Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a malicious code detection method and device based on virtual execution technology that overcome the problems referred to above or at least partly solve them.
To achieve the above purpose, the present invention mainly provides the following technical scheme:
On the one hand, an embodiment of the present invention provides a malicious code detection method based on virtual execution technology, the method including:
obtaining network traffic data;
judging whether the network traffic data matches malicious code in a preset malicious code library;
if the network traffic data does not match malicious code in the preset malicious code library, restoring the file carried in the network traffic data;
executing the file in a virtual environment to detect whether the network traffic data is legitimate;
if the network traffic data is not legitimate, determining that the network traffic data contains malicious code.
Specifically, restoring the file in the network traffic data includes:
obtaining the application layer transport protocol corresponding to the network traffic data;
restoring the file in the network traffic data according to the format of the application layer transport protocol.
Specifically, executing the file in the virtual environment to detect whether the network traffic data is legitimate includes:
executing the file in the virtual environment;
detecting whether the operations performed by the file satisfy an alarm rule in a preset alarm library, the preset alarm library storing a plurality of alarm rules, and the alarm rules being used to detect whether the network traffic data is legitimate.
Specifically, if the network traffic data is not legitimate, determining that the network traffic data contains malicious code includes:
if an operation performed by the file satisfies an alarm rule in the preset alarm library, determining that the network traffic data contains malicious code.
In the embodiment of the present invention, the alarm rules in the preset alarm library include, but are not limited to, file operation alarm rules, process operation alarm rules, registry operation alarm rules, network operation alarm rules and service operation alarm rules.
On the other hand, an embodiment of the present invention also provides a malicious code detection device based on virtual execution technology, the device including:
an acquiring unit, configured to obtain network traffic data;
a judging unit, configured to judge whether the network traffic data matches malicious code in a preset malicious code library;
a restoration unit, configured to restore the file in the network traffic data if the network traffic data does not match malicious code in the preset malicious code library;
an execution unit, configured to execute the file in a virtual environment to detect whether the network traffic data is legitimate;
a determining unit, configured to determine that the network traffic data contains malicious code if the network traffic data is not legitimate.
Specifically, the restoration unit includes:
an acquisition module, configured to obtain the application layer transport protocol corresponding to the network traffic data;
a restoration module, configured to restore the file in the network traffic data according to the format of the application layer transport protocol.
Specifically, the execution unit includes:
an execution module, configured to execute the file in the virtual environment;
a detection module, configured to detect whether the operations performed by the file satisfy an alarm rule in a preset alarm library, the preset alarm library storing a plurality of alarm rules, and the alarm rules being used to detect whether the network traffic data is legitimate.
The determining unit is specifically configured to determine that the network traffic data contains malicious code if an operation performed by the file satisfies an alarm rule in the preset alarm library.
In the embodiment of the present invention, the alarm rules in the preset alarm library include, but are not limited to, file operation alarm rules, process operation alarm rules, registry operation alarm rules, network operation alarm rules and service operation alarm rules.
Through the above technical scheme, the technical scheme provided by the embodiment of the present invention has at least the following advantages:
The malicious code detection method and device based on virtual execution technology provided by the embodiment of the present invention first obtain network traffic data, then judge whether the network traffic data matches malicious code in a preset malicious code library; if the network traffic data does not match malicious code in the preset malicious code library, the file in the network traffic data is restored and executed in a virtual environment to detect whether the network traffic data is legitimate; and if the network traffic data is not legitimate, it is determined that the network traffic data contains malicious code. Compared with the current detection of malicious code by sandbox technology, the embodiment of the present invention first detects, using the malicious code in the preset malicious code library, whether the network traffic data contains malicious code; only if the preset malicious code library does not detect malicious code in the network traffic data is the file in the network traffic data obtained and executed in the virtual environment, and whether the network traffic data contains malicious code is then determined on that basis. Because the file is executed in the virtual environment, the malicious code contained in the file can be detected dynamically, so the embodiment of the present invention can improve the detection accuracy of malicious code.
Detailed description of the invention
Exemplary embodiments of the disclosure are described more fully below with reference to the accompanying drawings. Although the accompanying drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and so that the scope of the disclosure can be fully conveyed to those skilled in the art.
To make the advantages of the technical solution of the present invention clearer, the present invention is described in detail below with reference to the accompanying drawings and embodiments.
An embodiment of the present invention provides a malicious code detection method based on virtual execution technology; as shown in Figure 1, the method includes:
101. Obtain network traffic data.
102. Judge whether the network traffic data matches malicious code in a preset malicious code library.
Here, the malicious code in the preset malicious code library is the malicious code of existing, known attacks. In the embodiment of the present invention, the vulnerability features that cause overflows in the network traffic data are matched on the basis of the known malicious code, so as to detect whether the network traffic data contains malicious code; detecting the network traffic data through the malicious code in the preset malicious code library has high precision.
103. If the network traffic data does not match malicious code in the preset malicious code library, restore the file in the network traffic data.
104. Execute the file in a virtual environment to detect whether the network traffic data is legitimate.
105. If the network traffic data is not legitimate, determine that the network traffic data contains malicious code.
The malicious code detection method based on virtual execution technology provided by the embodiment of the present invention first obtains network traffic data, then judges whether the network traffic data matches malicious code in a preset malicious code library; if the network traffic data does not match malicious code in the preset malicious code library, the file in the network traffic data is restored and executed in a virtual environment to detect whether the network traffic data is legitimate; and if the network traffic data is not legitimate, it is determined that the network traffic data contains malicious code. Compared with the current detection of malicious code by sandbox technology, the embodiment of the present invention first detects, using the malicious code in the preset malicious code library, whether the network traffic data contains malicious code; only if the preset malicious code library does not detect malicious code in the network traffic data is the file in the network traffic data obtained and executed in the virtual environment, and whether the network traffic data contains malicious code is then determined on that basis. Because the file is executed in the virtual environment, the malicious code contained in the file can be detected dynamically, so the embodiment of the present invention can improve the detection accuracy of malicious code.
Specifically, restoring the file in the network traffic data includes: obtaining the application layer transport protocol corresponding to the network traffic data; and restoring the file in the network traffic data according to the format of the application layer transport protocol.
It should be noted that files are propagated in the form of network traffic data. Common application layer file transfer protocols include the HTTP protocol, the SMTP protocol, the POP3 protocol, the IMAP protocol and the FTP protocol. Among these, the HTTP protocol is a transport protocol for transferring hypertext from a World Wide Web server to a local browser; the SMTP, POP3 and IMAP protocols are transport protocols for e-mail transmission; and the FTP protocol is a transport protocol for sharing files between hosts. To restore the file in the network traffic data, the application layer transport protocol corresponding to the network traffic data is first obtained, and the file is then restored from the network traffic data according to the protocol format of that application layer transport protocol, ready for the virtual execution detection of the next step.
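The following Python code is an added worked example of steps 102 and 103 and is not part of the patent: it checks a traffic stream against a constructed stand-in for the preset malicious code library (the two placeholder byte patterns are invented, not real signatures), recognises the application layer protocol from the first bytes of the stream, and, for HTTP, restores the transferred file from the server response, handling both Content-Length and chunked bodies and refusing a truncated body rather than passing a partial file on to the virtual environment. The sample response, the function names and the classification labels are all assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# Constructed stand-in for the preset malicious code library: byte patterns of
# known attack payloads keyed by signature id. The patterns are placeholders.
PRESET_MALICIOUS_CODE_LIBRARY = {
    "placeholder-sig-1": b"EXAMPLE_KNOWN_BAD_PATTERN_1",
    "placeholder-sig-2": b"EXAMPLE_KNOWN_BAD_PATTERN_2",
}


def match_preset_library(traffic: bytes, library=PRESET_MALICIOUS_CODE_LIBRARY) -> Optional[str]:
    """Step 102: id of the first library pattern found in the traffic, else None."""
    for sig_id, pattern in library.items():
        if pattern in traffic:
            return sig_id
    return None


def identify_protocol(traffic: bytes) -> Optional[str]:
    """Recognise the application layer transport protocol from the start of the stream.
    Only HTTP responses are restored below; the other protocols are recognised by
    their standard greeting line but not parsed in this example."""
    head = traffic[:16]
    if head.startswith((b"HTTP/1.", b"GET ", b"POST ")):
        return "HTTP"
    if head.startswith(b"220 "):      # SMTP and FTP servers both greet with a 220 line
        return "SMTP-or-FTP"
    if head.startswith(b"+OK"):
        return "POP3"
    if head.startswith(b"* OK"):
        return "IMAP"
    return None


@dataclass
class RestoredFile:
    protocol: str
    name: str
    content: bytes


def _decode_chunked(body: bytes) -> bytes:
    """Reassemble an HTTP body sent with Transfer-Encoding: chunked."""
    out = bytearray()
    pos = 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end].split(b";")[0], 16)   # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            break
        out += body[pos:pos + size]
        pos += size + 2                                      # skip the data and its CRLF
    return bytes(out)


def restore_http_file(response: bytes) -> RestoredFile:
    """Step 103 for HTTP: restore the transferred file from a server response.
    A truncated body is an error: a partial file must not be handed to the
    virtual environment as if it were complete."""
    header_end = response.index(b"\r\n\r\n")
    header_blob, body = response[:header_end], response[header_end + 4:]
    headers = {}
    for line in header_blob.split(b"\r\n")[1:]:              # skip the status line
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    if headers.get("transfer-encoding", "").lower() == "chunked":
        content = _decode_chunked(body)
    else:
        length = int(headers.get("content-length", len(body)))
        if len(body) < length:
            raise ValueError("truncated HTTP body: file cannot be restored")
        content = body[:length]
    name = "unnamed"
    disposition = headers.get("content-disposition", "")
    if "filename=" in disposition:
        name = disposition.split("filename=", 1)[1].strip().strip('"')
    return RestoredFile("HTTP", name, content)


def classify_traffic(traffic: bytes) -> Tuple[str, Union[str, RestoredFile, None]]:
    """Steps 102 and 103 together: a library hit is reported directly; otherwise the
    file is restored according to the recognised protocol."""
    sig_id = match_preset_library(traffic)
    if sig_id is not None:
        return ("known-malicious", sig_id)
    protocol = identify_protocol(traffic)
    if protocol != "HTTP":
        return ("unsupported-protocol", protocol)
    return ("restored", restore_http_file(traffic))


# Constructed sample response carrying a small file; not a real capture.
SAMPLE_HTTP = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Disposition: attachment; filename=\"update.bin\"\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\nMZ\x90\x00\x03\r\n"
    b"6\r\nPAYLOD\r\n"
    b"0\r\n\r\n"
)

if __name__ == "__main__":
    print(classify_traffic(SAMPLE_HTTP))
```

Restoring the file from the protocol format, rather than scanning raw packets, is what makes the later virtual execution meaningful: the chunked sample above carries the file bytes split across two chunks with a length prefix between them, so a byte-pattern signature applied to the raw stream could miss a pattern that the reassembled file contains.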
Specifically, executing the file in the virtual environment to detect whether the network traffic data is legitimate includes: executing the file in the virtual environment; and detecting whether the operations performed by the file satisfy an alarm rule in a preset alarm library, the preset alarm library storing a plurality of alarm rules, and the alarm rules being used to detect whether the network traffic data is legitimate. If the network traffic data is not legitimate, determining that the network traffic data contains malicious code includes: if an operation performed by the file satisfies an alarm rule in the preset alarm library, determining that the network traffic data contains malicious code.
In the embodiment of the present invention, the file is executed in the virtual environment, and detection of its file operations, process operations, registry operations, network operations and service operations, among others, is carried out respectively. The detection results are matched against the preset alarm library; when an alarm rule is hit, it is determined that the network traffic data contains malicious code and alarm information is output; otherwise the operation record is output directly.
Taking registry detection as an example, it is first judged whether the restored file performs any operation that accesses the registry in the virtual environment. If there is no operation accessing the registry, the operation record is written down in real time to provide a basis for subsequent analysis. If there is an operation accessing the registry, it is further judged whether an alarm rule in the preset alarm library is hit, that is, whether the execution maliciously modifies, deletes or creates registry information, with particular attention paid to those registry entries that affect system start-up. If an alarm rule is hit, it is determined that the network traffic data contains malicious code, detailed alarm information is output, and the alarm is added to the alarm library. If no alarm rule is hit, the operation record is output to provide material for manual review that may be carried out later.
In the embodiment of the present invention, the alarm rules in the preset alarm library include, but are not limited to, file operation alarm rules, process operation alarm rules, registry operation alarm rules, network operation alarm rules and service operation alarm rules.
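The following Python code is an added example of steps 104 and 105 and of the registry detection procedure described above; it is not the patent's own implementation. An execution trace captured in the virtual environment is represented as a list of operations, each operation is written to the operation record, and each is matched against a constructed preset alarm library holding one rule per category named on the page (file, process, registry, network, service). The registry rule follows the page's emphasis on entries that affect system start-up, using the standard Windows autostart key locations; the other rules, the rule ids, the operation schema and the two sample traces (including the documentation address 192.0.2.10) are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class Operation:
    """One operation captured while the restored file runs in the virtual environment."""
    category: str   # file / process / registry / network / service
    action: str     # read, write, create, delete, connect, start, ...
    target: str     # path, registry key, process image, or host:port
    detail: str = ""


@dataclass
class AlarmRule:
    rule_id: str
    category: str
    description: str
    hits: Callable[[Operation], bool]


@dataclass
class DetectionResult:
    malicious: bool = False
    alarms: List[str] = field(default_factory=list)          # detailed alarm information
    operation_log: List[str] = field(default_factory=list)   # every operation, for later review


# Registry locations that affect system start-up (standard Windows autostart keys).
AUTOSTART_KEY_FRAGMENTS = (
    "\\currentversion\\run",            # Run, RunOnce, RunServices, ...
    "\\currentversion\\winlogon",
    "\\currentcontrolset\\services",
)


def _is_autostart_key(key: str) -> bool:
    return any(frag in key.lower() for frag in AUTOSTART_KEY_FRAGMENTS)


def _raw_ip_nonstandard_port(target: str) -> bool:
    """True for 'a.b.c.d:port' where the host is a literal IPv4 and the port is not 80/443."""
    host, _, port = target.rpartition(":")
    parts = host.split(".")
    is_ipv4 = len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)
    return is_ipv4 and port.isdigit() and int(port) not in (80, 443)


# Constructed preset alarm library: one rule for each category named on the page.
PRESET_ALARM_LIBRARY: List[AlarmRule] = [
    AlarmRule("REG-001", "registry", "create/modify/delete a registry entry affecting system start-up",
              lambda op: op.action in ("create", "write", "delete") and _is_autostart_key(op.target)),
    AlarmRule("FILE-001", "file", "write a file into the system directory",
              lambda op: op.action == "write" and op.target.lower().startswith("c:\\windows\\system32")),
    AlarmRule("PROC-001", "process", "start a process from a temporary directory",
              lambda op: op.action == "create" and "\\temp\\" in op.target.lower()),
    AlarmRule("NET-001", "network", "outbound connection to a literal IP on a non-standard port",
              lambda op: op.action == "connect" and _raw_ip_nonstandard_port(op.target)),
    AlarmRule("SVC-001", "service", "create a new system service",
              lambda op: op.action == "create"),
]


def evaluate_trace(trace: List[Operation], library: List[AlarmRule] = PRESET_ALARM_LIBRARY) -> DetectionResult:
    """Steps 104-105: every operation is logged; each one is matched against the rules
    of its own category, and any hit yields detailed alarm information and marks the
    traffic as containing malicious code. With no hit, only the operation record is
    returned, as material for manual review."""
    result = DetectionResult()
    for op in trace:
        result.operation_log.append(f"{op.category}:{op.action} {op.target} {op.detail}".rstrip())
        for rule in library:
            if rule.category == op.category and rule.hits(op):
                result.alarms.append(f"{rule.rule_id} [{rule.description}] {op.action} {op.target}")
                result.malicious = True
    return result


# Constructed traces standing in for what the virtual environment would capture.
BENIGN_TRACE = [
    Operation("file", "read", "C:\\Users\\user\\Documents\\report.docx"),
    Operation("registry", "read", "HKCU\\Software\\Microsoft\\Office\\16.0\\Word"),
    Operation("network", "connect", "updates.example.com:443"),
]
SUSPICIOUS_TRACE = [
    Operation("file", "write", "C:\\Users\\user\\AppData\\Local\\Temp\\svc.exe"),
    Operation("process", "create", "C:\\Users\\user\\AppData\\Local\\Temp\\svc.exe"),
    Operation("registry", "write", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
              detail="value points at the dropped executable"),
    Operation("network", "connect", "192.0.2.10:4444"),
]

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN_TRACE), ("suspicious", SUSPICIOUS_TRACE)):
        print(name, evaluate_trace(trace))
```

Note that a registry read of an autostart key does not hit REG-001; only create, write and delete do, which mirrors the page's distinction between merely accessing the registry (recorded for later analysis) and maliciously modifying, deleting or creating start-up entries (an alarm).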
In the embodiment of the present invention, because the virtual execution detection technique uses a virtual machine mechanism different from that of sandbox detection, the behaviour characteristics of the restored program are analysed by tracing its system calls, and changes in memory and in instructions are observed. Detection based on virtual execution technology can guard against escape techniques aimed at sandbox detection and against malicious code that exploits vulnerabilities. The virtual execution rules are realised by designing a virtual execution algorithm which, according to the historical information data of executed instances, performs virtual scheduling again in a new workflow model. Namespace virtualization and a copy-on-write mechanism are used to achieve redirection and isolation of resource access, and the virtual execution environment is built on this basis so as to capture multiple kinds of behaviour.
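The following Python code is an added example of the copy-on-write resource redirection mentioned above, written for this page and not taken from the patent; it models the file-system part of such an environment, not the page's namespace virtualization or instruction tracing, which it does not implement. A base directory stands in for the protected host resources: reads are redirected to a shadow copy when one exists and to the base otherwise, while writes and deletions go only to the shadow directory (a deletion is recorded as a "whiteout" so the base file becomes invisible inside the environment without being removed). Every access is appended to a trace, which is what the alarm rules would later consume. The class name, method names and the constructed sequence in demo() are assumptions of this example.

```python
import os
import shutil
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class CowFileSystem:
    """Copy-on-write view over a base directory. Reads come from the shadow copy
    when one exists and from the base otherwise; writes and deletes go only to the
    shadow directory, so the base is never modified. Every access is traced."""
    base: str
    shadow: str
    whiteouts: Set[str] = field(default_factory=set)   # names deleted inside the environment
    trace: List[str] = field(default_factory=list)

    def _base_path(self, rel: str) -> str:
        return os.path.join(self.base, rel)

    def _shadow_path(self, rel: str) -> str:
        return os.path.join(self.shadow, rel)

    def exists(self, rel: str) -> bool:
        if rel in self.whiteouts:
            return False
        return os.path.exists(self._shadow_path(rel)) or os.path.exists(self._base_path(rel))

    def read(self, rel: str) -> bytes:
        self.trace.append(f"file:read {rel}")
        if not self.exists(rel):
            raise FileNotFoundError(rel)
        path = self._shadow_path(rel)
        if not os.path.exists(path):
            path = self._base_path(rel)          # redirect the read to the untouched base
        with open(path, "rb") as f:
            return f.read()

    def write(self, rel: str, data: bytes, append: bool = False) -> None:
        self.trace.append(f"file:write {rel}")
        dst = self._shadow_path(rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        src = self._base_path(rel)
        if append and not os.path.exists(dst) and rel not in self.whiteouts and os.path.exists(src):
            shutil.copyfile(src, dst)            # copy-on-write: materialise the shadow copy first
        self.whiteouts.discard(rel)
        with open(dst, "ab" if append else "wb") as f:
            f.write(data)

    def delete(self, rel: str) -> None:
        self.trace.append(f"file:delete {rel}")
        dst = self._shadow_path(rel)
        if os.path.exists(dst):
            os.remove(dst)
        self.whiteouts.add(rel)                  # hide the base file without touching it


def demo() -> Dict[str, object]:
    """Constructed sequence: modify, delete and drop files from inside the
    environment, then compare what the environment saw with the real base."""
    base = tempfile.mkdtemp(prefix="cow-base-")
    shadow = tempfile.mkdtemp(prefix="cow-shadow-")
    try:
        original = b"127.0.0.1 localhost\n"
        with open(os.path.join(base, "hosts"), "wb") as f:
            f.write(original)
        fs = CowFileSystem(base, shadow)
        fs.write("hosts", b"# appended inside the virtual environment\n", append=True)
        seen_after_append = fs.read("hosts")
        fs.delete("hosts")
        fs.write("dropped.bin", b"MZ")
        with open(os.path.join(base, "hosts"), "rb") as f:
            base_hosts = f.read()
        return {
            "appended_read_ok": seen_after_append == original + b"# appended inside the virtual environment\n",
            "base_hosts_unchanged": base_hosts == original,
            "hosts_visible_in_env": fs.exists("hosts"),
            "dropped_visible_in_env": fs.exists("dropped.bin"),
            "dropped_in_base": os.path.exists(os.path.join(base, "dropped.bin")),
            "trace": list(fs.trace),
        }
    finally:
        shutil.rmtree(base)
        shutil.rmtree(shadow)


if __name__ == "__main__":
    print(demo())
```

The point of the redirection is visible in the returned dictionary: the program under analysis sees its own appended content, its deletion and its dropped file, so it behaves as it would on a real host, while the base directory is unchanged afterwards and the trace holds the full record of what it tried to do.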
Further, an embodiment of the present invention provides a malicious code detection device based on virtual execution technology; as shown in Figure 2, the device includes: an acquiring unit 21, a judging unit 22, a restoration unit 23, an execution unit 24 and a determining unit 25.
The acquiring unit 21 is configured to obtain network traffic data;
the judging unit 22 is configured to judge whether the network traffic data matches malicious code in a preset malicious code library;
the restoration unit 23 is configured to restore the file in the network traffic data if the network traffic data does not match malicious code in the preset malicious code library;
the execution unit 24 is configured to execute the file in a virtual environment to detect whether the network traffic data is legitimate;
the determining unit 25 is configured to determine that the network traffic data contains malicious code if the network traffic data is not legitimate.
It should be noted that, for the other corresponding descriptions of the functional units involved in the malicious code detection device based on virtual execution technology provided by the embodiment of the present invention, reference may be made to the corresponding description of the method shown in Figure 1, which is not repeated here; it should be understood, however, that the device in the present embodiment can correspondingly implement the full content of the foregoing method embodiment.
The malicious code detection device based on virtual execution technology provided by the embodiment of the present invention first obtains network traffic data, then judges whether the network traffic data matches malicious code in a preset malicious code library; if the network traffic data does not match malicious code in the preset malicious code library, the file in the network traffic data is restored and executed in a virtual environment to detect whether the network traffic data is legitimate; and if the network traffic data is not legitimate, it is determined that the network traffic data contains malicious code. Compared with the current detection of malicious code by sandbox technology, the embodiment of the present invention first detects, using the malicious code in the preset malicious code library, whether the network traffic data contains malicious code; only if the preset malicious code library does not detect malicious code in the network traffic data is the file in the network traffic data obtained and executed in the virtual environment, and whether the network traffic data contains malicious code is then determined on that basis. Because the file is executed in the virtual environment, the malicious code contained in the file can be detected dynamically, so the embodiment of the present invention can improve the detection accuracy of malicious code.
Further, an embodiment of the present invention provides another malicious code detection device based on virtual execution technology; as shown in Figure 3, the device includes: an acquiring unit 31, a judging unit 32, a restoration unit 33, an execution unit 34 and a determining unit 35.
The acquiring unit 31 is configured to obtain network traffic data;
the judging unit 32 is configured to judge whether the network traffic data matches malicious code in a preset malicious code library;
the restoration unit 33 is configured to restore the file in the network traffic data if the network traffic data does not match malicious code in the preset malicious code library;
the execution unit 34 is configured to execute the file in a virtual environment to detect whether the network traffic data is legitimate;
the determining unit 35 is configured to determine that the network traffic data contains malicious code if the network traffic data is not legitimate.
Specifically, the restoration unit 33 includes:
an acquisition module 331, configured to obtain the application layer transport protocol corresponding to the network traffic data;
a restoration module 332, configured to restore the file in the network traffic data according to the format of the application layer transport protocol.
Specifically, the execution unit 34 includes:
an execution module 341, configured to execute the file in the virtual environment;
a detection module 342, configured to detect whether the operations performed by the file satisfy an alarm rule in a preset alarm library, the preset alarm library storing a plurality of alarm rules, and the alarm rules being used to detect whether the network traffic data is legitimate.
The determining unit 35 is specifically configured to determine that the network traffic data contains malicious code if an operation performed by the file satisfies an alarm rule in the preset alarm library.
In the embodiment of the present invention, the alarm rules in the preset alarm library include, but are not limited to, file operation alarm rules, process operation alarm rules, registry operation alarm rules, network operation alarm rules and service operation alarm rules.
The other malicious code detection device based on virtual execution technology provided by the embodiment of the present invention first obtains network traffic data, then judges whether the network traffic data matches malicious code in a preset malicious code library; if the network traffic data does not match malicious code in the preset malicious code library, the file in the network traffic data is restored and executed in a virtual environment to detect whether the network traffic data is legitimate; and if the network traffic data is not legitimate, it is determined that the network traffic data contains malicious code. Compared with the current detection of malicious code by sandbox technology, the embodiment of the present invention first detects, using the malicious code in the preset malicious code library, whether the network traffic data contains malicious code; only if the preset malicious code library does not detect malicious code in the network traffic data is the file in the network traffic data obtained and executed in the virtual environment, and whether the network traffic data contains malicious code is then determined on that basis. Because the file is executed in the virtual environment, the malicious code contained in the file can be detected dynamically, so the embodiment of the present invention can improve the detection accuracy of malicious code.
The malicious code detection device based on virtual execution technology includes a processor and a memory; the above acquiring unit, judging unit, restoration unit, execution unit, determining unit and so on are all stored in the memory as program units, and the processor executes the program units stored in the memory to realize the corresponding functions.
The processor includes a kernel, and the kernel retrieves the corresponding program unit from the memory. One or more kernels may be provided, and the detection accuracy of malicious code is improved by adjusting the kernel parameters.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM); the memory includes at least one memory chip.
The present invention also provides a computer program product which, when executed on a data processing device, is adapted to execute program code initialized with the following method steps: obtaining network traffic data; judging whether the network traffic data matches malicious code in a preset malicious code library; if the network traffic data does not match malicious code in the preset malicious code library, restoring the file in the network traffic data; executing the file in a virtual environment to detect whether the network traffic data is legitimate; and if the network traffic data is not legitimate, determining that the network traffic data contains malicious code.
Those skilled in the art should understand that the embodiments of the present application may be provided as a method, a system or a computer program product. Therefore, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage and the like) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realizing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, the instruction device realizing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for realizing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
In a typical configuration, a computing device includes one or more processors (CPU), input/output interfaces, network interfaces and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, which can realize information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassette, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
The above are only embodiments of the present application and are not intended to limit the present application. To those skilled in the art, the present application may have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present application shall be included within the scope of the claims of the present application.