CN102592080A - Flash malicious file detection method and flash malicious file detection device - Google Patents

Info

Publication number
CN102592080A
Authority
CN
China
Prior art keywords
flash
file
virtual machine
malice
machine bytecode
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2011104422687A
Other languages
Chinese (zh)
Other versions
CN102592080B (en)
Inventor
宋申雷
张聪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd
Priority to CN201110442268.7A
Publication of CN102592080A
Application granted
Publication of CN102592080B
Legal status: Active
Anticipated expiration

Abstract

The invention provides a Flash malicious file detection method comprising the steps of: parsing a Flash file and extracting the virtual machine bytecode from it; matching the virtual machine bytecode against characteristic bytecodes; if it matches, counting the number of times the virtual machine bytecode occurs; and determining the Flash file to be a malicious file if that number exceeds a threshold. The invention further provides a Flash malicious file detection device for implementing the method. The method and the device achieve high detection efficiency and high detection precision.

Description

Flash malicious file detection method and device
Technical field
The present application relates to the technical field of data security, and in particular to a Flash malicious file detection method and device.
Background
Adobe Flash Player can quickly play small image files of all kinds, such as multimedia animations, interactive animations and flying logos, and is widely used in browsers on operating systems and on some mobile devices. For this reason, some publishers of malicious programs exploit vulnerabilities in Adobe Flash Player itself and add malicious files to Flash files. When a user plays such a Flash file, an executable malicious file is downloaded automatically; it can then actively connect to a specified server on the Internet and download other malicious programs such as viruses and Trojans. In the end the computer system is fully controlled, which seriously threatens the system and information security of the computer user.
At present, a common way to scan Flash files for viruses is to compute the unique MD5 hash of the Flash file and compare it with the MD5 hashes of previously collected Flash files that contain malicious files. If the hashes match, the Flash file is a malicious file; if they do not match, the Flash file is a normal file. However, any difference in the code of a Flash file also changes its MD5 hash. So for one and the same malicious file, the publisher only has to add some meaningless, differing code to it to make the MD5 hash different. If the variants of all malicious files cannot be enumerated exhaustively when the statistics are collected, malicious Flash files cannot be identified accurately. And even if they could be enumerated, a large number of MD5 hashes would have to be computed, which undoubtedly increases the workload and reduces the efficiency of identification and detection.
Summary of the invention
The technical problem to be solved by the present application is to provide a Flash malicious file detection method and device that solve the problem of low efficiency and precision in Flash file detection.
To solve the above problem, the present application discloses a Flash malicious file detection method, comprising the following steps:
parsing the Flash file and extracting the virtual machine bytecode in it;
matching the virtual machine bytecode against characteristic bytecodes; if it matches, counting the number of times the virtual machine bytecode occurs; and if that number exceeds a threshold, determining that the Flash file is a malicious file.
Further, parsing the Flash file and extracting the virtual machine bytecode in it comprises:
parsing the key ActionScript-related tag sections in the Flash file;
analyzing the data structure of the key tag sections and extracting the virtual machine bytecode in them by reverse parsing.
Further, the method also comprises determining the characteristic bytecodes, the specific process comprising:
reverse-parsing malicious Flash files and normal Flash files according to the data structure of the Flash file, and extracting the virtual machine bytecode in them;
collecting the virtual machine bytecodes whose probability of occurrence in malicious Flash files is greater than or equal to a normal value, but which do not exist in normal Flash files or whose probability of occurrence there is less than the normal value;
determining the virtual machine bytecodes so collected to be the characteristic bytecodes.
Further, matching the virtual machine bytecode against the characteristic bytecodes and, if it matches, counting the number of times the virtual machine bytecode occurs comprises:
if the virtual machine bytecode matches one of the characteristic bytecodes and the number of occurrences exceeds the threshold, stopping the subsequent matching against the other characteristic bytecodes; or
if the virtual machine bytecode matches one of the characteristic bytecodes and the number of occurrences exceeds the threshold, continuing to match the virtual machine bytecode against the remaining characteristic bytecodes.
Further, after the Flash file is determined to be a malicious file, the method also comprises returning the detection result and/or processing the Flash file.
Further, processing the Flash file comprises one or more of the following:
deleting the Flash file;
isolating the Flash file;
marking the Flash file as a suspicious file;
setting a security level for the Flash file.
Further, matching the virtual machine bytecode against the characteristic bytecodes and counting the number of times the virtual machine bytecode occurs are implemented by discriminant functions whose parameters are the characteristic bytecodes. The judgment process is: substituting the virtual machine bytecode into the different discriminant functions, matching it against the parameter of each discriminant function and counting the number of occurrences.
Further, the virtual machine bytecode comprises character strings or integer values, and the characteristic bytecodes comprise character strings or integer values. After the virtual machine bytecode is extracted, all character strings in it are assembled into one array and all integer values into another array, and the two arrays are judged, respectively, with the discriminant functions that take character strings as parameters and with the discriminant functions that take integer values as parameters.
To solve the above problem, the present application also discloses a Flash malicious file detection device, comprising:
a virtual machine bytecode extraction module, used for parsing the Flash file and extracting the virtual machine bytecode in it;
a judgment module, used for matching the virtual machine bytecode against characteristic bytecodes; if it matches, counting the number of times the virtual machine bytecode occurs; and if that number exceeds a threshold, determining that the Flash file is a malicious file.
Further, the virtual machine bytecode extraction module comprises:
a parsing unit, used for parsing the key ActionScript-related tag sections in the Flash file;
an analysis unit, used for analyzing the data structure of the key tag sections and extracting the virtual machine bytecode in them by reverse parsing.
Further, the device also comprises a characteristic bytecode determination module, used for determining the characteristic bytecodes, the characteristic bytecode determination module comprising:
a parsing unit, used for reverse-parsing malicious Flash files and normal Flash files according to the data structure of the Flash file, and extracting the virtual machine bytecode in them;
a statistics unit, used for collecting the virtual machine bytecodes whose probability of occurrence in malicious Flash files is greater than or equal to a normal value, but which do not exist in normal Flash files or whose probability of occurrence there is less than the normal value, and determining the virtual machine bytecodes so collected to be the characteristic bytecodes.
Further, the device also comprises:
a result processing module, used for returning the detection result and/or processing the Flash file after the Flash file is determined to be a malicious file.
Further, the processing of the Flash file by the result processing module comprises one or more of the following:
deleting the Flash file;
isolating the Flash file;
marking the Flash file as a suspicious file;
setting a security level for the Flash file.
Further, the judgment module comprises:
a discriminant function unit, which judges by means of discriminant functions whose parameters are the characteristic bytecodes. The judgment process is: substituting the virtual machine bytecode into the different discriminant functions, matching it against the parameter of each discriminant function and counting the number of occurrences.
Compared with the prior art, the present application has the following advantages:
The Flash malicious file detection method of the present application reverse-parses the Flash file to obtain the relatively stable virtual machine bytecode in it, and compares this with the virtual machine bytecode extracted from malicious files in order to identify and detect the Flash file. The virtual machine bytecode itself carries meaning and serves as the signature of the Flash file; even if other meaningless code is added to a malicious file, the virtual machine bytecode in it is not affected. Therefore, once the virtual machine bytecode has been extracted from a large number of collected malicious files, these malicious files can still be accurately identified and detected even when variants of them appear, without exhaustively enumerating the variants, which improves the accuracy and efficiency of malicious file identification and detection.
In addition, even if the malicious code in some malicious file is unknown, the file can be detected by the method of the present application as long as it contains virtual machine bytecodes found in the statistics collected in advance on malicious files. The Flash malicious file detection of the present application can therefore detect known malicious files and, to a certain extent, unknown malicious files as well.
Further, when the virtual machine bytecode is a character string or an integer value, the encryption methods that malicious files may use can be analyzed in advance and introduced into the detection process, so that the detection parameters can be encrypted in real time. This ensures that an accurate match is still possible even if the virtual machine bytecode extracted from the Flash file under inspection is encrypted data, which improves the detection precision.
Description of drawings
Fig. 1 is a flow chart of embodiment one of the Flash malicious file detection method of the present application;
Fig. 2 is a schematic structural diagram of embodiment one of the Flash malicious file detection device of the present application.
Detailed description of the embodiments
To make the above objects, features and advantages of the present application more apparent and easier to understand, the application is described in further detail below with reference to the drawings and embodiments.
Referring to Fig. 1, embodiment one of the Flash malicious file detection method of the present application is shown, comprising the following steps:
Step 101: parse the Flash file and extract the virtual machine bytecode in it.
A Flash file is organized as a structure of tags (Tag). A frame in a Flash file is made up of some tags containing graphics data and some tags containing sound data, and there are also tags containing ActionScript code. ActionScript is the programming language of the Adobe Flash Player runtime environment and follows ECMAScript, 4th edition; it provides interactivity, data processing and other functions in Flash content and applications. Adobe Flash Player has a built-in AVM virtual machine, which translates the ActionScript bytecode (ActionScript Bytecode) in the Flash file into the corresponding instructions for the platform at hand and then runs them.
When the Flash file is parsed, the virtual machine bytecode in it is preferably extracted as follows: parse the key ActionScript-related tag sections in the Flash file; analyze the data structure of the key tag sections and, following the officially documented format, extract the virtual machine bytecode (Adobe AVM ByteCode) in them by reverse parsing. It will be understood that other approaches can also be used, for example reading from the relevant positions in the Flash file. Common virtual machine bytecode includes character strings and integer values; it will be understood that other types of bytecode can also be extracted if needed, and the present application places no limit on this.
Step 102: match the virtual machine bytecode against the characteristic bytecodes; if it matches, count the number of times the virtual machine bytecode occurs; if that number exceeds a threshold, determine that the Flash file is a malicious file.
The characteristic bytecodes are obtained by collecting a large number of malicious Flash files in advance, analyzing the data in them and then comparing with normal Flash files. The specific determination process comprises the following steps:
reverse-parsing malicious Flash files and normal Flash files according to the data structure of the Flash file, and extracting the virtual machine bytecode in them;
collecting the virtual machine bytecodes whose probability of occurrence in malicious Flash files is greater than or equal to a normal value, but which do not exist in normal Flash files or whose probability of occurrence there is less than the normal value;
determining the virtual machine bytecodes so collected to be the characteristic bytecodes.
Here, the normal value can be an empirical value determined from a large amount of data.
Preferably, the matching of the virtual machine bytecode against the characteristic bytecodes and the counting of the occurrences of the virtual machine bytecode can be carried out automatically by the system. For example, once the predetermined parameters have been determined, corresponding code can be written for each predetermined parameter and threshold. At judgment time it is only necessary to use this code to perform the matching, count the number of times the virtual machine bytecode occurs in the Flash file and compare that number with the threshold. That is, all predetermined parameters are regarded as a series of strong features of malicious Flash files, and other conditions are added to form judgment rules. The virtual machine bytecode is judged against the judgment rules; if the condition of any one judgment rule is met, the Flash file is considered to contain a strong feature that only malicious Flash files have, that is, the Flash file is considered to be a malicious file.
Some virtual machine bytecodes may match a characteristic bytecode, which shows that they are bytecodes commonly found in malicious files; yet they may also exist in normal files, only with a lower probability of occurrence. Setting a threshold therefore avoids misjudgment, that is, it avoids treating a normal file as a malicious file.
The foregoing method is described in detail below with reference to specific examples.
Suppose that the characteristic bytecodes determined when statistics were collected on malicious Flash files in advance comprise character strings and integer values. Each characteristic bytecode corresponds to one discriminant function and serves as the parameter of that function. The discriminant functions corresponding to all the character strings form one group, and the discriminant functions corresponding to all the integer values form another group.
When malicious Flash file detection is to be carried out, the virtual machine bytecode is first extracted from the Flash file under inspection; all character strings in it are assembled into one array and all integer values into another array. Each character string in the string array is substituted into the discriminant functions corresponding to all the character strings for judgment, and each integer value in the integer array is substituted into the discriminant functions corresponding to all the integer values for judgment. The judgment process is as in step 102 of the foregoing embodiment.
It will be understood that as long as one character string or integer value in the virtual machine bytecode extracted from the Flash file under inspection matches the parameter of a discriminant function, and its number of occurrences is greater than the threshold, the Flash file is considered to be a malicious file. At this point the judgment can stop and the result can be returned so that the user can choose how to proceed, or the malicious file can be deleted directly. Preferably, to improve detection accuracy, the other character strings or integer values can also continue to be substituted into the other discriminant functions for judgment.
Preferably, because some malicious files encrypt the character strings or integer values in them, when determining the characteristic bytecodes the present application can also analyze in advance the encryption methods that malicious files may use and introduce those encryption methods into the discriminant function, so that a characteristic bytecode and the encrypted forms of that characteristic bytecode all serve as parameters of one discriminant function. During detection, if a character string or integer value extracted from the Flash file under inspection matches any one of these parameters, the condition of this discriminant function is considered satisfied. Therefore, even if the character string or integer value extracted from the Flash file under inspection is encrypted data, an accurate match is still possible, which improves the detection precision.
The foregoing judgment process is described in detail below with reference to specific discriminant functions.
Example one: suppose prior analysis shows that the int-type characteristic bytecode "0x90909090" essentially never occurs in normal Flash files, whereas in malicious Flash files, because of special code-compilation requirements, it occurs many times. In that case "0x90909090" can be used as the parameter, a threshold can be set for the number of occurrences, and the following discriminant function can be written:
Figure BDA0000125036690000071
This source code counts the number of times the int-type parameter 0x90909090 occurs in the virtual machine bytecode of the Flash file under inspection. When the number of occurrences of this parameter exceeds a threshold, a virtual machine bytecode feature is matched and the Flash file under inspection is considered to be a malicious file.
Example two: key strings in malicious Flash files are often encrypted with XOR encryption, so the encryption can be added to the discriminant function to carry out the judgment. The discriminant function is written as follows:
Figure BDA0000125036690000091
This source code turns one character string that executes a malicious command into 256 XOR-encrypted character strings, and can intelligently match the encrypted malicious commands that commonly occur in malicious Flash files. As long as the malicious command matches any one of the 256 character strings, the Flash file can be judged to be a malicious file, which improves the accuracy of the detection result. Misjudgments caused by whether or not the data is encrypted are avoided. At the same time, a single discriminant function suffices; there is no need to add multiple functions and judge repeatedly, which saves detection time and space.
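The two listings referred to above survive on this page only as figure placeholders. The following Python sketch is an added example, not the patent's source code: it carries out step 101 (reading the integer and string constants from the ActionScript 3 tags of a SWF file) and both kinds of discriminant function from examples one and two. The function names, the threshold of 5, the placeholder string `EXAMPLE-MARKER`, substring matching and the restriction to uncompressed (FWS) and zlib-compressed (CWS) files are assumptions; the tag codes 72 and 82 and the constant-pool layout follow Adobe's published SWF and AVM2 specifications.

```python
import struct
import zlib

TAG_DOABC_RAW, TAG_DOABC = 72, 82  # SWF tags that carry AVM2 (ActionScript 3) bytecode

def read_u32(buf, pos):
    """Decode one ABC variable-length integer: 7 bits per byte, high bit = continue."""
    value = 0
    for shift in range(0, 35, 7):
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            break
    return value & 0xFFFFFFFF, pos

def swf_tags(data):
    """Yield (tag_code, body) for each tag of an FWS or CWS (zlib) file."""
    if data[:3] == b"CWS":                   # everything after the 8-byte header is zlib
        data = data[:8] + zlib.decompress(data[8:])
    elif data[:3] != b"FWS":
        raise ValueError("unsupported SWF signature")
    nbits = data[8] >> 3                     # RECT: 5-bit field width, then 4 fields
    pos = 8 + (5 + 4 * nbits + 7) // 8 + 4   # skip RECT, frame rate, frame count
    while pos + 2 <= len(data):
        (code_len,) = struct.unpack_from("<H", data, pos)
        pos += 2
        code, length = code_len >> 6, code_len & 0x3F
        if length == 0x3F:                   # long form: 32-bit length follows
            (length,) = struct.unpack_from("<I", data, pos)
            pos += 4
        if pos + length > len(data):
            raise ValueError("truncated tag")
        yield code, data[pos:pos + length]
        pos += length

def abc_constants(abc):
    """Return (ints, strings) from the constant pool that opens an ABC block."""
    pos, ints, strings = 4, [], []           # skip minor/major version
    for _pool in ("int", "uint"):
        count, pos = read_u32(abc, pos)
        for _ in range(max(count - 1, 0)):   # entry 0 is implicit, so count - 1 follow
            value, pos = read_u32(abc, pos)
            ints.append(value)               # kept as unsigned 32-bit patterns
    count, pos = read_u32(abc, pos)
    pos += 8 * max(count - 1, 0)             # doubles: fixed 8 bytes each, not used here
    count, pos = read_u32(abc, pos)
    for _ in range(max(count - 1, 0)):
        size, pos = read_u32(abc, pos)
        strings.append(abc[pos:pos + size])
        pos += size
    return ints, strings

def extract(data):
    """Step 101: gather every integer and string constant into two arrays."""
    ints, strings = [], []
    for code, body in swf_tags(data):
        if code == TAG_DOABC:                # 4-byte flags + NUL-terminated name, then ABC
            body = body[body.index(b"\0", 4) + 1:]
        elif code != TAG_DOABC_RAW:
            continue
        for pool, found in zip((ints, strings), abc_constants(body)):
            pool.extend(found)
    return ints, strings

def int_rule(value, threshold):
    """Discriminant function whose parameter is an integer characteristic bytecode."""
    return lambda ints, strings: ints.count(value) > threshold

def xor_string_rule(plain, threshold=0):
    """String parameter expanded to its 256 single-byte XOR forms (key 0 = plaintext)."""
    variants = [bytes(b ^ key for b in plain) for key in range(256)]
    return lambda ints, strings: sum(any(v in s for v in variants) for s in strings) > threshold

def is_malicious(data, rules):
    """Step 102: malicious if any rule's occurrence count exceeds its threshold."""
    ints, strings = extract(data)
    return any(rule(ints, strings) for rule in rules)

def _u32(v):
    out = b""
    while v > 0x7F:
        out += bytes([(v & 0x7F) | 0x80])
        v >>= 7
    return out + bytes([v])

def build_sample(ints, strings, compress=False):
    """Constructed input: a minimal SWF with one DoABC tag holding only a constant pool."""
    abc = struct.pack("<HH", 16, 46) + _u32(len(ints) + 1) + b"".join(map(_u32, ints))
    abc += _u32(0) + _u32(0) + _u32(len(strings) + 1) + b"".join(_u32(len(s)) + s for s in strings)
    body = struct.pack("<I", 0) + b"\0" + abc
    tag = struct.pack("<HI", (TAG_DOABC << 6) | 0x3F, len(body)) + body
    rest = b"\x00" + b"\x00\x0c\x01\x00" + tag + b"\x00\x00"   # RECT, rate, count, End
    header = struct.pack("<3sBI", b"CWS" if compress else b"FWS", 10, 8 + len(rest))
    return header + (zlib.compress(rest) if compress else rest)

# Constructed rules: the threshold and the marker string are assumptions, not patent values.
RULES = [int_rule(0x90909090, threshold=5), xor_string_rule(b"EXAMPLE-MARKER")]
if __name__ == "__main__":
    print(is_malicious(build_sample([0x90909090] * 6, [b"hello"], compress=True), RULES))
```

Because the rules run on the parsed constant pool rather than on the raw file bytes, padding the file with unrelated tags or recompressing it changes the MD5 hash but not the verdict, which is the property the description relies on.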
Referring to Fig. 2, embodiment one of a Flash malicious file detection device of the present application is shown, comprising a virtual machine bytecode extraction module 10 and a judgment module 20.
The virtual machine bytecode extraction module 10 is used for parsing the Flash file and extracting the virtual machine bytecode in it. Preferably, the virtual machine bytecode extraction module comprises a parsing unit and an analysis unit. The parsing unit is used for parsing the key ActionScript-related tag sections in the Flash file. The analysis unit is used for analyzing the data structure of the key tag sections and extracting the virtual machine bytecode in them by reverse parsing.
The judgment module 20 is used for matching the virtual machine bytecode against the characteristic bytecodes; if it matches, counting the number of times the virtual machine bytecode occurs; and if that number exceeds a threshold, determining that the Flash file is a malicious file. Preferably, the judgment module comprises a discriminant function unit, which judges by means of discriminant functions whose parameters are the characteristic bytecodes. The judgment process is: substituting the virtual machine bytecode into the different discriminant functions, matching it against the parameter of each discriminant function and counting the number of occurrences.
Preferably, the Flash malicious file detection device also comprises a characteristic bytecode determination module, used for determining the characteristic bytecodes. The characteristic bytecode determination module comprises a parsing unit and a statistics unit. The parsing unit is used for reverse-parsing malicious Flash files and normal Flash files according to the data structure of the Flash file, and extracting the virtual machine bytecode in them. The statistics unit is used for collecting the virtual machine bytecodes whose probability of occurrence in malicious Flash files is greater than or equal to a normal value, but which do not exist in normal Flash files or whose probability of occurrence there is less than the normal value, and determining the virtual machine bytecodes so collected to be the characteristic bytecodes.
Preferably, the Flash malicious file detection device also comprises a result processing module, used for returning the detection result and/or processing the Flash file after the Flash file is determined to be a malicious file. Processing the Flash file comprises one or more of the following: deleting the Flash file, isolating the Flash file, marking the Flash file as a suspicious file, and setting a security level for the Flash file.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the other embodiments, and for identical or similar parts the embodiments can be referred to one another. The device embodiment is described relatively briefly because it is substantially similar to the method embodiment; for the relevant parts, refer to the corresponding description of the method embodiment.
The Flash malicious file detection method and device provided by the present application have been described in detail above. Specific examples are used herein to explain the principle and embodiments of the application, and the description of the above embodiments is only intended to help in understanding the method of the application and its core idea. At the same time, a person of ordinary skill in the art may, following the idea of the application, make changes to the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as limiting the present application.

Claims (14)

1. a f1ash malice file test method is characterized in that, may further comprise the steps:
The flash file is resolved, extract virtual machine bytecode wherein;
Said virtual machine bytecode and attribute byte sign indicating number are mated,, then add up the number of times that said virtual machine bytecode occurs,, confirm that then said flash file is the malice file if number of times surpasses threshold value if can mate.
2. flash malice file test method as claimed in claim 1 is characterized in that, the flash file is resolved, and the virtual machine bytecode that extracts wherein comprises:
Resolve the relevant crucial label section of ActionScript in the flash file;
The data structure of analysis of key label section, the reverse virtual machine bytecode that extracts wherein.
3. flash malice file test method as claimed in claim 1 is characterized in that, said method also comprises confirms the attribute byte sign indicating number, and detailed process comprises:
Data structure based on the flash file is carried out resolving inversely to malice flash file and normal flash file, extracts virtual machine bytecode wherein;
Statistics probability of occurrence in malice flash file is greater than or equal to normal value, but do not exist in the normal flash file or probability of occurrence less than the virtual machine bytecode of normal value;
The virtual machine bytecode of said statistics is confirmed as the attribute byte sign indicating number.
4. flash malice file test method as claimed in claim 1 is characterized in that, said said virtual machine bytecode and attribute byte sign indicating number is mated, if can mate, then adds up the number of times that said virtual machine bytecode occurs and comprises:
If virtual machine bytecode and one of them attribute byte sign indicating number coupling, and the number of times that occurs then stops follow-up and couplings other attribute byte sign indicating numbers above threshold value; Or
If virtual machine bytecode and one of them attribute byte sign indicating number coupling, and the number of times that occurs surpasses threshold value, will mate with the continuation of all the other attribute byte sign indicating numbers by the virtual machine bytecode.
5. flash malice file test method as claimed in claim 1 is characterized in that, the said flash file is confirmed as also comprises after the malice file and return testing result and/or said flash file is handled.
6. flash malice file test method as claimed in claim 5 is characterized in that, said to said flash file handle comprise following one or more:
Delete said flash file;
Isolate said flash file;
Said flash file is labeled as apocrypha;
For said flash file is set safe class.
7. like each described flash malice file test method of claim 1 to 6; It is characterized in that; Saidly time realize through discriminant function with what virtual machine bytecode and attribute byte sign indicating number mated and added up that the virtual machine bytecode occurs; The parameter of said discriminant function is the attribute byte sign indicating number, and said deterministic process is: with the different discriminant function of said virtual machine bytecode substitution, and mate and the statistics of occurrence number with the parameter in each discriminant function.
8. flash malice file test method as claimed in claim 7; It is characterized in that said virtual machine bytecode comprises character string or shaping string, said attribute byte sign indicating number comprises character string or shaping string; After extracting said virtual machine bytecode; Wherein all character strings are consisted of an array, and all shaping strings are formed an array, said two number groups are adopted respectively character string is judged as the discriminant function of parameter as the discriminant function and the employing shaping string of parameter.
9. a flash malice file pick-up unit is characterized in that, comprising:
Virtual machine bytecode extraction module is used for the flash file is resolved, and extracts virtual machine bytecode wherein;
Judge module is used for said virtual machine bytecode and attribute byte sign indicating number are mated, if can mate, then adds up the number of times that said virtual machine bytecode occurs, if number of times surpasses threshold value, confirms that then said flash file is the malice file.
10. flash malice file pick-up unit as claimed in claim 9 is characterized in that, said virtual machine bytecode extraction module comprises:
Resolution unit is used for resolving the relevant crucial label section of ActionScript of flash file;
Analytic unit is used for the data structure of analysis of key label section, the reverse virtual machine bytecode that extracts wherein.
11. flash malice file pick-up unit as claimed in claim 9 is characterized in that said device also comprises attribute byte sign indicating number determination module, is used for confirming the attribute byte sign indicating number, said attribute byte sign indicating number determination module comprises:
Resolution unit is used for based on the data structure of flash file malice flash file and normal flash file being carried out resolving inversely, extracts virtual machine bytecode wherein;
Statistic unit; Be used for statistics and be greater than or equal to normal value at malice flash file probability of occurrence; But do not exist in the normal flash file or probability of occurrence less than the virtual machine bytecode of normal value, and the virtual machine bytecode of said statistics confirmed as the attribute byte sign indicating number.
12. flash malice file pick-up unit as claimed in claim 9 is characterized in that said device also comprises:
The result treatment module is used for the flash file confirmed as and also comprises after the malice file and return testing result and/or said flash file is handled.
13. flash malice file pick-up unit as claimed in claim 12 is characterized in that, said result treatment module to said flash file handle comprise following one or more:
Delete said flash file;
Isolate said flash file;
Said flash file is labeled as apocrypha;
For said flash file is set safe class.
14. The flash malicious file detection device according to any one of claims 9 to 13, characterized in that the judging module comprises:
A discriminant function unit, configured to perform the judgment using discriminant functions whose parameters are the characteristic bytecodes, the judging process being: substituting the virtual machine bytecode into the different discriminant functions, matching it against the parameters in each discriminant function, and counting the number of occurrences.
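
The pipeline of claims 9, 10 and 14 (parse the ActionScript tag sections, match characteristic bytecodes, count, compare with a threshold), as an added Python example that is not code from the patent or its applicant. The tag codes 12, 59 and 82 come from the SWF file format rather than from the claims; the feature patterns, the threshold, the per-feature reading of "count exceeds threshold" and the helper `make_swf` are constructed assumptions.

```python
import struct
import zlib

SCRIPT_TAGS = {12, 59, 82}   # DoAction, DoInitAction, DoABC (SWF format, not the patent)

def script_tag_bodies(swf):
    """Yield the body of every ActionScript-bearing tag in an FWS/CWS file."""
    if swf[:3] not in (b"FWS", b"CWS") or len(swf) < 9:
        raise ValueError("not an FWS/CWS file")
    body = zlib.decompress(swf[8:]) if swf[:3] == b"CWS" else swf[8:]
    # Skip the bit-packed RECT (5-bit width + 4 fields), frame rate and frame count.
    pos = (5 + 4 * ((body[:1] or b"\0")[0] >> 3) + 7) // 8 + 4
    while pos + 2 <= len(body):
        (hdr,) = struct.unpack_from("<H", body, pos)
        code, length, pos = hdr >> 6, hdr & 0x3F, pos + 2
        if length == 0x3F:                       # long form: 32-bit length follows
            length = int.from_bytes(body[pos:pos + 4], "little")
            pos += 4
        if pos + length > len(body):             # malformed or truncated input
            raise ValueError("tag runs past end of file")
        if code == 0:                            # End tag
            return
        if code in SCRIPT_TAGS:
            yield body[pos:pos + length]
        pos += length

def judge(swf, features, threshold):
    """Return (is_malicious, counts); flag when any feature count exceeds threshold."""
    counts = dict.fromkeys(features, 0)
    for tag_body in script_tag_bodies(swf):
        for name, pattern in features.items():
            counts[name] += tag_body.count(pattern)   # non-overlapping matches
    return any(c > threshold for c in counts.values()), counts

def make_swf(tags, compress=False):
    """Build a constructed test SWF from (code, body) pairs, long tag headers only."""
    body = b"\x00" * 5                           # zero-size RECT, frame rate, frame count
    for code, data in tags:
        body += struct.pack("<HI", (code << 6) | 0x3F, len(data)) + data
    body += struct.pack("<H", 0)                 # End tag
    head = struct.pack("<BI", 10, 8 + len(body))
    return b"CWS" + head + zlib.compress(body) if compress else b"FWS" + head + body

# Constructed placeholder patterns and threshold, not real signatures.
FEATURES = {"feat_a": bytes.fromhex("deadbeef"), "feat_b": bytes.fromhex("c0ffee")}
THRESHOLD = 3
SUSPECT = make_swf([(82, bytes.fromhex("deadbeef") * 5), (12, b"\x00" * 8)], compress=True)
BENIGN = make_swf([(82, bytes.fromhex("deadbeef") + b"\x01\x02"), (9, bytes.fromhex("deadbeef") * 9)])
```

In `BENIGN` the pattern also sits nine times inside tag 9, which is not an ActionScript tag, so it is never counted; a truncated file raises `ValueError` rather than being silently judged clean.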
CN201110442268.7A 2011-12-26 2011-12-26 flash malicious file detection method and device Active CN102592080B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110442268.7A CN102592080B (en) 2011-12-26 2011-12-26 flash malicious file detection method and device

Publications (2)

Publication Number Publication Date
CN102592080A true CN102592080A (en) 2012-07-18
CN102592080B CN102592080B (en) 2015-11-11

Family

ID=46480702

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110442268.7A Active CN102592080B (en) 2011-12-26 2011-12-26 flash malicious file detection method and device

Country Status (1)

Country Link
CN (1) CN102592080B (en)

Also Published As

Publication number Publication date
CN102592080B (en) 2015-11-11

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant