CN103839003B - Malicious file detection method and device - Google Patents
Malicious file detection method and device
- Publication number: CN103839003B (application CN201210478566.6A)
- Authority: CN (China)
- Prior art keywords: file, sample, log (journal), log file, virtual machine
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06F — Electric digital data processing
- G06F21/00 — Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50 — Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55 — Detecting local intrusion or implementing counter-measures
- G06F21/56 — Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566 — Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Abstract
The present invention discloses a malicious file detection method and device. The method includes: obtaining a sample file to be detected; running the sample file, monitoring its run-time behaviour and generating a log file; and analysing the log file and performing malicious file detection based on preset matching rules. The sample file is run in a virtual machine in which a monitoring program records the sample's run-time behaviour and thereby produces a log file; the log file is then matched against extracted characteristic rules to reach a verdict on the sample. The invention greatly improves the efficiency of virus analysis and can promptly find new samples that current anti-virus software cannot detect, or samples of a class with a specific behaviour type, thereby improving the detection accuracy for virus samples.
Description
Technical field
The present invention relates to the field of computer security, and in particular to a malicious file detection method and device based on the analysis of run-time behaviour logs.
Background technology
At present, with viruses and malware spreading unchecked, virus sample analysis techniques keep improving. Through virus sample analysis, analysts can quickly identify a virus and understand its behaviour, so as to formulate a corresponding anti-virus strategy, intercept the virus effectively and protect user systems from damage.
Cloud-based anti-virus systems can now obtain the newest samples promptly, but they also bring a sample library of enormous size. Because manual analysis of viruses is time-consuming, it alone cannot keep up with the sharply growing number of viruses; automated virus analysis techniques are therefore needed to improve the efficiency of virus analysis.
Existing virus analysis techniques mainly include heuristic virus analysis, static virus analysis, virtual machine virus detection and active defence (real-time defence) detection:
Heuristic virus analysis judges whether a program is a virus from the difference between the run-time behaviour patterns of viruses and of normal programs. Analysis results are derived by summarising the run-time behaviour of a large number of viruses, for example extracting behaviour pattern rules from self-starting, propagation and credential theft, and detecting viruses with these rules. However, the analysis efficiency of this approach is not high and its detection is not accurate enough.
Static virus analysis is simpler than heuristic analysis and detects quickly, but it cannot handle packed, obfuscated, metamorphic or polymorphic viruses: such viruses obscure their own code by various techniques, and static analysis cannot process such samples well enough to understand the virus behaviour and judge its malicious attribute.
Virtual machine virus detection can handle packed viruses, junk instructions, obfuscation and polymorphism. The virtual machine typically simulates the CPU, the file and memory management systems and the system APIs, and thereby simulates the execution of code; the virus program is executed in the virtual environment rather than for real, its behaviour is monitored while it runs, and rules are matched against these behaviour logs, a match indicating a suspicious sample. Because such a virtual system consumes considerable system resources, this kind of virtual machine does not simulate the whole system completely. A virus can execute some special instruction; if the virtual machine does not simulate that instruction, the virus can detect that it is running in a virtual machine and change its execution flow, for example by not performing its malicious behaviour, thereby evading detection by the anti-virus software. In addition, this kind of virtualisation technique is not stable enough and consumes considerable system resources on the client, slowing down the user's machine.
Active defence (real-time defence) detection hooks some key APIs in the system and records which program calls these APIs and with which parameters. From the sequence of APIs a process calls at run time, the program's behaviour can roughly be understood and its malicious attribute judged, and a program judged malicious can be stopped from executing in time. Although this detection technique consumes few resources, by the time the virus is detected it may already be running in the system and have caused damage. Moreover, if a virus implements its functions with APIs that the anti-virus software does not hook, it can bypass the active defence system.
Therefore, existing virus sample analysis techniques carry a considerable risk of being detected and bypassed by viruses, so that detection accuracy is not high, and the efficiency of virus analysis is not high either.
Summary of the invention
The main object of the present invention is to provide a malicious file detection method and device, which aim to improve the accuracy of virus detection and the efficiency of virus analysis.
To achieve the above object, the present invention proposes a malicious file detection method, including:
obtaining a sample file to be detected;
running the sample file, monitoring the run-time behaviour of the sample file, and generating a log file;
analysing the log file and performing malicious file detection based on preset matching rules.
The present invention also proposes a malicious file detection device, including:
an acquisition module for obtaining a sample file to be detected;
a run monitoring module for running the sample file, monitoring the run-time behaviour of the sample file and generating a log file;
an analysis detection module for analysing the log file and performing malicious file detection based on preset matching rules.
In the malicious file detection method and device proposed by the present invention, the sample file is run in a virtual machine, a monitoring program running in the virtual machine records the run-time behaviour of the sample file and thereby generates a log file, and the log file is then matched against extracted characteristic rules to reach a verdict on the sample file. The invention can greatly improve the efficiency of virus analysis and can promptly find new samples that current anti-virus software cannot detect, or samples of a class with a specific behaviour type, thereby improving the detection accuracy for virus samples.
Brief description of the drawings
Fig. 1 is a flow chart of a preferred embodiment of the malicious file detection method of the present invention;
Fig. 2 is a flow chart of running the sample file, monitoring its run-time behaviour and generating the log file in the preferred embodiment of the malicious file detection method of the present invention;
Fig. 3 is a flow chart of analysing the log file and performing malicious file detection based on preset matching rules in the preferred embodiment of the malicious file detection method of the present invention;
Fig. 4 is a structural diagram of a preferred embodiment of the malicious file detection device of the present invention;
Fig. 5 is a structural diagram of the run monitoring module in the preferred embodiment of the malicious file detection device of the present invention;
Fig. 6 is a structural diagram of the analysis detection module in the preferred embodiment of the malicious file detection device of the present invention.
To make the technical solution clearer, it is described in further detail below with reference to the accompanying drawings.
Detailed description of the embodiments
The solution of the embodiment of the present invention is mainly this: the sample file is run in a virtual machine, a monitoring program in the virtual machine records the run-time behaviour of the sample file, including reads, writes and modifications of files, the registry, the network and processes related to the sample file, and a log file is generated from these records; the log files are then matched against extracted characteristic rules, and a match shows that the sample file is a malicious sample. This realises automated analysis of virus behaviour.
As shown in Fig. 1, the preferred embodiment of the present invention proposes a malicious file detection method, including:
Step S101, obtaining a sample file to be detected;
The source of the sample file to be detected is not limited; for example, it may be downloaded from a specified location.
The obtained sample file to be detected is input to the automated monitoring system.
Taking viruses as an example, the automated monitoring system of this embodiment runs viruses automatically in batches and records their behaviour at run time to obtain log files for analysts to inspect, so that virus behaviour can be understood quickly and manual effort saved.
The automated monitoring system can only run EXE programs, whereas the downloaded sample files may include many compressed archives (RAR, ZIP, 7z and so on) and files such as DLLs and SYS drivers. Therefore all downloaded sample files first undergo format identification, decompression and screening: archives are unpacked with a decompression tool, and the EXE files among the samples, together with the EXE files obtained by decompression, are filtered out and placed in a fixed directory as the source of samples for the automated monitoring system.
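The preprocessing of step S101, as an added worked example in Python that is not part of the patent: identification is done by magic bytes for the three archive formats and, for PE files, by reading the IMAGE_FILE_DLL characteristic and the subsystem field to tell EXE, DLL and SYS apart; ZIP archives are unpacked with the standard library (RAR and 7z need an external unpacker, as the description says, and are only reported here); and the surviving EXE files are copied to the fixed directory under their MD5. The `make_pe` header builder, the directory layout and the sample set in `demo()` are constructed for the example.

```python
import hashlib
import io
import os
import shutil
import tempfile
import zipfile

# Leading bytes of the archive formats the description mentions.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
}
IMAGE_FILE_DLL = 0x2000          # FileHeader.Characteristics flag
IMAGE_SUBSYSTEM_NATIVE = 1       # OptionalHeader.Subsystem of kernel drivers


def identify(data: bytes) -> str:
    """Classify a sample by magic bytes and, for PE files, by its headers.
    Returns one of: zip, rar, 7z, exe, dll, sys, unknown."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "unknown"
    pe = int.from_bytes(data[0x3C:0x40], "little")            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0" or len(data) < pe + 24 + 70:
        return "unknown"
    characteristics = int.from_bytes(data[pe + 22:pe + 24], "little")
    subsystem = int.from_bytes(data[pe + 24 + 68:pe + 24 + 70], "little")
    if characteristics & IMAGE_FILE_DLL:
        return "dll"
    if subsystem == IMAGE_SUBSYSTEM_NATIVE:
        return "sys"
    return "exe"


def prepare_samples(src_dir: str, fixed_dir: str):
    """Identify, unpack (ZIP only) and keep the EXE files from src_dir.
    Kept samples are written to fixed_dir under their MD5, which is what the
    monitoring system later enumerates.  Returns (kept, skipped)."""
    os.makedirs(fixed_dir, exist_ok=True)
    kept, skipped = [], []

    def consider(name, data):
        kind = identify(data)
        if kind == "zip":                      # recurse into (nested) archives
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if not member.endswith("/"):
                        consider(f"{name}/{member}", zf.read(member))
        elif kind == "exe":
            dest = os.path.join(fixed_dir, hashlib.md5(data).hexdigest() + ".exe")
            with open(dest, "wb") as fh:
                fh.write(data)
            kept.append((name, dest))
        else:                                  # rar/7z need an external tool
            skipped.append((name, kind))

    for entry in sorted(os.listdir(src_dir)):
        path = os.path.join(src_dir, entry)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                consider(entry, fh.read())
    return kept, skipped


def make_pe(dll=False, subsystem=2) -> bytes:
    """Constructed minimal PE header (not runnable code) for the demo."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (64).to_bytes(4, "little")
    characteristics = 0x0002 | (IMAGE_FILE_DLL if dll else 0)
    file_hdr = (b"\x4c\x01" + (1).to_bytes(2, "little") + bytes(12)
                + (224).to_bytes(2, "little") + characteristics.to_bytes(2, "little"))
    opt = bytearray(224)
    opt[0:2] = (0x10B).to_bytes(2, "little")                  # PE32
    opt[68:70] = subsystem.to_bytes(2, "little")
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


def demo():
    """Run prepare_samples over a constructed download directory."""
    src, fixed = tempfile.mkdtemp(), tempfile.mkdtemp()
    try:
        with open(os.path.join(src, "a.exe"), "wb") as fh:
            fh.write(make_pe())
        with open(os.path.join(src, "b.sys"), "wb") as fh:
            fh.write(make_pe(subsystem=IMAGE_SUBSYSTEM_NATIVE))
        with open(os.path.join(src, "c.rar"), "wb") as fh:
            fh.write(b"Rar!\x1a\x07\x00" + bytes(32))
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("dropper.exe", make_pe() + b"\x90")   # distinct MD5
            zf.writestr("helper.dll", make_pe(dll=True))
        with open(os.path.join(src, "d.zip"), "wb") as fh:
            fh.write(buf.getvalue())
        kept, skipped = prepare_samples(src, fixed)
        return sorted(n for n, _ in kept), sorted(skipped)
    finally:
        shutil.rmtree(src)
        shutil.rmtree(fixed)


if __name__ == "__main__":
    print(demo())
```

Naming the copies by MD5 makes the fixed directory duplicate-free and gives every log file a stable key, which is the same identifier the description later records for detected samples. Identification is done on content rather than on the file extension, since the extension of a downloaded sample is not trustworthy.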
Step S102, running the sample file, monitoring its run-time behaviour and generating a log file;
As stated above, the sample file to be detected is input to the automated monitoring system, which runs the sample file, monitors its run-time behaviour and obtains a log file for analysts to inspect, so that the behaviour of malicious files such as viruses can be understood quickly.
In its automated monitoring system this embodiment uses the virtualisation software VMware and the monitoring tool Process Monitor; these tools are driven inside the virtual machine by AutoIt scripts. The output of the automated monitoring system is one log file of run-time behaviour per sample file (the log file produced by Process Monitor).
The run-time behaviour of a sample file includes its operations on files, the registry, processes and the network, such as which files are created, accessed or deleted; which registry entries are set, created or deleted; which processes are opened or closed; and which IP addresses are connected to.
Furthermore, since many malicious programs release (drop) other malicious programs after they run, the files released by these programs are also hashed, their MD5 values obtained and recorded as part of the log file output by the automated monitoring system. Normally, if the parent file is judged malicious, the child files it releases are likely to be malicious as well.
The virtual machine detection techniques of the prior art are mostly executed on the client and use a simplified virtual machine that does not simulate the whole operating system. The automated monitoring system of this embodiment instead runs samples in the background using the virtualisation software VMware, which simulates the operating system more completely and reduces the risk of being detected and bypassed by the virus.
Step S103, analysing the log file and performing malicious file detection based on preset matching rules.
A Process Monitor log file is generated after each sample file runs. Analysing this log file reveals the behaviour of the sample file at run time, mainly its operations on files, the registry, processes and the network: which files are created, accessed or deleted; which registry entries are set, created or deleted; which processes are opened or closed; and which IP addresses are connected to.
In this embodiment, log matching rules are extracted in advance for certain specific samples and used to match and filter the log files of the current sample files. The log file generated after a sample file runs is matched against the preset matching rules; if the log file of a sample file matches a rule for a malicious attribute, the sample file is the specific malicious file corresponding to that rule.
Specifically, as shown in Fig. 2, in one embodiment of running the sample file, monitoring its run-time behaviour and generating a log file, step S102 may include:
Step S1021, performing an environment initialisation operation on the virtual machine used to run the sample file;
When the automated monitoring system runs a sample file and monitors its run-time behaviour, the virtual machine used to run the sample file must first be initialised, i.e. the virtual machine snapshot is restored. The snapshot is a previously configured virtual machine environment in which the control program, batch files and so on are installed; initialising the virtual machine environment prepares the virtual machine for running the sample file.
Step S1022, copying the sample file to a fixed directory of the virtual machine;
Step S1023, running the sample file in the virtual machine, monitoring its run-time behaviour with the monitoring tool, and generating the log file.
In this embodiment the sample file must be copied into the virtual machine and run there, and its run-time behaviour is monitored with the Process Monitor tool. Therefore, during monitoring, all the executable sample programs filtered out earlier are enumerated, and each enumerated sample file goes through one automated monitoring cycle. This process uses the control commands of vmrun.exe, the tool shipped with VMware, to control the virtual machine from the physical machine.
The enumerated sample file is first copied to a fixed directory of the virtual machine, and the monitoring program is then run in the virtual machine. This program sets the Process Monitor filter so that certain system programs are excluded, runs the sample for a predetermined time (for example 10 s) and then terminates the process, saves the Process Monitor log file, and performs a preliminary analysis of the log file: it looks up the files the sample released, computes their MD5 values and saves them to a specified file.
Step S1024, copying the log file from the virtual machine to a fixed directory of the physical machine.
Finally, the Process Monitor log file, including the behaviour log and the MD5 list of released files, is copied from the virtual machine to the fixed directory of the physical machine for analysis.
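Steps S1021 to S1024 as an added example, written here in Python around the vmrun commands the description names; this is not the patent's own control program (which is an AutoIt script), and the install path of vmrun.exe, the .vmx file, the snapshot name, the guest credentials and the `monitor.exe` guest program are assumptions for the example. `monitor_commands` produces the vmrun sequence (revertToSnapshot, start, copyFileFromHostToGuest, runProgramInGuest, copyFileFromGuestToHost), `monitor_one` executes it through an injectable `run` callable, and `dropped_file_md5s` shows the preliminary in-guest analysis: picking the files the sample created out of a Process Monitor CSV export and hashing them. The log text is constructed, not a real capture.

```python
import csv
import hashlib
import io
import ntpath
import subprocess

# Assumed for this example: vmrun location, the .vmx, the snapshot name, the
# guest credentials and the fixed directories in the guest and on the host.
VMRUN = r"C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe"
VMX = r"D:\vm\monitor\monitor.vmx"
SNAPSHOT = "clean"
GUEST_USER, GUEST_PASS = "analyst", "secret"
GUEST_SAMPLE_DIR = r"C:\sample"            # fixed directory in the virtual machine
GUEST_LOG_DIR = r"C:\sample\log"
GUEST_MONITOR = r"C:\tools\monitor.exe"    # the compiled AutoIt control program
HOST_LOG_DIR = r"D:\logs"                  # fixed directory on the physical machine


def vmrun(*args):
    """Command line for one vmrun call (Workstation host, guest credentials)."""
    return [VMRUN, "-T", "ws", "-gu", GUEST_USER, "-gp", GUEST_PASS, *args]


def monitor_commands(sample_path):
    """The vmrun sequence for steps S1021 to S1024 for a single sample."""
    name = ntpath.basename(sample_path)
    guest_sample = ntpath.join(GUEST_SAMPLE_DIR, name)
    guest_log = ntpath.join(GUEST_LOG_DIR, name + ".csv")
    guest_md5 = ntpath.join(GUEST_LOG_DIR, name + ".md5")
    return [
        # S1021: restore the configured snapshot, then make sure the guest runs
        vmrun("revertToSnapshot", VMX, SNAPSHOT),
        vmrun("start", VMX, "nogui"),
        # S1022: copy the sample into the fixed guest directory
        vmrun("copyFileFromHostToGuest", VMX, sample_path, guest_sample),
        # S1023: the monitor program starts Process Monitor with its filter,
        # runs the sample for the fixed time, saves the log and the MD5 list;
        # runProgramInGuest blocks until it returns
        vmrun("runProgramInGuest", VMX, GUEST_MONITOR, guest_sample, guest_log),
        # S1024: bring the log and the MD5 list back to the physical machine
        vmrun("copyFileFromGuestToHost", VMX, guest_log,
              ntpath.join(HOST_LOG_DIR, name + ".csv")),
        vmrun("copyFileFromGuestToHost", VMX, guest_md5,
              ntpath.join(HOST_LOG_DIR, name + ".md5")),
    ]


def monitor_one(sample_path, run=subprocess.check_call):
    """Run the sequence; `run` is injectable so it can be traced without VMware."""
    commands = monitor_commands(sample_path)
    for command in commands:
        run(command)
    return commands[-2][-1]            # host path of the Process Monitor log


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def dropped_file_md5s(procmon_csv, read_file):
    """Preliminary analysis done in the guest: hash every file the sample
    created.  Process Monitor's CSV export has the columns Time of Day,
    Process Name, PID, Operation, Path, Result, Detail; a CreateFile that
    made a new file carries 'OpenResult: Created' in Detail.  `read_file`
    returns the file's bytes, or None if it has already disappeared."""
    md5s = {}
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if row["Operation"] == "CreateFile" and "OpenResult: Created" in row["Detail"]:
            data = read_file(row["Path"])
            if data is not None:
                md5s[row["Path"]] = md5_hex(data)
    return md5s


# Constructed Process Monitor export for the demo (not a real capture).
SAMPLE_LOG = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0","abc.exe","1234","CreateFile","C:\Windows\Temp\drop.dll","SUCCESS","Desired Access: Generic Write, Disposition: Create, OpenResult: Created"
"10:00:01.1","abc.exe","1234","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, OpenResult: Opened"
'''


def demo():
    trace = []                                  # records commands instead of running them
    log_path = monitor_one(r"D:\samples\abc.exe", run=trace.append)
    fake_guest_fs = {r"C:\Windows\Temp\drop.dll": b"MZ constructed dropped file"}
    return trace, log_path, dropped_file_md5s(SAMPLE_LOG, fake_guest_fs.get)


if __name__ == "__main__":
    for command in demo()[0]:
        print(" ".join(command))
```

Every sample starts from the same snapshot, so one sample cannot contaminate the run of the next, and because `runProgramInGuest` waits for the guest-side monitor program, the fixed run window ends before the log is copied out. A full VMware guest is still recognisable from inside (VMware Tools, device and MAC identifiers), so the description's "reduces the risk" of detection should be read literally rather than as elimination.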
As shown in Fig. 3, in one embodiment of analysing the log file and performing malicious file detection based on preset matching rules, step S103 may include:
Step S1031, obtaining the log file from the fixed directory of the physical machine;
Step S1032, analysing the run-time behaviour recorded in the log file;
Taking viruses as an example, a Process Monitor log file is generated after each virus program runs. Analysing this log file reveals the behaviour of the virus at run time, mainly its operations on files, the registry, processes and the network: which files are created, accessed or deleted; which registry entries are set, created or deleted; which processes are opened or closed; and which IP addresses are connected to.
Step S1033, matching the run-time behaviour in the log file against the malicious log entries of the preset matching rules;
Step S1034, if the match succeeds, detecting that the sample file corresponding to the log file is a malicious file.
Log rules can be extracted for certain specific samples to filter the logs: if the log file of a sample matches a rule, the sample is the specific virus corresponding to that rule. For a QQ password-stealing trojan, for example, one extractable feature is the deletion of the QQ auto-login file; if such a log record is found in the behaviour log of a sample, the sample can be judged to be a QQ password-stealing trojan.
Taking the instant messaging application QQ as an example, current practical applications involve screening for QQ brush-diamond programs and for QQ password-stealing trojans. After a QQ brush-diamond program runs, its interface lists the various "diamond" categories of QQ services, prompts the user for a QQ number and password, and offers to activate the various diamond services (so-called "brushing diamonds"). Its real purpose is to deceive the user and steal the user's QQ number and password, since these applications are in fact unable to obtain diamonds.
Because QQ brush-diamond programs deceive users mainly by social engineering and generally do not use technical means to steal QQ passwords, they have no specific behavioural feature; however, the main program interface of such a program carries certain specific keywords by which such samples can be matched. For QQ brush-diamond programs, detection of malicious samples is therefore realised by matching keywords in windows.
After the sample file has run in the virtual machine, a QQ brush-diamond detection program is run. It enumerates all windows in the system and the text of their child windows, and searches for the following keywords: brush diamond (two spellings, presumably 刷钻 and 刷砖 in the original), brush Q (刷Q), red diamond (红钻), Q business (Q业务), QQ password (QQ密码), Q coin (Q币) and QB. If any is found, the sample is a QQ brush-diamond program.
Screening for QQ password-stealing trojans is done by extracting behaviour rules, because these trojans steal QQ passwords by technical means, for example by replacing some QQ files. The screening rules for common QQ password-stealing trojans are as follows:
(1) the QQ.exe process is closed;
(2) files under the QQ Bin directory are accessed (released);
(3) the QQ Registry.db file is deleted (this file stores the QQ auto-login information; many QQ password-stealing trojans delete it so that auto-login fails and the user has to type the QQ password again, which is how the password is stolen);
(4) the QQ.lnk shortcut file is modified so that it points to the QQ password-stealing trojan.
When matching against the corresponding screening rules, each line of the log file is read and checked for any of the following four strings: QQ.exe together with Process Exit on the same line, QQ Bin, Registry.db, QQ.lnk.
If any of the four behaviours is present, the sample file corresponding to the log file is judged to be a QQ password-stealing trojan, and its MD5 is recorded in the specified text file.
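Both screens described above, the line-by-line rule matching of step S103 for QQ password-stealing trojans and the window keyword scan for brush-diamond programs, as one added Python example that is not the patent's own program. The four rule strings are taken from the text; the Chinese keyword strings are my rendering of the translated keyword list, the folding of path separators to spaces (so that the rule string "QQ Bin" matches the path component QQ\Bin) is an assumption, and the two Process Monitor CSV exports are constructed. `enumerate_window_texts` does the EnumWindows/EnumChildWindows walk on Windows and returns nothing on other platforms.

```python
import csv
import io
import sys

# The four screening rules from the description.  A log line is a hit for a
# rule when every string of the rule appears on that line.
STEALER_RULES = {
    "close QQ.exe process": ("QQ.exe", "Process Exit"),
    "access/release files under QQ Bin": ("QQ Bin",),
    "delete Registry.db": ("Registry.db",),
    "modify QQ.lnk": ("QQ.lnk",),
}

# Window keywords for brush-diamond programs.  The translated description
# lists "brush bore, brush bore, brush Q, red brill, Q business, QQ password,
# Q coin, QB"; the Chinese strings below are my assumed originals.
BRUSH_KEYWORDS = ("刷钻", "刷砖", "刷Q", "红钻", "Q业务", "QQ密码", "Q币", "QB")


def flatten(row):
    # Assumption: the rule string "QQ Bin" stands for the path component
    # QQ\Bin, so path separators are folded to spaces before matching.
    return ",".join(str(v) for v in row.values()).replace("\\", " ").replace("/", " ")


def match_stealer_rules(log_text):
    """Read a Process Monitor CSV export line by line; return the rules that
    fired, each with the first log line that hit (1-based, header is line 1)."""
    hits = {}
    for lineno, row in enumerate(csv.DictReader(io.StringIO(log_text)), start=2):
        flat = flatten(row)
        for rule, needles in STEALER_RULES.items():
            if rule not in hits and all(needle in flat for needle in needles):
                hits[rule] = lineno
    return hits


def brush_keywords_found(window_texts):
    """Keyword screen over the text of all windows and child windows."""
    found = {kw for text in window_texts for kw in BRUSH_KEYWORDS
             if kw.casefold() in text.casefold()}
    return sorted(found)


def enumerate_window_texts():
    """Windows only: the text of every top-level window and its children,
    collected with EnumWindows / EnumChildWindows / GetWindowTextW."""
    if sys.platform != "win32":
        return []
    import ctypes
    from ctypes import wintypes
    user32 = ctypes.windll.user32
    WNDENUMPROC = ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.HWND, wintypes.LPARAM)
    texts = []

    def grab(hwnd):
        length = user32.GetWindowTextLengthW(hwnd)
        if length:
            buf = ctypes.create_unicode_buffer(length + 1)
            user32.GetWindowTextW(hwnd, buf, length + 1)
            texts.append(buf.value)

    @WNDENUMPROC
    def on_child(hwnd, _):
        grab(hwnd)
        return True

    @WNDENUMPROC
    def on_top(hwnd, _):
        grab(hwnd)
        user32.EnumChildWindows(hwnd, on_child, 0)
        return True

    user32.EnumWindows(on_top, 0)
    return texts


def classify_sample(md5, log_text, window_texts):
    """One result line per sample: its MD5 and which screen(s) matched."""
    verdicts = []
    rules = match_stealer_rules(log_text)
    if rules:
        verdicts.append("QQ password-stealing trojan (" + "; ".join(rules) + ")")
    keywords = brush_keywords_found(window_texts)
    if keywords:
        verdicts.append("QQ brush-diamond program (" + ", ".join(keywords) + ")")
    return md5 + " " + (" | ".join(verdicts) if verdicts else "no match")


# Constructed Process Monitor exports (not real captures).
STEALER_LOG = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:00.1","QQ.exe","2200","Process Exit","","SUCCESS","Exit Status: 0"
"10:00:00.5","sample.exe","1234","SetDispositionInformationFile","C:\Program Files\Tencent\QQ\Registry.db","SUCCESS","Delete: True"
"10:00:00.9","sample.exe","1234","CreateFile","C:\Program Files\Tencent\QQ\Bin\evil.dll","SUCCESS","Desired Access: Generic Write, Disposition: Create, OpenResult: Created"
'''
CLEAN_LOG = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:00.1","sample.exe","1234","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName","SUCCESS","Type: REG_SZ"
'''

if __name__ == "__main__":
    print(classify_sample("0" * 32, STEALER_LOG, ["QQ刷钻大师", "请输入QQ密码"]))
    print(classify_sample("1" * 32, CLEAN_LOG, enumerate_window_texts()))
```

Because the rules are plain substring matches over every row, anything the Process Monitor filter lets through that touches the QQ installation (a legitimate QQ updater, for instance) fires them just as a trojan would; in the description it is the guest-side filter excluding system programs that keeps this tolerable. Recording the first hit line per rule lets an analyst go straight to the evidence in the log when reviewing a verdict.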
In practical applications, the automated monitoring system can be run once a day via a scheduled task to pick QQ brush-diamond programs and QQ password-stealing trojans out of the previous day's sample files; by continually monitoring the prevalence and spread of these samples, the sample files with the highest prevalence and spread are identified for priority handling.
This example obtained the following experimental data by testing the automated monitoring system. The average time for the system to monitor one sample file is 45 s. Several batches of samples were tested (all samples obtained in one day by "brush-diamond keyword filtering" and "QQ directory monitoring"; QQ directory monitoring means monitoring the files released into the QQ directory, since many password-stealing trojans steal passwords by releasing a DLL into that directory, and because the automation here runs EXE programs, the EXE programs found were mostly QQ password-stealing trojans). Four batches were selected at random, as follows:
The brush-diamond keyword filtering sample data are shown in Table 1:
Sample count | Brush-diamond samples detected | Proportion of brush-diamond samples
328 | 110 | 33.5%
607 | 252 | 41.5%
370 | 138 | 37.3%
308 | 152 | 49.3%
Table 1
The QQ directory monitoring sample data are shown in Table 2:
Table 2
Thus, in this embodiment, the sample file is run in a virtual machine, a monitoring program in the virtual machine records the run-time behaviour of the sample file and thereby generates a log file, and the log files are matched against extracted characteristic rules to reach a verdict on the sample file. This greatly improves the efficiency of virus analysis and makes it possible to promptly find new samples that current anti-virus software cannot detect, or samples of a class with a specific behaviour type, thereby improving the detection accuracy for virus samples.
In addition, later needs to mine for specific samples can be met by analysing the log files of the samples, so the scheme of this embodiment has a wide range of applications and serves as a reference for mining specific sample files, or the newest samples, from a massive sample library.
As shown in Fig. 4, the preferred embodiment of the present invention proposes a malicious file detection device, including an acquisition module 401, a run monitoring module 402 and an analysis detection module 403, wherein:
the acquisition module 401 is for obtaining a sample file to be detected;
the run monitoring module 402 is for running the sample file, monitoring its run-time behaviour and generating a log file;
the analysis detection module 403 is for analysing the log file and performing malicious file detection based on preset matching rules.
The source of the sample file to be detected is not limited; for example, it may be downloaded from a specified location. The sample file obtained by the acquisition module 401 is input to the automated monitoring system, which works as described for steps S101 to S103 above: the downloaded samples (which may include RAR, ZIP and 7z archives and DLL and SYS files) undergo format identification, decompression and screening so that only EXE files are placed in the fixed directory; the run monitoring module 402 runs each sample in the background in VMware, driven by AutoIt scripts, with Process Monitor recording the operations on files, the registry, processes and the network and with the MD5 values of any files the sample releases added to the log output, which simulates the operating system more completely than the simplified client-side virtual machines of the prior art and reduces the risk of being detected and bypassed; and the analysis detection module 403 matches the resulting log file against matching rules extracted in advance for specific samples, a match identifying the sample file as the specific malicious file corresponding to that rule.
Specifically, as shown in Fig. 5, in one embodiment of running the sample file, monitoring its run-time behaviour and generating a log file, the run monitoring module 402 may include an initialisation unit 4021, a copy unit 4022 and a run monitoring unit 4023, wherein:
the initialisation unit 4021 is for performing an environment initialisation operation on the virtual machine used to run the sample file;
the copy unit 4022 is for copying the sample file to a fixed directory of the virtual machine;
the run monitoring unit 4023 is for running the sample file in the virtual machine, monitoring its run-time behaviour with the monitoring tool and generating the log file.
The copy unit 4022 is further for copying the log file from the virtual machine to a fixed directory of the physical machine.
These units carry out steps S1021 to S1024 as described above: the virtual machine snapshot (the previously configured environment in which the control program, batch files and so on are installed) is restored; each executable sample enumerated from the fixed directory is copied into the fixed directory of the virtual machine, the virtual machine being controlled from the physical machine with the control commands of vmrun.exe, the tool shipped with VMware; the monitoring program in the virtual machine sets the Process Monitor filter to exclude certain system programs, runs the sample for a predetermined time (for example 10 s), terminates the process, saves the Process Monitor log and computes the MD5 values of the files the sample released; and the log file together with the MD5 list is copied to the fixed directory of the physical machine for analysis.
As shown in Fig. 6, in one embodiment of analysing the log file and performing malicious file detection based on preset matching rules, the analysis detection module 403 may include an acquiring unit 4031, an analysis unit 4032, a matching unit 4033 and a detection unit 4034, wherein:
the acquiring unit 4031 is for obtaining the log file from the fixed directory of the physical machine;
the analysis unit 4032 is for analysing the run-time behaviour recorded in the log file;
the matching unit 4033 is for matching the run-time behaviour in the log file against the malicious log entries of the preset matching rules;
the detection unit 4034 is for detecting that the sample file corresponding to the log file is a malicious file when the run-time behaviour in the log file matches a malicious log entry of the preset matching rules.
Taking a virus as an example: a Process Monitor log file is generated after each virus program is run, and analyzing that log file reveals the behaviour of the virus at run time, chiefly its operations on files, the registry, processes and the network: which files were created, accessed or deleted; which registry entries were set, created or deleted; which processes were opened or closed; which IP addresses were connected to; and so on.
Log rules can be extracted for particular samples and used to filter the logs: if the log file of a sample matches a certain rule, the sample is the specific virus corresponding to that rule. For a QQ password-stealing trojan, for example, one extractable feature is "the QQ auto-login file is deleted"; if a log record of this kind is found in a sample's behaviour log, the sample can be judged to be a QQ password-stealing trojan.
Taking the instant messenger QQ as an example, two cases arise in current practice: screening of QQ "diamond-brushing" programs and screening of QQ password-stealing trojans. (QQ "diamonds" are paid membership services; a diamond-brushing program claims to activate them for free.) After a diamond-brushing program is run, its interface displays the categories of the various QQ diamond services, prompts the user to enter a QQ number and password, and offers to activate the various diamonds ("brushing"). Its real purpose is to deceive the user and steal the QQ number and password, because such programs cannot in fact brush any diamond.
Because diamond-brushing programs mainly deceive the user by social engineering and generally do not steal the QQ password by technical means, they have no specific behavioural feature. The main program window of such a program does, however, contain certain specific keywords, and samples of this kind can be matched by those keywords. For QQ diamond-brushing programs, therefore, malicious samples are detected by matching keywords of the window.
After the sample file is run in the virtual machine, a QQ diamond-brushing detection program is run. It enumerates all windows in the system together with the text of their child windows, and searches that text for the following keywords (Chinese strings in the original, rendered here in translation): "diamond brushing" (two written variants), "Q brushing", "red diamond", "Q services", "QQ password", "Q coin", "QB". If any of them is found, the sample is judged to be a QQ diamond-brushing program.
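The window-keyword check described above, as an added example written for this page rather than the patent's own detection program. The keyword list is the patent's, rendered back into Chinese by this editor, so the exact characters are an assumption. Window enumeration goes through the Win32 EnumWindows, EnumChildWindows and GetWindowTextW calls via ctypes and therefore only works when the script is run inside the Windows guest (for instance launched with vmrun.exe after the sample); the matching logic is platform-neutral and is exercised here on a constructed list of window texts.

```python
"""Window-text keyword check for QQ diamond-brushing samples.

Added example written for this page; not the patent's detection program.
KEYWORDS is this editor's Chinese rendering of the patent's list (assumption).
"""
import sys

# the patent lists eight keywords: two spellings of "diamond brushing", "Q brushing",
# "red diamond", "Q services", "QQ password", "Q coin" and "QB"
KEYWORDS = ["刷钻", "刷鉆", "刷Q", "红钻", "Q业务", "QQ密码", "Q币", "QB"]


def find_keywords(window_texts, keywords=KEYWORDS):
    """Keywords that occur as a literal substring of at least one window text, in list order."""
    return [kw for kw in keywords if any(kw in text for text in window_texts)]


def is_diamond_brushing(window_texts):
    """The patent's rule: any keyword hit means the sample is a diamond-brushing program."""
    return bool(find_keywords(window_texts))


def enumerate_window_texts():
    """Title/text of every top-level window and each of its child controls (Windows only)."""
    if sys.platform != "win32":
        raise OSError("EnumWindows is only available on Windows")
    import ctypes
    user32 = ctypes.windll.user32
    # BOOL CALLBACK EnumWindowsProc(HWND hwnd, LPARAM lParam)
    EnumProc = ctypes.WINFUNCTYPE(ctypes.c_bool, ctypes.c_void_p, ctypes.c_void_p)
    # declare handle arguments as pointers so 64-bit HWNDs are not truncated
    user32.GetWindowTextLengthW.argtypes = [ctypes.c_void_p]
    user32.GetWindowTextW.argtypes = [ctypes.c_void_p, ctypes.c_wchar_p, ctypes.c_int]
    user32.EnumChildWindows.argtypes = [ctypes.c_void_p, EnumProc, ctypes.c_void_p]
    user32.EnumWindows.argtypes = [EnumProc, ctypes.c_void_p]
    texts = []

    def text_of(hwnd):
        length = user32.GetWindowTextLengthW(hwnd)
        buf = ctypes.create_unicode_buffer(length + 1)
        user32.GetWindowTextW(hwnd, buf, length + 1)
        return buf.value

    def on_child(hwnd, _):
        texts.append(text_of(hwnd))
        return True  # keep enumerating

    def on_top(hwnd, _):
        texts.append(text_of(hwnd))
        user32.EnumChildWindows(hwnd, EnumProc(on_child), 0)
        return True

    user32.EnumWindows(EnumProc(on_top), 0)
    return [t for t in texts if t]


if __name__ == "__main__":
    hits = find_keywords(enumerate_window_texts())
    print("diamond-brushing keywords found:", hits if hits else "none")
```

Matching is a plain substring test, as in the description. Very short keywords such as "QB" will also hit unrelated windows, so in practice the check should be restricted to windows owned by the sample's process (GetWindowThreadProcessId gives the owning PID) rather than every window on the desktop.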
QQ password-stealing trojans are screened by extracting behaviour rules, because this kind of trojan steals the QQ password by technical means, for example by replacing some of QQ's files. The usual screening rules for QQ password-stealing trojans are:
(1) the QQ.exe process is closed;
(2) files under QQ's bin directory are accessed (or dropped);
(3) QQ's Registry.db file is deleted (this file holds QQ's auto-login information; many QQ password-stealing trojans delete it so that auto-login fails and the user has to type the QQ password again, which is how the password is captured);
(4) the QQ.lnk shortcut file is modified so that the shortcut points to the trojan.
When matching against these screening rules, each line of the log file is read and checked for any of the following four string conditions: "QQ.exe" and "Process Exit" present on the same line; "QQ Bin"; "Registry.db"; "QQ.lnk".
If any one of these four behaviours is found, the sample file corresponding to the log file is judged to be a QQ password-stealing trojan, and its MD5 is recorded in the designated text file.
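The line-by-line rule matching just described, and the general idea of filtering a behaviour log with extracted rules from the earlier paragraphs, as an added example written for this page rather than the patent's matching code. Column names follow Process Monitor's CSV export; both logs are constructed for illustration, not captured from a real sample. One refinement beyond the patent's literal per-line substring test is marked in the code: file activity performed by QQ.exe itself is not counted, since QQ reading its own bin directory would otherwise satisfy rule (2).

```python
"""Match a Process Monitor CSV export against the four QQ password-stealer rules.

Added example written for this page; not the patent's code. The CSV logs below
are constructed for illustration.
"""
import csv
import io

# (rule name, substrings that must all occur on one log line), as listed in the description
QQ_TROJAN_RULES = [
    ("QQ.exe closed",              ("QQ.exe", "Process Exit")),
    ("file under QQ\\Bin touched", (r"QQ\Bin",)),
    ("Registry.db deleted",        ("Registry.db",)),
    ("QQ.lnk modified",            ("QQ.lnk",)),
]

HEADER = '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"\n'

# constructed: a sample that kills QQ, drops a DLL into QQ\Bin, deletes the auto-login
# database and rewrites the desktop shortcut
TROJAN_LOG = HEADER + (
    '"10:00:01.0001","sample.exe","1234","Process Create","C:\\mon\\sample.exe","SUCCESS","PID: 1234"\n'
    '"10:00:01.0200","QQ.exe","2200","Process Exit","C:\\Program Files\\Tencent\\QQ\\Bin\\QQ.exe","SUCCESS","Exit Status: 0"\n'
    '"10:00:01.0300","sample.exe","1234","CreateFile","C:\\Program Files\\Tencent\\QQ\\Bin\\kernelutil.dll","SUCCESS","Desired Access: Generic Write"\n'
    '"10:00:01.0400","sample.exe","1234","SetDispositionInformationFile","C:\\Users\\u\\Documents\\Tencent Files\\Registry.db","SUCCESS","Delete: True"\n'
    '"10:00:01.0500","sample.exe","1234","WriteFile","C:\\Users\\Public\\Desktop\\QQ.lnk","SUCCESS","Offset: 0, Length: 1,024"\n'
)

# constructed: QQ itself reading its own Bin directory while an unrelated sample queries the registry
CLEAN_LOG = HEADER + (
    '"11:00:00.0001","sample.exe","4321","Process Create","C:\\mon\\sample.exe","SUCCESS","PID: 4321"\n'
    '"11:00:00.0100","QQ.exe","2200","CreateFile","C:\\Program Files\\Tencent\\QQ\\Bin\\QQ.exe","SUCCESS","Desired Access: Read Data"\n'
    '"11:00:00.0200","sample.exe","4321","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName","SUCCESS","Type: REG_SZ"\n'
)


def line_matches(rule_substrings, line):
    """The patent's test: every substring of the rule appears somewhere on this line."""
    return all(s in line for s in rule_substrings)


def detect_qq_trojan(csv_text, sample_md5=None):
    """Read the log line by line; the first line hitting each rule is recorded.
    Returns the verdict, the (rule, line number) hits and the sample MD5 for the hit list."""
    hits, seen = [], set()
    reader = csv.DictReader(io.StringIO(csv_text))
    for lineno, row in enumerate(reader, start=1):
        line = ",".join(str(v) for v in row.values())
        actor = (row.get("Process Name") or "").lower()
        for name, needles in QQ_TROJAN_RULES:
            if name in seen or not line_matches(needles, line):
                continue
            # refinement beyond the patent: QQ's own reads and writes of its files are
            # not evidence of theft, so the file rules only count when another process acts
            if name != "QQ.exe closed" and actor == "qq.exe":
                continue
            seen.add(name)
            hits.append((name, lineno))
    verdict = "QQ password-stealing trojan" if hits else "no rule matched"
    return {"verdict": verdict, "matched": hits, "md5": sample_md5}


if __name__ == "__main__":
    for label, log in (("trojan", TROJAN_LOG), ("clean", CLEAN_LOG)):
        print(label, detect_qq_trojan(log, sample_md5="<md5 of the sample>"))
```

Because a single hit is enough for a verdict, rule (2) on its own will also flag legitimate QQ plug-ins and updaters that write into the bin directory; requiring rule (2) together with rule (3) or (4) trades some recall for far fewer false positives, which matters when the system runs unattended every day.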
In practice, a scheduled task can run the automated monitoring system once a day to pick out QQ diamond-brushing programs and QQ password-stealing trojans from the previous day's sample files; by continuously tracking how prevalent and widespread these sample files are, the most prevalent and widespread ones can be singled out for priority handling.
This example obtained the following experimental data by testing the automated monitoring system. The system's average monitoring time per sample file was 45 s. Several batches of samples were tested (all the samples obtained in one day by "diamond-brushing keyword filtering" and by "QQ directory monitoring"; QQ directory monitoring means monitoring the files dropped into the QQ directory, since many password-stealing trojans achieve theft by dropping a DLL into that directory, and the automation here runs EXE programs automatically, most of which were in fact found to be QQ password-stealing trojans). Four batches of data were sampled at random; the diamond-brushing keyword-filtering sample data are shown in Table 1 above, and the QQ directory monitoring sample data in Table 2 above.
In this embodiment, then, the sample file is run in a virtual machine, a monitoring program running in the virtual machine records the run-time behaviour of the sample file and generates a log file from it, and the log files are then matched against the extracted feature rules, finally achieving malicious detection of the sample file. This greatly improves the efficiency of virus analysis, and new samples that current anti-virus software cannot detect, or a class of samples with a specific behaviour type, can be found in time, so that the detection accuracy for virus samples is improved.
Moreover, later needs to mine for specific samples can be met by analyzing the samples' log files, so the scheme of this embodiment has a wide range of application and serves as a reference for mining specific or newly appearing sample files out of massive sample sets.
The foregoing are merely preferred embodiments of the present invention and do not limit its scope; any equivalent structural or flow transformation made using the description and drawings of the present invention, or any direct or indirect use in other related technical fields, is likewise included within the scope of protection of the present invention.
Claims (10)
- 1. A malicious file detection method, characterised in that it comprises: obtaining a sample file to be detected; running the sample file, monitoring the run-time behaviour of the sample file and generating a log file, wherein the run-time behaviour comprises operations on files, the registry, processes and/or network information, and the log file comprises a behaviour log and an MD5 list of the child files dropped after the sample file runs; and analyzing the log file and judging, on the basis of preset matching rules, whether the parent file is a malicious file and whether the child files are malicious files, wherein the analysis comprises extracting preset log rules to filter the log file, such that if the log file of a sample matches a certain rule the sample is the specific virus corresponding to that rule, or extracting preset log rules that match keywords of the sample's windows so as to detect malicious samples.
- 2. The method according to claim 1, characterised in that, after the step of obtaining the sample file to be detected, it further comprises: performing format identification, decompression and/or screening on the sample file to obtain a sample file that can be run.
- 3. The method according to claim 1, characterised in that the step of running the sample file, monitoring the run-time behaviour of the sample file and generating a log file comprises: performing an environment initialization operation on the virtual machine used to run the sample file; copying the sample file into a fixed directory of the virtual machine; and running the sample file in the virtual machine and monitoring the run-time behaviour of the running sample file with a monitoring tool so as to generate the log file.
- 4. The method according to claim 3, characterised in that the step of running the sample file, monitoring the run-time behaviour of the sample file and generating a log file further comprises: copying the log file from the virtual machine into a fixed directory of the physical machine.
- 5. The method according to claim 4, characterised in that the step of analyzing the log file and performing malicious file detection on the basis of preset matching rules comprises: obtaining the log file from the fixed directory of the physical machine; analyzing the run-time behaviour recorded in the log file; matching the run-time behaviour in the log file against the malicious logs in the preset matching rules; and, if the match succeeds, detecting that the sample file corresponding to the log file is a malicious file.
- 6. A malicious file detection device, characterised in that it comprises: an acquisition module for obtaining a sample file to be detected; a run-and-monitor module for running the sample file, monitoring the run-time behaviour of the sample file and generating a log file, wherein the run-time behaviour comprises operations on files, the registry, processes and/or network information, and the log file comprises a behaviour log and an MD5 list of the child files dropped after the sample file runs; and an analysis and detection module for analyzing the log file and judging, on the basis of preset matching rules, whether the parent file is a malicious file and whether the child files are malicious files, wherein the analysis comprises extracting preset log rules to filter the log file, such that if the log file of a sample matches a certain rule the sample is the specific virus corresponding to that rule, or extracting preset log rules that match keywords of the sample's windows so as to detect malicious samples.
- 7. The device according to claim 6, characterised in that the acquisition module is further used to perform format identification, decompression and/or screening on the sample file to obtain a sample file that can be run.
- 8. The device according to claim 6 or 7, characterised in that the run-and-monitor module comprises: an initialization unit for performing an environment initialization operation on the virtual machine used to run the sample file; a copying unit for copying the sample file into a fixed directory of the virtual machine; and a run-and-monitor unit for running the sample file in the virtual machine and monitoring the run-time behaviour of the running sample file with a monitoring tool so as to generate the log file.
- 9. The device according to claim 8, characterised in that the copying unit is further used to copy the log file from the virtual machine into a fixed directory of the physical machine.
- 10. The device according to claim 8, characterised in that the analysis and detection module comprises: an acquiring unit for obtaining the log file from the fixed directory of the physical machine; an analysis unit for analyzing the run-time behaviour recorded in the log file; a matching unit for matching the run-time behaviour in the log file against the malicious logs in the preset matching rules; and a detection unit for detecting, when the run-time behaviour in the log file successfully matches a malicious log in the preset matching rules, that the sample file corresponding to the log file is a malicious file.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210478566.6A CN103839003B (en) | 2012-11-22 | 2012-11-22 | Malicious file detection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103839003A CN103839003A (en) | 2014-06-04 |
CN103839003B true CN103839003B (en) | 2018-01-30 |
Family
ID=50802488
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201210478566.6A Active CN103839003B (en) | 2012-11-22 | 2012-11-22 | Malicious file detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103839003B (en) |
Families Citing this family (43)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105653947B * | 2014-11-11 | 2019-09-13 | 中国移动通信集团公司 | Method and device for assessing the data security risk of an application
CN105791250B * | 2014-12-26 | 2020-10-02 | 北京奇虎科技有限公司 | Application program detection method and device
CN105897807A * | 2015-01-14 | 2016-08-24 | 江苏博智软件科技有限公司 | Cloud detection method for abnormal code on mobile intelligent terminals based on behavioral characteristics
US9852295B2 * | 2015-07-14 | 2017-12-26 | Bitdefender IPR Management Ltd. | Computer security systems and methods using asynchronous introspection exceptions
CN105184162B * | 2015-08-18 | 2019-01-04 | 安一恒通(北京)科技有限公司 | Program monitoring method and device
CN105204973A * | 2015-09-25 | 2015-12-30 | 浪潮集团有限公司 | Abnormal behavior monitoring and analysis system and method based on virtual machine technology under a cloud platform
CN105224867A * | 2015-10-27 | 2016-01-06 | 成都卫士通信息产业股份有限公司 | Host security hardening method in a virtualized environment
CN106611122A * | 2015-10-27 | 2017-05-03 | 国家电网公司 | Virtual execution-based offline detection system for unknown malicious programs
CN105590059B * | 2015-12-18 | 2019-04-23 | 北京奇虎科技有限公司 | Virtual machine escape detection method and device
CN105631320B * | 2015-12-18 | 2019-04-19 | 北京奇虎科技有限公司 | Virtual machine escape detection method and device
CN105608374B * | 2015-12-18 | 2019-04-19 | 北京奇虎科技有限公司 | Virtual machine escape detection method and device
CN106599684A * | 2015-12-30 | 2017-04-26 | 哈尔滨安天科技股份有限公司 | Detection method and system for malicious code without an entity file
CN105574205B * | 2016-01-18 | 2019-03-19 | 国家电网公司 | Dynamic log analysis system for a distributed computing environment
CN107231245B * | 2016-03-23 | 2021-04-02 | 阿里巴巴集团控股有限公司 | Method and device for reporting monitoring logs, and method and device for processing monitoring logs
CN105912932A * | 2016-04-08 | 2016-08-31 | 周宏斌 | Threat behavior detection system and method
CN105791323B * | 2016-05-09 | 2019-02-26 | 国家电网公司 | Defense method and equipment against unknown malware
CN106055976B * | 2016-05-16 | 2021-05-28 | 新华三技术有限公司 | File detection method and sandbox controller
CN106130960B * | 2016-06-12 | 2019-08-09 | 微梦创科网络科技(中国)有限公司 | Judgment system, load scheduling method and device for account-theft behavior
CN106130966B * | 2016-06-20 | 2019-07-09 | 北京奇虎科技有限公司 | Vulnerability mining detection method, server, device and system
CN106446689A * | 2016-09-02 | 2017-02-22 | 中科信息安全共性技术国家工程研究中心有限公司 | Method for automated security detection of Android applications
CN106709326A * | 2016-11-24 | 2017-05-24 | 北京奇虎科技有限公司 | Processing method and device for suspicious samples
CN106682513A * | 2016-11-28 | 2017-05-17 | 北京奇虎科技有限公司 | Detection method and device for a target sample file
CN106557701B * | 2016-11-28 | 2019-09-06 | 北京奇虎科技有限公司 | Virtual-machine-based kernel vulnerability detection method and device
CN106778246A * | 2016-12-01 | 2017-05-31 | 北京奇虎科技有限公司 | Detection method and device for sandbox virtualization
CN108256325A * | 2016-12-29 | 2018-07-06 | 中移(苏州)软件技术有限公司 | Method and apparatus for detecting malicious code variants
US10546120B2 * | 2017-09-25 | 2020-01-28 | AO Kaspersky Lab | System and method of forming a log in a virtual machine for conducting an antivirus scan of a file
CN108363919B * | 2017-10-19 | 2021-04-20 | 北京安天网络安全技术有限公司 | Method and system for generating a virus-removal tool
CN108804916B * | 2017-12-19 | 2022-01-28 | 安天科技集团股份有限公司 | Malicious file detection method and device, electronic equipment and storage medium
CN110210218B * | 2018-04-28 | 2023-04-14 | 腾讯科技(深圳)有限公司 | Virus detection method and related device
CN109766699B * | 2018-05-04 | 2022-02-15 | 奇安信安全技术(珠海)有限公司 | Operation behavior intercepting method and device, storage medium and electronic device
CN111277539B * | 2018-11-16 | 2022-09-02 | 慧盾信息安全科技(苏州)股份有限公司 | Server ransomware protection system and method
CN110399720B * | 2018-12-14 | 2022-12-16 | 腾讯科技(深圳)有限公司 | File detection method and related device
CN111368295A * | 2018-12-26 | 2020-07-03 | 中兴通讯股份有限公司 | Malicious sample detection method, device and system, and storage medium
CN109815701B * | 2018-12-29 | 2022-04-22 | 奇安信安全技术(珠海)有限公司 | Software security detection method, client, system and storage medium
CN111027062A * | 2019-03-29 | 2020-04-17 | 哈尔滨安天科技集团股份有限公司 | Method and device for assessing the application crash state of a cyber range
CN112580041B * | 2019-09-30 | 2023-07-07 | 奇安信安全技术(珠海)有限公司 | Malicious program detection method and device, storage medium and computer equipment
CN110889113A * | 2019-10-30 | 2020-03-17 | 泰康保险集团股份有限公司 | Log analysis method, server, electronic device and storage medium
CN111143839A * | 2019-12-30 | 2020-05-12 | 厦门服云信息科技有限公司 | Malicious code detection method and device based on virtualization behavior analysis technology
CN112527672B * | 2020-12-21 | 2021-10-22 | 北京深思数盾科技股份有限公司 | Detection method and equipment for packing tools
CN112560018B * | 2020-12-23 | 2023-10-31 | 苏州三六零智能安全科技有限公司 | Sample file detection method and device, terminal equipment and storage medium
CN112699176B * | 2021-02-06 | 2023-06-30 | 北京拓普丰联信息科技股份有限公司 | Fast random extraction method, system, terminal and storage medium
CN112989344B * | 2021-03-16 | 2022-07-05 | 北京理工大学 | Intelligent malicious program detection method, device and system based on hardware tracing technology
CN116861429B * | 2023-09-04 | 2023-12-08 | 北京安天网络安全技术有限公司 | Malicious detection method, device, equipment and medium based on sample behaviour
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1818823A * | 2005-02-07 | 2006-08-16 | 福建东方微点信息安全有限责任公司 | Computer protection method based on program behaviour analysis
CN101231682A * | 2007-01-26 | 2008-07-30 | 李贵林 | Computer information security method
CN101593249A * | 2008-05-30 | 2009-12-02 | 成都市华为赛门铁克科技有限公司 | Suspicious file analysis method and system
CN101788915A * | 2010-02-05 | 2010-07-28 | 北京工业大学 | White list updating method based on trusted process tree
CN101986323A * | 2009-10-01 | 2011-03-16 | 卡巴斯基实验室封闭式股份公司 | Method and system for detection of previously unknown malware
CN102314561A * | 2010-07-01 | 2012-01-11 | 电子科技大学 | Automatic analysis method and system for malicious code based on API (application program interface) hooking
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8719800B2 (en) * | 2008-06-20 | 2014-05-06 | Vmware, Inc. | Accelerating replayed program execution to support decoupled program analysis |
- 2012-11-22: CN201210478566.6A filed (CN); granted as patent CN103839003B, status Active
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||