CN104424437B - Multi-file sample testing method and device and client - Google Patents


Info

Publication number: CN104424437B
Authority: CN (China)
Prior art keywords: file, combination, minimum, sample, executable file
Legal status: Active (the legal status is an assumption and is not a legal conclusion)
Application number: CN201310381730.6A
Other languages: Chinese (zh)
Other versions: CN104424437A (en)
Inventors: 舒鑫, 张楠
Current and original assignees: Beijing Kingsoft Internet Security Software Co Ltd; Conew Network Technology Beijing Co Ltd; Shell Internet Beijing Security Technology Co Ltd; Zhuhai Juntian Electronic Technology Co Ltd; Beijing Kingsoft Internet Science and Technology Co Ltd (the listed assignees may be inaccurate)
Application filed by Beijing Kingsoft Internet Security Software Co Ltd, Conew Network Technology Beijing Co Ltd, Shell Internet Beijing Security Technology Co Ltd, Zhuhai Juntian Electronic Technology Co Ltd and Beijing Kingsoft Internet Science and Technology Co Ltd
Priority to CN201310381730.6A
Publication of CN104424437A
Application granted
Publication of CN104424437B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

The invention provides a method, a device and a client for testing a multi-file sample. The method comprises the following steps: acquiring a multi-file sample that includes N files; matching the N files against preset minimum independent executable file combinations to generate a first set of W1 minimum independent executable file combinations, the first set containing M files; acquiring relationship information among the remaining N-M files and, according to that relationship information, acquiring a second set of W2 minimum independent executable file combinations from the remaining N-M files; and determining whether the multi-file sample is a malicious sample according to the types of the W1 and the W2 minimum independent executable file combinations. With the method provided by the embodiments of the invention, the storage of repeated malicious multi-file samples in the sample library is reduced, saving storage space in the sample library; the repeated analysis of duplicate multi-file samples is avoided, the time needed to analyze the malicious files contained in a multi-file sample is greatly reduced, and analysis efficiency is improved.

Description

Multi-file sample testing method, device and client
Technical field
The present invention relates to the field of computer security technology, and in particular to a multi-file sample testing method, device and client.
Background technology
With the development of the Internet and the prevalence of e-commerce, the number of malicious files has grown explosively, in geometric progression. A malicious file is a virus, worm, Trojan horse or similar program that deliberately performs a malicious task on a computer system. Before a malicious file is discovered by the user, the user's private sensitive data while online, such as bank account information or credit card passwords, is likely to be stolen, causing the user enormous losses; the harm to users is therefore severe. At present, the main method for analyzing whether a multi-file sample contains malicious files is dynamic behavior analysis, which has become a research hotspot in the anti-virus security field both domestically and abroad.
In the course of realizing the present invention, the inventors found that the prior art has at least the following problems. At present, massive amounts of malicious file data can be obtained through user reports, honeypot capture and various other means; however, this massive malicious file data means that the number of samples stored in the malicious file sample database is very large, so that the sample database not only occupies a great deal of storage space, but analyzing whether a multi-file sample contains a malicious file by dynamic behavior analysis also consumes a very long time. Furthermore, since multi-file samples are usually packed several times into compressed package files, and the dynamic behavior analysis method cannot exclude the repeated multi-file samples inside such compressed packages, the time consumed analyzing the malicious files in each of these files by dynamic behavior analysis is long and the analysis efficiency is low.
Invention content
The present invention aims to solve at least one of the above technical problems.
To this end, the first object of the present invention is to propose a multi-file sample testing method. On the one hand, this method can reduce the number of repeated malicious multi-file samples stored in the sample database, saving the storage space of the sample database; on the other hand, it can avoid the analysis of repeated multi-file samples, greatly reducing the time taken to analyze the malicious files contained in a multi-file sample and improving analysis efficiency.
The second object of the present invention is to propose a multi-file sample testing device.
The third object of the present invention is to propose a client.
To achieve these objects, the multi-file sample testing method of the embodiment of the first aspect of the present invention includes the following steps: obtaining a multi-file sample, wherein the multi-file sample includes N files and N is a positive integer; matching the N files against preset minimum independent executable file combinations to generate a first set having W1 minimum independent executable file combinations, wherein the first set includes M files, M is an integer greater than or equal to 0 and less than or equal to N, and W1 is an integer greater than or equal to 0; obtaining relationship information among the remaining N-M files, and obtaining, according to the relationship information, a second set having W2 minimum independent executable file combinations from the remaining N-M files, W2 being an integer greater than or equal to 0; and determining whether the multi-file sample is a malicious sample according to the types of the W1 minimum independent executable file combinations and the W2 minimum independent executable file combinations.
On the one hand, the multi-file sample testing method according to the embodiments of the present invention can reduce the repeated malicious multi-file samples stored in the sample database, saving the storage space of the sample database; on the other hand, it can avoid analyzing repeated multi-file samples, greatly reducing the time taken to analyze the malicious files contained in a multi-file sample and improving analysis efficiency.
To achieve these objects, the multi-file sample testing device of the embodiment of the second aspect of the present invention includes: a first acquisition module for obtaining a multi-file sample, wherein the multi-file sample includes N files and N is a positive integer; a matching module for matching the N files against preset minimum independent executable file combinations to generate a first set having W1 minimum independent executable file combinations, wherein the first set includes M files, M is an integer greater than or equal to 0 and less than or equal to N, and W1 is an integer greater than or equal to 0; a second acquisition module for obtaining relationship information among the remaining N-M files and obtaining, according to the relationship information, a second set having W2 minimum independent executable file combinations from the remaining N-M files, W2 being an integer greater than or equal to 0; and a judgment module for determining whether the multi-file sample is a malicious sample according to the types of the W1 minimum independent executable file combinations and the W2 minimum independent executable file combinations.
On the one hand, the multi-file sample testing device according to the embodiments of the present invention can reduce the repeated malicious multi-file samples stored in the sample database, saving the storage space of the sample database; on the other hand, it can avoid analyzing repeated multi-file samples, greatly reducing the time taken to analyze the malicious files contained in a multi-file sample and improving analysis efficiency.
To achieve these objects, the client of the embodiment of the third aspect of the present invention includes a screen, a processor and a circuit board; the screen is arranged on a housing, the circuit board is placed inside the space enclosed by the housing, and the processor is arranged on the circuit board. The processor is used to process data, and is specifically used to: obtain a multi-file sample, wherein the multi-file sample includes N files and N is a positive integer; match the N files against preset minimum independent executable file combinations to generate a first set having W1 minimum independent executable file combinations, wherein the first set includes M files, M is an integer greater than or equal to 0 and less than or equal to N, and W1 is an integer greater than or equal to 0; obtain relationship information among the remaining N-M files, and obtain, according to the relationship information, a second set having W2 minimum independent executable file combinations from the remaining N-M files, W2 being an integer greater than or equal to 0; and determine whether the multi-file sample is a malicious sample according to the types of the W1 minimum independent executable file combinations and the W2 minimum independent executable file combinations.
On the one hand, the client according to the embodiments of the present invention can reduce the repeated malicious multi-file samples stored in the sample database, saving the storage space of the sample database; on the other hand, it can avoid analyzing repeated multi-file samples, greatly reducing the time taken to analyze the malicious files contained in a multi-file sample and improving analysis efficiency.
Additional aspects and advantages of the present invention will be set forth in part in the following description, and will in part become apparent from the description or be learned through practice of the invention.
Description of the drawings
The above and/or additional aspects and advantages of the present invention will become apparent and easy to understand from the following description of the embodiments with reference to the accompanying drawings, in which:
Fig. 1 is a flow chart of a multi-file sample testing method according to an embodiment of the present invention;
Fig. 2 is a flow chart of a multi-file sample testing method according to a specific embodiment of the present invention;
Fig. 3 is a structural schematic diagram of a multi-file sample testing device according to an embodiment of the present invention;
Fig. 4 is a structural schematic diagram of a multi-file sample testing device according to a specific embodiment of the present invention;
Fig. 5 is a structural schematic diagram of a multi-file sample testing device according to another specific embodiment of the present invention;
Fig. 6 is a structural schematic diagram of a multi-file sample testing device according to another specific embodiment of the present invention; and
Fig. 7 is a structural schematic diagram of a multi-file sample testing device according to another specific embodiment of the present invention.
Specific embodiment
The embodiments of the present invention are described in detail below; examples of the embodiments are shown in the drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements having the same or similar functions. The embodiments described below with reference to the drawings are exemplary and are only intended to explain the present invention; they should not be construed as limiting the invention. On the contrary, the embodiments of the invention include all changes, modifications and equivalents falling within the spirit and scope of the appended claims.
In the description of the present invention, it should be understood that the terms "first", "second" and the like are used for descriptive purposes only and cannot be understood as indicating or implying relative importance. In the description of the present invention, it should be noted that, unless otherwise expressly specified and limited, the terms "connected" and "connection" should be interpreted broadly; for example, they may denote a fixed connection, a detachable connection or an integral connection; a mechanical connection or an electrical connection; a direct connection or an indirect connection through an intermediary. For those of ordinary skill in the art, the specific meaning of the above terms in the present invention can be understood according to the specific situation. In addition, in the description of the present invention, unless otherwise stated, "multiple" means two or more.
Any process or method description in a flow chart, or otherwise described herein, may be understood as representing a module, segment or portion of code comprising one or more executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of the present invention includes other implementations in which functions may be performed out of the order shown or discussed, including substantially concurrently or in the reverse order, depending on the functions involved, as should be understood by those skilled in the art to which the embodiments of the present invention belong.
The multi-file sample testing method, device and client according to embodiments of the present invention are described below with reference to the accompanying drawings.
At present, the dynamic behavior analysis method cannot exclude the repeated multi-file samples in a compressed package, so analyzing the malicious files in a multi-file sample by dynamic behavior analysis consumes a very long time and analysis efficiency is very low. If instead the relationships between the files in a multi-file sample (for example, read, write and run relationships) are identified, repeated file samples in the multi-file sample (such as repeated samples that have been packed several times) are identified, multi-file samples that are split combinations (such as a multi-file sample containing several executable files) are identified, and incomplete multi-file samples are identified, and the executable files or multi-file combinations are then discriminated as "minimum independent executable file combinations" and minimally separated, restored and de-duplicated, then, on the one hand, the repeated file samples stored in the sample database can be reduced, saving the storage space of the sample database, and on the other hand the analysis of repeated file samples can be avoided, greatly reducing the time taken to analyze the malicious files contained in a multi-file sample and improving analysis efficiency. To this end, the present invention proposes a multi-file sample testing method.
Fig. 1 is a flow chart of a multi-file sample testing method according to an embodiment of the present invention, and Fig. 2 is a flow chart of a multi-file sample testing method according to a specific embodiment of the present invention.
As shown in Figs. 1 and 2, the multi-file sample testing method includes:
S11: obtain a multi-file sample, wherein the multi-file sample includes N files and N is a positive integer.
In one embodiment of the present invention, the multi-file sample is usually a multi-file compressed package, but it may also be a file sample stored in any multi-file storage form, for example a multi-file sample uploaded over the network as a packed compressed package, or a multi-file sample stored as multiple files on a USB flash drive, etc.
S12: match the N files against preset minimum independent executable file combinations to generate a first set having W1 minimum independent executable file combinations, wherein the first set includes M files, M is an integer greater than or equal to 0 and less than or equal to N, and W1 is an integer greater than or equal to 0.
In one embodiment of the present invention, a minimum independent executable file combination includes at least one executable file. Specifically, in order to realize some function, multiple files need to be combined, and the function can only be realized by the multi-file combination; missing any one of the files affects the function of the multi-file combination. Public files are excluded from the multi-file combination, and a multi-file combination that contains public files is not determined to be a minimum independent executable file combination. If an executable file can complete all of its own functions without depending on any other file, that executable file can also serve as a minimum independent executable file combination by itself; that is, a minimum independent executable file combination may also consist of only one executable file.
In one embodiment of the present invention, S12 includes the following steps.
S121: obtain, from the N files, first file combinations that are identical to a preset minimum independent executable file combination, or second file combinations that are included in a preset minimum independent executable file combination. Specifically, it is judged whether the N files contain a first file combination identical to a preset minimum independent executable file combination, and the identical first file combination is marked. For example, if the multi-file sample contains the files 1.exe, 2.exe, 3.exe, 1.dll, 2.dll and 3.txt, and the preset minimum independent executable file combination is 1.exe+1.dll, then the file combination 1.exe+1.dll in the multi-file sample is taken as a first file combination.
At the same time, it is judged whether the N files contain a second file combination that is included in a preset minimum independent executable file combination, and the included second file combination is marked as an incomplete file combination. For example, if the multi-file sample contains the files 1.dll, 2.dll and 3.txt, and the preset minimum independent executable file combination is 1.exe+1.dll, then the file combination 1.dll in the multi-file sample is taken as a second file combination and marked as an incomplete file combination.
S122: generate the first set according to the first file combinations and the second file combinations, wherein the number of first file combinations is W1. Specifically, the marked first file combinations and second file combinations are added to the first set.
S13: obtain the relationship information among the remaining N-M files, and obtain, according to the relationship information, a second set having W2 minimum independent executable file combinations from the remaining N-M files, W2 being an integer greater than or equal to 0.
In one embodiment of the present invention, the relationship information includes one or more of an inclusion relationship, a release relationship, a dependency relationship, a coexistence relationship and a bundling relationship. The above relationship information is illustrated as follows:
(1) Inclusion relationship: a compressed or decompressed file A contains another file B; A is then said to include B, and the relationship between A and B is called an inclusion relationship;
(2) Release relationship: when executable file A runs, it generates a new file B; A is then said to release B, and the relationship between A and B is called a release relationship;
(3) Dependency relationship: executable file A must rely on file B to complete its own function, and if file B does not exist, A cannot complete the function it is supposed to perform; A is then said to depend on B, and the relationship between A and B is called a dependency relationship;
(4) Coexistence relationship: file A and file B are both depended on by executable file C, and if either file A or file B is missing, executable file C cannot complete the function it is supposed to perform; A and B are then said to have to coexist, and the relationship between A and B is called a coexistence relationship;
(5) Bundling relationship: file A and file B are both included in, or both released by, executable file C, but file A is depended on by executable file C while file B is not; files A and B are then said to be bundled, and the relationship between A and B is called a bundling relationship.
In one embodiment of the present invention, the files contained in the minimum independent executable file combinations and the incomplete file combinations in the first set are removed from the N files of the multi-file sample; that is, the M files in the first set are removed from the N files of the multi-file sample.
In one embodiment of the present invention, S13 includes the following steps.
S131: judge whether the N-M files contain an executable file.
S132: if the N-M files contain an executable file, run the executable file and record the relationship information between the executable file and the other files among the N-M files. If the executable file fails to run, or the N-M files contain a file that does not belong to any preset minimum independent executable file combination, then the executable file and that file are only archived.
S133: obtain the executable files among the N-M files.
S134: judge, according to the relationship information corresponding to an executable file, whether the executable file and the files related to it form a minimum independent executable file combination.
S135: if it is judged that they form a minimum independent executable file combination, add the combination to the second set.
S14: determine whether the multi-file sample is a malicious sample according to the types of the W1 minimum independent executable file combinations and the W2 minimum independent executable file combinations.
In one embodiment of the present invention, S14 includes the following steps:
S141: if the first set or the second set contains a known malicious minimum independent executable file combination, judge the multi-file sample to be a malicious sample.
In one embodiment of the present invention, a known malicious minimum independent executable file combination may be a malicious minimum independent executable file combination previously stored in the sample database, or a malicious minimum independent executable file combination that has just been identified.
In one embodiment of the present invention, S141 further includes the following steps:
S1411: match the first file combinations and the second file combinations respectively against the known malicious minimum independent executable file combinations.
S1412: if any first file combination is identical to a known malicious minimum independent executable file combination, judge that the first set contains a known malicious minimum independent executable file combination. For example, the multi-file sample contains the files 1.exe, 2.exe, 3.exe, 1.dll, 2.dll and 3.txt, and among them the minimum independent executable file combination 1.exe+1.dll. If 1.exe+1.dll exists among the known malicious minimum independent executable file combinations, that is, the sample database contains the malicious minimum independent executable file combination 1.exe+1.dll, then it is determined that the first set contains a known malicious minimum independent executable file combination, which is to say that the multi-file sample is a malicious sample.
S1413: if any second file combination is included in a known malicious minimum independent executable file combination, and the file in the included second file combination is not a public file, judge that the first set contains a known malicious minimum independent executable file combination. For example, the multi-file sample contains the files 1.dll, 2.dll and 3.txt. If 1.exe+1.dll exists among the known malicious minimum independent executable file combinations, that is, the sample database contains the malicious minimum independent executable file combination 1.exe+1.dll, then since the file 1.dll belongs to the known malicious minimum independent executable file combination 1.exe+1.dll, and 1.dll is neither a system file nor a common language runtime file, it is determined that the first set contains a known malicious minimum independent executable file combination, which is to say that the multi-file sample is a malicious sample.
In one embodiment of the present invention, the W2 minimum independent executable file combinations include Q files, where Q is an integer greater than or equal to 0 and less than or equal to N. After the multi-file sample is judged to be a non-malicious sample, S14 further includes the following steps.
S142: match the remaining N-M-Q files respectively against the malicious samples recorded in previous sample tests.
S143: if any of the remaining N-M-Q files has an inclusion, bundling or release relationship with the malicious samples, and the malicious samples having an inclusion, bundling or release relationship with it exceed a certain threshold, judge the multi-file sample to be a risk sample.
In one embodiment of the present invention, the threshold is the ratio of the known malicious minimum independent executable file combinations that have an inclusion, bundling or release relationship with the file to all known malicious minimum independent executable file combinations.
For example, the multi-file sample contains the files 1.exe, 2.exe and flag.txt, where 1.exe and 2.exe both belong to non-malicious minimum independent executable file combinations, but flag.txt is, according to previous records, a file released when a malicious minimum independent executable file combination executes; we can therefore say that this file has a release relationship with malicious samples. If this file is bundled, included or released by 90% of malicious samples, it is determined to be a risk file, and the multi-file sample containing it is a risk sample.
On the one hand, the multi-file sample testing method according to the embodiments of the present invention can reduce the repeated malicious multi-file samples stored in the sample database, saving the storage space of the sample database; on the other hand, it can avoid analyzing repeated multi-file samples, greatly reducing the time taken to analyze the malicious files contained in a multi-file sample and improving analysis efficiency.
In order to realize above-described embodiment, the present invention also proposes a kind of test device of multifile sample.
A kind of test device of multifile sample, including:First acquisition module, for obtaining multifile sample, wherein, it is more Paper sample includes N number of file, wherein, N is positive integer;Matching module, for by N number of file with it is preset it is minimum independent can File combination is performed to be matched to generate the first set with W1 minimum standalone executable file combination, wherein, first Set includes M file, wherein, M is the integer more than or equal to 0 and less than or equal to N, and W1 is the integer more than or equal to 0;Second obtains Modulus block for obtaining the relation information between remaining N-M file, and obtains remaining N-M text according to relation information The second set with W2 minimum standalone executable file combination in part, W2 is the integer more than or equal to 0;And judge mould Block, the type for being combined according to W1 minimum standalone executable file combination and W2 minimum standalone executable file determine more Whether paper sample is malice sample.
Fig. 3 is the structure diagram of the test device of multifile sample according to an embodiment of the invention.
As shown in figure 3, the test device of multifile sample includes:First acquisition module 110, matching module 120, second are obtained Modulus block 130 and judgment module 140.
Specifically, the first acquisition module 110 is used to obtain multifile sample, wherein, multifile sample includes N number of text Part, wherein, N is positive integer.
In one embodiment of the invention, the multi-file sample may be a multi-file compressed package, or a sample stored in any other multi-file storage form, for example a multi-file sample uploaded over the network as a compressed package, or a multi-file sample stored as several files on a USB flash disk.
The matching module 120 is used to match the N files against the preset minimum standalone executable file combinations to generate a first set containing W1 minimum standalone executable file combinations, where the first set covers M files, M is an integer greater than or equal to 0 and less than or equal to N, and W1 is an integer greater than or equal to 0. In one embodiment of the invention, a minimum standalone executable file combination includes at least one executable file. More specifically, some functions can only be realized by a combination of several files, and the absence of any one of those files affects the function of the whole combination. Public files are excluded from such a multi-file combination, and the multi-file combination without public files is determined to be a minimum standalone executable file combination. If an executable file can complete all of its own functions without depending on any other file, that executable file by itself is also regarded as a minimum standalone executable file combination; that is, a minimum standalone executable file combination may contain only one executable file.
The second acquisition module 130 is used to obtain the relation information between the remaining N-M files and, according to that relation information, to obtain from the remaining N-M files a second set containing W2 minimum standalone executable file combinations, where W2 is an integer greater than or equal to 0. In one embodiment of the invention, the relation information includes one or more of an inclusion relation, a release relation, a dependence relation, a coexistence relation and a bundle relation.
In one embodiment of the invention, the second acquisition module 130 removes the files contained in the minimum executable file combinations and the incomplete file combinations of the first set from the N files of the multi-file sample, that is, it removes the M files of the first set from the N files of the multi-file sample.
The judgment module 140 is used to determine whether the multi-file sample is a malicious sample according to the types of the W1 minimum standalone executable file combinations and the W2 minimum standalone executable file combinations.
On the one hand, the test device for multi-file samples according to the embodiments of the present invention can reduce the number of malicious multi-file samples stored repeatedly in the sample database and thereby save storage space; on the other hand, it avoids analyzing duplicate multi-file samples again, which greatly reduces the time spent analyzing multi-file samples for malicious files and improves analysis efficiency.
Fig. 4 is a structural diagram of the test device for multi-file samples according to a specific embodiment of the present invention.
As shown in Fig. 4, the test device for multi-file samples includes a first acquisition module 110, a matching module 120, a second acquisition module 130 and a judgment module 140, where the matching module 120 includes an acquiring unit 121 and a generation unit 122.
Specifically, the acquiring unit 121 is used to obtain, from the N files, first file combinations that are identical to a preset minimum standalone executable file combination, or second file combinations that are contained in a preset minimum standalone executable file combination. More specifically, the acquiring unit 121 judges whether the N files contain a first file combination identical to a preset minimum standalone executable file combination, and marks each identical first file combination. For example, if the multi-file sample contains the files 1.exe, 2.exe, 3.exe, 1.dll, 2.dll and 3.txt, and the preset minimum standalone executable file combination is 1.exe+1.dll, the acquiring unit 121 takes the file combination 1.exe+1.dll in the multi-file sample as a first file combination.
At the same time, the acquiring unit 121 judges whether the N files contain a second file combination that is contained in a preset minimum standalone executable file combination, and marks each contained second file combination as an incomplete file combination. For example, if the multi-file sample contains the files 1.dll, 2.dll and 3.txt, and the preset minimum standalone executable file combination is 1.exe+1.dll, the acquiring unit 121 takes the file combination 1.dll in the multi-file sample as a second file combination and marks it as an incomplete file combination.
The generation unit 122 is used to generate the first set from the first file combinations and the second file combinations, where the number of first file combinations is W1. Specifically, the generation unit 122 adds the marked first file combinations and second file combinations to the first set.
The test device for multi-file samples according to the embodiments of the present invention obtains, from the N files, the first file combinations identical to a preset minimum standalone executable file combination or the second file combinations contained in a preset minimum standalone executable file combination, and can generate the first set from the first file combinations and the second file combinations.
Fig. 5 is a structural diagram of the test device for multi-file samples according to another specific embodiment of the present invention.
As shown in Fig. 5, the test device for multi-file samples includes a first acquisition module 110, a matching module 120, a second acquisition module 130 and a judgment module 140, where the matching module 120 includes an acquiring unit 121 and a generation unit 122, and the second acquisition module 130 includes a first judging unit 131, a running unit 132, a recording unit 133, an acquiring unit 134, a second judging unit 135 and an adding unit 136.
Specifically, the first judging unit 131 is used to judge whether the N-M files include an executable file.
The running unit 132 is used to run the executable file when the N-M files include an executable file.
The recording unit 133 is used to record the relation information between the executable file and the other files among the N-M files. If the running unit 132 fails to run the executable file, or the N-M files contain a file that does not belong to any preset minimum standalone executable file combination, the recording unit 133 archives the executable file and that file.
The acquiring unit 134 is used to obtain the executable files among the N-M files.
The second judging unit 135 is used to judge, according to the relation information corresponding to the executable file, whether the executable file and the files related to it form a minimum standalone executable file combination.
The adding unit 136 is used to add the combination to the second set when it is judged that a minimum standalone executable file combination is formed.
The test device for multi-file samples according to the embodiments of the present invention obtains the relation information between the remaining N-M files and, according to that relation information, can obtain from the remaining N-M files a second set containing W2 minimum standalone executable file combinations.
Fig. 6 is a structural diagram of the test device for multi-file samples according to another specific embodiment of the present invention.
As shown in Fig. 6, the test device for multi-file samples includes a first acquisition module 110, a matching module 120, a second acquisition module 130 and a judgment module 140, where the matching module 120 includes an acquiring unit 121 and a generation unit 122, the second acquisition module 130 includes a first judging unit 131, a running unit 132, a recording unit 133, an acquiring unit 134, a second judging unit 135 and an adding unit 136, and the judgment module 140 includes a third judging unit 141, a matching unit 142 and a fourth judging unit 143.
Specifically, the third judging unit 141 is used to judge the multi-file sample to be a malicious sample when the first set or the second set contains a known malicious minimum standalone executable file combination. In one embodiment of the invention, a malicious minimum standalone executable file combination is one previously stored in the sample database, or one that has just been identified.
In one embodiment of the invention, the W2 minimum standalone executable file combinations cover Q files, where Q is an integer greater than or equal to 0 and less than or equal to N. After the judgment module 140 has judged the multi-file sample to be a non-malicious sample, the matching unit 142 is used to match each of the remaining N-M-Q files against the malicious samples recorded during previous sample testing; and
the fourth judging unit 143 is used to judge the multi-file sample to be a risk sample when any of the remaining N-M-Q files has an inclusion relation, bundle relation or release relation with malicious samples, and the number of malicious samples having such an inclusion, bundle or release relation exceeds a certain threshold.
In one embodiment of the invention, the threshold is a ratio value: the number of known malicious minimum standalone executable file combinations that have an inclusion, bundle or release relation with the file, divided by the total number of known malicious minimum standalone executable file combinations.
For example, the multi-file sample contains the files 1.exe, 2.exe and flag.txt, where 1.exe and 2.exe each belong to non-malicious minimum standalone executable file combinations, but flag.txt is a file released on execution by malicious minimum standalone executable file combinations recorded earlier, so the file has a release relation with malicious samples. If the file is bundled, contained or released by 90% of the malicious samples, the file is determined to be a risk file, and the multi-file sample containing it is a risk sample.
The test device for multi-file samples according to the embodiments of the present invention can determine whether a multi-file sample is a malicious sample or a risk sample.
Fig. 7 is a structural diagram of the test device for multi-file samples according to another specific embodiment of the present invention.
As shown in Fig. 7, the test device for multi-file samples includes a first acquisition module 110, a matching module 120, a second acquisition module 130 and a judgment module 140, where the matching module 120 includes an acquiring unit 121 and a generation unit 122, the second acquisition module 130 includes a first judging unit 131, a running unit 132, a recording unit 133, an acquiring unit 134, a second judging unit 135 and an adding unit 136, and the judgment module 140 includes a third judging unit 141, a matching unit 142 and a fourth judging unit 143, where the third judging unit 141 includes a matching subunit 1411, a first judging subunit 1412 and a second judging subunit 1413.
Specifically, the matching subunit 1411 is used to match the first file combinations and the second file combinations respectively against the known malicious minimum standalone executable file combinations.
The first judging subunit 1412 is used to judge that the first set contains a known malicious minimum standalone executable file combination when any of the first file combinations is identical to a known malicious minimum standalone executable file combination. For example, the multi-file sample contains the files 1.exe, 2.exe, 3.exe, 1.dll, 2.dll and 3.txt, and among them the minimum standalone executable file combination 1.exe+1.dll. If 1.exe+1.dll exists among the known malicious minimum standalone executable file combinations, that is, the sample database contains the malicious minimum standalone executable file combination 1.exe+1.dll, the first judging subunit 1412 determines that the first set contains a known malicious minimum standalone executable file combination, which means the multi-file sample is a malicious sample.
The second judging subunit 1413 is used to judge that the first set contains a known malicious minimum standalone executable file combination when any of the second file combinations is contained in a known malicious minimum standalone executable file combination and the files in that second file combination are not public files. For example, the multi-file sample contains the files 1.dll, 2.dll and 3.txt, and 1.exe+1.dll exists among the known malicious minimum standalone executable file combinations, that is, the sample database contains the malicious minimum standalone executable file combination 1.exe+1.dll. Since 1.dll belongs to the known malicious minimum standalone executable file combination 1.exe+1.dll and is neither a system file nor a common language runtime file, the second judging subunit 1413 determines that the first set contains a known malicious minimum standalone executable file combination, which means the multi-file sample is a malicious sample.
The test device for multi-file samples according to the embodiments of the present invention can determine whether the first set contains a known malicious minimum standalone executable file combination.
In order to implement the above embodiments, the present invention also proposes a client.
In one embodiment of the invention, the client may be a hardware device such as a personal computer (PC), notebook, smartphone, tablet computer or personal digital assistant. The client includes a screen, a processor and a circuit board; the screen is arranged on the housing, the circuit board is placed in the space enclosed by the housing, and the processor is mounted on the circuit board; the processor is used to process data.
Specifically, the processor is used to perform the following steps:
S11', obtain a multi-file sample, where the multi-file sample includes N files and N is a positive integer.
In one embodiment of the invention, the multi-file sample may be a multi-file compressed package, or a sample stored in any other multi-file storage form, for example a multi-file sample uploaded over the network as a compressed package, or a multi-file sample stored as several files on a USB flash disk.
S12', match the N files against the preset minimum standalone executable file combinations to generate a first set containing W1 minimum standalone executable file combinations, where the first set covers M files, M is an integer greater than or equal to 0 and less than or equal to N, and W1 is an integer greater than or equal to 0.
In one embodiment of the invention, a minimum standalone executable file combination includes at least one executable file. Specifically, some functions can only be realized by a combination of several files, and the absence of any one of those files affects the function of the whole combination. Public files are excluded from such a multi-file combination, and the multi-file combination without public files is determined to be a minimum standalone executable file combination. If an executable file can complete all of its own functions without depending on any other file, that executable file by itself is also regarded as a minimum standalone executable file combination; that is, a minimum standalone executable file combination may contain only one executable file.
In one embodiment of the invention, S12' includes the following steps.
S121', obtain, from the N files, first file combinations that are identical to a preset minimum standalone executable file combination, or second file combinations that are contained in a preset minimum standalone executable file combination. Specifically, judge whether the N files contain a first file combination identical to a preset minimum standalone executable file combination, and mark each identical first file combination. For example, if the multi-file sample contains the files 1.exe, 2.exe, 3.exe, 1.dll, 2.dll and 3.txt, and the preset minimum standalone executable file combination is 1.exe+1.dll, the file combination 1.exe+1.dll in the multi-file sample is taken as a first file combination.
At the same time, judge whether the N files contain a second file combination that is contained in a preset minimum standalone executable file combination, and mark each contained second file combination as an incomplete file combination. For example, if the multi-file sample contains the files 1.dll, 2.dll and 3.txt, and the preset minimum standalone executable file combination is 1.exe+1.dll, the file combination 1.dll in the multi-file sample is taken as a second file combination and marked as an incomplete file combination.
S122', generate the first set from the first file combinations and the second file combinations, where the number of first file combinations is W1. Specifically, add the marked first file combinations and second file combinations to the first set.
S13', obtain the relation information between the remaining N-M files and, according to that relation information, obtain from the remaining N-M files a second set containing W2 minimum standalone executable file combinations, where W2 is an integer greater than or equal to 0.
In one embodiment of the invention, the relation information includes one or more of an inclusion relation, a release relation, a dependence relation, a coexistence relation and a bundle relation. These relations are illustrated as follows:
(1) Inclusion relation: a compressed or decompressed file A contains another file B; A is then said to contain B, and the relation between A and B is called an inclusion relation.
(2) Release relation: an executable file A generates a new file B when it runs; A is then said to release B, and the relation between A and B is called a release relation.
(3) Dependence relation: an executable file A must rely on a file B to complete its own functions, and cannot complete them if B is absent; A is then said to depend on B, and the relation between A and B is called a dependence relation.
(4) Coexistence relation: a file A and a file B are both depended on by an executable file C, and C cannot complete its own functions if either A or B is missing; A and B are then said to have to coexist, and the relation between A and B is called a coexistence relation.
(5) Bundle relation: a file A and a file B are both contained in, or both released by, an executable file C, but neither A nor B is depended on by C; A and B are then said to be bundled, and the relation between A and B is called a bundle relation.
In one embodiment of the invention, the files contained in the minimum executable file combinations and the incomplete file combinations of the first set are removed from the N files of the multi-file sample, that is, the M files of the first set are removed from the N files of the multi-file sample.
In one embodiment of the invention, S13' includes the following steps.
S131', judge whether the N-M files include an executable file.
S132', if the N-M files include an executable file, run the executable file and record the relation information between the executable file and the other files among the N-M files. If the executable file fails to run, or the N-M files contain a file that does not belong to any preset minimum standalone executable file combination, archive the executable file and that file.
S133', obtain the executable files among the N-M files.
S134', judge, according to the relation information corresponding to the executable file, whether the executable file and the files related to it form a minimum standalone executable file combination.
S135', if it is determined that a minimum standalone executable file combination is formed, add it to the second set.
S14', determine whether the multi-file sample is a malicious sample according to the types of the W1 minimum standalone executable file combinations and the W2 minimum standalone executable file combinations.
In one embodiment of the invention, S14' includes the following steps:
S141', if the first set or the second set contains a known malicious minimum standalone executable file combination, judge the multi-file sample to be a malicious sample.
In one embodiment of the invention, a malicious minimum standalone executable file combination is one previously stored in the sample database, or one that has just been identified.
In one embodiment of the invention, S141' further includes the following steps:
S1411', match the first file combinations and the second file combinations respectively against the known malicious minimum standalone executable file combinations.
S1412', if any of the first file combinations is identical to a known malicious minimum standalone executable file combination, judge that the first set contains a known malicious minimum standalone executable file combination. For example, the multi-file sample contains the files 1.exe, 2.exe, 3.exe, 1.dll, 2.dll and 3.txt, and among them the minimum standalone executable file combination 1.exe+1.dll. If 1.exe+1.dll exists among the known malicious minimum standalone executable file combinations, that is, the sample database contains the malicious minimum standalone executable file combination 1.exe+1.dll, it is determined that the first set contains a known malicious minimum standalone executable file combination, which means the multi-file sample is a malicious sample.
S1413', if any of the second file combinations is contained in a known malicious minimum standalone executable file combination, and the files in that second file combination are not public files, judge that the first set contains a known malicious minimum standalone executable file combination. For example, the multi-file sample contains the files 1.dll, 2.dll and 3.txt, and 1.exe+1.dll exists among the known malicious minimum standalone executable file combinations, that is, the sample database contains the malicious minimum standalone executable file combination 1.exe+1.dll. Since 1.dll belongs to the known malicious minimum standalone executable file combination 1.exe+1.dll and is neither a system file nor a common language runtime file, it is determined that the first set contains a known malicious minimum standalone executable file combination, which means the multi-file sample is a malicious sample.
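The matching step S121'/S122', the second-set construction of S131'-S135' and the judgment of S1411'-S1413', written out as an added example that is not the patent's own code. The relation information that the running and recording steps would gather by executing files is supplied here as a constructed dictionary (only the dependence relation is used to form combinations), the list of public files is an assumed sample, and the 2.exe+2.dll database entry is constructed; the 1.exe+1.dll combination and the two sample file lists are the ones in the description.

```python
"""Added example: first set, second set and malicious-sample judgment for a
multi-file sample, following steps S12' and S14' of the description."""
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Combination = FrozenSet[str]

# Assumed sample list of "public files" (system or common language runtime
# files); they are excluded from minimum standalone executable file combinations
# and S1413' requires the matched files not to be public.
PUBLIC_FILES: Set[str] = {"kernel32.dll", "msvcr100.dll", "mscoree.dll"}

# Preset combination and sample-database entries.  1.exe+1.dll is the
# description's example; 2.exe+2.dll and the relation record are constructed.
PRESET: Set[Combination] = {frozenset({"1.exe", "1.dll"})}
KNOWN_MALICIOUS: Set[Combination] = {frozenset({"1.exe", "1.dll"}),
                                     frozenset({"2.exe", "2.dll"})}
RELATIONS: Dict[str, Set[str]] = {"2.exe": {"2.dll"}}  # 2.exe depends on 2.dll
SAMPLE_A = ["1.exe", "2.exe", "3.exe", "1.dll", "2.dll", "3.txt"]  # description
SAMPLE_B = ["1.dll", "2.dll", "3.txt"]                              # description


def build_first_set(files: Iterable[str], preset_combos: Iterable[Combination]
                    ) -> Tuple[List[Combination], List[Combination], Set[str]]:
    """S121'/S122': match the sample's files against the preset combinations.

    A preset combination that is fully present is a first file combination
    (W1 counts these); a partial hit is a second file combination, marked as
    incomplete.  The M files covered by either kind are also returned so the
    caller can remove them before S13'.
    """
    present = set(files)
    first: List[Combination] = []
    incomplete: List[Combination] = []
    matched: Set[str] = set()
    for combo in preset_combos:
        hit = frozenset(f for f in combo if f in present)
        if not hit:
            continue
        (first if hit == combo else incomplete).append(hit)
        matched |= hit
    return first, incomplete, matched


def build_second_set(remaining: Iterable[str],
                     relations: Dict[str, Set[str]]) -> List[Combination]:
    """S131'-S135': each executable among the remaining N-M files, together with
    the files it was recorded to depend on, forms a combination; public files
    are dropped.  `relations` stands in for what running the file would show."""
    remaining = set(remaining)
    second: List[Combination] = []
    for exe in sorted(f for f in remaining if f.lower().endswith(".exe")):
        related = relations.get(exe, set()) & remaining
        combo = frozenset({exe} | related) - PUBLIC_FILES
        if combo:
            second.append(combo)
    return second


def is_malicious(first: List[Combination], incomplete: List[Combination],
                 second: List[Combination],
                 known_malicious: Set[Combination]) -> bool:
    """S141': S1412' is an exact match of a first-set or second-set combination;
    S1413' is an incomplete combination that lies inside a known malicious one
    and contains no public file (e.g. 1.dll alone when 1.exe+1.dll is known)."""
    if any(c in known_malicious for c in first + second):
        return True
    for part in incomplete:
        if part & PUBLIC_FILES:
            continue  # a public file in the partial hit is not evidence
        if any(part < bad for bad in known_malicious):
            return True
    return False


def classify_sample(files: Iterable[str], preset_combos: Set[Combination],
                    relations: Dict[str, Set[str]],
                    known_malicious: Set[Combination]) -> str:
    """Whole pipeline S11'-S14' for one sample of N files."""
    files = list(files)
    first, incomplete, matched = build_first_set(files, preset_combos)
    remaining = set(files) - matched            # the N-M files
    second = build_second_set(remaining, relations)
    verdict = is_malicious(first, incomplete, second, known_malicious)
    return "malicious sample" if verdict else "non-malicious sample"


if __name__ == "__main__":
    print(classify_sample(SAMPLE_A, PRESET, RELATIONS, KNOWN_MALICIOUS))
    print(classify_sample(SAMPLE_B, PRESET, RELATIONS, KNOWN_MALICIOUS))
```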
In one embodiment of the invention, the W2 minimum standalone executable file combinations cover Q files, where Q is an integer greater than or equal to 0 and less than or equal to N. After the multi-file sample has been judged to be a non-malicious sample, the processor is further used to:
S142', match each of the remaining N-M-Q files against the malicious samples recorded during previous sample testing.
S143', if any of the remaining N-M-Q files has an inclusion relation, bundle relation or release relation with malicious samples, and the number of malicious samples having such an inclusion, bundle or release relation exceeds a certain threshold, judge the multi-file sample to be a risk sample.
In one embodiment of the invention, the threshold is a ratio value: the number of known malicious minimum standalone executable file combinations that have an inclusion, bundle or release relation with the file, divided by the total number of known malicious minimum standalone executable file combinations.
For example, the multi-file sample contains the files 1.exe, 2.exe and flag.txt, where 1.exe and 2.exe each belong to non-malicious minimum standalone executable file combinations, but flag.txt is a file released on execution by malicious minimum standalone executable file combinations recorded earlier, so the file has a release relation with malicious samples. If the file is bundled, contained or released by 90% of the malicious samples, the file is determined to be a risk file, and the multi-file sample containing it is a risk sample.
On the one hand, the client according to the embodiments of the present invention can reduce the number of malicious multi-file samples stored repeatedly in the sample database and thereby save storage space; on the other hand, it avoids analyzing duplicate multi-file samples again, which greatly reduces the time spent analyzing multi-file samples for malicious files and improves analysis efficiency.
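The risk judgment of S142' and S143' with the ratio threshold defined above, as an added example rather than the patent's code. The record of which known malicious combinations contained, bundled or released each file is constructed inline so that nine of ten entries release flag.txt, reproducing the 90% figure of the example; the 0.5 default threshold is an assumed value.

```python
"""Added example: risk-sample judgment (S142'/S143') for the files left over
after the first and second sets have been removed from the sample."""
from typing import Dict, Iterable, List, Set

# Relation kinds that count toward risk in S143'.
RISK_RELATIONS = ("inclusion", "bundle", "release")

# Constructed record of previous testing: for each known malicious minimum
# standalone executable file combination (arbitrary id), the files it was seen
# to contain, bundle or release.  Nine of ten entries release flag.txt.
KNOWN_MALICIOUS_RECORDS: Dict[str, Dict[str, Set[str]]] = {
    f"mal-{i}": {"release": {"flag.txt"}} for i in range(9)
}
KNOWN_MALICIOUS_RECORDS["mal-9"] = {"inclusion": {"cfg.ini"}}  # no flag.txt


def relation_ratio(name: str, records: Dict[str, Dict[str, Set[str]]]) -> float:
    """Known malicious combinations that contain, bundle or release `name`,
    divided by all known malicious combinations (the threshold quantity)."""
    if not records:
        return 0.0
    hits = sum(1 for rels in records.values()
               if any(name in rels.get(kind, set()) for kind in RISK_RELATIONS))
    return hits / len(records)


def risk_files(remaining: Iterable[str],
               records: Dict[str, Dict[str, Set[str]]],
               threshold: float) -> List[str]:
    """S142'/S143': match each remaining (N-M-Q) file against the recorded
    malicious samples; a file whose ratio exceeds the threshold is a risk file."""
    return sorted(f for f in set(remaining)
                  if relation_ratio(f, records) > threshold)


def judge_remaining(remaining: Iterable[str],
                    records: Dict[str, Dict[str, Set[str]]],
                    threshold: float = 0.5) -> str:
    """Applied only after S141' found no known malicious combination: the
    sample is a risk sample if any leftover file is a risk file."""
    if risk_files(remaining, records, threshold):
        return "risk sample"
    return "non-malicious sample"


if __name__ == "__main__":
    # Description's example: 1.exe and 2.exe belonged to non-malicious
    # combinations and were removed, so flag.txt is all that remains.
    print(relation_ratio("flag.txt", KNOWN_MALICIOUS_RECORDS))     # 0.9
    print(judge_remaining(["flag.txt"], KNOWN_MALICIOUS_RECORDS))  # risk sample
```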
It should be understood that in the embodiments of the present invention the mobile terminal may be a mobile phone, tablet computer, personal digital assistant, e-book reader or any other hardware device running one of various operating systems.
It should be understood that each part of the present invention may be realized by hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods may be realized by software or firmware stored in memory and executed by a suitable instruction execution system. If, for example, they are realized by hardware as in another embodiment, any one or a combination of the following techniques well known in the art may be used: discrete logic circuits with logic gates that realize logic functions on data signals, application-specific integrated circuits with suitable combinational logic gates, programmable gate arrays (PGA), field programmable gate arrays (FPGA), and the like.
In the description of this specification, reference to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic expressions of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described, those skilled in the art will understand that various changes, modifications, replacements and variations may be made to these embodiments without departing from the principle and purpose of the present invention; the scope of the invention is defined by the claims and their equivalents.

Claims (27)

1. A test method for a multi-file sample, characterized in that it includes the following steps:
obtaining a multi-file sample, wherein the multi-file sample includes N files and N is a positive integer;
matching the N files against preset minimum standalone executable file combinations to generate a first set having W1 minimum standalone executable file combinations, wherein the first set includes M files, M is an integer greater than or equal to 0 and less than or equal to N, W1 is an integer greater than or equal to 0, and a minimum standalone executable file combination is a multi-file combination that does not include public files;
obtaining relation information between the remaining N-M files, and obtaining, according to the relation information, a second set having W2 minimum standalone executable file combinations from the remaining N-M files, wherein W2 is an integer greater than or equal to 0; and
determining whether the multi-file sample is a malicious sample according to the types of the W1 minimum standalone executable file combinations and the W2 minimum standalone executable file combinations.
2. The method according to claim 1, characterized in that matching the N files against the preset minimum standalone executable file combinations to generate the first set having the W1 minimum standalone executable file combinations further includes:
obtaining, from the N files, first file combinations identical to a preset minimum standalone executable file combination, or second file combinations contained in a preset minimum standalone executable file combination; and
generating the first set according to the first file combinations and the second file combinations, wherein the number of the first file combinations is W1.
3. The method according to claim 1, characterized in that obtaining the relation information between the remaining N-M files further includes:
judging whether the N-M files include an executable file; and
if the N-M files include an executable file, running the executable file and recording the relation information between the executable file and the other files among the N-M files.
4. The method according to claim 3, characterized in that obtaining, according to the relation information, the W2 minimum standalone executable file combinations from the remaining N-M files further includes:
obtaining the executable file among the N-M files;
judging, according to the relation information corresponding to the executable file, whether the executable file and the files related to the executable file form a minimum standalone executable file combination; and
if it is determined that they form the minimum standalone executable file combination, adding the executable file and the files related to the executable file to the second set.
5. The method according to claim 3, characterized in that the relation information includes one or more of an inclusion relation, a release relation, a dependence relation, a coexistence relation and a bundle relation.
6. The method according to claim 2, characterized in that determining whether the multi-file sample is a malicious sample according to the types of the W1 minimum standalone executable file combinations and the W2 minimum standalone executable file combinations further includes:
if the first set or the second set includes a known malicious minimum standalone executable file combination, judging the multi-file sample to be a malicious sample.
7. The method according to claim 6, characterized in that whether the first set includes a known malicious minimum standalone executable file combination is judged according to the following steps:
matching the first file combinations and the second file combinations respectively against the known malicious minimum standalone executable file combinations;
if any of the first file combinations is identical to a known malicious minimum standalone executable file combination, judging that the first set includes a known malicious minimum standalone executable file combination; and
if any of the second file combinations is contained in a known malicious minimum standalone executable file combination, and the files in that second file combination are not public files, judging that the first set includes a known malicious minimum standalone executable file combination.
8. The method according to claim 6, characterized in that the W2 minimum standalone executable file combinations include Q files, wherein Q is an integer greater than or equal to 0 and less than or equal to N, and after the multi-file sample has been judged to be a non-malicious sample, the method further includes:
matching each of the remaining N-M-Q files against the malicious samples recorded during previous sample testing; and
if any of the remaining N-M-Q files has an inclusion relation, bundle relation or release relation with the malicious samples, and the number of malicious samples having the inclusion relation, bundle relation or release relation exceeds a certain threshold, judging the multi-file sample to be a risk sample.
9. The method according to claim 8, characterized in that the threshold is the ratio of the known malicious minimum standalone executable file combinations that have an inclusion relation, bundle relation or release relation with the file to all known malicious minimum standalone executable file combinations.
10. A test device for a multi-file sample, characterized in that it includes:
a first acquisition module for obtaining a multi-file sample, wherein the multi-file sample includes N files and N is a positive integer;
a matching module for matching the N files against preset minimum standalone executable file combinations to generate a first set having W1 minimum standalone executable file combinations, wherein the first set includes M files, M is an integer greater than or equal to 0 and less than or equal to N, W1 is an integer greater than or equal to 0, and a minimum standalone executable file combination is a multi-file combination that does not include public files;
a second acquisition module for obtaining relation information between the remaining N-M files and obtaining, according to the relation information, a second set having W2 minimum standalone executable file combinations from the remaining N-M files, wherein W2 is an integer greater than or equal to 0; and
a judgment module for determining whether the multi-file sample is a malicious sample according to the types of the W1 minimum standalone executable file combinations and the W2 minimum standalone executable file combinations.
11. The device according to claim 10, characterized in that the matching module includes:
an acquiring unit for obtaining, from the N files, first file combinations identical to a preset minimum standalone executable file combination, or second file combinations contained in a preset minimum standalone executable file combination; and
a generation unit for generating the first set according to the first file combinations and the second file combinations, wherein the number of the first file combinations is W1.
12. device as claimed in claim 10, which is characterized in that second acquisition module includes:
First judging unit, for whether judging in the N-M file comprising executable file;
Running unit, in the N-M file include executable file when, run the executable file;And
Recording unit, for recording the relation information of alternative document in the executable file and the N-M file.
13. device as claimed in claim 12, which is characterized in that second acquisition module further includes:
Acquiring unit, for obtaining the executable file in the N-M file;
Second judgment unit, for according to the corresponding relation information of the executable file judge the executable file and with institute It states and minimum standalone executable file combination whether is formed between the relevant file of executable file;And
Adding device, for when judging to form the minimum standalone executable file combination, then by the executable file and File relevant with the executable file adds in the second set.
14. device as claimed in claim 12, which is characterized in that the relation information include inclusion relation, release relationship, according to It is one or more in the relationship of relying, Coexistence, bundle relation.
15. device as claimed in claim 11, which is characterized in that the judgment module includes:
Third judging unit, for being included in the first set or the second set, known malice is minimum can independently to be held When part of composing a piece of writing combines, judge the multifile sample for malice sample.
16. device as claimed in claim 15, which is characterized in that the third judging unit includes:
Coupling subelement, for by first file combination and second file combine respectively with the known malice most Small standalone executable file combination is matched;
First judgment sub-unit, in any of first file combination and the minimum independent executable text of known malice When part combination is identical, judge in the first set comprising the known minimum standalone executable file combination of malice;And
Second judgment sub-unit, for minimum independent executable literary by known malice in any of second file combination Part combination include, and by comprising the second file combination in file be public documents when, judge to wrap in the first set It is combined containing known malice minimum standalone executable file.
17. device as claimed in claim 15, which is characterized in that described W2 minimum standalone executable file combination includes Q A file, wherein, Q is the integer more than or equal to 0 and less than or equal to N, judges that the multifile sample is in the judgment module After non-malicious sample, the judgment module further includes:
Matching unit, for by remaining N-M-Q file respectively with test sample before record in malice sample carry out Match;And
4th judging unit includes pass for existing in any of described remaining N-M-Q file and the malice sample System/or bundle relation/or release relationship, and the malice sample there are inclusion relation/or bundle relation/or release relationship When this is more than certain threshold value, judge the multifile sample for risk sample.
18. device as claimed in claim 17, which is characterized in that the threshold value be and the file there are inclusion relation/or Bundle relation/or the known minimum standalone executable file combination of malice for discharging relationship and all known malice The ratio value of minimum standalone executable file combination.
19. A client for testing a multi-file sample, comprising a housing, a screen, a processor and a circuit board, wherein:
the screen is mounted on the housing, the circuit board is placed inside the space enclosed by the housing, and the processor is arranged on the circuit board;
the processor is used to process data, and is specifically used to:
acquire a multi-file sample, wherein the multi-file sample comprises N files and N is a positive integer;
match the N files against preset minimum standalone executable file combinations to generate a first set having W1 minimum standalone executable file combinations, wherein the first set comprises M files, M is an integer greater than or equal to 0 and less than or equal to N, W1 is an integer greater than or equal to 0, and a minimum standalone executable file combination is a multi-file combination that contains no common files;
acquire relation information among the remaining N-M files and, according to the relation information, acquire from the remaining N-M files a second set having W2 minimum standalone executable file combinations, wherein W2 is an integer greater than or equal to 0; and
determine, according to the types of the W1 minimum standalone executable file combinations and the W2 minimum standalone executable file combinations, whether the multi-file sample is a malicious sample.
20. The client of claim 19, wherein matching the N files against the preset minimum standalone executable file combinations to generate the first set having the W1 minimum standalone executable file combinations further comprises:
acquiring, among the N files, first file combinations that are identical to a preset minimum standalone executable file combination, or second file combinations that are contained by a preset minimum standalone executable file combination; and
generating the first set from the first file combinations and the second file combinations, wherein the number of first file combinations is W1.
21. The client of claim 19, wherein acquiring the relation information among the remaining N-M files further comprises:
judging whether the N-M files include an executable file; and
if the N-M files include an executable file, running the executable file and recording relation information between the executable file and the other files among the N-M files.
22. The client of claim 21, wherein acquiring the W2 minimum standalone executable file combinations from the remaining N-M files according to the relation information further comprises:
acquiring the executable file among the N-M files;
judging, according to the relation information corresponding to the executable file, whether the executable file and the files related to it form a minimum standalone executable file combination; and
if they are judged to form a minimum standalone executable file combination, adding the executable file and the files related to it to the second set.
23. The client of claim 21, wherein the relation information comprises one or more of an inclusion relation, a release relation, a dependency relation, a coexistence relation and a bundling relation.
24. The client of claim 20, wherein determining whether the multi-file sample is a malicious sample according to the types of the W1 minimum standalone executable file combinations and the W2 minimum standalone executable file combinations further comprises:
judging the multi-file sample to be a malicious sample if the first set or the second set contains a known malicious minimum standalone executable file combination.
25. The client of claim 24, wherein the processor judges whether the first set contains a known malicious minimum standalone executable file combination by the following steps:
matching the first file combinations and the second file combinations respectively against the known malicious minimum standalone executable file combinations;
if any of the first file combinations is identical to a known malicious minimum standalone executable file combination, judging that the first set contains a known malicious minimum standalone executable file combination; and
if any of the second file combinations is contained by a known malicious minimum standalone executable file combination and the files in that contained second file combination are not common files, judging that the first set contains a known malicious minimum standalone executable file combination.
26. The client of claim 24, wherein the W2 minimum standalone executable file combinations comprise Q files, Q is an integer greater than or equal to 0 and less than or equal to N, and after judging the multi-file sample to be a non-malicious sample the processor is further used to:
match each of the remaining N-M-Q files against the malicious samples recorded during previous sample tests; and
if any of the remaining N-M-Q files has an inclusion, bundling or release relation with a malicious sample, and the number of malicious samples having an inclusion, bundling or release relation with that file exceeds a certain threshold, judge the multi-file sample to be a risk sample.
27. The client of claim 26, wherein the threshold is the ratio of the number of known malicious minimum standalone executable file combinations having an inclusion, bundling or release relation with the file to the number of all known malicious minimum standalone executable file combinations.
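The following Python block is an added worked example, not code from the patent or from its assignees, that implements the test pipeline of claims 10-27 (the device and client claims restate the same method) on constructed data. Everything below is an assumption made for illustration: the file names, the preset and known-malicious minimum standalone executable file combinations, the list of common files, the per-file records of which known-malicious combinations contain, bundle or release it, and the risk threshold of 0.5 (the claims define the threshold as a ratio but give no value). "Running" an executable is simulated by a constructed relation log, and a combination discovered that way is taken to be the executable plus the files it relates to, with common files removed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

Combo = FrozenSet[str]
Relation = Tuple[str, str]  # (kind, file); kind is inclusion/release/dependency/coexistence/bundle


@dataclass
class KnowledgeBase:
    """Reference data the claims assume the client already holds (all constructed here)."""
    preset_combos: Set[Combo]                    # preset minimum standalone executable file combinations
    malicious_combos: Set[Combo]                 # known-malicious minimum standalone executable file combinations
    common_files: Set[str]                       # "public" files (shared runtimes) that never belong to a combination
    malicious_relations: Dict[str, Set[Combo]]   # file -> known-malicious combos that contain/bundle/release it


def match_preset(files: Set[str], kb: KnowledgeBase) -> Tuple[List[Combo], List[Combo]]:
    """Claims 11/20. A 'first file combination' is a preset combination found whole in the
    sample (W1 == len(first)); a 'second file combination' is a partial match, i.e. the
    sample files that a preset combination contains."""
    first, second = [], []
    for combo in kb.preset_combos:
        overlap = combo & files
        if overlap == combo:
            first.append(combo)
        elif overlap:
            second.append(frozenset(overlap))
    return first, second


def first_set_is_malicious(first: List[Combo], second: List[Combo], kb: KnowledgeBase) -> bool:
    """Claims 16/25: an exact match with a known-malicious combination, or a partial match
    that a known-malicious combination contains and that consists of non-common files."""
    if any(c in kb.malicious_combos for c in first):
        return True
    return any(not (c & kb.common_files) and any(c <= m for m in kb.malicious_combos) for c in second)


def build_second_set(remaining: Set[str], run_log: Dict[str, Set[Relation]], kb: KnowledgeBase) -> List[Combo]:
    """Claims 12/13 and 21/22: for each executable among the remaining files, take the
    relations recorded while running it and keep the executable plus its related files as a
    new combination once common files are removed (assumed reading of 'contains no common
    files') and at least one related file is left."""
    second_set = []
    for exe, rels in run_log.items():
        if exe not in remaining:
            continue
        related = {f for _, f in rels if f in remaining}
        members = ({exe} | related) - kb.common_files
        if len(members) > 1:
            second_set.append(frozenset(members))
    return second_set


def risk_score(file: str, kb: KnowledgeBase) -> float:
    """Claims 9/18/27: share of all known-malicious combinations that contain, bundle or release the file."""
    total = len(kb.malicious_combos)
    return len(kb.malicious_relations.get(file, ())) / total if total else 0.0


def classify(files, run_log: Dict[str, Set[Relation]], kb: KnowledgeBase, risk_threshold: float = 0.5) -> str:
    """Whole pipeline; returns 'malicious', 'risk' or 'benign'. risk_threshold is an assumed value."""
    files = set(files)
    first, second = match_preset(files, kb)
    if first_set_is_malicious(first, second, kb):
        return "malicious"
    covered = set().union(*first, *second)            # the M files of the first set
    remaining = files - covered                        # the N-M files
    second_set = build_second_set(remaining, run_log, kb)
    if any(c in kb.malicious_combos for c in second_set):
        return "malicious"
    leftover = remaining - set().union(*second_set)    # the N-M-Q files
    if any(risk_score(f, kb) > risk_threshold for f in leftover):
        return "risk"
    return "benign"


# Constructed knowledge base and samples (assumptions, not data from the patent).
LOADER = frozenset({"loader.exe", "payload.dll", "cfg.dat"})
SVC = frozenset({"svc.exe", "hook.dll"})
KB = KnowledgeBase(
    preset_combos={frozenset({"setup.exe", "setup.dll"}), LOADER},
    malicious_combos={LOADER, SVC},
    common_files={"msvcr100.dll"},
    malicious_relations={"persist.dll": {LOADER, SVC}},
)
SAMPLES = {
    "whole malicious combination": (["loader.exe", "payload.dll", "cfg.dat", "readme.txt"], {}),
    "partial malicious combination": (["loader.exe", "payload.dll", "msvcr100.dll"], {}),
    "combination learned by running": (["svc.exe", "hook.dll", "msvcr100.dll"],
                                       {"svc.exe": {("release", "hook.dll"), ("dependency", "msvcr100.dll")}}),
    "file seen beside past malware": (["dropper.exe", "persist.dll"], {"dropper.exe": set()}),
    "benign installer": (["setup.exe", "setup.dll", "msvcr100.dll"],
                         {"setup.exe": {("dependency", "msvcr100.dll")}}),
}


def run_samples() -> Dict[str, str]:
    return {name: classify(files, log, KB) for name, (files, log) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:32} -> {verdict}")
```

The five constructed samples exercise each branch of the claims in order: an exact preset match and a partial match of a known-malicious combination are caught in the first set, a combination only discovered by running the executable is caught in the second set, a leftover file that every recorded malicious combination releases pushes the ratio over the threshold and yields "risk", and an installer whose only unmatched file is a shared runtime stays "benign".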
CN201310381730.6A 2013-08-28 2013-08-28 Multi-file sample testing method and device and client Active CN104424437B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310381730.6A CN104424437B (en) 2013-08-28 2013-08-28 Multi-file sample testing method and device and client

Publications (2)

Publication Number Publication Date
CN104424437A CN104424437A (en) 2015-03-18
CN104424437B true CN104424437B (en) 2018-07-10

Family

ID=52973367

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310381730.6A Active CN104424437B (en) 2013-08-28 2013-08-28 Multi-file sample testing method and device and client

Country Status (1)

Country Link
CN (1) CN104424437B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112256637A (en) * 2020-10-19 2021-01-22 Beike Technology Co., Ltd. (贝壳技术有限公司) File management method and device based on abstract syntax tree and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1627699A (en) * 2004-06-24 2005-06-15 Xi'an Jiaotong University (西安交通大学) Method for self-adapting testing access of abnormal files
CN101753570A (en) * 2008-12-18 2010-06-23 Symantec Corporation (赛门铁克公司) Methods and systems for detecting malware
CN102737186A (en) * 2012-06-26 2012-10-17 Tencent Technology (Shenzhen) Co., Ltd. (腾讯科技(深圳)有限公司) Malicious file identification method, device and storage medium
CN102855440A (en) * 2012-09-13 2013-01-02 Beijing Qihoo Technology Co., Ltd. (北京奇虎科技有限公司) Method, device and system for detecting packed executable files
CN103106365A (en) * 2013-01-25 2013-05-15 Beijing University of Technology (北京工业大学) Detection method for malicious application software on mobile terminal

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8037536B2 (en) * 2007-11-14 2011-10-11 Bank Of America Corporation Risk scoring system for the prevention of malware

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Zheng Jie et al., "基于统计特征值的文件类型识别算法" (File type recognition algorithm based on statistical feature values), Computer Engineering (计算机工程), vol. 33, no. 1, 2007-01-31, full text *

Also Published As

Publication number Publication date
CN104424437A (en) 2015-03-18

Similar Documents

Publication Publication Date Title
US10394686B2 (en) Static feature extraction from structured files
Fitzgerald et al. Using NLP techniques for file fragment classification
Li et al. Experimental study of fuzzy hashing in malware clustering analysis
CN102034043B (en) Malicious software detection method based on file static structure attributes
CN109784056B (en) Malicious software detection method based on deep learning
US10165001B2 (en) Method and device for processing computer viruses
Breitinger et al. FRASH: A framework to test algorithms of similarity hashing
CN109684840A (en) Based on the sensitive Android malware detection method for calling path
CN107608750A (en) Counter operation in state machine lattice
Poisel et al. A comprehensive literature review of file carving
Upchurch et al. Variant: a malware similarity testing framework
Liao Pe-header-based malware study and detection
WO2013118006A1 (en) Automatic synthesis of unit tests for security testing
Immanuel et al. Android cache taxonomy and forensic process
Hand et al. Bin-Carver: Automatic recovery of binary executable files
CN108415668B (en) Chip excitation method, device, system, computer equipment and storage medium
CN103699837B (en) A kind of method of scanning file and terminal unit
Feng et al. Seqmobile: An efficient sequence-based malware detection system using rnn on mobile devices
CN104424437B (en) Multi-file sample testing method and device and client
CN108229168B (en) Heuristic detection method, system and storage medium for nested files
CN110210216B (en) Virus detection method and related device
US20180089432A1 (en) System and method for characterizing malware
Wang et al. Detection of packed executables using support vector machines
EP3761181A1 (en) Analysis device, analysis method, and storage medium in which analysis program is recorded
CN110766402B (en) Transaction sequence dependency vulnerability detection method, system, electronic device and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant