CN102902924A - Method and device for detecting behavior feature of file - Google Patents


Info

Publication number
CN102902924A
Authority
CN
China
Prior art keywords
file
detected
classification
behavioural characteristic
malicious
Legal status
Granted
Application number
CN201210376077XA
Other languages
Chinese (zh)
Other versions
CN102902924B (en)
Inventor
梁志文
张海
林岳川
徐立业
Current Assignee
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201210376077.XA
Publication of CN102902924A
Application granted
Publication of CN102902924B
Legal status: Active


Abstract

The invention discloses a method and device for detecting the behaviour features of a file. The method comprises: determining the category of a file under test; running the file under test in a sandbox corresponding to that category and collecting the behaviours it produces during execution; comparing those behaviours with the behaviour features in a non-malicious behaviour feature library corresponding to that category, where the features in that library are the behaviour features possessed by non-malicious files of the category; and determining the file under test to be malicious if any behaviour outside the non-malicious behaviour feature library exists. The method can lower the false-positive rate and improve the accuracy of detection results.

Description

Method and device for detecting file behaviour features
Technical field
The present invention relates to the field of computer security, and in particular to a method and device for detecting file behaviour features.
Background technology
Attackers often write malicious code into files, turning them into malicious files. When a network user downloads such a file (a game or some other program) from a website, or copies it from a removable storage device, the malicious code is carried onto the user's computer along with it, where it harms the computer or interferes with the user in various ways.
Effectively detecting whether a file is malicious is therefore very important. Initially, files were generally detected by their static features, for example the file name or MD5 value. But once the file's version is updated, or the structure of the malicious code changes, these static features stop working and have to be revised; the detection is therefore not very effective and the maintenance cost is high.
For this reason, methods that detect a file by its behaviour features appeared. Such a method generally collects in advance the various malicious behaviour features that may occur, runs the file under test in a sandbox, records the behaviours produced during execution, compares them with the pre-collected malicious behaviour features, and rates the probability that the file is malicious by the number of malicious behaviour features hit. For example, if the malicious behaviour feature library holds 100 malicious behaviour features (extracted from the behaviour of known malicious files, and usually called black behaviour features), a file whose run-time behaviour hits 10 of them is rated a low risk, while a file that hits 50 of them is rated a high risk, and so on.
However, this prior-art behaviour-based detection easily produces false positives. For example, a file is usually packed in order to prevent disassembly or dynamic analysis of the file and so to hide it. Packing is therefore generally kept in the sandbox as a malicious feature, so that any packed file is considered to carry some risk. Yet in some cases packing is normal behaviour: it may protect the copyright of the file or prevent the software from being cracked. A video tutorial file, for example, may be packed for confidentiality, but that does not mean the file is a malicious file containing malicious code, and judging it malicious outright may be a false positive.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a method for detecting file behaviour features, and a corresponding device, that overcome the above problems or at least partly solve them.
According to one aspect of the present invention, a method for detecting file behaviour features is provided, comprising:
determining the category to which a file under test belongs;
running the file under test in a sandbox corresponding to that category, and collecting the behaviours the file under test produces during execution;
comparing the behaviours the file under test produces during execution with the behaviour features in the non-malicious behaviour feature library corresponding to that category, where the behaviour features in the non-malicious behaviour feature library corresponding to that category are the behaviour features possessed by non-malicious files of that category;
if a behaviour outside the non-malicious behaviour feature library exists, determining the file under test to be a malicious file.
Optionally, determining the category to which the file under test belongs comprises:
determining the category of the file under test according to its static file features.
Optionally, the static file features comprise the file's icon, its size and/or the cyclic redundancy check (CRC) code of its code.
Optionally, determining the category to which the file under test belongs comprises:
if the file under test originates from a website, determining the category of the file under test according to the category of that website.
Optionally, the category of the file under test includes a private-server category, and the behaviour features in the non-malicious behaviour feature library corresponding to that category comprise:
traversing directories to search for game content, searching for the game window, and/or loading dynamic link library files having particular paths and file names.
Optionally, the category of the file under test includes a cheat plug-in category, and the behaviour features in the non-malicious behaviour feature library corresponding to that category comprise:
creating non-malicious files, searching for the game, loading dynamic link library files having particular paths and file names, operating on the game process, and/or non-malicious network operations.
Optionally, the method further comprises:
receiving a new file sample uploaded by a client, and treating the newly uploaded file sample as the file under test;
or
collecting a new file sample from the Internet, and treating the newly collected file sample as the file under test.
According to a further aspect of the invention, a device for detecting file behaviour features is provided, comprising:
a file category determining unit, for determining the category to which a file under test belongs;
a behaviour collecting unit, for running the file under test in a sandbox corresponding to that category and collecting the behaviours the file under test produces during execution;
a feature comparing unit, for comparing the behaviours the file under test produces during execution with the behaviour features in the non-malicious behaviour feature library corresponding to that category, where the behaviour features in the non-malicious behaviour feature library corresponding to that category are the behaviour features possessed by non-malicious files of that category;
a detection result determining unit, for determining the file under test to be a malicious file if a behaviour outside the non-malicious behaviour feature library exists.
Optionally, the file category determining unit comprises:
a static analysis subunit, for determining the category of the file under test according to its static file features.
Optionally, the static file features comprise the file's icon, its size and/or the cyclic redundancy check (CRC) code of its code.
Optionally, the file category determining unit comprises:
a website analysis subunit, for determining, if the file under test originates from a website, the category of the file under test according to the category of that website.
Optionally, the category of the file under test includes a private-server category, and the behaviour features in the non-malicious behaviour feature library corresponding to that category comprise:
traversing directories to search for the game, searching for the game window, and/or loading dynamic link library files having particular paths and file names.
Optionally, the category of the file under test includes a cheat plug-in category, and the behaviour features in the non-malicious behaviour feature library corresponding to that category comprise:
creating non-malicious files, traversing directories to search for the game, loading dynamic link library files having particular paths and file names, operating on the game process, and/or non-malicious network operations.
Optionally, the device further comprises:
a first file determining unit, for receiving a new file sample uploaded by a client and treating the newly uploaded file sample as the file under test;
or
a second file determining unit, for collecting a new file sample from the Internet and treating the newly collected file sample as the file under test.
According to the method and device for detecting file behaviour features of the present invention, a benign behaviour feature library can be built for each category of file from the behaviour features shared by benign files of that category. At detection time the category of the file under test is determined first, the file under test is run in the sandbox corresponding to that category, all behaviours it produces during execution are recorded, and these behaviours are compared one by one with the benign behaviour feature library corresponding to that category; if a behaviour outside the benign behaviour feature library exists, the file under test can be determined to be a malicious file. Because different files are detected according to their category, the method can greatly reduce the false-positive rate and improve the accuracy of the detection result.
The above is only an overview of the technical solution of the present invention. So that the technical means of the invention may be understood more clearly and implemented according to the content of the description, and so that the above and other objects, features and advantages of the invention may become more apparent, specific embodiments of the invention are set out below.
Description of drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings serve only to show the preferred embodiments and are not to be taken as limiting the invention. Throughout the drawings, the same reference symbols denote the same parts. In the drawings:
Fig. 1 shows a flow chart of a method according to an embodiment of the invention;
Fig. 2 shows a schematic diagram of a device according to an embodiment of the invention;
Fig. 3 shows a schematic diagram of a system according to an embodiment of the invention; and
Fig. 4 shows a schematic diagram of a system according to another embodiment of the invention.
Embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure can be realised in various forms and is not limited to the embodiments set out here. Rather, these embodiments are provided so that the disclosure is understood more thoroughly and its scope is conveyed completely to those skilled in the art.
In embodiments of the present invention, the behaviours the file under test produces during execution are compared not with black behaviour features but with white behaviour features. A white behaviour feature is simply a behaviour that a benign file generally produces during execution; if the file under test produces features outside these white behaviour features while running, that may be because it contains malicious code. In the concrete implementation, the embodiments do not mix the behaviour features of many different kinds of file together, as is done when comparing against black behaviour features. Instead, files are classified, each category of file has its own sandbox, and the white behaviour features are extracted from benign files of the same category. Before a file under test is detected, the category to which it belongs is determined first; the file under test is then run in the sandbox of that category, the behaviours that occur while it runs are recorded and compared with the white behaviour features of files of that category, and if a behaviour outside these white behaviour features exists, the file under test may be a malicious file. Detection is done this way because, when white behaviour features are used for detection, mixing together the white behaviour features of all kinds of benign files makes them hard to tell apart, and detection with such mixed features would still have a high false-positive rate. Files of the same category, on the other hand, usually show similar behaviour even when their developers and versions differ; classifying files and then detecting each with the white behaviour features of its own category therefore greatly reduces the false-positive rate. That is, in embodiments of the invention, files of the same category are first found, the behaviour features shared by the benign files of that category are compiled into a benign behaviour library, and that library is used for the security detection of files under test of that category. The method for detecting file behaviour features provided by the embodiments of the invention is introduced in detail below.
Referring to Fig. 1, the method for detecting file behaviour features provided by an embodiment of the invention may comprise the following steps:
S101: determine the category to which the file under test belongs;
In embodiments of the invention, the file under test may be a file uploaded by a client, or a file collected from the Internet. That is, on the client side an entry for uploading files can be provided to the user; when the user finds a file suspected of being malicious, it can be uploaded to the server through this entry, and the server detects the file uploaded by the client as the file under test. Alternatively, when the client performs a security check of the user's files and finds a file that appears in neither the whitelist nor the blacklist, so that it cannot determine whether the file is malicious, it can automatically upload the file to the server as a suspected malicious file for the server to detect further. Alternatively, suspicious files can be collected on the server side across the whole Internet, for example by collecting the downloadable files from websites known to offer private-server or cheat plug-in files, and detecting them as files under test. The receiving of suspicious files uploaded by clients and the collection of suspicious files from the Internet can run continuously; whenever a newly uploaded suspicious file is found, or a new suspicious file is collected from the Internet, it can be detected immediately as a file under test, so that the newest file samples are detected as early as possible, a conclusion is reached, and the spread of malicious programs is avoided.
For a file under test, the category to which it belongs must first be determined. In the concrete implementation, different methods of determining the category can be used according to the source of the file under test. For example, in one mode the file under test may be a suspicious file uploaded by the user to the server; for such a file the category can be determined from the file's static features, which can include the file's icon, its file name, keywords in the file description information, its size, and/or the cyclic redundancy check (CRC) code of its code. These static features can be obtained by querying the file's attributes and similar means. In addition, besides suspicious files uploaded by users, embodiments of the invention can also collect files under test from designated websites, in which case the category of the file under test can be determined directly from the category of the website. When the server actively collects files from websites, the objects collected can be files into which malicious code is often and easily inserted, for example private-server files and cheat plug-in files: a file under test collected from a designated private-server website can be determined directly to be a private-server file, a file under test collected from a designated cheat plug-in website can be determined directly to be a cheat plug-in file, and so on.
A private server is a server for an online game that is set up and operated privately, without the legal licence of the game's manufacturer; in technology and quality of service it is not comparable with the formal official server (abbreviated to "official server" below). For reasons such as lower cost, however, some players still want to use private servers. To use one, the user has to download the private-server file to the local computer, install it over the files of the original official client, and create an account; at the next login the user is taken to the private server's site. A private-server website is a website that provides private-server files for users to download, and contains download links for such files. Because private-server files are made by authors without legal licence, they are high-risk files into which malicious code is easily written, and private-server websites may not verify the security of the files they offer for download. Consequently, when a user downloads a private-server file that contains malicious code, the security of the user's computer may be threatened. Embodiments of the invention can therefore detect files of this private-server category. Concretely, from websites known to be private-server websites, the files behind the private-server download links they provide can be downloaded, and the downloaded files detected as files under test of the private-server category.
A cheat plug-in is a cheating program that some people, using their computer skills, make specifically for one or more online games by modifying part of the game software. As game operators have fought cheats, games themselves have gained strong automatic cheat-detection functions; but cheat-making technology keeps improving, and the most popular form now uses packet capture and packet forging tools to submit false data to the game server and alter the game character's abilities, and so on. Like private-server files, these cheat files are made by people without special authorisation, and so are likewise a class of high-risk file into which malicious code is often written. There are likewise many websites that provide cheat files for download and may not verify their security. Once a user downloads a cheat file containing malicious code, the user's computer may be attacked by it. Embodiments of the invention can therefore detect files of this cheat plug-in category. Concretely, from websites known to be cheat plug-in websites, the files behind the cheat download links they provide can be downloaded, and the downloaded files detected as files under test of the cheat plug-in category.
Of course, in practical applications the category of the file under test is not limited to these two categories, private servers and cheat plug-ins. Files of other categories can also be detected with the method provided by the embodiments of the invention, provided they are likewise high-risk files into which code is easily written and the benign files of the category likewise show some similar white behaviour features.
In addition, for a file under test obtained by downloading from a website of a particular category, its category can be determined directly from the category of the website, or, after the file is downloaded, the category of the file under test can be verified further from the file's static features, and so on.
S102: run the file under test in the sandbox corresponding to that category, and collect the behaviours the file under test produces during execution;
After the category of the file under test is determined, the file under test can be placed in the sandbox corresponding to that category and run there, and all behaviours during execution are recorded as the basis for comparison.
S103: compare the behaviours the file under test produces during execution with the behaviour features in the benign behaviour feature library corresponding to that category, where the behaviour features in the benign behaviour feature library corresponding to that category are the behaviour features possessed by benign files of that category;
After all behaviours the file under test produces during execution have been recorded, they can be compared with the white behaviour features corresponding to the category of the file. The white behaviour features corresponding to a category are the set of characteristic behaviours obtained by collecting statistics on the behaviours that benign files of that category may produce during execution.
For example, analysis of private-server files found that benign private-server programs generally have some shared characteristics: a fixed class of methods, and characteristic behaviour that stays within a certain range and changes very little even across version updates.
Video player software, for example, generally traverses file directories to find video and audio files, calls device drivers, and reads the video and audio files; its range of characteristic behaviour is relatively fixed, and it generally does not edit the registry, inject into other processes, or write startup services. The same holds for normal private-server files and cheat files. The private-server part generally just replaces the main program of the official client; in behaviour it adds only directory traversal compared with the official client, and its other behaviours are the same as those of the normal official game. A cheat generally also traverses processes, finds the game process, injects into it, and modifies the game process's memory to achieve the cheating effect. Once a malicious program masquerades as a certain kind of software, it triggers behaviours outside the original behaviour range of that kind of software.
First, in terms of static features, the program icon, size, code CRC and so on of such files have commonality and do not change within a period of time, so an initial judgement and category screening can be made from these characteristics. Then, in terms of dynamic behaviour features, files of the same category, private-server files for example, behave very similarly after they are run, for example:
QueryDirectory: traversing directories to search for game content;
FindWindow: searching for the game window;
MapView and LoadImage: loading and executing dynamic link library files.
A benign behaviour feature library for private-server files can therefore be built from these commonalities, and file behaviour features can be detected against these benign behaviour features.
Note that, for the behaviour of loading and executing dynamic link library files, not every load and execution of a DLL is normal. The DLLs a private-server file is permitted to load generally have common paths and file names, so when the white behaviour features of benign private-server files are recorded, it must be specified which DLLs, by file name and path, may be loaded and executed; if the file under test is found to load and execute a DLL outside these while running, it can also be determined to be a malicious file. For example, when the load-and-execute-DLL behaviour is recorded in the benign behaviour feature library, a list of the DLLs permitted to be loaded must also be built, for example:
[Figure BDA00002221477500101: the list of permitted dynamic link library files; the image is not reproduced on this page]
That is, a private-server file is permitted to load only the DLLs above; if a DLL outside this list is loaded, the file can be judged to be a malicious private-server file.
The detection process for cheat files is the same as for private-server files; only the concrete features differ. For static features, the file's icon, size, code CRC, packing information and similar static features can likewise be used for initial classification and screening of the file under test. For the dynamic behaviour features of cheat files, a benign behaviour library is likewise built, for example:
CreateFile: the behaviour of creating a file, where the created file is a harmless file; whether the created file is malicious can be judged here against a pre-built virus database;
FindWindow: searching for the game;
MapView and LoadImage: loading dynamic link libraries; as with private-server files, the file name and path of the loaded file must be in the pre-collected benign information library;
OpenProcess, AdjustPrivileges: certain operations on the game process;
LPC_QueryDns, TCP_Connect: operations on the network, which must be judged harmless against a pre-built network information library. That is, a cheat file may have some network-access behaviour, but it has to stay within a certain range, and network behaviour beyond that range is considered the behaviour of a malicious file. The benign behaviour library must therefore include not only the network behaviour itself but also specify which network operations are permitted, as part of the white behaviour features.
Likewise, by collating the above and other information, it can be found that these collected behaviours and operations do no harm to the system, so they can serve as the white behaviour features of benign cheat files and be used to detect malicious cheat files.
S104: if a behaviour outside the benign behaviour feature library exists, determine the file under test to be a malicious file.
As described above, once all behaviours the file under test produces during execution have been obtained, they can be compared one by one with the benign behaviour feature library of the category to which the file belongs; if a behaviour outside the benign behaviour feature library exists, the file under test can be determined to be a malicious file.
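The flow of S101 to S104 above, as an added example that is not part of the patent or of Qihoo's implementation: the sandbox of S102 is stood in for by constructed behaviour traces of the form (API name, argument), and the static signature table, the site-to-category map, the DLL and endpoint allowlists, the game process name and every host and path are assumptions made for illustration. The last check in the usage section shows the point the description makes about classifying first: a trace that is clean for a cheat plug-in falls outside the private-server library.

```python
"""Category-aware white-behaviour check modelled on steps S101 to S104.

Added example, not code from the patent or from Qihoo. The sandbox of S102 is
replaced by constructed behaviour traces of the form (API name, argument); the
static signature table, the site-to-category map, the DLL and endpoint
allowlists and every path, host and process name below are assumptions.
"""
import ntpath
import zlib
from typing import Callable, Dict, List, Optional, Tuple

Behaviour = Tuple[str, str]          # (API name, argument as recorded by the sandbox)
Predicate = Callable[[str], bool]

# ---- S101: determine the category of the file under test -------------------
# Static features named in the description: icon CRC, size and code CRC.
STATIC_INDEX: Dict[Tuple[int, int, int], str] = {}

def static_key(icon: bytes, code: bytes) -> Tuple[int, int, int]:
    return (zlib.crc32(icon), len(code), zlib.crc32(code))

def register_static(icon: bytes, code: bytes, category: str) -> None:
    """Index a known sample of a category by its static features."""
    STATIC_INDEX[static_key(icon, code)] = category

# A file collected from a known site takes the site's category (hypothetical hosts).
SITE_CATEGORY = {"sf.example.test": "private_server", "wg.example.test": "cheat_plugin"}

def determine_category(icon: bytes, code: bytes,
                       source_site: Optional[str] = None) -> Optional[str]:
    if source_site in SITE_CATEGORY:
        return SITE_CATEGORY[source_site]
    return STATIC_INDEX.get(static_key(icon, code))

# ---- S103: white behaviour libraries, one per category ----------------------
ALLOWED_DLLS = {("c:\\games\\client", "login.dll"), ("c:\\games\\client", "ui.dll")}
ALLOWED_ENDPOINTS = {"update.game.example.test:443"}
GAME_PROCESS = "game.exe"
VIRUS_DB = {"sha256:0000dead"}       # constructed hash of a known-bad dropped file

def dll_allowed(path: str) -> bool:
    """A DLL load is benign only for an allowlisted (directory, file name) pair."""
    directory, name = ntpath.split(path.lower())
    return (directory, name) in ALLOWED_DLLS

def any_arg(_: str) -> bool:
    return True

WHITELIST: Dict[str, Dict[str, Predicate]] = {
    "private_server": {
        "QueryDirectory": any_arg,       # traverse directories looking for game content
        "FindWindow": any_arg,           # locate the game window
        "MapView": dll_allowed,          # load and execute DLLs from the allowlist only
        "LoadImage": dll_allowed,
    },
    "cheat_plugin": {
        "CreateFile": lambda h: h not in VIRUS_DB,   # argument is the created file's hash
        "QueryDirectory": any_arg,
        "FindWindow": any_arg,
        "MapView": dll_allowed,
        "LoadImage": dll_allowed,
        "OpenProcess": lambda p: p.lower() == GAME_PROCESS,
        "AdjustPrivileges": any_arg,
        "LPC_QueryDns": lambda h: any(e.startswith(h + ":") for e in ALLOWED_ENDPOINTS),
        "TCP_Connect": lambda ep: ep in ALLOWED_ENDPOINTS,
    },
}

def behaviours_outside_whitelist(category: str, trace: List[Behaviour]) -> List[Behaviour]:
    """S103: every recorded behaviour the category's white library does not cover."""
    allowed = WHITELIST[category]
    return [(api, arg) for api, arg in trace
            if api not in allowed or not allowed[api](arg)]

def verdict(category: str, trace: List[Behaviour]) -> str:
    """S104: a single behaviour outside the white library makes the file malicious."""
    return "malicious" if behaviours_outside_whitelist(category, trace) else "clean"

# ---- constructed sandbox traces standing in for S102 ------------------------
PRIVATE_SERVER_OK: List[Behaviour] = [
    ("QueryDirectory", "C:\\Games"), ("FindWindow", "GameMain"),
    ("LoadImage", "C:\\Games\\Client\\login.dll"),
]
PRIVATE_SERVER_BAD: List[Behaviour] = PRIVATE_SERVER_OK + [
    ("LoadImage", "C:\\Users\\Public\\svchost.dll"),      # DLL outside the allowlist
    ("RegSetValue", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"),  # API absent from the library
]
CHEAT_OK: List[Behaviour] = [
    ("QueryDirectory", "C:\\Games"), ("FindWindow", "GameMain"),
    ("OpenProcess", "game.exe"), ("AdjustPrivileges", "SeDebugPrivilege"),
    ("TCP_Connect", "update.game.example.test:443"),
]

if __name__ == "__main__":
    icon, code = b"\x00icon", b"\x90" * 64
    register_static(icon, code, "private_server")
    print(determine_category(icon, code), determine_category(icon, code, "wg.example.test"))
    print(verdict("private_server", PRIVATE_SERVER_OK), verdict("private_server", PRIVATE_SERVER_BAD))
    print(verdict("cheat_plugin", CHEAT_OK))
    # The same trace judged against the wrong category: OpenProcess is not a benign
    # private-server behaviour, which is why S101 classifies before S103 compares.
    print(verdict("private_server", CHEAT_OK))
```

The predicates carry the two refinements the description insists on: a DLL load is white only for a listed directory and file name pair, and a network operation is white only for a listed endpoint, so the library encodes not just the API but the permitted arguments. Any API with no predicate at all, such as the registry write in the second trace, is outside the library by construction.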
As seen, in embodiments of the present invention, the total behavioural characteristic that can show according to the similar file that means no harm is set up the behavioural characteristic storehouse that means no harm of Miscellaneous Documents, like this, when detecting, can at first determine the affiliated classification of file to be detected, and file to be detected put into (this sandbox can be deployed on user's the client device in sandbox corresponding to this class file, also can be in server) operation, record all behaviors that file to be detected occurs in operational process, and each behavior in the behavioural characteristic storehouse that means no harm that these behaviors are corresponding with this class file is compared, if there is the behavior outside the behavioural characteristic storehouse that means no harm, then file to be detected can be defined as malicious file.By the method, owing to can different files be detected according to classification, therefore, can greatly reduce False Rate, improve the accuracy of testing result.
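The per-category comparison described above, written out as an added Python example. This is not the patent's code and the patent discloses no implementation; the category names, filename keywords, code blobs, API names, paths, hostnames and addresses are constructed stand-ins for the static features and the non-malicious behavior feature libraries the text refers to. It also shows the static-feature classification (filename keyword or CRC of the code) that the apparatus description below assigns to the static analysis subunit.

```python
"""Per-category behavior allowlisting as described above.

Added example, not code from the patent. All category names, filename
keywords, code blobs, API names, paths, hostnames and addresses below are
constructed stand-ins for the static features and the non-malicious
behavior feature libraries the text refers to.
"""
import zlib
from typing import Iterable, Optional

# --- Step 1: static features -> category ---------------------------------
# The text classifies a sample by static features (icon, filename, file
# description keywords, size, CRC of the code). Here a filename keyword or a
# known code CRC selects the category; both tables are constructed.
FILENAME_KEYWORDS = {
    "private_server": ("sifu", "privateserver", "loginserver"),
    "plugin": ("waigua", "cheat", "autoplay"),
}

# Constructed blobs standing in for the code section of known non-malicious
# samples of each category; their CRC32 seeds the lookup table.
KNOWN_CODE_CRCS = {
    zlib.crc32(b"private-server-launcher-v1"): "private_server",
    zlib.crc32(b"autoplay-plugin-v3"): "plugin",
}


def classify(filename: str, code: bytes) -> Optional[str]:
    """Return the category of a sample, or None if no category matches."""
    lowered = filename.lower()
    for category, words in FILENAME_KEYWORDS.items():
        if any(word in lowered for word in words):
            return category
    return KNOWN_CODE_CRCS.get(zlib.crc32(code))


# --- Step 2: per-category non-malicious (white) behavior feature library --
# Each entry maps an API observed in the sandbox to the set of arguments
# allowed for it; None means the API is allowed with any argument. Network
# APIs list their permitted endpoints explicitly, as the text requires: the
# library records not just that the sample uses the network but which
# operations are in scope.
WHITE_BEHAVIORS = {
    "private_server": {
        "FindWindow": None,
        "LoadImage": {r"C:\Games\Example\client.dll", r"C:\Games\Example\net.dll"},
    },
    "plugin": {
        "CreateFile": {r"C:\Users\Public\autoplay\config.ini"},
        "FindWindow": None,
        "LoadImage": {r"C:\Games\Example\client.dll"},
        "OpenProcess": {"game.exe"},
        "AdjustPrivileges": {"SeDebugPrivilege"},
        "LPC_QueryDns": {"update.plugin.example"},
        "TCP_Connect": {"203.0.113.10:443"},
    },
}


def behaviors_outside_library(category: str,
                              trace: Iterable[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return every (api, argument) event the category's library does not cover.

    An API missing from the library is never allowed, and an allowed API with
    an argument outside its set (for example a connection to an unlisted
    endpoint) is reported as well.
    """
    library = WHITE_BEHAVIORS[category]
    outside = []
    for api, arg in trace:
        allowed = library.get(api, frozenset())
        if allowed is None:
            continue
        if arg not in allowed:
            outside.append((api, arg))
    return outside


def is_malicious(category: str, trace: Iterable[tuple[str, str]]) -> bool:
    """S104: any behavior outside the library marks the file as malicious."""
    return bool(behaviors_outside_library(category, trace))


# Constructed sandbox traces for a plug-in class sample.
BENIGN_PLUGIN_TRACE = [
    ("FindWindow", "Example Online"),
    ("LoadImage", r"C:\Games\Example\client.dll"),
    ("OpenProcess", "game.exe"),
    ("LPC_QueryDns", "update.plugin.example"),
    ("TCP_Connect", "203.0.113.10:443"),
]
MALICIOUS_PLUGIN_TRACE = BENIGN_PLUGIN_TRACE + [
    ("TCP_Connect", "198.51.100.7:6667"),                  # endpoint out of scope
    ("CreateFile", r"C:\Windows\System32\drivers\x.sys"),  # file not in library
]

if __name__ == "__main__":
    category = classify("AutoPlay_helper.exe", b"")
    print(category, is_malicious(category, BENIGN_PLUGIN_TRACE))
    print(behaviors_outside_library(category, MALICIOUS_PLUGIN_TRACE))
```

The rule is strict in the direction the text requires: a sample is only cleared when every recorded behavior is both an API in its category's library and an argument that library allows, so an unlisted API or an out-of-scope network endpoint is enough to flag it. The flip side, which a practitioner would want to keep in mind, is that the library has to be complete for the category, otherwise benign samples that do anything unlisted become false positives; the text addresses this by deriving the library from behaviors shared by known non-malicious files of the same category.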
Corresponding to the method for detecting file behavior features provided by the embodiment of the invention, the embodiment of the invention also provides an apparatus for detecting file behavior features. Referring to Fig. 2, the apparatus may comprise:
a file category determining unit 201, configured to determine the category to which the file to be detected belongs;
a behavior collecting unit 202, configured to run the file to be detected in a sandbox corresponding to that category and to collect the behaviors produced by the file to be detected during execution;
a feature comparing unit 203, configured to compare the behaviors produced by the file to be detected during execution with the behavior features in the non-malicious behavior feature library corresponding to that category, wherein the behavior features in the non-malicious behavior feature library corresponding to that category are the behavior features possessed by non-malicious files of that category;
a detection result determining unit 204, configured to determine the file to be detected to be a malicious file if there is a behavior outside the non-malicious behavior feature library.
In a specific implementation, the file category determining unit 201 may comprise:
a static analysis subunit, configured to determine the category to which the file to be detected belongs according to static file features of the file to be detected.
The static file features may include the icon of the file, the filename, keywords in the file description information, the size and/or a cyclic redundancy check (CRC) code of the code.
Alternatively, in another implementation, the file category determining unit 201 may comprise:
a website analysis subunit, configured to determine, if the file to be detected originates from a website, the category to which the file to be detected belongs according to the category to which the website belongs.
The category to which the file to be detected belongs includes a private server class, and the behavior features in the non-malicious behavior feature library corresponding to that category include:
traversing directories to search for the game, searching for the game window and/or loading a dynamic link library file having a particular path and filename.
The category to which the file to be detected belongs may also include a plug-in (game cheat) class, and the behavior features in the non-malicious behavior feature library corresponding to that category include:
creating a non-malicious file, traversing directories to search for the game, loading a dynamic link library file having a particular path and filename, operating on the game process and/or non-malicious network operations.
In practical applications, the apparatus may further comprise:
a first file determining unit, configured to receive a new file sample uploaded by a client and to determine the newly uploaded file sample to be the file to be detected;
or,
a second file determining unit, configured to collect new file samples from the Internet and to determine the newly collected file sample to be the file to be detected.
Corresponding to the method for detecting file behavior features provided by the embodiment of the invention, the embodiment of the invention also provides a system for detecting file behavior features. Referring to Fig. 3, the system may comprise a client 301 and a server 302:
The client 301 may comprise:
a file uploading unit 3011, configured to upload a suspected malicious file sample to the server;
The server 302 comprises:
a first to-be-detected file determining unit 3021, configured to determine the file sample uploaded by the client to be the sample to be detected; and
the apparatus 3022 for detecting file behavior features described above.
In addition, the embodiment of the invention also provides another system for detecting file behavior features. Referring to Fig. 4, the system may comprise:
a sample collecting unit 401, configured to collect file samples from the Internet;
a second to-be-detected file determining unit 402, configured to determine the collected file samples to be the files to be detected; and
the apparatus 403 for detecting file behavior features described above.
In summary, in the malicious file detection apparatus and system provided by the embodiment of the invention, a non-malicious behavior feature library can be built for each category of file from the behavior features that non-malicious files of that category have in common. At detection time, the category to which the file to be detected belongs is determined first, the file is run in the sandbox corresponding to that category (the sandbox may be deployed on the user's client device or on a server), all behaviors that occur while the file runs are recorded, and these behaviors are compared with each behavior feature in the non-malicious behavior feature library corresponding to that category. If there is a behavior outside the non-malicious behavior feature library, the file to be detected can be determined to be a malicious file. Because different files are detected according to their category, the method can greatly reduce the false positive rate and improve the accuracy of the detection result.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teachings herein. From the above description, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and that the description given above of a specific language is provided to disclose the preferred embodiment of the invention.
In the specification provided herein, a large number of specific details are described. However, it will be understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention, features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof. However, this method of disclosure is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the apparatus of an embodiment can be adaptively changed and arranged in one or more apparatuses different from that embodiment. The modules, units or components in the embodiments may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings), and all processes or units of any method or apparatus so disclosed, may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include some features that are included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components in the apparatus for detecting file behavior features according to the embodiments of the invention. The invention may also be embodied as apparatus or device programs (for example, computer programs and computer program products) for performing part or all of the methods described herein. Such programs implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any ordering. These words may be interpreted as names.
The application may be applied to a computer system/server, which may operate with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known computing systems, environments and/or configurations suitable for use with the computer system/server include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, handheld or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above systems. The computer system/server may be described in the general context of computer-system-executable instructions (such as program modules) being executed by a computer system. Generally, program modules may include routines, programs, object programs, components, logic, data structures and so on that perform particular tasks or implement particular abstract data types. The computer system/server may be practiced in distributed cloud computing environments, where tasks are performed by remote processing devices linked through a communications network. In a distributed cloud computing environment, program modules may be located on local or remote computing system storage media including memory storage devices.

Claims (14)

1. A method for detecting behavior features of a file, comprising:
determining the category to which a file to be detected belongs;
running the file to be detected in a sandbox corresponding to the category, and collecting the behaviors produced by the file to be detected during execution;
comparing the behaviors produced by the file to be detected during execution with the behavior features in a non-malicious behavior feature library corresponding to the category, wherein the behavior features in the non-malicious behavior feature library corresponding to the category are the behavior features possessed by non-malicious files of the category;
if there is a behavior outside the non-malicious behavior feature library, determining the file to be detected to be a malicious file.
2. The method according to claim 1, wherein determining the category to which the file to be detected belongs comprises:
determining the category to which the file to be detected belongs according to static file features of the file to be detected.
3. The method according to claim 2, wherein the static file features comprise the icon and size of the file and/or a cyclic redundancy check (CRC) code of the code.
4. The method according to claim 1, wherein determining the category to which the file to be detected belongs comprises:
if the file to be detected originates from a website, determining the category to which the file to be detected belongs according to the category to which the website belongs.
5. The method according to claim 1, wherein the category to which the file to be detected belongs comprises a private server class, and the behavior features in the non-malicious behavior feature library corresponding to the category comprise:
traversing directories to search for game content, searching for the game window and/or loading a dynamic link library file having a particular path and filename.
6. The method according to claim 1, wherein the category to which the file to be detected belongs comprises a plug-in class, and the behavior features in the non-malicious behavior feature library corresponding to the category comprise:
creating a non-malicious file, searching for the game, loading a dynamic link library file having a particular path and filename, operating on the game process and/or non-malicious network operations.
7. The method according to any one of claims 1 to 6, further comprising:
receiving a new file sample uploaded by a client, and determining the newly uploaded file sample to be the file to be detected;
or,
collecting a new file sample from the Internet, and determining the newly collected file sample to be the file to be detected.
8. An apparatus for detecting behavior features of a file, comprising:
a file category determining unit, configured to determine the category to which a file to be detected belongs;
a behavior collecting unit, configured to run the file to be detected in a sandbox corresponding to the category and to collect the behaviors produced by the file to be detected during execution;
a feature comparing unit, configured to compare the behaviors produced by the file to be detected during execution with the behavior features in a non-malicious behavior feature library corresponding to the category, wherein the behavior features in the non-malicious behavior feature library corresponding to the category are the behavior features possessed by non-malicious files of the category;
a detection result determining unit, configured to determine the file to be detected to be a malicious file if there is a behavior outside the non-malicious behavior feature library.
9. The apparatus according to claim 8, wherein the file category determining unit comprises:
a static analysis subunit, configured to determine the category to which the file to be detected belongs according to static file features of the file to be detected.
10. The apparatus according to claim 9, wherein the static file features comprise the icon and size of the file and/or a cyclic redundancy check (CRC) code of the code.
11. The apparatus according to claim 8, wherein the file category determining unit comprises:
a website analysis subunit, configured to determine, if the file to be detected originates from a website, the category to which the file to be detected belongs according to the category to which the website belongs.
12. The apparatus according to claim 8, wherein the category to which the file to be detected belongs comprises a private server class, and the behavior features in the non-malicious behavior feature library corresponding to the category comprise:
traversing directories to search for the game, searching for the game window and/or loading a dynamic link library file having a particular path and filename.
13. The apparatus according to claim 8, wherein the category to which the file to be detected belongs comprises a plug-in class, and the behavior features in the non-malicious behavior feature library corresponding to the category comprise:
creating a non-malicious file, traversing directories to search for the game, loading a dynamic link library file having a particular path and filename, operating on the game process and/or non-malicious network operations.
14. The apparatus according to any one of claims 8 to 13, further comprising:
a first file determining unit, configured to receive a new file sample uploaded by a client and to determine the newly uploaded file sample to be the file to be detected;
or,
a second file determining unit, configured to collect new file samples from the Internet and to determine the newly collected file sample to be the file to be detected.
CN201210376077.XA 2012-09-29 2012-09-29 Method and device for detecting behavior feature of file Active CN102902924B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210376077.XA CN102902924B (en) 2012-09-29 2012-09-29 Method and device for detecting behavior feature of file

Publications (2)

Publication Number Publication Date
CN102902924A true CN102902924A (en) 2013-01-30
CN102902924B CN102902924B (en) 2016-04-13

Family

ID=47575151

Country Status (1)

Country Link
CN (1) CN102902924B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101676903A (en) * 2008-09-19 2010-03-24 众来科技股份有限公司 File control and management device with functions of identification, classification, search and storage and method
CN101924761A (en) * 2010-08-18 2010-12-22 奇智软件(北京)有限公司 Method for detecting malicious program according to white list
US8176555B1 (en) * 2008-05-30 2012-05-08 Symantec Corporation Systems and methods for detecting malicious processes by analyzing process names and process characteristics
CN102479298A (en) * 2010-11-29 2012-05-30 北京奇虎科技有限公司 Program identification method and device based on machine learning
CN102592086A (en) * 2011-12-28 2012-07-18 奇智软件(北京)有限公司 Method and device for browsing webpages in sandbox

Cited By (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105453104A (en) * 2013-06-12 2016-03-30 软件营地株式会社 File security management apparatus and management method for system protection
CN105453104B (en) * 2013-06-12 2018-10-09 软件营地株式会社 System protection file security control device and management method
CN104252592B (en) * 2013-06-27 2017-07-25 贝壳网际(北京)安全技术有限公司 Method and device for identifying plug-in application program
CN104252447A (en) * 2013-06-27 2014-12-31 贝壳网际(北京)安全技术有限公司 File behavior analysis method and device
CN104252592A (en) * 2013-06-27 2014-12-31 贝壳网际(北京)安全技术有限公司 Method and device for identifying plug-in application program
CN103646213A (en) * 2013-09-26 2014-03-19 北京神州绿盟信息安全科技股份有限公司 Method and device for classifying malicious software
CN103646213B (en) * 2013-09-26 2016-06-01 北京神州绿盟信息安全科技股份有限公司 The sorting technique of a kind of malice software and device
CN103824015A (en) * 2014-02-26 2014-05-28 珠海市君天电子科技有限公司 Application program control method, device and system
CN103825780A (en) * 2014-02-26 2014-05-28 珠海市君天电子科技有限公司 Tag-on program identification method, service and system
CN103824015B (en) * 2014-02-26 2017-05-24 珠海市君天电子科技有限公司 Application program control method, device and system
CN103902886A (en) * 2014-03-04 2014-07-02 珠海市君天电子科技有限公司 Method and device for detecting third-party application
CN105718798A (en) * 2015-08-18 2016-06-29 哈尔滨安天科技股份有限公司 Private network information amplification based automatic malicious code analysis method and system
CN105117644A (en) * 2015-08-26 2015-12-02 福建天晴数码有限公司 Method and system for acquiring Android plug-in program
CN105117644B (en) * 2015-08-26 2018-08-28 福建天晴数码有限公司 Acquire Android plug-in program method and system
CN105956470A (en) * 2016-05-03 2016-09-21 北京金山安全软件有限公司 Method and terminal for intercepting application program behaviors
CN107979581A (en) * 2016-10-25 2018-05-01 华为技术有限公司 The detection method and device of corpse feature
WO2018076697A1 (en) * 2016-10-25 2018-05-03 华为技术有限公司 Method and apparatus for detecting zombie feature
US10757135B2 (en) 2016-10-25 2020-08-25 Huawei Technologies Co., Ltd. Bot characteristic detection method and apparatus
US11290484B2 (en) 2016-10-25 2022-03-29 Huawei Technologies Co., Ltd. Bot characteristic detection method and apparatus
CN106778241A (en) * 2016-11-28 2017-05-31 东软集团股份有限公司 The recognition methods of malicious file and device
CN106778241B (en) * 2016-11-28 2020-12-25 东软集团股份有限公司 Malicious file identification method and device
US11244051B2 (en) 2016-12-11 2022-02-08 Fortinet, Inc. System and methods for detection of cryptoware
WO2018104925A1 (en) * 2016-12-11 2018-06-14 enSilo Ltd. System and methods for detection of cryptoware
CN110866253A (en) * 2018-12-28 2020-03-06 北京安天网络安全技术有限公司 Threat analysis method and device, electronic equipment and storage medium
CN110866253B (en) * 2018-12-28 2022-05-27 北京安天网络安全技术有限公司 Threat analysis method and device, electronic equipment and storage medium
CN112487432A (en) * 2020-12-10 2021-03-12 杭州安恒信息技术股份有限公司 Method, system and equipment for malicious file detection based on icon matching
CN113407804A (en) * 2021-07-14 2021-09-17 杭州雾联科技有限公司 External hanging accurate marking and identifying method and device based on crawler

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220711

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co., Ltd