CN103294949A - Method and device for detecting Trojan horse program - Google Patents

Info

Publication number: CN103294949A
Authority: CN (China)
Application number: CN2012100508645A
Priority date / filing date: 2012-02-29
Publication date: 2013-09-11
Original language: Chinese (zh)
Inventor: 聂万泉
Original and current assignee: Alibaba Group Holding Ltd
Legal status: Pending at publication (status as listed by Google Patents, which has not performed a legal analysis; the Legal Events section records a later rejection after publication)

Abstract

The invention discloses a method and a device for detecting a Trojan horse program. The method comprises the following steps: obtaining a process of the system; detecting, based on the process, whether the process contains predetermined key feature information; and, when the process contains the predetermined key feature information, determining that the program corresponding to the process is a Trojan horse program.

Description

Method and device for detecting a Trojan horse program
Technical field
The present application relates to the field of network security technology, and in particular to a method and device for detecting a Trojan horse program.
Background art
With the continued progress and development of network technology, online shopping has been accepted and embraced by more and more users, who may be individuals or enterprises. The security of online transactions is therefore extremely important. At present many Trojan horse programs threaten online transaction security, for example phishing Trojans, which hijack the browser to tamper with transaction information and the transaction flow, or steal the user's account password and carry out illegal payments or transactions. To ensure transaction security, antivirus software is usually used to scan for and remove such Trojans.
Although the prior art described above can to some extent detect and remove Trojan horse programs, the malicious behaviour of a phishing Trojan is not obvious, and conventional antivirus software, which detects Trojans on the basis of system behaviour, has always had difficulty finding them. It can only remove Trojans that have already caused harm and cannot effectively remove unknown Trojans. The efficiency of Trojan detection is therefore low, and the harm to the system or the user is great.
Summary of the invention
The present application provides a method and apparatus for detecting a Trojan horse program, in order to solve the problems of the prior art that unknown Trojans cannot be detected and that Trojan detection is inefficient.
In one aspect, the present application provides a method for detecting a Trojan horse program, applied in a system, the method comprising: obtaining a process of the system; detecting, based on the process, whether the process contains predetermined key feature information; and, when the process contains the predetermined key feature information, determining that the program corresponding to the process is a Trojan horse program.
Preferably, after obtaining the process of the system, it is further judged whether the process is a trusted process, and if so, the process is added to a white list.
Preferably, judging whether the process is a trusted process specifically comprises: judging whether the process is signed, and if so, determining that the process is a trusted process.
Preferably, if the process is not signed, it is judged whether the parent process of the process is signed, and if so, the process is determined to be a trusted process.
Preferably, the predetermined key feature information is key code feature information.
Preferably, the predetermined key feature information is key data feature information.
Preferably, the predetermined key feature information is key address feature information.
Preferably, the predetermined key feature information comprises key code feature information, key data feature information and key address feature information, and detecting whether the process contains the predetermined key feature information specifically comprises: detecting whether the process contains the key code feature information, the key data feature information and the key address feature information.
Preferably, the predetermined key feature information comprises at least two items of sub-feature information, a first item of which has a first weight and a second item of which has a second weight.
The present application also provides a device for detecting a Trojan horse program, applied in a system, the device comprising: an acquiring unit for obtaining a process of the system; a detecting unit for detecting, based on the process, whether the process contains predetermined key feature information; and a determining unit for determining, when the process contains the predetermined key feature information, that the program corresponding to the process is a Trojan horse program.
The beneficial effects of the present application are as follows:
The embodiments of the present application start from the behaviour of a Trojan after it runs and detect the Trojan by analysing its run-time features: the processes running in the system are analysed to see whether a process contains the key feature information of a Trojan, and on that basis the program corresponding to the process is judged to be a Trojan horse program. This approach can detect new, unknown Trojans, so a Trojan can be dealt with before it harms the user, and the efficiency of Trojan detection is high.
Further, the embodiments of the present application determine whether a process is a trusted process by judging whether the process or its parent process is signed. If so, the process is added to a white list, indicating that it is a normal process, so that the next time the process is examined it can be skipped directly. This greatly saves detection time and improves detection efficiency.
In a further preferred embodiment, the key feature information may be key code feature information, key data feature information and/or key address feature information. These are derived by analysing the behaviour of a Trojan after it runs, and all of them are used when a Trojan hijacks the browser. Matching these features therefore determines whether the program corresponding to the process is a Trojan horse program, so the detection accuracy is high.
Brief description of the drawings
Fig. 1 is a flow chart of the method for detecting a Trojan horse program in an embodiment of the present application;
Fig. 2 is a functional block diagram of the device for detecting a Trojan horse program in an embodiment of the present application.
Detailed description of the embodiments
An embodiment of the present application provides a method for detecting a Trojan horse program, applied in a system that has process information; the system may be used in various electronic terminals such as a mobile phone, a tablet computer or a notebook computer.
To enable those skilled in the art to understand the present application in more detail, the present application is described in detail below with reference to the accompanying drawings.
As shown in Fig. 1, which is a flow chart of the method for detecting a Trojan horse program in an embodiment of the present application, the method of this embodiment comprises:
Step 110: obtaining a process of the system;
Step 112: detecting, based on the process, whether the process contains predetermined key feature information; and
Step 114: when the process contains the predetermined key feature information, determining that the program corresponding to the process is a Trojan horse program.
In step 110, a process of the system is obtained. Taking the common Windows operating system as an example, pressing the Ctrl, Alt and Delete keys simultaneously on the keyboard of the electronic terminal opens the Windows Task Manager, which has a Processes tab; clicking that tab lists the processes corresponding to the programs the system is running.
After step 110 and before step 112, it may first be judged whether the obtained process is a trusted process, for example by judging whether the process is signed. If the process is signed, it is a trusted process. If it is not signed, it is further judged whether the parent process of the process is signed; if it is, the process is a trusted process. A trusted process is added to a white list, so that the next time the process is examined it is only necessary to check whether it is in the white list to decide whether it needs to be detected at all, and if not it is skipped directly. This is convenient and fast, greatly saves detection time and improves detection efficiency. In other embodiments, whether a process is trusted may be judged by other means, and the present application is not limited in this respect.
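As an added illustration, not code from the patent, the trust check and white list described above can be modelled as follows in Python. The process table, image paths, signer names and signed/unsigned flags are constructed sample data; in a real scanner the table would come from a process-enumeration API rather than from Task Manager, and the signed flag from a code-signature check of the image file. The block also adds a stricter variant of the rule, as a caveat the page does not make: a signature on the parent says nothing about an unsigned child, because a signed shell or browser launches whatever the user downloads and runs, so a practitioner would require the process's own signature from an allow-listed signer.

```python
"""Trusted-process triage with a white list (added illustration of the
white-list step between steps 110 and 112; not the patent's own code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str               # image path (assumed field)
    signed: bool             # assumed: result of an earlier code-signature check on `image`
    signer: Optional[str]    # assumed: subject of the signing certificate, if any


Rule = Callable[[Proc, Dict[int, Proc]], bool]


def is_trusted(proc: Proc, table: Dict[int, Proc]) -> bool:
    """The page's rule: a signed process is trusted; an unsigned process is
    trusted if its parent process is signed."""
    if proc.signed:
        return True
    parent = table.get(proc.ppid)
    return parent is not None and parent.signed


# Assumed allow list of acceptable signers for the stricter variant below.
TRUSTED_SIGNERS = {"Microsoft Windows", "Example Browser Vendor"}


def is_trusted_strict(proc: Proc, table: Dict[int, Proc]) -> bool:
    """Stricter variant (an added caveat, not the page's rule): trust only the
    process's own signature, and only from an allow-listed signer. A signed
    parent proves nothing about an unsigned child."""
    return proc.signed and proc.signer in TRUSTED_SIGNERS


def triage(table: Dict[int, Proc], whitelist: Set[str], rule: Rule = is_trusted) -> List[int]:
    """Return the pids that still need the key-feature scan of step 112.
    Trusted processes are added to `whitelist` and skipped directly on later
    runs. The list is keyed by image path rather than pid because pids are
    reused; a production scanner would key it by image hash."""
    to_scan: List[int] = []
    for proc in sorted(table.values(), key=lambda p: p.pid):
        if proc.image in whitelist:
            continue                     # known good from an earlier run: skip
        if rule(proc, table):
            whitelist.add(proc.image)
            continue
        to_scan.append(proc.pid)
    return to_scan


# Constructed sample process table (not real data).
SAMPLE_TABLE: Dict[int, Proc] = {
    4:    Proc(4,    0,    r"C:\Windows\explorer.exe",              True,  "Microsoft Windows"),
    1200: Proc(1200, 4,    r"C:\Program Files\Browser\browser.exe", True,  "Example Browser Vendor"),
    1300: Proc(1300, 4,    r"C:\Users\u\Downloads\A.exe",           False, None),
    1400: Proc(1400, 1300, r"C:\Users\u\AppData\Local\Temp\B.exe",  False, None),
}


if __name__ == "__main__":
    wl: Set[str] = set()
    print("page rule, run 1:", triage(SAMPLE_TABLE, wl))   # [1400]: A.exe trusted via its signed parent
    print("page rule, run 2:", triage(SAMPLE_TABLE, wl))   # [1400]: white-list hits are skipped
    print("strict rule:     ", triage(SAMPLE_TABLE, set(), is_trusted_strict))  # [1300, 1400]
```

Under the page's rule only B.exe reaches the feature scan, because A.exe inherits trust from explorer.exe; under the stricter rule both unsigned processes are scanned. The difference is exactly the gap a downloaded phishing Trojan launched from the desktop would slip through.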
In step 112, the predetermined key feature information is obtained by analysing the behaviour of a Trojan horse program after it runs, that is, its run-time features. Because a phishing Trojan has no distinctive system-behaviour feature and instead operates on the browser, there are key code features, key data features and the like for the various kinds of browser hijacking. In this embodiment it is therefore sufficient to detect whether a process contains this key feature information in order to judge whether the program corresponding to the process is a Trojan horse program. The accuracy and efficiency of Trojan detection are therefore high.
In detail, when the process is judged to be an untrusted process, or when that judgement step is skipped, that is, as soon as the process has been obtained, the memory of the process is dumped in full, and the process and each memory node are decoded, for example converted from binary to decimal or from binary to hexadecimal. Further, in this embodiment the predetermined key feature information may be key code feature information, key data feature information or key address feature information, or of course any combination of the three. For example, the memory-mapped region is then checked for the key code feature information, the private memory region for the key data feature information, and the run-time memory region for the key address feature information. There is no required order for detecting the three kinds of feature information, and any one, any two or all three of them may be detected.
Key code feature information is, for example, a function call sequence in the program code of the process. For example, a suspicious program A.exe, after starting, has a sequence of calls into a certain browser: it first calls FindWindow (with the title of the browser) and then calls SendMessage (OBJECTRESULT) to obtain the IE instance in the browser. This is a suspicious call sequence and can therefore serve as key code feature information. Key data feature information is, for example, a static string contained in the program code of the process: for example, the suspicious program A.exe contains at run time the form data of a certain bank or of a certain payment company; these data are embedded in the program as static information and can serve as key data feature information. Key address feature information is, for example, a distinctive URL contained in the program code of the process: for example, the suspicious program A.exe contains the interface address of a certain payment enterprise, xxxx.com/gateway.do, or the online-banking payment interface of a certain state bank, xxxx.com/pay.do; such URLs can all serve as key address feature information.
Further, each item of key feature information also contains sub-feature information. For example, the key code feature information contains first sub key code feature information, FindWindow(title) -> SendMessage(objectresult), and second sub key code feature information, SendMessage(objectresult) -> Getinstance(window). The first sub key code feature information has a first weight, for example 10, and the second has a second weight, for example 5; the first and second weights can be set by those skilled in the art according to actual needs.
When a process matches the first sub key code feature information, that sub-feature contributes a weight of 10 to the judgement, while the second sub key code feature information contributes a weight of 5. If judging the program corresponding to the process to be a Trojan horse program requires only a weight of 10, the program can be judged to be a Trojan on the basis of the first sub key code feature information alone, whereas the second sub key code feature information cannot decide the result on its own and must be combined with other matched key feature information to judge further whether the program is a Trojan horse program.
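The feature matching and weighting of steps 112 and 114, as an added example that is not the patent's own code. The three memory regions are constructed byte strings standing in for a dumped process; the call-sequence matcher looks for the API names in order within the mapped region, which is a simplification (a real scanner would resolve call targets from the disassembly or import table rather than matching names as strings). The weights 10 and 5 for the two code sub-features are the page's; the data and address weights, the threshold of 10, the form field names and the second, benign process are assumed.

```python
"""Weighted key-feature scan over a dumped process memory (added illustration
of steps 112 and 114; not the patent's own code)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple

Dump = Dict[str, bytes]   # region name -> raw bytes: "mapped", "private", "runtime"


@dataclass(frozen=True)
class Feature:
    name: str
    region: str                        # memory region the page says to check
    weight: int
    matcher: Callable[[bytes], bool]


def call_sequence(*apis: bytes) -> Callable[[bytes], bool]:
    """Key code feature: the API names occur in this order in the region.
    Assumed simplification: names are matched as strings, not resolved calls."""
    def match(region: bytes) -> bool:
        pos = 0
        for api in apis:
            idx = region.find(api, pos)
            if idx < 0:
                return False
            pos = idx + len(api)
        return True
    return match


def static_strings(*needles: bytes) -> Callable[[bytes], bool]:
    """Key data feature: every listed static string is present."""
    return lambda region: all(n in region for n in needles)


def url_pattern(pattern: bytes) -> Callable[[bytes], bool]:
    """Key address feature: a distinctive URL matches."""
    rx = re.compile(pattern)
    return lambda region: rx.search(region) is not None


# Feature set built from the page's examples. Weights 10 and 5 for the two
# code sub-features are the page's; the other weights and THRESHOLD are assumed.
FEATURES: List[Feature] = [
    Feature("code#1 FindWindow->SendMessage", "mapped", 10,
            call_sequence(b"FindWindow", b"SendMessage")),
    Feature("code#2 SendMessage->GetInstance", "mapped", 5,
            call_sequence(b"SendMessage", b"GetInstance")),
    Feature("data bank form fields", "private", 5,
            static_strings(b"cardNo=", b"cardPwd=")),      # constructed field names
    Feature("addr payment gateway", "runtime", 5,
            url_pattern(rb"xxxx\.com/(gateway|pay)\.do")),
]
THRESHOLD = 10


def scan(dump: Dump, features: Sequence[Feature] = FEATURES) -> Tuple[int, List[str]]:
    """Return the total weight and the names of the matched features. The page
    says the three kinds of check have no required order, so list order is used."""
    total, matched = 0, []
    for f in features:
        if f.matcher(dump.get(f.region, b"")):
            total += f.weight
            matched.append(f.name)
    return total, matched


def is_trojan(dump: Dump) -> bool:
    """Step 114: the program is judged a Trojan once the weight reaches THRESHOLD."""
    return scan(dump)[0] >= THRESHOLD


# Constructed memory dumps (not real captures).
A_EXE: Dump = {
    "mapped":  b"\x00IMPORTS:user32!FindWindowA\x00user32!SendMessageA\x00",
    "private": b"POST /pay\x00cardNo=\x00cardPwd=\x00",
    "runtime": b"http://xxxx.com/gateway.do\x00",
}
HELPER_EXE: Dump = {   # a benign automation helper: only the weaker code feature
    "mapped":  b"user32!SendMessageA\x00helper!GetInstance\x00",
    "private": b"",
    "runtime": b"https://vendor.example/update\x00",
}

if __name__ == "__main__":
    print("A.exe     ", scan(A_EXE), is_trojan(A_EXE))            # (20, [...]) True
    print("helper.exe", scan(HELPER_EXE), is_trojan(HELPER_EXE))  # (5, [...]) False
```

A.exe matches the first code sub-feature, the bank form strings and the payment URL for a score of 20 and is flagged; the constructed helper matches only the weaker second code sub-feature, scores 5 and is not. That is the point of the weighting: FindWindow and SendMessage sequences are also used by legitimate accessibility and automation tools, so a single weak match must not decide the result on its own.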
Another embodiment of the present application also provides a device for detecting a Trojan horse program, applied in a system that has process information; the system may be used in various electronic terminals such as a mobile phone, a tablet computer or a notebook computer. The device can also be used to implement the method of the previous embodiment and Fig. 1. Referring to Fig. 2, the device comprises:
an acquiring unit 201 for obtaining a process of the system;
a detecting unit 202 for detecting, based on the process, whether the process contains predetermined key feature information; and
a determining unit 203 for determining, when the process contains the predetermined key feature information, that the program corresponding to the process is a Trojan horse program.
Having read the operating procedure of the method for detecting a Trojan horse program described above, how each unit of the device of Fig. 2 is implemented becomes perfectly clear; for conciseness of the specification, the functions of the units are therefore not described in detail here.
One or more of the embodiments of the present application described above can achieve at least the following technical effects:
The embodiments of the present application start from the behaviour of a Trojan after it runs and detect the Trojan by analysing its run-time features: the processes running in the system are analysed to see whether a process contains the key feature information of a Trojan, and on that basis the program corresponding to the process is judged to be a Trojan horse program. This approach can detect new, unknown Trojans, so a Trojan can be dealt with before it harms the user, and the efficiency of Trojan detection is high.
Further, the embodiments of the present application determine whether a process is a trusted process by judging whether the process or its parent process is signed. If so, the process is added to a white list, indicating that it is a normal process, so that the next time the process is examined it can be skipped directly. This greatly saves detection time and improves detection efficiency.
In a further preferred embodiment, the key feature information may be key code feature information, key data feature information and/or key address feature information. These are derived by analysing the behaviour of a Trojan after it runs, and all of them are used when a Trojan hijacks the browser. Matching these features therefore determines whether the program corresponding to the process is a Trojan horse program, so the detection accuracy is high.
Obviously, those skilled in the art can make various changes and modifications to the present application without departing from its spirit and scope. If these modifications and variations fall within the scope of the claims of the present application and their equivalents, the present application is intended to include them as well.

Claims (10)

1. A method for detecting a Trojan horse program, applied in a system, characterized in that the method comprises:
obtaining a process of the system;
detecting, based on the process, whether the process contains predetermined key feature information; and
when the process contains the predetermined key feature information, determining that the program corresponding to the process is a Trojan horse program.
2. The method of claim 1, characterized in that, after obtaining the process of the system, it is further judged whether the process is a trusted process, and if so, the process is added to a white list.
3. The method of claim 2, characterized in that judging whether the process is a trusted process specifically comprises: judging whether the process is signed, and if so, determining that the process is a trusted process.
4. The method of claim 3, characterized in that, if the process is not signed, it is judged whether the parent process of the process is signed, and if so, the process is determined to be a trusted process.
5. The method of claim 1, characterized in that the predetermined key feature information is key code feature information.
6. The method of claim 1, characterized in that the predetermined key feature information is key data feature information.
7. The method of claim 1, characterized in that the predetermined key feature information is key address feature information.
8. The method of claim 1, characterized in that the predetermined key feature information comprises key code feature information, key data feature information and key address feature information, and detecting whether the process contains the predetermined key feature information specifically comprises: detecting whether the process contains the key code feature information, the key data feature information and the key address feature information.
9. The method of claim 1, characterized in that the predetermined key feature information comprises at least two items of sub-feature information, a first item of which has a first weight and a second item of which has a second weight.
10. A device for detecting a Trojan horse program, applied in a system, characterized in that the device comprises:
an acquiring unit for obtaining a process of the system;
a detecting unit for detecting, based on the process, whether the process contains predetermined key feature information; and
a determining unit for determining, when the process contains the predetermined key feature information, that the program corresponding to the process is a Trojan horse program.

Priority application: CN2012100508645A, priority date 2012-02-29, filing date 2012-02-29, "Method and device for detecting Trojan horse program"

Publication: CN103294949A, published 2013-09-11

Family ID: 49095791 (single family application CN2012100508645A, status Pending; country status CN, CN103294949A)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104378361A * 2014-10-24 2015-02-25 苏州阔地网络科技有限公司 Network intrusion detection method and system
CN108363921A * 2017-07-05 2018-08-03 北京安天网络安全技术有限公司 Method and system for discovering information-stealing Trojans based on process behaviour features
CN108829829A * 2018-06-15 2018-11-16 深信服科技股份有限公司 Method, system, device and storage medium for detecting cryptocurrency mining programs

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101059829A * 2007-05-16 2007-10-24 珠海金山软件股份有限公司 Device and method for automatically analysing the risk level of a process
CN101281571A * 2008-04-22 2008-10-08 白杰 Method for defending against unknown virus programs
CN101594248A * 2008-05-27 2009-12-02 奇智软件技术(北京)有限公司 Remote assistance method, system and server for information security and system maintenance
EP2128798A1 * 2008-05-27 2009-12-02 Deutsche Telekom AG Unknown malcode detection using classifiers with optimal training sets
CN201477598U * 2009-09-01 2010-05-19 北京鼎普科技股份有限公司 Terminal Trojan monitoring device

Legal Events

Code Title / Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
REG Reference to a national code (country: HK; legal event code: DE; document number: 1184877)
RJ01 Rejection of invention patent application after publication (application publication date: 2013-09-11)
REG Reference to a national code (country: HK; legal event code: WD; document number: 1184877)