CN105718798A - Private network information amplification based automatic malicious code analysis method and system - Google Patents

Info

Publication number: CN105718798A
Application number: CN201510506490.7A
Authority: CN (China)
Other languages: Chinese (zh)
Inventors: 康学斌, 廖伟, 关墨辰, 何公道
Original assignee: Harbin Antiy Technology Co Ltd
Current assignee: Harbin Antiy Technology Co Ltd
Priority date / filing date: 2015-08-18
Publication date: 2016-06-29
Legal status: Withdrawn (invention patent application withdrawn after publication)
Prior art keywords: file, information, network, private network

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The invention proposes an automatic malicious code analysis method and system based on private network information amplification. The method comprises the following steps: a public network detection system detects a file and intercepts it if it is judged malicious; if the file is not malicious, it is allowed to enter an internal-network user terminal; a private network detection system obtains the source of the file received by the user terminal and judges whether that source is known, dynamically analyzes the file if its source is unknown, and amplifies the file's information if the file is malicious; and the amplified information is deployed into the private network detection system for tracking and detection on the internal network. The method protects the information security of the user while preserving the user's privacy, strengthens the defensive capability of the network through a self-learning mode, and improves the safety of the network environment in which the user is located.

Description

Automatic malicious code analysis method and system based on private network information amplification
Technical field
The present invention relates to the field of computer network security, and in particular to an automatic malicious code analysis method and system based on private network information amplification.
Background technology
With the development of computer and communication technology, the safety and confidentiality of user information have become a vital problem. Features of computer networks such as openness, interconnectivity and sharing give network information security an inherent weakness, and security vulnerabilities in system software together with a lack of strict controls make networks further vulnerable. Network security measures should therefore address the full range of threats and guarantee the confidentiality, integrity and availability of network information.
Existing cloud detection schemes require that an unknown file be uploaded to the cloud for detection. Some private files or confidential documents of individuals, enterprises and institutions are not suitable for uploading to other servers for detection; when such a file is not detected locally and cloud detection is also unsuitable, blindly using the file may allow malicious code to run.
Summary of the invention
The invention provides an automatic malicious code analysis method and system based on private network information amplification, solving the problem that private files cannot be uploaded to the external network for detection while the internal network lacks detection capability; the internal network improves its detection capability through self-learning, so that unknown private files can be detected.
An automatic malicious code analysis method based on private network information amplification, comprising:
obtaining a file transmitted over the network and detecting it with the public network detection system; if the file is judged malicious, intercepting it; if it is not malicious, allowing it to enter the internal-network user terminal;
the private network detection system obtaining the source of the file received by the user terminal and judging whether that source is known; if it is, the file can be opened safely, otherwise the file is dynamically analyzed;
dynamic analysis: running and monitoring the file and judging whether it is malicious; if it is, analyzing the file, amplifying the file's information, filtering the file and raising an alarm; otherwise the file can be opened safely;
deploying the amplified information into the private network detection system for tracking and detection on the internal network.
In the method, running and monitoring the file and judging whether it is malicious specifically comprises: sending the file to a designated analysis virtual machine, running the sample, outputting a monitoring log after the sample finishes running, and analyzing the behavior recorded in the monitoring log; if malicious behavior is present, the file is malicious.
In the method, analyzing the file and amplifying its information specifically comprises: summarizing the behavior pattern of the file and extracting the file's static characteristics and behavioral characteristics, including version information, shell (packer) information, network operations, file operations and registry information.
An automatic malicious code analysis system based on private network information amplification, comprising:
a public network detection server, for obtaining a file transmitted over the network and detecting it with the public network detection system; if the file is judged malicious, intercepting it; if it is not malicious, allowing it to enter the internal-network user terminal;
a private network detection server, comprising a private cloud analysis module, a dynamic analysis module and an information deployment module;
the private cloud analysis module, for obtaining the source of the file received by the user terminal and judging whether that source is known; if it is, the file can be opened safely, otherwise the file is submitted to the dynamic analysis module;
the dynamic analysis module, for running and monitoring the file and judging whether it is malicious; if it is, analyzing the file, amplifying the file's information, filtering the file and raising an alarm; otherwise the file can be opened safely;
the information deployment module, for deploying the amplified information into the private network detection server for tracking and detection on the internal network.
In the system, the dynamic analysis module running and monitoring the file and judging whether it is malicious specifically comprises: the dynamic analysis module sending the file to a designated analysis virtual machine, running the sample, outputting a monitoring log after the sample finishes running, and analyzing the behavior recorded in the monitoring log; if malicious behavior is present, the file is malicious.
In the system, analyzing the file and amplifying its information specifically comprises: summarizing the behavior pattern of the file and extracting the file's static characteristics and behavioral characteristics, including version information, shell (packer) information, network operations, file operations and registry information.
The present invention proposes an automatic malicious code analysis method and system based on private network information amplification: a file is detected by the public network detection system and intercepted if judged malicious, otherwise it is allowed to enter the internal-network user terminal; the private network detection system obtains the source of the file received by the user terminal and judges whether that source is known, dynamically analyzes the file if it is unknown, and amplifies the file's information if it is malicious; and the amplified information is deployed into the private network detection system for tracking and detection on the internal network. The invention protects the information security of the user while preserving the user's privacy, strengthens the defensive capability of the network through self-learning, and improves the safety of the network environment in which the user is located.
To protect both the privacy and the information security of users, the invention proposes a solution that improves computer virus defense capability in a network environment while effectively guaranteeing the information security of individuals, enterprises and institutions: a private network dynamic analysis system is built; when a file that cannot be disclosed and whose safety is unknown appears, such as a personal private file or an enterprise's confidential document, it is submitted to the dynamic analysis system deployed inside the private network, its behavior pattern is analyzed and the features of the malicious code are extracted, and the more complete set of extracted features is deployed to the private network detection system for network-wide tracking. This also achieves a form of machine self-learning, so that file security is guaranteed and virus defense capability in the network environment is improved at the same time.
Description of the drawings
To illustrate the present invention or the technical solutions of the prior art more clearly, the drawings required in the embodiments or in the description of the prior art are briefly introduced below. Obviously, the drawings described below are only some of the embodiments recorded in the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of an automatic malicious code analysis method based on private network information amplification according to the present invention;
Fig. 2 is a structural diagram of an automatic malicious code analysis system based on private network information amplification according to the present invention.
Detailed description of the invention
To help those skilled in the art better understand the technical solutions in the embodiments of the present invention, and to make the above purposes, features and advantages of the invention clearer, the technical solutions of the invention are described in further detail below with reference to the drawings.
The invention provides an automatic malicious code analysis method and system based on private network information amplification, solving the problem that private files cannot be uploaded to the external network for detection while the internal network lacks detection capability; the internal network improves its detection capability through self-learning, so that unknown private files can be detected.
An automatic malicious code analysis method based on private network information amplification, as shown in Fig. 1, comprises:
S101: obtaining a file transmitted over the network and detecting it with the public network detection system; if the file is judged malicious, intercepting it; if it is not malicious, allowing it to enter the internal-network user terminal. The file transmitted over the network may be a downloaded file, an e-mail attachment or the like; the public network detection system may be any known detection product;
S102: the private network detection system obtains the source of the file received by the user terminal and judges whether that source is known; if it is, the file can be opened safely, otherwise S103 is performed;
S103: dynamic analysis: running and monitoring the file and judging whether it is malicious; if it is, analyzing the file, amplifying the file's information, filtering the file and raising an alarm; otherwise the file can be opened safely;
S104: deploying the amplified information into the private network detection system for tracking and detection on the internal network.
In the method, running and monitoring the file and judging whether it is malicious specifically comprises: sending the file to a designated analysis virtual machine, running the sample, outputting a monitoring log after the sample finishes running, and analyzing the behavior recorded in the monitoring log; if malicious behavior is present, the file is malicious. The analysis summarizes the behavior pattern features of malicious files through autonomous machine learning.
In the method, analyzing the file and amplifying its information specifically comprises: summarizing the behavior pattern of the file and extracting the file's static characteristics and behavioral characteristics, including version information, shell (packer) information, network operations, file operations and registry information.
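Steps S101 to S104 and the two detail paragraphs above describe the pipeline without showing one. The Python model below is an added example, not code from the patent or from Harbin Antiy's products: it runs constructed samples through the same decisions, with a hash set standing in for the public detection product, a known-source list for the private cloud check, a constructed monitor log standing in for the analysis virtual machine's output, an amplification record holding the five feature groups the patent names, and a tracking pass that matches intranet host events against the deployed records. All file names, hashes, addresses, log lines and host names are constructed, and the suspicious-behavior rules are illustrative assumptions rather than the patent's own criteria.

```python
"""Added example (not the patent's code): a runnable model of steps S101-S104.
All files, hashes, addresses, log lines, host events and "known sources" are constructed."""
from dataclasses import dataclass, field
import hashlib


@dataclass
class Sample:
    name: str
    content: bytes
    source: str             # sender or download host the file arrived from
    version_info: str = ""  # the patent's "version information"
    packer: str = ""        # the patent's "shell information" (packer name)

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()

# S101: public-network detection; stand-in for any commodity detection product.
PUBLIC_MALICIOUS_HASHES = {hashlib.sha256(b"known-bad-dropper").hexdigest()}  # constructed

def public_network_detect(sample: Sample) -> bool:
    """True means the public detection system judged the file malicious: intercept it."""
    return sample.sha256 in PUBLIC_MALICIOUS_HASHES

@dataclass
class PrivateDetector:
    """S102/S104: private-network detection system; amplified records are deployed here."""
    known_sources: set = field(default_factory=lambda: {"hr@corp.internal"})  # constructed
    behavior_patterns: list = field(default_factory=list)  # deployed amplified information
    quarantined: list = field(default_factory=list)        # file filtering + alarm record

# S103: constructed stand-in for the monitor log an analysis VM writes after a run.
SANDBOX_LOGS = {
    "invoice.exe": ("network CONNECT 203.0.113.7:4444\n"
                    "file WRITE C:\\Users\\Public\\updater.exe\n"
                    "registry SET HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater\n"),
    "report.docx": "file WRITE C:\\Users\\alice\\AppData\\Local\\Temp\\~report.tmp\n",
}
# Behaviours that yield the verdict "malicious". Illustrative rules, not the patent's.
SUSPICIOUS_BEHAVIOR = (
    ("registry", r"\CurrentVersion\Run"),  # autorun persistence
    ("file", r"C:\Windows\System32"),      # dropping into the system directory
)

def parse_monitor_log(log: str) -> dict:
    """Group '<category> <detail>' log lines into network / file / registry operations."""
    ops = {"network": [], "file": [], "registry": []}
    for line in log.splitlines():
        category, _, detail = line.strip().partition(" ")
        if category in ops:           # unknown categories and blank lines are ignored
            ops[category].append(detail)
    return ops

def judge_malicious(ops: dict) -> bool:
    return any(marker in d for cat, marker in SUSPICIOUS_BEHAVIOR for d in ops[cat])

def amplify(sample: Sample, ops: dict) -> dict:
    """Information amplification: the five feature groups the patent lists, as one record."""
    return {"sha256": sample.sha256, "version_info": sample.version_info,
            "shell_info": sample.packer, "network_ops": sorted(ops["network"]),
            "file_ops": sorted(ops["file"]), "registry_ops": sorted(ops["registry"])}

def process_file(det: PrivateDetector, sample: Sample) -> str:
    """Run one file through S101-S104 and return its disposition."""
    if public_network_detect(sample):
        return "intercepted-public"          # S101: never reaches the user terminal
    if sample.source in det.known_sources:
        return "open-safely"                 # S102: known source
    ops = parse_monitor_log(SANDBOX_LOGS.get(sample.name, ""))  # S103: analysis VM run
    if not judge_malicious(ops):
        return "open-safely"
    det.behavior_patterns.append(amplify(sample, ops))  # S104: deploy amplified record
    det.quarantined.append(sample.name)                 # file filtering + alarm
    return "malicious-amplified"

def track_intranet(det: PrivateDetector, events: list) -> list:
    """Tracking detection: match (host, category, detail) events to deployed records."""
    return [(host, cat, detail, p["sha256"][:12])
            for host, cat, detail in events
            for p in det.behavior_patterns if detail in p[cat + "_ops"]]

def run_demo():
    det = PrivateDetector()
    samples = [  # constructed
        Sample("dropper.exe", b"known-bad-dropper", "download:example.invalid"),
        Sample("payroll.xlsx", b"quarterly payroll", "hr@corp.internal"),
        Sample("invoice.exe", b"unknown private sample", "mail:vendor@example.invalid",
               version_info="1.0.0.1", packer="UPX"),
        Sample("report.docx", b"benign report", "mail:partner@example.invalid"),
    ]
    dispositions = {s.name: process_file(det, s) for s in samples}
    events = [  # constructed endpoint and network telemetry from intranet hosts
        ("ws-17", "network", "CONNECT 203.0.113.7:4444"),
        ("ws-42", "registry", "SET HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"),
        ("ws-09", "file", "WRITE C:\\Users\\bob\\notes.txt"),
    ]
    return det, dispositions, track_intranet(det, events)
```

The tracking pass is where the self-learning of S104 shows: once `invoice.exe` has been analyzed and its record deployed, the same network connection or registry write seen on any intranet host is flagged from the deployed record without a second dynamic analysis. A real deployment would match normalized indicators rather than exact strings, and the known-source check in S102 should only trust a source that is authenticated (for example a verified sender), since the check otherwise rests on a field the file's origin controls.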
The present invention also provides an automatic malicious code analysis system based on private network information amplification, as shown in Fig. 2, comprising:
a public network detection server 201, for obtaining a file transmitted over the network and detecting it with the public network detection system; if the file is judged malicious, intercepting it; if it is not malicious, allowing it to enter the internal-network user terminal;
a private network detection server 202, comprising a private cloud analysis module 202-1, a dynamic analysis module 202-2 and an information deployment module 202-3;
the private cloud analysis module, for obtaining the source of the file received by the user terminal and judging whether that source is known; if it is, the file can be opened safely, otherwise the file is submitted to the dynamic analysis module;
the dynamic analysis module, for running and monitoring the file and judging whether it is malicious; if it is, analyzing the file, amplifying the file's information, filtering the file and raising an alarm; otherwise the file can be opened safely;
the information deployment module, for deploying the amplified information into the private network detection server for tracking and detection on the internal network.
In the system, the dynamic analysis module running and monitoring the file and judging whether it is malicious specifically comprises: the dynamic analysis module sending the file to a designated analysis virtual machine, running the sample, outputting a monitoring log after the sample finishes running, and analyzing the behavior recorded in the monitoring log; if malicious behavior is present, the file is malicious.
In the system, analyzing the file and amplifying its information specifically comprises: summarizing the behavior pattern of the file and extracting the file's static characteristics and behavioral characteristics, including version information, shell (packer) information, network operations, file operations and registry information.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be implemented by software together with a necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, including instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the method described in the embodiments, or in parts of the embodiments, of the present invention.
The present invention can be described in the general context of computer-executable instructions, for instance program modules. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The invention can also be practiced in a distributed computing environment, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in local and remote computer storage media including storage devices.
Although the present invention has been described by way of embodiments, those skilled in the art will appreciate that it has many variations and changes that do not depart from its spirit, and the appended claims are intended to cover these variations and changes.

Claims (6)

1. An automatic malicious code analysis method based on private network information amplification, characterized in that it comprises:
obtaining a file transmitted over the network and detecting it with the public network detection system; if the file is judged malicious, intercepting it; if it is not malicious, allowing it to enter the internal-network user terminal;
the private network detection system obtaining the source of the file received by the user terminal and judging whether that source is known; if it is, the file can be opened safely, otherwise the file is dynamically analyzed;
dynamic analysis: running and monitoring the file and judging whether it is malicious; if it is, analyzing the file, amplifying the file's information, filtering the file and raising an alarm; otherwise the file can be opened safely;
deploying the amplified information into the private network detection system for tracking and detection on the internal network.
2. The method of claim 1, characterized in that running and monitoring the file and judging whether it is malicious specifically comprises: sending the file to a designated analysis virtual machine, running the sample, outputting a monitoring log after the sample finishes running, and analyzing the behavior recorded in the monitoring log; if malicious behavior is present, the file is malicious.
3. The method of claim 1, characterized in that analyzing the file and amplifying its information specifically comprises: summarizing the behavior pattern of the file and extracting the file's static characteristics and behavioral characteristics, including version information, shell (packer) information, network operations, file operations and registry information.
4. An automatic malicious code analysis system based on private network information amplification, characterized in that it comprises:
a public network detection server, for obtaining a file transmitted over the network and detecting it with the public network detection system; if the file is judged malicious, intercepting it; if it is not malicious, allowing it to enter the internal-network user terminal;
a private network detection server, comprising a private cloud analysis module, a dynamic analysis module and an information deployment module;
the private cloud analysis module, for obtaining the source of the file received by the user terminal and judging whether that source is known; if it is, the file can be opened safely, otherwise the file is submitted to the dynamic analysis module;
the dynamic analysis module, for running and monitoring the file and judging whether it is malicious; if it is, analyzing the file, amplifying the file's information, filtering the file and raising an alarm; otherwise the file can be opened safely;
the information deployment module, for deploying the amplified information into the private network detection server for tracking and detection on the internal network.
5. The system of claim 4, characterized in that the dynamic analysis module running and monitoring the file and judging whether it is malicious specifically comprises: the dynamic analysis module sending the file to a designated analysis virtual machine, running the sample, outputting a monitoring log after the sample finishes running, and analyzing the behavior recorded in the monitoring log; if malicious behavior is present, the file is malicious.
6. The system of claim 4, characterized in that analyzing the file and amplifying its information specifically comprises: summarizing the behavior pattern of the file and extracting the file's static characteristics and behavioral characteristics, including version information, shell (packer) information, network operations, file operations and registry information.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510506490.7A CN105718798A (en) 2015-08-18 2015-08-18 Private network information amplification based automatic malicious code analysis method and system

Publications (1)

Publication Number Publication Date
CN105718798A true CN105718798A (en) 2016-06-29

Family

ID=56144824

Family Applications (1)

Application Number Status Title Priority Date Filing Date
CN201510506490.7A Withdrawn CN105718798A (en) 2015-08-18 2015-08-18 Private network information amplification based automatic malicious code analysis method and system

Country Status (1)

Country Link
CN (1) CN105718798A (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101977188A (en) * 2010-10-14 2011-02-16 中国科学院计算技术研究所 Malicious program detection system
CN102111420A (en) * 2011-03-16 2011-06-29 上海电机学院 Intelligent NIPS framework based on dynamic cloud/fire wall linkage
CN102902924A (en) * 2012-09-29 2013-01-30 北京奇虎科技有限公司 Method and device for detecting behavior feature of file

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106709326A (en) * 2016-11-24 2017-05-24 北京奇虎科技有限公司 Processing method and device for suspicious sample
WO2018095099A1 (en) * 2016-11-24 2018-05-31 北京奇虎科技有限公司 Method and device for processing suspicious samples
CN109472142A (en) * 2017-12-29 2019-03-15 北京安天网络安全技术有限公司 A kind of automatic method of disposal of malicious code and system
CN110889113A (en) * 2019-10-30 2020-03-17 泰康保险集团股份有限公司 Log analysis method, server, electronic device and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20160629