CN102930210B - Rogue program behavior automated analysis, detection and classification system and method - Google Patents

Info

Publication number: CN102930210B
Authority: CN (China)
Prior art keywords: behavior, sample, sandbox, api, rogue program
Legal status: Active
Application number: CN201210408358.9A
Other languages: Chinese (zh)
Other versions: CN102930210A
Inventors: 邹艳, 刘建港, 苗启广, 宋建锋, 谢国胜, 曹莹, 黄有成, 刘家辰, 郑春阳
Current assignee: JIANGSU JINLING SCI&TECH GROUP Co Ltd
Original assignee: JIANGSU JINLING SCI&TECH GROUP Co Ltd
Application filed by JIANGSU JINLING SCI&TECH GROUP Co Ltd
Priority to CN201210408358.9A
Publication of CN102930210A
Application granted
Publication of CN102930210B

Abstract

The invention discloses a malicious program behavior automated analysis, detection and classification system and method. The system comprises a static analysis module, a sandbox dispatch management module, a sandbox monitoring module, a behavior abstraction module, and a detection and classification module. Compared with the prior art, the present invention has the following advantages. First, the present invention is based on a behavior monitoring technique built on an instruction-set simulation environment. Second, the present invention builds a virtual Internet inside the sandbox by means of environment configuration and modified server programs, simulating common network services so that the operations initiated by a malicious program, such as DNS resolution, HTTP access, file download, e-mail login and mail sending, can execute successfully; the malicious program is thereby induced to exhibit its malicious network behavior, while these network behaviors are guaranteed not to harm the host or the real network. This overcomes the shortcoming of malicious program dynamic behavior analysis that network behavior cannot be fully exhibited.

Description

Malicious program behavior automated analysis, detection and classification system and method
Technical field
The invention belongs to the fields of system security and network security, and more particularly relates to a method for automated analysis of malicious program dynamic behavior. The present invention is used to establish rules for the dynamic behavior of known malicious programs and to judge the dynamic behavior of unknown malicious programs with high accuracy.
Background art
In the field of malicious program analysis, automated dynamic behavior analysis methods are adopted in order to obtain the behavioral characteristics of malicious programs more accurately, more comprehensively and more rapidly.
The patent application "Malicious program dynamic behavior automatic analysis system and method" (publication number CN101154258, filing date 2007.08.14) of the University of Electronic Science and Technology discloses a method of malicious program dynamic analysis. The concrete steps of this dynamic analysis are: (1) an initialisation unit starts the target binary program; (2) the initialisation unit loads a virtual execution unit and a behavior monitoring component; (3) a disassembly component retrieves the assembly instructions of the target program's binary code stream; (4) the virtual execution unit generates the corresponding execution blocks; (5) a behavior control component judges whether the basic block contains a malicious behavior present in the rule base; (6) if a malicious behavior exists, control is handed to a behavior analysis component, which records the malicious behavior; (7) every instruction in the basic block is virtually executed; (8) after analysis stops, the behavior analysis component submits a malicious behavior analysis report. Although this method provides an automated malicious program dynamic behavior analysis system usable for coarse-grained classification of unknown malicious program dynamic behavior, the system lacks static analysis of the malicious program, lacks host event simulation, lacks host environment simulation and lacks simulation of a common network environment, so its acquisition of malicious program dynamic behavior is far from comprehensive. Moreover, the system can only analyze binary executables; other file formats such as service programs, DLL files or non-PE files cannot be analyzed, which greatly limits its use. Meanwhile, the system gives no method for how to abstract behavior once the behavioral characteristics of a malicious program have been acquired, nor for how to analyze and classify the malicious behavior of an unknown binary program. In sum, these deficiencies affect the practicality, accuracy and classification effectiveness of that system.
Summary of the invention
In view of the deficiencies of existing malicious program analysis, detection and classification technology, the present invention proposes an automated malicious program analysis, detection and classification method that combines static analysis, dynamic analysis and network analysis with behavior abstraction and ensemble learning. The goal is to provide a more practical malicious program automated analysis, detection and classification system and method: it supports loading and running PE files and common non-PE files; it supports complete monitoring of malicious program execution, monitoring host behaviors during loading and execution such as process injection, registry operations, memory operations and file operations, and network behaviors such as network redirection, DNS addressing, FTP connection, HTTP access, e-mail login and mail sending; it provides malicious access behavior toward system resources of all kinds, such as processes, memory, files, the registry, the host environment and the network; and it provides simulation of host events such as USB flash disk insertion and CD insertion. At the same time, according to the reports generated by the automated analysis, the behavior of each malicious program is abstracted in a systematic, rule-based way to form a malicious program behavior feature library; an ensemble learning method is used to analyze and quantify these behavioral features and to establish a classification model, effectively improving the accuracy of classifying unknown sample files.
Through sandbox monitoring realized by virtualization technology, acquisition of malicious program static information, capture of malicious program behavioral features, and behavior-feature-based malicious program detection and classification, this complete system and method realizes automated analysis and accurate classification of malicious programs. It addresses the shortcomings of the prior art: signature extraction is difficult, malicious programs using complex packing, polymorphism and metamorphism are hard to handle, malicious program behavior is captured incompletely, and the behavior abstraction and detection/classification techniques are not well defined. It thereby improves the detection rate and classification accuracy for malicious programs.
The malicious program automated analysis, detection and classification system provided by the invention includes the following modules:
1. Static analysis module: before dynamic sandbox analysis of a sample file, static analysis is performed on the structure of the executable file (PE file) to obtain as much sample-related information as possible. From this information a static analysis report of the sample file is obtained; this report and the subsequent reports become the most original data source for the behavior abstraction module.
2. Sandbox dispatch management module: the present invention includes multiple sandboxes, so an independent sandbox dispatch management module is needed to manage each sandbox and the transmission of samples and data, and to control the flow of automated sample analysis. The sandbox dispatch management module controls the startup and exit of each sandbox, implements message exchange and file transfer with each sandbox, and controls sample execution and host environment simulation. In general, the sandbox dispatch management module assists the sandbox monitoring module in completing its functions automatically; it is an important auxiliary module.
3. Sandbox monitoring module: the main target of the sandbox monitoring module is to capture the API calls initiated by a specific process together with their parameters, while also extracting the modules loaded by the process and the related kernel data that the operating system maintains for it.
The present invention uses a software virtual machine based on the open-source emulator Qemu, and modifies the core code of the instruction interpretation and execution part of its CPU simulation so as to monitor the host behavior of a specific process. This behavior monitoring technique based on an instruction-set simulation environment reconstructs, bottom-up from the instruction level, kernel-level objects such as system calls and processes, and thereby obtains the behavior exhibited during the malicious program's dynamic execution. The host and the sandbox environment in which the malicious program runs are isolated, largely avoiding any impact of the malicious program on the host during execution.
Traditional API hooking methods modify the source code of the monitored program, which affects the stable execution of the malicious program, makes the presence of the analysis tool easy to detect so that monitoring is evaded, and requires a driver to collect operating system kernel data, which is technically difficult. To overcome these shortcomings, the sandbox monitoring module aims to monitor the execution of the test program silently, without modifying the target program, and to collect as much available information as possible. The monitored program runs in the guest operating system, while program behavior monitoring is realized in the Qemu monitor unit, which has a higher privilege level than the guest operating system. Because behavior monitoring is implemented at the higher privilege level, the test program can hardly evade analysis, and its source code need not be modified.
4. Behavior abstraction module: after the sandbox monitoring module has completed executing the malicious program and capturing its APIs, a report of the API functions used by the sample program during its run, together with their parameters, is obtained. But using this API report directly for malicious program classification faces some obstacles, so the behavior exhibited by the sample must be abstracted from the API sequence. This process of abstracting a sample's API sequence into sample behavior is called "behavior abstraction".
What is obtained from sandbox analysis of a malicious program sample is its API call sequence. Although this call sequence contains a great deal of information relevant to the malicious program's behavior, its level of abstraction is too low for the subsequent classification algorithm and for generating reports that people can easily understand. It is therefore necessary to define rules that abstract the API call sequence into a data form the algorithm can handle easily, and further into a representation that people can readily understand.
5. Detection and classification module: the malicious program detection task is a standard multi-class classification task. In order to judge whether a file submitted by the user for analysis is a malicious program, and if so to judge which kind of malicious program it belongs to, a classification model must first be established.
This system adopts the idea of ensemble learning to establish the classification model. Ensemble learning uses different strategies to divide a large problem into several smaller problems that are solved separately, or generates multiple learners that solve the same problem, and then synthesizes the outputs of the different sub-classifiers through an integration strategy to obtain a single final output. Generating multiple classifiers that vote can effectively improve accuracy on classification problems, and this is the core of the algorithm design in this system.
Ensemble learning algorithms comprise two key links: sub-classifier generation and classifier combination. This system selects AdaBoost, the classic algorithm of boosting, as the ensemble framework, and selects the decision tree algorithm C4.5 as the sub-classifier generation algorithm.
Compared with the prior art, the present invention has the following advantages:
First, the present invention is based on a behavior monitoring technique built on an instruction-set simulation environment; it can reconstruct, bottom-up from the instruction level, kernel-level objects such as system calls and processes and thereby obtain the behavior exhibited during the malicious program's dynamic execution. Because behavior monitoring is implemented at a higher privilege level, the test program can hardly evade analysis and its source code need not be modified. This overcomes the shortcomings of traditional API hooking methods: modifying the monitored program's source code affects the malicious program's stable execution, the presence of the analysis tool is easily detected so that monitoring is evaded, and collecting operating system kernel data requires a driver and is technically difficult.
Second, the present invention builds a virtual Internet inside the sandbox by means of environment configuration and modified server programs, simulating common network services so that operations initiated by a malicious program, such as DNS resolution, HTTP access, file download, e-mail login and mail sending, can execute successfully. The malicious program is thereby induced to exhibit its malicious network behavior, while these network behaviors are guaranteed not to harm the host or the real network; this overcomes the shortcoming of malicious program dynamic behavior analysis that network behavior cannot be fully exhibited.
Third, the present invention simulates multiple host events and host environments inside the sandbox by means of environment configuration and programs, so that a malicious program sensitive to host events such as USB flash disk insertion, CD insertion or network shared folder connection, or to environment conditions such as the presence of a microphone or camera, can successfully exhibit its follow-up behavior. The malicious program is induced to produce more behavior, overcoming the shortcoming of dynamic behavior analysis that a malicious program sensitive to host events or the host environment cannot fully exhibit its behavior.
Fourth, the present invention realizes an abstraction algorithm for malicious program behavior which processes and analyzes the raw malicious program behavior data obtained by the sandbox to yield abstract behavior data of uniform format and reduced redundancy. This behavior abstraction algorithm quickly produces data usable by the subsequent behavior detection and classification algorithm, providing a good data basis for it, and overcomes the shortcomings of traditional behavior abstraction algorithms: slow abstraction, complicated representation and poor generality.
Fifth, the present invention employs the advanced ensemble learning algorithm AdaBoost in the malicious program behavior detection and classification process. As one of the ten major algorithms of modern machine learning, AdaBoost adaptively combines several classifiers of weaker performance linearly to obtain a classifier of stronger performance, implicitly optimizes the classification boundary, and at the same time avoids the negative effects of over-fitting. Adopting AdaBoost in malicious program behavior detection and classification effectively improves classification accuracy, especially the generalization accuracy on new samples, and overcomes the shortcomings of traditional malicious program behavior detection and classification: unsatisfactory classification results, a tendency to over-fit and consequently poor generalization ability.
Description of the drawings
Fig. 1 is the flow chart of the malicious program behavior automated analysis, detection and classification system and method of the present invention;
Fig. 2 is the system architecture diagram of the sandbox monitoring module of the malicious program behavior automated analysis, detection and classification system and method of the present invention;
Fig. 3 is the interworking flow chart between the sandbox monitoring module and the sandbox dispatch management module of the malicious program behavior automated analysis, detection and classification system and method of the present invention;
Fig. 4 is the working diagram of the Qemu monitor unit of the malicious program behavior automated analysis, detection and classification system and method of the present invention;
Fig. 5 is the behavior abstraction schematic diagram of the malicious program behavior automated analysis, detection and classification system and method of the present invention;
Fig. 6 is the behavior abstraction flow chart of the malicious program behavior automated analysis, detection and classification system and method of the present invention.
Embodiments
The present invention is described in detail below with reference to specific embodiments.
With reference to Fig. 1, step 1: first, the static analysis module performs static analysis on the structure of the executable sample file, obtaining the sample's compiler version, build time, multilingual information, the section information of the PE file, the import table of the PE file, whether the PE file is packed and the packer type, and so on. The static analysis module thus obtains information relevant to the malicious program and, combined with the malicious program dynamic analysis information obtained by the sandbox monitoring module, provides richer data for the classification performed by the final ensemble classification algorithm.
Step 2: after static analysis completes, the sample file enters the automated dynamic analysis process, which is managed automatically by the sandbox dispatch management module. The sandbox dispatch management module starts the sandbox, uploads the sample file to the GuestOS unit and runs the sample in the GuestOS unit; the Qemu monitor unit of the sandbox monitoring module monitors the execution or loading of the sample and produces the sample file's API sequence report, while the network packet monitoring function of the GuestOS unit in the sandbox monitoring module monitors the network packets produced by the GuestOS unit and produces the sample file's network packet report. After sample execution terminates normally or times out, if the sample is a non-EXE file, the registry and file system snapshots are compared and a registry and file snapshot comparison report is produced. These reports, together with the files generated during sample execution, are transmitted to the sandbox dispatch management module and become the raw data for behavior abstraction of this malicious program sample.
Fig. 2 is the system architecture diagram of the sandbox monitoring module. The figure describes in detail the architecture of the sandbox monitoring module and how it interacts with the host through the sandbox dispatch management module. The sandbox monitoring module comprises the GuestOS unit, which serves as the virtual execution environment for the malicious program, and the modified whole-system emulator, the Qemu monitor unit. The GuestOS unit includes functions such as network packet monitoring, snapshot comparison and host event simulation; the Qemu monitor unit includes functions such as process identification and multi-process monitoring, API monitoring, API dependency analysis and redundant data filtering. Sections 2a-2b below introduce the function and workflow of each unit in detail.
2a) The GuestOS (guest operating system) unit is the environment in which the malicious program sample runs; we select the Windows XP operating system as the GuestOS. The GuestOS unit is connected to the host through a virtual network and interacts with it via the sandbox dispatch management module.
With reference to Fig. 3, the interaction between the GuestOS unit and the sandbox dispatch management module, and the workflow of the GuestOS unit running a malicious program sample, are described in detail. The workflow is introduced below.
i> The sandbox dispatch management module starts the sandbox and uploads the sample file from the host to the GuestOS unit over the virtual network.
ii> The GuestOS unit starts host-based packet monitoring and begins executing the sample file.
iii> After the sample file terminates normally or times out, the Qemu monitor unit sends a message to the sandbox dispatch management module that the sample analysis has finished.
iv> If the sample file is not an executable file, registry and file system snapshot comparison is performed and a snapshot comparison report is generated; otherwise proceed directly to the next step.
v> If the sample file dropped other files during execution, these files are passed to the host over the virtual network; otherwise proceed directly to the next step.
vi> The GuestOS unit passes the network packet monitoring report to the host.
vii> The sandbox dispatch management module shuts down the sandbox.
2b) The Qemu monitor unit has a higher privilege level than the GuestOS unit and is used to monitor the behavior of the target program. The Qemu monitor unit uses a software virtual machine based on the open-source emulator Qemu, but the core code of the instruction interpretation and execution part of its CPU simulation is modified so as to monitor the host behavior of a specific process.
With reference to Fig. 4, the working process of the Qemu monitor unit is described; it is introduced in detail below.
i> The Qemu monitor unit identifies whether the currently running process is the target process; if not, execution is simply let through, otherwise proceed to the next step.
ii> If the code being executed is at an API entry point, the return address is saved onto the return-address stack and the front-end callback function is called; the front-end callback reads the input values of the in and in_out parameters when the API entry code executes.
iii> If the code being executed is not at an API entry point, the current address is compared with the top element of the return-address stack. If they are unequal, the API currently being called is a nested-call API; such nested API calls do not represent the real behavior of the program but the internal implementation of the operating system, so they are let through without monitoring. If they are equal, the back-end callback function is called; the back-end callback reads the return value and the values of the out parameters when the call returns, and the return-address stack is then adjusted accordingly.
The Qemu monitor unit uses a software virtual machine based on the open-source emulator Qemu, but the core code of the instruction interpretation and execution part of the CPU simulation is modified. Modifying Qemu involves several technical difficulties; sections 2c-2g below introduce each difficulty and the solution of the present invention.
2c) Process identification in the Qemu monitor unit: an unmodified virtual machine only strictly simulates the computer hardware, that is, the process by which the simulated CPU executes each instruction, and has no understanding of the operating-system-level concept of a "process". To monitor, from the Qemu monitor upwards, the target process running in the guest operating system, all processes currently running in the guest operating system must first be reconstructed inside the Qemu monitor, and behavioral data is captured only when the target process is scheduled for execution.
The method by which this system performs process identification in the Qemu monitor unit is as follows: before each translation block begins executing, the sandbox monitoring module uses the virtual memory read/write functions and, taking the kernel data structure KPCR (Kernel Processor Control Region) as the clue, finds the start address of the EPROCESS structure of the process currently executing in the system. Then, from the process name stored in the EPROCESS (executive process block) structure, it judges whether the currently executing process is the target process; if so, it reads from the structure the page directory base value that the operating system has allocated to this process. Afterwards, this value is compared with the value stored in the virtual CR3 register to judge whether the monitored process is executing. Behavioral data is collected only while the target process is executing.
2d) API call analysis framework and the callback functions that read parameters: Qemu performs instruction simulation in units of basic blocks, each of which ends with a jump instruction. Consequently, the code at the entry point of any API is always located at the beginning of a translation block. By comparing addresses against API entry addresses at the beginning of each translation block, the Qemu monitor unit can silently monitor the API calls initiated by a specific process. Each monitored API has a corresponding callback function responsible for reading from virtual memory the call parameters passed to that API. Realizing API monitoring requires modifying Qemu's instruction translation routine to insert a callback invocation framework into it; before the API entry point code executes, the framework judges whether the corresponding callback needs to be called to obtain the parameter information.
Acquiring API call parameters is the core of behavioral data collection; obtaining only the API call name is not sufficient to analyze malicious program behavior. When the code at an API entry point executes, the virtual memory read function can read the return address from the address indicated by the virtual ESP register, the first parameter from the address ESP+4, the second parameter from ESP+8, and so on. For parameters larger than 32 bits (such as strings, structures, etc.), an API call passes a pointer to the parameter in place of its actual value. For such parameters, a single read of virtual memory yields only the memory address of the parameter, which is of no use to analysis; virtual memory must be read repeatedly until the actual value of the parameter is obtained.
API monitoring is completed by two callback functions: the front-end callback reads the input values of the in parameters (input parameters) and in_out parameters (input/output parameters) when the API entry code executes, and the back-end callback reads the return value and the values of the out parameters (output parameters) when the call returns. The front-end and back-end callbacks communicate through a shared buffer and cooperate with each other.
With the API entry address comparison method, the unavoidable monitoring of nested API calls is another major issue. When implementing a certain API, the operating system may call other APIs; for example, CopyFile indirectly calls CreateFile and WriteFile to accomplish its function. Such nested API calls do not represent the real behavior of the program but the internal implementation of the operating system. To filter out such nested API calls, the callback invocation framework maintains a return-address stack, and records are output only when the stack depth is 1, thereby filtering nested APIs.
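The CR3-based process gating of 2c and the entry-address comparison, parameter-reading callbacks and return-address stack of 2d, modelled on the host side as an added example (this is not code from the patent or from Qemu; the guest memory contents, the API entry addresses, the page directory base values and the translation-block trace are all constructed):

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed guest memory: 4 KiB holds the sample's stack frames and string arguments. */
#define MEM_SIZE 0x1000
static uint8_t guest_mem[MEM_SIZE];

/* Stand-ins for the virtual-memory read/write functions the monitor relies on. */
static uint32_t vm_read32(uint32_t a) {
    return (uint32_t)guest_mem[a] | (uint32_t)guest_mem[a + 1] << 8 |
           (uint32_t)guest_mem[a + 2] << 16 | (uint32_t)guest_mem[a + 3] << 24;
}
static void vm_write32(uint32_t a, uint32_t v) {
    for (int i = 0; i < 4; i++) guest_mem[a + i] = (uint8_t)(v >> (8 * i));
}
/* Follow a pointer parameter and read the string behind it (the repeated read of 2d). */
static void vm_read_str(uint32_t a, char *out, size_t n) {
    size_t i = 0;
    while (i + 1 < n && guest_mem[a + i] != 0) { out[i] = (char)guest_mem[a + i]; i++; }
    out[i] = 0;
}

/* What the modified translator hands the monitor at the start of each translation block. */
typedef struct { uint32_t cr3, pc, esp, eax; } tb_event;

/* Hypothetical API entry table; the addresses are constructed, not real kernel32 ones. */
typedef struct { const char *name; uint32_t entry; int nparams; int str_param; } api_desc;
static const api_desc api_table[] = {
    { "CopyFile",   0x7C800100, 3, 0 },   /* parameter 0 is a string pointer */
    { "CreateFile", 0x7C800200, 7, 0 },
    { "WriteFile",  0x7C800300, 5, -1 },
};

typedef struct { const char *name; uint32_t args[8]; int nargs; char str_arg[32];
                 uint32_t ret; int returned; } api_record;

#define MAX_REC 16
#define MAX_DEPTH 16
static api_record records[MAX_REC];
static int nrecords;
static uint32_t ret_stack[MAX_DEPTH];   /* the framework's return-address stack */
static int depth;
static int cur;                         /* index of the open depth-1 record */

static const api_desc *lookup_entry(uint32_t pc) {
    for (size_t i = 0; i < sizeof api_table / sizeof api_table[0]; i++)
        if (api_table[i].entry == pc) return &api_table[i];
    return NULL;
}

/* Per-translation-block hook: CR3 gating (2c), then the entry/return logic (2d). */
static void on_tb_start(uint32_t target_cr3, const tb_event *ev) {
    if (ev->cr3 != target_cr3) return;              /* not the target process: let it run */
    const api_desc *api = lookup_entry(ev->pc);
    if (api) {                                      /* step ii: code at an API entry point */
        if (depth >= MAX_DEPTH) return;
        ret_stack[depth++] = vm_read32(ev->esp);    /* return address sits at [ESP] */
        if (depth != 1 || nrecords >= MAX_REC) return; /* nested call: OS internals, skip */
        api_record *r = &records[cur = nrecords++]; /* front-end callback: read in params */
        memset(r, 0, sizeof *r);
        r->name = api->name;
        r->nargs = api->nparams;
        for (int i = 0; i < api->nparams && i < 8; i++)
            r->args[i] = vm_read32(ev->esp + 4 * (i + 1));  /* [ESP+4], [ESP+8], ... */
        if (api->str_param >= 0)
            vm_read_str(r->args[api->str_param], r->str_arg, sizeof r->str_arg);
        return;
    }
    /* step iii: not an entry; does it match the return address on top of the stack? */
    if (depth > 0 && ev->pc == ret_stack[depth - 1]) {
        depth--;
        if (depth == 0) {                           /* back-end callback: read return value */
            records[cur].ret = ev->eax;
            records[cur].returned = 1;
        }
    }
}

/* Constructed trace: the target calls CopyFile, which internally calls CreateFile and
 * WriteFile; an unrelated process hits the CreateFile entry first and must be ignored. */
#define TARGET_CR3 0x00391000u
#define OTHER_CR3  0x00A2C000u
static int run_demo(void) {
    memset(guest_mem, 0, sizeof guest_mem);
    nrecords = depth = cur = 0;
    strcpy((char *)&guest_mem[0x100], "C:\\a.exe");          /* lpExistingFileName */
    strcpy((char *)&guest_mem[0x140], "C:\\b.exe");          /* lpNewFileName */
    vm_write32(0x800, 0x00401234); vm_write32(0x804, 0x100);  /* CopyFile frame: ret, arg0 */
    vm_write32(0x808, 0x140);      vm_write32(0x80C, 0);      /* arg1, arg2 */
    vm_write32(0x7F0, 0x7C800150);  /* nested CreateFile frame: returns inside CopyFile */
    vm_write32(0x7E0, 0x7C800180);  /* nested WriteFile frame: returns inside CopyFile */
    const tb_event trace[] = {
        { OTHER_CR3,  0x7C800200, 0x700, 0 },    /* another process: gated out by CR3 */
        { TARGET_CR3, 0x00401000, 0x800, 0 },    /* ordinary code in the target */
        { TARGET_CR3, 0x7C800100, 0x800, 0 },    /* CopyFile entry, depth 1 */
        { TARGET_CR3, 0x7C800200, 0x7F0, 0 },    /* nested CreateFile, depth 2 */
        { TARGET_CR3, 0x7C800300, 0x7E0, 0 },    /* nested WriteFile, depth 3 */
        { TARGET_CR3, 0x7C800180, 0x7E4, 1 },    /* WriteFile returns */
        { TARGET_CR3, 0x7C800150, 0x7F4, 0x5C }, /* CreateFile returns a handle */
        { TARGET_CR3, 0x00401234, 0x804, 1 },    /* CopyFile returns TRUE */
    };
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++)
        on_tb_start(TARGET_CR3, &trace[i]);
    return nrecords;                                /* only the depth-1 call is recorded */
}

int main(void) {
    int n = run_demo();
    for (int i = 0; i < n; i++)
        printf("%s(\"%s\", 0x%x, %u) -> %u%s\n", records[i].name, records[i].str_arg,
               (unsigned)records[i].args[1], (unsigned)records[i].args[2],
               (unsigned)records[i].ret, records[i].returned ? "" : " (no return seen)");
    return 0;
}
```

The nested CreateFile and WriteFile entries push the stack to depth 2 and 3 and produce no record, so the trace yields the single CopyFile record with its string argument resolved and its return value filled in by the back-end callback.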
2e) Page fault handling: virtual memory is simulated by the heap space of the Qemu process, and all the information needed for data collection resides there. Locating data in virtual memory from the local host and bypassing Qemu's virtual memory simulation routines to read the needed information directly is the core technique by which the Qemu monitor unit silently collects target process behavioral data. However, because Windows virtual memory management adopts a "lazy" strategy, if the data to be read is not in virtual memory but in the virtual hard disk, forcibly reading virtual memory causes a page fault; the analysis program executing in the guest operating system then terminates abnormally and the normal execution of the monitored process is destroyed, which is unacceptable.
To prevent the analyzer from causing a page fault that breaks the normal execution of the analysis program when extracting behavioral data from virtual memory, the sandbox monitoring module uses a "three-step method" to solve this problem.
The detailed process is as follows: first, before reading, test whether a page-miss condition exists; if a page miss occurs, wait for the page to be brought into virtual memory; if waiting is unsuccessful, the analysis routine forcibly reads the data in that address space, triggering the guest operating system's page fault handling routine, which loads the missing page into virtual memory, and the read is then attempted again.
To improve execution efficiency, not all virtual memory reads and writes in the sandbox monitoring module use the "three-step method"; the page fault avoidance strategy above is executed only where a page miss is most likely. In Windows, data read directly from the stack (32-bit parameters) cannot cause a page miss, and string and structure parameters normally have small data volumes and do not cause page misses either, so neither needs the page-miss test. Page faults are likely only when I/O processing or large buffer reads and writes are involved.
2f) API dependency analysis and redundant data filtering: among API calls, if the return value or an out parameter of one API is an in parameter of another API, the two APIs are said to have a call dependency. Even after the API calls initiated by a specific process have been intercepted successfully, API call sequence analysis still faces the following three difficulties. First, to resist API frequency statistics and API time-sequence analysis, some malicious programs are written with redundant API insertion and API reordering, making the API call sequence poor at portraying the characteristic behavior of the malicious program. Second, dynamic analysis collects the behavioral data of the monitored program at run time; because of loops and searches in the program, some APIs are called repeatedly, burdening subsequent behavior analysis with heavy data. Third, Windows APIs are ambiguous: for example, CreateFile may open a file, create a file, open a named pipe or create a named pipe, so an API call is not truly equivalent to a program behavior.
Although API call frequency and API call order can change, the call dependencies between APIs are relatively stable, and dependencies exist between APIs that operate repeatedly on the same object. Based on this, the API dependency analysis and redundant data filtering function in the Qemu monitor unit handles the following three situations to extract the characteristic behavior of the malicious program. First, on the Windows platform a handle represents a system resource, so repeated operations on the same resource are merged into one according to the handle. Second, process injection events are monitored. Third, the ambiguity of the Create-series APIs is eliminated through dependency analysis.
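The handle-based merging of repeated operations and the Create-ambiguity resolution of 2f over a constructed call sequence, as an added example (not the patent's code; the resolution rules, the API sequence and the handle values are assumptions made for the illustration):

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One intercepted call as the callbacks of 2d leave it: API name, return value, the handle
 * passed as an in parameter (0 if none) and, for CreateFile, dwCreationDisposition plus the
 * object name that the pointer parameter resolved to. All values below are constructed. */
typedef struct {
    const char *api; uint32_t ret; uint32_t in_handle; uint32_t disposition; const char *name;
} api_call;

#define DESC_LEN 96
#define MAX_BEH 16
static char behaviors[MAX_BEH][DESC_LEN];
static int nbehaviors;

/* Assumed resolution rules (the patent states the goal, not the rule): CREATE_NEW (1) and
 * CREATE_ALWAYS (2) mean "create", other dispositions mean "open"; a \\.\pipe\ prefix
 * means the object is a named pipe rather than a file. */
static const char *resolve_verb(uint32_t disposition) {
    return (disposition == 1 || disposition == 2) ? "create" : "open";
}
static const char *resolve_kind(const char *name) {
    return strncmp(name, "\\\\.\\pipe\\", 9) == 0 ? "named pipe" : "file";
}

/* Dependency chain: every later call whose in parameter is the handle CreateFile returned,
 * up to the CloseHandle that ends that handle's lifetime (Windows reuses handle values,
 * so the chain must stop there instead of matching the value across the whole sequence). */
static int abstract_calls(const api_call *calls, int n) {
    nbehaviors = 0;
    for (int i = 0; i < n && nbehaviors < MAX_BEH; i++) {
        if (strcmp(calls[i].api, "CreateFile") != 0 || calls[i].ret == 0) continue;
        uint32_t h = calls[i].ret;
        int reads = 0, writes = 0, other = 0;
        for (int j = i + 1; j < n; j++) {
            if (calls[j].in_handle != h) continue;            /* no dependency on this handle */
            if (strcmp(calls[j].api, "CloseHandle") == 0) break;
            if (strcmp(calls[j].api, "ReadFile") == 0) reads++;      /* repeats merged by handle */
            else if (strcmp(calls[j].api, "WriteFile") == 0) writes++;
            else other++;
        }
        char *d = behaviors[nbehaviors++];
        int len = snprintf(d, DESC_LEN, "%s %s %s", resolve_verb(calls[i].disposition),
                           resolve_kind(calls[i].name), calls[i].name);
        if (len < 0 || len >= DESC_LEN) continue;
        if (writes) len += snprintf(d + len, DESC_LEN - len, "; write x%d", writes);
        if (reads && len < DESC_LEN) len += snprintf(d + len, DESC_LEN - len, "; read x%d", reads);
        if (other && len < DESC_LEN) snprintf(d + len, DESC_LEN - len, "; other x%d", other);
    }
    return nbehaviors;
}

/* Constructed API sequence: a dropped file written in a loop, redundant GetTickCount calls
 * interleaved as noise, and the same handle value reused afterwards for a named pipe. */
static const api_call sample[] = {
    { "GetTickCount", 0x1234, 0,    0, NULL },               /* inserted noise, no dependency */
    { "CreateFile",   0x5C,   0,    2, "C:\\drop.exe" },     /* CREATE_ALWAYS */
    { "WriteFile",    1,      0x5C, 0, NULL },
    { "GetTickCount", 0x1240, 0,    0, NULL },
    { "WriteFile",    1,      0x5C, 0, NULL },
    { "WriteFile",    1,      0x5C, 0, NULL },
    { "CloseHandle",  1,      0x5C, 0, NULL },
    { "CreateFile",   0x5C,   0,    3, "\\\\.\\pipe\\ctl" }, /* OPEN_EXISTING, handle reused */
    { "ReadFile",     1,      0x5C, 0, NULL },
    { "ReadFile",     1,      0x5C, 0, NULL },
    { "CloseHandle",  1,      0x5C, 0, NULL },
};

static int run_demo(void) {
    return abstract_calls(sample, (int)(sizeof sample / sizeof sample[0]));
}

int main(void) {
    int n = run_demo();
    for (int i = 0; i < n; i++) printf("behavior: %s\n", behaviors[i]);
    return 0;
}
```

Eleven calls collapse to two abstract behaviors, the three WriteFile calls are merged into one count, the noise calls disappear because nothing depends on them, and the reused handle value is attributed to the pipe rather than to the dropped file.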
2g). Multi-process monitoring: the multi-process monitoring function of the Qemu monitor unit monitors the child processes created by the host process and the behavior of the processes the host process injects into. Automatically identifying and adding new target processes that need monitoring while the host process is running is the difficult point of multi-process monitoring. Because the sandbox monitoring module is built around capturing API calls, multi-process monitoring is likewise implemented from the API perspective.
The first step of multi-process monitoring is to obtain the name of the process to be monitored and, when the operating system initializes the process, use the process name as the clue to find the value of the page directory base that the operating system assigns to that process. The behavior of creating a child process is handled by monitoring the core API NtCreateProcess. The pre-callback function corresponding to NtCreateProcess is modified to extract the name of the created process from the call parameters, find the value of that process's page directory base by the run-time memory analysis method introduced above, and pass it to the API call management framework, thereby extending monitoring to the child process. In the second step, the process identification function of the Qemu monitor unit maintains a list of sensitive page directory base values; before each translation block is executed, the value stored in the virtual CR3 register is compared against this list, and as soon as the virtual CR3 register is switched to any one of the sensitive page directory base values, the API monitoring function of the Qemu monitor unit starts working.
Monitoring of process injection behavior is mainly divided into two steps, identifying the injection behavior and extracting the name of the process that is injected into; both involve analyzing the dependences between several APIs at run time. Because process injection usually starts by enumerating processes, and every enumerated process is a potential injection target, the process identification function maintains a global process injection event template. When EnumProcess, Process32First, Process32Next or other process enumeration APIs are observed being called, a process injection event template is filled in for each process found, recording its process name, process ID and process handle. The core APIs that implement process injection are OpenProcess, VirtualAllocEx and WriteProcessMemory. The pre-callback functions corresponding to these APIs are modified so that, when one of them is called, the corresponding process injection event template is located from the call parameters and updated, until WriteProcessMemory is called successfully, which indicates that a process injection event has occurred. At that point the name of the injected process is read from the template, the page directory base of that process is found and passed to the process identification function, and the injected process is thereby added as a monitoring target. The API call management framework then automatically analyzes the behavior initiated by the injected process.
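The injection monitoring just described, together with the sensitive page directory base list of the preceding paragraph, as an added Python example that is not the patent's code: enumeration calls fill templates, OpenProcess indexes a template by the returned handle, VirtualAllocEx and WriteProcessMemory update it, and the first successful write registers an injection event and adds the target's page directory base to the monitored set. The trace, the decoded PROCESSENTRY32 fields in the enumeration records and the pid-to-CR3 table are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class InjectionTemplate:
    """One entry of the global process injection event template."""
    name: str
    pid: int
    handle: str = ""        # filled in by OpenProcess
    remote_buf: str = ""    # filled in by VirtualAllocEx
    injected: bool = False  # set once WriteProcessMemory succeeds


# Stand-in for the page directory base lookup the Qemu monitor performs in guest
# kernel memory: a constructed pid -> CR3 table (assumption for this example).
PAGE_DIR_BASE = {1020: "0x03c00000", 1188: "0x0a140000", 1320: "0x10320000"}

ENUM_APIS = {"EnumProcess", "Process32First", "Process32Next"}


class InjectionMonitor:
    def __init__(self, host_cr3):
        self.templates = {}        # pid -> InjectionTemplate
        self.by_handle = {}        # process handle -> pid
        self.watched = {host_cr3}  # sensitive page directory base values
        self.events = []           # (target name, pid, remote buffer, written address)

    def should_monitor(self, cr3):
        """Checked before each translation block: collect behavior only while
        the virtual CR3 holds a sensitive page directory base."""
        return cr3 in self.watched

    def on_call(self, name, args, ret):
        """Pre-callback stand-in: args and ret are the decoded call as text."""
        if name in ENUM_APIS:
            # Constructed convention: args are the decoded PROCESSENTRY32 fields
            # (szExeFile, th32ProcessID); every enumerated process is a
            # potential injection target, so a template is filled in for it.
            exe, pid = args[0], int(args[1])
            self.templates.setdefault(pid, InjectionTemplate(exe, pid))
        elif name == "OpenProcess" and ret != "0x0":
            pid = int(args[-1])               # dwProcessId is the last parameter
            tmpl = self.templates.setdefault(pid, InjectionTemplate(f"pid{pid}", pid))
            tmpl.handle = ret
            self.by_handle[ret] = pid         # index the template by its handle
        elif name == "VirtualAllocEx" and ret != "0x0":
            pid = self.by_handle.get(args[0])
            if pid is not None:
                self.templates[pid].remote_buf = ret
        elif name == "WriteProcessMemory" and ret == "1":
            pid = self.by_handle.get(args[0])
            if pid is None:
                return                        # handle never opened in this trace
            tmpl = self.templates[pid]
            if not tmpl.injected:             # first successful write = injection event
                tmpl.injected = True
                cr3 = PAGE_DIR_BASE.get(pid)
                if cr3:
                    self.watched.add(cr3)     # injected process becomes a target
                self.events.append((tmpl.name, pid, tmpl.remote_buf, args[1]))
        elif name == "CloseHandle":
            self.by_handle.pop(args[0], None)


# Constructed trace of the host process (not a real capture): (name, args, ret)
HOST_TRACE = [
    ("CreateToolhelp32Snapshot", ("TH32CS_SNAPPROCESS", "0"), "0x58"),
    ("Process32First", ("explorer.exe", "1188"), "1"),
    ("Process32Next", ("svchost.exe", "1020"), "1"),
    ("Process32Next", ("notepad.exe", "1320"), "1"),
    ("OpenProcess", ("PROCESS_ALL_ACCESS", "0", "1188"), "0x7c"),
    ("VirtualAllocEx", ("0x7c", "0x0", "0x1000"), "0x00b20000"),
    ("WriteProcessMemory", ("0x7c", "0x00b20000", "0x1000"), "1"),
    ("WriteProcessMemory", ("0x7c", "0x00b21000", "0x200"), "1"),  # same target, one event
    ("OpenProcess", ("PROCESS_VM_READ", "0", "1320"), "0x84"),
    ("ReadProcessMemory", ("0x84", "0x00400000", "0x100"), "1"),   # read only, no event
    ("WriteProcessMemory", ("0x90", "0x00400000", "0x100"), "0"),  # failed, unknown handle
]


def run(trace, host_cr3="0x01a00000"):
    mon = InjectionMonitor(host_cr3)
    for name, args, ret in trace:
        mon.on_call(name, args, ret)
    return mon


if __name__ == "__main__":
    m = run(HOST_TRACE)
    for ev in m.events:
        print("injection into", ev)
    print("monitored page directory bases:", sorted(m.watched))
```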
Step 3: after the dynamic analysis of the rogue program sample ends, a series of reports is obtained; these reports are processed by the behavior abstraction module to obtain the sample's behavior.
With reference to the behavior abstraction schematic of Figure 5, the main steps of the behavior abstraction module are raw data cleaning, behavior abstraction and behavior storage. With reference to the behavior abstraction flow chart of Figure 6, each step of the behavior abstraction module is refined into several detailed rules, described below.
3a). Raw data cleaning: because the original API sequence contains some invalid or redundant API function call records, and to prevent these records from affecting the behavior abstraction step that follows, the original API sequence record file is cleaned in this step.
The API function calls that need cleaning fall into the following classes.
<i>. N consecutive API calls with the same API name and identical call parameters: only the first is kept and the following N-1 calls are removed.
Calling the same API function N consecutive times with the same parameters shows no additional behavior and would only add computational burden to the subsequent behavior abstraction.
<ii>. Invalid handle parameters.
The raw data cleaning logic maintains a global handle information table; any handle passed into a function should be one that an earlier function passed out as an out parameter or return value. If a function is found to use, as an in parameter, a handle that does not appear in the global handle information table, that function call is considered invalid.
<iii>. Use of an invalid handle value.
Some handle values represent invalid handles; using such a handle is meaningless, so the function call is considered invalid.
3b). Behavior abstraction: this step is the core of the whole behavior abstraction flow. The predefined behavior abstraction rules are first read from the database; then the cleaned API sequence record file is parsed according to these rules to obtain the behavioral information of the sample.
Because the captured API call records are stored as text, the behavior abstraction process reads and parses a text file. After the API sequence record file is opened, every API call record in the file is analyzed one by one; for each captured API function, one of the following situations may occur:
<i>. The function is irrelevant to behavior abstraction.
That is, the function is not a key function; in this case it normally performs no operation on core parts of the system, for example Sleep or GetSystemTime. Such functions can be skipped directly.
<ii>. The function can form an auxiliary behavior.
If the function is a key function and can form an auxiliary behavior, its parameters must be obtained and processed, for example by string conversion and concatenation, and the resulting auxiliary behavior is temporarily stored in the database.
<iii>. The function can form an abstract behavior.
If the function is a key function and can form an abstract behavior, its parameters must likewise be obtained and processed, for example by string conversion and concatenation, and the resulting abstract behavior is stored in the database. After the whole file has been parsed, these abstract behaviors are expanded into a decision vector according to predetermined extension rules.
3c). Behavior storage: to ease processing by the subsequent classification algorithm, the data produced during behavior abstraction, including the abstract behaviors and the decision vector, are stored in the database. During sample analysis, the behavior abstraction rules may also be modified to some degree for the actual samples, to suit the features of a specific sample class.
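The cleaning rules of step 3a and the abstraction cases of step 3b, carried through on one constructed API sequence file as an added Python example that is not the patent's code: consecutive identical calls are collapsed, handle parameters are checked against a global handle table and against known invalid values, auxiliary rules remember the object behind a handle, abstract rules emit behaviors, and an extension rule expands them into a decision vector. The record format, the per-API handle parameter table, the rule set, the vector layout and the sample file are assumptions of the example.

```python
# Constructed API sequence file (not a real capture). Assumed record format,
# one call per line:  name|in-arg,in-arg|return   (a handle that an API passes
# out through an out parameter is simplified here into the return field)
RAW = r"""
Sleep|1000|0
Sleep|1000|0
Sleep|1000|0
CreateFileW|C:\Temp\drop.exe,GENERIC_WRITE|0x44
WriteFile|0x44,4096|1
WriteFile|0x48,4096|1
CloseHandle|0x44|1
ReadFile|0xffffffff,16|0
RegOpenKeyExW|HKCU\Software\Microsoft\Windows\CurrentVersion\Run|0x9c
RegSetValueExW|0x9c,Updater,C:\Temp\drop.exe|0
RegCloseKey|0x9c|0
GetSystemTime|0x0012ff00|0
"""

# Which in parameters are handles, and which APIs pass a handle out (assumed).
HANDLE_PARAMS = {"WriteFile": (0,), "ReadFile": (0,), "CloseHandle": (0,),
                 "RegSetValueExW": (0,), "RegCloseKey": (0,)}
HANDLE_PRODUCERS = {"CreateFileW", "RegOpenKeyExW", "OpenProcess"}
INVALID_HANDLES = {"0x0", "0xffffffff"}   # NULL and INVALID_HANDLE_VALUE (32-bit)
CLOSERS = {"CloseHandle", "RegCloseKey"}


def parse(text):
    records = []
    for line in filter(str.strip, text.splitlines()):
        name, args, ret = line.split("|")
        records.append((name, tuple(args.split(",")), ret))
    return records


def clean(records):
    """Raw data cleaning: rule <i> (repeated identical calls), rule <ii> (handle
    never passed out by an earlier call) and rule <iii> (invalid handle value)."""
    kept, table, prev = [], set(), None
    for name, args, ret in records:
        if (name, args) == prev:                        # rule <i>: keep only the first
            continue
        prev = (name, args)
        handles = [args[i] for i in HANDLE_PARAMS.get(name, ()) if i < len(args)]
        if any(h in INVALID_HANDLES for h in handles):  # rule <iii>
            continue
        if any(h not in table for h in handles):        # rule <ii>: global handle table
            continue
        if name in HANDLE_PRODUCERS and ret not in INVALID_HANDLES:
            table.add(ret)
        if name in CLOSERS:
            table.discard(args[0])                      # a closed handle may be recycled
        kept.append((name, args, ret))
    return kept


def abstract(records):
    """Behavior abstraction over the cleaned sequence. The rules are constructed
    here (the patent reads them from a database): auxiliary rules remember the
    object behind a handle, abstract rules emit (behavior, target) pairs."""
    aux, behaviors = {}, []
    for name, args, ret in records:
        if name == "CreateFileW":          # auxiliary and abstract: path behind the handle
            aux[ret] = args[0]
            behaviors.append(("file.open", args[0]))
        elif name == "WriteFile":
            behaviors.append(("file.write", aux.get(args[0], "<unknown>")))
        elif name == "RegOpenKeyExW":      # auxiliary only: key path behind the handle
            aux[ret] = args[0]
        elif name == "RegSetValueExW":     # abstract: key path and value name, combined
            behaviors.append(("registry.set", aux.get(args[0], "<unknown>") + "\\" + args[1]))
        # Sleep, GetSystemTime, CloseHandle, ... are not key functions: skipped
    return behaviors


# Decision vector layout and extension rule (constructed for the example).
CATEGORIES = ["file.open", "file.write", "registry.set", "persistence.autorun", "network.connect"]


def to_decision_vector(behaviors):
    present = {kind for kind, _ in behaviors}
    # extension rule: a value written under a Run key implies autorun persistence
    if any(k == "registry.set" and "\\CurrentVersion\\Run\\" in t for k, t in behaviors):
        present.add("persistence.autorun")
    return [int(c in present) for c in CATEGORIES]


def process_file(text):
    cleaned = clean(parse(text))
    behaviors = abstract(cleaned)
    return cleaned, behaviors, to_decision_vector(behaviors)


if __name__ == "__main__":
    cleaned, behaviors, vector = process_file(RAW)
    print(len(cleaned), "calls kept;", behaviors, vector)
```

Of the twelve records, two Sleep repeats, the WriteFile on the never-opened handle 0x48 and the ReadFile on INVALID_HANDLE_VALUE are dropped before abstraction.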
Step 4: after behavior abstraction, the behavioral information of the sample is obtained and stored in a database; as the number of training samples grows, a large amount of sample behavioral information accumulates in the database. To judge whether a file submitted by a user is a rogue program, or which kind of rogue program it belongs to, a classification model must first be built. The system adopts the idea of ensemble learning, using the behavioral information of the training samples to build the classification model: multiple sub-classifiers are trained and vote on the classification result of the same sample, which improves classification accuracy in the multi-class case.
An ensemble learning algorithm has two key links: sub-classifier generation and classifier combination. Seen from the data the algorithm processes, the data collected by sandbox behavior monitoring and static analysis include API sequences, static file features, network packets and so on; these come from different data sources and are discrete, categorical data. Seen from the detection task, the classification algorithm must handle multi-class problems rather than simple binary classification. Considering these requirements together, the system selects the classic C4.5 decision tree algorithm as the sub-classifier algorithm.
The system uses the decision tree algorithm as the sub-classifier algorithm and the AdaBoost algorithm as the ensemble algorithm, strengthening the rogue program detection and classification result.
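As an added example that is not part of the patent, the following Python trains an AdaBoost ensemble (the SAMME multi-class variant) over constructed decision vectors of the kind behavior abstraction produces, with one-feature decision stumps standing in for the C4.5 sub-classifiers, and lets the weighted sub-classifiers vote on each sample's class. The feature layout, the nine labelled vectors and the class names are assumptions of the example.

```python
import math

# Decision vectors as produced by behavior abstraction (constructed examples,
# not the patent's data). Assumed feature order:
# [file.open, file.write, registry.set, persistence.autorun, network.connect]
SAMPLES = [
    ([1, 1, 0, 1, 0], "dropper"), ([1, 1, 1, 1, 0], "dropper"), ([0, 1, 0, 1, 0], "dropper"),
    ([0, 0, 1, 0, 1], "backdoor"), ([1, 0, 0, 0, 1], "backdoor"), ([0, 0, 1, 0, 1], "backdoor"),
    ([1, 0, 0, 0, 0], "benign"), ([0, 0, 0, 0, 0], "benign"), ([1, 1, 0, 0, 0], "benign"),
]


def fit_stump(X, y, w, classes):
    """Weighted one-feature sub-classifier: for each feature predict the
    weighted-majority class in each branch; keep the feature with the least
    weighted error (first one wins on ties)."""
    best = None
    for f in range(len(X[0])):
        counts = {0: dict.fromkeys(classes, 0.0), 1: dict.fromkeys(classes, 0.0)}
        for x, label, wi in zip(X, y, w):
            counts[x[f]][label] += wi
        leaf = {v: max(classes, key=lambda c: counts[v][c]) for v in (0, 1)}
        err = sum(wi for x, label, wi in zip(X, y, w) if leaf[x[f]] != label)
        if best is None or err < best[0]:
            best = (err, f, leaf)
    return best


def adaboost(X, y, rounds):
    """SAMME multi-class AdaBoost over stumps; returns [(alpha, feature, leaf)]."""
    classes = sorted(set(y))
    k = len(classes)
    w = [1.0 / len(X)] * len(X)
    ensemble = []
    for _ in range(rounds):
        err, f, leaf = fit_stump(X, y, w, classes)
        if err >= 1 - 1.0 / k:         # no better than guessing: stop boosting
            break
        err = max(err, 1e-12)          # guard against a perfect sub-classifier
        alpha = math.log((1 - err) / err) + math.log(k - 1)
        ensemble.append((alpha, f, leaf))
        # misclassified samples gain weight so the next stump concentrates on them
        w = [wi * (math.exp(alpha) if leaf[x[f]] != label else 1.0)
             for x, label, wi in zip(X, y, w)]
        total = sum(w)
        w = [wi / total for wi in w]
    return ensemble


def predict(ensemble, x):
    """Each sub-classifier votes for its class with weight alpha."""
    votes = {}
    for alpha, f, leaf in ensemble:
        votes[leaf[x[f]]] = votes.get(leaf[x[f]], 0.0) + alpha
    return max(votes, key=votes.get)


def train_and_score(samples, rounds=3):
    X = [x for x, _ in samples]
    y = [label for _, label in samples]
    model = adaboost(X, y, rounds)
    accuracy = sum(predict(model, x) == label for x, label in samples) / len(samples)
    return model, accuracy


if __name__ == "__main__":
    model, acc = train_and_score(SAMPLES)
    print("training accuracy:", acc)
    print("unseen sample ->", predict(model, [0, 1, 1, 0, 1]))
```

No single stump separates the three classes, but after three rounds the weighted vote classifies every training vector correctly.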
Step 5: the rogue program behavior report and the detection and classification result are output.
It should be understood that those of ordinary skill in the art can make improvements or modifications based on the above description, and all such improvements and modifications should fall within the protection scope of the claims of the present invention.

Claims (6)

1. A rogue program behavior automated analysis, detection and classification system, characterized in that it comprises the following modules:
(1). Static analysis module: before sandbox dynamic analysis is performed on a sample file, static analysis is performed on the structure of the executable file to obtain information about the sample; the static analysis report of the sample file is produced from this information, and the various reports produced later become the most original data source of the behavior abstraction module;
(2). Sandbox dispatching management module: manages each sandbox and the transmission of samples and data, and controls the flow of automated sample analysis; it controls the start-up and exit of each sandbox, implements message exchange and file transfer with each sandbox, and controls the execution of the sample and the simulation of the host environment;
(3). Sandbox monitoring module: its main target is to capture the API calls initiated by a specific process together with their parameters, while also extracting the modules loaded by that process and the relevant kernel data the operating system maintains for it; the present invention uses a software virtual machine based on the open-source simulator Qemu, modifying the core code of the instruction interpretation and execution part of its CPU simulation; this behavior monitoring technology based on an instruction set simulation environment can reconstruct, bottom-up and from the instruction level, kernel modules such as system calls and processes, thereby obtaining the behavior of the rogue program during dynamic execution, while the sandbox environment in which the rogue program executes is isolated from the host;
(4). Behavior abstraction module: after the sandbox monitoring module has completed the execution of the rogue program and the capture of its APIs, a report of the API functions used during the run of the sample program and their parameters is obtained; the behavior exhibited by the sample is abstracted from the API sequence;
(5). Detection and classification module: rogue program detection is a standard multi-class task; if it is necessary to judge further which kind of rogue program a sample belongs to, a classification model must first be built; the classification model is built using the idea of ensemble learning, which uses different strategies to divide a large problem into several smaller problems solved separately, or generates multiple learners to solve the same problem, and then synthesizes the output results of the different sub-classifiers through an integration strategy to obtain a single final output result;
The sandbox monitoring module comprises: a GuestOS unit serving as the virtual execution environment of the rogue program; and a Qemu monitor unit, a modified whole-system simulator Qemu; the GuestOS unit includes network packet monitoring, snapshot comparison and host event simulation functions, and the Qemu monitor unit includes process identification and multi-process monitoring, API monitoring, and API dependence analysis and redundant data filtering functions;
The Qemu monitor unit of the sandbox monitoring module has a higher privilege level than the GuestOS unit and is used to monitor the behavior of the target program; the Qemu monitor unit uses a software virtual machine based on the open-source simulator Qemu, but modifies the core code of the instruction interpretation and execution part of its CPU simulation to achieve the purpose of monitoring the host behavior of a specific process;
The method by which the Qemu monitor unit performs process identification is: before each translation block begins executing, the sandbox monitoring module uses the virtual memory read/write function, with the kernel processor control region as the clue, to find the start address of the executive process block structure of the process currently executing in the system; then it judges from the process name saved in the executive process block structure whether the currently executing process is the target process, and if so reads from that structure the page directory base value the operating system assigned to the process; afterwards it compares this page directory base value with the value stored in the virtual CR3 register to judge whether the monitored process is executing; behavioral data are collected only while the target process executes;
The multi-process monitoring function in the Qemu monitor unit monitors the child processes created by the host process and the behavior of the processes the host process injects into; the method by which the system performs multi-process monitoring is: in the first step, the name of the process to be monitored is obtained and, when the operating system initializes the process, the process name is used as the clue to find the value of the page directory base the operating system assigns to the process; the behavior of creating a child process is handled by monitoring the core API NtCreateProcess; the pre-callback function corresponding to NtCreateProcess is modified to extract the name of the created process from the call parameters, find the value of that process's page directory base by the process identification method of the Qemu monitor unit, and pass it to the API call management framework, thereby extending monitoring to the child process; in the second step, the process identification function in the Qemu monitor unit maintains a list of sensitive page directory base values, compares the value stored in the virtual CR3 register against it before each translation block executes, and when the virtual CR3 register is switched to any one of the sensitive page directory base values, the API monitoring function in the Qemu monitor unit starts working.
2. The rogue program behavior automated analysis, detection and classification system according to claim 1, characterized in that: the GuestOS unit is the environment in which the rogue program sample runs, with the Windows XP operating system selected as the GuestOS; the GuestOS unit is connected to the host by a virtual network, and the sandbox dispatching management module is responsible for the interaction.
3. The rogue program behavior automated analysis, detection and classification system according to any one of claims 1-2, characterized in that: the sandbox monitoring module uses a "three-step approach" to prevent a page fault from causing the analysis program to fail when the analyst extracts behavioral data from virtual memory; the detailed process is as follows: first, before reading, test whether a page fault would occur; if so, wait for the page to be brought into virtual memory; if the wait is unsuccessful, the analysis program forcibly reads the address that would fault, so that data not brought into the virtual memory address space within the waiting period trigger the guest operating system's page fault handling routine, which brings the missing page into virtual memory; then the read is attempted again;
In the sandbox monitoring module, the "three-step approach" is not applied to every read or write of virtual memory; the page fault avoidance strategy above is performed only where a page fault is most likely; on Windows, data read directly from the stack cannot cause a page fault, and string and structure parameters, which are normally small in data volume, do not trigger one either, so none of these needs the page fault test; a page fault is likely only when I/O processing or reads and writes of large buffers are involved.
4. The rogue program behavior automated analysis, detection and classification system according to claim 1, characterized in that the method by which the system monitors process injection behavior is:
In the first step, the injection behavior is identified: because process injection usually starts by enumerating processes, when EnumProcess, Process32First, Process32Next or other process enumeration APIs are observed being called, a process injection event template is filled in for each process found, recording its process name, process ID and process handle; the core APIs that implement process injection are OpenProcess, VirtualAllocEx and WriteProcessMemory; the pre-callback functions corresponding to these APIs are modified so that, when one of them is called, the corresponding process injection event template is located from the call parameters and updated, until WriteProcessMemory is called successfully, which indicates that a process injection event has occurred;
In the second step, the name of the injected process is extracted: the injected process name is read from the template, the page directory base of that process is found and passed to the process identification function, and the injected process is thereby added as a monitoring target; the API call management framework then automatically analyzes the behavior initiated by the injected process.
5. A rogue program behavior automated analysis, detection and classification method, characterized in that its steps are as follows:
Step (1): the static analysis module first performs static analysis on the structure of the executable sample file and obtains the static information of the executable sample file;
Step (2): after static analysis completes, the sample file enters the automated dynamic analysis process: the dynamic analysis of the sample file is managed automatically by the sandbox dispatching management module, which starts a sandbox and uploads the sample file to the GuestOS unit, where the sample is run; the sandbox monitoring module monitors the execution or loading of the sample and produces the API sequence report of the sample file; the network packet monitoring program captures the network packets produced in the GuestOS unit and produces the network packet report of the sample file; after the sample execution ends normally or by time-out, if the sample is a non-EXE file, snapshot comparison of the registry and file system is performed, producing the registry and file snapshot comparison report; the API sequence report and the network packet report of the sample file, together with the files generated during sample execution, are transferred to the sandbox dispatching management module; the API sequence report and the network packet report of the sample file are the raw data for behavior abstraction of one rogue program sample;
Step (3): after the dynamic analysis of the rogue program sample ends, the API sequence report and the network packet report of the sample file are obtained; these reports are processed by the behavior abstraction module to obtain the sample behavior;
Step (4): after behavior abstraction, the behavioral information of the sample is obtained and stored in a database; as training samples increase, a large amount of sample behavioral information is stored in the database; the idea of ensemble learning is adopted, using the behavioral information of the training samples to build a classification model, with multiple sub-classifiers trained to vote on the classification result of the same sample;
Step (5): the rogue program behavior report and the detection and classification result are output.
6. The rogue program behavior automated analysis, detection and classification method according to claim 5, characterized in that the main steps of behavior abstraction are:
(1) raw data cleaning;
(2) behavior abstraction;
(3) behavior storage;
The API function calls removed by raw data cleaning comprise the following classes:
(1) N consecutive API calls with the same API name and identical call parameters: only the first is kept and the following N-1 calls are removed;
(2) if a function is found to use, as an in parameter, a handle that does not appear in the global handle information table, the function call is considered invalid;
(3) some handle values represent invalid handles; using such a handle is meaningless, so the function call is considered invalid;
The behavior abstraction process analyzes every API call record in the file one by one; for each captured API function, one of the following situations may occur:
(1) the function is irrelevant to behavior abstraction:
that is, the function is not a key function and in this case performs no operation on core parts of the system; such functions are skipped directly;
(2) the function can form an auxiliary behavior:
if the function is a key function and can form an auxiliary behavior, its parameters must be obtained and processed, and the resulting auxiliary behavior is temporarily stored in the database;
(3) the function can form an abstract behavior:
if the function is a key function and can form an abstract behavior, its parameters must be obtained and processed, and the resulting abstract behavior is stored in the database; after the whole file has been parsed, these abstract behaviors are expanded into a decision vector according to predetermined extension rules.
CN201210408358.9A 2012-10-14 2012-10-14 Rogue program behavior automated analysis, detection and classification system and method Active CN102930210B (en)

Publications (2)

Publication Number Publication Date
CN102930210A CN102930210A (en) 2013-02-13
CN102930210B true CN102930210B (en) 2015-11-25


Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1495616B1 (en) * 2002-04-17 2010-05-05 Computer Associates Think, Inc. Detecting and countering malicious code in enterprise networks

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106960154A (en) * 2017-03-30 2017-07-18 兴华永恒(北京)科技有限责任公司 A kind of rogue program dynamic identifying method based on decision-tree model

Also Published As

Publication number Publication date
CN102930210A (en) 2013-02-13

Similar Documents

Publication Publication Date Title
CN102930210B (en) Rogue program behavior automated analysis, detection and classification system and method
Harang et al. SOREL-20M: A large scale benchmark dataset for malicious PE detection
US11481492B2 (en) Method and system for static behavior-predictive malware detection
US9417859B2 (en) Purity analysis using white list/black list analysis
JP6860070B2 (en) Analytical equipment, log analysis method and analysis program
CN103608765B (en) Virtual machine snapshotting and analysis
US20130067445A1 (en) Determination of Function Purity for Memoization
RU91213U1 (en) SYSTEM OF AUTOMATIC COMPOSITION OF DESCRIPTION AND CLUSTERING OF VARIOUS, INCLUDING AND MALIMENTAL OBJECTS
CN101923617A (en) Cloud-based sample database dynamic maintaining method
CN111931179A (en) Cloud malicious program detection system and method based on deep learning
CN113076538B (en) Method for extracting embedded privacy policy of mobile application APK file
CN112688966A (en) Webshell detection method, device, medium and equipment
An et al. An empirical study of crash-inducing commits in mozilla firefox
Vadrevu et al. Maxs: Scaling malware execution with sequential multi-hypothesis testing
CN102446167B (en) A kind of logic-based template is to the method and apparatus of complex characters string logical process
CN114626069A (en) Threat modeling method and device
CN103646213B (en) The sorting technique of a kind of malice software and device
CN111309589A (en) Code security scanning system and method based on code dynamic analysis
CN107885489A (en) A kind of method and system of quick detection real name registration data index
Sali et al. Ram forensics: The analysis and extraction of malicious processes from memory image using gui based memory forensic toolkit
CN113360397A (en) Regression testing method, device, equipment and storage medium of system function
Al-Sharif et al. Towards the memory forensics of oop execution behavior
CN105095047B (en) A kind of operating system monitoring method and device for extracting first floor system behavioural characteristic
CN115203057B (en) Low code test automation method, device, equipment and storage medium
de Silva et al. Anomaly Detection in Microservice Systems Using Autoencoders

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C53 Correction of patent for invention or patent application
CB02 Change of applicant information

Address after: 210008 No. 12, Yunnan Road, Nanjing, Jiangsu

Applicant after: JIANGSU JINLING SCI&TECH GROUP CO., LTD.

Address before: 210008 No. 12, Yunnan Road, Nanjing, Jiangsu

Applicant before: Jiangsu Jinling Technology Group Corp.

CB03 Change of inventor or designer information

Inventor after: Zou Yan

Inventor after: Liu Jiangang

Inventor after: Miao Qiguang

Inventor after: Song Jianfeng

Inventor after: Xie Guosheng

Inventor after: Cao Ying

Inventor after: Huang Youcheng

Inventor after: Liu Jiachen

Inventor after: Zheng Chunyang

Inventor before: Zou Yan

Inventor before: Liu Jiangang

Inventor before: Miao Qiguang

Inventor before: Cao Ying

Inventor before: Xie Guosheng

Inventor before: Huang Youcheng

Inventor before: Liu Jiachen

Inventor before: Zheng Chunyang

COR Change of bibliographic data

Free format text: CORRECT: APPLICANT; FROM: JIANGSU JINLING SCIENCE + TECHNOLOGY GROUP CORPORATION TO: JIANGSU JINLING SCIENCE + TECHNOLOGY GROUP CO., LTD.

Free format text: CORRECT: INVENTOR; FROM: ZOU YAN LIU JIANGANG MIAO QIGUANG CAO YING XIE GUOSHENG HUANG YOUCHENG LIUJIACHEN ZHENG CHUNYANG TO: ZOU YAN LIU JIANGANG MIAO QIGUANG SONG JIANFENG XIE GUOSHENG CAO YING HUANG YOUCHENG LIU JIACHEN ZHENG CHUNYANG

C14 Grant of patent or utility model
GR01 Patent grant