CN104424437B - Multi-file sample testing method and device and client - Google Patents
- Publication number: CN104424437B (application CN201310381730.6A)
- Authority: CN (China)
- Legal status: Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
Abstract
The invention provides a method, a device and a client for testing a multi-file sample, wherein the method comprises the following steps: acquiring a multi-file sample; matching the N files with a preset minimum combination of independent executable files to generate a first set of W1 minimum combinations of independent executable files; acquiring relationship information among the remaining N-M files, and acquiring a second set with W2 minimum independent executable file combinations in the remaining N-M files according to the relationship information; and determining whether the multi-file sample is a malicious sample according to the W1 minimum independent executable file combinations and the W2 minimum independent executable file combinations. According to the method provided by the embodiment of the invention, the storage of repeated malicious multi-file samples in the sample library can be reduced, the storage space of the sample library is saved, the analysis of the repeated multi-file samples is avoided, the analysis time for analyzing the malicious files contained in the multi-file samples is greatly reduced, and the analysis efficiency is improved.
Description
Technical field
The present invention relates to the field of computer security, and in particular to a method and a device for testing a multi-file sample, and to a client.
Background technology
With the development of the Internet and the rise of e-commerce, the number of malicious files has grown explosively, in geometric progression. A malicious file is a virus, worm, Trojan horse or similar program that deliberately performs malicious tasks on a computer system. Before a malicious file is discovered by the user, the user's private sensitive data, such as bank account information and credit card passwords, may already have been stolen while the user was online, causing the user great loss; the harm to users is enormous. At present, the main method for analysing whether a multi-file sample contains malicious files is dynamic behaviour analysis, which has become a research hotspot in the anti-virus security field both at home and abroad.
In the course of implementing the present invention, the inventor found that the prior art has at least the following problems. Massive amounts of malicious-file data can now be obtained in various ways, such as user reports and honeypot capture; however, this massive data makes the number of samples stored in the malicious-file sample database very large, so that not only does the sample database occupy a great deal of storage space, but analysing whether a multi-file sample contains malicious files by dynamic behaviour analysis also consumes a very long time. Furthermore, since a multi-file sample is usually produced by packing files into a compressed package several times over, dynamic behaviour analysis cannot exclude the repeated multi-file samples inside such compressed packages, so analysing the malicious files in these repeated samples by dynamic behaviour analysis takes a long time and analysis efficiency is low.
Summary of the invention
The present invention aims to solve at least one of the above technical problems.
To this end, the first object of the present invention is to propose a method for testing a multi-file sample. On the one hand, the method can reduce the malicious multi-file samples stored repeatedly in the sample database, saving the storage space of the sample database; on the other hand, it can avoid analysing repeated multi-file samples, greatly reducing the time spent analysing the malicious files contained in multi-file samples and improving analysis efficiency.
The second object of the present invention is to propose a device for testing a multi-file sample.
The third object of the present invention is to propose a client.
To achieve these objects, the method for testing a multi-file sample according to an embodiment of the first aspect of the present invention comprises the following steps: obtaining a multi-file sample, wherein the multi-file sample comprises N files and N is a positive integer; matching the N files against preset minimum independent executable file combinations to generate a first set having W1 minimum independent executable file combinations, wherein the first set comprises M files, M is an integer greater than or equal to 0 and less than or equal to N, and W1 is an integer greater than or equal to 0; obtaining relation information among the remaining N-M files, and obtaining, according to the relation information, a second set having W2 minimum independent executable file combinations from the remaining N-M files, wherein W2 is an integer greater than or equal to 0; and determining whether the multi-file sample is a malicious sample according to the types of the W1 minimum independent executable file combinations and the W2 minimum independent executable file combinations.
On the one hand, the method for testing a multi-file sample according to embodiments of the present invention can reduce the malicious multi-file samples stored repeatedly in the sample database, saving the storage space of the sample database; on the other hand, it can avoid analysing repeated multi-file samples, greatly reducing the time spent analysing the malicious files contained in multi-file samples and improving analysis efficiency.
To achieve these objects, the device for testing a multi-file sample according to an embodiment of the second aspect of the present invention comprises: a first acquisition module for obtaining a multi-file sample, wherein the multi-file sample comprises N files and N is a positive integer; a matching module for matching the N files against preset minimum independent executable file combinations to generate a first set having W1 minimum independent executable file combinations, wherein the first set comprises M files, M is an integer greater than or equal to 0 and less than or equal to N, and W1 is an integer greater than or equal to 0; a second acquisition module for obtaining relation information among the remaining N-M files and obtaining, according to the relation information, a second set having W2 minimum independent executable file combinations from the remaining N-M files, wherein W2 is an integer greater than or equal to 0; and a judgment module for determining whether the multi-file sample is a malicious sample according to the types of the W1 minimum independent executable file combinations and the W2 minimum independent executable file combinations.
On the one hand, the device for testing a multi-file sample according to embodiments of the present invention can reduce the malicious multi-file samples stored repeatedly in the sample database, saving the storage space of the sample database; on the other hand, it can avoid analysing repeated multi-file samples, greatly reducing the time spent analysing the malicious files contained in multi-file samples and improving analysis efficiency.
To achieve these objects, the client according to an embodiment of the third aspect of the present invention comprises a screen, a processor and a circuit board; the screen is placed on a housing, the circuit board is placed inside the space enclosed by the housing, and the processor is arranged on the circuit board. The processor is used to process data, and is specifically used to: obtain a multi-file sample, wherein the multi-file sample comprises N files and N is a positive integer; match the N files against preset minimum independent executable file combinations to generate a first set having W1 minimum independent executable file combinations, wherein the first set comprises M files, M is an integer greater than or equal to 0 and less than or equal to N, and W1 is an integer greater than or equal to 0; obtain relation information among the remaining N-M files, and obtain, according to the relation information, a second set having W2 minimum independent executable file combinations from the remaining N-M files, wherein W2 is an integer greater than or equal to 0; and determine whether the multi-file sample is a malicious sample according to the types of the W1 minimum independent executable file combinations and the W2 minimum independent executable file combinations.
On the one hand, the client according to embodiments of the present invention can reduce the malicious multi-file samples stored repeatedly in the sample database, saving the storage space of the sample database; on the other hand, it can avoid analysing repeated multi-file samples, greatly reducing the time spent analysing the malicious files contained in multi-file samples and improving analysis efficiency.
Additional aspects and advantages of the present invention will be set forth in part in the following description, and in part will become apparent from the description or be learned through practice of the invention.
Description of the drawings
The above and/or additional aspects and advantages of the present invention will become apparent and easy to understand from the following description of embodiments taken together with the accompanying drawings, in which:
Fig. 1 is a flow chart of a method for testing a multi-file sample according to an embodiment of the present invention;
Fig. 2 is a flow chart of a method for testing a multi-file sample according to a specific embodiment of the present invention;
Fig. 3 is a structural diagram of a device for testing a multi-file sample according to an embodiment of the present invention;
Fig. 4 is a structural diagram of a device for testing a multi-file sample according to a specific embodiment of the present invention;
Fig. 5 is a structural diagram of a device for testing a multi-file sample according to another specific embodiment of the present invention;
Fig. 6 is a structural diagram of a device for testing a multi-file sample according to another specific embodiment of the present invention; and
Fig. 7 is a structural diagram of a device for testing a multi-file sample according to another specific embodiment of the present invention.
Specific embodiments
Embodiments of the present invention are described in detail below; examples of the embodiments are shown in the drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements having the same or similar functions. The embodiments described below with reference to the drawings are exemplary, are intended only to explain the present invention, and are not to be construed as limiting it. On the contrary, the embodiments of the invention include all changes, modifications and equivalents falling within the spirit and scope of the appended claims.
In the description of the present invention, it is to be understood that the terms "first", "second" and the like are used for descriptive purposes only and are not to be understood as indicating or implying relative importance. It should also be noted that, unless otherwise expressly specified and limited, the terms "connected" and "connection" are to be interpreted broadly: for example, a connection may be fixed, detachable or integral; it may be mechanical or electrical; and it may be direct or indirect through an intermediary. A person of ordinary skill in the art can understand the specific meaning of the above terms in the present invention according to the specific circumstances. In addition, in the description of the present invention, unless otherwise indicated, "multiple" means two or more.
Any process or method described in a flow chart or otherwise described herein may be understood as representing a module, segment or portion of code comprising one or more executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of the present invention includes other implementations in which the functions may be performed out of the order shown or discussed, including substantially concurrently or in the reverse order, depending on the functionality involved, as will be understood by those skilled in the art to which the embodiments of the invention belong.
Methods, devices and clients for testing a multi-file sample according to embodiments of the present invention are described below with reference to the drawings.
At present, dynamic behaviour analysis cannot exclude the repeated multi-file samples inside compressed packages, so analysing the malicious files in a multi-file sample by dynamic behaviour analysis takes a very long time and analysis efficiency is very low. Suppose instead that the relationships between the files in a multi-file sample (for example reading, writing, running and so on) are identified, and that repeated file samples (such as a repeated sample that has been packed several times), combined multi-file samples (such as a multi-file sample containing several executable files) and incomplete multi-file samples are recognised and split apart. The executable files or multi-file combinations can then be discriminated as "minimum independent executable file combinations", minimally separated, restored and de-duplicated. As a result, on the one hand the file samples stored repeatedly in the sample database can be reduced, saving the storage space of the sample database, and on the other hand analysing repeated file samples can be avoided, greatly reducing the time spent analysing the malicious files contained in multi-file samples and improving analysis efficiency. To this end, the present invention proposes a method for testing a multi-file sample.
Fig. 1 is a flow chart of a method for testing a multi-file sample according to an embodiment of the present invention, and Fig. 2 is a flow chart of a method for testing a multi-file sample according to a specific embodiment of the present invention.
As shown in Figs. 1 and 2, the method for testing a multi-file sample comprises the following steps.
S11: obtain a multi-file sample, wherein the multi-file sample comprises N files and N is a positive integer.
In one embodiment of the present invention, the multi-file sample may be a multi-file compressed package, or may be a file sample stored in any multi-file storage manner, for example a multi-file sample packed as a compressed package and uploaded over the network, or a multi-file sample stored as multiple files on a USB flash drive.
S12: match the N files against preset minimum independent executable file combinations to generate a first set having W1 minimum independent executable file combinations, wherein the first set comprises M files, M is an integer greater than or equal to 0 and less than or equal to N, and W1 is an integer greater than or equal to 0.
In one embodiment of the present invention, a minimum independent executable file combination comprises at least one executable file. Specifically, to realise some function, several files may need to be combined: the function can only be realised by the multi-file combination, and the absence of any one of the files affects the function of the combination. Public files are excluded from the multi-file combination, and a multi-file combination that contains public files is not determined to be a minimum independent executable file combination. If an executable file can complete all of its own functions without depending on any other file, that executable file can also be regarded as a minimum independent executable file combination; that is, a minimum independent executable file combination may contain only a single executable file.
In one embodiment of the present invention, S12 comprises the following steps.
S121: obtain, from the N files, a first file combination identical to a preset minimum independent executable file combination, or a second file combination comprised in a predetermined minimum independent executable file combination. Specifically, judge whether the N files contain a first file combination identical to a preset minimum independent executable file combination, and mark the identical first file combination. For example, if the multi-file sample contains the files 1.exe, 2.exe, 3.exe, 1.dll, 2.dll and 3.txt, and the preset minimum independent executable file combination is 1.exe+1.dll, then the file combination 1.exe+1.dll in the multi-file sample is taken as the first file combination.
At the same time, judge whether the N files contain a second file combination comprised in a predetermined minimum independent executable file combination, and mark the comprised second file combination as an incomplete file combination. For example, if the multi-file sample contains the files 1.dll, 2.dll and 3.txt, and the preset minimum independent executable file combination is 1.exe+1.dll, then the file combination 1.dll in the multi-file sample is taken as the second file combination and marked as an incomplete file combination.
S122: generate the first set from the first file combinations and the second file combinations, wherein the number of first file combinations is W1. Specifically, the marked first file combinations and second file combinations are added to the first set.
S13: obtain relation information among the remaining N-M files, and obtain, according to the relation information, a second set having W2 minimum independent executable file combinations from the remaining N-M files, wherein W2 is an integer greater than or equal to 0.
In one embodiment of the present invention, the relation information comprises one or more of an inclusion relation, a release relation, a dependency relation, a coexistence relation and a bundle relation. These relations are illustrated as follows:
(1) Inclusion relation: if a compressed or decompressed file A contains another file B, then A is said to contain B, and the relation between A and B is called an inclusion relation.
(2) Release relation: if running an executable file A generates a new file B, then A is said to release B, and the relation between A and B is called a release relation.
(3) Dependency relation: if an executable file A must rely on a file B to complete its own function, so that A cannot complete its proper function when B is absent, then A is said to depend on B, and the relation between A and B is called a dependency relation.
(4) Coexistence relation: if files A and B are both depended on by an executable file C, so that C cannot complete its proper function when either A or B is absent, then A and B are said to have to coexist, and the relation between A and B is called a coexistence relation.
(5) Bundle relation: if files A and B are both contained in, or both released by, an executable file C, but C depends on file A and not on file B, then A and B are said to be bundled, and the relation between A and B is called a bundle relation.
In one embodiment of the present invention, the files comprised in the minimum independent executable file combinations and the incomplete file combinations of the first set are removed from the N files of the multi-file sample; that is, the M files in the first set are removed from the N files of the multi-file sample.
In one embodiment of the present invention, S13 comprises the following steps.
S131: judge whether the N-M files contain an executable file.
S132: if the N-M files contain an executable file, run the executable file and record the relation information between the executable file and the other files among the N-M files. If running the executable file fails, or the N-M files contain a file that does not belong to any preset minimum independent executable file combination, then that executable file and that file are only archived.
S133: obtain the executable files among the N-M files.
S134: judge, according to the relation information corresponding to an executable file, whether the executable file and the files related to it form a minimum independent executable file combination.
S135: if it is determined that they form a minimum independent executable file combination, add the combination to the second set.
S14: determine whether the multi-file sample is a malicious sample according to the types of the W1 minimum independent executable file combinations and the W2 minimum independent executable file combinations.
In one embodiment of the present invention, S14 comprises the following step.
S141: if the first set or the second set contains a known malicious minimum independent executable file combination, judge the multi-file sample to be a malicious sample.
In one embodiment of the present invention, a known malicious minimum independent executable file combination may be a malicious minimum independent executable file combination previously stored in the sample database, or a malicious minimum independent executable file combination that has only just been identified.
In one embodiment of the present invention, S141 further comprises the following steps.
S1411: match the first file combinations and the second file combinations respectively against the known malicious minimum independent executable file combinations.
S1412: if any first file combination is identical to a known malicious minimum independent executable file combination, judge that the first set contains a known malicious minimum independent executable file combination. For example, the multi-file sample contains the files 1.exe, 2.exe, 3.exe, 1.dll, 2.dll and 3.txt, and among them the minimum independent executable file combination 1.exe+1.dll. If 1.exe+1.dll exists among the known malicious minimum independent executable file combinations, that is, the sample database contains the malicious minimum independent executable file combination 1.exe+1.dll, then it is determined that the first set contains a known malicious minimum independent executable file combination, which is to say that the multi-file sample is a malicious sample.
S1413: if any second file combination is comprised in a known malicious minimum independent executable file combination, and the files in the comprised second file combination are not public files, judge that the first set contains a known malicious minimum independent executable file combination. For example, the multi-file sample contains the files 1.dll, 2.dll and 3.txt, and 1.exe+1.dll exists among the known malicious minimum independent executable file combinations, that is, the sample database contains the malicious minimum independent executable file combination 1.exe+1.dll. Since the file 1.dll belongs to the known malicious minimum independent executable file combination 1.exe+1.dll, and 1.dll is neither a system file nor a common language runtime file, it is determined that the first set contains a known malicious minimum independent executable file combination, which is to say that the multi-file sample is a malicious sample.
In one embodiment of the present invention, the W2 minimum independent executable file combinations comprise Q files, wherein Q is an integer greater than or equal to 0 and less than or equal to N. After the multi-file sample has been judged to be a non-malicious sample, S14 further comprises the following steps.
S142: match each of the remaining N-M-Q files against the malicious samples recorded during previous sample tests.
S143: if any of the remaining N-M-Q files has an inclusion relation, a bundle relation or a release relation with malicious samples, and the malicious samples having such an inclusion, bundle or release relation with the file exceed a certain threshold, judge the multi-file sample to be a risk sample.
In one embodiment of the present invention, the threshold is a ratio: the number of known malicious minimum independent executable file combinations that have an inclusion, bundle or release relation with the file, relative to all known malicious minimum independent executable file combinations.
For example, the multi-file sample contains the files 1.exe, 2.exe and flag.txt, where 1.exe and 2.exe both belong to non-malicious minimum independent executable file combinations, but flag.txt is a file that, according to earlier records, a malicious minimum independent executable file combination released when executed; this file therefore has a release relation with a malicious sample. If the file is bundled, contained or released by 90% of the malicious samples, it is determined to be a risk file, and the multi-file sample containing it is a risk sample.
On the one hand, the method for testing a multi-file sample according to embodiments of the present invention can reduce the malicious multi-file samples stored repeatedly in the sample database, saving the storage space of the sample database; on the other hand, it can avoid analysing repeated multi-file samples, greatly reducing the time spent analysing the malicious files contained in multi-file samples and improving analysis efficiency.
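Steps S12 to S14 carried through in code, as an added illustration that is not the patentee's code: the file names, preset combinations, relation records and "known malicious" entries are constructed for the example, and both the dependency-closure rule used to form combinations and the inclusive comparison with the threshold are assumptions of this illustration.

```python
# Added illustration of steps S12-S14; not the patentee's code. Relation
# information (step S13) would normally be recorded by running the executables
# and is supplied here as a constructed static list instead.
from typing import Dict, FrozenSet, List, Set, Tuple

Combo = FrozenSet[str]
Relation = Tuple[str, str, str]  # (file_a, relation, file_b)

# Constructed: public files (system / common-language-runtime files) that never
# count as part of a minimum independent executable file combination (MIEFC).
PUBLIC_FILES: Set[str] = {"msvcr100.dll", "mscoree.dll"}

# Constructed: preset MIEFCs for step S12 (1.exe+1.dll is the page's own example;
# a.exe and b.exe stand for benign single-file combinations).
PRESETS: List[Combo] = [frozenset({"1.exe", "1.dll"}),
                        frozenset({"a.exe"}), frozenset({"b.exe"})]

# Constructed: known malicious MIEFCs (1.exe+1.dll from the page plus nine
# placeholder single-file combinations, so that ratios can be computed).
KNOWN_MALICIOUS: Set[Combo] = {frozenset({"1.exe", "1.dll"})} | {
    frozenset({f"mal{i}.exe"}) for i in range(9)}

# Constructed: which known malicious MIEFCs contain, bundle or release a given
# file (steps S142/S143). flag.txt is released by 9 of the 10 known combinations.
MALICIOUS_RELATED: Dict[str, Set[Combo]] = {
    "flag.txt": {frozenset({f"mal{i}.exe"}) for i in range(9)}}

# Constructed relation records of the kind step S132 would produce.
RELATIONS: List[Relation] = [("2.exe", "depends", "2.dll"),
                             ("3.exe", "releases", "3.txt")]


def match_preset(files: Set[str], presets: List[Combo]) -> Tuple[List[Combo], List[Combo]]:
    """S121/S122: split preset matches into complete ("first") and incomplete
    ("second") file combinations. A partial match made only of public files
    carries no signal and is dropped."""
    complete: List[Combo] = []
    incomplete: List[Combo] = []
    for preset in presets:
        present = frozenset(f for f in preset if f in files)
        if present == preset:
            complete.append(present)
        elif present - PUBLIC_FILES:
            incomplete.append(present)
    return complete, incomplete


def combos_from_relations(files: Set[str], relations: List[Relation]) -> List[Combo]:
    """S131-S135: build one MIEFC per executable from the recorded "depends"
    relations. Files that are merely contained, released or bundled are not
    part of the minimum combination; public files are excluded."""
    combos: List[Combo] = []
    for exe in sorted(f for f in files if f.lower().endswith(".exe")):
        combo, frontier = {exe}, [exe]
        while frontier:  # transitive closure over dependencies (assumption)
            cur = frontier.pop()
            for a, rel, b in relations:
                if a == cur and rel == "depends" and b in files and b not in combo:
                    combo.add(b)
                    frontier.append(b)
        combos.append(frozenset(combo - PUBLIC_FILES))
    return combos


def classify(files: Set[str], threshold: float = 0.9) -> str:
    """S14: return "malicious", "risk" or "clean" for a multi-file sample."""
    complete, incomplete = match_preset(files, PRESETS)
    used = set().union(*complete, *incomplete)  # the M files of the first set
    remaining = files - used                    # the N-M files
    second = combos_from_relations(remaining, RELATIONS)
    # S1412: a first-set or second-set combination identical to a known malicious one
    if any(c in KNOWN_MALICIOUS for c in complete + second):
        return "malicious"
    # S1413: an incomplete, non-public part of a known malicious combination
    if any(part <= m for part in incomplete for m in KNOWN_MALICIOUS):
        return "malicious"
    # S142/S143: files outside any combination (the N-M-Q files) are compared with
    # the recorded malicious samples; the ratio is taken over all known malicious
    # MIEFCs, and an inclusive comparison with the threshold is assumed here.
    leftover = remaining - set().union(*second)
    total = len(KNOWN_MALICIOUS)
    for f in leftover:
        share = len(MALICIOUS_RELATED.get(f, set())) / total if total else 0.0
        if share >= threshold:
            return "risk"
    return "clean"


if __name__ == "__main__":
    for sample in ({"1.exe", "2.exe", "3.exe", "1.dll", "2.dll", "3.txt"},
                   {"1.dll", "2.dll", "3.txt"},
                   {"a.exe", "b.exe", "flag.txt"},
                   {"a.exe", "b.exe"}):
        print(sorted(sample), "->", classify(sample))
```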
To implement the above embodiments, the present invention also proposes a device for testing a multi-file sample.
A device for testing a multi-file sample comprises: a first acquisition module for obtaining a multi-file sample, wherein the multi-file sample comprises N files and N is a positive integer; a matching module for matching the N files against preset minimum independent executable file combinations to generate a first set having W1 minimum independent executable file combinations, wherein the first set comprises M files, M is an integer greater than or equal to 0 and less than or equal to N, and W1 is an integer greater than or equal to 0; a second acquisition module for obtaining relation information among the remaining N-M files and obtaining, according to the relation information, a second set having W2 minimum independent executable file combinations from the remaining N-M files, wherein W2 is an integer greater than or equal to 0; and a judgment module for determining whether the multi-file sample is a malicious sample according to the types of the W1 minimum independent executable file combinations and the W2 minimum independent executable file combinations.
Fig. 3 is a structural diagram of a device for testing a multi-file sample according to an embodiment of the present invention.
As shown in Fig. 3, the device for testing a multi-file sample comprises a first acquisition module 110, a matching module 120, a second acquisition module 130 and a judgment module 140.
Specifically, the first acquisition module 110 is used to obtain a multi-file sample, wherein the multi-file sample comprises N files and N is a positive integer.
In one embodiment of the present invention, the multi-file sample may be a multi-file compressed package, or may be a file sample stored in any multi-file storage manner, for example a multi-file sample packed as a compressed package and uploaded over the network, or a multi-file sample stored as multiple files on a USB flash drive.
The matching module 120 is used to match the N files against preset minimum independent executable file combinations to generate a first set having W1 minimum independent executable file combinations, wherein the first set comprises M files, M is an integer greater than or equal to 0 and less than or equal to N, and W1 is an integer greater than or equal to 0. In one embodiment of the present invention, a minimum independent executable file combination comprises at least one executable file. More specifically, to realise some function, several files may need to be combined: the function can only be realised by the multi-file combination, and the absence of any one of the files affects the function of the combination. Public files are excluded from the multi-file combination, and a multi-file combination that contains public files is not determined to be a minimum independent executable file combination. If an executable file can complete all of its own functions without depending on any other file, that executable file can also be regarded as a minimum independent executable file combination; that is, a minimum independent executable file combination may contain only a single executable file.
The second acquisition module 130 is used to obtain relation information among the remaining N-M files and to obtain, according to the relation information, a second set having W2 minimum independent executable file combinations from the remaining N-M files, wherein W2 is an integer greater than or equal to 0. In one embodiment of the present invention, the relation information comprises one or more of an inclusion relation, a release relation, a dependency relation, a coexistence relation and a bundle relation.
In one embodiment of the present invention, the second acquisition module 130 removes the files comprised in the minimum independent executable file combinations and the incomplete file combinations of the first set from the N files of the multi-file sample; that is, it removes the M files in the first set from the N files of the multi-file sample.
The judgment module 140 is used to determine whether the multi-file sample is a malicious sample according to the types of the W1 minimum independent executable file combinations and the W2 minimum independent executable file combinations.
On the one hand, the device for testing a multi-file sample according to embodiments of the present invention can reduce the malicious multi-file samples stored repeatedly in the sample database, saving the storage space of the sample database; on the other hand, it can avoid analysing repeated multi-file samples, greatly reducing the time spent analysing the malicious files contained in multi-file samples and improving analysis efficiency.
Fig. 4 is the structure diagram according to the test device of the multifile sample of a specific embodiment of the invention.
As shown in figure 4, the test device of multifile sample includes:First acquisition module 110, matching module 120, second are obtained
Modulus block 130 and judgment module 140, wherein, matching module 120 includes:Acquiring unit 121 and generation unit 122.
Specifically, acquiring unit 121 is used to obtain, among the N files, a first file combination that is identical to a preset minimum independent executable file combination, or a second file combination that is contained in a preset minimum independent executable file combination. More specifically, acquiring unit 121 judges whether the N files contain a first file combination identical to a preset minimum independent executable file combination, and marks that identical first file combination. For example, if the multi-file sample contains the files 1.exe, 2.exe, 3.exe, 1.dll, 2.dll and 3.txt and the preset minimum independent executable file combination is 1.exe+1.dll, acquiring unit 121 takes the file combination 1.exe+1.dll in the multi-file sample as a first file combination.
At the same time, acquiring unit 121 judges whether the N files contain a second file combination that is contained in a preset minimum independent executable file combination, and marks that contained second file combination as an incomplete file combination. For example, if the multi-file sample contains the files 1.dll, 2.dll and 3.txt and the preset minimum independent executable file combination is 1.exe+1.dll, acquiring unit 121 takes the file combination 1.dll in the multi-file sample as a second file combination and marks it as an incomplete file combination.
Generation unit 122 is used to generate the first set according to the first file combinations and the second file combinations, where the number of first file combinations is W1. Specifically, generation unit 122 adds the marked first file combinations and second file combinations to the first set.
The test device for a multi-file sample according to the embodiment of the invention obtains, among the N files, the first file combinations identical to a preset minimum independent executable file combination and the second file combinations contained in a preset minimum independent executable file combination, and can generate the first set from these first and second file combinations.
Fig. 5 is a structural diagram of a test device for a multi-file sample according to another specific embodiment of the invention.
As shown in Fig. 5, the test device for a multi-file sample includes: first acquisition module 110, matching module 120, second acquisition module 130 and judgment module 140, where matching module 120 includes acquiring unit 121 and generation unit 122, and second acquisition module 130 includes first judging unit 131, running unit 132, recording unit 133, acquiring unit 134, second judging unit 135 and adding unit 136.
Specifically, first judging unit 131 is used to judge whether the N-M files contain an executable file.
Running unit 132 is used to run the executable file when the N-M files contain one.
Recording unit 133 is used to record the relation information between the executable file and the other files among the N-M files. If running unit 132 fails to run the executable file, or the N-M files contain a file that does not belong to any preset minimum independent executable file combination, recording unit 133 archives the executable file together with that file.
Acquiring unit 134 is used to obtain the executable files among the N-M files.
Second judging unit 135 is used to judge, according to the relation information corresponding to an executable file, whether the executable file and the files related to it form a minimum independent executable file combination.
Adding unit 136 is used to add the combination to the second set when it is judged that a minimum independent executable file combination is formed.
The test device for a multi-file sample according to the embodiment of the invention obtains the relation information among the remaining N-M files and, according to that relation information, can obtain from the remaining N-M files the second set containing W2 minimum independent executable file combinations.
Fig. 6 is a structural diagram of a test device for a multi-file sample according to yet another specific embodiment of the invention.
As shown in Fig. 6, the test device for a multi-file sample includes: first acquisition module 110, matching module 120, second acquisition module 130 and judgment module 140, where matching module 120 includes acquiring unit 121 and generation unit 122; second acquisition module 130 includes first judging unit 131, running unit 132, recording unit 133, acquiring unit 134, second judging unit 135 and adding unit 136; and judgment module 140 includes third judging unit 141, matching unit 142 and fourth judging unit 143.
Specifically, third judging unit 141 is used to judge the multi-file sample to be a malicious sample when the first set or the second set contains a known malicious minimum independent executable file combination. In one embodiment of the invention, a malicious minimum independent executable file combination is one that has previously been stored in the sample library, or one that has just been identified.
In one embodiment of the invention, the W2 minimum independent executable file combinations contain Q files, where Q is an integer greater than or equal to 0 and less than or equal to N. After judgment module 140 judges the multi-file sample to be a non-malicious sample, matching unit 142 is used to match each of the remaining N-M-Q files against the malicious samples recorded during previous sample tests; and fourth judging unit 143 is used to judge the multi-file sample to be a risk sample when any of the remaining N-M-Q files has an inclusion, bundle and/or release relationship with malicious samples and the number of malicious samples having such an inclusion, bundle and/or release relationship exceeds a certain threshold.
In one embodiment of the invention, the threshold is a ratio value: the number of known malicious minimum independent executable file combinations that have an inclusion, bundle and/or release relationship with the file, relative to all known malicious minimum independent executable file combinations.
For example, the multi-file sample contains the files 1.exe, 2.exe and flag.txt, where 1.exe and 2.exe both belong to non-malicious minimum independent executable file combinations, but the file flag.txt is, according to previous records, a file released when a malicious minimum independent executable file combination executes, so this file can be said to have a release relationship with malicious samples. If this file is bundled, contained or released by 90% of the malicious samples, it is determined that this file is a risk file and that the multi-file sample containing it is a risk sample.
The test device for a multi-file sample according to the embodiment of the invention can determine whether the multi-file sample is a malicious sample or a risk sample.
Fig. 7 is a structural diagram of a test device for a multi-file sample according to yet another specific embodiment of the invention.
As shown in Fig. 7, the test device for a multi-file sample includes: first acquisition module 110, matching module 120, second acquisition module 130 and judgment module 140, where matching module 120 includes acquiring unit 121 and generation unit 122; second acquisition module 130 includes first judging unit 131, running unit 132, recording unit 133, acquiring unit 134, second judging unit 135 and adding unit 136; judgment module 140 includes third judging unit 141, matching unit 142 and fourth judging unit 143; and third judging unit 141 includes matching subunit 1411, first judging subunit 1412 and second judging subunit 1413.
Specifically, matching subunit 1411 is used to match the first file combinations and the second file combinations respectively against the known malicious minimum independent executable file combinations.
First judging subunit 1412 is used to judge that the first set contains a known malicious minimum independent executable file combination when any of the first file combinations is identical to a known malicious minimum independent executable file combination. For example, the multi-file sample contains the files 1.exe, 2.exe, 3.exe, 1.dll, 2.dll and 3.txt, and the multi-file sample therefore contains the minimum independent executable file combination 1.exe+1.dll. If 1.exe+1.dll exists among the known malicious minimum independent executable file combinations, i.e. the sample library contains the malicious minimum independent executable file combination 1.exe+1.dll, first judging subunit 1412 determines that the first set contains a known malicious minimum independent executable file combination; that is to say, the multi-file sample is a malicious sample.
Second judging subunit 1413 is used to judge that the first set contains a known malicious minimum independent executable file combination when any of the second file combinations is contained in a known malicious minimum independent executable file combination and the files in that contained second file combination are not public files. For example, the multi-file sample contains the files 1.dll, 2.dll and 3.txt, and 1.exe+1.dll exists among the known malicious minimum independent executable file combinations, i.e. the sample library contains the malicious minimum independent executable file combination 1.exe+1.dll. Since the file 1.dll belongs to the known malicious minimum independent executable file combination 1.exe+1.dll, and 1.dll is neither a system file nor a common language runtime file, second judging subunit 1413 determines that the first set contains a known malicious minimum independent executable file combination; that is to say, the multi-file sample is a malicious sample.
The test device for a multi-file sample according to the embodiment of the invention can determine whether the first set contains a known malicious minimum independent executable file combination.
In order to implement the above embodiments, the invention further proposes a client.
In one embodiment of the invention, the client may be a hardware device such as a personal computer (PC), a notebook, a smartphone, a tablet computer or a personal digital assistant. The client includes a screen, a processor and a circuit board; the screen is arranged on the housing, the circuit board is placed inside the space enclosed by the housing, and the processor is arranged on the circuit board; the processor is used for processing data.
Specifically, the processor is used to perform the following steps:
S11', obtaining a multi-file sample, where the multi-file sample contains N files and N is a positive integer.
In one embodiment of the invention, the multi-file sample may be a multi-file compressed package, or it may be a file sample stored in any multi-file storage manner, for example a multi-file sample packaged as a compressed package and uploaded over the network, or a multi-file sample stored as multiple files on a USB flash disk.
S12', matching the N files against preset minimum independent executable file combinations to generate a first set containing W1 minimum independent executable file combinations, where the first set contains M files, M is an integer greater than or equal to 0 and less than or equal to N, and W1 is an integer greater than or equal to 0.
In one embodiment of the invention, a minimum independent executable file combination contains at least one executable file. Specifically, in order to realize a certain function, multiple files need to be combined: the function can only be realized by the multi-file combination, and the absence of any one file affects the function of the multi-file combination. Public files are excluded from the multi-file combination; a multi-file combination containing public files is not determined to be a minimum independent executable file combination. If an executable file can complete all of its own functions without depending on other files, that executable file may also serve as a minimum independent executable file combination by itself; that is to say, a minimum independent executable file combination may also contain only one executable file.
In one embodiment of the invention, S12' includes the following steps.
S121', obtaining, among the N files, first file combinations identical to a preset minimum independent executable file combination, or second file combinations contained in a preset minimum independent executable file combination. Specifically, it is judged whether the N files contain a first file combination identical to a preset minimum independent executable file combination, and that identical first file combination is marked. For example, the multi-file sample contains the files 1.exe, 2.exe, 3.exe, 1.dll, 2.dll and 3.txt and the preset minimum independent executable file combination is 1.exe+1.dll; the file combination 1.exe+1.dll in the multi-file sample is then taken as a first file combination.
At the same time, it is judged whether the N files contain a second file combination that is contained in a preset minimum independent executable file combination, and that contained second file combination is marked as an incomplete file combination. For example, the multi-file sample contains the files 1.dll, 2.dll and 3.txt and the preset minimum independent executable file combination is 1.exe+1.dll; the file combination 1.dll in the multi-file sample is then taken as a second file combination and marked as an incomplete file combination.
S122', generating the first set according to the first file combinations and the second file combinations, where the number of first file combinations is W1. Specifically, the marked first file combinations and second file combinations are added to the first set.
S13', obtaining the relation information among the remaining N-M files and, according to the relation information, obtaining from the remaining N-M files a second set containing W2 minimum independent executable file combinations, where W2 is an integer greater than or equal to 0.
In one embodiment of the invention, the relation information includes one or more of an inclusion relationship, a release relationship, a dependency relationship, a coexistence relationship and a bundle relationship. These relationships are illustrated as follows:
(1) Inclusion relationship: a compressed file or decompressed file A contains another file B; A is then said to contain B, and the relationship between A and B is called an inclusion relationship;
(2) Release relationship: when executable file A runs, it generates a new file B; A is then said to release B, and the relationship between A and B is called a release relationship;
(3) Dependency relationship: executable file A must rely on file B in order to complete its own function, and if file B does not exist, A cannot complete its intended function; A is then said to depend on B, and the relationship between A and B is called a dependency relationship;
(4) Coexistence relationship: file A and file B are both relied on by executable file C, and if either file A or file B is missing, executable file C cannot complete its intended function; A and B are then said to have to coexist, and the relationship between A and B is called a coexistence relationship;
(5) Bundle relationship: file A and file B are both contained in executable file C, or both released by executable file C, but executable file C relies on file A and not on file B; files A and B are then said to be bundled, and the relationship between A and B is called a bundle relationship.
In one embodiment of the invention, the files contained in the minimum independent executable file combinations and the incomplete file combinations of the first set are removed from the N files of the multi-file sample, that is, the M files of the first set are removed from the N files of the multi-file sample.
In one embodiment of the invention, S13' includes the following steps.
S131', judging whether the N-M files contain an executable file.
S132', if the N-M files contain an executable file, running the executable file and recording the relation information between the executable file and the other files among the N-M files. If the executable file fails to run, or the N-M files contain a file that does not belong to any preset minimum independent executable file combination, the executable file and that file are archived.
S133', obtaining the executable files among the N-M files.
S134', judging, according to the relation information corresponding to an executable file, whether the executable file and the files related to it form a minimum independent executable file combination.
S135', if it is judged that a minimum independent executable file combination is formed, adding it to the second set.
S14', determining whether the multi-file sample is a malicious sample according to the types of the W1 minimum independent executable file combinations and the W2 minimum independent executable file combinations.
In one embodiment of the invention, S14' includes the following step:
S141', if the first set or the second set contains a known malicious minimum independent executable file combination, judging the multi-file sample to be a malicious sample.
In one embodiment of the invention, a malicious minimum independent executable file combination is one that has previously been stored in the sample library, or one that has just been identified.
In one embodiment of the invention, S141' further includes the following steps:
S1411', matching the first file combinations and the second file combinations respectively against the known malicious minimum independent executable file combinations.
S1412', if any of the first file combinations is identical to a known malicious minimum independent executable file combination, judging that the first set contains a known malicious minimum independent executable file combination. For example, the multi-file sample contains the files 1.exe, 2.exe, 3.exe, 1.dll, 2.dll and 3.txt, and therefore contains the minimum independent executable file combination 1.exe+1.dll. If 1.exe+1.dll exists among the known malicious minimum independent executable file combinations, i.e. the sample library contains the malicious minimum independent executable file combination 1.exe+1.dll, it is determined that the first set contains a known malicious minimum independent executable file combination; that is to say, the multi-file sample is a malicious sample.
S1413', if any of the second file combinations is contained in a known malicious minimum independent executable file combination and the files in that contained second file combination are not public files, judging that the first set contains a known malicious minimum independent executable file combination. For example, the multi-file sample contains the files 1.dll, 2.dll and 3.txt, and 1.exe+1.dll exists among the known malicious minimum independent executable file combinations, i.e. the sample library contains the malicious minimum independent executable file combination 1.exe+1.dll. Since the file 1.dll belongs to the known malicious minimum independent executable file combination 1.exe+1.dll, and 1.dll is neither a system file nor a common language runtime file, it is determined that the first set contains a known malicious minimum independent executable file combination; that is to say, the multi-file sample is a malicious sample.
In one embodiment of the invention, the W2 minimum independent executable file combinations contain Q files, where Q is an integer greater than or equal to 0 and less than or equal to N. After the multi-file sample is judged to be a non-malicious sample, the processor is further used to perform:
S142', matching each of the remaining N-M-Q files against the malicious samples recorded during previous sample tests.
S143', if any of the remaining N-M-Q files has an inclusion, bundle and/or release relationship with malicious samples, and the number of malicious samples having such an inclusion, bundle and/or release relationship exceeds a certain threshold, judging the multi-file sample to be a risk sample.
In one embodiment of the invention, the threshold is a ratio value: the number of known malicious minimum independent executable file combinations that have an inclusion, bundle and/or release relationship with the file, relative to all known malicious minimum independent executable file combinations.
For example, the multi-file sample contains the files 1.exe, 2.exe and flag.txt, where 1.exe and 2.exe both belong to non-malicious minimum independent executable file combinations, but the file flag.txt is, according to previous records, a file released when a malicious minimum independent executable file combination executes, so this file can be said to have a release relationship with malicious samples. If this file is bundled, contained or released by 90% of the malicious samples, it is determined that this file is a risk file and that the multi-file sample containing it is a risk sample.
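The matching, relation-based and judgment steps described for modules 110-140 (Figs. 4-7) and for steps S11'-S14' above can be exercised end to end with the following added Python model, which is not code from the patent. The file names, dependency records, known malicious combinations, public-file list and threshold are constructed for the demonstration; relation information is supplied as already-recorded data instead of being gathered by running executables, and only the dependency relationship is used to build the second set.

```python
"""Added example (not the patent's own code): a compact model of the
multi-file sample test in steps S11'-S14'.  All names and records below
are constructed for the demonstration."""
from dataclasses import dataclass, field

# Public files (system files, common language runtime files) are never part
# of a minimum independent executable file combination.  Constructed list.
PUBLIC_FILES = frozenset({"kernel32.dll", "msvcrt.dll"})


@dataclass
class Sample:
    """A multi-file sample: its N files plus the relation information that
    step S132' would record for each executable (here: dependencies only)."""
    files: frozenset
    depends_on: dict = field(default_factory=dict)   # exe -> files it relies on


def is_executable(name):
    return name.lower().endswith(".exe")


def build_first_set(files, preset_combos):
    """S121'/S122': match the N files against the preset minimum independent
    executable file combinations.  Returns (first_set, matched_files, W1);
    each first_set entry is (combination, complete).  complete=False marks
    an incomplete file combination, i.e. a second file combination."""
    first_set, matched, w1 = [], set(), 0
    for combo in preset_combos:
        present = combo & files
        if not present:
            continue
        complete = present == combo
        first_set.append((frozenset(present), complete))
        w1 += int(complete)
        matched |= present            # these are the M files removed in S13'
    return first_set, frozenset(matched), w1


def build_second_set(remaining, depends_on):
    """S131'-S135': for every executable among the remaining N-M files, use
    its recorded relation information to decide whether it forms a minimum
    independent executable file combination with the files it relies on.
    An executable relying only on public files is a combination by itself."""
    second_set = []
    for exe in sorted(f for f in remaining if is_executable(f)):
        needed = {d for d in depends_on.get(exe, ()) if d not in PUBLIC_FILES}
        if needed <= remaining:       # every dependency present: combination formed
            second_set.append(frozenset({exe} | needed))
    return second_set


def classify(sample, preset_combos, known_malicious, relations, threshold):
    """S141'-S143'.  known_malicious: known malicious minimum independent
    executable file combinations.  relations: combination -> files it was
    recorded to include, bundle or release in earlier tests.  Returns the
    verdict together with the counts M, W1, W2 and Q."""
    first_set, matched, w1 = build_first_set(sample.files, preset_combos)
    remaining = sample.files - matched
    second_set = build_second_set(remaining, sample.depends_on)
    q_files = frozenset().union(*second_set)
    result = {"M": len(matched), "W1": w1, "W2": len(second_set), "Q": len(q_files)}

    # S1411'-S1413': a first file combination identical to a known malicious
    # combination, or a second file combination contained in one whose files
    # are not public, makes the sample malicious; so does a known malicious
    # combination in the second set.
    for combo, complete in first_set:
        if complete and combo in known_malicious:
            return {**result, "verdict": "malicious"}
        if (not complete and not (combo & PUBLIC_FILES)
                and any(combo <= k for k in known_malicious)):
            return {**result, "verdict": "malicious"}
    if any(combo in known_malicious for combo in second_set):
        return {**result, "verdict": "malicious"}

    # S142'/S143': each of the remaining N-M-Q files is matched against the
    # recorded malicious samples; a file included, bundled or released by
    # more than `threshold` of all known malicious combinations makes the
    # sample a risk sample.
    for name in sorted(remaining - q_files):
        related = [k for k in known_malicious if name in relations.get(k, ())]
        if related and len(related) / len(known_malicious) > threshold:
            return {**result, "verdict": "risk"}
    return {**result, "verdict": "clean"}


# Constructed data modelled on the patent's own examples.
PRESET = {frozenset({"1.exe", "1.dll"})}
KNOWN_MALICIOUS = {frozenset({"1.exe", "1.dll"}),
                   frozenset({"bad.exe"}),
                   frozenset({"worm.exe", "w.dll"})}
RELATIONS = {frozenset({"1.exe", "1.dll"}): {"flag.txt"},   # release relationship
             frozenset({"bad.exe"}): {"flag.txt"}}           # release relationship

if __name__ == "__main__":
    sample = Sample(frozenset({"a.exe", "b.exe", "flag.txt"}),
                    {"a.exe": {"kernel32.dll"}})
    print(classify(sample, PRESET, KNOWN_MALICIOUS, RELATIONS, threshold=0.5))
    # -> {'M': 0, 'W1': 0, 'W2': 2, 'Q': 2, 'verdict': 'risk'}
```

Raising the threshold to 0.9 turns the same sample into a clean verdict, since flag.txt is released by only two of the three constructed malicious combinations.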
On the one hand, the client according to the embodiment of the invention can reduce the repeated storage of malicious multi-file samples in the sample library and thereby save storage space in the sample library; on the other hand, it can avoid analysing repeated multi-file samples, which greatly reduces the time spent analysing the malicious files contained in multi-file samples and improves analysis efficiency.
It should be understood that in embodiments of the invention the mobile terminal may be a mobile phone, a tablet computer, a personal digital assistant, an e-book reader or another hardware device running any of various operating systems.
It should be understood that each part of the invention may be implemented by hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods may be implemented by software or firmware stored in memory and executed by a suitable instruction execution system. If implemented in hardware, as in another embodiment, any one of the following technologies known in the art, or a combination of them, may be used: discrete logic circuits having logic gate circuits that implement logic functions on data signals, application-specific integrated circuits having suitable combinational logic gate circuits, programmable gate arrays (PGA), field programmable gate arrays (FPGA), and the like.
In the description of this specification, reference to the terms "one embodiment", "some embodiments", "an example", "a specific example" or "some examples" means that a particular feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiment or example. Moreover, the particular features, structures, materials or characteristics described may be combined in any suitable manner in one or more embodiments or examples.
Although embodiments of the invention have been shown and described, those skilled in the art will understand that various changes, modifications, replacements and variations can be made to these embodiments without departing from the principle and purpose of the invention; the scope of the invention is defined by the claims and their equivalents.
Claims (27)
1. A method for testing a multi-file sample, characterized in that it comprises the following steps:
obtaining a multi-file sample, wherein the multi-file sample contains N files, N being a positive integer;
matching the N files against preset minimum independent executable file combinations to generate a first set containing W1 minimum independent executable file combinations, wherein the first set contains M files, M being an integer greater than or equal to 0 and less than or equal to N, W1 being an integer greater than or equal to 0, and a minimum independent executable file combination being a multi-file combination that contains no public file;
obtaining relation information among the remaining N-M files, and obtaining according to the relation information a second set containing W2 minimum independent executable file combinations from the remaining N-M files, W2 being an integer greater than or equal to 0; and
determining whether the multi-file sample is a malicious sample according to the types of the W1 minimum independent executable file combinations and the W2 minimum independent executable file combinations.
2. The method according to claim 1, characterized in that matching the N files against the preset minimum independent executable file combinations to generate the first set containing the W1 minimum independent executable file combinations further comprises:
obtaining, among the N files, first file combinations identical to a preset minimum independent executable file combination, or second file combinations contained in a preset minimum independent executable file combination; and
generating the first set according to the first file combinations and the second file combinations, wherein the number of the first file combinations is W1.
3. The method according to claim 1, characterized in that obtaining the relation information among the remaining N-M files further comprises:
judging whether the N-M files contain an executable file; and
if the N-M files contain an executable file, running the executable file and recording the relation information between the executable file and the other files among the N-M files.
4. The method according to claim 3, characterized in that obtaining the W2 minimum independent executable file combinations from the remaining N-M files according to the relation information further comprises:
obtaining the executable files among the N-M files;
judging, according to the relation information corresponding to an executable file, whether the executable file and the files related to it form a minimum independent executable file combination; and
if it is judged that a minimum independent executable file combination is formed, adding the executable file and the files related to it to the second set.
5. The method according to claim 3, characterized in that the relation information comprises one or more of an inclusion relationship, a release relationship, a dependency relationship, a coexistence relationship and a bundle relationship.
6. The method according to claim 2, characterized in that determining whether the multi-file sample is a malicious sample according to the types of the W1 minimum independent executable file combinations and the W2 minimum independent executable file combinations further comprises:
if the first set or the second set contains a known malicious minimum independent executable file combination, judging the multi-file sample to be a malicious sample.
7. The method according to claim 6, characterized in that whether the first set contains a known malicious minimum independent executable file combination is judged according to the following steps:
matching the first file combinations and the second file combinations respectively against the known malicious minimum independent executable file combinations;
if any of the first file combinations is identical to a known malicious minimum independent executable file combination, judging that the first set contains a known malicious minimum independent executable file combination; and
if any of the second file combinations is contained in a known malicious minimum independent executable file combination and the files in that contained second file combination are not public files, judging that the first set contains a known malicious minimum independent executable file combination.
8. The method according to claim 6, characterized in that the W2 minimum independent executable file combinations contain Q files, Q being an integer greater than or equal to 0 and less than or equal to N, and that after the multi-file sample is judged to be a non-malicious sample the method further comprises:
matching each of the remaining N-M-Q files against the malicious samples recorded during previous sample tests; and
if any of the remaining N-M-Q files has an inclusion, bundle and/or release relationship with the malicious samples, and the number of malicious samples having such an inclusion, bundle and/or release relationship exceeds a certain threshold, judging the multi-file sample to be a risk sample.
9. The method according to claim 8, characterized in that the threshold is the ratio of the known malicious minimum independent executable file combinations having an inclusion, bundle and/or release relationship with the file to all known malicious minimum independent executable file combinations.
10. A test device for a multi-file sample, characterized in that it comprises:
a first acquisition module for obtaining a multi-file sample, wherein the multi-file sample contains N files, N being a positive integer;
a matching module for matching the N files against preset minimum independent executable file combinations to generate a first set containing W1 minimum independent executable file combinations, wherein the first set contains M files, M being an integer greater than or equal to 0 and less than or equal to N, W1 being an integer greater than or equal to 0, and a minimum independent executable file combination being a multi-file combination that contains no public file;
a second acquisition module for obtaining relation information among the remaining N-M files and obtaining according to the relation information a second set containing W2 minimum independent executable file combinations from the remaining N-M files, W2 being an integer greater than or equal to 0; and
a judgment module for determining whether the multi-file sample is a malicious sample according to the types of the W1 minimum independent executable file combinations and the W2 minimum independent executable file combinations.
11. The device according to claim 10, characterized in that the matching module comprises:
an acquiring unit for obtaining, among the N files, first file combinations identical to a preset minimum independent executable file combination, or second file combinations contained in a preset minimum independent executable file combination; and
a generation unit for generating the first set according to the first file combinations and the second file combinations, wherein the number of the first file combinations is W1.
12. The device according to claim 10, characterized in that the second acquisition module comprises:
a first judging unit for judging whether the N-M files contain an executable file;
a running unit for running the executable file when the N-M files contain an executable file; and
a recording unit for recording the relation information between the executable file and the other files among the N-M files.
13. The device according to claim 12, characterized in that the second acquisition module further comprises:
an acquiring unit for obtaining the executable files among the N-M files;
a second judging unit for judging, according to the relation information corresponding to an executable file, whether the executable file and the files related to it form a minimum independent executable file combination; and
an adding unit for adding the executable file and the files related to it to the second set when it is judged that a minimum independent executable file combination is formed.
14. The device according to claim 12, characterized in that the relation information comprises one or more of an inclusion relationship, a release relationship, a dependency relationship, a coexistence relationship and a bundle relationship.
15. The device of claim 11, wherein the judgment module comprises:
a third judging unit for judging the multi-file sample to be a malicious sample when the first set or the second set contains a known malicious minimum standalone executable file combination.
16. The device of claim 15, wherein the third judging unit comprises:
a matching subunit for matching the first file combinations and the second file combinations respectively against the known malicious minimum standalone executable file combinations;
a first judgment subunit for judging that the first set contains a known malicious minimum standalone executable file combination when any of the first file combinations is identical to a known malicious minimum standalone executable file combination; and
a second judgment subunit for judging that the first set contains a known malicious minimum standalone executable file combination when any of the second file combinations is contained by a known malicious minimum standalone executable file combination and the files in the contained second file combination are public files.
17. The device of claim 15, wherein the W2 minimum standalone executable file combinations comprise Q files, Q being an integer greater than or equal to 0 and less than or equal to N, and wherein, after the judgment module has judged the multi-file sample to be a non-malicious sample, the judgment module further comprises:
a matching unit for matching the remaining N-M-Q files respectively against the malicious samples recorded before this sample was tested; and
a fourth judging unit for judging the multi-file sample to be a risk sample when any of the remaining N-M-Q files has an inclusion relation, bundle relation or release relation with malicious samples, and the number of malicious samples having such an inclusion, bundle or release relation exceeds a certain threshold.
18. The device of claim 17, wherein the threshold is the ratio of the known malicious minimum standalone executable file combinations that have an inclusion, bundle or release relation with the file to all known malicious minimum standalone executable file combinations.
19. A client for testing a multi-file sample, comprising a screen, a processor and a circuit board, wherein the screen is placed on the shell, the circuit board is placed inside the space enclosed by the shell, and the processor is disposed on the circuit board;
the processor is used to process data and is specifically used to:
obtain a multi-file sample, wherein the multi-file sample comprises N files, N being a positive integer;
match the N files against preset minimum standalone executable file combinations to generate a first set of W1 minimum standalone executable file combinations, wherein the first set comprises M files, M being an integer greater than or equal to 0 and less than or equal to N, W1 being an integer greater than or equal to 0, and a minimum standalone executable file combination being a multi-file combination, among the multi-file combinations, that contains no public files;
obtain the relation information among the remaining N-M files, and obtain according to the relation information a second set of W2 minimum standalone executable file combinations among the remaining N-M files, W2 being an integer greater than or equal to 0; and
determine whether the multi-file sample is a malicious sample according to the types of the W1 minimum standalone executable file combinations and the W2 minimum standalone executable file combinations.
20. The client of claim 19, wherein matching the N files against the preset minimum standalone executable file combinations to generate the first set of W1 minimum standalone executable file combinations further comprises:
obtaining, among the N files, first file combinations that are identical to a preset minimum standalone executable file combination, or second file combinations that are contained by a preset minimum standalone executable file combination; and
generating the first set from the first file combinations and the second file combinations, wherein the number of first file combinations is W1.
21. The client of claim 19, wherein obtaining the relation information among the remaining N-M files further comprises:
judging whether the N-M files contain an executable file; and
if the N-M files contain an executable file, running the executable file and recording the relation information between the executable file and the other files among the N-M files.
22. The client of claim 21, wherein obtaining according to the relation information the W2 minimum standalone executable file combinations among the remaining N-M files further comprises:
obtaining the executable file among the N-M files;
judging, according to the relation information corresponding to the executable file, whether the executable file and the files related to it form a minimum standalone executable file combination; and
if it is determined that a minimum standalone executable file combination is formed, adding the executable file and the files related to it to the second set.
23. The client of claim 21, wherein the relation information comprises one or more of an inclusion relation, a release relation, a dependency relation, a coexistence relation and a bundle relation.
24. The client of claim 20, wherein determining whether the multi-file sample is a malicious sample according to the types of the W1 minimum standalone executable file combinations and the W2 minimum standalone executable file combinations further comprises:
if the first set or the second set contains a known malicious minimum standalone executable file combination, judging the multi-file sample to be a malicious sample.
25. The client of claim 24, wherein the processor judges whether the first set contains a known malicious minimum standalone executable file combination according to the following steps:
matching the first file combinations and the second file combinations respectively against the known malicious minimum standalone executable file combinations;
if any of the first file combinations is identical to a known malicious minimum standalone executable file combination, judging that the first set contains a known malicious minimum standalone executable file combination;
if any of the second file combinations is contained by a known malicious minimum standalone executable file combination and the files in the contained second file combination are not public files, judging that the first set contains a known malicious minimum standalone executable file combination.
26. The client of claim 24, wherein the W2 minimum standalone executable file combinations comprise Q files, Q being an integer greater than or equal to 0 and less than or equal to N, and after the processor has judged the multi-file sample to be a non-malicious sample, the processor is further configured to:
match the remaining N-M-Q files respectively against the malicious samples recorded before this sample was tested; and
if any of the remaining N-M-Q files has an inclusion relation, bundle relation or release relation with malicious samples, and the number of malicious samples having such an inclusion, bundle or release relation exceeds a certain threshold, judge the multi-file sample to be a risk sample.
27. The client of claim 26, wherein the threshold is the ratio of the known malicious minimum standalone executable file combinations that have an inclusion, bundle or release relation with the file to all known malicious minimum standalone executable file combinations.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310381730.6A CN104424437B (en) | 2013-08-28 | 2013-08-28 | Multi-file sample testing method and device and client |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104424437A CN104424437A (en) | 2015-03-18 |
CN104424437B (en) | 2018-07-10 |
Family
ID=52973367
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310381730.6A Active CN104424437B (en) | 2013-08-28 | 2013-08-28 | Multi-file sample testing method and device and client |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104424437B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112256637A (en) * | 2020-10-19 | 2021-01-22 | Beike Technology Co., Ltd. | File management method and device based on abstract syntax tree and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1627699A (en) * | 2004-06-24 | 2005-06-15 | Xi'an Jiaotong University | Method for self-adapting testing access of abnormal files |
CN101753570A (en) * | 2008-12-18 | 2010-06-23 | Symantec Corporation | Methods and systems for detecting malware |
CN102737186A (en) * | 2012-06-26 | 2012-10-17 | Tencent Technology (Shenzhen) Co., Ltd. | Malicious file identification method, device and storage medium |
CN102855440A (en) * | 2012-09-13 | 2013-01-02 | Beijing Qihoo Technology Co., Ltd. | Method, device and system for detecting packed executable files |
CN103106365A (en) * | 2013-01-25 | 2013-05-15 | Beijing University of Technology | Detection method for malicious application software on mobile terminal |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8037536B2 (en) * | 2007-11-14 | 2011-10-11 | Bank Of America Corporation | Risk scoring system for the prevention of malware |
Non-Patent Citations (1)
Title |
---|
Zheng Jie et al., "File type identification algorithm based on statistical feature values", Computer Engineering, 2007-01-31, vol. 33, no. 1, full text * |
Also Published As
Publication number | Publication date |
---|---|
CN104424437A (en) | 2015-03-18 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |