CN103942491A - Internet malicious code disposal method - Google Patents


Info

Publication number
CN103942491A
Application number
CN201310729190.6A
Authority
CN (China)
Prior art keywords
malicious code
suspicious sample
suspicious
analysis
internet
Prior art date
2013-12-25
Other languages
Chinese (zh)
Inventors
严寒冰
李轶夫
王永刚
赵忠华
姚珊
徐剑
Original assignee
国家计算机网络与信息安全管理中心 (National Computer Network and Information Security Management Center)
Priority date
2013-12-25
Filing date
2013-12-25
Publication date
2014-07-23

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

The invention discloses an Internet malicious code disposal method comprising three steps. First, suspicious sample matching: the hash value of the suspicious sample file is computed and compared against the samples already analysed to decide whether the sample has been analysed; if so, the stored analysis result for the sample is returned directly, otherwise the second step is executed. Second, an antivirus engine is invoked to scan the unanalysed suspicious sample and decide whether it is a known malicious code; if so, the information on that malicious code is retrieved, otherwise the third step is executed. Third, if the suspicious sample is an unknown malicious code, comprehensive dynamic analysis is performed and a malicious code analysis report is produced. With this method, suspicious code of many kinds can be analysed automatically and quickly, a malicious code analysis report is generated, and a basis is provided for developing methods of defending against and removing the malicious code.

Description

Internet malicious code disposal method

Technical field

The present invention relates to the field of Internet technology, and in particular to an Internet malicious code disposal method.

Background technology

While networks make it easy to share information and resources, their many transmission paths and complex application environments expose users to a range of security risks. In recent years, malicious code intrusion has become the primary security problem that ordinary users face when using computers and smartphones. At the mild end, a malicious code intrusion wastes system resources, tampers with the user's browser or pops up advertising pages; at the severe end it steals user data and confidential documents, or even destroys the system by deleting files or formatting disks, causing the user heavy economic loss. For an enterprise, the leakage of internal sensitive information or the destruction of the internal network can be fatal.

Against this background, a fast malicious code analysis system that can quickly and effectively identify the dangerous behaviour of malicious code provides a sound basis for blocking and removing it. Malicious code analysis techniques fall into two main kinds: static analysis and dynamic analysis.

Static analysis examines the static features and functional modules of malicious code with analysis tools, without running the code. It can recover the feature strings and signature code sections of the malicious code, and also its functional modules and the control flow of each module. Its advantage is that the analysis system is not exposed to damage from executing the malicious code. Since malicious code is ultimately made of machine instructions, static analysis methods divide, according to whether the analysis considers the semantics of those instructions, into methods based on code features (signatures) and methods based on code semantics. Traditional static analysis based on code features cannot stop the growing number of unknown malicious codes. Current malicious code employs metamorphism, obfuscation and polymorphism, so signature-based analysis cannot analyse it accurately and suffers high false-negative and false-positive rates. At present the number of kinds of viruses, Trojans and other illegal programs is growing sharply, variants appear ever faster, the damage they cause is increasingly serious, and signature extraction necessarily lags behind the appearance of the illegal program.

Dynamic analysis judges whether a program is suspicious from its dynamic behavioural features (for example, setting an auto-start item in the registry). To achieve its goal, malicious code must perform certain operations on the system, such as adding startup items, making network connections, creating processes, and operating on the registry and on files. By executing the malicious code in a virtual environment and recording its behaviour while it runs, more faithful information about the malicious code can be obtained. Because dynamic behaviour analysis can detect malicious programs whose signatures are unknown, it has become a focus of research in anti-virus and anti-Trojan work both in China and abroad.

Summary of the invention

The technical problem to be solved by the present invention is to provide an Internet malicious code disposal method that addresses the high false-negative and false-positive rates of malicious code analysis in the prior art.

To solve the above technical problem, the invention provides an Internet malicious code disposal method comprising:

Step S101: match the suspicious sample. Compute the hash value of the suspicious sample file and compare it against the samples already analysed to decide whether the sample has been analysed; if so, return the existing analysis result for the sample directly; if not, go to step S102.

Step S102: for a suspicious sample that has not been analysed, invoke an antivirus engine to scan it and decide whether it is a known malicious code; if so, obtain the information on that malicious code; if not, go to step S103.

Step S103: when the suspicious sample is an unknown malicious code, perform comprehensive dynamic analysis and obtain a malicious code analysis report.

Further, when the malicious code of the suspicious sample is computer malicious code, dynamic analysis is performed using virtual machine technology.

Further, when the target platform of the suspicious sample is a mobile phone, the malicious program is run in an emulator or on a real handset, its dynamic behaviour during execution is recorded, and the phone's factory-reset function is used to restore the analysis environment.

Further, the suspicious sample is uploaded to the server side through a client.

Further, after the suspicious sample uploaded by the client is received, it is stored, and the sample information together with the pending analysis task is recorded in the user information database.

Further, the suspicious sample is dynamically launched in a virtual machine environment and its behaviour is monitored; when the analysis finishes, the result is stored in the user information database.

The beneficial effects of the present invention are as follows:

The present invention combines static analysis with dynamic analysis to analyse, automatically and quickly, malicious code of many kinds for both computer systems and smartphone systems, and to generate a malicious code analysis report. For known malicious code the report gives its name, hazard rating and similar information; for unknown malicious code it describes the code's features and behaviour accurately and comprehensively, providing a basis for studying methods of defending against and removing the malicious code.

Brief description of the drawings

Fig. 1 is a flow chart of an Internet malicious code disposal method in an embodiment of the present invention.

Embodiment

The present invention is described in further detail below with reference to the drawing and the embodiment. It should be understood that the specific embodiment described here serves only to explain the invention and does not limit it.

As shown in Fig. 1, the embodiment of the present invention concerns an Internet malicious code disposal method comprising:

Step S101: match the suspicious sample. Compute the hash value of the suspicious sample file and compare it against the samples already analysed to decide whether the sample has been analysed; if so, return the existing analysis result for the sample directly, which shortens the analysis time; if not, go to step S102.

Step S102: for a suspicious sample that has not been analysed, invoke an antivirus engine to scan it and decide whether it is a known malicious code; if so, obtain the information on that malicious code, for example its name, kind and hazard rating; if not, go to step S103.

Step S103: when the suspicious sample is an unknown malicious code, perform comprehensive dynamic analysis and obtain a malicious code analysis report.

In this step the suspicious sample is classified by its target platform as computer malicious code or mobile phone malicious code. Computer malicious code is analysed dynamically using virtual machine technology: inside a virtual machine the dynamic behaviour of the malicious code can be exhibited completely, and the analysis environment is easy to restore. For mobile phone malicious code, the malicious program is run in an emulator or on a real handset, its dynamic behaviour during execution is recorded, and the phone's factory-reset function is used to restore the analysis environment.
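The three-step procedure above (cached verdict, antivirus scan, dynamic analysis with a behaviour report), as an added Python example written for this page; it is not code from the patent or its assignee. The names Triage, Verdict and fake_sandbox are hypothetical. The antivirus engine is stood in for by a byte-pattern table, the virtual machine by a function that returns a constructed behaviour trace, and the event weights and hazard thresholds are assumptions the patent does not specify. One deliberate departure: the patent matches samples on MD5, but a verdict cache keyed on a hash with practical collisions can be pre-seeded with a benign verdict for one file and then serve it for a colliding malicious one, so the example keys the cache on SHA-256.

```python
"""Three-stage sample triage: verdict cache, signature scan, dynamic behaviour report.

Added example written for this page; it is not code from the patent. Class and
function names (Triage, Verdict, fake_sandbox) are hypothetical, and the event
weights and hazard thresholds are assumptions, not something the patent specifies.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Behaviour kinds the description says the sandbox records (file, process,
# registry, network, startup item), with assumed weights for the hazard rating.
EVENT_WEIGHTS = {
    "file_write": 1,
    "process_create": 2,
    "network_connect": 3,
    "registry_autorun": 4,   # startup item under a Run key
}

Event = Tuple[str, str]      # (kind, detail)


@dataclass
class Verdict:
    sha256: str
    stage: str                # "signature" (step S102) or "dynamic" (step S103)
    malicious: bool
    name: Optional[str] = None
    hazard: str = "unknown"
    events: List[Event] = field(default_factory=list)


class Triage:
    def __init__(self, signatures: List[Tuple[bytes, str, str]],
                 sandbox: Callable[[bytes], List[Event]]):
        self.cache = {}               # S101 store: digest -> Verdict of analysed samples
        self.signatures = signatures  # S102 engine stand-in: (byte pattern, name, hazard)
        self.sandbox = sandbox        # S103: runs the sample and returns its trace
        self.sandbox_runs = 0         # how many samples actually reached the sandbox

    @staticmethod
    def digest(data: bytes) -> str:
        # The patent keys the match on MD5; SHA-256 is used here because a verdict
        # cache keyed on a collision-broken hash can serve a benign verdict recorded
        # for one file to a colliding malicious file.
        return hashlib.sha256(data).hexdigest()

    def analyse(self, data: bytes) -> Verdict:
        h = self.digest(data)
        cached = self.cache.get(h)
        if cached is not None:                         # S101: already analysed
            return cached
        for pattern, name, hazard in self.signatures:  # S102: known malicious code
            if pattern in data:
                verdict = Verdict(h, "signature", True, name, hazard)
                break
        else:                                          # S103: unknown, run it
            self.sandbox_runs += 1
            verdict = self.report(h, self.sandbox(data))
        self.cache[h] = verdict
        return verdict

    @staticmethod
    def report(h: str, events: List[Event]) -> Verdict:
        """Turn a recorded behaviour trace into the analysis report for an unknown sample."""
        score = sum(EVENT_WEIGHTS.get(kind, 0) for kind, _ in events)
        hazard = "high" if score >= 6 else "medium" if score >= 3 else "low"
        return Verdict(h, "dynamic", score >= 3, None, hazard, events)


# Constructed test data: a one-entry signature table and a stand-in sandbox that
# returns a fixed trace, because a real virtual machine cannot run in this snippet.
SIGNATURES = [(b"EVIL_TROJAN_MARKER", "Trojan.Test.A", "high")]


def fake_sandbox(data: bytes) -> List[Event]:
    if b"beacon" in data:
        return [("file_write", r"C:\Users\u\AppData\Roaming\x.exe"),
                ("registry_autorun", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\x"),
                ("network_connect", "198.51.100.7:443")]
    return [("file_write", r"C:\Users\u\Documents\notes.txt")]


def demo():
    t = Triage(SIGNATURES, fake_sandbox)
    known = t.analyse(b"MZ...EVIL_TROJAN_MARKER...")   # decided at S102
    unknown = t.analyse(b"MZ...beacon...")             # reaches S103, graded high
    again = t.analyse(b"MZ...beacon...")               # resubmission: served from the S101 cache
    benign = t.analyse(b"MZ...hello...")               # reaches S103, graded low
    return known, unknown, again, benign, t.sandbox_runs


if __name__ == "__main__":
    for v in demo()[:4]:
        print(v.stage, v.malicious, v.name, v.hazard)
```

The cache stores the whole Verdict, so a resubmitted sample is answered without touching the antivirus engine or the sandbox, which is the time saving step S101 is there for; the counter `sandbox_runs` makes that visible.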

The method described above uses a distributed system that manages system resources globally: it can schedule network resources for a user at will, and the scheduling is transparent to the user. When a user submits a task, the distributed system, which comprises many distributed servers, selects the most suitable server and hands the user's task to it for processing. The user is unaware that several servers exist; the whole system appears to be a single server. To handle many tasks concurrently, the system uses several servers for the same function. At run time the different tasks received are executed by several distributed servers, with task assignment handled by the control centre, so that tasks are processed in parallel and the system processes them faster. There are three classes of distributed server: MD5 match servers, scan servers and analysis servers, and there can be several servers of each class. When assigning a task, the overall control centre first finds the servers of the type matching the kind of task, then assigns the new task to the server with the fewest pending tasks, thereby making better use of the distributed computing resources.
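The dispatch rule in the paragraph above (select the servers of the matching class, then the one with the fewest pending tasks), as an added Python example written for this page; it is not code from the patent. The names Server and ControlCentre are hypothetical, the server registry is constructed, and the mapping from steps S101 to S103 to server classes follows the three classes the description lists.

```python
"""Control-centre dispatch: route each task to the least-loaded server of its class.

Added example written for this page, not code from the patent. Names (Server,
ControlCentre) are hypothetical; the three server classes are the ones the
description lists, and "pending task count" is the load measure it names.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Server:
    name: str
    kind: str          # "match" | "scan" | "analyse"
    pending: int = 0   # tasks assigned but not yet finished


class ControlCentre:
    def __init__(self, servers):
        self.pool = defaultdict(list)      # server class -> registered servers
        for s in servers:
            self.pool[s.kind].append(s)

    def dispatch(self, kind: str) -> Server:
        """Pick the right server class first, then the member with the fewest pending
        tasks. min() keeps the first of equal candidates, so ties resolve to
        registration order and the choice is deterministic."""
        candidates = self.pool.get(kind)
        if not candidates:
            raise LookupError(f"no server registered for task kind {kind!r}")
        target = min(candidates, key=lambda s: s.pending)
        target.pending += 1
        return target

    def complete(self, server: Server) -> None:
        if server.pending == 0:
            raise ValueError(f"{server.name} has no pending task to complete")
        server.pending -= 1


# Step of the method -> server class that executes it (hash match, scan, analysis).
STAGE_TO_KIND = {"S101": "match", "S102": "scan", "S103": "analyse"}


def demo():
    cc = ControlCentre([Server("match-1", "match"),
                        Server("scan-1", "scan"), Server("scan-2", "scan"),
                        Server("analyse-1", "analyse")])
    # Three unmatched samples reach S102 together: they spread across scan-1/scan-2.
    first = [cc.dispatch(STAGE_TO_KIND["S102"]) for _ in range(3)]
    order = [s.name for s in first]
    cc.complete(first[0])           # scan-1 finishes one task: scan-1:1, scan-2:1
    cc.complete(first[2])           # scan-1 finishes the other: scan-1:0, scan-2:1
    next_server = cc.dispatch("scan").name
    return order, next_server


if __name__ == "__main__":
    print(demo())
```

Load is tracked only as an in-memory counter here; in a deployment the control centre would have to learn completions from the servers themselves (or time out lost tasks), otherwise a crashed server keeps its pending count and is never selected again.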

The distributed system comprises an automatic malicious code analysis subsystem, which consists of the following parts:

1. Client

The user logs in to the malicious code analysis system website through the client and uploads the suspicious sample to the server side over HTTP; the client receives the malicious code analysis report returned by the server side, presented as a web page.

2. Control centre

Responsible for coordinating the processing flow of the modules, including issuing processing commands to the modules and receiving the results of those commands. It is the management module that performs task scheduling for the distributed system.

3. Sample reception and registration

Receives the suspicious sample information uploaded by the client, saves the suspicious sample file to local disk, and records the sample information and the pending analysis task in the database.

4. Sample processing module

The sample processing module comprises a sample scanning submodule and a sample analysis submodule.

A. Sample scanning submodule:

Sample feature matching: matches the suspicious sample newly uploaded by the user against the samples analysed previously, using MD5 as the matching algorithm. If the match succeeds, the earlier analysis result is returned directly. This uses file feature matching, and the module has been implemented as a distributed system.

Antivirus engine scanning: suspicious samples that were not matched are scanned by an antivirus engine to decide whether they are known malicious code. If so, the name and other information on the malicious code is returned. This uses virus scanning technology, and the module has been implemented as a distributed system.

B. Sample analysis submodule

Sample behaviour analysis: in an environment such as a virtual machine, the suspicious sample is dynamically launched and its behaviour is monitored, chiefly its file, process, registry, network connection and startup item activity; when the analysis finishes, the result is stored in the user information database. This uses behaviour analysis and virtual machine technology, and the module has been implemented as a distributed system.

5. Report generation module

On receiving the report generation command issued by the control centre, this module reads the relevant information from the user information database, generates the malicious code analysis report, and returns it to the client.

6. User information database

Stores the sample information uploaded by the client; the analysis results for suspicious samples are also stored in the user information database, and the malicious code analysis report is ultimately generated from the contents of this database.

Although the preferred embodiments of the present invention have been disclosed for the purpose of illustration, those skilled in the art will recognise that various improvements, additions and substitutions are possible; the scope of the present invention should therefore not be limited to the embodiments described above.

Claims (6)

1. An Internet malicious code disposal method, characterised by comprising:
Step S101: match the suspicious sample. Compute the hash value of the suspicious sample file and compare it against the samples already analysed to decide whether the sample has been analysed; if so, return the existing analysis result for the sample directly; if not, go to step S102.
Step S102: for a suspicious sample that has not been analysed, invoke an antivirus engine to scan it and decide whether it is a known malicious code; if so, obtain the information on that malicious code; if not, go to step S103.
Step S103: when the suspicious sample is an unknown malicious code, perform comprehensive dynamic analysis and obtain a malicious code analysis report.
2. The Internet malicious code disposal method of claim 1, characterised in that, when the malicious code of the suspicious sample is computer malicious code, dynamic analysis is performed using virtual machine technology.
3. The Internet malicious code disposal method of claim 1, characterised in that, when the target platform of the suspicious sample is a mobile phone, the malicious program is run in an emulator or on a real handset, its dynamic behaviour during execution is recorded, and the phone's factory-reset function is used to restore the analysis environment.
4. The Internet malicious code disposal method of claim 2 or claim 3, characterised in that the suspicious sample is uploaded to the server side through a client.
5. The Internet malicious code disposal method of claim 4, characterised in that, after the suspicious sample uploaded by the client is received, it is stored, and the sample information together with the pending analysis task is recorded in the user information database.
6. The Internet malicious code disposal method of claim 5, characterised in that the suspicious sample is dynamically launched in a virtual machine environment and its behaviour is monitored; when the analysis finishes, the result is stored in the user information database.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310729190.6A CN103942491A (en) 2013-12-25 2013-12-25 Internet malicious code disposal method

Publications (1)

Publication Number Publication Date
CN103942491A (en) 2014-07-23

Family

ID=51190158

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310729190.6A CN103942491A (en) 2013-12-25 2013-12-25 Internet malicious code disposal method

Country Status (1)

Country Link
CN (1) CN103942491A (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5440723A (en) * 1993-01-19 1995-08-08 International Business Machines Corporation Automatic immune system for computers and computer networks
US7458099B1 (en) * 2002-10-07 2008-11-25 Symantec Corporation Selective detection of malicious computer code
US20090158432A1 (en) * 2007-12-12 2009-06-18 Yufeng Zheng On-Access Anti-Virus Mechanism for Virtual Machine Architecture
CN201477598U (en) * 2009-09-01 2010-05-19 北京鼎普科技股份有限公司 Terminal Trojan monitoring device
CN102254111A (en) * 2010-05-17 2011-11-23 北京知道创宇信息技术有限公司 Malicious site detection method and device
CN102663284A (en) * 2012-03-21 2012-09-12 南京邮电大学 Malicious code identification method based on cloud computing
CN102708309A (en) * 2011-07-20 2012-10-03 北京邮电大学 Automatic malicious code analysis method and system
CN102811213A (en) * 2011-11-23 2012-12-05 北京安天电子设备有限公司 Fuzzy hashing algorithm-based malicious code detection system and method
CN102930210A (en) * 2012-10-14 2013-02-13 江苏金陵科技集团公司 System and method for automatically analyzing, detecting and classifying malicious program behavior
US8490186B1 (en) * 2008-07-01 2013-07-16 Mcafee, Inc. System, method, and computer program product for detecting unwanted data based on scanning associated with a payload execution and a behavioral analysis

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
刘颖: "Research on Malicious Code Detection Technology in the Windows Environment" ("Windows环境恶意代码检测技术研究"), China Master's Theses Full-text Database, Information Science and Technology series *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104363240A (en) * 2014-11-26 2015-02-18 国家电网公司 Unknown threat comprehensive detection method based on information flow behavior validity detection
CN105897807A (en) * 2015-01-14 2016-08-24 江苏博智软件科技有限公司 Mobile intelligent terminal abnormal code cloud detection method based on behavioral characteristics
CN104573519A (en) * 2015-01-30 2015-04-29 北京瑞星信息技术有限公司 File scanning method and system
CN104573519B (en) * 2015-01-30 2018-04-13 北京瑞星网安技术股份有限公司 file scanning method and system
CN106874765A (en) * 2017-03-03 2017-06-20 努比亚技术有限公司 A kind of Malware hold-up interception method, device and terminal
CN106919840A (en) * 2017-03-03 2017-07-04 努比亚技术有限公司 The detection method and device of a kind of Malware

Similar Documents

Publication Publication Date Title
US9910988B1 (en) Malware analysis in accordance with an analysis plan
US10567386B2 (en) Split serving of computer code
US10021129B2 (en) Systems and methods for malware detection and scanning
US10218740B1 (en) Fuzzy hash of behavioral results
US9596255B2 (en) Honey monkey network exploration
US9715588B2 (en) Method of detecting a malware based on a white list
Costin et al. A large-scale analysis of the security of embedded firmwares
Feizollah et al. A study of machine learning classifiers for anomaly-based mobile botnet detection
CN103685575B (en) A kind of web portal security monitoring method based on cloud framework
EP2756437B1 (en) Device-tailored whitelists
CA2975395C (en) Methods and systems for identifying potential enterprise software threats based on visual and non-visual data
US9596257B2 (en) Detection and prevention of installation of malicious mobile applications
Tian et al. Differentiating malware from cleanware using behavioural analysis
US9519781B2 (en) Systems and methods for virtualization and emulation assisted malware detection
CA2797584C (en) Behavioral signature generation using clustering
EP2447877B1 (en) System and method for detection of malware and management of malware-related information
Alazab et al. Towards understanding malware behaviour by the extraction of API calls
Canali et al. Prophiler: a fast filter for the large-scale detection of malicious web pages
Lanzi et al. Accessminer: using system-centric models for malware protection
US9906547B2 (en) Mechanism to augment IPS/SIEM evidence information with process history snapshot and application window capture history
CN102314561B (en) Automatic analysis method and system of malicious codes based on API (application program interface) HOOK
US9300682B2 (en) Composite analysis of executable content across enterprise network
Bayer et al. A View on Current Malware Behaviors.
CN103617395B (en) Method, device and system for intercepting advertisement programs based on cloud security
US10375102B2 (en) Malicious web site address prompt method and router

Legal Events

Date Code Title Description
2014-07-23 C06 Publication
2014-07-23 PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 2014-07-23