicious files.
3. The method of claim 1, characterized in that: after the step of restoring the virtual machine to its original state, the following step is executed: selecting one of the suspicious files, transmitting it to the virtual machine and running the selected suspicious file.
4. The method of claim 1, characterized in that: the step of analysing the suspicious file according to the recorded log and outputting an analysis result comprises: scoring the behavioural characteristics in the recorded log, and outputting the analysis result according to the comparison of the score with a preset threshold.
5. The method of claim 4, characterized in that: when the score reaches the preset threshold the file is judged to be a malicious program, i.e. an analysis result is output stating that the suspicious file is a malicious program file; if the score is zero, or the score is low, the analysis result output is respectively that the suspicious file is not a malicious program file, or that an engineer needs to confirm it further.
6. The method of claim 1, characterized in that: the step of analysing the suspicious file according to the recorded log and outputting an analysis result comprises: comparing the recorded log with the malicious program behavioural characteristics stored in a malicious program database module, and outputting the analysis result according to the comparison result.
7. The method of claim 6, characterized in that: if the behavioural characteristics in the recorded log all match the malicious program behavioural characteristics stored in the malicious program database module, an analysis result is output stating that the suspicious file is a malicious program file; if none match, or only some match, the analysis result output is respectively that the suspicious file is not a malicious program file, or that an engineer needs to confirm it further.
8. A suspicious file analysis system comprising:
A configuration file module, used to store the configuration file, the configuration file being information related to the suspicious files;
A file acquisition module, used to obtain one or more suspicious files from the configuration file module;
A virtual machine module, used to run the transmitted suspicious file, and to record the behavioural characteristics of the suspicious file while it runs in the virtual machine and save them as a log;
An analysis module, used to analyse the suspicious file according to the recorded log and output an analysis result;
A judgement module, used to determine whether the file acquisition module still has other suspicious files that have not been transmitted and, if so, to notify the virtual machine module to restore the virtual machine to its original state and notify the file acquisition module to transmit the next suspicious file to the virtual machine.
9. The system of claim 8, characterized in that: it further comprises a configuration file module, used to store the configuration file, and the file acquisition module reads the configuration file from the configuration file module.
10. The system of claim 8, characterized in that: the virtual machine module comprises:
A virtual machine, used to run the suspicious file after receiving it from the file acquisition module;
A monitor module, used to monitor the behavioural characteristics of the suspicious file while it runs in the virtual machine;
A log module, used to record the behavioural characteristics monitored by the monitor module while the suspicious file runs in the virtual machine and save them as a log;
A virtual machine restore module, used to restore the virtual machine to its original state after the judgement module determines that the file acquisition module still has an untransmitted suspicious file.
11. The system of claim 8, characterized in that: the analysis module scores the behavioural characteristics in the recorded log and outputs the analysis result according to the comparison of the score with a preset threshold.
12. The system of claim 8, characterized in that: it further comprises a virus database module, used to store the behavioural characteristics of existing malicious programs when run, and the analysis module compares the recorded log with the malicious program behavioural characteristics stored in the virus database module and outputs the analysis result according to the comparison result.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 200810067552 CN101593249B (en) | 2008-05-30 | 2008-05-30 | Suspicious file analyzing method and suspicious file analyzing system |
PCT/CN2009/071759 WO2009143742A1 (en) | 2008-05-30 | 2009-05-12 | Analysis method and system for suspicious file |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 200810067552 CN101593249B (en) | 2008-05-30 | 2008-05-30 | Suspicious file analyzing method and suspicious file analyzing system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101593249A CN101593249A (en) | 2009-12-02 |
CN101593249B true CN101593249B (en) | 2011-08-03 |
Family
ID=41376597
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN 200810067552 Expired - Fee Related CN101593249B (en) | 2008-05-30 | 2008-05-30 | Suspicious file analyzing method and suspicious file analyzing system |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN101593249B (en) |
WO (1) | WO2009143742A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105978911A (en) * | 2016-07-15 | 2016-09-28 | 江苏博智软件科技有限公司 | Malicious code detection method and device based on virtual execution technology |
Families Citing this family (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9262187B2 (en) | 2010-02-05 | 2016-02-16 | Microsoft Technology Licensing, Llc | Extension point declarative registration for virtualization |
CN102957667A (en) * | 2011-08-23 | 2013-03-06 | 潘燕辉 | Method for intelligently replacing files on basis of cloud computation |
JP2013105366A (en) * | 2011-11-15 | 2013-05-30 | Hitachi Ltd | Program analyzing system and method |
CN103839003B (en) * | 2012-11-22 | 2018-01-30 | 腾讯科技(深圳)有限公司 | Malicious file detection method and device |
CN103150506B (en) * | 2013-02-17 | 2016-03-30 | 北京奇虎科技有限公司 | The method and apparatus that a kind of rogue program detects |
CN103905417B (en) * | 2013-11-12 | 2018-02-16 | 国家计算机网络与信息安全管理中心 | A kind of network equipment file identification apparatus and method |
CN103902886A (en) * | 2014-03-04 | 2014-07-02 | 珠海市君天电子科技有限公司 | Method and device for detecting third-party application |
US9710648B2 (en) * | 2014-08-11 | 2017-07-18 | Sentinel Labs Israel Ltd. | Method of malware detection and system thereof |
CN104504331B (en) * | 2014-12-19 | 2017-12-08 | 北京奇安信科技有限公司 | Virtualize safety detection method and system |
CN105809035B (en) * | 2016-03-07 | 2018-11-09 | 南京邮电大学 | The malware detection method and system of real-time behavior is applied based on Android |
CN106228067A (en) * | 2016-07-15 | 2016-12-14 | 江苏博智软件科技有限公司 | Malicious code dynamic testing method and device |
CN106572122A (en) * | 2016-12-09 | 2017-04-19 | 哈尔滨安天科技股份有限公司 | Host security evaluation method and system based on network behavior feature correlation analysis |
CN108038375A (en) * | 2017-12-21 | 2018-05-15 | 北京星河星云信息技术有限公司 | A kind of malicious file detection method and device |
CN109960928B (en) * | 2017-12-22 | 2021-10-29 | 北京安天网络安全技术有限公司 | Method and system for processing suspicious file |
CN110889113A (en) * | 2019-10-30 | 2020-03-17 | 泰康保险集团股份有限公司 | Log analysis method, server, electronic device and storage medium |
CN110837639A (en) * | 2019-11-08 | 2020-02-25 | 浙江军盾信息科技有限公司 | Active defense method and system for unknown threat |
CN111092895B (en) * | 2019-12-23 | 2022-09-23 | 和元达信息科技有限公司 | Internet sensitive data safety protection system and method |
CN114244599B (en) * | 2021-12-15 | 2023-11-24 | 杭州默安科技有限公司 | Method for interfering malicious program |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1707383A (en) * | 2004-06-10 | 2005-12-14 | 陈朝晖 | Method for analysing and blocking computer virus through process and system trace |
CN1737722A (en) * | 2005-08-03 | 2006-02-22 | 珠海金山软件股份有限公司 | System and method for detecting and defending computer worm |
CN1818823A (en) * | 2005-02-07 | 2006-08-16 | 福建东方微点信息安全有限责任公司 | Computer protecting method based on programm behaviour analysis |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7908653B2 (en) * | 2004-06-29 | 2011-03-15 | Intel Corporation | Method of improving computer security through sandboxing |
CN100595778C (en) * | 2007-07-16 | 2010-03-24 | 珠海金山软件股份有限公司 | Method and apparatus for identifying virus document |
CN101154258A (en) * | 2007-08-14 | 2008-04-02 | 电子科技大学 | Automatic analyzing system and method for dynamic action of malicious program |
Application events:
- 2008-05-30: CN application CN 200810067552, patent CN101593249B, status: not active (Expired - Fee Related)
- 2009-05-12: WO application PCT/CN2009/071759, patent WO2009143742A1, status: active (Application Filing)
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105978911A (en) * | 2016-07-15 | 2016-09-28 | 江苏博智软件科技有限公司 | Malicious code detection method and device based on virtual execution technology |
CN105978911B (en) * | 2016-07-15 | 2019-05-21 | 江苏博智软件科技有限公司 | Malicious code detecting method and device based on virtual execution technology |
Also Published As
Publication number | Publication date |
---|---|
WO2009143742A1 (en) | 2009-12-03 |
CN101593249A (en) | 2009-12-02 |
Similar Documents
Publication | Title |
---|---|
CN101593249B (en) | Suspicious file analyzing method and suspicious file analyzing system |
EP3002702B1 (en) | Identifying an evasive malicious object based on a behavior delta |
CN104685476B (en) | For restoring the method, system and product of virtual machine |
CN103970585B (en) | Create the method and device of virtual machine |
CN103514023B (en) | The method and system that a kind of virtual machine off-line automatic software is installed |
CN101425016B (en) | Method and system for operating and installing software |
US8561180B1 (en) | Systems and methods for aiding in the elimination of false-positive malware detections within enterprises |
US8458232B1 (en) | Systems and methods for identifying data files based on community data |
CN104573515A (en) | Virus processing method, device and system |
CN104360892B (en) | Create the system and method for virtual machine |
CN102331957B (en) | File backup method and device |
CN105868056B (en) | Obtain the method, apparatus and secure virtual machine of deleted document in Windows virtual machine |
JP6282217B2 (en) | Anti-malware system and anti-malware method |
CN104268473A (en) | Method and device for detecting application programs |
CN108133143B (en) | Data leakage prevention method and system for cloud desktop application environment |
CN113515457A (en) | Internet of things equipment firmware security detection method and device |
TW201335779A (en) | File synchronization system and method |
CN104317672A (en) | System file repairing method, device and system |
CN103400602B (en) | A kind of bad track of hard disk self-repairing method and equipment |
CN104346570A (en) | Trojan horse decision system based on dynamic code sequence tracking analysis |
KR101228902B1 (en) | Cloud Computing-Based System for Supporting Analysis of Malicious Code |
CN105608150A (en) | Business data processing method and system |
CN103020051B (en) | A kind of data transfering method inserting equipment |
Knauth et al. | Vecycle: Recycling vm checkpoints for faster migrations |
CN103646213A (en) | Method and device for classifying malicious software |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
C14 | Grant of patent or utility model | |
GR01 | Patent grant | |
C56 | Change in the name or address of the patentee | Owner name: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD. Free format text: FORMER NAME: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD. |
CP01 | Change in the name or title of a patent holder | Address after: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River; Patentee after: HUAWEI DIGITAL TECHNOLOGIES (CHENG DU) Co.,Ltd.; Address before: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River; Patentee before: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES Co.,Ltd. |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20110803 |