CN101593253A - Malicious program determination method and device - Google Patents

Malicious program determination method and device

Info

Publication number: CN101593253A
Authority: CN (China)
Prior art keywords: program, feature, characteristic, sample, rogue
Legal status: Granted
Application number: CN 200910150705
Other languages: Chinese (zh)
Other versions: CN101593253B (en)
Inventors: 顾凌志, 张小松
Original assignees: University of Electronic Science and Technology of China; Huawei Symantec Technologies Co Ltd
Application filed by University of Electronic Science and Technology of China and Huawei Symantec Technologies Co Ltd
Priority to CN 200910150705
Publication of CN101593253A
Application granted
Publication of CN101593253B
Current legal status: Expired - Fee Related


Abstract

The embodiments of the invention relate to a malicious program determination method and device. The method comprises: analysing a target program to obtain its features; generating, from the features obtained, a feature set corresponding to the target program; matching the target program feature set against preset sample program feature sets and judging, from the threat value of the matched sample feature set, whether the target program is malicious. The malicious program determination method and device provided by the embodiments of the invention overcome the prior art's low recognition efficiency and high false alarm rate for unknown malicious programs, and can substantially increase the efficiency of identifying unknown malicious programs while reducing the false alarm rate.

Description

Malicious program determination method and device
Technical field
The present invention relates to the field of computer security technology, and specifically to a malicious program determination method and device.
Background technology
For a long time, damage caused by malicious programs (such as computer viruses, logic bombs and Trojan horses) has been a major problem in the use of computers. The prior art detects and identifies malicious programs by signature matching, but signature matching cannot detect or identify unknown malicious programs (such as virus variants and new viruses). To overcome this problem, the prior art uses approaches such as broad-spectrum analysis and heuristic analysis to detect and identify unknown malicious programs.
In the course of realising the present invention, the inventors found that broad-spectrum analysis, heuristic analysis and similar prior-art approaches are very inefficient at detecting and identifying unknown malicious programs and have a rather high false alarm rate.
Summary of the invention
To overcome the prior art's low recognition efficiency and high false alarm rate for unknown malicious programs, the embodiments of the invention provide a malicious program determination method and device that can substantially increase the efficiency of identifying unknown malicious programs and reduce the false alarm rate.
An embodiment of the invention provides a malicious program determination method comprising: analysing a target program to obtain its features; generating, from the features obtained, a feature set corresponding to the target program; matching the target program feature set against preset sample program feature sets and judging, from the threat value of the matched sample feature set, whether the target program is malicious.
An embodiment of the invention also provides a malicious program judging device comprising: a target program analysis unit, for analysing the target program and obtaining its features; a target set generation unit, for generating a feature set corresponding to the target program from the features obtained; and a malicious program judging unit, for matching the target program feature set against the preset sample program feature sets and judging, from the threat value of the matched sample feature set, whether the target program is malicious.
The malicious program determination method and device provided by the embodiments of the invention generate a feature set corresponding to the target program from the features obtained from it, match that feature set against the preset sample program feature sets, and judge from the threat value of the matched sample feature set whether the target program is malicious. This can substantially increase the efficiency of identifying unknown malicious programs and reduce the false alarm rate.
Description of drawings
The drawings described here provide a further understanding of the embodiments of the invention and form part of this application; they do not limit the embodiments of the invention. In the drawings:
Fig. 1 is a flowchart of a malicious program determination method provided by an embodiment of the invention;
Fig. 2 is a flowchart of a malicious program determination method provided by an embodiment of the invention;
Fig. 3 is a flowchart of the method, provided by an embodiment of the invention, for judging from the threat value whether the target program is malicious;
Fig. 4 is a block diagram of a malicious program judging device provided by an embodiment of the invention;
Fig. 5 is a block diagram of a malicious program judging device provided by an embodiment of the invention;
Fig. 6 is a block diagram of the malicious program judging unit 506 provided by an embodiment of the invention.
Embodiment
To make the purpose, technical solution and advantages of the present invention clearer, the embodiments of the invention are described in further detail below with reference to the embodiments and the drawings. The exemplary embodiments and their explanations serve to explain the embodiments of the invention, not to limit them.
Embodiment one
Fig. 1 is a flowchart of a malicious program determination method provided by an embodiment of the invention. As shown in Fig. 1, the method comprises:
S101: analyse the target program and obtain its features.
In embodiments of the invention the target program is an unknown program that needs to be judged; it may be malicious or non-malicious. In step S101 the target program is analysed to obtain the features it has. These comprise code features and behavioural features: code features may include static information such as the file structure, the entry point and the API call sequence of the executable file, and behavioural features may include the program's actions at runtime, such as modifying the registry, modifying system files, self-starting (launching itself automatically at system start) and modifying the system security settings.
S102: generate, from the features obtained, a feature set corresponding to the target program.
In embodiments of the invention the target set generation unit generates a target program feature set corresponding to the target program from the features obtained from it; the target program feature set contains at least one code feature and/or behavioural feature.
S103: match the target program feature set against the preset sample program feature sets and judge, from the threat value of the matched sample feature set, whether the target program is malicious.
In embodiments of the invention, judging whether the target program is malicious comprises: searching for a sample program feature set containing the same features as the target program feature set. If one is found, it is further judged whether the threat value of that sample feature set exceeds a preset threshold; if it does, the target program is judged to be malicious. If no sample feature set with identical features is found, the sample feature sets closest to the target program feature set are searched for, and it is judged whether more than half of those found have a threat value above the preset threshold; if more than half do, the target program is judged to be malicious, and if not, it is judged to be a normal, non-malicious program.
Fig. 2 is a flowchart of a malicious program determination method provided by an embodiment of the invention. As shown in Fig. 2, the method comprises:
S201: analyse the sample programs and obtain the features of each sample program.
In embodiments of the invention the sample programs are known programs provided by the user, comprising both malicious and non-malicious programs. In step S201 all the known sample programs provided by the user are analysed to obtain the features each one has. These comprise code features and behavioural features: code features may include static information such as the file structure, the entry point and the API call sequence of the executable file, and behavioural features may include the program's actions at runtime, such as modifying the registry, modifying system files, self-starting and modifying the system security settings.
S202: generate a feature set corresponding to each sample program from the features obtained.
In embodiments of the invention the sample feature set generation unit generates, from the features obtained from each sample program, a feature set corresponding to that program; that is, every sample program yields one corresponding feature set containing at least one code feature and/or behavioural feature. In the present embodiment all feature sets contain the same number of features, and the description below takes feature sets of three features as an example.
Sample program | Feature one       | Feature two              | Feature three           | Malicious program?
P1             | Self-starting     | Does not modify registry | Closes firewall         | Malicious
P2             | Not self-starting | Modifies registry        | Closes firewall         | Malicious
P3             | Not self-starting | Does not modify registry | Does not close firewall | Non-malicious
P4             | Not self-starting | Modifies registry        | Does not close firewall | Non-malicious
P5             | Not self-starting | Modifies registry        | Does not close firewall | Malicious
P6             | Not self-starting | Modifies registry        | Does not close firewall | Malicious
P7             | Self-starting     | Modifies registry        | Closes firewall         | Malicious
P8             | Self-starting     | Modifies registry        | Closes firewall         | Malicious
Table 1
Table 1 lists the feature sets generated for the eight sample programs provided in the embodiment of the invention; sample programs P1, P2, P5, P6, P7 and P8 are known to be malicious, and P3 and P4 are known to be normal, non-malicious programs. In step S201 each sample program is analysed for three features: whether it self-starts, whether it modifies the registry and whether it closes the firewall. The sample feature set generation unit then generates the eight corresponding feature sets shown in Table 1. Note that sample programs P4, P5 and P6 have the same feature set, and P7 and P8 have the same feature set.
S203: generate the threat value of each sample program feature set according to whether the corresponding sample programs are malicious.
In embodiments of the invention, the sample programs whose feature sets contain identical features are first collected. As Table 1 shows, P4, P5 and P6 have the same features (not self-starting, modifies registry, does not close firewall), and P7 and P8 have the same features (self-starting, modifies registry, closes firewall).
Once the sample programs sharing an identical feature set have been obtained, the threat value of that feature set is determined from the proportion of malicious programs among them. In the present embodiment, if A sample programs share the identical feature set and B of those A are malicious, the threat value V of the feature set is B/A × 100%. As Table 1 shows, the feature set (not self-starting, modifies registry, does not close firewall) corresponds to three sample programs, P4, P5 and P6; P4 is a normal program and P5 and P6 are malicious, so its threat value is V1 = 2/3 × 100% = 66.7%. The feature set (self-starting, modifies registry, closes firewall) corresponds to P7 and P8, both malicious, so its threat value is V2 = 2/2 × 100% = 100%. The feature set (self-starting, does not modify registry, closes firewall) corresponds to only one sample program, P1, which is malicious, so its threat value is V3 = 100%; likewise the feature set of P2 (not self-starting, modifies registry, closes firewall) has threat value V4 = 100%. The feature set (not self-starting, does not modify registry, does not close firewall) corresponds only to P3, which is a normal program, so its threat value is V5 = 0%.
The sample program feature sets described above can be obtained in advance; when a target program is analysed, the matching feature set is then taken directly from the pre-obtained sample program feature sets and used to judge whether the target program is malicious.
S204: analyse the target program and obtain its features.
In embodiments of the invention the target program is an unknown program that needs to be judged; it may be malicious or non-malicious. In step S204 the target program is analysed to obtain the features it has. These comprise code features and behavioural features: code features may include static information such as the file structure, the entry point and the API call sequence of the executable file, and behavioural features may include the program's actions at runtime, such as modifying the registry, modifying system files, self-starting and modifying the system security settings.
S205: generate, from the features obtained, a feature set corresponding to the target program.
In embodiments of the invention the target set generation unit generates a target program feature set corresponding to the target program from the features obtained from it; the target program feature set contains at least one code feature and/or behavioural feature. In the present embodiment the target program feature set is described using the same three features as an example: whether the program self-starts, whether it modifies the registry and whether it closes the firewall.
Target program | Feature one       | Feature two              | Feature three
P9             | Self-starting     | Modifies registry        | Closes firewall
P10            | Not self-starting | Modifies registry        | Does not close firewall
P11            | Not self-starting | Does not modify registry | Closes firewall
Table 2
Table 2 lists the features of the target programs provided in the embodiment of the invention. As Table 2 shows, the feature set generated for target program P9 is (self-starting, modifies registry, closes firewall), the feature set generated for P10 is (not self-starting, modifies registry, does not close firewall), and the feature set generated for P11 is (not self-starting, does not modify registry, closes firewall).
S206: match the target program feature set against the preset sample program feature sets and judge, from the threat value of the matched sample feature set, whether the target program is malicious.
Fig. 3 is a flowchart of the method, provided by an embodiment of the invention, for judging from the threat value whether the target program is malicious. As shown in Fig. 3, the method comprises:
S301: search for a sample program feature set containing the same features as the target program feature set. If one is found, go to step S302; if none is found, go to step S303.
In the present embodiment, a sample program feature set identical to the feature set of target program P9 (self-starting, modifies registry, closes firewall), one identical to the feature set of P10 (not self-starting, modifies registry, does not close firewall), and one identical to the feature set of P11 (not self-starting, does not modify registry, closes firewall) are searched for.
S302: judge whether the threat value of the sample program feature set found exceeds a preset threshold; if it does, the target program is judged to be malicious.
In the present embodiment, if the threat value of the sample feature set found exceeds the preset threshold, the target program is judged to be malicious; if it is less than or equal to the preset threshold, the target program is judged to be a normal, non-malicious program. In the present embodiment the preset threshold V_preset is set at 58%; in other embodiments of the invention the value of V_preset can be adjusted flexibly to suit actual conditions.
In the present embodiment, the sample feature set identical to that of target program P9 (self-starting, modifies registry, closes firewall) is the feature set of sample programs P7 and P8, whose threat value is V2 = 100% > 58%, so P9 is judged to be malicious. The sample feature set identical to that of target program P10 (not self-starting, modifies registry, does not close firewall) is the feature set of sample programs P4, P5 and P6, whose threat value is V1 = 66.7% > 58%, so P10 is judged to be malicious. In the present embodiment, if a target program's feature set were identical to that of sample program P3, whose threat value is V5 = 0% < 58%, that target program would be judged to be a normal, non-malicious program.
S303: search for the sample program feature sets closest to the target program feature set.
In the present embodiment there is no sample program feature set identical to that of target program P11 (not self-starting, does not modify registry, closes firewall), so the sample feature sets closest to P11's are searched for. Here the feature sets of sample programs P1, P2 and P3 each differ from the feature set of P11 in only one feature, so the feature sets closest to P11's are those of P1, P2 and P3.
S304: judge whether more than half of the sample program feature sets found have a threat value above the preset threshold. If more than half do, the target program is judged to be malicious; if not, the target program is judged to be a normal, non-malicious program.
In the present embodiment, taking target program P11 as the example, the sample programs whose feature sets are closest to P11's are P1, P2 and P3, each differing from P11's feature set in a single feature. The threat value of P1 and P2 is 100% and that of P3 is 0%; P1 and P2 both exceed 58%, so more than half of the feature sets found have a threat value above the preset threshold, and P11 is judged to be malicious. In other embodiments of the invention, if more than half of the sample feature sets found have a threat value above the preset threshold, the target program is judged to be a normal, non-malicious program. In other embodiments of the invention, if exactly half of the sample feature sets found have a threat value above the preset threshold, the target program is judged to be a suspicious program.
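The threat value computation of S203 and the decision procedure of S301 to S304 above, worked through in code as an added example. This is not code from the patent: the sample and target data are constructed to reproduce Tables 1 and 2, the "closest" sample feature sets are taken to be those differing from the target in the fewest feature positions (which generalises the one-feature-apart case in the text to any number of features), the 58% threshold is the V_preset of the text, and the tie verdict "suspicious" follows the other-embodiments remark above.

```python
from collections import Counter
from typing import Dict, Tuple

# A feature set is a tuple of booleans in the order used by the patent's tables:
# (self-starting, modifies registry, closes firewall).
FeatureSet = Tuple[bool, ...]

# Constructed sample data reproducing Table 1: each entry is the sample's feature
# set and whether the user supplied it as a known malicious program (S201).
SAMPLES: Dict[str, Tuple[FeatureSet, bool]] = {
    "P1": ((True, False, True), True),
    "P2": ((False, True, True), True),
    "P3": ((False, False, False), False),
    "P4": ((False, True, False), False),
    "P5": ((False, True, False), True),
    "P6": ((False, True, False), True),
    "P7": ((True, True, True), True),
    "P8": ((True, True, True), True),
}

# Constructed target data reproducing Table 2 (the unknown programs of S204/S205).
TARGETS: Dict[str, FeatureSet] = {
    "P9": (True, True, True),
    "P10": (False, True, False),
    "P11": (False, False, True),
}

# V_preset from the text; the patent notes it may be tuned to actual conditions.
THRESHOLD = 0.58


def threat_values(samples: Dict[str, Tuple[FeatureSet, bool]]) -> Dict[FeatureSet, float]:
    """S203: group samples by identical feature set and compute V = B/A for each,
    where A is the number of samples sharing the set and B the malicious ones."""
    total: Counter = Counter()
    malicious: Counter = Counter()
    for feature_set, is_malicious in samples.values():
        total[feature_set] += 1
        if is_malicious:
            malicious[feature_set] += 1
    return {fs: malicious[fs] / total[fs] for fs in total}


def differing_features(a: FeatureSet, b: FeatureSet) -> int:
    """Number of positions at which two equal-length feature sets differ; the
    text's 'closest' sample sets are those with the fewest differing features."""
    return sum(x != y for x, y in zip(a, b))


def classify(target: FeatureSet, table: Dict[FeatureSet, float],
             threshold: float = THRESHOLD) -> str:
    """S301-S304 applied to one target feature set; returns the verdict."""
    if not table:
        raise ValueError("no sample feature sets available")
    # S301/S302: an identical sample feature set exists, so compare its V to the threshold.
    if target in table:
        return "malicious" if table[target] > threshold else "benign"
    # S303: no identical set, so fall back to the closest sample feature sets.
    best = min(differing_features(target, fs) for fs in table)
    closest = [fs for fs in table if differing_features(target, fs) == best]
    # S304: majority vote over the closest sets; an exact tie is 'suspicious'.
    above = sum(1 for fs in closest if table[fs] > threshold)
    if 2 * above > len(closest):
        return "malicious"
    if 2 * above == len(closest):
        return "suspicious"
    return "benign"


THREAT_TABLE = threat_values(SAMPLES)


def verdicts(targets: Dict[str, FeatureSet] = TARGETS,
             table: Dict[FeatureSet, float] = THREAT_TABLE) -> Dict[str, str]:
    """Verdict for every target program in Table 2."""
    return {name: classify(fs, table) for name, fs in targets.items()}


if __name__ == "__main__":
    for fs, v in THREAT_TABLE.items():
        print(fs, f"V = {v:.1%}")
    print(verdicts())  # P9, P10 and P11 all come out malicious, as in the text
```

Running it reproduces the five threat values (66.7%, 100%, 100%, 100%, 0%) and the three verdicts of the text. A point worth noting when deploying the scheme: three of the five threat values here rest on a single sample each, so V3, V4 and V5 are 100% or 0% purely because one program happened to be labelled one way; a defender would want a minimum group size (or a smoothed estimate) before trusting a feature set's threat value.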
The malicious program determination method and device provided by the embodiments of the invention overcome the prior art's low recognition efficiency and high false alarm rate for unknown malicious programs, and can identify unknown malicious programs accurately and efficiently.
Embodiment two
Fig. 4 is a block diagram of a malicious program judging device provided by an embodiment of the invention. As shown in Fig. 4, the device comprises target program analysis unit 401, target set generation unit 402 and malicious program judging unit 403, where:
Target program analysis unit 401 analyses the target program and obtains its features.
In embodiments of the invention the target program is an unknown program that needs to be judged; it may be malicious or non-malicious. Target program analysis unit 401 analyses the target program and obtains the features it has. In embodiments of the invention, target program analysis unit 401 comprises a code feature acquisition module, for obtaining the code features of the target program, and a behavioural feature acquisition module, for obtaining its behavioural features. The code features are static information about the program, comprising file structure information, entry point information and the API call sequence information of the executable file; the behavioural features are the program's actions at runtime, comprising registry modification information, system file modification information, self-starting information and system security configuration modification information.
Target set generation unit 402 generates, from the features of the target program obtained, a feature set corresponding to the target program.
In embodiments of the invention, target set generation unit 402 generates a target program feature set corresponding to the target program from the features obtained from it; the target program feature set contains at least one code feature and/or behavioural feature.
Malicious program judging unit 403 judges whether the target program is malicious according to the threat value of the sample program feature set that matches the target program feature set.
Fig. 5 is the block diagram of a kind of rogue program judgment means of providing of the embodiment of the invention, as shown in Figure 5, described device comprises: sample process analysis unit 501, sample set generation unit 502, threat value generation unit 503, target program analytic unit 504, goal set generation unit 505 and rogue program judging unit 506, wherein:
Sample process analysis unit 501 is used for the analyzing samples program, obtains the feature of each sample program;
In embodiments of the present invention, the sample program is the known procedure that the user provides, comprising rogue program and non-rogue program, all known sample programs that sample process analysis unit 501 analysis user provide, obtain the feature that each sample program is had, the feature that the sample program is had comprises code characteristic and behavioural characteristic.In embodiments of the present invention, sample process analysis unit 501 comprises: the code characteristic acquisition module is used to obtain the code characteristic of sample program; The behavioural characteristic acquisition module is used to obtain the behavioural characteristic of sample program.Described code characteristic is the static information of sample program, comprises the API Calls sequence information of document structure information, entry point information, executable file; Described behavioural characteristic is a program action message in the process of implementation, comprises revising registry information, modification system file information, self-starting information, revises the security of system configuration information.
Sample set generation unit 502 is used for generating and the corresponding characteristic set of each sample program according to the feature that gets access to;
In embodiments of the present invention, sample set generation unit 502 generates corresponding with it characteristic set according to the feature that gets access to from each sample program, that is to say, each sample program all generates a characteristic of correspondence set, comprise at least one code characteristic and/or behavioural characteristic in the characteristic set, in the present embodiment, the feature quantity homogeneous phase that comprises in all characteristic sets with, below comprise that with each characteristic set three are characterized as example and describe.
Table 1 is the characteristic set tabulation that eight sample programs that the embodiment of the invention provides are generated, and wherein, sample program P1, P2, P5, P6, P7 and P8 are known as rogue program, and P3 and P4 are known as normal non-rogue program.In step S201 at the whether self-starting of each sample program, whether revise registration table, whether close these three features of fire wall and analyze, obtain the feature of each sample program, eight characteristic sets of the sample characteristics set corresponding generation of generation unit, the characteristic set that each sample program is produced is as shown in table 1, wherein, sample program P4, P5 have identical characteristic set with P6, and sample program P7 has identical characteristic set with P8.
Threat value generation unit 503, whether be used for according to described sample program is the threat value that rogue program generates described characteristic set;
In embodiments of the present invention, threat value generation unit 503 comprises sample program acquisition module and threat value computing module, wherein sample program acquisition module is used to obtain and comprises the pairing sample program of the identical characteristic set of feature, as shown in table 1, sample program P4, P5 have identical feature (not self-starting, modification registration table with P6, do not close fire wall), sample program P7 has identical feature (registration table is revised in self-starting, closes fire wall) with P8;
Threat value computing module is used for calculating according to the shared proportion of sample program rogue program that gets access to the threat value of described characteristic set, in the present embodiment, what comprise the pairing sample program of the identical characteristic set of feature adds up to A, having B in this A the sample program is rogue program, and then the threat value V of this characteristic set equals B/A * 100%.As shown in table 1, characteristic set (not self-starting, revise registration table, do not close fire wall) the corresponding sample program is totally 3 of P4, P5 and P6, wherein sample program P4 is a normal procedure, and sample program P5 and P6 are rogue program, then characteristic set (not self-starting, revise registration table, do not close fire wall) threat value V 1=2/3*100%=66.7%.Characteristic set (registration table is revised in self-starting, closes fire wall) corresponding sample program is P7 and P8, and P7 and P8 be rogue program, then the threat value V of characteristic set (registration table is revised in self-starting, closes fire wall) 2=2/2*100%=100%.For characteristic set (registration table is not revised in self-starting, closes fire wall), because its corresponding sample program has only 1, i.e. sample program P1, and P1 is a rogue program, so threat value V of characteristic set (registration table is not revised in self-starting, closes fire wall) 3=100%, the threat value V of same characteristic set P2 (registration table is revised in not self-starting, closes fire wall) 4=100%.For characteristic set (registration table is not revised in not self-starting, does not close fire wall), its corresponding sample program has only P3, and P3 is normal procedure, so the threat value V of characteristic set (registration table is not revised in not self-starting, does not close fire wall) 5=0%.
Target program analysis unit 504 is used to analyze the target program and obtain the features of the target program;
In the embodiment of the present invention, the target program is an unknown program that needs to be judged; it may be a malicious program or a non-malicious program. Target program analysis unit 504 analyzes the target program and obtains the features it has. In the embodiment of the present invention, target program analysis unit 504 comprises: a code feature acquisition module, used to obtain the code features of the target program; and a behavioural feature acquisition module, used to obtain the behavioural features of the target program. The code features are the static information of the program, comprising file structure information, entry point information and the API call sequence information of the executable file; the behavioural features are information about the program's actions during execution, comprising registry modification information, system file modification information, self-starting information and system security configuration modification information.
Target set generation unit 505 is used to generate a feature set corresponding to the target program according to the obtained features of the target program;
In the embodiment of the present invention, target set generation unit 505 generates the target program feature set corresponding to the target program according to the features obtained from it. The target program feature set comprises at least one code feature and/or behavioural feature; in the present embodiment, the description takes as its example a target program feature set containing the three features of whether the program self-starts, whether it modifies the registry and whether it closes the firewall.
Table 2 is the list of features contained in the target programs provided by the embodiment of the invention. As shown in Table 2, the feature set generated from target program P9 is (self-starting, modifies registry, closes firewall), the feature set generated from target program P10 is (not self-starting, modifies registry, does not close firewall), and the feature set generated from target program P11 is (not self-starting, does not modify registry, closes firewall).
Malicious program judging unit 506 is used to judge whether the target program is a malicious program according to the threat value of the sample program feature set that matches the target program feature set.
Fig. 6 is a block diagram of the malicious program judging unit 506 provided by the embodiment of the invention. As shown in Fig. 6, in the embodiment of the present invention, malicious program judging unit 506 comprises: identical set search module 601, identical set judging module 602, approximate set search module 603 and approximate set judging module 604.
Identical set search module 601 is used to search for a sample program feature set whose features are identical to those contained in the target program feature set;
In the present embodiment, identical set search module 601 searches for the sample program feature set identical to the feature set of target program P9 (self-starting, modifies registry, closes firewall), the sample program feature set identical to the feature set of target program P10 (not self-starting, modifies registry, does not close firewall), and the sample program feature set identical to the feature set of target program P11 (not self-starting, does not modify registry, closes firewall).
Identical set judging module 602 is used, when a sample program feature set identical to the features contained in the target program feature set is found, to judge whether the threat value of the found sample program feature set is greater than a predetermined threshold value: if the threat value of the found sample program feature set is greater than the predetermined threshold value, the target program is judged to be a malicious program; if the threat value of the found sample program feature set is less than or equal to the predetermined threshold value, the target program is judged to be a normal, non-malicious program.
In the present embodiment, the predetermined threshold value V_pre is set to 58%; in other embodiments of the invention, the value of V_pre can also be adjusted flexibly according to actual conditions. In the present embodiment, the feature set whose features are identical to those of the feature set of target program P9 (self-starting, modifies registry, closes firewall) is the feature set of sample programs P7 and P8, and the threat value of the feature set of sample programs P7 and P8 is V2 = 100% > 58%, so target program P9 is judged to be a malicious program. The feature set identical to the feature set of target program P10 (not self-starting, modifies registry, does not close firewall) is the feature set of sample programs P4, P5 and P6, and the threat value of the feature set of sample programs P4, P5 and P6 is V1 = 66.7% > 58%, so target program P10 is judged to be a malicious program. In the present embodiment, if the feature set identical to that of a target program were the feature set of sample program P3, whose threat value is V5 = 0% < 58%, that target program would be judged to be a normal, non-malicious program.
Approximate set search module 603 is used, when there is no sample program feature set identical to the features contained in the target program feature set, to search for the sample program feature sets most similar to the features contained in the target program feature set;
In the present embodiment, there is no sample program feature set identical to the feature set of target program P11 (not self-starting, does not modify registry, closes firewall), so approximate set search module 603 searches for the sample program feature sets most similar to the features contained in the feature set of P11. Here, the feature sets of sample programs P1, P2 and P3 each differ from the feature set of target program P11 in only one feature, so the feature sets most similar to the features contained in the feature set of P11 are those of sample programs P1, P2 and P3.
Approximate set judging module 604 is used to judge whether, among the found sample program feature sets, the number whose threat value is greater than the predetermined threshold value exceeds half: if the number of found sample program feature sets whose threat value is greater than the predetermined threshold value exceeds half, the target program is judged to be a malicious program; if that number does not exceed half, the target program is judged to be a normal, non-malicious program.
In the present embodiment, taking target program P11 as an example, approximate set search module 603 finds the sample programs most similar to the features contained in the feature set of target program P11, namely P1, P2 and P3, whose feature sets each differ from the feature set of target program P11 in only one feature. The threat values of P1 and P2 are 100% and the threat value of P3 is 0%; the threat values of P1 and P2 both exceed 58%, so the number of feature sets whose threat value is greater than the predetermined threshold value exceeds half, and approximate set judging module 604 therefore judges target program P11 to be a malicious program. In other embodiments of the invention, if the number of found sample program feature sets whose threat value is greater than the predetermined threshold value does not exceed half, approximate set judging module 604 judges the target program to be a normal, non-malicious program. In other embodiments of the invention, if the number of found sample program feature sets whose threat value is greater than the predetermined threshold value is exactly half, approximate set judging module 604 judges the target program to be a suspicious program.
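The whole judging procedure described above (threat values from Table 1, the identical-set check against V_pre = 58%, and the majority vote over approximate sets for a target such as P11) as an added Python example; this is not code from the patent. The sample table and target feature sets are constructed from Tables 1 and 2, "most similar" is taken as the sample feature sets with the fewest differing features (which for this data reduces to the page's one-feature difference), and an exact tie is reported as suspicious, as in the alternative embodiment.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# A feature set is a tuple of booleans in this fixed order: the three features
# the embodiment uses as its example (self-start, registry, firewall).
FEATURE_LABELS = (
    ("self-starting", "not self-starting"),
    ("modifies registry", "does not modify registry"),
    ("closes firewall", "does not close firewall"),
)
FeatureSet = Tuple[bool, bool, bool]

# Constructed sample table reproducing Table 1: name -> (feature set, is_malicious).
SAMPLES: Dict[str, Tuple[FeatureSet, bool]] = {
    "P1": ((True, False, True), True),
    "P2": ((False, True, True), True),
    "P3": ((False, False, False), False),
    "P4": ((False, True, False), False),
    "P5": ((False, True, False), True),
    "P6": ((False, True, False), True),
    "P7": ((True, True, True), True),
    "P8": ((True, True, True), True),
}

# Constructed target programs reproducing Table 2 (their labels are unknown).
TARGETS: Dict[str, FeatureSet] = {
    "P9": (True, True, True),
    "P10": (False, True, False),
    "P11": (False, False, True),
}

V_PRE = 58.0  # the embodiment's predetermined threshold V_pre, in percent


def describe(fs: FeatureSet) -> str:
    """Render a feature set the way the text does, e.g. '(not self-starting, ...)'."""
    return "(" + ", ".join(pos if f else neg for (pos, neg), f in zip(FEATURE_LABELS, fs)) + ")"


def threat_values(samples: Dict[str, Tuple[FeatureSet, bool]]) -> Dict[FeatureSet, float]:
    """Threat value generation unit 503: group the sample programs sharing a feature
    set (A of them, B of which are malicious) and set V = B / A * 100%."""
    counts: Dict[FeatureSet, List[int]] = defaultdict(lambda: [0, 0])  # fs -> [A, B]
    for fs, is_malicious in samples.values():
        counts[fs][0] += 1
        if is_malicious:
            counts[fs][1] += 1
    return {fs: 100.0 * b / a for fs, (a, b) in counts.items()}


def differing_features(a: FeatureSet, b: FeatureSet) -> int:
    """Number of positions in which two feature sets disagree."""
    return sum(x != y for x, y in zip(a, b))


def approximate_sets(target: FeatureSet, known: Dict[FeatureSet, float]) -> List[FeatureSet]:
    """Approximate set search module 603. Assumption not stated by the page: the
    'most similar' sets are those with the fewest differing features; for Table 1
    and P11 this gives exactly the one-feature-different sets of P1, P2 and P3."""
    best = min(differing_features(target, fs) for fs in known)
    return [fs for fs in known if differing_features(target, fs) == best]


def classify(target: FeatureSet, values: Dict[FeatureSet, float],
             threshold: float = V_PRE) -> str:
    """Malicious program judging unit 506: an identical set is compared with the
    threshold (modules 601/602); otherwise the approximate sets vote (603/604),
    with an exact tie reported as 'suspicious' as the alternative embodiment does."""
    if target in values:
        return "malicious" if values[target] > threshold else "normal"
    neighbours = approximate_sets(target, values)
    over = sum(1 for fs in neighbours if values[fs] > threshold)
    if 2 * over > len(neighbours):
        return "malicious"
    if 2 * over == len(neighbours):
        return "suspicious"
    return "normal"


def classify_targets(targets: Dict[str, FeatureSet], samples=SAMPLES,
                     threshold: float = V_PRE) -> Dict[str, str]:
    """Full pipeline: build the threat values once, then judge every target."""
    values = threat_values(samples)
    return {name: classify(fs, values, threshold) for name, fs in targets.items()}


if __name__ == "__main__":
    for fs, v in threat_values(SAMPLES).items():
        print(f"{describe(fs)}: V = {v:.1f}%")
    for name, verdict in classify_targets(TARGETS).items():
        print(f"{name} {describe(TARGETS[name])} -> {verdict}")
```

Running the block reproduces the text's results (P9, P10 and P11 all malicious); a constructed target (self-starting, does not modify registry, does not close firewall) has two nearest sets with threat values 100% and 0%, the tie case the alternative embodiment labels suspicious.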
The malicious program determination method and device provided by the embodiment of the invention overcome the problems of low recognition efficiency and a high false alarm rate for unknown malicious programs in the prior art, and can identify unknown malicious programs accurately and efficiently.
The embodiments described above further describe the purpose, technical scheme and beneficial effects of the embodiments of the invention. It should be understood that the above are only specific embodiments of the invention and are not intended to limit the scope of protection of the invention; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (11)

1. A malicious program determination method, characterized in that the method comprises:
analyzing a target program and obtaining the features of the target program;
generating a feature set corresponding to the target program according to the obtained features of the target program;
matching the target program feature set against the threat values of preset sample program feature sets, and judging according to the matching result whether the target program is a malicious program.
2. The malicious program determination method according to claim 1, characterized in that the threat values of the preset sample program feature sets are obtained in advance by the following steps:
analyzing sample programs and obtaining the features of each sample program; generating a feature set corresponding to each sample program according to the obtained features; and generating the threat value of the feature set of each sample program according to whether the sample program is a malicious program.
3. The malicious program determination method according to claim 1 or 2, characterized in that the feature set comprises at least one code feature and/or behavioural feature.
4. The malicious program determination method according to claim 2, characterized in that generating the threat value of the feature set according to whether the sample program is malicious comprises:
obtaining the sample programs corresponding to feature sets containing identical features;
determining the threat value of the feature set according to the proportion of malicious programs among the obtained sample programs.
5. The malicious program determination method according to claim 1, characterized in that matching the target program feature set against the threat values of the preset sample program feature sets and judging according to the matching result whether the target program is a malicious program comprises:
searching, among the preset sample program feature sets, for a sample program feature set whose features are identical to those contained in the target program feature set;
if a sample program feature set whose features are identical to those contained in the target program feature set is found, judging whether the threat value of the found sample program feature set is greater than a predetermined threshold value;
if the threat value of the found sample program feature set is greater than the predetermined threshold value, judging the target program to be a malicious program.
6. The malicious program determination method according to claim 5, characterized in that the method further comprises:
if, among the preset sample program feature sets, there is no sample program feature set whose features are identical to those contained in the target program feature set, searching for the sample program feature sets most similar to the features contained in the target program feature set;
judging whether, among the found sample program feature sets with similar features, the number of sets whose threat value is greater than the predetermined threshold value exceeds half;
if so, judging the target program to be a malicious program.
7. A malicious program judging device, characterized in that the device comprises:
a target program analysis unit, used to analyze a target program and obtain the features of the target program;
a target set generation unit, used to generate a feature set corresponding to the target program according to the obtained features of the target program;
a malicious program judging unit, used to match the target program feature set against the threat values of preset sample program feature sets and to judge according to the matching result whether the target program is a malicious program.
8. The malicious program judging device according to claim 7, characterized in that the device further comprises:
a sample program analysis unit, used to analyze sample programs and obtain the features of each sample program;
a sample set generation unit, used to generate a feature set corresponding to each sample program according to the obtained features;
a threat value generation unit, used to generate the threat value of the feature set according to whether the sample program is a malicious program.
9. The malicious program judging device according to claim 8, characterized in that the threat value generation unit comprises:
a sample program acquisition module, used to obtain the sample programs corresponding to feature sets containing identical features;
a threat value computing module, used to calculate the threat value of the feature set according to the proportion of malicious programs among the obtained sample programs.
10. The malicious program judging device according to claim 7, characterized in that the malicious program judging unit comprises:
an identical set search module, used to search, among the preset sample program feature sets, for a sample program feature set whose features are identical to those contained in the target program feature set;
an identical set judging module, used, when a sample program feature set identical to the features contained in the target program feature set is found, to judge whether the threat value of the found sample program feature set is greater than a predetermined threshold value and, if the threat value of the found sample program feature set is greater than the predetermined threshold value, to judge the target program to be a malicious program.
11. The malicious program judging device according to claim 10, characterized in that the malicious program judging unit further comprises:
an approximate set search module, used, when there is no sample program feature set among the preset sample program feature sets identical to the features contained in the target program feature set, to search for the sample program feature sets most similar to the features contained in the target program feature set;
an approximate set judging module, used to judge whether, among the found sample program feature sets, the number whose threat value is greater than the predetermined threshold value exceeds half and, if so, to judge the target program to be a malicious program.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200910150705 CN101593253B (en) 2009-06-22 2009-06-22 Method and device for judging malicious programs

Publications (2)

Publication Number Publication Date
CN101593253A true CN101593253A (en) 2009-12-02
CN101593253B CN101593253B (en) 2012-04-04

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD.

Free format text: FORMER NAME: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD.

CP01 Change in the name or title of a patent holder

Address after: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee after: Huawei Symantec Technologies Co., Ltd.

Patentee after: University of Electronic Science and Technology of China

Address before: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee before: Chengdu Huawei Symantec Technologies Co., Ltd.

Patentee before: University of Electronic Science and Technology of China

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120404

Termination date: 20190622