CN102034050A - Dynamic malicious software detection method based on virtual machine and sensitive Native application programming interface (API) calling perception - Google Patents


Info

Publication number: CN102034050A
Authority: CN (China)
Prior art keywords: behavior, malware, file, detection, training
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN2011100263696A
Other languages: Chinese (zh)
Inventors: 王俊峰, 白金荣, 黄敏桓, 唐剑, 佘春东
Current Assignee: Sichuan University (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Sichuan University
Application filed by Sichuan University; priority to CN2011100263696A; published as CN102034050A.

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a dynamic malware detection method based on a virtual machine and sensitive Native application programming interface (API) call perception. The method consists of three parts: an analysis and detection environment built by customising Xen, a monitoring control program, and a training and detection program for a malware classifier. The detection model has a training stage and a detection stage. In the training stage, each file of the sample set is executed in a clean analysis environment for a fixed-length time, the Native API call frequencies of its process behaviour, privilege behaviour, memory behaviour, registry behaviour, file behaviour and network behaviour are obtained, and the classifier is trained with these data. In the detection stage, the file under test is executed, the Native API call frequencies of the six sensitive behaviours within the fixed-length time are counted, and the trained classifier classifies the file as malware or a normal file. The method remains effective against malware with anti-virtualization, anti-debugging and anti-tracing capabilities.

Description

Dynamic malware detection method based on a virtual machine and sensitive Native API call perception
Technical field
The present invention relates to a malware detection method in the field of information security which, after training on a limited training set, can detect both known and unknown malware.
Background art
Monitoring data from the global anti-virus monitoring centre of Kingsoft (Jinshan) Antivirus show that by 30 June 2008 the product had intercepted 1,242,244 new viruses and Trojans in the first half of 2008, an increase of 338% over the total for the whole of 2007. The quantity of computer malware is growing sharply, its propagation routes are diversifying, and its ability to resist anti-virus software is strong; computer malware has become the greatest security threat to the Internet and to its many users.
Traditional malware detection is mainly based on signature scanning. It detects using characteristic byte sequences (for example strings) extracted from a particular piece of malicious code, sequences that are unlikely to appear in benign programs. This approach is characterised by the anti-virus software handling the bytes of the program without regard to its behaviour. However, as the variety and quantity of malicious code grow rapidly, the human and material effort consumed in extracting malicious-code signatures grows sharply too. More importantly, by its very nature this technique can only detect known malware; its ability to detect unknown malware is extremely weak. To address this problem, heuristic detection methods were proposed; "heuristic" here means any method that uses rules and patterns to detect unknown malicious code. Heuristic detection comprises mainly static heuristic detection and heuristic detection based on code emulation. Static heuristic detection obtains malware features by analysing the static file structure, the binary code, the disassembled code and the static call sequences in the disassembly, and uses a classification algorithm to draw a good separating line between normal software and malicious code; experimental results show that its ability to detect unknown malware is stronger. The basic principle of heuristic detection based on code emulation is to place the target program in a sandbox and judge whether it is malware by monitoring its behaviour during execution. This approach mainly uses black-box testing, which can be very useful for quickly understanding some behaviours and the working principle of malware.
The above methods mainly face problems in three respects:
First, static detection is fast and has low false-positive and false-negative rates, but it is easily affected by evasion techniques such as polymorphism, metamorphism, obfuscation and packing. The binary code and the disassembly of malware that has been packed change greatly, so the features originally used for detection also change and the detection accuracy falls. Detecting after unpacking lengthens the detection time for every file, and general-purpose unpackers cannot automatically strip the packers of all malware in the face of anti-unpacking techniques. Malware that uses polymorphic and metamorphic techniques changes its binary code dynamically and randomly on every propagation, leaving no fixed feature, so static detection has difficulty detecting it.
Second, heuristic detection based on code emulation is not affected by evasion techniques such as polymorphism, metamorphism, obfuscation and packing, and in its early days was a relatively effective malware detection method. But as malware technology has evolved, much malware has acquired anti-virtualization, anti-debugging and anti-tracing capabilities; if it detects that it is running in an emulated environment it hides its malicious behaviour. As a result the accuracy of emulation-based heuristic detection is not high and it consumes a long time.
Third, heuristic methods rely on certain rules and patterns; as malware authors become familiar with these rules and patterns, newly emerging malware adopts countermeasures so that heuristic methods can no longer detect it.
Summary of the invention
The object of the invention is to propose and design a dynamic malware detection method based on a virtual machine and sensitive Native API call perception which can detect known and unknown malware, is not affected by packing, obfuscation, polymorphism or metamorphism, and has a high detection accuracy; malware with anti-virtualization, anti-debugging and anti-tracing capabilities cannot discover the analysis and detection environment that the invention uses.
The object of the invention is achieved as follows. A dynamic malware detection method based on a virtual machine and sensitive Native API call perception is characterised in that:
The detection model is divided into two stages, a training stage and a detection stage; the training stage builds the classifier, and the detection stage performs the detection of malware.
In the training stage, the Native API call sequence of each file in the sample set is first obtained: the sample file is run in a clean analysis environment for a fixed-length time and its Native API call sequence is recorded; the Native API call frequencies of its process behaviour, privilege behaviour, memory behaviour, registry behaviour, file behaviour and network behaviour are computed; and these data are used to train the classifier. The trained classifier distinguishes malware from normal files.
In the detection stage, the file under test is run in the clean analysis environment; its Native API call frequencies for process, privilege, memory, registry, file and network behaviour within the fixed-length time are counted; and the classifier trained in the training stage classifies the file, giving the result malware or normal file.
The invention consists of three parts: an analysis and detection environment built by customising Xen (used to run the analysis samples and monitor their Native API call sequences); a monitoring control program (used to run the automatic analysis and monitoring of samples in batches); and the training and detection program of the malware classifier (which trains the classifier with the Native API call frequency data of a limited set of samples and uses the trained classifier to detect unknown malware).
The invention runs the sample in the analysis and detection environment, monitors how frequently the Native APIs associated with its process behaviour, privilege behaviour, memory behaviour, registry behaviour, file behaviour and network behaviour are called within the same period of time, and uses these frequencies as features for a data-mining classification method that decides whether the sample is malware.
The model begins in the training stage by obtaining the Native API sequences of the sample set: each sample file is run in the clean analysis environment for a fixed-length time and its Native API sequence is recorded. A sample file makes a great many Native API calls, and many of them do not distinguish malware from normal files well, so we extract the Native API calls that are likely to be discriminative, based on a deep understanding of malware behaviour, compute their call frequencies within the fixed-length time, and use these data to train the classifier; the trained classifier can distinguish malware from normal files.
In the detection stage, the file under test is run in the clean analysis environment; its sensitive Native API call frequencies within the fixed-length time are counted; the classifier trained in the training stage classifies the file under test; and the result is malware or normal file.
The files referred to above are PE files.
Compared with traditional malware detection methods, the method of the invention has mainly the following characteristics:
1. It can detect unknown malware. Traditional signature-based malware detection can only detect malware whose signature has been identified by a specialist, but new malware grows exponentially, the workload of specialists identifying malware signatures grows considerably, and as the signature database grows day by day the detection speed of anti-virus software drops significantly while its consumption of system resources rises. The invention detects unknown malware by data mining, on the basis of learning the sensitive Native API call frequencies of existing malware; the learned classifier is relatively stable and at the same time has a high detection accuracy.
2. It can detect 0-day malware. Traditional signature-based detection has a window of vulnerability between the appearance of a piece of malware and the moment anti-virus software can detect and remove it, during which the malware may do serious damage; this poses a severe challenge to protection against computer malware. The method of the invention can detect malware at the moment it first appears and stop its spread early, before it proliferates across the Internet and causes serious damage.
3. The detection method is effective and stable. As malware technology develops, malware can take countermeasures against heuristic rules and patterns so that heuristic methods no longer detect it. But to propagate and do damage, malware must call Native APIs frequently, and this feature cannot be hidden. The method of the invention uses Native API call frequency as its feature, so the detection method can remain effective and stable in the long term.
4. It can resist packed, obfuscated, metamorphic and polymorphic malware. However malware is packed, encrypted or transformed, its core functionality is static and unchanged, and so are the Native API calls that implement that functionality. The invention uses Native API call frequency as its feature and can therefore detect malware after packing, obfuscation, metamorphism or polymorphism.
5. The features used are few and relatively stable. Traditional dynamic detection uses a Markov chain over the API call sequence as its feature; malware is very active, its API calls are frequent and dense, the feature set produced by sliding a Markov chain over the sequence is enormous, a relatively large number of features remains after filtering, the trained classifier is complex and detection is slow. The invention uses fewer than 100 sensitive Native APIs; the features are few and relatively fixed, and feature extraction and training are comparatively simple to implement.
6. A transparent analysis and detection environment. In traditional dynamic analysis environments the separation of privilege levels is unclear, and the results and execution times of some instructions differ from those in a real environment, so malware with anti-virtualization, anti-debugging and anti-tracing capabilities can detect that it is running in an analysis environment, hide its malicious behaviour and cause detection to fail; a small part of the malware can even break out of the virtual analysis environment and damage the host. The analysis and detection environment used by the invention is built by customising the hardware virtualization platform Xen: the privilege levels are cleanly separated, instructions execute directly on the CPU through hardware virtualization, execution results are the same as in a real environment, execution is fast, and the environment is truly transparent to malware.
7. The core of the platform is entirely open-source technology and can be further developed as required.
Finally, Table 1 gives a brief comparison and summary of the method of the invention, the traditional signature-based method and the traditional heuristic method based on code emulation.
Table 1. Comparison and summary of the method of the invention and the traditional methods
Brief description of the drawings
Fig. 1 is the malware detection model of the invention based on sensitive Native API call frequency perception.
Fig. 2 is the architecture diagram of the Native API analysis system of the invention.
Fig. 3 is the flow chart of the analysis process of the monitoring control program of the invention.
Detailed description
Detection model and basic idea:
The idea underlying the invention is that malware must have certain special functions, which create differences between the behaviour of malware and that of ordinary programs; monitoring program behaviour is therefore a feasible way of judging whether a program is malware. Malware differs from ordinary programs mainly in performing special actions to propagate and damage the system. Whether it is a binary executable virus, a script virus or a macro virus, each is a program, and it must call the functions the operating system provides to propagate itself and damage the system. All malicious behaviour of malware appears in code as API calls; if the API calls corresponding to those behaviours can be detected, the corresponding dynamic behaviour has been detected. Monitoring the API functions a program calls is therefore an effective way of monitoring its behaviour.
Through dynamic analysis and experimental analysis of malicious code (viruses, worms, Trojans) we find that propagation and damage by malicious code mainly show behavioural characteristics in six areas: process behaviour, privilege behaviour, memory behaviour, registry behaviour, file behaviour and network behaviour, all of which are carried out by calling the corresponding API functions. API functions are interfaces that Microsoft provides to users for application development and are not malicious in themselves; the APIs that malware calls are also called frequently by normal programs. But when the frequencies with which the APIs relevant to a program's process, privilege, memory, registry, file and network behaviour are called within the same period of time are considered together, there is good discrimination between malware and normal programs. The invention monitors each program's API call sequence, counts how often the API functions relevant to the six behaviour areas are called, and uses the counts as features for a data-mining method that decides whether the program is malware.
User-mode applications request basic system services by calling Win32 API functions; the main Win32 API functions are encapsulated in Kernel32.dll and Advapi32.dll, while the system services related to window management and drawing are implemented in User32.dll and Gdi32.dll respectively. A Win32 API function validates the parameters passed by the caller and then calls the corresponding Native API function in Ntdll.dll. The Native API is the set of Windows system service interfaces callable from user mode and kernel mode; the services are implemented by the operating system itself and are exported for calling from Ntdll.dll. For example, when an application calls the Win32 API CreateFile(), the call is eventually converted into a call to the Native API NtCreateFile(). The Win32 APIs provided in User32.dll, Advapi32.dll, Gdi32.dll, Rpcrt4.dll and Kernel32.dll provide the calling interface but not the implementation; they call the Native API in Ntdll.dll to carry out the function. Applications can call the Native API in Ntdll.dll directly, and kernel-mode code reaches the same system services directly, so if a program's API calls are to be monitored it is better to monitor the Native API calls directly: if only the Win32 API is monitored, a program that bypasses User32.dll, Advapi32.dll, Gdi32.dll, Rpcrt4.dll and Kernel32.dll and calls the Native API directly goes unmonitored.
The invention combines the sensitive Native API call frequencies of malware with a data-mining classification algorithm to build the dynamic malware detection model based on a virtual machine and sensitive Native API call perception shown in Fig. 1.
The detection model is divided into two stages, a training stage and a detection stage. The training stage builds the classifier, and the detection stage performs the detection of malware.
The model begins in the training stage by obtaining the Native API sequences of the sample set: each sample file is run in the clean analysis environment for a fixed-length time and its Native API sequence is recorded; the Native API call frequencies of its process behaviour, privilege behaviour, memory behaviour, registry behaviour, file behaviour and network behaviour are computed; and these data are used to train the classifier. The trained classifier can distinguish malware from normal files.
In the detection stage, the file under test is run in the clean analysis environment; its sensitive Native API call frequencies within the fixed-length time are counted; the classifier trained in the training stage classifies the file under test; and the result is malware or normal file.
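The two stages just described, as an added worked example that is not part of the patent and not the inventors' code: it turns a Native API call trace captured over the fixed-length window into the six-category call-frequency vector, trains a classifier on a constructed sample set, and classifies a new trace. Everything beyond the patent's outline is an assumption: the trace line format, the 30-second window, the category table (only the entries marked as such come from the patent's process-behaviour list; the privilege, memory, registry, file and network entries are our own choices), the constructed training profiles, and the nearest-centroid classifier, which the patent does not specify (it speaks only of a data-mining classification algorithm).

```python
"""Added example: six-category Native API call frequencies plus a small classifier.

Not the patent's code. Trace format, window length, category table (except the
five entries marked as taken from the patent), training profiles and the
classifier are all assumptions made for this illustration."""
from collections import Counter
from math import sqrt

CATEGORIES = ("process", "privilege", "memory", "registry", "file", "network")

SENSITIVE_API = {
    "NtOpenProcess": "process",          # in the patent's process-behaviour list
    "NtCreateProcessEx": "process",      # in the patent's process-behaviour list
    "NtCreateThread": "process",         # in the patent's process-behaviour list
    "NtQueueApcThread": "process",       # in the patent's process-behaviour list
    "NtTerminateProcess": "process",     # in the patent's process-behaviour list
    "NtPrivilegeCheck": "privilege",     # this and the rest: assumed assignments
    "NtSetInformationToken": "privilege",
    "NtAllocateVirtualMemory": "memory",
    "NtWriteVirtualMemory": "memory",
    "NtProtectVirtualMemory": "memory",
    "NtCreateKey": "registry",
    "NtSetValueKey": "registry",
    "NtCreateFile": "file",
    "NtWriteFile": "file",
    "NtDeviceIoControlFile": "network",  # Winsock traffic on XP reaches AFD through this call
}

WINDOW_MS = 30_000  # fixed-length run time; the patent gives no value, 30 s is assumed


def parse_trace(text):
    """Parse trace lines '<ms since launch> <NtXxx>' (our own format) into tuples."""
    calls = []
    for line in text.strip().splitlines():
        ms, api = line.split()
        calls.append((int(ms), api))
    return calls


def call_frequencies(calls, window_ms=WINDOW_MS):
    """Calls per second in each of the six categories.

    Only sensitive APIs count and only calls inside the window: the sample is
    killed when the timer expires, so later lines are teardown noise."""
    counts = Counter()
    for ms, api in calls:
        if ms < window_ms and api in SENSITIVE_API:
            counts[SENSITIVE_API[api]] += 1
    return [counts[c] * 1000.0 / window_ms for c in CATEGORIES]


def train(samples):
    """Nearest-centroid classifier over standardised features.

    samples: list of (feature_vector, label). Each feature is scaled by the
    training mean and standard deviation so that a busy category such as
    network I/O cannot swamp a quiet one such as privilege manipulation."""
    n, dims = len(samples), len(CATEGORIES)
    mean = [sum(v[i] for v, _ in samples) / n for i in range(dims)]
    std = [sqrt(sum((v[i] - mean[i]) ** 2 for v, _ in samples) / n) or 1.0
           for i in range(dims)]

    def scale(v):
        return [(v[i] - mean[i]) / std[i] for i in range(dims)]

    centroids = {}
    for label in sorted({lab for _, lab in samples}):
        vs = [scale(v) for v, lab in samples if lab == label]
        centroids[label] = [sum(x[i] for x in vs) / len(vs) for i in range(dims)]
    return {"scale": scale, "centroids": centroids}


def classify(model, features):
    """Label of the closest centroid in standardised feature space."""
    x = model["scale"](features)
    return min(model["centroids"],
               key=lambda lab: sqrt(sum((a - b) ** 2
                                        for a, b in zip(x, model["centroids"][lab]))))


def synth_trace(counts, window_ms=WINDOW_MS):
    """Constructed trace text: each API's calls spread evenly across the window."""
    lines = [(i * window_ms // n, api) for api, n in counts.items() for i in range(n)]
    return "\n".join("%d %s" % (ms, api) for ms, api in sorted(lines))


# Constructed training profiles (call counts within the window), not measured
# data: the malware rows are busy in every category, the normal rows touch
# files and memory only and spend their time waiting (NtWaitForSingleObject
# is not in the table and so contributes nothing).
TRAINING = [
    ({"NtOpenProcess": 60, "NtWriteVirtualMemory": 40, "NtCreateKey": 10, "NtSetValueKey": 12,
      "NtCreateFile": 80, "NtWriteFile": 70, "NtDeviceIoControlFile": 200,
      "NtPrivilegeCheck": 8}, "malware"),
    ({"NtOpenProcess": 45, "NtQueueApcThread": 30, "NtAllocateVirtualMemory": 50,
      "NtSetValueKey": 20, "NtCreateFile": 60, "NtDeviceIoControlFile": 150}, "malware"),
    ({"NtCreateFile": 12, "NtWriteFile": 4, "NtAllocateVirtualMemory": 15, "NtCreateKey": 1,
      "NtWaitForSingleObject": 300}, "normal"),
    ({"NtCreateFile": 20, "NtWriteFile": 10, "NtAllocateVirtualMemory": 20,
      "NtDeviceIoControlFile": 5}, "normal"),
]


def build_model():
    """Training stage over the constructed profiles."""
    return train([(call_frequencies(parse_trace(synth_trace(c))), lab) for c, lab in TRAINING])


def detect(trace_text, model=None):
    """Detection stage: frequencies of the file under test, then the trained classifier."""
    return classify(model or build_model(), call_frequencies(parse_trace(trace_text)))
```

In a real deployment TRAINING would be replaced by the frequency vectors the hypervisor monitor produces for the 843-sample set, and the window length must be the same in training and detection, since the features are rates over that window. With only four constructed profiles the centroids are a caricature; the structure (fixed window, sensitive-API filter, per-feature standardisation, one classifier call per file) is the part worth keeping.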
Although heuristic detection based on code emulation has been widely used, as malware has evolved some malware has acquired anti-virtualization, anti-debugging and anti-tracing capabilities, giving this method a low detection rate and a high miss rate. The dynamic malware detection method that the invention builds on a virtual machine and sensitive Native API call perception realises a transparent detection and analysis environment; the features it extracts are relatively few and fixed compared with other methods and have higher discriminative power; and the trained classifier is relatively simple and has high accuracy and performance.
Description of the method:
1. Implementation of the analysis and detection environment based on customised Xen:
1) Existing malware analysis systems and their problems:
There are four basic types of dedicated virus analysis system: built on a real system; built on a software virtual machine; built on a system-level emulator such as Bochs or QEMU; and built on application-level virtualization. These analysis systems have the following problems.
Software-based virtualization can carry out most of the virtualization work, but the results of a few instructions differ from their results on a real system. Some malware exploits these differences to detect whether it is running in a virtual environment; if it detects that it is, it changes its execution path and its malicious behaviour is hard to find. In addition, because of hardware limitations of the x86 architecture, the separation of privilege levels among the host operating system, the software virtual machine and the virtualized operating system is not very clear in software-based analysis systems; a small number of malware samples have been found to break out of the virtual machine and damage the host operating system, so absolute isolation of the virtualized operating system is not achieved.
Running malware on a real system is a more satisfactory environment, but it too has many problems: restoring the environment to a clean state is time-consuming; monitoring the execution of a single sample is easy, but monitoring the behaviour of malware in batches is hard, because the system must be restored to a clean state after every sample and the program is more complex to implement. A bigger problem is that to monitor malware behaviour a program must be written to hook Win32 API calls; since the monitoring program runs in the same system as the malware, much malware can detect the monitoring, change its execution path and hide its malicious behaviour. The same problem exists in virtual environments such as VMware and VirtualPC: because VMware and VirtualPC are not open source, the virtualization software cannot be modified to intercept and monitor the relevant operations, so the relevant events can only be hooked inside the virtualized operating system, and malware running in the virtualized operating system can detect those hooks.
When malware is executed in a virtual machine or an emulator, or on a real system with the relevant events hooked, the execution time is many times that on a real operating system. Malware need only compare the execution time of a code fragment to discover that it is being monitored; it then does not expose its malicious behaviour and the analysis fails.
To address the above problems, the invention customises the open-source virtual machine software Xen and realises a transparent analysis and detection environment.
2) Implementation of the analysis and detection environment based on the customised open-source hardware-virtualization platform Xen:
Xen is an open-source virtual machine monitor licensed under the GPL that serves as a virtualization technology for the Linux kernel. Xen sits between the operating system and the hardware and provides the operating system with a virtual hardware abstraction layer. A system containing Xen usually comprises three core components: the hypervisor, the guest kernels and the user programs. The hypervisor's task is to run the guest systems, which are also called domains. After Xen starts, one of the first things it does is load the Domain 0 kernel; Domain 0 is the first guest started and has higher privileges than the other guests, which are called Domain U (U for unprivileged). Xen runs at a level above all guest operating systems, and every guest operating system must go through the Xen hypervisor to access hardware.
From Xen's architecture it can be seen that there are two ways to run malware in the guest operating system (Windows XP) and monitor its behaviour:
First: hook the relevant events in code inside the guest operating system (Windows XP), record the malware's behaviour in the event handlers and send the results out through a communication program.
Second: customise Xen's code and monitor the malware's behaviour in the Xen hypervisor.
The problem with the first approach is that the malware and the hook program run together in the guest operating system (Windows XP), so the malware may detect that it is being monitored; moreover the hook program and the virtualization of the guest make the malware's running time many times what it would be on a real operating system. The second approach monitors in the Xen hypervisor, so even malware running at kernel level cannot discover the presence of the Xen hypervisor. To solve the problem of the malware's running time being lengthened in the virtual environment, the Xen hypervisor can measure the actual time the malware spends running on the hardware and adjust the guest operating system's clock accordingly, so that the malware cannot tell from timing whether it is in a virtual environment or being monitored.
The invention implements the second approach; the concrete implementation architecture is shown in Fig. 2.
The customised Xen virtualization software can perform the following monitoring:
A) monitor the Native API calls of the whole guest operating system (Windows XP), from which it can be seen whether any program shows abnormal behaviour;
B) monitor the Native API calls of a single program, which reveals that program's behaviour well;
C) monitor the dynamic instruction sequence of a single program, for fine-grained analysis of that program;
D) monitor the memory reads and writes of a single program;
E) perform generic unpacking by two methods.
The advantages of this analysis platform:
A) Based on hardware virtualization technology, the privilege levels of Xen, the Domain0 operating system and the DomainU operating system are separated, so malware cannot break out of the virtual machine. The virtualized operating system runs in ring 0 and its applications run in ring 3; through hardware virtualization the virtualized operating system executes instructions directly on the CPU, just as they would execute directly on hardware; the hardware virtualization instructions save the state of Xen and of the guest operating system and switch between them; instructions that would affect hardware state trap to the Xen hypervisor for handling; the Xen hypervisor runs at a higher privilege level than the guest operating system; and malware running in the guest cannot discover that it is being monitored.
B) Monitoring the Sysenter and Syscall instructions and the software interrupt Int 0x2E at the same time ensures that every Native API call path is under monitoring. Because it is the Native API that is monitored, calls of the Native API from kernel mode and from user mode, direct or indirect, are all under monitoring, which solves the coverage gap of most schemes that can only monitor Win32 API calls from user mode.
C) The platform measures the original hardware execution time of the instructions executed by the virtualized operating system and corrects the clock of the virtualized operating system by that original execution time, preventing malware from detecting, by timing a code fragment, whether it is being monitored or running in a virtual environment.
D) Virtualization is realised by hardware virtualization. Because the traditional x86 architecture was not suited to virtualization, most x86 virtual machine technologies implemented virtualization in software, making the virtualization software complex, large and inefficient; since 2006 the x86 architecture has added instruction support for hardware virtualization. The platform built by the invention is based on hardware virtualization, so the virtualization software is simpler in design and executes more efficiently.
E) The core of the platform is entirely open-source technology and can be further developed as required. The virtual machine software is the open-source Xen 3.1.0 and the operating system of the privileged domain Domain0 is the open-source Debian Linux lenny. Although the virtualized operating system, Windows XP SP3, is not open source, our monitoring is done in the Xen hypervisor, so the closed source of XP has no effect on the customisation.
2. Implementation of the monitoring control program:
As can be seen from Fig. 2, the monitoring control program runs in the management domain Dom0 (Debian Linux lenny), while the malware and normal file samples run in DomU (the virtualized XP operating system). The analysis control program implements sample transfer, the starting and stopping of monitoring, the starting and shutting down of DomU, the restoration of DomU to a clean state, and timing.
The flow of the monitoring control program is shown in Fig. 3, where DomU denotes the virtualized Windows XP SP3 operating system:
If there is a sample to analyse, DomU (the virtualized XP operating system) is first restored to a clean state, then DomU is started, the sample to be analysed is transferred into DomU, the monitoring program is started so that it monitors the sample's Native API calls, the sample is launched remotely and a timer is started; when the timer expires, execution of the sample is terminated remotely, the monitoring program is stopped and DomU is shut down. If there is a further sample to analyse, the process repeats from the beginning until all samples have been analysed.
Monitoring and Controlling program false code is achieved as follows:
procedure StartAnalysis();
(1)  repeat
(2)      obtain the sample file;
(3)      restore the image file of the virtualized system (Win XP) to the clean state;
(4)      start the virtualized system (Win XP);
(5)      transfer the sample into the virtualized system (Win XP);
(6)      start the Native API monitoring program;
(7)      run the transferred sample inside the virtualized operating system via a remote call;
(8)      Sleep(fixed-length time);
(9)      terminate the execution of the sample via a remote call;
(10)     stop the Native API monitoring program;
(11)     shut down the virtualized system (Win XP);
(12) until all samples have been analyzed.
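The loop above, written out as a Dom0 orchestrator. This is an added example, not the patent's own code: it drives the guest with the Xen `xl` toolstack (Xen 3.1.0 shipped `xm`, whose verbs are the same), and the image paths, the in-guest agent address, the `./push-sample` and `./remote-exec` helpers and the `./native-api-monitor` program are all assumed stand-ins for parts the description does not name. The command runner is injectable, so the sequencing can be exercised without a hypervisor; the point shown is that teardown (kill, stop monitor, destroy DomU) runs even when a setup step fails, so a crashing or hostile sample cannot leave a dirty guest for the next one.

```python
"""Sandbox orchestration loop in the shape of the patent's pseudocode (added example)."""
import subprocess
import time
from dataclasses import dataclass, field
from typing import Callable, List, Sequence

Runner = Callable[[Sequence[str]], int]   # executes one command, returns its exit status


def shell_runner(cmd: Sequence[str]) -> int:
    """Real runner for Dom0: execute the command and return its exit status."""
    return subprocess.run(list(cmd), check=False).returncode


@dataclass
class SandboxConfig:
    domain: str = "xp-sandbox"                                # DomU name (assumed)
    clean_snapshot: str = "/var/lib/xen/images/xp-clean.img"  # assumed paths
    work_image: str = "/var/lib/xen/images/xp-work.img"
    guest_agent: str = "192.168.122.10:9999"                  # hypothetical in-guest agent
    monitor: str = "./native-api-monitor"                     # hypothetical Dom0 monitor
    run_seconds: int = 60                                     # fixed-length time (1 minute in Table 3)


@dataclass
class SandboxResult:
    sample: str
    trace: str
    steps_ok: bool
    commands: List[Sequence[str]] = field(default_factory=list)


def analyse_one(sample: str, cfg: SandboxConfig, run: Runner,
                sleep: Callable[[float], None]) -> SandboxResult:
    """Steps (3)-(11) of the pseudocode for one sample.

    Every step is a command issued from Dom0, so nothing of the control logic
    is visible inside the guest.  Setup steps stop at the first failure; the
    teardown steps always run and their failures are still recorded.
    """
    trace = f"{sample}.trace"
    issued: List[Sequence[str]] = []

    def step(cmd: Sequence[str]) -> bool:
        issued.append(tuple(cmd))
        return run(cmd) == 0

    ok = True
    # (3) restore the clean image so every sample starts from the same state
    ok = ok and step(["cp", "--reflink=auto", cfg.clean_snapshot, cfg.work_image])
    # (4) start DomU
    ok = ok and step(["xl", "create", f"/etc/xen/{cfg.domain}.cfg"])
    # (5) push the sample to the in-guest agent
    ok = ok and step(["./push-sample", cfg.guest_agent, sample])
    # (6) start the hypervisor-side monitor before the sample runs so the
    #     first system calls are not missed
    ok = ok and step([cfg.monitor, "start", cfg.domain, "--out", trace])
    # (7) start the sample through the agent (remote call)
    ok = ok and step(["./remote-exec", cfg.guest_agent, "start", sample])
    # (8) let it run for the fixed-length time
    if ok:
        sleep(cfg.run_seconds)
    # (9)-(11) teardown: always executed, regardless of earlier failures
    teardown = [
        ["./remote-exec", cfg.guest_agent, "kill", sample],
        [cfg.monitor, "stop", cfg.domain],
        ["xl", "destroy", cfg.domain],
    ]
    for cmd in teardown:
        ok = step(cmd) and ok
    return SandboxResult(sample, trace, ok, issued)


def analyse_all(samples: Sequence[str], cfg: SandboxConfig,
                run: Runner = shell_runner,
                sleep: Callable[[float], None] = time.sleep) -> List[SandboxResult]:
    """Steps (1)-(12): the outer repeat ... until loop over all samples."""
    return [analyse_one(s, cfg, run, sleep) for s in samples]
```

With the real runner this is invoked as `analyse_all(["sample1.exe", "sample2.exe"], SandboxConfig())`; the `.trace` files it names are the per-sample Native API records consumed by the training stage. `xl destroy` is used rather than a graceful shutdown because the guest is disposable and a sample may have disabled the shutdown path.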
3. Implementation of the training and detection of the malware classifier
The implementation is divided into a training stage and a detection stage, as follows:
1) Training stage:
A) Obtain training samples: training samples are divided into malware samples and normal file samples. A real anti-virus product should obtain a large number of training samples; since our purpose is to verify the method, we obtained 350 normal PE files from the Windows system directory and the Program Files directory of an XP system that anti-virus software had checked to be virus-free, and downloaded 493 malware samples from the vxheavens.com website, 843 samples in total. The distribution of the malware is shown in the following table (see Table 2):
Table 2  Distribution of PE-format malware samples
Malware type    Worm    Trojan    Virus    Total
Quantity        137     156       200      493
B) Use the monitoring and control program to run each training sample file (843 in total) in the analysis and detection environment for the fixed-length time, and obtain the call frequencies of the Native APIs related to each sample's process behavior, privilege behavior, memory behavior, registry behavior, file behavior and network behavior. The monitored Native APIs are as follows:
Process behavior:
NtCreateEvent,NtQueryInformationToken,NtReleaseSemaphore,NtAdjustPrivilegesToken,NtImpersonateAnonymousToken,NtQueryInformationJobObject,NtReleaseMutant,NtDuplicateToken,NtDelayExecution,NtFindAtom,NtQueryInformationAtom,NtWaitForSingleObject,NtYieldExecution,NtAddAtom,NtDuplicateObject,NtWaitForMultipleObjects,NtQueryObject,NtCreateMutant,NtRegisterThreadTerminatePort,NtSetContextThread,NtGetContextThread,NtQueueApcThread,NtSetThreadExecutionState,NtTerminateProcess,NtOpenProcess,NtTerminateThread,NtQueryInformationProcess,NtSetInformationProcess,NtQueryInformationThread,NtOpenThreadTokenEx,NtOpenProcessTokenEx,NtOpenThreadToken,NtOpenProcessToken,NtCreateThread,NtResumeThread,NtCreateProcessEx,NtSetInformationThread,NtCreateSemaphore,NtReplyPort,NtRequestPort,NtCreatePort,NtCompleteConnectPort,NtReadRequestData,NtReplyWaitReceivePortEx,NtSecureConnectPort,NtRequestWaitReplyPort,NtConnectPort;
Privilege behavior:
NtSetEvent,NtOpenKeyedEvent,NtAllocateUuids,NtAccessCheckByType,NtQueryTimer,NtQueryTimerResolution,NtCancelTimer,NtQueryInstallUILanguage,NtAllocateLocallyUniqueId,NtSetInformationObject,NtQueryDefaultUILanguage,NtTestAlert,NtFlushInstructionCache,NtQueryDefaultLocale,NtSetTimer,NtRaiseHardError,NtQuerySecurityObject,NtCreateIoCompletion,NtOpenEvent,NtQuerySystemInformation,NtSetEventBoostPriority,NtQueryPerformanceCounter,NtAccessCheck,NtClearEvent,NtQuerySystemTime,NtQueryDebugFilterState,NtOpenSymbolicLinkObject,NtQuerySymbolicLinkObject,NtQueryEvent,NtRaiseException,NtRemoveIoCompletion;
Memory behavior:
NtQuerySection,NtOpenSection,NtMapViewOfSection,NtUnmapViewOfSection,NtCreateSection,NtReadVirtualMemory,NtProtectVirtualMemory,NtQueryVirtualMemory,NtWriteVirtualMemory,NtLockVirtualMemory,NtFlushVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory;
Registry behavior:
NtNotifyChangeMultipleKeys,NtSetValueKey,NtDeleteKey,NtDeleteValueKey,NtCreateKey,NtQueryValueKey,NtOpenKey,NtQueryKey,NtEnumerateValueKey,NtNotifyChangeKey,NtEnumerateKey;
File behavior:
NtQueryFullAttributesFile,NtReadFile,NtFlushBuffersFile,NtAreMappedFilesTheSame,NtOpenDirectoryObject,NtUnlockFile,NtLockFile,NtQueryInformationFile,NtOpenFile,NtCreateFile,NtDeviceIoControlFile,NtQueryAttributesFile,NtQueryDirectoryFile,NtSetInformationFile,NtQueryVolumeInformationFile,NtWriteFile,NtFsControlFile;
Network behavior:
LISTEN,RECV,SEND,DNS_LOOKUP,CONNECT
(The five network items are socket-level events rather than Nt* system call names; the description does not specify how they are derived from the monitored calls.)
C) Using the call frequencies of the sensitive Native APIs as features, train four classifiers with four classification algorithms of the WEKA data mining software: J48 (the WEKA implementation of C4.5 release 8), RandomForest, Bagging (J48) and AdaBoostM1 (J48). The malware detection accuracy of the four trained classifiers is similar, all above 93.9%, so any one of them may be selected.
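Steps B) and C) in code: from a per-sample Native API trace to the frequency feature vector, and from there to an ARFF file, the input format of WEKA's J48, RandomForest, Bagging and AdaBoostM1. This is an added example, not the patent's code. The trace line format (`<seconds> <pid> <NtXxx or network event>`) is an assumption, the two traces are constructed, and the per-behavior API lists are abridged from the full lists above (the complete lists slot into the same dictionary). Two details matter for the feature to be comparable across samples: only calls inside the fixed-length window are counted, and unmonitored APIs are ignored rather than added as stray columns.

```python
"""Native API trace -> six-behavior frequency vector -> WEKA ARFF (added example)."""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Behavior groups in the order used above; lists abridged from the page's full lists.
BEHAVIORS: Dict[str, List[str]] = {
    "process":   ["NtOpenProcess", "NtCreateProcessEx", "NtCreateThread", "NtResumeThread",
                  "NtQueueApcThread", "NtSetContextThread", "NtTerminateProcess",
                  "NtAdjustPrivilegesToken"],
    "privilege": ["NtQuerySystemInformation", "NtAccessCheck", "NtSetTimer",
                  "NtQuerySystemTime", "NtQueryPerformanceCounter", "NtRaiseHardError"],
    "memory":    ["NtAllocateVirtualMemory", "NtProtectVirtualMemory", "NtWriteVirtualMemory",
                  "NtReadVirtualMemory", "NtMapViewOfSection", "NtCreateSection"],
    "registry":  ["NtOpenKey", "NtCreateKey", "NtSetValueKey", "NtQueryValueKey", "NtDeleteKey"],
    "file":      ["NtCreateFile", "NtOpenFile", "NtReadFile", "NtWriteFile",
                  "NtSetInformationFile", "NtDeviceIoControlFile"],
    "network":   ["LISTEN", "RECV", "SEND", "DNS_LOOKUP", "CONNECT"],
}
FEATURE_NAMES: List[str] = [api for apis in BEHAVIORS.values() for api in apis]
API_TO_BEHAVIOR: Dict[str, str] = {api: b for b, apis in BEHAVIORS.items() for api in apis}


def parse_trace(lines: Iterable[str], window_seconds: float) -> Counter:
    """Count calls of monitored APIs that fall inside the fixed-length window.

    Unmonitored APIs are ignored; events stamped after the window (a monitor
    may flush late) are dropped so every sample is measured over the same time.
    """
    counts: Counter = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue                      # blank or malformed line
        stamp, _pid, api = parts
        try:
            t = float(stamp)
        except ValueError:
            continue
        if t > window_seconds or api not in API_TO_BEHAVIOR:
            continue
        counts[api] += 1
    return counts


def feature_vector(counts: Counter) -> List[int]:
    """Per-API call frequency in the fixed FEATURE_NAMES order (the classifier input)."""
    return [counts[name] for name in FEATURE_NAMES]


def behavior_totals(counts: Counter) -> Dict[str, int]:
    """Per-behavior sums, useful for eyeballing a sample before classification."""
    totals = {b: 0 for b in BEHAVIORS}
    for api, n in counts.items():
        totals[API_TO_BEHAVIOR[api]] += n
    return totals


def to_arff(rows: List[Tuple[List[int], str]], relation: str = "native_api_freq") -> str:
    """Serialize labelled vectors as ARFF for WEKA (numeric attributes + nominal class)."""
    out = [f"@RELATION {relation}", ""]
    out += [f"@ATTRIBUTE {name} NUMERIC" for name in FEATURE_NAMES]
    out.append("@ATTRIBUTE class {malware,normal}")
    out += ["", "@DATA"]
    for vec, label in rows:
        out.append(",".join(str(v) for v in vec) + "," + label)
    return "\n".join(out) + "\n"


# Constructed traces (not captured data): a dropper-like sample that injects into
# another process, sets a registry value and talks to the network, and a quiet one.
MALICIOUS_TRACE = """\
0.01 1204 NtCreateFile
0.02 1204 NtWriteFile
0.05 1204 NtOpenKey
0.05 1204 NtSetValueKey
0.30 1204 NtOpenProcess
0.31 1204 NtAllocateVirtualMemory
0.31 1204 NtWriteVirtualMemory
0.32 1204 NtCreateThread
1.10 1204 DNS_LOOKUP
1.20 1204 CONNECT
1.25 1204 SEND
75.0 1204 NtSetValueKey
"""   # the 75.0 s event lies outside a 60 s window and must be dropped
BENIGN_TRACE = """\
0.01 1500 NtOpenKey
0.02 1500 NtQueryValueKey
0.03 1500 NtCreateFile
0.04 1500 NtReadFile
0.04 1500 NtReadFile
0.90 1500 NtQuerySystemTime
"""


def build_training_arff(window_seconds: float = 60) -> str:
    """Feature-extract both constructed traces and emit the ARFF WEKA would train on."""
    rows = [
        (feature_vector(parse_trace(MALICIOUS_TRACE.splitlines(), window_seconds)), "malware"),
        (feature_vector(parse_trace(BENIGN_TRACE.splitlines(), window_seconds)), "normal"),
    ]
    return to_arff(rows)
```

The ARFF produced by `build_training_arff()` loads directly into WEKA, where `weka.classifiers.trees.J48`, `RandomForest`, `meta.Bagging` and `meta.AdaBoostM1` (the latter two with J48 as base learner) can be trained on it without further conversion.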
2) Detection stage:
For a PE file to be detected, use the monitoring and control program to run the file in the analysis and detection environment for the fixed-length time, obtain the call frequencies of the Native APIs related to its process behavior, privilege behavior, memory behavior, registry behavior, file behavior and network behavior, and classify it with any of the trained classifiers using the monitored Native API call frequencies as features. The classification result is either malware or normal file.
3) Experimental results:
The results of 10-fold cross-validation of the above method over the 843 samples are as follows (see Table 3):
Table 3  Malware detection results with a 1-minute analysis time per sample
[Table 3: image not available in text form]
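The evaluation protocol behind Table 3, as an added example that is not the patent's code or WEKA's: a stratified 10-fold split over the 843 samples, a classifier trained on nine folds and tested on the tenth, and the pooled predictions turned into accuracy plus the two rates a malware evaluation should also report, detection rate (malware recall) and false-positive rate (normal files flagged). The classifier is a nearest-centroid rule, assumed here only so the block runs without WEKA; the six features are the per-behavior totals, and the data set is constructed with the page's class sizes (493 malware, 350 normal), not the original samples.

```python
"""Stratified 10-fold cross-validation with per-class rates (added example)."""
import random
from typing import Dict, List, Sequence, Tuple

Sample = Tuple[List[float], str]   # (feature vector, "malware" | "normal")


def stratified_folds(data: Sequence[Sample], k: int, seed: int = 0) -> List[List[int]]:
    """Split indices into k folds, keeping each class's share in every fold."""
    rng = random.Random(seed)
    by_class: Dict[str, List[int]] = {}
    for i, (_, label) in enumerate(data):
        by_class.setdefault(label, []).append(i)
    folds: List[List[int]] = [[] for _ in range(k)]
    for idxs in by_class.values():
        rng.shuffle(idxs)
        for j, i in enumerate(idxs):
            folds[j % k].append(i)
    return folds


def train_centroids(train: Sequence[Sample]) -> Dict[str, List[float]]:
    """Stand-in learner: mean feature vector per class (assumed, not J48)."""
    sums: Dict[str, List[float]] = {}
    n: Dict[str, int] = {}
    for vec, label in train:
        acc = sums.setdefault(label, [0.0] * len(vec))
        for d, v in enumerate(vec):
            acc[d] += v
        n[label] = n.get(label, 0) + 1
    return {lab: [s / n[lab] for s in acc] for lab, acc in sums.items()}


def predict(centroids: Dict[str, List[float]], vec: Sequence[float]) -> str:
    """Assign the class whose centroid is nearest in Euclidean distance."""
    def dist2(c: Sequence[float]) -> float:
        return sum((a - b) ** 2 for a, b in zip(c, vec))
    return min(centroids, key=lambda lab: dist2(centroids[lab]))


def cross_validate(data: Sequence[Sample], k: int = 10, seed: int = 0) -> Dict[str, float]:
    """Train on k-1 folds, test on the held-out fold, pool predictions over all folds.

    Training data never includes the held-out fold, so the figures are
    estimates of behaviour on unseen files rather than training accuracy.
    """
    folds = stratified_folds(data, k, seed)
    tp = fn = fp = tn = 0
    for held in folds:
        held_set = set(held)
        train = [s for i, s in enumerate(data) if i not in held_set]
        model = train_centroids(train)
        for i in held:
            vec, truth = data[i]
            flagged = predict(model, vec) == "malware"
            if truth == "malware":
                tp += flagged
                fn += not flagged
            else:
                fp += flagged
                tn += not flagged
    total = tp + fn + fp + tn
    return {
        "accuracy": (tp + tn) / total,
        "detection_rate": tp / (tp + fn),         # malware correctly flagged
        "false_positive_rate": fp / (fp + tn),    # normal files wrongly flagged
    }


def synthetic_dataset(n_malware: int = 493, n_normal: int = 350, seed: int = 1) -> List[Sample]:
    """Constructed data with the page's class sizes: six behavior-total features
    (process, privilege, memory, registry, file, network), malware drawn with
    higher process/memory/registry/network activity.  Not the original samples."""
    rng = random.Random(seed)
    data: List[Sample] = []
    for _ in range(n_malware):
        data.append(([rng.gauss(m, 3) for m in (12, 4, 10, 8, 15, 6)], "malware"))
    for _ in range(n_normal):
        data.append(([rng.gauss(m, 3) for m in (4, 5, 3, 6, 14, 1)], "normal"))
    return data
```

Usage is `cross_validate(synthetic_dataset(), k=10)`. Stratification matters with the page's 493/350 split: an unstratified split can leave a fold with few normal files, which makes the false-positive rate of that fold noisy and the pooled accuracy dominated by the malware class.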

Claims (3)

1. A dynamic malware detection method based on a virtual machine and sensitive Native API call perception, characterized in that:
The detection model is divided into 2 stages: a training stage and a detection stage; the training stage completes the construction of the classifier, and the detection stage completes the detection of malware;
In the training stage, the Native API sequences of the sample file set are first obtained: each sample file is executed in a clean analysis environment for a fixed-length time and its Native API sequence is recorded; the Native API call frequencies of its process behavior, privilege behavior, memory behavior, registry behavior, file behavior and network behavior are counted, and these data are then used to train the classifier; the trained classifier serves to distinguish malware from normal files;
In the detection stage, the file to be examined is executed in the clean analysis environment, its Native API call frequencies for process behavior, privilege behavior, memory behavior, registry behavior, file behavior and network behavior within the fixed-length time are counted, and the classifier trained in the training stage is used to classify the file, giving the result malware or normal file.
2. The dynamic malware detection method based on a virtual machine and sensitive Native API call perception according to claim 1, characterized in that: the detection model is based on an analysis and detection environment built by secondary development of Xen; the file is a Windows-platform PE file.
3. The dynamic malware detection method based on a virtual machine and sensitive Native API call perception according to claim 1 or 2, characterized in that: the process behavior, privilege behavior, memory behavior, registry behavior, file behavior and network behavior of the file are respectively as follows:
Process behavior:
NtCreateEvent,NtQueryInformationToken,NtReleaseSemaphore,NtAdjustPrivilegesToken,NtImpersonateAnonymousToken,NtQueryInformationJobObject,NtReleaseMutant,NtDuplicateToken,NtDelayExecution,NtFindAtom,NtQueryInformationAtom,NtWaitForSingleObject,NtYieldExecution,NtAddAtom,NtDuplicateObject,NtWaitForMultipleObjects,NtQueryObject,NtCreateMutant,NtRegisterThreadTerminatePort,NtSetContextThread,NtGetContextThread,NtQueueApcThread,NtSetThreadExecutionState,NtTerminateProcess,NtOpenProcess,NtTerminateThread,NtQueryInformationProcess,NtSetInformationProcess,NtQueryInformationThread,NtOpenThreadTokenEx,NtOpenProcessTokenEx,NtOpenThreadToken,NtOpenProcessToken,NtCreateThread,NtResumeThread,NtCreateProcessEx,NtSetInformationThread,NtCreateSemaphore,NtReplyPort,NtRequestPort,NtCreatePort,NtCompleteConnectPort,NtReadRequestData,NtReplyWaitReceivePortEx,NtSecureConnectPort,NtRequestWaitReplyPort,NtConnectPort;
Privilege behavior:
NtSetEvent,NtOpenKeyedEvent,NtAllocateUuids,NtAccessCheckByType,NtQueryTimer,NtQueryTimerResolution,NtCancelTimer,NtQueryInstallUILanguage,NtAllocateLocallyUniqueId,NtSetInformationObject,NtQueryDefaultUILanguage,NtTestAlert,NtFlushInstructionCache,NtQueryDefaultLocale,NtSetTimer,NtRaiseHardError,NtQuerySecurityObject,NtCreateIoCompletion,NtOpenEvent,NtQuerySystemInformation,NtSetEventBoostPriority,NtQueryPerformanceCounter,NtAccessCheck,NtClearEvent,NtQuerySystemTime,NtQueryDebugFilterState,NtOpenSymbolicLinkObject,NtQuerySymbolicLinkObject,NtQueryEvent,NtRaiseException,NtRemoveIoCompletion;
Memory behavior:
NtQuerySection,NtOpenSection,NtMapViewOfSection,NtUnmapViewOfSection,NtCreateSection,NtReadVirtualMemory,NtProtectVirtualMemory,NtQueryVirtualMemory,NtWriteVirtualMemory,NtLockVirtualMemory,NtFlushVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory;
Registry behavior:
NtNotifyChangeMultipleKeys,NtSetValueKey,NtDeleteKey,NtDeleteValueKey,NtCreateKey,NtQueryValueKey,NtOpenKey,NtQueryKey,NtEnumerateValueKey,NtNotifyChangeKey,NtEnumerateKey;
File behavior:
NtQueryFullAttributesFile,NtReadFile,NtFlushBuffersFile,NtAreMappedFilesTheSame,NtOpenDirectoryObject,NtUnlockFile,NtLockFile,NtQueryInformationFile,NtOpenFile,NtCreateFile,NtDeviceIoControlFile,NtQueryAttributesFile,NtQueryDirectoryFile,NtSetInformationFile,NtQueryVolumeInformationFile,NtWriteFile,NtFsControlFile;
Network behavior:
LISTEN,RECV,SEND,DNS_LOOKUP,CONNECT;
In the training stage:
Obtaining training samples: a sufficient number of training samples should be obtained, divided into malware samples and normal file samples;
In training the classifier, four classification algorithms of the WEKA data mining software, J48, RandomForest, Bagging (J48) and AdaBoostM1 (J48), are used to train four classifiers;
In the detection stage:
Obtain the Native API call frequencies of the process behavior, privilege behavior, memory behavior, registry behavior, file behavior and network behavior of the file to be examined within the fixed-length time, classify the file with any of the trained classifiers, and the classification result is malware or normal file.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2011100263696A CN102034050A (en) 2011-01-25 2011-01-25 Dynamic malicious software detection method based on virtual machine and sensitive Native application programming interface (API) calling perception

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2011100263696A CN102034050A (en) 2011-01-25 2011-01-25 Dynamic malicious software detection method based on virtual machine and sensitive Native application programming interface (API) calling perception

Publications (1)

Publication Number Publication Date
CN102034050A (en) 2011-04-27

Family

ID=43886930

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2011100263696A Pending CN102034050A (en) 2011-01-25 2011-01-25 Dynamic malicious software detection method based on virtual machine and sensitive Native application programming interface (API) calling perception

Country Status (1)

Country Link
CN (1) CN102034050A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1731310A (en) * 2005-08-04 2006-02-08 西安交通大学 Intrusion detection method for host under Windows environment
CN1875607A (en) * 2003-04-17 2006-12-06 迈克非公司 Api system, method and computer program product for accessing content/security analysis functionality in a mobile communication framework
CN101183418A (en) * 2007-12-25 2008-05-21 北京大学 Windows concealed malevolence software detection method
CN101341491A (en) * 2005-12-20 2009-01-07 西姆毕恩软件有限公司 Malicious software detection in a computing device
CN101388057A (en) * 2008-10-07 2009-03-18 珠海金山软件股份有限公司 Method for preventing Trojan for web page
US20100251340A1 (en) * 2009-03-27 2010-09-30 Wavemarket, Inc. System and method for managing third party application program access to user information via a native application program interface (api)

Cited By (71)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102289616A (en) * 2011-06-30 2011-12-21 北京邮电大学 Method and system for guarding against malicious system resource invasion in mobile intelligent terminal
CN102355519A (en) * 2011-06-30 2012-02-15 北京邮电大学 Malicious call dialing prevention method for mobile intelligent terminal and system thereof
US9465941B2 (en) 2011-08-09 2016-10-11 Huawei Technologies Co., Ltd. Method, system, and apparatus for detecting malicious code
CN102254120A (en) * 2011-08-09 2011-11-23 成都市华为赛门铁克科技有限公司 Method, system and relevant device for detecting malicious codes
CN102254120B (en) * 2011-08-09 2014-05-21 华为数字技术(成都)有限公司 Method, system and relevant device for detecting malicious codes
CN103136475A (en) * 2011-11-29 2013-06-05 姚纪卫 Method and device for detecting computer viruses
CN103136475B (en) * 2011-11-29 2017-07-04 姚纪卫 A kind of method and apparatus for checking computer virus
CN102902700A (en) * 2012-04-05 2013-01-30 中国人民解放军国防科学技术大学 Online-increment evolution topic model based automatic software classifying method
CN102902700B (en) * 2012-04-05 2015-02-25 中国人民解放军国防科学技术大学 Online-increment evolution topic model based automatic software classifying method
CN102722672B (en) * 2012-06-04 2015-10-14 北京奇虎科技有限公司 A kind of method and device detecting running environment authenticity
CN102722672A (en) * 2012-06-04 2012-10-10 奇智软件(北京)有限公司 Method and device for detecting authenticity of operating environment
CN102750475B (en) * 2012-06-07 2017-08-15 中国电子科技集团公司第三十研究所 Malicious code behavioral value method and system are compared based on view intersection inside and outside virtual machine
CN102750475A (en) * 2012-06-07 2012-10-24 中国电子科技集团公司第三十研究所 Detection method and system for cross comparison of malicious code of interior and exterior view based on virtual machine
CN102750484A (en) * 2012-06-28 2012-10-24 腾讯科技(深圳)有限公司 Method and device for preventing virus sample self-checking
CN102801579A (en) * 2012-06-29 2012-11-28 杭州华三通信技术有限公司 Method and device for continuously monitoring VMWare events
CN102801579B (en) * 2012-06-29 2015-12-02 杭州华三通信技术有限公司 A kind of method and apparatus of continuous monitoring VMWare event
CN103218566A (en) * 2013-01-25 2013-07-24 江南大学 Active defense system based on Android platform software behavior detection
CN104252447A (en) * 2013-06-27 2014-12-31 贝壳网际(北京)安全技术有限公司 File behavior analysis method and device
CN103428212A (en) * 2013-08-08 2013-12-04 电子科技大学 Malicious code detection and defense method
CN103632099B (en) * 2013-09-29 2016-08-17 广州华多网络科技有限公司 The Native api function acquisition methods do not derived and device
CN103632099A (en) * 2013-09-29 2014-03-12 广州华多网络科技有限公司 Underived Native API function acquiring method and device
CN103530118A (en) * 2013-09-30 2014-01-22 广州华多网络科技有限公司 Method and device for loading user-defined DLL into target progress
CN103530118B (en) * 2013-09-30 2017-01-11 广州华多网络科技有限公司 Method and device for loading user-defined DLL into target progress
CN103646086A (en) * 2013-12-13 2014-03-19 北京奇虎科技有限公司 Junk file cleaning method and device
CN103646086B (en) * 2013-12-13 2017-01-25 北京奇虎科技有限公司 Junk file cleaning method and device
CN104751052A (en) * 2013-12-30 2015-07-01 南京理工大学常熟研究院有限公司 Dynamic behavior analysis method for mobile intelligent terminal software based on support vector machine algorithm
CN104200161A (en) * 2014-08-05 2014-12-10 杭州安恒信息技术有限公司 Method for achieving intelligent sandbox file detection and intelligent sandbox detection system based on method
CN104200161B (en) * 2014-08-05 2017-01-25 杭州安恒信息技术有限公司 Method for achieving intelligent sandbox file detection and intelligent sandbox detection system based on method
CN104346570A (en) * 2014-12-01 2015-02-11 西安邮电大学 Trojan horse decision system based on dynamic code sequence tracking analysis
CN105760760A (en) * 2015-01-05 2016-07-13 润钜股份有限公司 Intelligent device and method for dynamically detecting application program and computer program product
CN104766011B (en) * 2015-03-26 2017-09-12 国家电网公司 The sandbox detection alarm method and system of Intrusion Detection based on host feature
CN104766011A (en) * 2015-03-26 2015-07-08 国家电网公司 Sandbox detection alarming method and system based on main engine characteristic
CN107690627A (en) * 2015-06-01 2018-02-13 高通股份有限公司 Cross module behavior is verified
CN108093652A (en) * 2015-06-27 2018-05-29 迈克菲有限责任公司 The simulation of application
CN105046152A (en) * 2015-07-24 2015-11-11 四川大学 Function call graph fingerprint based malicious software detection method
CN105046152B (en) * 2015-07-24 2018-01-26 四川大学 Malware detection method based on function call graph fingerprint
CN108351936A (en) * 2015-11-11 2018-07-31 高通股份有限公司 The program of detection virtual machine or emulator is evaded
CN108351936B (en) * 2015-11-11 2021-11-23 高通股份有限公司 Detecting program circumvention of virtual machines or emulators
CN106709336A (en) * 2015-11-18 2017-05-24 腾讯科技(深圳)有限公司 Method and apparatus for identifying malware
US10635812B2 (en) 2015-11-18 2020-04-28 Tencent Technology (Shenzhen) Company Limited Method and apparatus for identifying malicious software
CN105975851B (en) * 2016-04-27 2019-02-12 珠海豹趣科技有限公司 A kind of process handling method and device
CN105975851A (en) * 2016-04-27 2016-09-28 北京金山安全软件有限公司 Process processing method and device
CN107483386A (en) * 2016-06-08 2017-12-15 阿里巴巴集团控股有限公司 Analyze the method and device of network data
CN106503552A (en) * 2016-09-19 2017-03-15 南京邮电大学 The Android malware detecting system that is excavated with pattern of traffic based on signature and method
CN106709349A (en) * 2016-12-15 2017-05-24 中国人民解放军国防科学技术大学 Multi-dimension behavior characteristic-based malicious code classification method
CN106709349B (en) * 2016-12-15 2019-10-29 中国人民解放军国防科学技术大学 A kind of malicious code classification method based on various dimensions behavioural characteristic
CN108345795A (en) * 2017-01-23 2018-07-31 西普霍特公司 System and method for the Malware that detects and classify
CN108345795B (en) * 2017-01-23 2021-12-07 西普霍特公司 System and method for detecting and classifying malware
CN107169355B (en) * 2017-04-28 2020-05-08 北京理工大学 Worm homology analysis method and device
CN107169355A (en) * 2017-04-28 2017-09-15 北京理工大学 A kind of worm homology analysis method and apparatus
CN108959951A (en) * 2017-05-19 2018-12-07 北京瑞星网安技术股份有限公司 Method, apparatus, equipment and the readable storage medium storing program for executing of document security protection
CN107590382A (en) * 2017-09-29 2018-01-16 杭州安恒信息技术有限公司 A kind of malware detection analysis method and device based on virtual machine Dynamic Execution
CN112585662A (en) * 2018-06-26 2021-03-30 西门子股份公司 Method and system for automatically sharing process knowledge
CN109101815A (en) * 2018-07-27 2018-12-28 平安科技(深圳)有限公司 A kind of malware detection method and relevant device
CN109101815B (en) * 2018-07-27 2023-04-07 平安科技(深圳)有限公司 Malicious software detection method and related equipment
CN109033839A (en) * 2018-08-10 2018-12-18 天津理工大学 A kind of malware detection method based on dynamic multiple features
CN109409089A (en) * 2018-09-28 2019-03-01 西安电子科技大学 A kind of Windows ciphering type examined oneself based on virtual machine extorts software detecting method
CN109409089B (en) * 2018-09-28 2021-11-23 西安电子科技大学 Windows encryption type Lego software detection method based on virtual machine introspection
CN110362995A (en) * 2019-05-31 2019-10-22 电子科技大学成都学院 It is a kind of based on inversely with the malware detection of machine learning and analysis system
CN110334511A (en) * 2019-06-21 2019-10-15 南京航空航天大学 A kind of Android malware detection methods based on virtualization
CN112395602B (en) * 2019-08-15 2022-09-30 奇安信安全技术(珠海)有限公司 Processing method, device and system for static security feature database
CN112395602A (en) * 2019-08-15 2021-02-23 奇安信安全技术(珠海)有限公司 Processing method, device and system for static security feature database
CN110781081A (en) * 2019-10-12 2020-02-11 南京信息职业技术学院 Mobile application callback forced triggering method, system and storage medium
CN110781081B (en) * 2019-10-12 2024-04-09 南京信息职业技术学院 Mobile application callback forced triggering method, system and storage medium
CN112685737A (en) * 2020-12-24 2021-04-20 恒安嘉新(北京)科技股份公司 APP detection method, device, equipment and storage medium
CN113221109A (en) * 2021-03-30 2021-08-06 浙江工业大学 Intelligent malicious file analysis method based on generation countermeasure network
CN113221109B (en) * 2021-03-30 2022-06-28 浙江工业大学 Intelligent malicious file analysis method based on generation countermeasure network
CN113221112B (en) * 2021-05-28 2022-03-04 广州大学 Malicious behavior identification method, system and medium based on weak correlation integration strategy
CN113221112A (en) * 2021-05-28 2021-08-06 广州大学 Malicious behavior identification method, system and medium based on weak correlation integration strategy
CN113569244A (en) * 2021-09-18 2021-10-29 成都数默科技有限公司 Memory malicious code detection method based on processor tracking
CN113569244B (en) * 2021-09-18 2021-12-03 成都数默科技有限公司 Memory malicious code detection method based on processor tracking

Similar Documents

Publication Publication Date Title
CN102034050A (en) Dynamic malicious software detection method based on virtual machine and sensitive Native application programming interface (API) calling perception
Sihwail et al. A survey on malware analysis techniques: Static, dynamic, hybrid and memory analysis
Wilhelm et al. A forced sampled execution approach to kernel rootkit identification
Carmony et al. Extract Me If You Can: Abusing PDF Parsers in Malware Detectors.
US9917855B1 (en) Mixed analysys-based virtual machine sandbox
Azmandian et al. Virtual machine monitor-based lightweight intrusion detection
Canfora et al. Acquiring and analyzing app metrics for effective mobile malware detection
Blackthorne et al. {AVLeak}: Fingerprinting Antivirus Emulators through {Black-Box} Testing
Rathnayaka et al. An efficient approach for advanced malware analysis using memory forensic technique
Lengyel et al. Virtual machine introspection in a hybrid honeypot architecture.
Ho et al. PREC: practical root exploit containment for android devices
Choudhary et al. A simple method for detection of metamorphic malware using dynamic analysis and text mining
CN106778266A (en) A kind of Android Malware dynamic testing method based on machine learning
Musavi et al. Back to static analysis for kernel-level rootkit detection
Pektaş et al. A dynamic malware analyzer against virtual machine aware malicious software
Copty et al. Accurate malware detection by extreme abstraction
Druffel et al. Davinci: Android app analysis beyond frida via dynamic system call instrumentation
Salehi et al. Detecting malicious applications using system services request behavior
Sihag et al. Opcode n-gram based malware classification in android
Salehi et al. Android malware detection using Markov Chain model of application behaviors in requesting system services
Lee et al. Kernel-level rootkits features to train learning models against namespace attacks on containers
Papazis et al. Detecting indicators of deception in emulated monitoring systems
Reeves Autoscopy Jr.: Intrusion detection for embedded control systems
Jia et al. Findevasion: an effective environment-sensitive malware detection system for the cloud
Toldinas et al. Rootkit detection experiment within a virtual environment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20110427