CN104253797A - Identification method and device for worm virus - Google Patents


Publication number
CN104253797A
Authority
CN
China
Prior art keywords
identified
worm
file
type virus
characteristic information
Legal status
Pending
Application number
CN201310264357.6A
Other languages
Chinese (zh)
Inventor
舒鑫
张楠
赵闽
Current Assignee
Beijing Kingsoft Internet Security Software Co Ltd
Conew Network Technology Beijing Co Ltd
Shell Internet Beijing Security Technology Co Ltd
Zhuhai Juntian Electronic Technology Co Ltd
Beijing Kingsoft Internet Science and Technology Co Ltd
Original Assignee
Beijing Kingsoft Internet Security Software Co Ltd
Conew Network Technology Beijing Co Ltd
Shell Internet Beijing Security Technology Co Ltd
Zhuhai Juntian Electronic Technology Co Ltd
Beijing Kingsoft Internet Science and Technology Co Ltd
Application filed by Beijing Kingsoft Internet Security Software Co Ltd, Conew Network Technology Beijing Co Ltd, Shell Internet Beijing Security Technology Co Ltd, Zhuhai Juntian Electronic Technology Co Ltd, Beijing Kingsoft Internet Science and Technology Co Ltd
Priority to CN201310264357.6A
Publication of CN104253797A

Abstract

The invention provides a method and a device for identifying a worm virus. The method comprises the following steps: acquiring behavior characteristic information of a file to be identified during its operation; judging, according to the behavior characteristic information, whether the file to be identified is a worm virus; and, when the behavior represented by the behavior characteristic information conforms to the behavior characteristics of a worm virus, determining that the file to be identified is a worm virus. The technical scheme of the invention solves the technical problem of low identification accuracy in worm virus identification methods of the related art, improves the accuracy of worm virus identification, and effectively prevents the propagation and destructive behavior of worm viruses.

Description

Identification method and device for worm-type virus
Technical field
The present invention relates to the field of network communication, and in particular to a method and device for identifying worm-type viruses.
Background art
At present, worm-type viruses that propagate between networks and spread and replicate automatically emerge in an endless stream; their propagation methods and propagation conditions are varied, and correspondingly the ways of detecting and removing them are also varied.
In the related art, worm identification generally works by manually confirming whether a file is a worm and then extracting a signature, so that worms are identified by file signature values. This identification method has the following defects: first, manual determination is slow; second, because identification is based on existing static signatures, it lags behind newly appearing worms; and third, because signature extraction generally takes code-segment features at a few offsets, it is prone to misidentification, and if the code at those few locations is packed, padded with junk instructions or obfuscated, identification of the worm file becomes very difficult, so worm variants are almost impossible to identify by file signature values. Here, packing refers to compressing the code or resources of an executable file so that they are decompressed automatically at run time. Junk-instruction insertion refers to inserting, among the regular program instructions, instructions that disturb the disassembler without affecting program execution, which may be some jumps or some invalid code.
No effective solution to the above problems in the related art has yet been proposed.
Summary of the invention
In view of the technical problems in the related art, namely that worm-type virus identification methods have low identification accuracy, low efficiency and high manpower cost, the present invention provides a method and device for identifying worm-type viruses, so as to at least solve the above technical problems.
According to one aspect of the present invention, a method for identifying a worm-type virus is provided, comprising: obtaining behavior characteristic information of a file to be identified during its operation; judging, according to the behavior characteristic information, whether the file to be identified is a worm-type virus; and, when the behavior represented by the behavior characteristic information conforms to the behavioral characteristics of a worm-type virus, determining that the file to be identified is a worm-type virus.
Preferably, obtaining the behavior characteristic information of the file to be identified during its operation comprises at least one of the following processes: obtaining network operation information of the file to be identified; and obtaining information on the operations the file to be identified performs on the system registry.
Preferably, when the behavior characteristic information comprises the operation information of the system registry, obtaining the behavior characteristic information of the file to be identified during its operation comprises: after determining that the file to be identified is the worm-type virus, running the file to be identified repeatedly; during the repeated runs, monitoring the operations the file to be identified performs on the registry; determining an infection marker of the worm-type virus according to the change between the registry information after the operations and the initial registry information; and extracting the behavior characteristic information from the registry operation information marked by the infection marker.
Preferably, determining that the file to be identified is a worm-type virus when the behavior represented by the behavior characteristic information conforms to the behavioral characteristics of a worm-type virus comprises: when the behavior represented by the behavior characteristic information has propagation and destructiveness, determining that the file to be identified is the worm-type virus.
Preferably, after determining that the file to be identified is a worm-type virus, the method comprises: outputting the behavior characteristic information corresponding to the identified worm-type virus.
Preferably, after outputting the behavior characteristic information corresponding to the identified worm-type virus, the method comprises: intercepting the operating behavior of the identified worm-type virus according to the behavior characteristic information corresponding to the worm-type virus.
According to another aspect of the present invention, a device for identifying a worm-type virus is provided, comprising: an acquisition module for obtaining behavior characteristic information of a file to be identified during its operation; a judging module for judging, according to the behavior characteristic information, whether the file to be identified is a worm-type virus; and a determination module for determining that the file to be identified is a worm-type virus when the behavior represented by the behavior characteristic information conforms to the behavioral characteristics of a worm-type virus.
Preferably, the acquisition module is further configured to perform at least one of the following processes: obtaining network operation information of the file to be identified; and obtaining information on the operations the file to be identified performs on the system registry.
Preferably, the acquisition module comprises: a running unit for running the file to be identified repeatedly after it has been determined to be the worm-type virus; a monitoring unit for monitoring, during the repeated runs, the operations the file to be identified performs on the registry; a determining unit for determining the infection marker of the worm-type virus according to the change between the registry information after the operations and the initial registry information; and an extraction unit for extracting the behavior characteristic information from the registry operation information marked by the infection marker.
Preferably, the device further comprises: an output module for outputting the behavior characteristic information corresponding to the identified worm-type virus.
Preferably, the device further comprises: an interception module for intercepting the operating behavior of the identified worm-type virus according to the behavior characteristic information corresponding to the worm-type virus.
Through the present invention, by judging whether a file to be identified is a worm-type virus according to its behavior characteristic information during operation, the technical problem in the related art that worm-type virus identification methods have low accuracy is solved, and the accuracy of worm-type virus identification is improved. Moreover, multiple files to be identified can be identified simultaneously by adding identification devices, so that the propagation and destruction of worm-type viruses are identified effectively and in time; the identification results of the device can be converted for use by antivirus software and firewalls, which in turn indirectly prevents the propagation and destruction of new worm-type viruses in time.
Brief description of the drawings
The accompanying drawings described herein are provided for a further understanding of the present invention and form part of this application; the schematic embodiments of the present invention and their description are used to explain the present invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a flowchart of the method for identifying a worm-type virus according to an embodiment of the present invention;
Fig. 2 is a structural block diagram of the device for identifying a worm-type virus according to an embodiment of the present invention;
Fig. 3 is another structural block diagram of the device for identifying a worm-type virus according to an embodiment of the present invention;
Fig. 4 is a flowchart of the method for identifying a worm-type virus according to a preferred embodiment of the present invention.
Embodiments
The present invention is described in detail below with reference to the accompanying drawings and in conjunction with embodiments. It should be noted that, where there is no conflict, the embodiments of this application and the features in the embodiments may be combined with one another.
The following embodiments can be applied in a computer, for example a personal computer (PC). They can also be applied in mobile terminals that currently use intelligent operating systems, without being limited to these. There is no special requirement on the operating system of the computer or mobile terminal, as long as it supports the running of application programs. For example, the following embodiments can be applied in the Windows operating system.
In this embodiment, a method for identifying a worm-type virus is provided. Fig. 1 is a flowchart of the method for identifying a worm-type virus according to an embodiment of the present invention. As shown in Fig. 1, the method comprises:
Step S102: obtaining the behavior characteristic information of the file to be identified during its operation.
In this embodiment, step S102 can be implemented in multiple ways, for example in the following two ways:
First implementation
While the file to be identified is running, its network operation information (i.e. its network behavior) is obtained. For example, the network interface card can be monitored to obtain the protocols, ports and data content of its communication or propagation, and packets can be captured for all communication.
Preferably, the obtained network operation information can comprise: communication data, i.e. the network operation behavior during the running of the file to be identified; communication addresses during the running of the file to be identified, such as Internet Protocol (IP) addresses, port numbers, domain names, Uniform Resource Locators (URLs) and host names; network protocols used during the running of the file to be identified, such as data link layer protocols (Wireless Fidelity (WiFi), Address Resolution Protocol (ARP), Layer 2 Tunneling Protocol (L2TP), Point to Point Tunneling Protocol (PPTP), etc.), network layer protocols (IPv4, IPv6, Internet Control Message Protocol (ICMP), etc.), transport layer protocols (Transmission Control Protocol (TCP), User Datagram Protocol (UDP), etc.) and application layer protocols (Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), File Transfer Protocol (FTP), Remote Procedure Call (RPC), Server Message Block (SMB), Secure Shell (SSH), Remote Desktop Protocol (RDP), etc.); and the communication data itself during the running of the file to be identified.
Second implementation
Information on the operations the file to be identified performs on the system registry is obtained. That is, the behavior characteristic information is obtained according to the operations the file to be identified performs on the registry while it runs. Here, the behavior characteristic information can be determined from the change between the registry after the operations and the initial registry. For example, registry monitoring technology can be used to capture each operation the sample performs on the registry.
Preferably, in order to make it easier to identify the above virus the next time, quick identification can be achieved by determining an infection marker. A preferred implementation is as follows: after the file to be identified has been determined to be a virus, run it repeatedly; during the repeated runs, monitor the operations it performs on the registry; and determine the infection marker of the virus from the change between the registry information after the operations and the initial registry information. For example, if, when the registry information after the operations is compared with the initial registry information, the behavior of the file to be identified after reading a certain registry entry during the second run differs from its behavior after reading that entry during the first run, that registry entry is considered to be the infection marker of the virus. In this way, the behavior characteristic information can be extracted from the registry operation information marked by the infection marker.
Here, the initial registry information can be one of the following: the initial state of the registry before the file to be identified is run for the first time; the final state of the registry after the file to be identified is run for the first time; or, during the first run of the file to be identified, the operations it performs on the registry of the running environment and the order of each operation.
In the above process, the registry after the operations can be one of the following: the final state of the registry after the file to be identified is run again in the same running environment; or, during the N-th run (N being a natural number not less than 2) of the file to be identified, the operations it performs on the registry of the simulated environment and the order of each operation.
The operations the file to be identified performs on the registry include the following: reading, modifying or deleting registry entries of the simulated environment; enumerating, modifying or deleting sub-entries of registry entries of the simulated environment; enumerating, modifying or deleting key values of registry entries of the simulated environment; enumerating, modifying or deleting key values of sub-entries of registry entries of the simulated environment; reading, modifying or deleting the data of registry entries of the simulated environment; and enumerating, modifying or deleting the data of sub-entries of registry entries of the simulated environment.
The infection marker obtained in this way makes it possible to: use the infection marker as a signature of the determined worm-type virus and generate a virus database usable by common antivirus software; or use the infection marker as a marking feature to classify and name the determined worm-type virus; and further, because a worm-type virus does not re-infect, the infection marker can also serve as an immunity signal for files carrying it, so that a file carrying the infection marker is not infected again by the worm-type virus.
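As an added example (not code from the patent), the following derives an infection marker from the registry operations a sample performs on a first and a second run, as the second implementation describes: the marker is a key the first run changed and whose read outcome differs between the runs. The trace format, the key paths and the presence-only registry snapshot are assumptions constructed for this example.

```python
"""Added example (not from the patent): deriving an infection marker from the
registry operations a sample performs on a first and a second run, then
extracting the marked registry operations as the behaviour signature."""

# Constructed registry traces in execution order: (operation, key, outcome).
# Run 1 starts from a clean snapshot; run 2 starts from the state run 1 left
# behind (the patent's "run the file again in the same environment").
# Key paths are illustrative placeholders, not real indicators.
RUN1 = [
    ("read",  r"HKCU\Software\SampleApp\Installed", "not_found"),
    ("write", r"HKCU\Software\SampleApp\Installed", "ok"),
    ("write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sample", "ok"),
    ("read",  r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters", "found"),
]
RUN2 = [
    ("read", r"HKCU\Software\SampleApp\Installed", "found"),
    ("read", r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters", "found"),
]


def apply_trace(state, trace):
    """Replay a trace onto a registry snapshot (key -> present) and return
    the resulting snapshot; values are abstracted to presence only."""
    state = dict(state)
    for op, key, outcome in trace:
        if outcome != "ok":
            continue
        if op == "write":
            state[key] = True
        elif op == "delete":
            state.pop(key, None)
    return state


def changed_keys(initial, final):
    """Keys whose presence differs between the initial and final snapshot
    (the patent's change between initial and post-operation registry)."""
    return {k for k in set(initial) | set(final) if initial.get(k) != final.get(k)}


def first_read_outcome(trace):
    """First observed outcome of each read, keyed by registry path."""
    outcomes = {}
    for op, key, outcome in trace:
        if op == "read" and key not in outcomes:
            outcomes[key] = outcome
    return outcomes


def infection_markers(initial_state, run1, run2):
    """A marker is a key the first run changed AND whose read outcome differs
    between the first and second run: the sample consults it to decide
    whether the host is already infected. Keys that are only written
    (e.g. a persistence entry) are artefacts, not markers."""
    final_state = apply_trace(initial_state, run1)
    changed = changed_keys(initial_state, final_state)
    reads1, reads2 = first_read_outcome(run1), first_read_outcome(run2)
    return {k for k in changed
            if k in reads1 and k in reads2 and reads1[k] != reads2[k]}


def marked_operations(trace, markers):
    """Extract the registry operations on marker keys as the behaviour
    signature (operation, key, outcome), preserving execution order."""
    return [entry for entry in trace if entry[1] in markers]


if __name__ == "__main__":
    markers = infection_markers({}, RUN1, RUN2)
    print(markers)
    print(marked_operations(RUN1, markers))
```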
Step S104: judging, according to the behavior characteristic information, whether the file to be identified is a worm-type virus.
Step S106: when the behavior represented by the behavior characteristic information conforms to the behavioral characteristics of a worm-type virus, determining that the file to be identified is a worm-type virus.
When the above two implementations are used, this can be done as follows: when the behavior represented by the network operation information or the registry operation information has propagation and destructiveness, the file to be identified is determined to be the worm-type virus.
Through the above steps, since identification is performed according to the behavior characteristic information of the software to be detected during its operation, identification according to the dynamic behavioral features of the software is achieved, which avoids the lag in identification rules caused by identifying worm-type viruses from existing static signatures. Further, because identification is based directly on the behavior of the file to be identified, the problem of failing to identify worm-type virus files that have been packed or padded with junk instructions is fundamentally avoided. Thus fast and accurate identification of worm-type viruses is achieved, effectively preventing their propagation and destruction. Moreover, because the above identification scheme can run independently on multiple servers, multiple files can be identified simultaneously; the identification process is fully automatic without manual intervention and is fast, the servers do not interfere with one another, and by increasing the number of servers the large number of new files appearing on the Internet can be processed.
In this embodiment, after the file to be identified has been identified as a worm or not according to the behavior characteristic information, in order to process the worm further, the behavior characteristic information corresponding to the identified worm needs to be output. In this way, the operating behavior of the identified worm-type virus can be intercepted, removed or otherwise processed in a targeted manner according to the behavior characteristic information. Here, the interception of the above operating behavior can take the form of a firewall; the interception of worm-type viruses is described below:
First, the propagation and destructiveness of worm-type viruses are described:
It is judged whether the file to be identified connects to multiple destination addresses and sends similar network data. So-called similar network data refers to data containing the same network protocol, which can specifically be vulnerability exploitation data, password-guessing data, native code segment data, etc. Judging whether the file to be identified connects to multiple destination addresses and sends similar network data specifically means: judging whether the data the file sends to each destination address contains vulnerability exploitation data, or judging whether the data the file sends to each destination address contains password-guessing data, or judging whether the data the file sends to each destination address contains native code segment data. When the file to be identified connects to multiple destination addresses and sends similar data, the file has propagation.
For example, if it is known from the network information that the file to be identified initiates TCP connections to multiple destination addresses with destination port 3389, and the parsed network data contains weak-password guesses, the file's own program and malicious instructions, it is judged that the file has propagation, specifically propagation realized through weak passwords on port 3389.
As another example, if it is obtained from the network information that the file initiates TCP connections to multiple destination addresses with destination port 445, and the parsed network data contains the use of known vulnerabilities, malicious instructions and the file's own program, it is judged that the file has propagation, specifically propagation realized through an RPC protocol vulnerability.
It is judged whether the number of times the file to be identified consecutively connects to the same destination address is greater than a preset number; when it is, the file to be identified is determined to have attack behavior.
For example, if it is obtained from the network information that the file sends data to the same destination address, the sent data is parsed as a large number of HTTP requests sent in a short time, and the number of times the file connects to this destination address exceeds the preset number, it is judged that the file has attack behavior, specifically a denial-of-service attack on a web server.
As another example, if it is obtained from the network information that the file sends data to the same destination address, the sent data is parsed as a large number of SMTP requests sent in a short time, which after protocol parsing corresponds to a large number of mail-sending operations, and the number of times the file connects to this destination address exceeds the preset number, i.e. the number of mails sent exceeds a set threshold, it is judged that the file has attack behavior, specifically a spam attack.
In addition, other behaviors of worm-type viruses can also be judged from the network information. For example, it is judged from the network information whether the file to be identified downloads files through network operations; when the file downloads a file through the network and executes it, it is determined to have self-replication behavior. It is judged from the network information whether the file's behavior changes after it actively obtains or receives network data; when it does, the file is determined to have the behavior of receiving control commands.
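As an added example (not code from the patent), the propagation and attack checks described above and in step S408, run over a constructed sandbox connection trace. The trace format, the payload categories, the thresholds and the rule that only exploit, password-guessing and native-code payloads count towards propagation are assumptions chosen to mirror the examples in the text.

```python
"""Added example (not from the patent): the network-behaviour checks for
propagation (similar data to many destinations) and attack (repeated
connections to one destination) over a constructed connection trace."""
from collections import defaultdict

# Payload classes that count as "similar network data" for propagation
# (assumption, following the patent's exploit / password-guess / native-code
# examples; plain HTTP requests to many hosts are normal client behaviour).
PROPAGATION_CATEGORIES = {"exploit", "password_guess", "native_code"}

# Constructed sandbox trace, in execution order:
# (destination address, destination port, protocol, payload category).
SAMPLE_CONNECTIONS = [
    ("10.0.0.2", 445, "tcp", "exploit"),
    ("10.0.0.3", 445, "tcp", "exploit"),
    ("10.0.0.4", 445, "tcp", "exploit"),
    ("10.0.0.5", 445, "tcp", "exploit"),
] + [("10.0.0.9", 80, "tcp", "http_request")] * 6

# A constructed benign trace: a client fetching pages from several hosts.
BENIGN_CONNECTIONS = [
    ("10.0.1.%d" % i, 443, "tcp", "http_request") for i in range(2, 12)
]


def has_propagation(conns, min_targets=3):
    """Return the (port, protocol, category) combinations that were sent to
    at least `min_targets` distinct destination addresses, restricted to the
    payload categories that indicate spreading."""
    targets = defaultdict(set)
    for dst, port, proto, category in conns:
        if category in PROPAGATION_CATEGORIES:
            targets[(port, proto, category)].add(dst)
    return {key for key, dsts in targets.items() if len(dsts) >= min_targets}


def has_attack(conns, preset_times=5):
    """Return destination addresses contacted more than `preset_times` times
    in a row (the patent's 'consecutively connects to the same address').
    Time windows are not modelled; the trace order stands in for them."""
    longest_run = {}
    run_dst, run_len = None, 0
    for dst, _port, _proto, _category in conns:
        run_len = run_len + 1 if dst == run_dst else 1
        run_dst = dst
        longest_run[dst] = max(longest_run.get(dst, 0), run_len)
    return {dst for dst, n in longest_run.items() if n > preset_times}


def classify(conns, min_targets=3, preset_times=5):
    """Apply step S410: worm only when both propagation and attack are seen."""
    propagation = has_propagation(conns, min_targets)
    attack = has_attack(conns, preset_times)
    verdict = "worm" if propagation and attack else "not_worm"
    return {"propagation": propagation, "attack": attack, "verdict": verdict}


if __name__ == "__main__":
    print(classify(SAMPLE_CONNECTIONS))
    print(classify(BENIGN_CONNECTIONS))
```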
After the file to be identified has been identified according to the above behaviors of worm-type viruses, the behavior characteristic information (for example communication data) passing through the firewall is compared with the locally stored worm characteristic information, and when the behavior characteristic information passing through the firewall is identical to the worm characteristic information, that behavior characteristic information is intercepted. For example, when the communication data features passing through the firewall are identical to the communication data features of propagation, self-replication, destruction, network congestion or other malicious behavior, interception is performed. With this scheme, worm behavior passing through the firewall can be filtered; for example, starting from blocking the worm's propagation paths, the communication data of a PC or gateway device is filtered by software or network hardware, thereby stopping the propagation of the worm-type virus.
In this embodiment, because worms need to be identified in various real environments, in order to save manpower and time the file to be identified can be run in a simulated running environment; in this way, identification of the above worm-type virus in different real environments can be achieved by changing the simulated running environment accordingly.
This embodiment also provides a device for identifying a worm-type virus, which is used to implement the above embodiments and preferred implementations; what has already been explained is not repeated, and the modules involved in the device are described below. As used below, the term "module" may be a combination of software and/or hardware that realizes a predetermined function. Although the device described in the following embodiments is preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated. Fig. 2 is a structural block diagram of the device for identifying a worm-type virus according to an embodiment of the present invention. As shown in Fig. 2, the device comprises:
Acquisition module 20, connected to judging module 22, for obtaining the behavior characteristic information of the file to be identified during its operation;
Judging module 22, connected to determination module 24, for judging according to the behavior characteristic information whether the file to be identified is a worm-type virus;
Determination module 24, for determining that the file to be identified is a worm-type virus when the behavior represented by the behavior characteristic information conforms to the behavioral characteristics of a worm-type virus.
Through the functions realized by the above modules, the lag in identification rules caused by identifying worms from existing static signatures is likewise avoided; further, the problem of failing to identify worm files that have been packed or padded with junk instructions is fundamentally avoided, so that fast and accurate identification of worms is achieved, effectively preventing their propagation and destruction.
In this embodiment, the acquisition module obtains the behavior characteristic information when it comprises one of the following: the network operation information of the file to be identified; and the information on the operations the file to be identified performs on the system registry. To realize this, as shown in Fig. 3, the acquisition module 20 can further be used to perform at least one of the following processes: obtaining the network operation information of the file to be identified; and obtaining the information on the operations the file to be identified performs on the system registry.
In a preferred implementation of this embodiment, in order to make it easier to identify the above virus the next time, quick identification can be achieved by determining an infection marker. For this purpose, as shown in Fig. 3, the acquisition module 20 can further comprise the following processing units:
Running unit 200, connected to monitoring unit 202, for running the file to be identified repeatedly after it has been determined to be the worm-type virus;
Monitoring unit 202, for monitoring, during the repeated runs, the operations the file to be identified performs on the registry; and
Determining unit 204, for determining the infection marker of the worm-type virus according to the change between the registry information after the operations and the initial registry information;
Extraction unit 206, for extracting the behavior characteristic information from the registry operation information marked by the infection marker.
Preferably, in this embodiment, as shown in Fig. 3, the device can include, but is not limited to, the following processing module: output module 26, connected to interception module 28, for outputting the behavior characteristic information corresponding to the identified worm-type virus. In this way, interception can be targeted at the behavior of the worm-type virus; to realize this function, the device can further comprise the following processing module: interception module 28, for intercepting the operating behavior of the identified worm-type virus according to the behavior characteristic information corresponding to the worm-type virus.
As mentioned above, the modules involved in this embodiment can be implemented either in software or in corresponding hardware. For example, the modules can all be located in one processor, i.e. a processor comprising the acquisition module 20, the judging module 22 and the determination module 24; or each module can be located in its own processor: the acquisition module 20 in a first processor, the judging module 22 in a second processor, and the determination module 24 in a third processor. Of course, at least two of these processing modules can also be located in the same processor.
A preferred embodiment is described in detail below with reference to the relevant drawings.
Fig. 4 is a flow chart of the worm virus identification method according to a second embodiment of the present invention. As shown in Fig. 4, the method comprises:
Step S402: obtain the file to be identified.
Step S404: run the file to be identified in a preset simulated environment.
Step S406: while the file to be identified is running, monitor its network behavior to obtain network information, and monitor the operations it performs on the registry of the simulated environment to obtain first registry information. The first registry information comprises the initial state of the simulated-environment registry before the file is run for the first time, the final state of the registry after the first run, and the operations the file performs on the registry during the first run together with the order in which those operations occur.
Step S408: judge, according to the network information, whether the file to be identified has the propagation property and the attack (destructive) property.
Whether the file has the propagation property is judged by whether it connects to multiple destination addresses and sends similar network data to them; when it does, the file is determined to have the propagation property. Whether the file has the attack property is judged by whether the number of consecutive connections it makes to the same destination address exceeds a preset number of times; when it does, the file is determined to have the attack property.
Step S410: if the file to be identified has both the propagation property and the attack property, determine that it is a worm virus.
Step S412: when the file to be identified is determined to be a worm, run it again in the simulated environment, that is, run the file a second time in the same simulated environment in which it has already been run.
Step S414: while the file is running for the second time, monitor the operations it performs on the registry of the simulated environment to obtain second registry information. The second registry information comprises the final state of the simulated-environment registry after the second run, and the operations the file performs on the registry during the second run together with their order.
In the first and second registry information, the operations the file to be identified performs on the registry of the simulated environment include: reading, modifying or deleting a registry key of the simulated environment; enumerating, modifying or deleting the subkeys of a registry key; enumerating, modifying or deleting the values of a registry key; enumerating, modifying or deleting the values of a registry subkey; reading, modifying or deleting the data of a registry key; and enumerating, modifying or deleting the data of a subkey of a registry key.
Step S416: determine the infection marker of the worm virus according to the first registry information and the second registry information. Specifically, the first and second registry information are compared; where they differ, the registry key, registry subkey, key value, subkey value, key data or subkey data corresponding to the difference can be determined to be the worm marker. For example, if, during the second run, the behavior of the file after reading a certain registry key differs from its behavior after reading that same key during the first run, that registry key is taken to be the infection marker of the worm virus.
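The procedure of steps S402 to S416, as an added example that is not code from the patent: the network checks of step S408 and the registry comparison of step S416, run over constructed sandbox logs. The similarity measure, the minimum number of targets, the preset number of times and the registry key names are assumptions.

```python
# Added example (not the patent's code): the checks of steps S408-S416 run over
# constructed sandbox logs. Thresholds and the 'preset times' are assumptions.
from difflib import SequenceMatcher

def _similar(a: bytes, b: bytes, threshold: float = 0.8) -> bool:
    # Constructed similarity measure (assumption): byte-level match ratio.
    return SequenceMatcher(None, a, b).ratio() >= threshold

def has_propagation(events, min_targets=3):
    """Step S408, propagation: similar data sent to several distinct targets.
    events: (destination, payload) pairs in connection order."""
    first_payload = {}  # first payload seen per destination address
    for dst, payload in events:
        first_payload.setdefault(dst, payload)
    payloads = list(first_payload.values())
    if not payloads:
        return False
    alike = sum(_similar(payloads[0], p) for p in payloads)  # counts itself
    return alike >= min_targets

def has_attack(events, preset_times=5):
    """Step S408, attack: more than preset_times consecutive hits on one address."""
    run, prev = 0, None
    for dst, _ in events:
        run = run + 1 if dst == prev else 1
        prev = dst
        if run > preset_times:
            return True
    return False

def is_worm(events, preset_times=5):
    """Step S410: a worm only if the sample both propagates and attacks."""
    return has_propagation(events) and has_attack(events, preset_times)

def _after_read(ops):
    """Map each registry key read to the operations that follow the read, up to
    the next read, so a behaviour change is localised to one key."""
    out, current = {}, None
    for op, key in ops:
        if op == "read":
            current = key
            out.setdefault(current, [])
        elif current is not None:
            out[current].append((op, key))
    return out

def infection_marker(first_run_ops, second_run_ops):
    """Step S416: the key whose post-read behaviour differs between run 1
    (clean registry) and run 2 (registry already touched by run 1)."""
    a, b = _after_read(first_run_ops), _after_read(second_run_ops)
    for key in a:
        if a[key] != b.get(key):
            return key
    return None

# Constructed logs: one payload sprayed at three hosts, then a fourth host hit
# six times in a row; run 2 skips the marker creation that run 1 performed.
WORM_NET = [("10.0.0.11", b"\x90\x90SPRAY"), ("10.0.0.12", b"\x90\x90SPRAY"),
            ("10.0.0.13", b"\x90\x90SPRAX")] + [("10.0.0.20", b"SYN")] * 6
MARKER, START = "HKCU\\Software\\SampleMarker", "HKCU\\Software\\SampleStartup"
RUN1 = [("read", MARKER), ("create", MARKER), ("read", START), ("set_value", START)]
RUN2 = [("read", MARKER), ("read", START), ("set_value", START)]
```

A sample that only repeats a connection, or only sprays, fails `is_worm`, which is the page's requirement that both properties hold before the registry comparison is attempted.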
In summary, the embodiments of the present invention achieve the following beneficial effects: identification is performed according to the dynamic behavior characteristics of the software to be detected, which avoids the lag in identification rules that results from identifying worms by existing static characteristics; further, because identification is based directly on the behavior of the file to be identified, the failure to identify worm files that have been packed or obfuscated with junk code is fundamentally avoided. Worms are thus identified quickly and accurately, and their propagation and damage are effectively prevented.
In another embodiment, software is also provided for executing the technical solutions described in the above embodiments and preferred implementations.
In another embodiment, a storage medium is also provided, storing the above software; the storage medium includes but is not limited to an optical disc, a floppy disk, a hard disk, a scratch-pad memory, and so on.
Obviously, those skilled in the art will understand that each module or step of the present invention described above can be implemented with a general-purpose computing device; they can be concentrated on a single computing device or distributed over a network formed by multiple computing devices; optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; in some cases the steps shown or described can be performed in an order different from that given herein, or they can be made into individual integrated circuit modules, or several of the modules or steps can be made into a single integrated circuit module. Thus, the present invention is not restricted to any specific combination of hardware and software.
The above are only preferred embodiments of the present invention and do not limit it; for those skilled in the art, the present invention can have various modifications and variations. Any amendment, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within its scope of protection.

Claims (11)

1. A method for identifying a worm virus, characterized in that it comprises:
obtaining the behavior characteristic information of a file to be identified during its running;
judging, according to the behavior characteristic information, whether the file to be identified is a worm virus;
when the behavior represented by the behavior characteristic information meets the behavioral characteristics of a worm virus, determining that the file to be identified is a worm virus.
2. The method according to claim 1, characterized in that obtaining the behavior characteristic information of the file to be identified during its running comprises at least one of the following processes:
obtaining the network operation information of the file to be identified;
obtaining the operation information of the file to be identified on the system registry.
3. The method according to claim 2, characterized in that, when the behavior characteristic information comprises the operation information on the system registry, obtaining the behavior characteristic information of the file to be identified during its running comprises:
after determining that the file to be identified is the worm virus, running the file to be identified again;
in the process of rerunning the file to be identified, monitoring the operations the file performs on the registry during its running; and
determining the infection marker of the worm virus according to the change between the registry information after the run and the initial registry information;
extracting the behavior characteristic information according to the registry operation information marked by the infection marker.
4. The method according to claim 1, characterized in that, when the behavior represented by the behavior characteristic information meets the behavioral characteristics of a worm virus, determining that the file to be identified is a worm virus comprises:
when the behavior represented by the behavior characteristic information has the propagation property and the attack (destructive) property, determining that the file to be identified is the worm virus.
5. The method according to any one of claims 1 to 4, characterized in that, after determining that the file to be identified is a worm virus, the method comprises:
outputting the behavior characteristic information corresponding to the identified worm virus.
6. The method according to claim 5, characterized in that, after outputting the behavior characteristic information corresponding to the identified worm virus, the method comprises:
blocking the operation behavior of the identified worm virus according to the behavior characteristic information corresponding to the worm virus.
7. A device for identifying a worm virus, characterized in that it comprises:
an acquisition module, for obtaining the behavior characteristic information of a file to be identified during its running;
a judging module, for judging, according to the behavior characteristic information, whether the file to be identified is a worm virus;
a determination module, for determining that the file to be identified is a worm virus when the behavior represented by the behavior characteristic information meets the behavioral characteristics of a worm virus.
8. The device according to claim 7, characterized in that the acquisition module is further configured to perform at least one of the following processes:
obtaining the network operation information of the file to be identified;
obtaining the operation information of the file to be identified on the system registry.
9. The device according to claim 8, characterized in that the acquisition module comprises:
a running unit, for running the file to be identified again after it has been determined that the file is the worm virus;
a monitoring unit, for monitoring, in the process of rerunning the file to be identified, the operations the file performs on the registry during its running; and
a determining unit, for determining the infection marker of the worm virus according to the change between the registry information after the run and the initial registry information;
an extraction unit, for extracting the behavior characteristic information according to the registry operation information marked by the infection marker.
10. The device according to any one of claims 7 to 9, characterized in that it further comprises:
an output module, for outputting the behavior characteristic information corresponding to the identified worm virus.
11. The device according to claim 10, characterized in that it further comprises:
a blocking module, for blocking the operation behavior of the identified worm virus according to the behavior characteristic information corresponding to the worm virus.
CN201310264357.6A 2013-06-27 2013-06-27 Identification method and device for worm virus Pending CN104253797A (en)

Publications (1)

Publication Number Publication Date
CN104253797A true CN104253797A (en) 2014-12-31

Family

ID=52188337

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20141231