CN103679034A - Computer virus analyzing system based on body and virus feature extraction method - Google Patents

Info

Publication number: CN103679034A
Authority: CN (China)
Prior art keywords: virus, sample, rule, computer virus, module
Legal status: Granted (current status: Expired - Fee Related)
Application number: CN201310750929.1A
Other languages: Chinese (zh)
Other versions: CN103679034B (en)
Inventors: 张瀚, 韩建生, 王会, 石家奇, 陆桂巧, 孔令兵, 曹俊芳
Current assignee: Nankai University
Original assignee: Nankai University
Application filed by Nankai University
Priority: CN201310750929.1A
Publication of CN103679034A; application granted and published as CN103679034B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/561 Virus type analysis


Abstract

The invention provides an ontology-based computer virus analysis system and a computer virus feature extraction method. The system obtains key system calls and memory information on the Pin platform, extracts data-dependence and control-dependence relationships according to existing knowledge, builds behaviour dependency graphs that express the behavioural features describing virus semantics, constructs a computer virus ontology, and realises adaptive feature learning and ontology construction as the number of virus samples grows. By extracting computer virus features and building the ontology, the relationship between virus behaviours and instructions is found at a fine granularity and the virus is described, so that the goal of accurately analysing and judging computer viruses is reached.

Description

Ontology-based computer virus analysis system and feature extraction method
Technical field
The invention belongs to the field of computer virus analysis, and specifically relates to an ontology-based computer virus analysis system and its feature extraction method.
Background technology
A computer virus (Computer Virus) is a set of computer instructions or program code, inserted into a computer program by its author, that damages computer functions or destroys data, interferes with the use of the computer, and can replicate itself. Unlike a virus in the medical sense, a computer virus does not occur naturally; it is a set of instructions or program code written by a person who exploits the inherent weaknesses of computer software and hardware. It can hide inside the computer's storage medium (or a program) by some means, is activated when a certain condition is met, and, by modifying other programs, places an exact or possibly evolved copy of itself into them, thereby infecting other programs and destroying computer resources.
At present, the conventional virus detection method is the signature (feature code) method. It is the simplest and cheapest method for detecting known viruses. It is implemented by collecting known virus samples and building a virus database. When detection starts, the file under test is opened and searched to check whether it contains any signature from the virus database. If a signature is found in the file, then, because signatures correspond one-to-one with viruses, it can be concluded which virus the file is infected with.
Computer virus analysis and detection tools are now in practical use, in particular tools that analyse virus samples and extract signatures and sample characteristics. These tools use statistical analysis, fuzzy recognition and machine learning methods to find the feature values of samples and, combined with virtual machine technology and heuristic scanning, detect the presence of signatures. They apply methods such as graph similarity and/or secondary detection, classifying viruses into families according to program similarity and feature similarity. Because some traditional viruses have obvious signatures and change little, and some virus morphologies are well understood, such tools work well where the signature is obvious or the feature values describe the virus and its variants fairly completely.
However, as intelligent techniques develop, virus writing and virus detection remain two sides of the same matter. With new viruses and variants appearing constantly, and with the use of virus transformation techniques, existing computer virus detection easily fails where the signature is not obvious or the feature values cannot fully describe the virus and its variants.
Summary of the invention
To address the above problems, and in view of the deficiencies of the prior art, the inventors, through repeated design and research, provide an ontology-based computer virus analysis system and feature extraction method which can adapt to virus variants and analyse and judge computer viruses comparatively accurately.
According to a first aspect of the invention, an ontology-based computer virus analysis system is provided. It obtains key system calls and memory information on the Pin platform, extracts data-dependence and control-dependence relationships according to existing knowledge, builds a behaviour dependency graph expressing the behavioural features that describe virus semantics, uses this to establish a computer virus ontology, and realises adaptive feature learning and ontology construction as virus samples increase.
Preferably, the sample under test is run and processed on the Pin platform to obtain a trace file containing key system calls and memory information, and the trace file is analysed against the contents of an established rule base describing typical behaviours to extract data-dependence and control-dependence relationships.
Further, a directed graph is built to express the behavioural features describing virus semantics and is matched against the rules, yielding the degree to which each rule is exhibited.
More preferably, the computer virus ontology is built from the exhibition degree of each rule; the sample under test is placed in the virus ontology knowledge tree by similarity calculation, and the result of the system analysis is given.
Specifically, the ontology-based computer virus analysis system comprises the following modules:
(1) a Pin platform processing module, which processes a computer virus sample with a program written on the Pin platform and outputs a trace file containing the sample's key system call flow and memory information;
(2) a function rule base module with automatic updating, which uses empirical knowledge and the programming means by which typical computer virus behaviours are realised to extract data-dependence and control-dependence relationships that represent the typical behaviours of known computer viruses;
(3) a rule matching module, which analyses the sample trace file output by the Pin platform processing module line by line, derives all functions in the trace file together with their order and data dependencies, matches them against the rules in the rule base, and outputs the detailed matching result, which is then processed and classified using ontology knowledge;
(4) an ontology management module, with construction and query functions; the ontology is stored as an OWL file, has the generality of a general ontology, uses the known features of known viruses, and is built manually through the Protégé API using ontology knowledge;
(5) an ontology adaptive learning module, which, for the ever-growing set of virus samples, uses a clustering algorithm to add newly emerging virus features and virus classes to the virus ontology knowledge tree;
(6) an ontology similarity computing module, which computes attribute similarity for a virus sample that has a rule matching result, gives its position in the virus ontology knowledge tree, and produces the final virus analysis result.
Preferably, the ontology management module implements manual addition, deletion and modification of classes, attributes and instances, and provides a virus query function.
According to a second aspect of the invention, a computer virus feature extraction method based on the above computer virus analysis system is provided, comprising the following steps:
1) the rules in the rule base module are written as descriptions of the various key typical virus behaviours; a rule is a coordination and combination of key system calls, using a sequence description to express the order of appearance of API functions, parameter equality between API functions, and their causal logical relationships;
2) a Pintool is written with the API provided by Pin to extract runtime code features, and outputs a sample trace file containing the sample's key system calls and memory information arranged chronologically;
3) the rule matching module scans the sample trace file output by the Pin platform processing module line by line, expresses the adjacency relations in the rule base as a matrix, and, according to whether each relation in the matrix appears, represents the key system functions in the sample and their order and data dependencies as a directed graph in a data structure;
4) the directed graph is matched against the rules in the rule base to derive the matching pattern for each rule, expressing the order of appearance and degree of each behaviour; the matching results of all behaviours are recorded in a feature file.
Preferably, writing a Pintool with the API provided by Pin to extract runtime code features is used by the Pin platform processing module to process unknown file samples.
The ontology-based computer virus analysis system and virus feature extraction method provided by the invention obtain key system calls and memory information on the Pin platform, extract data-dependence and control-dependence relationships according to existing knowledge, build a behaviour dependency graph expressing the behavioural features that describe virus semantics, and use this to establish a computer virus ontology. As virus samples increase, adaptive feature learning and an ontology clustering and construction algorithm are realised, so that the system adapts to virus variants and analyses and judges computer viruses comparatively accurately.
Embodiment
The technical solution of the embodiments of the invention is described clearly and completely below in conjunction with its modules. The described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative work fall within the scope of protection of the invention. Furthermore, the scope of protection is not limited only to the specific modules or design parameters below.
The ontology-based computer virus analysis system comprises the following modules:
(1) a Pin platform processing module, which processes a computer virus sample with a program written on the Pin platform and outputs a trace file containing the sample's key system call flow and memory information;
(2) a function rule base module with automatic updating, which uses empirical knowledge and the programming means by which typical computer virus behaviours are realised, extracting data-dependence and control-dependence relationships to represent the typical behaviours of known computer viruses;
(3) a rule matching module, which analyses the sample trace file output by the Pin platform processing module line by line, derives all functions in the file together with their order and data dependencies, matches them against the rules in the rule base, and outputs the detailed matching result, which is then processed and classified using ontology knowledge by the three ontology-related modules that follow;
(4) an ontology management module, with construction and query functions; the ontology is stored as an OWL file, has the generality of a general ontology, uses the known features of known viruses, and is built manually through the Protégé API using ontology knowledge; manual addition, deletion and modification of classes, attributes and instances are implemented, and on this basis the virus query function is realised;
(5) an ontology adaptive learning module, which, for the ever-growing set of virus samples, uses a clustering algorithm to add newly emerging virus features and virus classes to the virus ontology knowledge tree;
(6) an ontology similarity computing module, which computes attribute similarity for a virus sample that has a rule matching result, gives its position in the virus ontology knowledge tree, and produces the final virus analysis result.
The virus feature extraction method of the ontology-based computer virus analysis system comprises the following steps:
1) the rules in the rule base module are written as descriptions of the various key typical virus behaviours; a rule is a coordination and combination of key system calls, using a sequence description to express the order of appearance of API functions, equality of some parameters between API functions, and their causal logical relationships;
2) a Pintool is written with the API provided by Pin to extract runtime code features; the Pin platform processing module processes the unknown file sample and outputs a trace file containing the sample's key system calls and memory information arranged chronologically;
3) the rule matching module scans the sample trace file output by the Pin platform processing module line by line, expresses the adjacency relations in the rule base as a matrix, and, according to whether each relation in the matrix appears, represents the key system functions in the sample and their order and data dependencies as a directed graph in a data structure;
4) the directed graph is matched against the rules in the rule base to derive the matching pattern for each rule, expressing the order of appearance and degree of each behaviour; the matching results of all behaviours are recorded in a feature file.
To make the objects, technical solutions and advantages of the invention clearer, the embodiments of the invention are described in further detail below.
To adapt to new viruses and variants and to analyse and judge computer viruses comparatively accurately, improving detection accuracy where the signature is not obvious or the feature values cannot fully describe the virus and its variants, the embodiment of the invention provides an ontology-based computer virus analysis system and computer virus feature extraction method, described as follows:
1. Pin platform processing module. The key step of its realisation is to collect the WinAPI functions relevant to virus behaviour and, according to the number and types of parameters in their prototypes, write instrumentation functions so that Pin can locate the valid function objects relevant to virus analysis.
Pin is a program instrumentation platform tool provided by Intel. It supports the IA-32, Intel(R) 64 and IA64 architectures and Linux and Windows executable programs; its web address is pintool.org/. Pin can insert arbitrary code written in C or C++ anywhere in an executable program, so that Pin can be attached to a process. Pin performs a specific instrumentation task through a user-defined Pintool.
This module writes a Pintool with the API provided by Pin to extract the features of running virus code, with the following writing steps:
1) Initialisation: first call PIN_InitSymbols, then call PIN_Init to initialise the Pin system; open the output file stream for subsequent result output.
2) Register callback functions: use IMG_AddInstrumentFunction to register a user-defined callback which, against the list of virus-behaviour-related functions collected in this method, finds and obtains the valid function objects and performs the instrumentation operations; the instrumentation functions are written according to the number and types of parameters in the WinAPI function prototypes.
3) Use PIN_StartProgram() to start the instrumented code and output to the destination file.
The Pin tool itself provides a user manual, and its usual use is known to those skilled in the art, so it is not repeated here.
2. Function rule base module with automatic updating. It uses empirical knowledge and the programming means by which typical computer virus behaviours are realised, extracting data-dependence and control-dependence relationships to represent the typical behaviours of known computer viruses. A rule is a written description of a key typical virus behaviour: a coordination and combination of key system calls, using a sequence description to express the order of appearance of API functions, equality of some parameters between API functions, and their causal logical relationships.
If, during the processing of step 3 below, a new API combination appears repeatedly in a fairly large number of samples, a threshold is set according to its distance from the existing rules and the significance of that distance, and the new behaviour is added to the rule base.
3. Rule matching module. It scans the sample trace file output by the Pin platform processing module line by line, expresses the adjacency relations in the rule base as a matrix, and, according to whether each relation in the matrix appears, represents the key system functions in the sample and their order and data dependencies as a directed graph in a data structure. The directed graph is matched against the rules in the rule base, that is, the sequence expressions of (2), to derive the matching pattern for each rule, expressing the order of appearance and degree of each behaviour. The matching results of all behaviours are recorded in a feature file, which is the module's output; this output is then processed and classified using ontology knowledge by the three ontology-related modules that follow.
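The following C++ program is an added worked example of steps 2 and 3 (rule base and rule matching), not code from the patent: it scans a constructed Pin-style trace line by line, builds the data-dependence adjacency matrix (a returned handle or a shared argument flowing into a later call), and matches rules written as ordered API sequences with parameter-flow constraints. The trace format, the rule encoding, the placeholder path and registry key, and the "matched steps / total steps" degree are all assumptions.

```cpp
#include <cmath>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// One record of the constructed trace: "<seq> <api> <arg1,arg2,...> -> <ret>".
struct Call { int seq = 0; std::string api, ret; std::vector<std::string> args; };

// A rule step names an API and, optionally, the earlier step (index within the
// rule) whose returned handle or argument must flow into this call; -1 = none.
struct RuleStep { std::string api; int dependsOn; };
struct Rule { std::string name; std::vector<RuleStep> steps; };
using Matrix = std::vector<std::vector<int>>;

// Constructed trace of a self-copying sample (placeholder path and key, not IoCs).
std::string sampleTrace() {
    return "1 CreateFileA C:/tmp/svc.exe,GENERIC_WRITE -> 0x1c\n"
           "2 WriteFile 0x1c,0x402000,4096 -> 1\n"
           "3 CloseHandle 0x1c -> 1\n"
           "4 RegOpenKeyExA HKCU/Software/Example/Autorun -> 0x44\n"
           "5 RegSetValueExA 0x44,svc,C:/tmp/svc.exe -> 0\n"
           "6 RegCloseKey 0x44 -> 0\n";
}

// Line-by-line scan of the trace file into call records.
std::vector<Call> parseTrace(const std::string& trace) {
    std::vector<Call> calls;
    std::istringstream in(trace);
    for (std::string line; std::getline(in, line);) {
        if (line.empty()) continue;
        std::istringstream ls(line);
        Call c;
        std::string args, arrow;
        ls >> c.seq >> c.api >> args >> arrow >> c.ret;
        std::istringstream as(args);
        for (std::string a; std::getline(as, a, ',');) c.args.push_back(a);
        calls.push_back(c);
    }
    return calls;
}

// Status codes such as 0/1 carry no data and must not create dependence edges.
static bool isTrivial(const std::string& v) { return v.empty() || v == "0" || v == "1"; }

// Adjacency matrix of data dependence: dep[i][j] = 1 when the return value or an
// argument of call i reappears as an argument of a later call j.
Matrix dependenceMatrix(const std::vector<Call>& calls) {
    const size_t n = calls.size();
    Matrix dep(n, std::vector<int>(n, 0));
    for (size_t i = 0; i < n; ++i)
        for (size_t j = i + 1; j < n; ++j)
            for (const std::string& a : calls[j].args) {
                if (isTrivial(a)) continue;
                if (a == calls[i].ret) dep[i][j] = 1;
                for (const std::string& b : calls[i].args) if (a == b) dep[i][j] = 1;
            }
    return dep;
}

// Greedy in-order match: each rule step binds to the earliest later trace call
// with the same API whose dependence constraint holds. The degree returned is
// matched steps / total steps (an assumed scoring, not the patent's own).
double matchRule(const Rule& rule, const std::vector<Call>& calls, const Matrix& dep) {
    std::vector<int> bound(rule.steps.size(), -1);
    int matched = 0;
    size_t cursor = 0;
    for (size_t s = 0; s < rule.steps.size(); ++s) {
        const RuleStep& st = rule.steps[s];
        for (size_t c = cursor; c < calls.size(); ++c) {
            if (calls[c].api != st.api) continue;
            if (st.dependsOn >= 0 && (bound[st.dependsOn] < 0 || !dep[bound[st.dependsOn]][c]))
                continue;
            bound[s] = static_cast<int>(c); cursor = c + 1; ++matched;
            break;
        }
    }
    return rule.steps.empty() ? 0.0 : static_cast<double>(matched) / rule.steps.size();
}

// Constructed rules in the sequence form described above: API order plus
// handle/parameter flow between steps.
std::vector<Rule> sampleRules() {
    return {
        {"drop-and-register", {{"CreateFileA", -1}, {"WriteFile", 0}, {"CloseHandle", 0},
                               {"RegOpenKeyExA", -1}, {"RegSetValueExA", 3}}},
        {"file-write-delete", {{"CreateFileA", -1}, {"WriteFile", 0}, {"DeleteFileA", 0}}},
        {"network-beacon",    {{"socket", -1}, {"connect", 0}, {"send", 1}}},
    };
}

// Degree of each rule for one trace: what the feature file records per sample.
std::map<std::string, double> analyzeTrace(const std::string& trace, const std::vector<Rule>& rules) {
    const std::vector<Call> calls = parseTrace(trace);
    const Matrix dep = dependenceMatrix(calls);
    std::map<std::string, double> degrees;
    for (const Rule& r : rules) degrees[r.name] = matchRule(r, calls, dep);
    return degrees;
}
```

For the constructed trace, the drop-and-register rule is fully exhibited (degree 1.0), the file-write-delete rule is two thirds exhibited, and the network rule is absent (0.0).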
The three ontology-related modules are the ontology management module, the ontology adaptive learning module and the ontology similarity computing module. All are written in Java on the NetBeans platform; the algorithm below was designed for the similarity calculation, and the ontology is manipulated through the Protégé API to realise ontology construction, query and management.
4. Ontology management module. It has construction and query functions; the ontology is stored as an OWL file, has the generality of a general ontology, uses the known features of known viruses, and is built manually through the Protégé API using ontology knowledge. Manual addition, deletion and modification of classes, attributes and instances are implemented, and on this basis the virus knowledge query function is realised.
Virus query retrieves a specific item of virus knowledge, mainly by keyword; the keyword kinds used are name keywords and function keywords.
1) When the keyword is a virus name, it is compared with the virus names in the virus knowledge tree to obtain the required virus, and the virus's parent node, child nodes, attributes and other details are displayed.
2) When the keyword is a function name, it is compared with the object properties and data properties in the virus ontology knowledge tree, the matching property name is displayed, and the query content is enriched by displaying the property's domain and range.
Through the above steps, the virus knowledge already present in the ontology can be queried on demand.
5. Ontology adaptive learning module. For the ever-growing set of virus samples, a clustering algorithm is used to add newly emerging virus features and virus classes to the virus ontology knowledge tree, making the virus ontology more complete. There are mainly two handling methods: the instances within a class show an obvious clustering phenomenon, indicating the emergence of a new class; or the distance between the instances contained in different (sibling) classes shrinks, and re-clustering may produce a new class. The main steps of the designed adaptive learning algorithm for the virus ontology are as follows:
1) Set thresholds s, a and b.
2) When the instances in a class reach a certain number s, cluster them and compute the distances between the cluster centres; where a distance is greater than a, split these instances and add a new virus class to the tree.
3) Compute the similarity between the instances contained in two adjacent (sibling) classes; if it is greater than threshold b and greater than the similarity among the instances of the original class, readjust the positions of the instances to produce a new class.
6. Ontology similarity computing module. For a virus sample under test that has a rule matching result, it computes attribute similarity, gives the position in the virus ontology knowledge tree, and produces the final virus analysis result.
The similarity calculation method between a sample and virus attributes is used here. First, a virus has behavioural features at coarse and fine granularity; second, each behavioural feature has the API sequence it needs to call. According to existing knowledge, a behavioural feature tree is built for a typical virus, containing the hierarchy, logical and sequential relationships between behaviours, and the APIs of each behaviour. The upper-layer nodes of the feature tree are coarse-grained behaviours, child nodes are the fine-grained behaviours that make up the parent node, and leaf nodes are the API methods called to complete the behaviour; between leaf nodes and between child nodes there are AND/OR relations and sequential relations such as call order. From the rule matching result of an unknown sample, a sample feature tree is built according to the rules' sequential relations and API information; the coverage of the sample feature tree within the virus feature tree is compared to compute the similarity between the two trees. The specific steps are as follows:
1) Set integers m and n, representing the number of identical nodes and the number of different nodes respectively.
2) Starting from the root node, use a depth-first traversal and compare the two nodes at the same position in each tree. If a node exists in only one tree, it is regarded as a different node and n is incremented by 1. If the parent node values are identical and the depth is identical, compare the values of the two nodes; if they differ, n is incremented by 1; if they are identical, go to (3).
3) For the child nodes of the two nodes, check that the node values are equal, compare the sequential relations and check the AND/OR relations; if all are identical, m is incremented by 1, otherwise n is incremented by 1.
4) The similarity of the two is Sim(V1, V2) = m/(m + n), where V1 is the sample under test and V2 is the virus.
Through the above steps, the new sample is compared with all viruses in the virus ontology knowledge tree, yielding a set of similarities; the maximum similarity determines the position in the virus ontology tree, and the classification result and the determined features are given.
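The following C++ program is an added worked example of the feature-tree similarity steps 1) to 4) above and of the final placement by maximum similarity; it is not the patent's Java code. The node layout (value, AND/OR relation, call-order flag, children), the two hypothetical virus families and the constructed sample tree are assumptions; children are compared position by position, as step 2) describes.

```cpp
#include <algorithm>
#include <cmath>
#include <string>
#include <utility>
#include <vector>

// A node of a behavioural feature tree: inner nodes are behaviours (coarse
// above, fine below), leaves are the APIs called to complete the behaviour.
struct Node {
    std::string value;           // behaviour name or API name
    std::string relation;        // "AND" / "OR" among the children, "" at a leaf
    bool ordered;                // children must occur in the listed call order
    std::vector<Node> children;
};

Node api(const std::string& name) { return Node{name, "", false, {}}; }
Node behaviour(const std::string& name, const std::string& relation, bool ordered,
               std::vector<Node> children) {
    return Node{name, relation, ordered, std::move(children)};
}

// Steps 2) and 3): depth-first walk over both trees position by position. A node
// present in only one tree, or with a different value, counts as different (n);
// a node whose children agree in value, AND/OR relation and call order counts
// as identical (m). Nothing below a differing node is visited.
static void compareNodes(const Node* a, const Node* b, int& m, int& n) {
    if (!a || !b) { ++n; return; }
    if (a->value != b->value) { ++n; return; }
    bool same = a->relation == b->relation && a->ordered == b->ordered &&
                a->children.size() == b->children.size();
    for (size_t i = 0; same && i < a->children.size(); ++i)
        same = a->children[i].value == b->children[i].value;
    if (same) ++m; else ++n;
    const size_t k = std::max(a->children.size(), b->children.size());
    for (size_t i = 0; i < k; ++i)
        compareNodes(i < a->children.size() ? &a->children[i] : nullptr,
                     i < b->children.size() ? &b->children[i] : nullptr, m, n);
}

// Step 4): Sim(V1, V2) = m / (m + n), V1 the sample tree, V2 the virus tree.
double similarity(const Node& sample, const Node& virus) {
    int m = 0, n = 0;
    compareNodes(&sample, &virus, m, n);
    return (m + n) == 0 ? 0.0 : static_cast<double>(m) / (m + n);
}

// Place the sample at the virus with the highest similarity; returns the
// family name and its score.
std::pair<std::string, double> classify(
        const Node& sample, const std::vector<std::pair<std::string, Node>>& knowledge) {
    std::pair<std::string, double> best{"", -1.0};
    for (const auto& kv : knowledge) {
        double s = similarity(sample, kv.second);
        if (s > best.second) best = {kv.first, s};
    }
    return best;
}

// Constructed knowledge tree with two hypothetical virus families.
std::vector<std::pair<std::string, Node>> sampleKnowledge() {
    Node infector = behaviour("Infect", "AND", true, {
        behaviour("DropCopy", "AND", true, {api("CreateFileA"), api("WriteFile"), api("CloseHandle")}),
        behaviour("Persist", "AND", true, {api("RegOpenKeyExA"), api("RegSetValueExA")})});
    Node downloader = behaviour("Download", "AND", true, {
        behaviour("Connect", "AND", true, {api("socket"), api("connect")}),
        behaviour("Fetch", "AND", true, {api("recv"), api("WriteFile")})});
    return {{"FileInfector", infector}, {"Downloader", downloader}};
}

// Constructed sample feature tree built from a rule matching result: it matches
// the file infector except for one extra API under Persist.
Node sampleTree() {
    return behaviour("Infect", "AND", true, {
        behaviour("DropCopy", "AND", true, {api("CreateFileA"), api("WriteFile"), api("CloseHandle")}),
        behaviour("Persist", "AND", true,
                  {api("RegOpenKeyExA"), api("RegSetValueExA"), api("RegCloseKey")})});
}
```

Against the file infector the walk counts m = 7 identical and n = 2 different nodes (the Persist node with a different child set, and the extra leaf), so Sim = 7/9; against the downloader the roots differ and Sim = 0, so the sample is placed under FileInfector.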
In summary, the embodiment of the invention provides an ontology-based computer virus analysis system and computer virus feature extraction method. The invention runs and processes the sample under test on the Pin platform to obtain a trace file containing key system calls and memory information, analyses the trace file against the contents of an established rule base describing typical behaviours to extract data-dependence and control-dependence relationships, builds a directed graph expressing the behavioural features that describe virus semantics, matches it against the rules to derive the exhibition degree of each rule, and on this basis establishes the computer virus ontology; the sample under test is placed in the virus ontology knowledge tree by similarity calculation, and the result of the system analysis is given. As virus samples increase, adaptive feature learning and an ontology clustering and construction algorithm are realised, so that the system adapts to virus variants and analyses and judges computer viruses comparatively accurately.
The above is only a preferred embodiment of the invention, but the scope of protection of the invention is not limited to it. Any variation or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the invention falls within the scope of protection of the invention. Those skilled in the art will understand that various modifications in form and detail can be made without departing from the spirit and scope of the invention as defined by the claims.

Claims (8)

1. the computer virus analytic system based on body, it is characterized in that, on Pin platform, obtain Critical system call and memory information, according to existing knowledge, extract data dependence relation and control dependence, structure behavior dependency graph represents to describe the semantic behavioural characteristic of virus, with this, set up computer virus main body system, in the situation that Virus Sample increases, realize adaptive feature learning and body and build.
2. the computer virus analytic system based on body according to claim 1, it is characterized in that, on Pin platform, the trail file that contains Critical system call and memory information that obtains sample to be detected is processed in operation, according to the content of the set up rule base of describing typical behavior, analyze trail file and extract data dependence relation and control dependence.
3. the computer virus analytic system based on body according to claim 1 and 2, is characterized in that, build digraph and represent to describe the semantic behavioural characteristic of virus, and and rule match, draw the performance degree of each rule.
4. the computer virus analytic system based on body according to claim 3, it is characterized in that, performance degree with each rule of obtaining is set up computer virus body, from investigating sample characteristics tree at the level of coverage of virus characteristic tree, sample to be tested is calculated by similarity, determine in the position of viral ontology knowledge tree, provide the result of systematic analysis.
5. according to the arbitrary described computer virus analytic system based on body in claim 1-4, it is characterized in that, the computer virus analytic system based on body comprises as lower module:
(1) Pin platform processes module, it uses the program of writing on Pin platform to process to computer virus sample, is output as trail file, Critical system call flow process and memory information that trail file comprises Virus Sample;
(2) there is the function rule base module of automatic renewal, its use experience knowledge, programming by research computer virus typical case behavior realizes means, extract data dependence relation and control the typical behavior that dependence represents known computer virus, to the new API combination that (3) repeatedly occur in processing below, according to adding rule base with existing rule distance distance;
(3) rule match module, the sample trail file that rule match module is exported after to Pin platform processes is analyzed line by line, draw whole functions of this sample trail file and order and the dependence of data, mate with the rule in rule base, output matching concrete outcome, is used ontology knowledge to process and classification coupling concrete outcome;
(4) ontology management module, it has structure and query function, and the body of setting up exists with the form of OWL formatted file; The body of setting up has the versatility of general body, and known viruse is utilized to known features, uses ontology knowledge by prot é g é api manual construction body;
(5) adaptive learning modules of body, for ever-increasing Virus Sample, is used clustering algorithm, in viral ontology knowledge tree, adds emerging virus characteristic and viral species;
(6) body similarity computing module, to providing the Virus Sample of rule match result, carries out the similarity of attribute and calculates, and provides position in viral ontology knowledge tree, draws the net result of virus analysis.
6. the computer virus analytic system based on body according to claim 5, is characterized in that, ontology management module has realized interpolation or deletion or the modification of manual classification, attribute, example, and can realize the function of virus inquiry.
7. A virus feature extraction method for the ontology-based computer virus analysis system according to any one of claims 1 to 6, the computer virus feature extraction method comprising the following steps:
1) the rules in the rule base module are a written description of the key typical virus behaviours; a rule in the rule base module is a coordination and combination of critical system calls, and a sequence description is used to represent the order in which API functions appear, the equality of parameters between the API functions, and the causal logical relations between them;
2) a Pintool is written with the API provided by Pin to extract operation-code features, and outputs a sample trace file that contains the sample's critical system calls and memory information arranged chronologically;
3) the rule matching module scans line by line the sample trace file output by the Pin platform processing, expresses the neighbouring relations in the rule base as a matrix, and, from the presence or absence of each relation in the matrix, uses a directed graph data structure to represent the critical system functions in the sample together with their order and data dependencies;
4) the directed graph is matched against the rules in the rule base, yielding the matching form for each rule, which represents the order of appearance and the degree of the behaviour; the matching results of all behaviours are recorded in a tag file.
8. The computer virus feature extraction method according to claim 7, characterized in that said writing of a Pintool with the API provided by Pin to extract operation-code features uses the Pin platform processing module to process unknown file samples. The main steps implemented by the Pin platform processing module are: collect the virus-related WinAPI functions, and write instrumentation functions according to the number and types of the parameters in each function's prototype, so that Pin can look up the valid function objects relevant to virus analysis.
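Added example (not the patent's own code or Pintool): a Python sketch of steps 1) to 4) of claim 7 over a constructed trace. The trace line format, the API names, the three rules and the variable-binding rule syntax are assumptions made here; capturing a real trace requires the Pintool of claim 8, which is not reproduced. A rule is an ordered API sequence whose named slots (return value, argument index) must carry equal values wherever they are bound to the same variable, which is the parameter-equality relation of step 1); the adjacency matrix of step 3) is built from the same value flow; and the "order" and "degree" recorded per rule are the matching form of step 4).

```python
"""Rule matching over an API trace (steps 1-4 of the claimed feature extraction).

Constructed example: trace format, API names and rules are assumptions;
the patent's rule syntax and Pintool output format are not on the page.
"""
import re

# Constructed trace, one call per line: "<seq> <Api>(<args>) = <return value>"
SAMPLE_TRACE = r"""
0001 CreateFileA("C:\Temp\svchost.exe", GENERIC_WRITE) = 0x1C
0002 WriteFile(0x1C, 0x00400000, 4096) = 1
0003 CloseHandle(0x1C) = 1
0004 RegOpenKeyExA(HKLM, "Software\Microsoft\Windows\CurrentVersion\Run") = 0x2A
0005 RegSetValueExA(0x2A, "svc", "C:\Temp\svchost.exe") = 0
0006 RegCloseKey(0x2A) = 0
0007 CreateProcessA("C:\Temp\svchost.exe") = 0x33
"""

LINE_RE = re.compile(r"^(\d+)\s+(\w+)\((.*)\)\s*=\s*(\S+)$")


def parse_trace(text):
    """Step 3 (line-by-line scan): each call becomes {seq, api, args, ret}."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or non-call lines (e.g. memory dumps) are skipped
        seq, api, raw_args, ret = m.groups()
        args = [a.strip().strip('"') for a in raw_args.split(",")] if raw_args.strip() else []
        calls.append({"seq": int(seq), "api": api, "args": args, "ret": ret})
    return calls


STATUS_VALUES = {"0", "1"}  # bare success/failure codes carry no data dependence


def dependency_matrix(calls):
    """Step 3 (adjacency matrix of the digraph): m[i][j] = 1 when a later call j
    consumes a handle or string that call i returned or used, i.e. j depends on i."""
    n = len(calls)
    m = [[0] * n for _ in range(n)]
    for i, src in enumerate(calls):
        produced = (set(src["args"]) | {src["ret"]}) - STATUS_VALUES
        for j in range(i + 1, n):
            if produced & set(calls[j]["args"]):
                m[i][j] = 1
    return m


# Step 1: a rule is an ordered API sequence; slots ("ret", "arg0", ...) bound to the
# same variable must hold equal values across calls (parameter equality / causality).
RULES = {
    "drop_and_execute": [
        ("CreateFileA", {"arg0": "path", "ret": "h"}),
        ("WriteFile", {"arg0": "h"}),
        ("CreateProcessA", {"arg0": "path"}),
    ],
    "registry_autorun": [
        ("RegOpenKeyExA", {"ret": "k"}),
        ("RegSetValueExA", {"arg0": "k"}),
    ],
    "remote_thread_injection": [
        ("OpenProcess", {"ret": "p"}),
        ("WriteProcessMemory", {"arg0": "p"}),
        ("CreateRemoteThread", {"arg0": "p"}),
    ],
}


def _slot(call, key):
    if key == "ret":
        return call["ret"]
    idx = int(key[3:])
    return call["args"][idx] if idx < len(call["args"]) else None


def match_rule(calls, steps, pos=0, bindings=None):
    """Step 4: longest in-order match of `steps` in `calls`, as seq numbers.
    Backtracks over candidate calls so that variable bindings stay consistent."""
    if not steps:
        return []
    bindings = bindings or {}
    api, slots = steps[0]
    best = []
    for j in range(pos, len(calls)):
        call = calls[j]
        if call["api"] != api:
            continue
        trial = dict(bindings)
        for key, var in slots.items():
            value = _slot(call, key)
            if value is None or trial.get(var, value) != value:
                break  # slot missing or conflicts with an earlier binding
            trial[var] = value
        else:
            rest = match_rule(calls, steps[1:], j + 1, trial)
            if 1 + len(rest) > len(best):
                best = [call["seq"]] + rest
            if len(best) == len(steps):
                break
    return best


def match_all(calls, rules=RULES):
    """Tag-file content: per rule, the order its steps appeared in and the
    degree (fraction of steps matched)."""
    result = {}
    for name, steps in rules.items():
        order = match_rule(calls, steps)
        result[name] = {"order": order, "degree": len(order) / len(steps)}
    return result


if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    for i, row in enumerate(dependency_matrix(calls)):
        print(calls[i]["api"], "->", [calls[j]["api"] for j, v in enumerate(row) if v])
    for name, r in match_all(calls).items():
        print(f"{name}: order={r['order']} degree={r['degree']:.2f}")
```

Binding the file path and handle across calls is what separates "wrote a file and later started some process" from "started the file it just wrote"; without that equality check the drop-and-execute rule would fire on almost any installer. The degree value (matched steps over total steps) is the per-behaviour feature that the ontology similarity step consumes.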
CN201310750929.1A 2013-12-26 2013-12-26 A kind of computer virus analytic system based on body and feature extracting method thereof Expired - Fee Related CN103679034B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310750929.1A CN103679034B (en) 2013-12-26 2013-12-26 A kind of computer virus analytic system based on body and feature extracting method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310750929.1A CN103679034B (en) 2013-12-26 2013-12-26 A kind of computer virus analytic system based on body and feature extracting method thereof

Publications (2)

Publication Number Publication Date
CN103679034A true CN103679034A (en) 2014-03-26
CN103679034B CN103679034B (en) 2016-04-13

Family

ID=50316544

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310750929.1A Expired - Fee Related CN103679034B (en) 2013-12-26 2013-12-26 A kind of computer virus analytic system based on body and feature extracting method thereof

Country Status (1)

Country Link
CN (1) CN103679034B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101162485A (en) * 2006-10-11 2008-04-16 飞塔信息科技(北京)有限公司 Method and system for processing computer malicious code
CN101853200A (en) * 2010-05-07 2010-10-06 北京大学 High-efficiency dynamic software vulnerability exploiting method
US20120144488A1 (en) * 2010-12-01 2012-06-07 Symantec Corporation Computer virus detection systems and methods
US20130174257A1 (en) * 2010-08-18 2013-07-04 Qizhi Software (Beijing) Company Limited Active Defense Method on The Basis of Cloud Security
CN103440201A (en) * 2013-09-05 2013-12-11 北京邮电大学 Dynamic taint analysis device and application thereof to document format reverse analysis

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105830060A (en) * 2014-02-06 2016-08-03 富士施乐株式会社 Information processing device, information processing program, storage medium, and information processing method
CN105740711A (en) * 2016-01-29 2016-07-06 哈尔滨工业大学深圳研究生院 Malicious code detection method and system based on kernel object behavior body
CN105740711B (en) * 2016-01-29 2018-08-31 哈尔滨工业大学深圳研究生院 A kind of malicious code detecting method and system based on kernel objects behavior ontology
CN107038380A (en) * 2017-04-14 2017-08-11 华中科技大学 A kind of leak detection method and system based on performance of program tree
CN107038380B (en) * 2017-04-14 2019-07-05 华中科技大学 A kind of leak detection method and system based on performance of program tree
CN109145601A (en) * 2017-06-27 2019-01-04 英特尔公司 Malware detection system attack prevents
CN110457903A (en) * 2019-07-24 2019-11-15 腾讯科技(深圳)有限公司 A kind of virus analysis method, apparatus, equipment and medium
CN111143848A (en) * 2019-12-31 2020-05-12 成都科来软件有限公司 System for recording sample behaviors and formulating virus rules
CN112767135A (en) * 2021-01-26 2021-05-07 北京健康之家科技有限公司 Rule engine configuration method and device, storage medium and computer equipment
CN112767135B (en) * 2021-01-26 2024-02-27 北京水滴科技集团有限公司 Configuration method and device of rule engine, storage medium and computer equipment

Also Published As

Publication number Publication date
CN103679034B (en) 2016-04-13

Similar Documents

Publication Publication Date Title
Ren et al. Label noise reduction in entity typing by heterogeneous partial-label embedding
Jia et al. A practical approach to constructing a knowledge graph for cybersecurity
Uwagbole et al. Applied machine learning predictive analytics to SQL injection attack detection and prevention
Bedi et al. Community detection in social networks
CN107609052B (en) A kind of generation method and device of the domain knowledge map based on semantic triangle
Klinkmüller et al. Increasing recall of process model matching by improved activity label matching
CN103679034B (en) A kind of computer virus analytic system based on body and feature extracting method thereof
Peng et al. Astroturfing detection in social media: a binary n‐gram–based approach
CN109543410B (en) Malicious code detection method based on semantic mapping association
TW202020691A (en) Feature word determination method and device and server
Alami et al. Cybercrime profiling: Text mining techniques to detect and predict criminal activities in microblog posts
CN102523311B (en) Illegal domain name recognition method and device
CN113609261B (en) Vulnerability information mining method and device based on knowledge graph of network information security
Wisse et al. Scripting dna: Identifying the javascript programmer
CN110324273A (en) A kind of Botnet detection method combined based on DNS request behavior with domain name constitutive characteristic
Rehs A supervised machine learning approach to author disambiguation in the Web of Science
Liu et al. Functions-based CFG embedding for malware homology analysis
Wang et al. Chinese hypernym-hyponym extraction from user generated categories
Skoumas et al. On quantifying qualitative geospatial data: A probabilistic approach
CN113392399A (en) Malicious software classification method, device, equipment and medium
Sirsat et al. Mining knowledge from text repositories using information extraction: A review
CN110502669A (en) The unsupervised chart dendrography learning method of lightweight and device based on the side N DFS subgraph
Sharma et al. Analysis of clustering algorithms in biological networks
Rattan et al. Detecting high level similarities in source code and beyond
CN111930545B (en) SQL script processing method, SQL script processing device and SQL script processing server

Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20160413