CN103902898A - Method and device for identifying viruses - Google Patents

Publication number
CN103902898A
Authority
CN
China
Prior art keywords
file
code
virus
standard feature
condition code
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201210578798.9A
Other languages
Chinese (zh)
Inventor
常力元
江东升
田朝文
冯晓冬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd
Priority to CN201210578798.9A
Publication of CN103902898A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/561 Virus type analysis

Abstract

The embodiments of the invention disclose a method and device for identifying viruses. The method comprises: receiving the data stream of a file; determining the number of file fragments N according to a preset policy; dividing the file into N sub-files according to the number of file fragments N and the semantic end marks in the file; calculating the hashed values of the N sub-files in sequence with a hashing algorithm; splicing the hashed values of the N sub-files in sequence to form a feature code; comparing the feature code with the standard feature codes in a known feature code library; and judging the file to be a virus if the library contains a standard feature code whose similarity to the feature code is higher than a preset similarity. The method and device can identify viruses comprehensively, including known virus prototypes, known virus variants and some new viruses.

Description

Method and device for identifying viruses
Technical field
The present invention relates to the field of network security technology, and in particular to a method and device for identifying viruses.
Background
In recent years computers have come into wide use in every field, but the computer viruses that came with them threaten their practical use. The latency, infectiousness and destructiveness of computer viruses make virus prevention more complicated. Current computer viruses usually have an automatic update function. Virus authors habitually use packing (adding a shell), recompiling and small-scale modification of the virus's engineering to release virus variants rapidly, and build new viruses by recombining multiple shared virus modules, so that virus detection and removal software (that is, antivirus software) cannot detect and remove the changed virus.
In the course of realizing the present invention, the inventors found that current methods for detecting and removing computer viruses generally locate the virus feature code by entry point plus offset, and that virus feature codes correspond one-to-one with viruses: if a virus feature code matches the feature code library of the antivirus software, the file is judged to be a virus. Once a virus has been changed by the methods described above, its feature code is changed completely and no longer matches the existing feature code library of the antivirus software, so the antivirus software cannot detect and remove the virus variant or new virus. Present-stage methods can therefore only detect and remove such viruses by updating the feature code library in time. Meanwhile, newly appearing viruses are extremely difficult to identify because no feature code exists for them.
Summary of the invention
The technical problem to be solved by the embodiments of the present invention is to provide a method and device for identifying viruses that achieve comprehensive identification of viruses, including known virus prototypes, known virus variants and some new viruses.
A method for identifying viruses provided by an embodiment of the present invention comprises:
Receiving the data stream of a file;
Determining the number of file fragments N of the file according to a preset policy, where N is an integer greater than 1;
Dividing the file into N sub-files according to the number of file fragments N and the semantic end marks in the file;
Using a hashing algorithm to calculate the hashed values of the N sub-files in sequence;
Splicing the hashed values of the N sub-files in sequence to form a feature code;
Comparing the feature code with the standard feature codes in a known feature code database;
If the known feature code database contains a standard feature code whose similarity to the feature code is higher than a preset similarity, judging the file to be a virus.
In a specific embodiment of the above method, judging the file to be a virus if the known feature code database contains a standard feature code whose similarity to the feature code is higher than the preset similarity comprises:
If the known feature code database contains a standard feature code that is completely identical to the feature code, judging the file to be a virus prototype;
If the known feature code database contains a standard feature code whose similarity to the feature code is less than 1 and higher than the preset similarity, judging the file to be a virus variant or a partly new virus.
In a specific embodiment of the above method, using a hashing algorithm to calculate the hashed values of the N sub-files in sequence comprises:
Using a hash algorithm to calculate the hash values of the N sub-files in sequence;
Splicing the hashed values of the N sub-files in sequence comprises: splicing the hash values of the N sub-files in sequence.
In a specific embodiment of the above method, the hash algorithm comprises the message digest algorithm MD5;
The hash value comprises a file digest.
In a specific embodiment of the above method, after the file is judged to be a virus, the method further comprises:
Adding the feature code to the feature code library as a standard feature code.
A device for identifying viruses provided by an embodiment of the present invention comprises:
A receiving unit, for receiving the data stream of a file;
A determining unit, for determining the number of file fragments N of the file according to a preset policy, where N is an integer greater than 1;
A splitting unit, for dividing the file into N sub-files according to the number of file fragments N and the semantic end marks in the file;
A computing unit, for using a hashing algorithm to calculate the hashed values of the N sub-files in sequence;
A splicing unit, for splicing the hashed values of the N sub-files in sequence to form a feature code;
A comparison unit, for comparing the feature code with the standard feature codes in a known feature code database;
A judging unit, for judging, according to the comparison result of the comparison unit, the file to be a virus if the known feature code database contains a standard feature code whose similarity to the feature code is higher than a preset similarity.
In a specific embodiment of the above device, the judging unit, according to the comparison result of the comparison unit, judges the file to be a virus prototype if the known feature code database contains a standard feature code that is completely identical to the feature code, and judges the file to be a virus variant or a partly new virus if the known feature code database contains a standard feature code whose similarity to the feature code is less than 1 and higher than the preset similarity.
In a specific embodiment of the above device, the computing unit uses a hash algorithm to calculate the hash values of the N sub-files in sequence;
The splicing unit splices the hash values of the N sub-files in sequence.
In a specific embodiment of the above device, the hash algorithm comprises the message digest algorithm MD5;
The hash value comprises a file digest.
In a specific embodiment of the above device, the device further comprises a known feature code database for storing standard feature codes, each standard feature code corresponding to one virus;
The judging unit is further used, after the file is judged to be a virus, to add the feature code to the feature code library as a standard feature code.
With the virus identification method and device provided by the above embodiments of the present invention, after the data stream of a file is received, the number of file fragments N of the file is determined according to a preset policy, and the file is divided into N sub-files according to the number of file fragments N and the semantic end marks in the file; a hashing algorithm is used to calculate the hashed values of the N sub-files in sequence, and the hashed values of the N sub-files are spliced in sequence to form a feature code; the feature code is then compared with the standard feature codes in the known feature code database; if the known feature code database contains a standard feature code whose similarity to the feature code is higher than the preset similarity, the file is judged to be a virus. The embodiments of the present invention divide the file to be detected into multiple parts, calculate a hashed value for each part, and combine these into the feature code used for the judgment; viruses are then identified by a similarity judgment against the standard feature codes corresponding to known virus prototypes rather than by an exact-match judgment. Compared with the prior-art approach of detecting viruses by absolute comparison of a feature code of the whole file, the embodiments achieve comprehensive identification of viruses, including known virus prototypes, known virus variants and some new viruses. Moreover, because one feature code of the embodiments can match multiple viruses and their variants or some new viruses, the number of standard feature codes required per virus can be greatly reduced.
The technical solution of the present invention is described in further detail below with reference to the drawings and embodiments.
Brief description of the drawings
The drawings, which form a part of the specification, describe embodiments of the present invention and, together with the description, serve to explain the principles of the present invention.
The present invention can be understood more clearly from the following detailed description with reference to the drawings, in which:
Fig. 1 is a flowchart of an embodiment of the virus identification method of the present invention.
Fig. 2 is a structural diagram of an embodiment of the virus identification device of the present invention.
Detailed description of the embodiments
Various exemplary embodiments of the present invention are now described in detail with reference to the drawings. It should be noted that, unless otherwise specified, the relative arrangement of the components and steps, the numerical expressions and the numerical values set forth in these embodiments do not limit the scope of the present invention.
It should also be understood that, for convenience of description, the sizes of the parts shown in the drawings are not drawn to actual scale.
The following description of at least one exemplary embodiment is merely illustrative and in no way limits the present invention or its application or use.
Techniques, methods and apparatus known to a person of ordinary skill in the relevant art may not be discussed in detail but, where appropriate, should be regarded as part of the specification.
In all examples shown and discussed here, any specific value should be construed as merely exemplary and not as a limitation. Other examples of the exemplary embodiments may therefore have different values.
It should be noted that similar reference numerals and letters denote similar items in the following drawings; once an item is defined in one drawing, it therefore need not be discussed further in subsequent drawings.
Fig. 1 is a flowchart of an embodiment of the virus identification method of the present invention. As shown in Fig. 1, the virus identification method of this embodiment comprises:
110. Receive the data stream of a file. The received file is the file to be detected.
120. Determine the number of file fragments N of the file to be detected according to a preset policy, where N is an integer greater than 1.
As an example of determining N according to a preset policy, the number of file fragments N of the file to be detected can be determined from information such as the traffic type, the source and destination addresses, the file size and the file type of the file to be detected. For example, the fragment number for files of each traffic type, the fragment number corresponding to each file size, and so on can be set in advance.
130. Divide the file into N sub-files according to the number of file fragments N and the semantic end marks in the file to be detected.
The semantic end marks can be set in advance, for example the comma (,), the semicolon (;), the period (.) and so on.
140. Use a hashing algorithm to calculate the hashed values of the N sub-files in sequence.
150. Splice the hashed values of the N sub-files in sequence to form a feature code.
160. Compare the feature code with the standard feature codes in the known feature code database. For example, a content-based text similarity matching algorithm can be used to match the feature code against the standard feature codes in the known feature code database. Each standard feature code corresponds to one virus.
170. If the known feature code database contains a standard feature code whose similarity to the feature code is higher than a preset similarity, judge the file to be detected to be a virus.
The preset similarity is, for example, a similarity of 80%.
With the virus identification method provided by the above embodiment of the present invention, after the data stream of a file is received, the number of file fragments N of the file is determined according to a preset policy, and the file is divided into N sub-files according to the number of file fragments N and the semantic end marks in the file; a hashing algorithm is used to calculate the hashed values of the N sub-files in sequence, and the hashed values of the N sub-files are spliced in sequence to form a feature code; the feature code is then compared with the standard feature codes in the known feature code database; if the known feature code database contains a standard feature code whose similarity to the feature code is higher than the preset similarity, the file is judged to be a virus. The embodiments of the present invention divide the file to be detected into multiple parts, calculate a hashed value for each part, and combine these into the feature code used for the judgment; viruses are then identified by a similarity judgment against the standard feature codes corresponding to known virus prototypes rather than by an exact-match judgment. Compared with the prior-art approach of detecting viruses by absolute comparison of a feature code of the whole file, the embodiments achieve comprehensive identification of viruses, including known virus prototypes, known virus variants and some new viruses. Moreover, because one feature code of the embodiments can match multiple viruses and their variants or some new viruses, the number of standard feature codes required per virus can be greatly reduced.
As a specific, non-limiting example of the virus identification method embodiment of the present invention, in operation 170 of the embodiment shown in Fig. 1, judging the file to be a virus if the known feature code database contains a standard feature code whose similarity to the feature code is higher than the preset similarity can specifically comprise:
If the known feature code database contains a standard feature code that is completely identical to the feature code, judging the file to be detected to be a virus prototype;
If the known feature code database contains a standard feature code whose similarity to the feature code is less than 1 and higher than the preset similarity, judging the file to be detected to be a virus variant or a partly new virus.
As a specific, non-limiting example of the virus identification method embodiment of the present invention, in operation 140 of the embodiment shown in Fig. 1, using a hashing algorithm to calculate the hashed values of the N sub-files in sequence can be realized as follows: a hash algorithm is used to calculate the hash values of the N sub-files in sequence. Correspondingly, in operation 150, splicing the hashed values of the N sub-files in sequence is specifically: splicing the hash values of the N sub-files in sequence.
As an example, the above hash algorithm can specifically be the message digest algorithm (MD5), also called a digest algorithm. Correspondingly, the hash value of a sub-file is specifically a file digest. In addition, other hash algorithms, for example MD4, can also be used in the embodiments of the present invention.
In another embodiment of the virus identification method of the present invention, after the file is judged to be a virus, the spliced feature code can also be added to the feature code library as a standard feature code, so that the feature code library is updated in time and known virus variants or some new viruses are identified more comprehensively.
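The method of operations 110 to 170, sketched in Python as an added example that is not part of the patent text. The size-based policy, the rule that moves each cut forward to the next end mark, the use of `difflib.SequenceMatcher` as the similarity measure, the exclusion of empty-piece digests from the comparison, and all sample data are assumptions of this sketch.

```python
import hashlib
from difflib import SequenceMatcher

END_MARKS = b",;."                      # semantic end marks named on the page
HEX = 32                                # length of one MD5 hex digest
EMPTY = hashlib.md5(b"").hexdigest()    # digest of an empty piece

# Assumed preset policy: (maximum file size in bytes, N); N is always > 1.
SIZE_POLICY = ((4096, 8), (1 << 20, 16))


def fragment_count(data):
    """Operation 120: pick N from the assumed size policy."""
    for max_size, n in SIZE_POLICY:
        if len(data) <= max_size:
            return n
    return 32


def split_on_end_marks(data, n):
    """Operation 130: aim each cut at i*len/N, then move it forward so that
    every piece ends just after a semantic end mark (assumed rule)."""
    pieces, start = [], 0
    for i in range(1, n):
        target = max(start, i * len(data) // n)
        cut = next((j + 1 for j in range(max(target, 1) - 1, len(data))
                    if data[j] in END_MARKS), len(data))
        pieces.append(data[start:cut])
        start = cut
    pieces.append(data[start:])
    return pieces                       # always N pieces, some possibly empty


def feature_code(data):
    """Operations 140-150: MD5 each piece in order and splice the digests."""
    pieces = split_on_end_marks(data, fragment_count(data))
    return "".join(hashlib.md5(p).hexdigest() for p in pieces)


def similarity(code_a, code_b):
    """Operation 160: share of per-piece digests the two codes have in common.
    Digests of empty pieces are dropped; otherwise two unrelated files with
    no end marks would share N-1 identical 'empty' digests."""
    def digests(code):
        parts = [code[i:i + HEX] for i in range(0, len(code), HEX)]
        return [d for d in parts if d != EMPTY]
    a, b = digests(code_a), digests(code_b)
    if not a or not b:
        return 0.0
    return SequenceMatcher(None, a, b, autojunk=False).ratio()


def identify(data, library, threshold=0.8, learn=False):
    """Operation 170. library maps standard feature code -> virus name.
    Returns (verdict, matched virus name, best similarity)."""
    code = feature_code(data)
    if code in library:                 # completely identical: prototype
        return "prototype", library[code], 1.0
    name, best = None, 0.0
    for std, virus in library.items():
        score = similarity(code, std)
        if score > best:
            name, best = virus, score
    if best > threshold:                # above preset similarity: variant
        if learn:                       # optional library update (L136)
            library[code] = name
        return "variant_or_new", name, best
    return "clean", None, best


# Constructed sample inputs: eight statements of equal length, one patched.
PROTOTYPE = b"".join(b"call step_%02d(arg);" % i for i in range(8))
VARIANT = PROTOTYPE.replace(b"step_05", b"stop_05")
BENIGN = b"".join(b"print report_%02d(now);" % i for i in range(8))

if __name__ == "__main__":
    lib = {feature_code(PROTOTYPE): "Constructed.A"}
    for label, sample in (("prototype", PROTOTYPE), ("variant", VARIANT),
                          ("benign", BENIGN)):
        whole_file = hashlib.md5(sample).hexdigest() == hashlib.md5(PROTOTYPE).hexdigest()
        print(label, "whole-file MD5 match:", whole_file, identify(sample, lib))
```

The patched sample changes one of eight pieces, so a whole-file MD5 no longer matches while the spliced feature code still scores 0.875 against the prototype, above the 80% example threshold.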
Fig. 2 is a structural diagram of an embodiment of the virus identification device of the present invention. The virus identification device of this embodiment can be used to carry out each of the above virus identification method embodiments of the present invention. As shown in Fig. 2, it comprises a receiving unit 210, a determining unit 220, a splitting unit 230, a computing unit 240, a splicing unit 250, a comparison unit 260 and a judging unit 270, where:
The receiving unit 210 is used to receive the data stream of a file; this file is the file to be detected on which virus detection is to be performed.
The determining unit 220 is used to determine, according to a preset policy, the number of file fragments N of the file to be detected received by the receiving unit 210, where N is an integer greater than 1.
The splitting unit 230 is used to divide the file to be detected into N sub-files according to the number of file fragments N and the semantic end marks in the file to be detected.
The computing unit 240 is used to calculate the hashed values of the N sub-files in sequence with a hashing algorithm.
The splicing unit 250 is used to splice the hashed values of the N sub-files in sequence to form a feature code.
The comparison unit 260 is used to compare the feature code formed by the splicing unit 250 with the standard feature codes in the known feature code database.
The judging unit 270 is used to judge, according to the comparison result of the comparison unit 260, the file to be detected to be a virus if the known feature code database contains a standard feature code whose similarity to the feature code is higher than a preset similarity.
With the virus identification device provided by the above embodiment of the present invention, after the data stream of a file is received, the number of file fragments N of the file is determined according to a preset policy, and the file is divided into N sub-files according to the number of file fragments N and the semantic end marks in the file; a hashing algorithm is used to calculate the hashed values of the N sub-files in sequence, and the hashed values of the N sub-files are spliced in sequence to form a feature code; the feature code is then compared with the standard feature codes in the known feature code database; if the known feature code database contains a standard feature code whose similarity to the feature code is higher than the preset similarity, the file is judged to be a virus. The embodiments of the present invention divide the file to be detected into multiple parts, calculate a hashed value for each part, and combine these into the feature code used for the judgment; viruses are then identified by a similarity judgment against the standard feature codes corresponding to known virus prototypes rather than by an exact-match judgment. Compared with the prior-art approach of detecting viruses by absolute comparison of a feature code of the whole file, the embodiments achieve comprehensive identification of viruses, including known virus prototypes, known virus variants and some new viruses. Moreover, because one feature code of the embodiments can match multiple viruses and their variants or some new viruses, the number of standard feature codes required per virus can be greatly reduced.
As a specific, non-limiting example of the virus identification device embodiment of the present invention, the judging unit 270 can, according to the comparison result of the comparison unit 260, judge the file to be detected to be a virus prototype if the known feature code database contains a standard feature code that is completely identical to the feature code, and judge the file to be detected to be a virus variant or a partly new virus if the known feature code database contains a standard feature code whose similarity to the feature code is less than 1 and higher than the preset similarity.
As a specific, non-limiting example of the virus identification device embodiment of the present invention, the computing unit 240 can use a hash algorithm to calculate the hash values of the N sub-files in sequence. Correspondingly, the splicing unit 250 splices the hash values of the N sub-files in sequence. As an example, this hash algorithm can comprise the message digest algorithm MD5; correspondingly, the hash value comprises a file digest.
Referring again to Fig. 2, another embodiment of the virus identification device of the present invention can further comprise a known feature code database 280 for storing standard feature codes, each of which corresponds to one virus. In this embodiment, the judging unit 270 can also be used, after the file to be detected is judged to be a virus, to add its corresponding feature code to the feature code library as a standard feature code.
The embodiments in this specification are described in a progressive manner; each embodiment emphasizes its differences from the other embodiments, and the same or similar parts of the embodiments can be cross-referenced. Because the device embodiment is substantially similar to the method embodiment, its description is relatively brief; for the relevant parts, refer to the description of the method embodiment.
The method and device of the present invention may be realized in many ways. For example, they can be realized by software, hardware, firmware, or any combination of software, hardware and firmware. The above order of the steps of the method is for description only, and the steps of the method of the present invention are not limited to the order specifically described above unless otherwise specified. In addition, in some embodiments the present invention can also be implemented as programs recorded on a recording medium, these programs comprising machine-readable instructions for realizing the method according to the present invention. The present invention therefore also covers recording media that store programs for carrying out the method according to the present invention.
A person of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be completed by hardware under the control of program instructions. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes various media that can store program code, such as ROM, RAM, magnetic disks or optical discs.
Compared with the prior-art approach of detecting viruses by absolute comparison of a feature code of the whole file, the embodiments of the present invention achieve comprehensive identification of viruses, including known virus prototypes, known virus variants and some new viruses. Moreover, because one feature code of the embodiments can match multiple viruses and their variants or some new viruses, the number of standard feature codes required per virus can be greatly reduced.
The description of the present invention is given for the purposes of illustration and description and is not exhaustive, nor does it limit the present invention to the disclosed form. Many modifications and variations are obvious to a person of ordinary skill in the art. The embodiments were selected and described to better explain the principles and practical application of the present invention, and to enable a person of ordinary skill in the art to understand the present invention and so design various embodiments, with various modifications, suited to particular uses.

Claims (10)

1. A method for identifying viruses, characterized by comprising:
Receiving the data stream of a file;
Determining the number of file fragments N of the file according to a preset policy, where N is an integer greater than 1;
Dividing the file into N sub-files according to the number of file fragments N and the semantic end marks in the file;
Using a hashing algorithm to calculate the hashed values of the N sub-files in sequence;
Splicing the hashed values of the N sub-files in sequence to form a feature code;
Comparing the feature code with the standard feature codes in a known feature code database;
If the known feature code database contains a standard feature code whose similarity to the feature code is higher than a preset similarity, judging the file to be a virus.
2. The method according to claim 1, characterized in that judging the file to be a virus if the known feature code database contains a standard feature code whose similarity to the feature code is higher than the preset similarity comprises:
If the known feature code database contains a standard feature code that is completely identical to the feature code, judging the file to be a virus prototype;
If the known feature code database contains a standard feature code whose similarity to the feature code is less than 1 and higher than the preset similarity, judging the file to be a virus variant or a partly new virus.
3. The method according to claim 2, characterized in that using a hashing algorithm to calculate the hashed values of the N sub-files in sequence comprises:
Using a hash algorithm to calculate the hash values of the N sub-files in sequence;
Splicing the hashed values of the N sub-files in sequence comprises: splicing the hash values of the N sub-files in sequence.
4. The method according to claim 3, characterized in that the hash algorithm comprises the message digest algorithm MD5;
The hash value comprises a file digest.
5. The method according to any one of claims 1 to 4, characterized in that, after the file is judged to be a virus, the method further comprises:
Adding the feature code to the feature code library as a standard feature code.
6. a viral device for identifying, is characterized in that, comprising:
Receiving element, for receiving the data stream of file;
Determining unit, counts N for the file fragmentation of determining described file according to preset strategy, and wherein, the value of N is to be greater than 1 integer;
Cutting unit, for count the semantic end mark of N and described file according to file fragmentation, is divided into N sheet son file by described file;
Computing unit, for using successively hashing algorithm to calculate the hashed value of N sheet son file;
Concatenation unit, for successively the hashed value of described N sheet son file being spliced, forms condition code;
Contrast unit, for contrasting the standard feature code in described condition code and known features code data storehouse;
Identifying unit, for according to the comparing result of contrast unit, if exist in known features code data storehouse and the similarity of the described condition code standard feature code higher than default similarity, judges that described file is as virus.
7. device according to claim 6, is characterized in that, described identifying unit, specifically according to the comparing result of contrast unit, if exist and the on all four standard feature code of described condition code in known features code data storehouse, judges that described file is as Prototype; Be less than 1 and higher than the standard feature code of default similarity if exist in known features code data storehouse with the similarity of described condition code, judge that described file is as virus mutation or part new virus.
8. device according to claim 7, is characterized in that, described computing unit specifically adopts hash algorithm to calculate the cryptographic hash of N sheet son file successively;
Described concatenation unit, specifically splices the cryptographic hash of described N sheet son file successively.
9. device according to claim 8, is characterized in that, described hash algorithm comprises message digest algorithm MD5;
Described cryptographic hash comprises document.
10. The device according to any one of claims 6 to 9, characterized in that it further comprises a known feature code database, configured to store standard feature codes, each standard feature code corresponding to a virus;
The identifying unit is further configured to add the condition code to the feature code database as a standard feature code after determining that the file is a virus.
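The pipeline of claims 6 to 10 (cut, hash, splice, compare, decide, store) can be sketched as follows. This is an added example, not code from the patent. The newline end mark, the cut policy, the position-wise similarity metric, the 0.6 threshold and the name "Sample.A" are all assumptions.

```python
import hashlib

END_MARK = b"\n"   # assumed semantic end mark (end of a line/statement)
HEX_LEN = 32       # length of one MD5 hex digest

def split_file(data, n):
    """Cut data into n sub-files, moving each nominal cut (len/n) forward
    to the next end mark so no statement is split (assumed policy)."""
    step, pieces, start = max(1, len(data) // n), [], 0
    for i in range(1, n):
        cut = max(start, i * step)
        hit = data.find(END_MARK, max(start, cut - len(END_MARK)))
        cut = len(data) if hit < 0 else hit + len(END_MARK)
        pieces.append(data[start:cut])
        start = cut
    pieces.append(data[start:])
    return pieces

def condition_code(data, n):
    """Hash each sub-file in order with MD5 and splice the digests."""
    return "".join(hashlib.md5(p).hexdigest() for p in split_file(data, n))

def similarity(code_a, code_b):
    """Fraction of sub-file hashes equal at the same position (assumed metric)."""
    if len(code_a) != len(code_b):
        return 0.0
    idx = range(0, len(code_a), HEX_LEN)
    return sum(code_a[i:i + HEX_LEN] == code_b[i:i + HEX_LEN] for i in idx) / len(idx)

def identify(data, database, n=4, threshold=0.6):
    """Return (verdict, matched name, similarity); database maps code -> name."""
    code = condition_code(data, n)
    name, best = max(((v, similarity(code, k)) for k, v in database.items()),
                     key=lambda t: t[1], default=(None, 0.0))
    if best == 1.0:
        return "prototype", name, best
    if best > threshold:
        database[code] = name + " (variant)"  # claim 10: store as new standard code
        return "variant", name, best
    return "clean", None, best

# Constructed sample files: eight one-line statements each, no real malware.
KNOWN = b"".join(b"stmt_%d = routine_%d()\n" % (i, i) for i in range(8))
VARIANT = KNOWN.replace(b"routine_6", b"routine_X")  # same size, last piece differs
UNRELATED = b"".join(b"print(%d)\n" % i for i in range(8))

if __name__ == "__main__":
    db = {condition_code(KNOWN, 4): "Sample.A"}
    for label, blob in (("known", KNOWN), ("variant", VARIANT), ("other", UNRELATED)):
        print(label, identify(blob, db))
```

Under this assumed cut policy the boundaries depend on total file length, so an insertion that changes the size can shift every cut and every piece hash. The same-size variant here changes only one of the four pieces.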
CN201210578798.9A 2012-12-27 2012-12-27 Method and device for identifying viruses Pending CN103902898A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210578798.9A CN103902898A (en) 2012-12-27 2012-12-27 Method and device for identifying viruses

Publications (1)

Publication Number Publication Date
CN103902898A true CN103902898A (en) 2014-07-02

Family

ID=50994210

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210578798.9A Pending CN103902898A (en) 2012-12-27 2012-12-27 Method and device for identifying viruses

Country Status (1)

Country Link
CN (1) CN103902898A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101908116A (en) * 2010-08-05 2010-12-08 潘燕辉 Computer safeguard system and method
WO2010151332A1 (en) * 2009-06-26 2010-12-29 Hbgary, Inc. Fuzzy hash algorithm
CN102811213A (en) * 2011-11-23 2012-12-05 北京安天电子设备有限公司 Fuzzy hashing algorithm-based malicious code detection system and method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
DUSTIN HURLBUT: "Fuzzy Hashing for Digital Forensic Investigators", 《ACCESSDATA》 *
涂浩 (Tu Hao): "An Efficient Automatic Worm Defense System Based on Feature Extraction", 《小型微型计算机系统》 *

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016119279A1 (en) * 2015-01-26 2016-08-04 武汉安天信息技术有限责任公司 Mobile terminal malicious code detection method and apparatus
CN108008960A (en) * 2017-11-09 2018-05-08 北京航空航天大学 A kind of feature code generating method towards critical software binary file
CN110363002A (en) * 2019-07-16 2019-10-22 杭州安恒信息技术股份有限公司 A kind of intrusion detection method, device, equipment and readable storage medium storing program for executing
CN111143829A (en) * 2019-12-25 2020-05-12 北京天融信网络安全技术有限公司 Method and device for determining task risk degree, electronic equipment and storage medium
CN111143829B (en) * 2019-12-25 2022-04-26 北京天融信网络安全技术有限公司 Method and device for determining task risk degree, electronic equipment and storage medium
CN111967012A (en) * 2020-07-13 2020-11-20 复旦大学 Abstract generation method for C/C + + code vulnerability patch
CN111967012B (en) * 2020-07-13 2024-03-08 复旦大学 Digest generation method for C/C++ code vulnerability patch
CN116738428A (en) * 2023-08-14 2023-09-12 苏州浪潮智能科技有限公司 File dynamic virus detection method and device, electronic equipment and storage medium
CN116738428B (en) * 2023-08-14 2023-11-10 苏州浪潮智能科技有限公司 File dynamic virus detection method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20140702
