CN103428212A - Malicious code detection and defense method - Google Patents


Info

Publication number
CN103428212A
CN103428212A
Authority
CN
China
Prior art keywords
program
malicious code
defence
network
response
Prior art date
Legal status
Pending
Application number
CN2013103433429A
Other languages
Chinese (zh)
Inventor
陈厅
张小松
陈瑞东
牛伟纳
王东
廖军
张凡
张蕾
Current Assignee
University of Electronic Science and Technology of China
Original Assignee
University of Electronic Science and Technology of China
Priority date
Filing date
Publication date
Application filed by University of Electronic Science and Technology of China
Priority to CN2013103433429A
Publication of CN103428212A
Legal status: Pending

Landscapes

  • Storage Device Security (AREA)

Abstract

Unlike other malicious code detection and defense methods, this malicious code detection and defense method builds its detection and defense system on a centerless, P2P (peer-to-peer) network. An unknown program is not stopped from running; it is monitored during its subsequent execution, and the large volume of monitoring data is processed into policies. These policies resemble conditioned reflexes: they tell the defense part how to handle a given program. The response part tells the defense part what to do for a program, and the main actions are terminating malicious processes, terminating network connections, recovering damaged registry keys, recovering damaged files, preventing kernel modules from being loaded or modified, restoring services and restoring tampered kernel information. The advantages of the method are autonomous updating, rapid response, transparency to both the user and the program, and the absence of after-effects.

Description

A method for malicious code detection and defense
Technical field
The present invention is a method for malicious code detection and defense. It differs from other malicious code detection and defense methods in that it uses a P2P network with no central node to build the malicious code detection and defense system.
Background technology
Traditional malicious code is divided into viruses, worms, Trojan horses and so on, but with the rise of e-commerce and other activities that depend on computers, the boundaries between viruses, worms and Trojans are no longer clear. Most malicious code is produced for profit and is built to steal accounts, money and goods of every kind. Malicious code detection is generally divided into static detection and dynamic detection according to whether the code is executed. Static detection includes checksum comparison, signature string inspection, heuristic scanning, logic analysis and network sniffing; dynamic detection includes integrity checking, system call tracing, code emulation and sandboxing. Typical security software adopts several of these malicious code detection techniques, but each has defects to some degree. To cope with continuously emerging malicious code, security software must frequently update and upgrade its virus database, and all of these updates must be provided by a server.
Summary of the invention
The object of the invention is a method of malicious code detection and defense that needs no central node.
The invention achieves this object by the following technical solution:
A method for malicious code detection and defense, characterized by the following steps:
Step 1, detection: an unknown program is not stopped from running; it is monitored during its subsequent execution, and information about it is exchanged with the other clients in the network. Once malicious behavior of a program is found, the other clients in the network are notified;
Step 2, response: the response part is the data processing stage; the large volume of data obtained by the detection part is processed in the response part to obtain defense policies;
Step 3, defense: handle the malicious code and the effects it brings. The response part tells the defense part which actions to take for a given program; the main actions are the following:
1. terminate the malicious process;
2. terminate network connections;
3. recover destroyed registry keys;
4. recover destroyed files;
5. prevent kernel modules from being loaded or modified, restore services, and restore tampered kernel information.
In the above technical solution, the data obtained by the detection part is divided into two classes:
One, the behavior the program performs: including access to files, access to the registry and use of the network;
Two, abnormalities of the operating system or applications after the program runs: including the file manager, the process manager, system components and installed applications no longer working normally.
In the above technical solution, from the behaviors performed by the program and the effects of those behaviors, namely the series of behaviors that cause an abnormality and the abnormality of the operating system or applications after the program runs, the defense part is notified to undo the modifications these behaviors made to files and the registry. This forms a series of response policies; these policies resemble conditioned reflexes and tell the defense part how to handle a given program. The response part is a distributed response network composed of multiple hosts, which are connected to each other via the network and share the data they obtain.
The present invention has the following beneficial effects:
One, autonomous update: no server connection is needed to update a virus database or policy database; the response part can formulate new policies on its own from the data it obtains;
Two, fast reaction: once malicious code is found on one client in the P2P network, the information can be rapidly shared with the other clients;
Three, transparent to the user: no operation requires the user's participation; the response part handles everything automatically;
Four, transparent to the program: an unknown program is allowed to execute, and the client lets it keep running until it is determined to be malicious code;
Five, no after-effects: after malicious code is found, the files, registry entries and so on that it modified are restored, so removing the malicious code leaves no effect on the operating system or applications.
The accompanying drawing explanation
Fig. 1 is the P2P network formed by multiple hosts in the present invention.
Embodiment
The system provided by the invention comprises three parts: detection, response and defense.
(1) Detection
Detection is a key part of the invention; it is like the cameras in a shopping mall. Detection is accomplished by placing monitoring points, which are set at the following locations:
1. process creation and termination, remote thread creation, memory read/write, and loading of dynamic link libraries;
2. network port listening, data sending and receiving, and the protocol interfaces such as HTTP provided by the operating system;
3. addition, deletion and modification of registry keys, and the files that registry keys refer to;
4. deletion and modification of operating system files; creation, copying, moving and deletion of files under system directories; and installation, copying, moving and deletion of applications;
5. loading and modification of kernel modules; creation, startup and modification of services; and modification of SPI, BHO, SSDT and the like.
Detection is the data collection stage; through detection, all kinds of data about the operating system and applications can be collected.
(2) Response
Response is the data processing stage; the large volume of data obtained by detection must be processed to obtain defense policies. The response part is analogous to a person's nerve center, the detection part to receptors, and the defense part to effectors. The response part is implemented with intelligent algorithms that are trained on the collected data to produce a series of policies. These policies resemble conditioned reflexes and tell the defense part how to handle a given program. The response part is a distributed response network composed of multiple hosts, which are connected to each other via the network and share the data they obtain.
(3) Defense
The defense part mainly handles malicious code and the effects it brings. The response part tells the defense part what to do for a given program. The main actions are the following:
1. terminate the malicious process;
2. terminate network connections;
3. recover destroyed registry keys;
4. recover destroyed files;
5. prevent kernel modules from being loaded or modified, restore services, and restore tampered kernel information.
The work of the defense part is of great importance to the whole system; it gives the whole system the ability to heal itself.
In a system composed of multiple computers, once unknown code enters the network, the detection part begins to monitor and record it, but the system does not stop the unknown code from executing, so all programs can be used normally. If the code is confirmed to be malicious, every computer in the system becomes immune to it. If a computer is damaged by the malicious code, the defense part can recover the destroyed files, data and so on. Some malicious code does not damage the host operating system but steals private data; in that case the invention can stop the malicious code from stealing private data.
As shown in Fig. 1, in a network composed of many computers such as A, B, C, D and E, a client program is installed on each computer, and the clients located on these different computers together form a malicious code detection and defense system. This P2P-based malicious code detection and defense method is characterized by the following parts:
One, functional module part
The client comprises the following functional modules:
Process module: monitors process creation and termination, remote thread creation, memory read/write, and loading of dynamic link libraries.
Network module: monitors network port listening, data sending and receiving, and the protocol interfaces such as HTTP provided by the operating system;
Registry module: monitors addition, deletion and modification of registry keys, and the files that registry keys refer to;
File module: monitors deletion and modification of operating system files; creation, copying, moving and deletion of files under system directories; and installation, copying, moving and deletion of applications;
Kernel module: monitors loading and modification of kernel modules; creation, startup and modification of services; and modification of SPI, BHO, SSDT and the like.
P2P module: establishes communication channels between clients and provides communication support for the response part.
Two, detection part
1. An unknown program is not stopped from running; it is monitored during its subsequent execution, and information about it is exchanged with the other clients in the network, so the user can use programs that lack a digital signature normally.
2. Once malicious behavior of a program is found, the other clients in the network are notified. If the program is also running on other computers, it is added to a blacklist, and it is stopped once it has been determined to be malicious code.
Three, response and recovery part
1. The client programs in the network share the data they obtain and, by analyzing these data, judge the type of an unknown program. An unknown program can be classified into the following types:
A) A legitimate program, containing no malicious code; such programs are added to a whitelist, and monitoring of them can be relaxed.
B) A program that may or may not contain malicious code; such a program may trigger malicious behavior under specific conditions and must be monitored, but its execution should not be stopped.
C) A fully malicious program; such a program has been determined to be a Trojan, virus or the like and contains no function the user needs, so its execution is forbidden.
1. Suppose an unknown program is running on computer A in Fig. 1. By exchanging information with B, A finds that B has already determined the program to be a Trojan, so A stops the program. If B is also uncertain of the program's type, A and the other computers judge its type from the shared information; if the type cannot be determined for the time being, the program is classified as one that may or may not contain malicious code.
2. Some programs may destroy system or user files; by analyzing the logs of these programs, the destroyed files can be restored. Suppose an unknown program A on computer A in Fig. 1 has deleted several important programs under the system directory; when the client on computer A later finds that A is not a legitimate program, it restores the files A deleted. These files can be recovered from a local backup or from other computers.
3. Some programs may damage the registry; by analyzing the logs of these programs, the damaged registry keys can be restored. Suppose an unknown program A on computer A in Fig. 1 has deleted or modified several items in the registry; after the client on computer A finds that A is not a legitimate program, it restores the registry keys A deleted.
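The detection, response and recovery behaviour described above (the two classes of detection data, the A/B/C classification reached by exchanging verdicts between peers, and the restoration of deleted files and registry keys from a local backup or another computer) can be traced through in a small simulation. The following Python is an added illustration written for this page, not code from the patent or its applicant: the peer names A to E, the sensitive paths, the registry key and every event are constructed, and the rule that one peer's malicious verdict is enough while a legitimate verdict needs all peers to agree is an assumption made here to reflect the text.

```python
"""Added illustration, not code from the patent: a small simulation of the
detection / response / defense loop it describes. Peer names A-E, file paths,
registry keys and events below are constructed for this example."""
from collections import Counter
from dataclasses import dataclass, field

LEGIT, UNDETERMINED, MALICIOUS = "A", "B", "C"   # program types A), B), C)
SYSTEM_DIR = "C:/Windows/System32/"               # constructed sensitive path
RUN_KEY = "HKLM/Software/Microsoft/Windows/CurrentVersion/Run/"
SENSITIVE = (SYSTEM_DIR, RUN_KEY)
DESTRUCTIVE = {"delete_file", "modify_file", "modify_registry", "delete_registry"}

@dataclass
class Event:
    """One record from a monitoring point (class one of the detection data)."""
    program: str
    action: str            # e.g. "read_file", "delete_file", "modify_registry"
    target: str
    new: object = None     # value written by the program, if any
    before: object = None  # prior value, captured so the defense part can undo

@dataclass
class Peer:
    name: str
    files: dict                                   # path -> content
    registry: dict                                # key -> value
    backup: dict = field(default_factory=dict)    # local backup: path -> content
    events: list = field(default_factory=list)
    blacklist: set = field(default_factory=set)
    whitelist: set = field(default_factory=set)

def record(peer, ev):
    """Detection part: let the program act, but log what it changed."""
    if ev.action == "delete_file":
        peer.files.pop(ev.target, None)        # the monitor sees the delete, not the bytes
    elif ev.action == "modify_registry":
        ev.before = peer.registry.get(ev.target)
        peer.registry[ev.target] = ev.new
    elif ev.action == "delete_registry":
        ev.before = peer.registry.pop(ev.target, None)
    peer.events.append(ev)

def local_verdict(peer, program):
    """Reduce one host's observations of a program to a single verdict."""
    if program in peer.whitelist:
        return LEGIT
    evs = [e for e in peer.events if e.program == program]
    if any(e.action in DESTRUCTIVE and e.target.startswith(SENSITIVE) for e in evs):
        return MALICIOUS
    return UNDETERMINED

def consensus(peers, program):
    """Response part: verdicts are exchanged over the P2P channel. One peer
    finding malicious behaviour is enough; all peers must agree for LEGIT;
    otherwise the program stays undetermined and keeps running under watch."""
    votes = Counter(local_verdict(p, program) for p in peers)
    if votes[MALICIOUS]:
        return MALICIOUS
    if votes[LEGIT] == len(peers):
        return LEGIT
    return UNDETERMINED

def recover(peer, peers, program):
    """Defense part: undo the program's logged changes in reverse order.
    Deleted files come from the local backup or from another peer's copy."""
    restored = []
    for ev in reversed([e for e in peer.events if e.program == program]):
        if ev.action == "delete_file":
            content = peer.backup.get(ev.target)
            if content is None:
                content = next((q.files[ev.target] for q in peers
                                if q is not peer and ev.target in q.files), None)
            if content is not None:
                peer.files[ev.target] = content
                restored.append(("file", ev.target))
        elif ev.action in ("modify_registry", "delete_registry"):
            if ev.before is None:
                peer.registry.pop(ev.target, None)   # key did not exist before
            else:
                peer.registry[ev.target] = ev.before
            restored.append(("registry", ev.target))
    return restored

def respond(peers, program):
    """One round of the loop for one program across the whole network."""
    verdict = consensus(peers, program)
    restored = {}
    for p in peers:
        if verdict == MALICIOUS:
            p.blacklist.add(program)                 # every peer becomes immune
            restored[p.name] = recover(p, peers, program)
        elif verdict == LEGIT:
            p.whitelist.add(program)                 # monitoring can be relaxed
    return verdict, restored

def demo():
    """Constructed scenario: unknown.exe damages peer A; B only saw it read."""
    base_files = {SYSTEM_DIR + "kernel32.dll": b"dll-bytes"}
    peers = [Peer(n, dict(base_files), {}) for n in "ABCDE"]
    a, b = peers[0], peers[1]
    record(a, Event("unknown.exe", "delete_file", SYSTEM_DIR + "kernel32.dll"))
    record(a, Event("unknown.exe", "modify_registry", RUN_KEY + "svc", new="unknown.exe"))
    record(b, Event("unknown.exe", "read_file", "C:/Users/b/notes.txt"))
    verdict, restored = respond(peers, "unknown.exe")
    return verdict, restored, a

if __name__ == "__main__":
    v, r, a = demo()
    print(v, r["A"], sorted(a.files), a.registry, a.blacklist)
```

In the scenario, peer A alone observes destructive behaviour, so the network-wide verdict is C (malicious), every peer blacklists the program, and A gets its deleted system file back from B's intact copy and its Run key removed, matching the "immunity" and "no after-effects" properties the text claims. A program seen only reading files stays undetermined and keeps running under monitoring, as type B requires.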

Claims (3)

1. A method for malicious code detection and defense, characterized by the following steps:
Step 1, detection: an unknown program is not stopped from running; it is monitored during its subsequent execution, and information about it is exchanged with the other clients in the network. Once malicious behavior of a program is found, the other clients in the network are notified;
Step 2, response: the response part is the data processing stage; the large volume of data obtained by the detection part is processed in the response part to obtain defense policies;
Step 3, defense: handle the malicious code and the effects it brings. The response part tells the defense part which actions to take for a given program; the main actions are the following:
1. terminate the malicious process;
2. terminate network connections;
3. recover destroyed registry keys;
4. recover destroyed files;
5. prevent kernel modules from being loaded or modified, restore services, and restore tampered kernel information.
2. The malicious code detection and defense method according to claim 1, characterized in that:
the data obtained by the detection part is divided into two classes:
One, the behavior the program performs: including access to files, access to the registry and use of the network;
Two, abnormalities of the operating system or applications after the program runs: including the file manager, the process manager, system components and installed applications no longer working normally.
3. The malicious code detection and defense method according to claim 2, characterized in that:
from the behaviors performed by the program and the effects of those behaviors, namely the series of behaviors that cause an abnormality and the abnormality of the operating system or applications after the program runs, the defense part is notified to undo the modifications these behaviors made to files and the registry. This forms a series of response policies; these policies resemble conditioned reflexes and tell the defense part how to handle a given program. The response part is a distributed response network composed of multiple hosts, which are connected to each other via the network and share the data they obtain.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2013103433429A CN103428212A (en) 2013-08-08 2013-08-08 Malicious code detection and defense method

Publications (1)

Publication Number Publication Date
CN103428212A true CN103428212A (en) 2013-12-04

Family

ID=49652389

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2013103433429A Pending CN103428212A (en) 2013-08-08 2013-08-08 Malicious code detection and defense method

Country Status (1)

Country Link
CN (1) CN103428212A (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107211011A (en) * 2014-11-25 2017-09-26 恩西洛有限公司 System and method for Malicious Code Detection
CN107004085A (en) * 2014-12-27 2017-08-01 英特尔公司 For managing the technology to the security threat of computing system using user mutual
CN107004085B (en) * 2014-12-27 2021-06-25 英特尔公司 Techniques for managing security threats to a computing system with user interaction
CN106096414A (en) * 2016-06-24 2016-11-09 北京奇虎科技有限公司 Application recovery method, device and terminal
CN106096414B (en) * 2016-06-24 2019-12-31 北京奇虎科技有限公司 Application program recovery method and device and terminal
CN107612905A (en) * 2017-09-15 2018-01-19 广西电网有限责任公司电力科学研究院 The malicious code monitoring method of equipment oriented monitoring distributed system main website
CN108985051A (en) * 2018-08-02 2018-12-11 郑州云海信息技术有限公司 A kind of intrusion prevention method and system of Behavior-based control tracking
CN110795730A (en) * 2018-10-23 2020-02-14 北京安天网络安全技术有限公司 Method, system and storage medium for thoroughly eliminating malicious files
CN110879884A (en) * 2019-11-14 2020-03-13 维沃移动通信有限公司 Information processing method, information processing device, electronic equipment and storage medium
CN114553539A (en) * 2022-02-22 2022-05-27 深信服科技股份有限公司 Method and device for defending malicious program and related equipment
CN114676421A (en) * 2022-03-18 2022-06-28 山东鼎夏智能科技有限公司 Method and device for protecting security software
CN114676421B (en) * 2022-03-18 2022-12-27 山东鼎夏智能科技有限公司 Method and device for protecting security software

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1314638A (en) * 2001-04-29 2001-09-26 北京瑞星科技股份有限公司 Method, system and medium for detecting and clearing known and anknown computer virus
CN1710906A (en) * 2005-07-08 2005-12-21 清华大学 P2P worm defending system
CN1725759A (en) * 2004-07-21 2006-01-25 微软公司 Containment of worms
CN1737722A (en) * 2005-08-03 2006-02-22 珠海金山软件股份有限公司 System and method for detecting and defending computer worm
CN1885224A (en) * 2005-06-23 2006-12-27 福建东方微点信息安全有限责任公司 Computer anti-virus protection system and method
CN101154253A (en) * 2006-09-26 2008-04-02 北京软通科技有限责任公司 Computer security protection method and computer security protection instrument
CN101162485A (en) * 2006-10-11 2008-04-16 飞塔信息科技(北京)有限公司 Method and system for processing computer malicious code
CN101281571A (en) * 2008-04-22 2008-10-08 白杰 Method for defending unknown virus program
CN101699787A (en) * 2009-11-09 2010-04-28 南京邮电大学 Worm detection method used for peer-to-peer network
CN102034050A (en) * 2011-01-25 2011-04-27 四川大学 Dynamic malicious software detection method based on virtual machine and sensitive Native application programming interface (API) calling perception
CN103023983A (en) * 2011-11-24 2013-04-03 卡巴斯基实验室封闭式股份公司 System and method for distributing processing of computer security tasks

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information
Inventor after: Zhang Xiaosong; Chen Ruidong; Niu Weina; Wang Dong; Chen Ting; Liao Jun; Zhang Fan; Zhang Lei
Inventor before: Chen Ting; Zhang Xiaosong; Chen Ruidong; Niu Weina; Wang Dong; Liao Jun; Zhang Fan; Zhang Lei

COR Change of bibliographic data

Free format text: CORRECT: INVENTOR; FROM: QU YANG WU LEYAO LIU YANCONG SHI YONGJUN SHEN LONGZE QU YANG ZHANG JUNBO ZHANG XUEWEN TO: WU LEYAO LIU YANCONG SHI YONGJUN SHEN LONGZE QU YANG QU YANG ZHANG JUNBO ZHANG XUEWEN

RJ01 Rejection of invention patent application after publication

Application publication date: 20131204