CN103810427A - Mining method and system for malicious code hiding behaviors - Google Patents

Publication number
CN103810427A
Authority
CN
China
Prior art keywords
malicious code
condition
behavior
hiding
path
Legal status
Granted
Application number
CN201410058889.9A
Other languages
Chinese (zh)
Other versions
CN103810427B (en)
Inventor
王蕊
林子敏
张道娟
Current Assignee
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Application filed by Institute of Information Engineering of CAS
Priority to CN201410058889.9A
Publication of CN103810427A
Application granted
Publication of CN103810427B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities


Abstract

The invention relates to a method and system for mining the hidden behaviors of malicious code. The method comprises: running the malicious code in a virtual environment; determining whether the instruction information and function information executed by the malicious code contain instructions and functions related to hidden behavior paths; if execution information related to time-delay hiding is detected, ending the corresponding delay behavior so that the malicious code continues to execute its subsequent instructions and functions; if execution information related to condition-judgment hiding is detected, classifying it by type of condition judgment and mining the possible execution paths of the malicious code by satisfying the execution conditions of the different paths; and using the information on the various behavior paths executed by the malicious code, once analyzed, to generate a malicious code behavior path tree. The invention can effectively mine hidden behaviors with which malicious code evades analysis through time-delay hiding and condition-judgment hiding, effectively discovers the various hidden behavior paths that may exist, and improves the ability to analyze and mine the hidden behaviors of malicious code.

Description

Method and system for mining the hidden behaviors of malicious code
Technical field
The invention belongs to the field of network security technology, and specifically relates to a method and system for mining the hidden behaviors of malicious code.
Background
As informatization advances and technology develops, malicious code, one of its major threats, keeps advancing as well. To evade analysis and detection, the concealment, metamorphic and survival capabilities of malicious code are constantly being strengthened. Malicious code hides some of its harmful behaviors through various technical means, so that common analysis and detection tools cannot detect its malicious behavior in time, and it can then cause damage when needed, threatening the security of the Internet and of computer systems.
At present, the hiding techniques of malicious code mainly include: (1) hiding its traces in the system, such as process information; (2) containing both normal behavior paths and malicious behavior paths, and carrying out the malicious behavior only under certain conditions. For example, when it detects an analysis and detection environment, it hides its malicious behavior and so evades detection. Traditional dynamic analysis can usually analyze only the behavior path that the malicious code is currently executing, and cannot effectively detect the existence of hidden behaviors and paths. Improving the ability to analyze the hidden behaviors and paths of malicious code has therefore become an important problem to be solved in malicious code protection.
Among existing malicious code analysis methods, static analysis can analyze all the paths a piece of malicious code contains and thereby uncover the hidden behaviors that may exist. Normally, however, the source code of malicious code is not available, so analysis has to rely on disassembly and decompilation software. Malicious code usually uses obfuscation techniques to interfere with such software, making it hard to recover the code accurately. Dynamic analysis can obtain the behavior of malicious code as it executes, but it is limited to a single execution path and can only obtain the behavior path exhibited in the current run. It cannot effectively analyze malicious code that has multiple behavior paths, especially code that hides one malicious behavior path among several harmless ones.
As malicious code analysis and detection techniques develop, malicious code developers keep updating their techniques as well. To evade analysis and detection, there are now methods that detect a virtual analysis environment and then hide behavior, and hiding techniques that carry out the malicious behavior only under specific conditions. This poses a great challenge to malicious code analysis and prevention work.
Studying methods for analyzing the hidden behaviors of malicious code, so that they can be analyzed fully and effectively and can further guide malicious code detection, is an important basic problem in malicious code defense. The main problems of current methods for analyzing hidden behaviors are: dynamic analysis only analyzes the behavior the malicious code executes within a period of time, so it easily misses behaviors hidden by time delay; a dynamic analysis run can only analyze the behavior currently being executed and cannot effectively analyze latent malicious behavior paths that appear only under specific conditions, so malicious code that probes the running environment and conditions in order to hide its malicious behavior cannot be analyzed effectively; and dynamic analysis is mostly passive tracing, lacking an effective way to actively mine the hidden behaviors of malicious code.
Summary of the invention
The object of the invention is to provide a method and system for mining the hidden behaviors of malicious code. During dynamic execution, the time delays and conditional control statements that may exist in the code executed by the malicious code are analyzed, and the conditions that satisfy the behavior paths it might execute are supplied to it, actively triggering its potential hidden behaviors. The hidden behaviors of the malicious code are thereby actively mined and hidden behavior analysis is achieved.
The main idea of the invention is as follows: the malicious code to be analyzed is run in a controllable environment and its execution information is monitored. For the two kinds of hiding behavior, delayed execution and condition judgment, the instructions and functions that implement them are monitored, and the conditions under which the hidden behavior executes are supplied as input, so that the code executes the corresponding behavior paths and the hidden behaviors are mined.
Specifically, the technical solution adopted by the invention is as follows:
A method for mining the hidden behaviors of malicious code, comprising the steps of:
1) running the malicious code in a virtual environment, and monitoring, one by one, the instruction information and function information executed by the malicious code;
2) determining whether the instruction information and function information executed by the malicious code contain instructions and functions related to hidden behavior paths, the hidden behaviors comprising two classes: time-delay hiding and condition-judgment hiding;
3) if execution information related to time-delay hiding is detected, ending the corresponding delay behavior so that the malicious code goes on to execute its subsequent instructions and functions;
4) if execution information related to condition-judgment hiding is detected, classifying it by type of condition judgment and mining the possible execution paths of the malicious code by satisfying the execution conditions of its different paths;
5) representing the information on the multiple possible behavior paths executed by the malicious code, once analysis is complete, in the form of a tree, generating a malicious code behavior path tree.
Further, the instruction information and function information executed by the malicious code in step 1) are monitored as follows: the malicious code to be analyzed is run in a hardware emulation environment, and the instruction sequence it executes is monitored by dynamic disassembly; the relevant function information is monitored by hooking functions.
Further, the instructions and functions related to hidden behavior paths in step 2) can be defined by the user as needed; in the invention they are mainly divided into two classes, time-delay hiding and condition-judgment hiding.
Further, time-delay hiding in step 2) means that the malicious code uses some means to postpone the appearance of its malicious behavior, in order to evade dynamic analysis of limited duration; condition-judgment hiding means that, before carrying out malicious behavior, the malicious code checks certain execution conditions, such as system and network state, and carries out the malicious behavior only when a certain condition is met.
Further, the time-delay hiding in step 3) mainly comprises two common kinds of delay-based hiding: delay through a sleep function, and loop delay.
Further, the corresponding delay behavior in step 3) is ended as follows: for a sleep function, the function is ended by adjusting the hardware time to a time after the delay; for a loop delay, the loop is ended by modifying the corresponding register flag bit.
Further, the condition-judgment hiding in step 4) mainly comprises two classes, user-interaction conditions and independent condition judgments. A user-interaction condition checks whether there are user input events (including mouse and keyboard events); an independent judgment condition checks, during execution, the various system and network conditions that require no manual intervention.
Further, the execution conditions of the different paths in step 4) are satisfied as follows: the condition-judgment statements encountered during execution of the malicious code are analyzed. For a user-interaction condition judgment, when a condition-judgment statement that waits for keyboard or mouse events is found, the corresponding function call module is started to send the corresponding keyboard and mouse messages and satisfy the execution condition. For an independent condition judgment, the system image (snapshot) and the judgment expression at the point where the condition-judgment statement occurs are saved, and execution then continues; when the current path has finished executing, the analysis rolls back to the position of the saved image and changes the result of the condition judgment, so that the code executes the other path and hidden execution paths are mined. If several condition judgments are encountered during execution, the possible condition values are determined by evaluating the results of all the judgment expressions on the path.
A system for mining the hidden behaviors of malicious code, comprising:
a hardware emulator, which provides a virtual execution environment for running and monitoring the malicious code;
an instruction information monitoring module, integrated into the instruction translation module of the hardware emulator, for monitoring and recording the instruction information executed by the malicious code while it runs;
a function information monitoring module, integrated into the hardware emulator and connected to the instruction information monitoring and recording module, which, while the malicious code runs, monitors the function information it executes by examining instruction jumps and emulated memory data;
a condition judgment analysis module, connected to the instruction information monitoring module and the function information monitoring module, for detecting condition-judgment statements in the instruction and function information executed by the malicious code;
a condition input module, connected to the condition judgment analysis module and the virtual execution environment of the hardware emulator, for generating, during analysis, the condition inputs needed to make the code execute different behavior paths;
an execution image module, connected to the virtual execution environment of the hardware emulator, the condition judgment analysis module and the condition input module, for recording, when multiple execution paths are possible, an image of the system and code state before each path is executed;
a behavior tree construction module, connected to the instruction information monitoring module, the function information monitoring module, the condition judgment analysis module and the condition input module, for constructing the malicious code behavior path tree from the different behavior paths obtained for the malicious code.
The advantages and beneficial effects of the invention are as follows:
The invention addresses the problem that dynamic analysis of malicious code is limited to a single path within a limited time. By analyzing the hiding methods commonly used by malicious code, and by using monitoring, judgment and active mining in a controllable environment, it can effectively mine hidden behaviors with which malicious code evades analysis through time-delay hiding and condition-judgment hiding, and effectively discover the multiple hidden behavior paths that may exist, thereby improving the ability to analyze and mine the hidden behaviors of malicious code.
Brief description of the drawings
Fig. 1 is a flow chart of the method for mining the hidden behaviors of malicious code.
Fig. 2 is a module diagram of the system for mining the hidden behaviors of malicious code.
Detailed description
The invention is further described below through specific embodiments and the drawings.
As shown in Fig. 1, the method of the invention for mining the hidden behaviors of malicious code comprises the following steps:
1. Monitor and record the instruction information and function information of the malicious code during dynamic execution.
The invention uses a hardware emulator to run the malicious code to be analyzed dynamically inside a virtual operating system, and monitors and records within the emulator the instructions and function information the malicious code executes. Instruction monitoring goes through the emulator's intermediate translation module: instructions are fetched one by one by disassembly and the corresponding instruction information is recorded. Function monitoring identifies system data structures in virtual memory and computes the corresponding function call addresses; it then compares instruction jump addresses with the function call addresses to decide whether a function that needs monitoring has been called, and records the corresponding information.
2. Determine whether instructions and functions related to hidden behavior paths occur.
Based on an analysis of the hiding behaviors commonly used by malicious code, the invention divides them into two broad classes, time-delay hiding and condition-judgment hiding. Time-delay hiding is a hiding method in which the malicious code delays carrying out its malicious behavior in order to evade detection by a dynamic analysis environment. Condition-judgment hiding is a hiding method in which the malicious code checks certain system, network and user-interaction conditions and carries out its malicious behavior only when certain conditions are met.
Time-delay hiding generally falls into two classes: delay using a sleep function, and loop delay. For sleep-function delay, the invention detects sleep function calls by hooking the function. For loop delay, it monitors whether the instructions executed by the malicious code contain a loop, and analyzes further when a loop is found.
For condition-judgment hiding, the invention distinguishes two classes, user-interaction conditions and independent judgment conditions, according to whether user interaction is involved. During execution of the malicious code, when a condition-judgment statement is observed, the relevant information is recorded and a corresponding image file is created that records the state of the current system and of the malicious code's execution; the statement is then passed to the subsequent steps for further analysis and processing.
3. For detected time-delay hiding, end the corresponding delay behavior so that the malicious code continues executing.
The time-delay hiding detected in step 2 is handled accordingly. When a call to the sleep function is detected, the delay time is read from the stack, and the time of the hardware emulator is then adjusted to after that delay so that the condition is met and the malicious code goes on to execute its subsequent behavior.
When a loop is detected, analysis identifies the loop's control-transfer instruction, the jump that takes control flow back toward the front of the loop. When that transfer instruction is executed again, the corresponding flag bit of the EFLAGS register in the virtual CPU is inverted so that the loop ends and the malicious code starts executing its subsequent behavior.
4. For the hidden behaviors that detected condition-judgment statements may lead to, mine the potential hidden behavior paths by satisfying their different conditions.
When step 2 detects a condition-judgment statement, the condition it checks is analyzed and handled differently depending on whether user interaction is involved. When user interaction is required, the code is checking whether user mouse and keyboard events occur; in that case the corresponding mouse interface function do_mouse and keyboard interface function do_send_key are called to send the corresponding mouse and keyboard messages, satisfying the execution condition of the subsequent behavior. Before the interface functions are called, the corresponding system image is recorded; after this path has been analyzed, the analysis returns to that image and analyzes the other case, the behavior when the interaction is not satisfied, in order to obtain a more complete picture of the malicious code's behavior. Note that most malicious code checks for user input to decide whether it is in a real environment rather than an analysis environment, so malicious behavior is more likely to be executed when the user-interaction condition is met; the behavior under the satisfied condition is therefore analyzed first.
For an independent judgment condition, that is, one that needs no user interaction, the judgment statement is analyzed and the current system image is saved. Starting from the first condition-judgment statement, the system image and the current judgment condition are saved, and the possible subsequent branch paths are then analyzed. After one path has been executed, the analysis returns to the system image at the corresponding judgment condition and executes a different conditional branch, thereby mining the different behavior paths the malicious code may execute. If further condition-judgment statements appear later on a path, they are analyzed in turn, recursively. In addition, to reduce the cost spent on impossible paths, the invention stores all condition-judgment statements on the path during analysis; when a new condition-judgment statement arises, all the condition judgments on the path are evaluated, and only genuinely possible paths, those for which all path conditions can actually hold together, are analyzed.
5. Construct the malicious code behavior path tree from the behavior paths the malicious code may execute.
Through the above analysis, the hidden behaviors that may exist in the malicious code can be mined. The invention represents the various behaviors of the malicious code mined during dynamic execution as a tree. The malicious code behavior path tree is constructed as follows: the first piece of information executed by the malicious code starts the behavior tree; thereafter, each further piece of information executed is added to the tree as a child node; when time-delay hiding information is detected, the delay condition is marked on the corresponding execution-information node and subsequent child nodes continue to be added; when a condition-judgment statement is detected, the condition-judgment information is saved at the corresponding node, and different child nodes are added for the different conditions to represent the subsequent execution subtrees. The corresponding node is marked after the system image is saved; after one path has been analyzed, the analysis returns to that node and adds the other subtrees, until execution is finished.
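The following Python sketch is an added example, not code from the patent: it runs steps 3 to 5 over a constructed toy program, fast-forwarding a sleep, forcing a delay loop to exit by inverting a flag, exploring both outcomes of each independent condition from a saved snapshot, pruning contradictory path conditions, and building the behavior path tree. The instruction set, `PROGRAM` and all function names are assumptions made for illustration; user-interaction conditions are left out, and the feasibility check handles only `==` and `!=` conditions.

```python
import copy
from dataclasses import dataclass, field

@dataclass
class Node:
    label: str            # behavior name, or "[...]" for an analysis marker
    note: str = ""        # delay or branch condition recorded on the node
    children: list = field(default_factory=list)

# Constructed toy program in a hypothetical instruction set, not real malware.
PROGRAM = [
    ("act", "read_config"),             # 0
    ("sleep", 600_000),                 # 1  sleep-function delay, in ms
    ("set", "r0", 1_000_000),           # 2  counter for a busy-wait loop
    ("dec", "r0"),                      # 3
    ("jnz", 3),                         # 4  jump back to 3: loop delay
    ("test", "os", "==", "xp", 8),      # 5  independent condition
    ("act", "exit_quietly"),            # 6
    ("halt",),                          # 7
    ("test", "os", "==", "win7", 11),   # 8  taken outcome contradicts os == xp
    ("act", "hidden_behavior"),         # 9
    ("halt",),                          # 10
    ("act", "never_reached"),           # 11
    ("halt",),                          # 12
]
NEGATE = {"==": "!=", "!=": "=="}

def feasible(constraints):
    """True unless a variable must equal two values, or a value it must differ from."""
    eq, ne = {}, {}
    for var, op, val in constraints:
        (eq if op == "==" else ne).setdefault(var, set()).add(val)
    return all(len(v) == 1 and not (v & ne.get(k, set())) for k, v in eq.items())

def attach(parent, label, note=""):
    node = Node(label, note)
    parent.children.append(node)
    return node

def explore(program, state, parent, stats):
    while True:
        stats["steps"] += 1
        pc = state["pc"]
        op, *args = program[pc]
        if op == "halt":
            stats["paths"] += 1
            return
        if op == "act":
            parent = attach(parent, args[0])
        elif op == "sleep":
            # Step 3: move the virtual clock past the delay instead of waiting.
            state["clock"] += args[0]
            stats["skipped_ms"] += args[0]
            parent = attach(parent, "[sleep]", f"clock advanced to {state['clock']} ms")
        elif op == "set":
            state["regs"][args[0]] = args[1]
        elif op == "dec":
            state["regs"][args[0]] -= 1
            state["zf"] = state["regs"][args[0]] == 0
        elif op == "jnz":
            if args[0] <= pc:                   # jump to an earlier pc: a loop
                state["loops"][pc] = state["loops"].get(pc, 0) + 1
                if state["loops"][pc] >= 2 and not state["zf"]:
                    state["zf"] = True          # invert the flag so the loop ends
                    parent = attach(parent, "[loop]", f"forced exit at pc {pc}")
            if not state["zf"]:
                state["pc"] = args[0]
                continue
        elif op == "test":
            # Step 4: snapshot, then run each outcome from the same saved state.
            var, cmp_op, val, target = args
            branch = attach(parent, "[branch]", f"{var} {cmp_op} {val}")
            snapshot = copy.deepcopy(state)
            for taken in (True, False):
                child = copy.deepcopy(snapshot)  # roll back to the snapshot
                cond = (var, cmp_op if taken else NEGATE[cmp_op], val)
                child["constraints"].append(cond)
                if not feasible(child["constraints"]):
                    stats["pruned"] += 1         # contradicts earlier path conditions
                    continue
                child["pc"] = target if taken else pc + 1
                sub = attach(branch, "[if %s %s %s]" % cond)
                explore(program, child, sub, stats)
            return
        state["pc"] = pc + 1

def mine(program):
    root = Node("[start]")
    stats = {"steps": 0, "paths": 0, "pruned": 0, "skipped_ms": 0}
    state = {"pc": 0, "clock": 0, "zf": False, "regs": {}, "loops": {}, "constraints": []}
    explore(program, state, root, stats)
    return root, stats

def behaviors(node, prefix=()):
    """List the behavior names along every root-to-leaf path of the tree."""
    here = prefix if node.label.startswith("[") else prefix + (node.label,)
    if not node.children:
        return [list(here)]
    return [p for c in node.children for p in behaviors(c, here)]
```

Calling `mine(PROGRAM)` returns the tree root and counters; `behaviors(root)` then lists the behavior sequence of each path that was explored.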
The above embodiments only illustrate the technical solution of the invention and do not limit it. A person of ordinary skill in the art may modify the technical solution of the invention or replace it with equivalents without departing from the spirit and scope of the invention; the scope of protection of the invention is defined by the claims.

Claims (10)

1. A method for mining the hidden behaviors of malicious code, comprising the steps of:
1) running the malicious code in a virtual environment, and monitoring, one by one, the instruction information and function information executed by the malicious code;
2) determining whether the instruction information and function information executed by the malicious code contain instructions and functions related to hidden behavior paths, the hidden behaviors comprising two classes: time-delay hiding and condition-judgment hiding;
3) if execution information related to time-delay hiding is detected, ending the corresponding delay behavior so that the malicious code goes on to execute its subsequent instructions and functions;
4) if execution information related to condition-judgment hiding is detected, classifying it by type of condition judgment and mining the possible execution paths of the malicious code by satisfying the execution conditions of its different paths;
5) representing the multi-path behavior information executed by the malicious code, once dynamic analysis is complete, in the form of a tree, generating a malicious code behavior path tree.
2. The method of claim 1, characterized in that the time-delay hiding comprises two kinds: delay by calling a sleep function, and loop delay.
3. The method of claim 1, characterized in that the condition-judgment hiding comprises two classes, user-interaction conditions and independent condition judgments, wherein a user-interaction condition checks whether there are user input events, and an independent condition checks, during execution, the various system and network conditions that require no manual intervention.
4. The method of claim 3, characterized in that the user input events comprise mouse and keyboard events.
5. The method of any one of claims 1 to 3, characterized in that time-delay hiding is handled as follows: when a call to the sleep function is detected, the delay time is read from the stack, and the time of the hardware emulator is then adjusted to after that delay so that the condition is met and the malicious code goes on to execute its subsequent behavior; when a loop is detected, analysis identifies the loop's control-transfer instruction, the jump that takes control flow back toward the front of the loop, and when that transfer instruction is executed again, the corresponding flag bit of the EFLAGS register in the virtual CPU is inverted so that the loop ends and the malicious code starts executing its subsequent behavior.
6. The method of any one of claims 1 to 3, characterized in that a detected condition-judgment statement is handled as follows: the condition it checks is analyzed; when a user-interaction condition judgment exists, the corresponding system image is recorded, the mouse interface function do_mouse and the keyboard interface function do_send_key are called to send the corresponding mouse and keyboard messages so as to satisfy the execution condition of the subsequent behavior, and after this path has been analyzed the analysis returns to that image and analyzes the other case, the behavior when the interaction is not satisfied; for an independent judgment condition, the judgment statement is analyzed and the current system image and judgment condition are saved, the possible subsequent branch paths are obtained, and after one path has been executed the analysis returns to the corresponding system image and executes a different conditional branch, thereby mining the different behavior paths the malicious code may execute.
7. The method of claim 6, characterized in that, in the analysis of independent judgment conditions, if further condition-judgment statements appear later on a path, they are analyzed in turn, recursively.
8. The method of claim 7, characterized in that all condition-judgment statements on the path are stored during analysis; when a new condition-judgment statement arises, all the condition judgments on the path are evaluated, and only genuinely possible paths, those for which all path conditions can actually hold together, are analyzed, so as to reduce the cost spent on impossible paths.
9. The method of claim 1, characterized in that the malicious code behavior path tree is constructed as follows: the first piece of information executed by the malicious code serves as the initial parent node from which the behavior tree is generated; thereafter, each further piece of information executed is added to the tree as a child node; when time-delay hiding information is detected, the delay condition is marked on the corresponding execution-information node and subsequent child nodes continue to be added; when a condition-judgment statement is detected, the condition-judgment information is saved at the corresponding node, and different child nodes are added for the different conditions to represent the subsequent execution subtrees; the corresponding node is marked after the system image is saved, and after one path has been analyzed the analysis returns to that node and adds the other subtrees, until execution is finished.
10. A system for mining the hidden behaviors of malicious code, characterized by comprising:
a hardware emulator, which provides a virtual execution environment for running and monitoring the malicious code;
an instruction information monitoring module, integrated into the instruction translation module of the hardware emulator, for monitoring and recording the instruction information executed by the malicious code while it runs;
a function information monitoring module, integrated into the hardware emulator and connected to the instruction information monitoring and recording module, which, while the malicious code runs, monitors the function information it executes by examining instruction jumps and emulated memory data;
a condition judgment analysis module, connected to the instruction information monitoring module and the function information monitoring module, for detecting condition-judgment statements in the instruction and function information executed by the malicious code;
a condition input module, connected to the condition judgment analysis module and the virtual execution environment of the hardware emulator, for generating, during analysis, the condition inputs needed to make the code execute different behavior paths;
an execution image module, connected to the virtual execution environment of the hardware emulator, the condition judgment analysis module and the condition input module, for recording, when multiple execution paths are possible, an image of the system and code state before each path is executed;
a behavior tree construction module, connected to said instruction information monitoring module, function information monitoring module, condition judgment analysis module and condition input module, for constructing the malicious code behavior path tree from the different behavior paths obtained for the malicious code.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201410058889.9A | 2014-02-20 | 2014-02-20 | Method and system for mining the hidden behaviors of malicious code

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201410058889.9A | 2014-02-20 | 2014-02-20 | Method and system for mining the hidden behaviors of malicious code

Publications (2)

Publication Number | Publication Date
CN103810427A (en) | 2014-05-21
CN103810427B (en) | 2016-09-21

Family ID: 50707180

Family Applications (1)

Application Number | Status | Publication | Priority Date | Filing Date | Title
CN201410058889.9A | Active | CN103810427B (en) | 2014-02-20 | 2014-02-20 | Method and system for mining the hidden behaviors of malicious code

Country Status (1)

Country | Link
CN (1) | CN103810427B (en)
Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104933359A (en) * 2015-05-19 2015-09-23 西北大学 Multi-execution path construction method for malicious software
WO2016078323A1 (en) * 2014-11-20 2016-05-26 华为技术有限公司 Malware detection method and apparatus
CN105791323A (en) * 2016-05-09 2016-07-20 国家电网公司 Novel defending method and device for unknown malicious software
CN108304721A (en) * 2018-03-21 2018-07-20 河北师范大学 A kind of malicious code detection system
CN108875372A (en) * 2017-12-29 2018-11-23 哈尔滨安天科技股份有限公司 A kind of code detection method, device, electronic equipment and storage medium
CN110516445A (en) * 2019-08-07 2019-11-29 南方电网科学研究院有限责任公司 Identification method and device for anti-detection malicious code and storage medium
CN113572730A (en) * 2021-06-15 2021-10-29 郑州云智信安安全技术有限公司 Implementation method for actively and automatically trapping honeypots based on web

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1885224A (en) * 2005-06-23 2006-12-27 福建东方微点信息安全有限责任公司 Computer anti-virus protection system and method
US20110283361A1 (en) * 2010-01-19 2011-11-17 Damballa, Inc. Method and system for network-based detecting of malware from behavioral clustering
CN102360408A (en) * 2011-09-28 2012-02-22 国家计算机网络与信息安全管理中心 Detecting method and system for malicious codes
CN102682229A (en) * 2011-03-11 2012-09-19 北京市国路安信息技术有限公司 Malicious code behavior detection method based on virtualization technology
CN102984140A (en) * 2012-11-21 2013-03-20 中国人民解放军国防科学技术大学 Malicious software feature fusion analytical method and system based on shared behavior segments

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016078323A1 (en) * 2014-11-20 2016-05-26 华为技术有限公司 Malware detection method and apparatus
US10565371B2 (en) 2014-11-20 2020-02-18 Huawei Technologies Co., Ltd. Malware detection method and malware detection apparatus
US10963558B2 (en) 2014-11-20 2021-03-30 Huawei Technologies Co., Ltd. Malware detection method and malware detection apparatus
CN104933359A (en) * 2015-05-19 2015-09-23 西北大学 Multi-execution path construction method for malicious software
CN105791323A (en) * 2016-05-09 2016-07-20 国家电网公司 Novel defending method and device for unknown malicious software
CN105791323B (en) * 2016-05-09 2019-02-26 国家电网公司 The defence method and equipment of unknown malware
CN108875372A (en) * 2017-12-29 2018-11-23 哈尔滨安天科技股份有限公司 A kind of code detection method, device, electronic equipment and storage medium
CN108304721A (en) * 2018-03-21 2018-07-20 河北师范大学 A kind of malicious code detection system
CN110516445A (en) * 2019-08-07 2019-11-29 南方电网科学研究院有限责任公司 Identification method and device for anti-detection malicious code and storage medium
CN113572730A (en) * 2021-06-15 2021-10-29 郑州云智信安安全技术有限公司 Implementation method for actively and automatically trapping honeypots based on web

Also Published As

Publication number Publication date
CN103810427B (en) 2016-09-21

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant