CN103839003A - Malicious file detection method and device - Google Patents
Publication number: CN103839003A (application CN201210478566.6A)
Authority: CN (China)
Legal status: Granted (Google notes that the listed status is an assumption, not a legal conclusion)
Classification: G06F21/566, dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities (under G06F21/56, computer malware detection or handling)
Abstract
The invention discloses a malicious file detection method and device. The method comprises: obtaining a sample file to be detected; running the sample file, monitoring its run-time behavior and generating a log file; and analyzing the log file and performing malicious file detection based on a preset matching rule. The sample file is run inside a virtual machine in which a monitoring program also runs; the run-time behavior of the sample file is recorded to generate the log file, the log file is then matched against extracted feature rules, and malicious file detection of the sample file is thereby achieved. The method can greatly improve the efficiency of virus analysis and promptly find new samples that existing anti-virus programs cannot detect, or samples of a particular behavior type, thereby improving the detection accuracy for virus samples.
Description
Technical field
The present invention relates to the field of computer security, and in particular to a malicious file detection method and device based on analysis of run-time behavior logs.
Background art
At present, with the unrestrained spread of viruses and malware, virus sample analysis technology is also improving constantly. By analyzing virus samples, virus analysts can quickly identify a virus and understand its behavior, and thus formulate a corresponding anti-virus strategy, counter the virus effectively, and protect user systems from damage.
Cloud-based anti-virus systems can now obtain the latest samples promptly and effectively, but this has also brought sample libraries of massive size. Because manual virus analysis is relatively time-consuming and laborious, manual analysis alone cannot cope with the large number of viruses now growing at high speed, so the efficiency of virus analysis must be improved by combining it with various automated virus analysis techniques.
Existing virus analysis techniques mainly include heuristic virus analysis, static anti-virus analysis, virtual-machine virus detection, and active defense (real-time defense) detection, where:
Heuristic virus analysis uses the difference between the behavior pattern of a running virus and that of a normally running program to judge whether a program is a virus. This approach derives its result by summarizing the run-time behavior of a large number of viruses, for example by condensing behaviors such as self-starting, propagation and account theft into behavior-pattern rules and detecting viruses with them. However, the efficiency of this analysis is not high, and the detection is not accurate enough.
Static anti-virus analysis is simpler than heuristic analysis and fast to detect, but it cannot deal with packed, obfuscated, metamorphic and polymorphic viruses, because such viruses blur their own code by various techniques; static analysis therefore cannot process such samples, understand the virus behavior, or judge its malicious attribute.
Virtual-machine virus detection can deal with packed viruses, viruses padded with junk instructions, and obfuscated or metamorphic viruses. A virtual machine generally simulates the execution of code by simulating the CPU, the file and memory management systems and the system APIs; the virus program executes in the virtual environment of the virtual machine rather than for real, the behavior of the software running inside is monitored, and these behavior logs are matched against rules; a match indicates that a suspicious sample has been found. However, because a virtual system consumes considerable resources, such virtual machines do not simulate the whole system completely. A virus can execute some special instructions; if the virtual machine does not simulate such an instruction, the virus can detect that it is running in a virtual machine and change its execution flow, for example by not performing its malicious actions, thereby escaping detection by the anti-virus software. Moreover, such virtualization is not stable enough and consumes considerable resources when used on the client, making the user's machine run slowly.
Active defense (real-time defense) detection hooks some key APIs of the system and records which programs called those APIs and with which parameters; the behavior of a program can be roughly understood from the sequence of APIs it calls during a run, its malicious attribute judged, and a program judged malicious can be stopped in time. Although this technique consumes fewer resources, by the time the virus is detected it may already have run in the system and caused damage. Furthermore, if a virus uses APIs that the anti-virus software has not hooked to achieve its function, it can bypass the active defense system.
Therefore, existing virus sample analysis techniques carry considerable risk for virus detection: they are easily discovered and bypassed by viruses, so detection accuracy is not high, and virus analysis efficiency is not high either.
Summary of the invention
The main object of the present invention is to provide a malicious file detection method and device, aiming to improve the accuracy of virus detection and the efficiency of virus analysis.
In order to achieve the above object, the present invention proposes a malicious file detection method, comprising:
obtaining a sample file to be detected;
running the sample file, monitoring the run-time behavior of the sample file, and generating a log file;
analyzing the log file, and performing malicious file detection based on a preset matching rule.
The present invention also proposes a malicious file detection device, comprising:
an acquisition module, for obtaining a sample file to be detected;
an operation monitoring module, for running the sample file, monitoring the run-time behavior of the sample file, and generating a log file;
an analysis and detection module, for analyzing the log file and performing malicious file detection based on a preset matching rule.
In the malicious file detection method and device proposed by the present invention, the sample file is run in a virtual machine in which a monitoring program is also run; the run-time behavior of the sample file is recorded to generate a log file, the log files are then matched against extracted feature rules, and malicious detection of the sample file is finally achieved. The present invention can greatly improve the efficiency of virus analysis and promptly find new samples that current anti-virus software cannot detect, or samples of a particular behavior type, thereby improving the detection accuracy for virus samples.
Description of the drawings
Fig. 1 is a schematic flow chart of a preferred embodiment of the malicious file detection method of the present invention;
Fig. 2 is a schematic flow chart of running the sample file, monitoring its run-time behavior and generating a log file in the preferred embodiment of the method;
Fig. 3 is a schematic flow chart of analyzing the log file and performing malicious file detection based on a preset matching rule in the preferred embodiment of the method;
Fig. 4 is a schematic structural diagram of a preferred embodiment of the malicious file detection device of the present invention;
Fig. 5 is a schematic structural diagram of the operation monitoring module in the preferred embodiment of the device;
Fig. 6 is a schematic structural diagram of the analysis and detection module in the preferred embodiment of the device.
To make the technical solution of the present invention clearer, it is described in further detail below with reference to the accompanying drawings.
Embodiment
The solution of the embodiment of the present invention is mainly as follows: the sample file is run in a virtual machine in which a monitoring program is also run; the run-time behavior of the sample file, including the read, write and modify operations related to files, the registry, the network and processes, is recorded, and a log file is generated from it; the log files are then matched against extracted feature rules, and if a match is found the sample file is shown to be a malicious sample. Automated behavior analysis of viruses is thereby achieved.
As shown in Fig. 1, a preferred embodiment of the present invention proposes a malicious file detection method, comprising:
Step S101: obtaining a sample file to be detected.
The source of the sample file to be detected is not restricted; it may, for example, be downloaded from a designated address.
The obtained sample file is input to an automatic monitoring system.
Taking viruses as an example, the automatic monitoring system of this embodiment is built to run viruses automatically in batches and record their run-time behavior in log files for analysts to inspect, so that virus behavior is understood quickly and manpower is saved.
The automatic monitoring system can only run exe programs, whereas the downloaded sample files may include many compressed archives (rar, zip, 7z, etc.) as well as dll and sys files. Therefore all downloaded sample files first undergo format identification, decompression and screening: archives are unpacked with a decompression tool, and the exe files in the sample set, together with the exe files obtained after decompression, are filtered out and placed in a fixed directory, which serves as the sample source for the automatic monitoring system.
Step S102: running the sample file, monitoring its run-time behavior and generating a log file.
As mentioned above, the sample file to be detected is input to the automatic monitoring system, which runs the sample file and monitors its run-time behavior to obtain a log file for analysts to inspect, so that the behavior of viruses and other malicious files can be understood quickly.
In this embodiment the automatic monitoring system uses the virtualization software VMware and the monitoring tool ProcessMonitor. Inside the virtual machine these tools are controlled by AutoIt scripts; the output of the automated control system is the log file of each sample file's run-time behavior (the log file captured by ProcessMonitor).
The run-time behavior of the sample file comprises operations on files, the registry, processes and the network: which files were created, accessed or deleted; which registry entries were set, created or deleted; which processes were started or terminated; and which IP addresses were connected to.
In addition, because many malicious programs drop other malicious programs when run, the files dropped by these programs are also processed: their MD5 values are computed and form part of the log file output by the automatic monitoring system. Normally, if the parent file is judged malicious, the child files it drops are likely to be malicious as well.
The virtual machine detection techniques of the prior art are mostly deployed on the client and use a lightweight virtual machine that does not fully simulate the operating system. The automatic monitoring system of this embodiment runs samples in the background and uses the virtualization software VMware, which simulates the operating system more completely and reduces the risk of being detected and bypassed by a virus.
Step S103: analyzing the log file and performing malicious file detection based on a preset matching rule.
After each sample file is run, a ProcessMonitor log file is generated. By analyzing this log file the run-time behavior of the sample file can be recognized, mainly comprising operations on files, the registry, processes and the network: which files were created, accessed or deleted; which registry entries were set, created or deleted; which processes were started or terminated; and which IP addresses were connected to.
In this embodiment, log matching rules are extracted in advance for certain specific samples and used to filter the log file of the current sample file. The log file generated after the sample file runs is matched against the preset matching rules; if the malicious attributes of a sample file's log file match a rule, the sample file is shown to be the specific malicious file corresponding to that rule.
Specifically, as shown in Fig. 2, in one embodiment of running the sample file, monitoring its run-time behavior and generating a log file, step S102 may comprise:
Step S1021: performing an environment initialization operation on the virtual machine that runs the sample file.
When the automatic monitoring system runs a sample file and monitors its behavior, the virtual machine that will run the sample file is first initialized by restoring a virtual machine snapshot. The snapshot is a virtual machine environment configured beforehand, in which control programs, bat files and so on are installed. Initializing the virtual machine environment prepares the virtual machine to run the sample file.
Step S1022: copying the sample file to a fixed directory of the virtual machine.
Step S1023: running the sample file in the virtual machine, monitoring the run-time behavior of the sample file during the run with the monitoring tool, and generating a log file.
In this embodiment the sample file is copied into the virtual machine and run, and the ProcessMonitor tool is used to monitor its run-time behavior. During monitoring, all executable sample programs filtered out earlier are enumerated, and one automatic monitoring pass is completed for each sample file enumerated. This process is controlled from the physical machine through control commands of vmrun.exe, the tool that ships with VMware.
First, the enumerated sample file is copied to a fixed directory of the virtual machine, and then the monitoring program in the virtual machine is run. This program sets up the ProcessMonitor filter, which is used to filter out certain system programs; runs the sample for a predetermined time (for example 10 s) and then terminates the process; saves the ProcessMonitor log file; and performs a preliminary analysis of the log file, inspecting the files dropped by the sample, computing their MD5 values and saving them to a designated file.
Step S1024: copying the log file from the virtual machine to a fixed directory of the physical machine.
Finally, the ProcessMonitor log file, including the behavior log and the MD5 list of dropped files, is copied from the virtual machine to a fixed directory of the physical machine so that the log file can be analyzed.
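The preprocessing of step S101 (format identification, decompression and screening down to exe files) and the virtual machine sequence of steps S1021 to S1024 are illustrated by the following Python code, which is added here as an example and is not code from the patent or its applicant. It identifies PE files from their headers, unpacks zip archives with the standard library (rar and 7z would need an external tool), places only exe files in the fixed sample directory, and builds the vmrun.exe command sequence (revertToSnapshot, copyFileFromHostToGuest, runProgramInGuest, copyFileFromGuestToHost). The VM path, snapshot name, guest directories, the monitor script name C:\monitor\run.bat and the guest credentials are assumptions, and the PE headers used as input are constructed.

```python
import os
import struct
import subprocess
import tempfile
import zipfile

IMAGE_FILE_DLL = 0x2000       # COFF Characteristics flag
WINDOWS_SUBSYSTEMS = (2, 3)   # IMAGE_SUBSYSTEM_WINDOWS_GUI / _CUI; drivers use NATIVE (1)

def pe_kind(data):
    """Classify a byte string by its PE headers: 'exe', 'dll', 'driver' or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if pe + 94 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    characteristics = struct.unpack_from("<H", data, pe + 22)[0]
    subsystem = struct.unpack_from("<H", data, pe + 92)[0]   # optional header offset 68
    if characteristics & IMAGE_FILE_DLL:
        return "dll"
    return "exe" if subsystem in WINDOWS_SUBSYSTEMS else "driver"

def make_test_pe(dll=False, subsystem=2):
    """Constructed, non-runnable PE header used only to exercise the code offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, IMAGE_FILE_DLL if dll else 0)
    optional = bytearray(96)
    struct.pack_into("<H", optional, 0, 0x10B)               # PE32 magic
    struct.pack_into("<H", optional, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)

def _place(out_dir, name, data, placed):
    with open(os.path.join(out_dir, name), "wb") as f:
        f.write(data)
    placed.append(name)

def collect_executables(src_dir, out_dir):
    """Format identification, unpacking and screening: only EXE files reach the fixed
    directory the monitor runs from. Only zip is unpacked here; rar/7z need an external tool."""
    os.makedirs(out_dir, exist_ok=True)
    placed = []
    for root, _, files in os.walk(src_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as f:
                data = f.read()
            if pe_kind(data) == "exe":
                _place(out_dir, name, data, placed)
            elif zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for member in zf.infolist():
                        blob = b"" if member.is_dir() else zf.read(member)
                        if pe_kind(blob) == "exe":
                            # basename only: never honour archive-supplied paths (zip-slip)
                            _place(out_dir, os.path.basename(member.filename), blob, placed)
    return sorted(placed)

def vmrun_plan(vmx, snapshot, host_sample, guest_dir, guest_log, host_log_dir,
               guest_user, guest_pass, monitor=r"C:\monitor\run.bat"):
    """vmrun command sequence for steps S1021-S1024. Guest paths and the monitor
    script path are assumptions; the subcommands are VMware's documented vmrun ones."""
    base = ["vmrun", "-T", "ws"]
    auth = base + ["-gu", guest_user, "-gp", guest_pass]
    guest_sample = guest_dir.rstrip("\\") + "\\" + os.path.basename(host_sample)
    host_log = os.path.join(host_log_dir, os.path.basename(host_sample) + ".csv")
    return [
        base + ["revertToSnapshot", vmx, snapshot],                         # S1021
        base + ["start", vmx, "nogui"],
        auth + ["copyFileFromHostToGuest", vmx, host_sample, guest_sample],  # S1022
        auth + ["runProgramInGuest", vmx, monitor, guest_sample],           # S1023
        auth + ["copyFileFromGuestToHost", vmx, guest_log, host_log],       # S1024
        base + ["stop", vmx, "hard"],
    ]

def run_plan(plan, runner=subprocess.run):
    """Execute the plan in order; `runner` is injectable so the sequence can be dry-run."""
    for cmd in plan:
        runner(cmd, check=True)

def demo():
    """Screen a constructed download directory and plan one monitoring pass."""
    with tempfile.TemporaryDirectory() as tmp:
        src, out = os.path.join(tmp, "downloaded"), os.path.join(tmp, "samples")
        os.makedirs(src)
        for name, blob in [("dropper.exe", make_test_pe()), ("helper.dll", make_test_pe(dll=True)),
                           ("rootkit.sys", make_test_pe(subsystem=1))]:
            with open(os.path.join(src, name), "wb") as f:
                f.write(blob)
        with zipfile.ZipFile(os.path.join(src, "bundle.zip"), "w") as zf:
            zf.writestr("inner/payload.exe", make_test_pe())
            zf.writestr("readme.txt", "not a program")
        placed = collect_executables(src, out)
        plan = vmrun_plan(r"C:\vms\sandbox\sandbox.vmx", "clean", os.path.join(out, placed[0]),
                          r"C:\samples", r"C:\logs\procmon.csv", tmp, "analyst", "secret")
    return placed, plan
```

Calling demo() returns the screened file list and the command list; run_plan() hands the commands to subprocess.run, and the injectable runner lets the sequence be dry-run on a host without VMware. The dll and sys files are dropped because the monitor only launches exe programs, and archive members are written under their basename only so that an archive carrying path components cannot place a file outside the sample directory.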
As shown in Fig. 3, in one embodiment of analyzing the log file and performing malicious file detection based on a preset matching rule, step S103 may comprise:
Step S1031: obtaining the log file from the fixed directory of the physical machine.
Step S1032: analyzing the run-time behavior recorded in the log file.
Taking viruses as an example, after each virus program is run a ProcessMonitor log file is generated; by analyzing it the run-time behavior of the virus can be recognized, mainly comprising operations on files, the registry, processes and the network: which files were created, accessed or deleted; which registry entries were set, created or deleted; which processes were started or terminated; and which IP addresses were connected to.
Step S1033: matching the run-time behavior in the log file against the malicious log patterns in the preset matching rule.
Step S1034: if the match succeeds, detecting that the sample file corresponding to the log file is a malicious file.
Log rules can be extracted for certain specific samples and used to filter the logs; if the log file of a sample matches a rule, the sample is the specific virus corresponding to that rule. For example, for QQ account-stealing trojans one feature that can be extracted is the deletion of QQ's automatic login file; if such a log record is found in a sample's behavior log, the sample can be judged to be a QQ account-stealing trojan.
Taking the instant messaging software QQ as an example, two screening tasks currently arise in practice: screening for QQ "diamond brushing" programs and screening for QQ account-stealing trojans. When run, a QQ diamond-brushing program displays on its interface the categories of QQ's various "diamond" premium services, then prompts the user to enter a QQ number and password in order to open those services (known as "brushing diamonds" for short). Its essence is to deceive the user and steal the user's QQ number and password, since such programs cannot in fact unlock any premium service.
Because QQ diamond-brushing programs mainly deceive users by social engineering and generally do not use technical means to steal the QQ password, they have no specific behavioral characteristics. However, the main program window of such programs contains certain specific keywords, and this class of sample can be matched by those keywords; for QQ diamond-brushing programs, therefore, detection of malicious samples is realized by matching the keywords of windows.
After the sample file is run in the virtual machine, a QQ diamond-brushing detection program is run. This program enumerates all windows in the system and the text of their child windows, and then searches for the following keywords: brush diamond (in two written forms), brush Q, red diamond, Q service, QQ password, Q coin, QB. If any is found, the sample is shown to be a QQ diamond-brushing program.
Screening for QQ account-stealing trojans is done by extracting behavior rules. Because this class of trojan steals the QQ password by technical means, such as replacing certain QQ files, the screening rules for common QQ account-stealing trojans are as follows:
(1) the QQ.exe process is terminated;
(2) files under the QQ bin directory are accessed (dropped);
(3) QQ's Registry.db file is deleted (this file stores QQ's automatic login information; many QQ account-stealing trojans delete it so that automatic login fails and the user has to enter the QQ password again, which enables the theft);
(4) the QQ.lnk shortcut file is modified so that it points to the QQ account-stealing trojan.
When matching against the corresponding screening rules, every line of the log file is read and checked for any of the following four strings: QQ.exe together with Process Exit on the same line, QQ Bin, Registry.db, and QQ.lnk.
If any of the above four behaviors is present, the sample file corresponding to the log file is judged to be a QQ account-stealing trojan, and its MD5 is recorded in a designated text file.
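The line-by-line rule matching just described, as an added example in Python that is not code from the patent. It assumes the column layout of a ProcessMonitor CSV export (Time of Day, Process Name, PID, Operation, Path, Result, Detail), reads the "QQ Bin" string of the text as the QQ\Bin directory path, and uses constructed log lines. Rules are expressed in general form as alternatives of substrings that must co-occur on one line, so the same engine accepts further rules of the kind the text extracts for other sample classes.

```python
import csv
import hashlib
import io

# Constructed ProcessMonitor CSV export (assumed layout of a ProcMon CSV:
# Time of Day, Process Name, PID, Operation, Path, Result, Detail).
SAMPLE_LOG = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.001","sample.exe","3120","Process Start","","SUCCESS","Parent PID: 2000"
"10:00:01.050","sample.exe","3120","CreateFile","C:\\Program Files\\Tencent\\QQ\\Bin\\QQ.exe","SUCCESS","Desired Access: Generic Write"
"10:00:02.000","QQ.exe","1840","Process Exit","","SUCCESS","Exit Status: 0"
"10:00:02.300","sample.exe","3120","SetDispositionInformationFile","C:\\Users\\victim\\Documents\\Tencent Files\\Registry.db","SUCCESS","Delete: True"
"10:00:02.500","sample.exe","3120","WriteFile","C:\\Users\\victim\\Desktop\\QQ.lnk","SUCCESS","Offset: 0, Length: 1,024"
"10:00:03.000","explorer.exe","1200","RegQueryValue","HKLM\\SOFTWARE\\Example","SUCCESS","Type: REG_SZ"
"""

# A rule is a list of alternatives; an alternative is a tuple of substrings that
# must all occur on the same log line. The four screening rules from the text:
RULES = {
    "QQ account-stealing trojan": [
        ("QQ.exe", "Process Exit"),   # (1) QQ.exe process terminated
        ("QQ\\Bin",),                 # (2) files under the QQ bin directory touched
        ("Registry.db",),             # (3) auto-login file deleted
        ("QQ.lnk",),                  # (4) shortcut modified
    ],
}

def scan_log(log_text, rules=RULES):
    """Read every log line and return {rule: [hits]}; a hit records which
    alternative matched and the process/operation/path of that line."""
    hits = {name: [] for name in rules}
    for row in csv.DictReader(io.StringIO(log_text)):
        line = " ".join(v or "" for v in row.values())   # whole-line substring test, as in the text
        for name, alternatives in rules.items():
            for needles in alternatives:
                if all(n in line for n in needles):
                    hits[name].append({"matched": needles,
                                       "process": row["Process Name"],
                                       "operation": row["Operation"],
                                       "path": row["Path"]})
                    break                                  # one hit per line per rule
    return hits

def classify_sample(sample_bytes, log_text, rules=RULES):
    """Verdict for one sample: rule names with at least one hit, plus the sample's MD5
    (recorded as an identifier for the sample list, as the text does)."""
    hits = scan_log(log_text, rules)
    return {"md5": hashlib.md5(sample_bytes).hexdigest(),
            "verdicts": [name for name, h in hits.items() if h],
            "hits": hits}

if __name__ == "__main__":
    result = classify_sample(b"constructed sample bytes", SAMPLE_LOG)
    print(result["md5"], result["verdicts"])
    for hit in result["hits"]["QQ account-stealing trojan"]:
        print(" ", hit["matched"], "<-", hit["process"], hit["operation"], hit["path"])
```

Each hit keeps the process name of the matching line; for rule (1) that is QQ.exe itself, because ProcessMonitor logs a Process Exit event under the exiting process, so the analyst can see whether the exit coincided with the sample's own file activity rather than a normal user logout. The MD5 is kept only as the identifier for the recorded sample list; it identifies a file but is not a defense against deliberate collisions.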
In practice, the automatic monitoring system can be run once a day through a configured scheduled task to obtain the QQ diamond-brushing programs and QQ account-stealing trojans from the previous day's sample files; by continuously monitoring the prevalence and spread of these sample files, the sample files with the greatest prevalence and spread can be singled out for priority handling.
This example obtained the following experimental data by testing the automatic monitoring system. The average monitoring time for one sample file was set to 45 s. Several batches of samples were tested (all samples obtained in one day by "diamond-brushing keyword filtering" and "QQ directory monitoring"; QQ directory monitoring means monitoring the files dropped into the QQ directory, since many account-stealing trojans drop a DLL into that directory to steal accounts, and because the automation here runs EXE programs automatically, most of the EXE programs found are in fact QQ account-stealing trojans), and four batches of data were drawn at random, as follows:
The diamond-brushing keyword filtering sample data are shown in Table 1 below:
Sample size | Diamond-brushing samples detected | Proportion of diamond-brushing samples
328 | 110 | 33.5%
607 | 252 | 41.5%
370 | 138 | 37.3%
308 | 152 | 49.3%
Table 1
The QQ directory monitoring sample data are shown in Table 2 below:
Table 2
In this embodiment the sample file is run in a virtual machine in which a monitoring program is also run; the run-time behavior of the sample file is recorded to generate a log file, the log files are matched against extracted feature rules, and malicious detection of the sample file is finally achieved. This can greatly improve the efficiency of virus analysis and promptly find new samples that current anti-virus software cannot detect, or samples of a particular behavior type, thereby improving the detection accuracy for virus samples.
In addition, subsequent requirements for mining specific samples can all be met by analyzing the samples' log files, so the solution of this embodiment has a wide range of applications and serves as a reference for mining specific sample files, or the latest samples, from massive sample files.
As shown in Fig. 4, a preferred embodiment of the present invention proposes a malicious file detection device comprising an acquisition module 401, an operation monitoring module 402 and an analysis and detection module 403, wherein:
the acquisition module 401 is configured to obtain a sample file to be detected;
the analysis and detection module 403 is configured to analyze the log file and perform malicious file detection based on a preset matching rule.
The source of the sample file, its preprocessing before it is input to the automatic monitoring system, the monitoring environment (VMware, ProcessMonitor and AutoIt control scripts), the behavior recorded, and the MD5 computation for dropped files are as described above for steps S101 and S102; the sample file obtained by the acquisition module 401 is input to the automatic monitoring system.
After each sample file is run, a ProcessMonitor log file is generated. By analyzing this log file, the operation monitoring module 402 can recognize the run-time behavior of the sample file, mainly comprising operations on files, the registry, processes and the network: which files were created, accessed or deleted; which registry entries were set, created or deleted; which processes were started or terminated; and which IP addresses were connected to.
In this embodiment, log matching rules are extracted in advance for certain specific samples and used to filter the log file of the current sample file. The analysis and detection module 403 matches the log file generated after the sample file runs against the preset matching rules; if the malicious attributes of a sample file's log file match a rule, the sample file is shown to be the specific malicious file corresponding to that rule.
Specifically, as shown in Fig. 5, in one embodiment of running the sample file, monitoring its run-time behavior and generating a log file, the operation monitoring module 402 may comprise an initialization unit 4021, a copy unit 4022 and an operation monitoring unit 4023, wherein:
the copy unit 4022 is configured to copy the sample file to a fixed directory of the virtual machine;
the copy unit 4022 is also configured to copy the log file from the virtual machine to a fixed directory of the physical machine.
The environment initialization of the virtual machine by snapshot restore, the enumeration and copying of sample files, the control of the virtual machine through vmrun.exe, the operation of the monitoring program, and the copying of the log file back to the physical machine are as described above for steps S1021 to S1024.
As shown in Fig. 6, in one embodiment of analyzing the log file and performing malicious file detection based on a preset matching rule, the analysis and detection module 403 may comprise an acquisition unit 4031, an analysis unit 4032, a matching unit 4033 and a detection unit 4034, wherein:
the acquisition unit 4031 is configured to obtain the log file from the fixed directory of the physical machine;
the detection unit 4034 is configured to detect that the sample file corresponding to the log file is a malicious file when the run-time behavior in the log file successfully matches the malicious log patterns in the preset matching rule.
Take virus as example, after each Virus operation, can generate the journal file of a ProcessMonitor, the behavior can recognize virus operation by analyzing this journal file time, mainly comprises the associative operations such as file, registration table, process, the network information.As generated, access, deleted any file; Arrange, newly-built, deleted which registry entry; Open, closed which process; The information such as which ip address are connected.
Can extract daily record rule for some specific samples and filter daily record, if the journal file of certain sample has matched certain rule, illustrate that this sample is the specific virus that this rule is corresponding.Such as for QQ Trojan for stealing numbers, can extract a feature and be: delete the automatic log file of QQ, therefore, if find there is such log recording in the user behaviors log of a sample, can judge that this sample is QQ Trojan for stealing numbers.
Taking the instant messenger QQ as an example, current practice involves screening for QQ "diamond brushing" (刷钻) programs and for QQ account-stealing trojans. After a diamond-brushing program runs, it displays on its interface the categories of the various QQ "diamond" services, prompts the user to enter a QQ number and password, and claims to activate those services ("brushing diamonds" for short). In reality these programs cannot activate anything; their purpose is to deceive the user and steal the QQ number and password.
Because diamond-brushing programs rely mainly on social engineering to deceive the user and generally do not use technical means to steal the QQ password, they have no specific behavioral signature. The main program windows of this class do, however, contain certain characteristic keywords, and such samples can be matched by those keywords. For diamond-brushing programs, detection of the malicious sample is therefore implemented by matching window keywords.
After the sample file has been run in the virtual machine, a diamond-brushing detection program is run. It enumerates all windows in the system, the child windows of those windows, and the text of each, and searches that text for the following keywords: 刷钻 (brush diamonds; the original gives this keyword twice), 刷Q, 红钻 (Red Diamond), Q业务 (Q services), QQ密码 (QQ password), Q币 (Q coin), QB. If any of them is found, the sample is a QQ diamond-brushing program.
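The window-keyword screening described above, as an added example that is not the patent's own detection program. The pure matcher works on any list of window texts; the ctypes enumerator is this example's assumed way of collecting those texts on Windows (top-level windows, all their descendants, text read with `SendMessageTimeout(WM_GETTEXT)` so controls of other processes are covered and a hung window cannot block the scan). The Chinese keyword strings are this example's back-translation of the page's glossed list, and the constructed window texts stand in for a scam program and a benign one.

```python
"""Added example, not the patent's code: screen for QQ 'diamond brushing'
scam programs by the window keywords the patent lists."""
import sys

# The patent's keyword list. The Chinese strings are this example's
# back-translation of the page's glossed list (an assumption).
BRUSH_KEYWORDS = (
    "刷钻",    # "brush diamonds": unlock paid QQ diamond services
    "刷Q",
    "红钻",    # Red Diamond, one of the paid services
    "Q业务",   # Q services
    "QQ密码",  # QQ password
    "Q币",     # Q coin
    "QB",
)


def find_brush_keywords(window_texts, keywords=BRUSH_KEYWORDS):
    """Return every keyword that occurs in any window or child-window text.
    Latin keywords match case-insensitively; casefold leaves the Chinese
    ones unchanged, so they are matched literally."""
    hits = set()
    for text in window_texts:
        folded = text.casefold()
        hits.update(kw for kw in keywords if kw.casefold() in folded)
    return sorted(hits)


def is_brush_program(window_texts) -> bool:
    return bool(find_brush_keywords(window_texts))


def enumerate_window_texts():
    """Windows only: text of every top-level window and of all its child
    windows, read with SendMessageTimeout(WM_GETTEXT) rather than
    GetWindowText so controls of other processes are read too and a hung
    window cannot stall the scan."""
    import ctypes
    from ctypes import wintypes

    user32 = ctypes.windll.user32
    WM_GETTEXT, WM_GETTEXTLENGTH, SMTO_ABORTIFHUNG = 0x000D, 0x000E, 0x0002
    WNDENUMPROC = ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.HWND, wintypes.LPARAM)
    user32.EnumWindows.argtypes = [WNDENUMPROC, wintypes.LPARAM]
    user32.EnumChildWindows.argtypes = [wintypes.HWND, WNDENUMPROC, wintypes.LPARAM]
    user32.SendMessageTimeoutW.argtypes = [
        wintypes.HWND, wintypes.UINT, wintypes.WPARAM, wintypes.LPARAM,
        wintypes.UINT, wintypes.UINT, ctypes.POINTER(ctypes.c_size_t)]
    texts = []

    def grab(hwnd):
        result = ctypes.c_size_t()
        user32.SendMessageTimeoutW(hwnd, WM_GETTEXTLENGTH, 0, 0,
                                   SMTO_ABORTIFHUNG, 200, ctypes.byref(result))
        if result.value == 0:
            return
        buf = ctypes.create_unicode_buffer(result.value + 1)
        user32.SendMessageTimeoutW(hwnd, WM_GETTEXT, len(buf), ctypes.addressof(buf),
                                   SMTO_ABORTIFHUNG, 200, ctypes.byref(result))
        if buf.value:
            texts.append(buf.value)

    @WNDENUMPROC
    def on_child(hwnd, _lparam):
        grab(hwnd)
        return True

    @WNDENUMPROC
    def on_top(hwnd, _lparam):
        grab(hwnd)
        user32.EnumChildWindows(hwnd, on_child, 0)  # walks all descendants
        return True

    user32.EnumWindows(on_top, 0)
    return texts


# Constructed window texts (assumption) standing in for what
# enumerate_window_texts() would return for a scam program and a benign one.
SCAM_WINDOWS = ["QQ业务刷钻器", "请输入QQ密码", "开通红钻", "确定"]
BENIGN_WINDOWS = ["无标题 - 记事本", "文件(F)", "编辑(E)"]


if __name__ == "__main__" and sys.platform == "win32":
    print(find_brush_keywords(enumerate_window_texts()))
```

Because the keyword list is short and generic ("QB", "QQ密码"), a single hit in a benign window such as a QQ settings dialog is possible; the patent's scheme tolerates this because the sample is run alone in a freshly initialized virtual machine where no legitimate QQ window should be open.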
Screening for QQ account-stealing trojans is done by extracting behavior rules. Because this class of trojan steals the QQ password by technical means, for example by replacing certain QQ files, the screening rules for common QQ account-stealing trojans are as follows:
(1) terminated the QQ.exe process;
(2) accessed (dropped) a file under the QQ Bin directory;
(3) deleted QQ's Registry.db file (this file stores QQ's auto-login information; many QQ account-stealing trojans delete it so that automatic login fails and the user has to type the QQ password again, which is when it is stolen);
(4) modified the QQ.lnk shortcut file so that the shortcut points to the trojan.
When matching against the corresponding screening rules, each line of the log file is read and checked for any of the following four patterns: "QQ.exe" together with "Process Exit" on the same line; "QQ Bin"; "Registry.db"; "QQ.lnk".
If any of these four behaviors is present, the sample file corresponding to the log file is judged to be a QQ account-stealing trojan and its md5 is recorded in the designated text file.
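The line-by-line rule matching just described, as an added example that is not the patent's code. It applies the four screening rules to a ProcessMonitor CSV export field by field instead of by raw substring search: the QQ.exe rule looks at the Operation and Process Name columns, and the three file rules only count events performed by the sample process itself. That last restriction is an addition of this example (the patent's plain substring match would also fire when QQ.exe legitimately rewrites its own Bin directory or Registry.db). The log lines, the `sample.exe` process name, the `\QQ\Bin\` path layout and the md5 values are all constructed for the example.

```python
"""Added example, not the patent's code: apply the four QQ account-stealing
trojan screening rules to a ProcessMonitor CSV export."""
import csv
import io

# Constructed Procmon CSV lines (assumption) in the column layout of a Procmon
# export: Time of Day, Process Name, PID, Operation, Path, Result, Detail.
PROCMON_CSV_TROJAN = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000000","sample.exe","4242","Process Start","","SUCCESS","Parent PID: 1000"
"10:01:03.0000000","QQ.exe","1337","Process Exit","","SUCCESS","Exit Status: 0"
"10:01:03.5000000","sample.exe","4242","CreateFile","C:\Program Files\Tencent\QQ\Bin\dropped.dll","SUCCESS","Desired Access: Generic Write"
"10:01:04.0000000","sample.exe","4242","SetDispositionInformationFile","C:\Program Files\Tencent\QQ\Registry.db","SUCCESS","Delete: True"
"10:01:04.2000000","sample.exe","4242","WriteFile","C:\Users\Public\Desktop\QQ.lnk","SUCCESS","Offset: 0, Length: 1,024"
'''.lstrip("\n")

# Benign counterpart: QQ.exe updating itself; the sample only reads a text file.
PROCMON_CSV_BENIGN = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:00.0000000","QQ.exe","1337","CreateFile","C:\Program Files\Tencent\QQ\Bin\QQ.exe","SUCCESS","Desired Access: Generic Read"
"10:02:01.0000000","QQ.exe","1337","WriteFile","C:\Program Files\Tencent\QQ\Registry.db","SUCCESS","Offset: 0, Length: 512"
"10:02:02.0000000","sample.exe","4242","CreateFile","C:\Users\Public\Desktop\readme.txt","SUCCESS","Desired Access: Generic Read"
'''.lstrip("\n")


def parse_procmon_csv(text: str) -> list:
    """Parse a Procmon CSV export into a list of {column: value} events."""
    return list(csv.DictReader(io.StringIO(text)))


def _by_sample(ev: dict, sample: str) -> bool:
    return ev["Process Name"].casefold() == sample.casefold()


def rule_qq_exit(ev, sample):
    # Rule (1): a "QQ.exe" line that is also a "Process Exit" line.
    return ev["Process Name"].casefold() == "qq.exe" and ev["Operation"] == "Process Exit"


def rule_qq_bin(ev, sample):
    # Rule (2): the sample touched a file under QQ\Bin (path layout assumed).
    return _by_sample(ev, sample) and "\\qq\\bin\\" in ev["Path"].casefold()


def rule_registry_db(ev, sample):
    # Rule (3): the sample touched Registry.db (kept as loose as the patent's rule).
    return _by_sample(ev, sample) and ev["Path"].casefold().endswith("\\registry.db")


def rule_qq_lnk(ev, sample):
    # Rule (4): the sample touched the QQ.lnk shortcut.
    return _by_sample(ev, sample) and ev["Path"].casefold().endswith("\\qq.lnk")


RULES = {
    "QQ.exe terminated": rule_qq_exit,
    "file accessed/dropped under QQ\\Bin": rule_qq_bin,
    "Registry.db touched": rule_registry_db,
    "QQ.lnk modified": rule_qq_lnk,
}


def match_rules(events: list, sample: str) -> list:
    """Names of the rules that at least one event satisfies, in rule order."""
    return [name for name, rule in RULES.items()
            if any(rule(ev, sample) for ev in events)]


def screen_samples(logs: dict, sample: str = "sample.exe") -> list:
    """logs maps a sample's md5 to its Procmon CSV text. Returns the md5s of
    samples matching any rule: the list the patent appends to its text file."""
    return sorted(md5 for md5, text in logs.items()
                  if match_rules(parse_procmon_csv(text), sample))


if __name__ == "__main__":
    print(match_rules(parse_procmon_csv(PROCMON_CSV_TROJAN), "sample.exe"))
    print(screen_samples({"a" * 32: PROCMON_CSV_TROJAN, "b" * 32: PROCMON_CSV_BENIGN}))
```

Rule (1) is the weakest of the four as written, since a "Process Exit" line for QQ.exe also appears when the user simply closes QQ; tightening it to a `TerminateProcess`-style event attributed to the sample would need the Procmon log to be collected with process-tree information, which the patent's plain line search does not use.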
In practice, a scheduled task can run the automatic monitoring system once a day to pick out QQ diamond-brushing programs and QQ account-stealing trojans from the previous day's sample files; by continuously tracking the popularity and spread of these samples, the samples with the greatest popularity and spread can be identified for priority handling.
This example obtained the following experimental data by testing the automatic monitoring system. The average time set for monitoring one sample file was 45 s. Several batches of samples were tested, namely all samples obtained in one day by "diamond-brushing keyword filtering" and by "QQ directory monitoring" (QQ directory monitoring watches for files dropped into the QQ directory, since many account-stealing trojans drop a DLL there; because the automation here runs EXE programs automatically, most of the EXE programs found are in fact QQ account-stealing trojans). Four batches were sampled at random. The diamond-brushing keyword filtering sample data are shown in Table 1, and the QQ directory monitoring sample data in Table 2.
In this embodiment, the sample file is run in a virtual machine together with a monitoring program that records the sample's operation behavior and generates a log file; the log files are then matched against extracted feature rules, which achieves malicious file detection of the sample. This greatly improves the efficiency of virus analysis and allows timely discovery of new samples that current anti-virus software cannot detect, or of a class of samples with a specific behavior type, thereby improving the detection accuracy for virus samples.
Moreover, any subsequent need to mine for specific samples can be met by analyzing the samples' log files, so the scheme of this embodiment has a wide range of application and serves as a reference for mining specific sample files, or the newest samples, from a massive sample set.
The foregoing are only preferred embodiments of the present invention and do not limit the scope of the claims. Any equivalent structural or process transformation made using the contents of the specification and drawings, or any direct or indirect use in other related technical fields, is likewise included in the scope of patent protection of the present invention.
Claims (11)
1. A malicious file detection method, characterized in that it comprises:
obtaining a sample file to be detected;
running the sample file, monitoring the operation behavior of the sample file, and generating a log file;
analyzing the log file and performing malicious file detection based on preset matching rules.
2. The method according to claim 1, characterized in that, after the step of obtaining the sample file to be detected, it further comprises:
performing format identification, decompression and/or screening on the sample file to obtain a runnable sample file.
3. The method according to claim 1, characterized in that the step of running the sample file, monitoring its operation behavior and generating a log file comprises:
performing an environment initialization operation on the virtual machine that will run the sample file;
copying the sample file to a fixed directory of the virtual machine;
running the sample file in the virtual machine, monitoring its operation behavior during execution with a monitoring tool, and generating the log file.
4. The method according to claim 3, characterized in that the step of running the sample file, monitoring its operation behavior and generating a log file further comprises:
copying the log file from the virtual machine to a fixed directory of the physical machine.
5. The method according to claim 4, characterized in that the step of analyzing the log file and performing malicious file detection based on preset matching rules comprises:
obtaining the log file from the fixed directory of the physical machine;
analyzing the operation behavior in the log file;
matching the operation behavior in the log file against the malicious log entries in the preset matching rules;
if the match succeeds, determining that the sample file corresponding to the log file is a malicious file.
6. The method according to any one of claims 1-5, characterized in that the operation behavior comprises operations on files, the registry, processes and/or network information, and the log file comprises a behavior log and an md5 list of the child files dropped after the sample file runs.
7. A malicious file detection device, characterized in that it comprises:
an acquisition module for obtaining a sample file to be detected;
a run-and-monitor module for running the sample file, monitoring its operation behavior and generating a log file;
an analysis and detection module for analyzing the log file and performing malicious file detection based on preset matching rules.
8. The device according to claim 7, characterized in that the acquisition module is further configured to perform format identification, decompression and/or screening on the sample file to obtain a runnable sample file.
9. The device according to claim 7 or 8, characterized in that the run-and-monitor module comprises:
an initialization unit for performing an environment initialization operation on the virtual machine that will run the sample file;
a copy unit for copying the sample file to a fixed directory of the virtual machine;
a run-and-monitor unit for running the sample file in the virtual machine, monitoring its operation behavior during execution with a monitoring tool, and generating the log file.
10. The device according to claim 9, characterized in that the copy unit is further configured to copy the log file from the virtual machine to a fixed directory of the physical machine.
11. The device according to claim 9, characterized in that the analysis and detection module comprises:
an acquiring unit for obtaining the log file from the fixed directory of the physical machine;
an analysis unit for analyzing the operation behavior in the log file;
a matching unit for matching the operation behavior in the log file against the malicious log entries in the preset matching rules;
a detecting unit for determining that the sample file corresponding to the log file is a malicious file when the operation behavior in the log file successfully matches a malicious log entry in the preset matching rules.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210478566.6A CN103839003B (en) | 2012-11-22 | 2012-11-22 | Malicious file detection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103839003A true CN103839003A (en) | 2014-06-04 |
CN103839003B CN103839003B (en) | 2018-01-30 |
Family
ID=50802488
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201210478566.6A Active CN103839003B (en) | 2012-11-22 | 2012-11-22 | Malicious file detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103839003B (en) |
Cited By (43)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105204973A (en) * | 2015-09-25 | 2015-12-30 | 浪潮集团有限公司 | Abnormal behavior monitoring and analysis system and method based on virtual machine technology under cloud platform |
CN105224867A (en) * | 2015-10-27 | 2016-01-06 | 成都卫士通信息产业股份有限公司 | A kind of based on the Host Security reinforcement means under virtualized environment |
CN105574205A (en) * | 2016-01-18 | 2016-05-11 | 国家电网公司 | Dynamic log analyzing system for distributed computing environment |
CN105590059A (en) * | 2015-12-18 | 2016-05-18 | 北京奇虎科技有限公司 | Method and device for detecting virtual machine escape |
CN105631320A (en) * | 2015-12-18 | 2016-06-01 | 北京奇虎科技有限公司 | Detection method and device of virtual machine escape |
CN105653947A (en) * | 2014-11-11 | 2016-06-08 | 中国移动通信集团公司 | Method and device for assessing application data security risk |
CN105791250A (en) * | 2014-12-26 | 2016-07-20 | 北京奇虎科技有限公司 | Application detection method and device |
CN105791323A (en) * | 2016-05-09 | 2016-07-20 | 国家电网公司 | Novel defending method and device for unknown malicious software |
CN105897807A (en) * | 2015-01-14 | 2016-08-24 | 江苏博智软件科技有限公司 | Mobile intelligent terminal abnormal code cloud detection method based on behavioral characteristics |
CN105912932A (en) * | 2016-04-08 | 2016-08-31 | 周宏斌 | Threatening behavior detection system and method |
CN106055976A (en) * | 2016-05-16 | 2016-10-26 | 杭州华三通信技术有限公司 | Document detection method and sandbox controller |
CN106130960A (en) * | 2016-06-12 | 2016-11-16 | 微梦创科网络科技(中国)有限公司 | Judgement system, load dispatching method and the device of steal-number behavior |
CN106130966A (en) * | 2016-06-20 | 2016-11-16 | 北京奇虎科技有限公司 | A kind of bug excavation detection method, server, device and system |
CN106446689A (en) * | 2016-09-02 | 2017-02-22 | 中科信息安全共性技术国家工程研究中心有限公司 | Method for performing automated security detection on android application |
WO2017028459A1 (en) * | 2015-08-18 | 2017-02-23 | 安一恒通(北京)科技有限公司 | Program monitoring method and apparatus |
CN106557701A (en) * | 2016-11-28 | 2017-04-05 | 北京奇虎科技有限公司 | kernel leak detection method and device based on virtual machine |
CN106599684A (en) * | 2015-12-30 | 2017-04-26 | 哈尔滨安天科技股份有限公司 | Detection method and system of entity file-free malicious code |
CN106611122A (en) * | 2015-10-27 | 2017-05-03 | 国家电网公司 | Virtual execution-based unknown malicious program offline detection system |
CN106682513A (en) * | 2016-11-28 | 2017-05-17 | 北京奇虎科技有限公司 | Detection method for target sample file and device |
CN106709326A (en) * | 2016-11-24 | 2017-05-24 | 北京奇虎科技有限公司 | Processing method and device for suspicious sample |
CN106778246A (en) * | 2016-12-01 | 2017-05-31 | 北京奇虎科技有限公司 | The detection method and detection means of sandbox virtualization |
CN107231245A (en) * | 2016-03-23 | 2017-10-03 | 阿里巴巴集团控股有限公司 | Report method and device, the method and device of processing monitoring daily record of monitoring daily record |
CN107851153A (en) * | 2015-07-14 | 2018-03-27 | 比特梵德知识产权管理有限公司 | Use asynchronous abnormal computer safety system and the method for testing oneself |
CN108256325A (en) * | 2016-12-29 | 2018-07-06 | 中移(苏州)软件技术有限公司 | A kind of method and apparatus of the detection of malicious code mutation |
CN108363919A (en) * | 2017-10-19 | 2018-08-03 | 北京安天网络安全技术有限公司 | A kind of virus special anti-virus tool generation method and system |
CN108804916A (en) * | 2017-12-19 | 2018-11-13 | 哈尔滨安天科技股份有限公司 | Detection method, device, electronic equipment and the storage medium of malicious file |
CN109558207A (en) * | 2017-09-25 | 2019-04-02 | 卡巴斯基实验室股份制公司 | The system and method for carrying out the log of the anti-virus scan of file are formed in virtual machine |
CN105608374B (en) * | 2015-12-18 | 2019-04-19 | 北京奇虎科技有限公司 | The detection method and device of virtual machine escape |
CN109711169A (en) * | 2018-05-04 | 2019-05-03 | 360企业安全技术(珠海)有限公司 | Means of defence and device, system, storage medium, the electronic device of system file |
CN109815701A (en) * | 2018-12-29 | 2019-05-28 | 360企业安全技术(珠海)有限公司 | Detection method, client, system and the storage medium of software security |
CN110210218A (en) * | 2018-04-28 | 2019-09-06 | 腾讯科技(深圳)有限公司 | A kind of method and relevant apparatus of viral diagnosis |
CN110399720A (en) * | 2018-12-14 | 2019-11-01 | 腾讯科技(深圳)有限公司 | A kind of method and relevant apparatus of file detection |
CN110889113A (en) * | 2019-10-30 | 2020-03-17 | 泰康保险集团股份有限公司 | Log analysis method, server, electronic device and storage medium |
CN111027062A (en) * | 2019-03-29 | 2020-04-17 | 哈尔滨安天科技集团股份有限公司 | Assessment method and device for application collapse state of target range |
CN111143839A (en) * | 2019-12-30 | 2020-05-12 | 厦门服云信息科技有限公司 | Malicious code detection method and device based on virtualization behavior analysis technology |
CN111277539A (en) * | 2018-11-16 | 2020-06-12 | 慧盾信息安全科技(苏州)股份有限公司 | Server Lesox virus protection system and method |
WO2020135232A1 (en) * | 2018-12-26 | 2020-07-02 | 中兴通讯股份有限公司 | Malicious sample detection method, apparatus and system, and storage medium |
CN112527672A (en) * | 2020-12-21 | 2021-03-19 | 北京深思数盾科技股份有限公司 | Detection method and equipment for shell adding tool |
CN112560018A (en) * | 2020-12-23 | 2021-03-26 | 苏州三六零智能安全科技有限公司 | Sample file detection method and device, terminal equipment and storage medium |
CN112580041A (en) * | 2019-09-30 | 2021-03-30 | 奇安信安全技术(珠海)有限公司 | Malicious program detection method and device, storage medium and computer equipment |
CN112699176A (en) * | 2021-02-06 | 2021-04-23 | 北京拓普丰联信息工程有限公司 | Rapid random extraction method, system, terminal and storage medium |
CN112989344A (en) * | 2021-03-16 | 2021-06-18 | 北京理工大学 | Malicious program intelligent detection method, device and system based on hardware tracking technology |
CN116861429A (en) * | 2023-09-04 | 2023-10-10 | 北京安天网络安全技术有限公司 | Malicious detection method, device, equipment and medium based on sample behaviors |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1818823A (en) * | 2005-02-07 | 2006-08-16 | 福建东方微点信息安全有限责任公司 | Computer protecting method based on programm behaviour analysis |
CN101231682A (en) * | 2007-01-26 | 2008-07-30 | 李贵林 | Computer information safe method |
CN101593249A (en) * | 2008-05-30 | 2009-12-02 | 成都市华为赛门铁克科技有限公司 | A kind of apocrypha analytical approach and system |
US20090320009A1 (en) * | 2008-06-20 | 2009-12-24 | Vmware, Inc. | Decoupling dynamic program analysis from execution in virtual environments |
CN101788915A (en) * | 2010-02-05 | 2010-07-28 | 北京工业大学 | White list updating method based on trusted process tree |
CN101986323A (en) * | 2009-10-01 | 2011-03-16 | 卡巴斯基实验室封闭式股份公司 | Method and system for detection of previously unknown malware |
CN102314561A (en) * | 2010-07-01 | 2012-01-11 | 电子科技大学 | Automatic analysis method and system of malicious codes based on API (application program interface) HOOK |
Also Published As
Publication number | Publication date |
---|---|
CN103839003B (en) | 2018-01-30 |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |