CN102592080B - flash malicious file detection method and device - Google Patents


Info

Publication number
CN102592080B
Authority
CN
China
Prior art keywords
flash
file
virtual machine
flash file
machine bytecodes
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201110442268.7A
Other languages
Chinese (zh)
Other versions
CN102592080A (en)
Inventor
宋申雷
张聪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Beijing Qihoo Technology Co Ltd
Priority to CN201110442268.7A
Publication of CN102592080A
Application granted
Publication of CN102592080B

Landscapes

  • Storage Device Security (AREA)

Abstract

This application provides a flash malicious file detection method comprising the following steps: parsing a flash file and extracting the virtual machine bytecode in it; matching the virtual machine bytecode against attribute bytecodes and, if it matches, counting the number of times the virtual machine bytecode occurs; and, if the count exceeds a threshold, determining that the flash file is a malicious file. This application also provides a flash malicious file detection device that implements the method. The flash malicious file detection method and device of this application offer higher detection efficiency and precision.

Description

Flash malicious file detection method and device
Technical field
This application relates to the technical field of data security, and in particular to a flash malicious file detection method and device.
Background
Adobe Flash Player can quickly play all kinds of image files such as short multimedia animations, interactive animations and flying logos, and is widely used in browsers on operating systems and on some mobile devices. For this reason, some publishers of malicious programs exploit vulnerabilities in Adobe Flash Player itself and add malicious files to flash files. When a user plays such a flash file, an executable malicious file is downloaded automatically; it can then actively connect to a designated server on the Internet and download other malicious programs such as viruses and Trojans, until the computer system is completely controlled, which seriously threatens the system and information security of the computer user.
At present, a common virus detection method for flash files is to compute the unique MD5 hash value of the flash file and compare it with the MD5 hash values of previously collected flash files that contain malicious files. If a match is found, the flash file is a malicious file; if not, the flash file is a normal file. However, any difference in the code of a flash file also changes its MD5 hash value. So for one and the same malicious file, its publisher only has to add some meaningless, varying code to it and the MD5 hash value may differ. Because the variants of all malicious files cannot be exhaustively enumerated when collecting statistics, there will be cases in which a malicious flash file cannot be identified accurately. And even if they could be enumerated, a large number of MD5 hash values would have to be computed, which undoubtedly increases the workload and reduces the efficiency of detection.
Summary of the invention
The technical problem to be solved by this application is to provide a flash malicious file detection method and device that solve the problem of low efficiency and precision in flash file detection.
To solve the above problem, this application discloses a flash malicious file detection method comprising the following steps:
parsing a flash file and extracting the virtual machine bytecode in it;
matching the virtual machine bytecode against attribute bytecodes and, if it matches, counting the number of times the virtual machine bytecode occurs; if the count exceeds a threshold, determining that the flash file is a malicious file.
Further, parsing the flash file and extracting the virtual machine bytecode in it comprises:
parsing the key tag sections related to ActionScript in the flash file;
analyzing the data structure of the key tag sections and reverse-extracting the virtual machine bytecode in them.
Further, the method also comprises determining the attribute bytecodes, which specifically comprises:
reverse-parsing malicious flash files and normal flash files based on the data structure of flash files, and extracting the virtual machine bytecode in them;
collecting statistics on the virtual machine bytecodes whose probability of occurrence in malicious flash files is greater than or equal to a normal value, but which do not exist in normal flash files or whose probability of occurrence there is less than the normal value;
determining the virtual machine bytecodes so collected to be the attribute bytecodes.
Further, matching the virtual machine bytecode against the attribute bytecodes and, if it matches, counting the number of times the virtual machine bytecode occurs comprises:
if the virtual machine bytecode matches one of the attribute bytecodes and the number of occurrences exceeds the threshold, stopping subsequent matching against the other attribute bytecodes; or
if the virtual machine bytecode matches one of the attribute bytecodes and the number of occurrences exceeds the threshold, continuing to match the virtual machine bytecode against the remaining attribute bytecodes.
Further, after the flash file is determined to be a malicious file, the method also comprises returning the detection result and/or processing the flash file.
Further, processing the flash file comprises one or more of the following:
deleting the flash file;
isolating the flash file;
marking the flash file as a suspicious file;
setting a security level for the flash file.
Further, matching the virtual machine bytecode against the attribute bytecodes and counting the number of times the virtual machine bytecode occurs are implemented by discriminant functions whose parameters are the attribute bytecodes. The judgment process is: the virtual machine bytecode is substituted into the different discriminant functions, matched against the parameter of each discriminant function, and its occurrences are counted.
Further, the virtual machine bytecode comprises character strings or integer strings, and the attribute bytecodes comprise character strings or integer strings. After the virtual machine bytecode is extracted, all character strings in it are formed into one array and all integer strings into another array, and the two arrays are judged, respectively, with the discriminant functions that take character strings as parameters and the discriminant functions that take integer strings as parameters.
To solve the above problem, this application also discloses a flash malicious file detection device, comprising:
a virtual machine bytecode extraction module, configured to parse a flash file and extract the virtual machine bytecode in it;
a judgment module, configured to match the virtual machine bytecode against attribute bytecodes and, if it matches, count the number of times the virtual machine bytecode occurs and, if the count exceeds a threshold, determine that the flash file is a malicious file.
Further, the virtual machine bytecode extraction module comprises:
a parsing unit, configured to parse the key tag sections related to ActionScript in the flash file;
an analysis unit, configured to analyze the data structure of the key tag sections and reverse-extract the virtual machine bytecode in them.
Further, the device also comprises an attribute bytecode determination module, configured to determine the attribute bytecodes, which comprises:
a parsing unit, configured to reverse-parse malicious flash files and normal flash files based on the data structure of flash files and extract the virtual machine bytecode in them;
a statistics unit, configured to collect statistics on the virtual machine bytecodes whose probability of occurrence in malicious flash files is greater than or equal to a normal value, but which do not exist in normal flash files or whose probability of occurrence there is less than the normal value, and to determine the virtual machine bytecodes so collected to be the attribute bytecodes.
Further, the device also comprises:
a result processing module, configured to return the detection result and/or process the flash file after the flash file is determined to be a malicious file.
Further, the processing of the flash file by the result processing module comprises one or more of the following:
deleting the flash file;
isolating the flash file;
marking the flash file as a suspicious file;
setting a security level for the flash file.
Further, the judgment module comprises:
a discriminant function unit, which makes the judgment with discriminant functions whose parameters are the attribute bytecodes. The judgment process is: the virtual machine bytecode is substituted into the different discriminant functions, matched against the parameter of each discriminant function, and its occurrences are counted.
Compared with the prior art, this application has the following advantages:
The flash malicious file detection method of this application reverse-parses the flash file to obtain the relatively stable virtual machine bytecode in it, and identifies and detects the flash file by comparing that bytecode with the virtual machine bytecode extracted from malicious files. Virtual machine bytecode is meaningful in itself and serves as the signature of the flash file: even if other meaningless code is added to a malicious file, the virtual machine bytecode in it is not affected. Therefore, once a large number of malicious files have been collected and the virtual machine bytecode in them extracted, these malicious files can still be identified and detected accurately even if variants of them appear, with no need to exhaustively enumerate the variants, which improves the accuracy and efficiency of detection.
In addition, even if the malicious code in some malicious file is unknown, the file can be detected by the method of this application as long as it contains virtual machine bytecode found in the malicious files analyzed in advance. The flash malicious file detection of this application can therefore detect known malicious files and, to a certain extent, unknown malicious files as well.
Further, when the virtual machine bytecode is a character string or an integer string, the encryption methods that malicious files may use are analyzed in advance and introduced into the detection process, so that the detection parameters can be encrypted in real time. This ensures that even if the virtual machine bytecode extracted from the flash file under detection is encrypted data, it can still be matched accurately, which improves the precision of detection.
Brief description of the drawings
Fig. 1 is a flowchart of embodiment one of the flash malicious file detection method of this application;
Fig. 2 is a structural diagram of embodiment one of the flash malicious file detection device of this application.
Detailed description
To make the above objects, features and advantages of this application clearer, the application is described in further detail below with reference to the drawings and specific embodiments.
Referring to Fig. 1, embodiment one of the flash malicious file detection method of this application is shown, comprising the following steps:
Step 101: parse the flash file and extract the virtual machine bytecode in it.
A flash file is built from tags (Tag). The frames inside a flash file are made up of some tags containing graphics data and some tags containing audio data, and there are also tags containing ActionScript code. ActionScript is the programming language of the Adobe Flash Player runtime environment and follows ECMAScript, 4th edition; it implements interactivity, data processing and other functions in flash content and applications. Adobe Flash Player has a built-in AVM virtual machine, which converts the ActionScript bytecode (ActionScript Bytecode) inside a flash file into the corresponding instructions for the platform at hand and then runs them.
Parsing the flash file and extracting the virtual machine bytecode in it is preferably done as follows: parse the key tag sections related to ActionScript in the flash file; analyze the data structure of the key tag sections and reverse-extract the virtual machine bytecode (Adobe AVM ByteCode) in them according to the official file format documentation. It will be understood that other approaches can also be used, for example reading from the relevant positions in the flash file. Common virtual machine bytecode includes character strings and integer strings; it will be understood that other types of bytecode can be extracted if needed, and this application places no limit on this.
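Step 101 as an added Python example (not code from the patent): it walks the SWF tag stream, finds DoABC tags (code 82) and reads the integer and string constant pools of the ABC data, which correspond to the "integer strings" and "character strings" above. `MAX_BODY`, the function names and the sample file built by `build_sample_swf` are assumptions of this example; LZMA-compressed (`ZWS`) files are out of scope.

```python
import struct
import zlib

DOABC_TAG = 82               # DoABC tag code in the SWF file format specification
MAX_BODY = 64 * 1024 * 1024  # assumed cap on decompressed size


def read_varint(buf, pos):
    """Read an AVM2 variable-length u30/u32: 7 bits per byte, low bits first."""
    value = 0
    for shift in range(0, 35, 7):
        if pos >= len(buf):
            raise ValueError("truncated ABC data")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            break
    return value & 0xFFFFFFFF, pos


def parse_abc_pools(abc):
    """Return (ints, strings) from the constant pool at the start of ABC data."""
    pos = 4  # skip minor_version and major_version (u16 each)
    ints, strings = [], []
    for _pool in ("integer", "uinteger"):  # both kept as unsigned 32-bit values
        count, pos = read_varint(abc, pos)
        for _ in range(max(count - 1, 0)):  # entry 0 of each pool is implicit
            value, pos = read_varint(abc, pos)
            ints.append(value)
    count, pos = read_varint(abc, pos)
    pos += 8 * max(count - 1, 0)  # skip the double pool (8 bytes per entry)
    count, pos = read_varint(abc, pos)
    for _ in range(max(count - 1, 0)):
        size, pos = read_varint(abc, pos)
        if pos + size > len(abc):
            raise ValueError("string runs past end of ABC data")
        strings.append(bytes(abc[pos:pos + size]))  # raw bytes, maybe not UTF-8
        pos += size
    return ints, strings


def extract_pools(swf):
    """Collect constant-pool integers and strings from every DoABC tag."""
    if swf[:3] == b"CWS":    # zlib-compressed body after the 8-byte header
        body = zlib.decompressobj().decompress(swf[8:], MAX_BODY)
    elif swf[:3] == b"FWS":  # uncompressed body
        body = swf[8:]
    else:
        raise ValueError("unsupported SWF signature")
    if not body:
        raise ValueError("empty SWF body")
    nbits = body[0] >> 3                # RECT: 5-bit field width, then 4 fields
    pos = (5 + 4 * nbits + 7) // 8 + 4  # skip RECT, frame rate, frame count
    ints, strings = [], []
    while pos + 2 <= len(body):
        (header,) = struct.unpack_from("<H", body, pos)
        pos += 2
        code, length = header >> 6, header & 0x3F
        if length == 0x3F:              # long tag: 32-bit length follows
            if pos + 4 > len(body):
                raise ValueError("truncated tag header")
            (length,) = struct.unpack_from("<I", body, pos)
            pos += 4
        data = body[pos:pos + length]
        pos += length
        if code == 0:                   # End tag
            break
        if code == DOABC_TAG:
            name_end = data.index(b"\0", 4)  # u32 flags, NUL-terminated name
            tag_ints, tag_strings = parse_abc_pools(data[name_end + 1:])
            ints += tag_ints
            strings += tag_strings
    return ints, strings


def _enc(value):
    """Encode an unsigned value as an AVM2 variable-length integer."""
    out = bytearray()
    while value > 0x7F:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def build_sample_swf(ints, strings):
    """Build a constructed, minimal CWS file: one DoABC tag, constant pool only."""
    abc = struct.pack("<HH", 16, 46)  # minor, major version
    abc += _enc(len(ints) + 1) + b"".join(_enc(v) for v in ints)
    abc += _enc(0) + _enc(0)          # empty uinteger and double pools
    abc += _enc(len(strings) + 1) + b"".join(_enc(len(s)) + s for s in strings)
    tag_body = struct.pack("<I", 0) + b"sample\0" + abc
    tag = struct.pack("<HI", (DOABC_TAG << 6) | 0x3F, len(tag_body)) + tag_body
    body = b"\x00" + struct.pack("<HH", 0x0C00, 1) + tag + b"\x00\x00"
    header = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body))
    return header + zlib.compress(body)
```

Strings are returned as raw bytes because an encrypted string in a constant pool need not decode as UTF-8; a truncated or malformed pool raises `ValueError` instead of being read past its end.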
Step 102: match the virtual machine bytecode against the attribute bytecodes; if it matches, count the number of times the virtual machine bytecode occurs; if the count exceeds a threshold, determine that the flash file is a malicious file.
The attribute bytecodes are obtained by collecting a large number of malicious flash files in advance, analyzing the data in them, and comparing them with normal flash files. The specific determination process comprises the following steps:
reverse-parsing malicious flash files and normal flash files based on the data structure of flash files, and extracting the virtual machine bytecode in them;
collecting statistics on the virtual machine bytecodes whose probability of occurrence in malicious flash files is greater than or equal to a normal value, but which do not exist in normal flash files or whose probability of occurrence there is less than the normal value;
determining the virtual machine bytecodes so collected to be the attribute bytecodes.
The normal value can be an empirical value determined from a large amount of data.
Preferably, matching the virtual machine bytecode against the attribute bytecodes and counting the occurrences of the virtual machine bytecode can be carried out automatically by the system. For example, once the predetermined parameters have been determined, corresponding code can be written for each predetermined parameter and threshold; at judgment time it is only necessary to use this code to perform the matching, count the number of times the virtual machine bytecode occurs in the flash file, and compare the count with the threshold. That is, all predetermined parameters are treated as a series of strong features of malicious flash files, and other conditions are added to form judgment rules. The virtual machine bytecode is judged against the judgment rules, and if the condition of any judgment rule is met, the flash file is considered to contain a strong feature that only malicious flash files have, that is, the flash file is considered to be a malicious file.
Some virtual machine bytecode can match an attribute bytecode, which shows that it is bytecode common in malicious files, yet it may also exist in normal files, only with a lower probability of occurrence. Setting a threshold therefore avoids misjudgment, that is, avoids treating a normal file as a malicious file.
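The attribute bytecode determination steps above, as an added Python example (not code from the patent). Each corpus entry is the list of constants extracted from one file. The rule used to derive a per-feature threshold, the highest count seen in any normal file, is an assumption of this example, since the page only says that a threshold is set; the function names and both corpora are constructed.

```python
from collections import Counter


def presence_rate(corpus):
    """Fraction of files in the corpus in which each constant occurs at least once."""
    seen = Counter()
    for constants in corpus:
        seen.update(set(constants))
    return {constant: n / len(corpus) for constant, n in seen.items()}


def select_attribute_bytecodes(malicious, normal, normal_value):
    """Return {attribute bytecode: occurrence threshold}.

    A constant is selected when its presence rate in malicious files is
    >= normal_value and its rate in normal files is < normal_value
    (a constant absent from normal files has rate 0).
    """
    if not malicious or not normal:
        raise ValueError("both corpora must contain at least one file")
    mal_rate = presence_rate(malicious)
    nor_rate = presence_rate(normal)
    selected = {}
    for constant, rate in mal_rate.items():
        if rate >= normal_value and nor_rate.get(constant, 0.0) < normal_value:
            # Assumed threshold rule: a file is flagged only when the constant
            # occurs more often than in any normal file seen so far.
            selected[constant] = max(Counter(f)[constant] for f in normal)
    return selected


# Constructed corpora: one list of extracted constants per file.
MALICIOUS = [
    [0x90909090] * 20 + [0, 1],
    [0x90909090] * 16 + [0, b"marker"],
    [0x90909090] * 9 + [1, b"marker"],
    [0, 1, b"marker"],
]
NORMAL = [
    [0, 1, 2],
    [0, 1, 0x90909090, 0x90909090],  # the feature also occurs here, but rarely
    [0, 2],
    [1, 2, 3],
]

FEATURES = select_attribute_bytecodes(MALICIOUS, NORMAL, normal_value=0.5)
```

The constants 0 and 1 are common in both corpora and are rejected; 0x90909090 is kept with threshold 2 because one normal file contains it twice.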
The method is described in detail below with a specific example.
Suppose the attribute bytecodes determined in advance from statistics on malicious flash files comprise character strings and integer strings. Each attribute bytecode corresponds to one discriminant function and serves as the parameter of that discriminant function. The discriminant functions for all character strings form one group, and the discriminant functions for all integer strings form another group.
When a malicious flash file detection is needed, the virtual machine bytecode is first extracted from the flash file under detection; all character strings in it are combined into one array and all integer strings into another array. Each character string in the character string array is substituted into the discriminant functions for character strings and judged. Each integer string in the integer string array is substituted into the discriminant functions for integer strings and judged. The judgment process is as in step 102 of the preceding embodiment.
It will be understood that as long as one character string or integer string in the virtual machine bytecode extracted from the flash file under detection matches the parameter of one discriminant function and its number of occurrences is greater than the threshold, the flash file is considered to be a malicious file. At this point the judgment can stop and the result can be returned so that the user can choose how to handle the file, or the malicious file can be deleted directly. Preferably, to improve detection accuracy, the remaining character strings or integer strings can still be substituted into the other discriminant functions and judged.
Preferably, because some malicious files encrypt the character strings or integer strings in them, this application can, while determining the attribute bytecodes, also analyze in advance the encryption methods that malicious files may use and introduce them into the discriminant functions, so that an attribute bytecode and the encrypted form of that attribute bytecode both serve as parameters of one discriminant function. At detection time, if a character string or integer string extracted from the flash file under detection matches any one of these parameters, the condition of the discriminant function is considered met. Therefore, even if the character string or integer string extracted from the flash file under detection is encrypted data, it can still be matched accurately, which improves the precision of detection.
The judgment process is described in detail below with specific discriminant functions.
Example one: suppose prior analysis shows that the int-type attribute bytecode "0x90909090" essentially never occurs in normal flash files, whereas in malicious flash files, because of special code-writing requirements, this attribute bytecode occurs many times. "0x90909090" can then be used as the parameter, a threshold set for the number of occurrences, and the following discriminant function written:
This source code counts the number of times the int-type parameter 0x90909090 occurs in the virtual machine bytecode of a flash file under detection. When this parameter occurs more than a threshold number of times, a virtual machine bytecode feature is matched and the flash file under detection is considered to be a malicious file.
Example two: key character strings in malicious flash files are frequently encrypted with XOR encryption, so the encryption method can be added to the discriminant function to make the judgment. The discriminant function written is as follows:
This source code turns a character string that executes a malicious command into 256 XOR-encrypted character strings, so it can intelligently match the encrypted malicious commands that often appear in malicious flash files. As long as the malicious command matches any one of the 256 character strings, the flash file can be judged to be a malicious file, which improves the accuracy of the detection result. No misjudgment arises from whether the string is encrypted; at the same time, a single discriminant function suffices, with no need to add multiple functions for repeated judgments, which saves detection time and space.
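The source code of the two discriminant functions is not reproduced on this page. The following Python block is an added example of what Examples one and two describe, not the patent's own code: an integer rule that counts 0x90909090 against a threshold, a string rule whose parameters are a string and its 256 single-byte XOR encodings, and a `detect` function with the two stop/continue modes. `INT_THRESHOLD`, `SAMPLE_STRING`, the four-byte minimum and the sample pools are constructed assumptions.

```python
NOP_INT = 0x90909090           # integer attribute bytecode from Example one
INT_THRESHOLD = 8              # assumed value; the page does not state one
SAMPLE_STRING = b"cmd.exe /c"  # constructed sample string feature (assumption)


def make_int_rule(feature, threshold):
    """Discriminant function: the integer feature occurs more than threshold times."""
    def rule(int_pool):
        # Mask so that a signed s32 reading of the constant still matches.
        count = sum(1 for v in int_pool if (v & 0xFFFFFFFF) == feature)
        return count > threshold, {"feature": hex(feature), "count": count}
    return rule


def make_xor_string_rule(feature):
    """Discriminant function whose parameters are the string and its 256
    single-byte XOR encodings (key 0 is the unencrypted string)."""
    if len(feature) < 4:
        raise ValueError("feature too short: XOR variants would match by chance")
    variants = {bytes(b ^ key for b in feature): key for key in range(256)}

    def rule(string_pool):
        for s in string_pool:
            for encoded, key in variants.items():
                if encoded in s:
                    return True, {"feature": feature, "xor_key": key}
        return False, {}
    return rule


INT_RULES = [make_int_rule(NOP_INT, INT_THRESHOLD)]
STRING_RULES = [make_xor_string_rule(SAMPLE_STRING)]


def detect(int_pool, string_pool, stop_on_first=True):
    """Run every discriminant function; a non-empty result means 'malicious'.

    stop_on_first=True stops at the first rule that fires; False keeps
    matching the remaining rules and reports every hit.
    """
    hits = []
    for rules, pool in ((INT_RULES, int_pool), (STRING_RULES, string_pool)):
        for rule in rules:
            matched, detail = rule(pool)
            if matched:
                hits.append(detail)
                if stop_on_first:
                    return hits
    return hits


# Constructed sample pools (not taken from any real file).
SAMPLE_INTS = [-1869574000] * 12 + [0, 1, 255]  # 0x90909090 read as signed s32
SAMPLE_STRINGS = [b"flash.display",
                  b"x" + bytes(b ^ 0x5A for b in SAMPLE_STRING)]
BENIGN_INTS = [0x90909090, 0, 1, 2]             # one stray occurrence only
BENIGN_STRINGS = [b"flash.display", b"hello world"]
```

The integer rule needs the threshold because a single stray constant proves little, while the string rule fires on one match, as the text above describes; the minimum feature length keeps the 256 variants from matching short byte runs by chance.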
Referring to Fig. 2, embodiment one of a flash malicious file detection device of this application is shown, comprising a virtual machine bytecode extraction module 10 and a judgment module 20.
The virtual machine bytecode extraction module 10 is configured to parse a flash file and extract the virtual machine bytecode in it. Preferably, the virtual machine bytecode extraction module comprises a parsing unit and an analysis unit. The parsing unit is configured to parse the key tag sections related to ActionScript in the flash file. The analysis unit is configured to analyze the data structure of the key tag sections and reverse-extract the virtual machine bytecode in them.
The judgment module 20 is configured to match the virtual machine bytecode against attribute bytecodes and, if it matches, count the number of times the virtual machine bytecode occurs and, if the count exceeds a threshold, determine that the flash file is a malicious file. Preferably, the judgment module comprises a discriminant function unit, which makes the judgment with discriminant functions whose parameters are the attribute bytecodes. The judgment process is: the virtual machine bytecode is substituted into the different discriminant functions, matched against the parameter of each discriminant function, and its occurrences are counted.
Preferably, the flash malicious file detection device also comprises an attribute bytecode determination module, configured to determine the attribute bytecodes. The attribute bytecode determination module comprises a parsing unit and a statistics unit. The parsing unit is configured to reverse-parse malicious flash files and normal flash files based on the data structure of flash files and extract the virtual machine bytecode in them. The statistics unit is configured to collect statistics on the virtual machine bytecodes whose probability of occurrence in malicious flash files is greater than or equal to a normal value, but which do not exist in normal flash files or whose probability of occurrence there is less than the normal value, and to determine the virtual machine bytecodes so collected to be the attribute bytecodes.
Preferably, the flash malicious file detection device also comprises a result processing module, configured to return the detection result and/or process the flash file after the flash file is determined to be a malicious file. Processing the flash file comprises one or more of the following: deleting the flash file, isolating the flash file, marking the flash file as a suspicious file, and setting a security level for the flash file.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the other embodiments, and for the parts that are the same or similar the embodiments may be referred to one another. Since the device embodiment is basically similar to the method embodiment, its description is relatively brief; for the relevant parts, see the description of the method embodiment.
The flash malicious file detection method and device provided by this application have been described in detail above. Specific examples are used herein to explain the principle and implementation of the application, and the description of the above embodiments is only intended to help in understanding the method of the application and its core idea. Meanwhile, for a person of ordinary skill in the art, both the specific implementation and the scope of application will vary according to the idea of the application. In summary, this description should not be construed as limiting the application.

Claims (14)

1. A flash malicious file detection method, characterized in that it comprises the following steps:
collecting malicious flash files and normal flash files in advance, comparing the malicious flash files with the normal flash files, and determining attribute bytecodes, wherein the attribute bytecodes occur more times in the malicious flash files than in the normal flash files;
parsing a flash file and extracting the virtual machine bytecode in it, wherein the virtual machine bytecode is the ActionScript bytecode inside the flash file;
matching the virtual machine bytecode against the attribute bytecodes and, if it matches, counting the number of times the virtual machine bytecode occurs; if the count exceeds a threshold, determining that the flash file is a malicious file, wherein, when the virtual machine bytecode is encrypted, the virtual machine bytecode is matched against attribute bytecodes encrypted with the same encryption method.
2. The flash malicious file detection method as claimed in claim 1, characterized in that parsing the flash file and extracting the virtual machine bytecode in it comprises:
parsing the key tag sections related to ActionScript in the flash file;
analyzing the data structure of the key tag sections and reverse-extracting the virtual machine bytecode in them.
3. The flash malicious file detection method as claimed in claim 1, characterized in that collecting malicious flash files and normal flash files in advance, comparing the malicious flash files with the normal flash files, and determining the attribute bytecodes comprises:
reverse-parsing malicious flash files and normal flash files based on the data structure of flash files, and extracting the virtual machine bytecode in them;
collecting statistics on the virtual machine bytecodes whose probability of occurrence in malicious flash files is greater than or equal to a normal value, but which do not exist in normal flash files or whose probability of occurrence there is less than the normal value;
determining the virtual machine bytecodes so collected to be the attribute bytecodes.
4. The flash malicious file detection method as claimed in claim 1, characterized in that matching the virtual machine bytecode against the attribute bytecodes and, if it matches, counting the number of times the virtual machine bytecode occurs comprises:
if the virtual machine bytecode matches one of the attribute bytecodes and the number of occurrences exceeds the threshold, stopping subsequent matching against the other attribute bytecodes; or
if the virtual machine bytecode matches one of the attribute bytecodes and the number of occurrences exceeds the threshold, continuing to match the virtual machine bytecode against the remaining attribute bytecodes.
5. The flash malicious file detection method as claimed in claim 1, characterized in that, after the flash file is determined to be a malicious file, the method also comprises returning the detection result and/or processing the flash file.
6. The flash malicious file detection method as claimed in claim 5, characterized in that processing the flash file comprises one or more of the following:
deleting the flash file;
isolating the flash file;
marking the flash file as a suspicious file;
setting a security level for the flash file.
7. The flash malicious file detection method as claimed in any one of claims 1 to 6, characterized in that matching the virtual machine bytecode against the attribute bytecodes and counting the number of times the virtual machine bytecode occurs are implemented by discriminant functions whose parameters are the attribute bytecodes, the judgment process being: the virtual machine bytecode is substituted into the different discriminant functions, matched against the parameter of each discriminant function, and its occurrences are counted.
8. The flash malicious file detection method as claimed in claim 7, characterized in that the virtual machine bytecode comprises character strings or integer strings, and the attribute bytecodes comprise character strings or integer strings; after the virtual machine bytecode is extracted, all character strings in it are formed into one array and all integer strings into another array, and the two arrays are judged, respectively, with the discriminant functions that take character strings as parameters and the discriminant functions that take integer strings as parameters.
9. a flash malicious file pick-up unit, is characterized in that, comprising:
Attribute byte code determination module, for collecting malice flash file and normal flash file in advance, described malice flash file and described normal flash file are compared, determine attribute byte code, the number of times that described attribute byte code occurs in described malice flash file is more than the number of times occurred in described normal flash file;
Virtual Machine bytecodes extraction module, for resolving flash file, extract Virtual Machine bytecodes wherein, described Virtual Machine bytecodes is the ActionScript bytecode inside described flash file;
A judging module, configured to match the virtual machine bytecode against the attribute byte code; if a match is found, to count the number of times the virtual machine bytecode occurs; and if that number exceeds a threshold, to determine that the flash file is a malicious file; wherein, when the virtual machine bytecode is encrypted, it is matched against attribute byte code encrypted with the same encryption method.
10. The flash malicious file detection device as claimed in claim 9, characterized in that the virtual machine bytecode extraction module comprises:
A parsing unit, configured to parse the key tag sections related to ActionScript in the flash file;
An analysis unit, configured to analyze the data structure of the key tag sections and reverse-extract the virtual machine bytecode from them.
11. The flash malicious file detection device as claimed in claim 9, characterized in that the attribute byte code determination module comprises:
A parsing unit, configured to reverse-parse malicious flash files and normal flash files based on the data structure of flash files, and to extract the virtual machine bytecode from them;
A statistics unit, configured to identify, by statistics, virtual machine bytecode whose probability of occurrence in malicious flash files is greater than or equal to a normal value, but which does not exist in normal flash files or whose probability of occurrence there is less than the normal value, and to define the identified virtual machine bytecode as the attribute byte code.
12. The flash malicious file detection device as claimed in claim 9, characterized in that the device further comprises:
A result processing module, configured to return the detection result and/or process the flash file after the flash file is determined to be a malicious file.
13. The flash malicious file detection device as claimed in claim 12, characterized in that the processing of the flash file by the result processing module comprises one or more of the following:
Deleting the flash file;
Isolating the flash file;
Marking the flash file as a suspicious file;
Setting a security level for the flash file.
14. The flash malicious file detection device as claimed in any one of claims 9 to 13, characterized in that the judging module comprises:
A discriminant function unit, configured to perform the judgment using discriminant functions whose parameters are attribute byte codes, the judgment process being: substituting the virtual machine bytecode into different discriminant functions, matching it against the parameters of each discriminant function, and counting the number of occurrences.
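The extract, match and count flow of claims 9, 10 and 14 can be illustrated with the following added Python example, which is not code from the patent. The function names, the placeholder pattern and the threshold are assumptions; the tag codes (DoAction 12, DoInitAction 59, DoABC 82) and header layout follow the published SWF file format, and only FWS and zlib-compressed CWS containers are handled.

```python
import struct
import zlib

# SWF tags that carry ActionScript: DoAction, DoInitAction, DoABC.
DO_ACTION, DO_INIT_ACTION, DO_ABC = 12, 59, 82

def extract_bytecode(swf: bytes) -> list:
    """Walk the SWF tag stream; return the bytecode of each ActionScript tag."""
    if swf[:3] == b"CWS":                      # zlib-compressed after 8-byte header
        body = zlib.decompress(swf[8:])
    elif swf[:3] == b"FWS":
        body = swf[8:]
    else:
        raise ValueError("not an FWS/CWS file")
    pos = (5 + 4 * (body[0] >> 3) + 7) // 8 + 4  # skip RECT, frame rate, frame count
    chunks = []
    while pos + 2 <= len(body):
        (hdr,) = struct.unpack_from("<H", body, pos)
        code, length, pos = hdr >> 6, hdr & 0x3F, pos + 2
        if length == 0x3F:                     # long form: 32-bit length follows
            (length,) = struct.unpack_from("<I", body, pos)
            pos += 4
        data, pos = body[pos:pos + length], pos + length
        if code == 0 or len(data) < length:    # End tag or truncated file
            break
        if code == DO_ABC:                     # skip 4-byte flags and NUL-ended name
            chunks.append(data[data.index(b"\0", 4) + 1:])
        elif code == DO_INIT_ACTION:           # skip 2-byte sprite id
            chunks.append(data[2:])
        elif code == DO_ACTION:
            chunks.append(data)
    return chunks

def scan(swf: bytes, features: dict, threshold: int):
    """Count each feature pattern; flag the file if any count exceeds threshold."""
    code = extract_bytecode(swf)
    hits = {name: sum(c.count(p) for c in code) for name, p in features.items()}
    return any(n > threshold for n in hits.values()), hits

def make_swf(tags, compress=False) -> bytes:
    """Build a minimal constructed SWF (zero-size RECT) as sample input."""
    body = b"\x00" + b"\x00\x18" + b"\x01\x00"  # RECT, frame rate, frame count
    for code, data in tags:                    # long-form tag headers throughout
        body += struct.pack("<HI", code << 6 | 0x3F, len(data)) + data
    body += b"\x00\x00"                        # End tag
    head = (b"CWS" if compress else b"FWS") + b"\x0a" + struct.pack("<I", 8 + len(body))
    return head + (zlib.compress(body) if compress else body)

FEATURES = {"demo-pattern": bytes.fromhex("aabbccdd")}  # constructed, not a real signature
```

Because only ActionScript tag bodies are counted, the same byte pattern appearing in image, font or other data tags does not contribute to the verdict.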
CN201110442268.7A 2011-12-26 2011-12-26 flash malicious file detection method and device Active CN102592080B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110442268.7A CN102592080B (en) 2011-12-26 2011-12-26 flash malicious file detection method and device


Publications (2)

Publication Number Publication Date
CN102592080A CN102592080A (en) 2012-07-18
CN102592080B true CN102592080B (en) 2015-11-11

Family

ID=46480702


Country Status (1)

Country Link
CN (1) CN102592080B (en)


Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1924866A (en) * 2006-09-28 2007-03-07 北京理工大学 Static feature based web page malicious scenarios detection method

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101984450B (en) * 2010-12-15 2012-10-24 北京安天电子设备有限公司 Malicious code detection method and system
CN102254120B (en) * 2011-08-09 2014-05-21 华为数字技术(成都)有限公司 Method, system and relevant device for detecting malicious codes


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Flash Application Vulnerability Discovery and Exploitation; He Tuo; China Master's Theses Full-text Database; 20101215 (No. 12); full text *

Also Published As

Publication number Publication date
CN102592080A (en) 2012-07-18


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant