CN105978911A - Malicious code detection method and device based on virtual execution technology - Google Patents


Info

Publication number: CN105978911A
Authority: CN (China)
Prior art keywords: flow data, network flow, malicious code, file, described network
Legal status: Granted
Application number: CN201610555953.3A
Other languages: Chinese (zh)
Other versions: CN105978911B (en)
Inventors: 傅涛, 薛敏, 孙文静, 俞正兵
Current assignee: Bozhi Safety Technology Co ltd; JIANGSU BOZHI SOFTWARE TECHNOLOGY CO LTD
Original assignee: JIANGSU BOZHI SOFTWARE TECHNOLOGY Co Ltd
Application filed by JIANGSU BOZHI SOFTWARE TECHNOLOGY Co Ltd
Priority to CN201610555953.3A
Publication of CN105978911A
Application granted
Publication of CN105978911B
Current legal status: Active


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection


Abstract

The invention discloses a malicious code detection method and device based on a virtual execution technology, relates to the technical field of network security, and aims to solve the problem of malicious code detection accuracy. According to the main technical scheme, the method comprises the following steps: acquiring network traffic data; judging whether the network traffic data are matched with malicious codes in a preset malicious code library or not; if the network traffic data are mismatched with the malicious codes in the preset malicious code library, recovering a file in the network traffic data; executing the file in a virtual environment in order to detect whether the network traffic data are legal or not; and if the network traffic data are illegal, determining that the network traffic data include the malicious codes. The malicious code detection method and device are mainly used for detecting the malicious codes.

Description

Malicious code detection method and device based on virtual execution technology
Technical field
The present invention relates to the technical field of network security, and in particular to a malicious code detection method and device based on virtual execution technology.
Background technology
With the rapid spread of the Internet and the accelerating informatization of government and enterprises, computers bring great convenience to people's lives and studies; whether for shopping, leisure or work, the Internet is increasingly important. However, because of the open and flexible applications of the Internet and the vulnerabilities of operating systems, people also suffer the disturbance and damage of various malicious code while enjoying the benefits of computers, and network security threat events rise year by year. Among network security events, the harm caused by malicious code is the most serious: it causes huge economic losses to countries, society and individuals, and has become a major challenge for information security work.
At present, malicious code detection technology is mainly sandbox technology, whose principle is to analyze the behaviour of the malicious code after the vulnerability exploitation stage. However, with the development of network attack techniques, advanced malicious code can hide its malicious behaviour through polymorphism and metamorphism, for example by suspending its malicious behaviour during the sandbox detection phase, and thereby escape sandbox detection. The accuracy of existing malicious code detection methods is therefore low.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a malicious code detection method and device based on virtual execution technology that overcomes the above problems or at least partially solves them.
To achieve the above purpose, the present invention mainly provides the following technical scheme:
In one aspect, an embodiment of the present invention provides a malicious code detection method based on virtual execution technology, the method comprising:
obtaining network flow data;
judging whether the network flow data matches malicious code in a preset malicious code library;
if the network flow data does not match malicious code in the preset malicious code library, recovering a file from the network flow data;
executing the file in a virtual environment to detect whether the network flow data is legal;
if the network flow data is illegal, determining that the network flow data contains malicious code.
Specifically, recovering the file from the network flow data includes:
obtaining the application layer transport protocol corresponding to the network flow data;
recovering the file from the network flow data according to the format of that application layer file transport protocol.
Specifically, executing the file in the virtual environment to detect whether the network flow data is legal includes:
executing the file in the virtual environment;
detecting whether the operations performed by the file meet an alarm rule in a preset alarm library, the preset alarm library storing multiple alarm rules that are used to detect whether the network flow data is legal.
Specifically, if the network flow data is illegal, determining that the network flow data contains malicious code includes:
if an operation performed by the file meets an alarm rule in the preset alarm library, determining that the network flow data contains malicious code.
In an embodiment of the present invention, the alarm rules in the preset alarm library include, but are not limited to, file operation alarm rules, process operation alarm rules, registry operation alarm rules, network operation alarm rules and service operation alarm rules.
In another aspect, an embodiment of the present invention also provides a malicious code detection device based on virtual execution technology, the device comprising:
an acquiring unit, for obtaining network flow data;
a judging unit, for judging whether the network flow data matches malicious code in a preset malicious code library;
a recovery unit, for recovering a file from the network flow data if the network flow data does not match malicious code in the preset malicious code library;
an execution unit, for executing the file in a virtual environment to detect whether the network flow data is legal;
a determining unit, for determining that the network flow data contains malicious code if the network flow data is illegal.
Specifically, the recovery unit includes:
an acquisition module, for obtaining the application layer transport protocol corresponding to the network flow data;
a recovery module, for recovering the file from the network flow data according to the format of that application layer file transport protocol.
Specifically, the execution unit includes:
an execution module, for executing the file in a virtual environment;
a detection module, for detecting whether the operations performed by the file meet an alarm rule in a preset alarm library, the preset alarm library storing multiple alarm rules that are used to detect whether the network flow data is legal.
The determining unit is specifically used for determining that the network flow data contains malicious code if an operation performed by the file meets an alarm rule in the preset alarm library.
In an embodiment of the present invention, the alarm rules in the preset alarm library include, but are not limited to, file operation alarm rules, process operation alarm rules, registry operation alarm rules, network operation alarm rules and service operation alarm rules.
Through the above technical scheme, the technical scheme provided by the embodiments of the present invention has at least the following advantage:
The malicious code detection method and device based on virtual execution technology provided by the embodiments first obtain network flow data and then judge whether the network flow data matches malicious code in a preset malicious code library; if it does not, a file is recovered from the network flow data and executed in a virtual environment to detect whether the network flow data is legal; if the network flow data is illegal, it is determined to contain malicious code. Compared with the current detection of malicious code by sandbox technology, the embodiments first detect, using the malicious code in the preset malicious code library, whether the network flow data contains malicious code; if the preset malicious code library does not detect malicious code in the network flow data, the file in the network flow data is obtained and executed in a virtual environment to further determine whether the network flow data contains malicious code. Because the file is executed in the virtual environment, the malicious code contained in the file can be detected dynamically, so the embodiments can improve the detection accuracy of malicious code.
Brief description of the drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered as limiting the present invention. Throughout the drawings, the same reference numerals denote the same parts. In the drawings:
Fig. 1 is a flow chart of a malicious code detection method based on virtual execution technology provided by an embodiment of the present invention;
Fig. 2 is a block diagram of a malicious code detection device based on virtual execution technology provided by an embodiment of the present invention;
Fig. 3 is a block diagram of another malicious code detection device based on virtual execution technology provided by an embodiment of the present invention.
Detailed description of the invention
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and its scope conveyed completely to those skilled in the art.
To make the advantages of the technical solution of the present invention clearer, the present invention is described in detail below with reference to the drawings and embodiments.
An embodiment of the present invention provides a malicious code detection method based on virtual execution technology; as shown in Fig. 1, the method includes:
101. Obtain network flow data.
102. Judge whether the network flow data matches malicious code in a preset malicious code library.
The malicious code in the preset malicious code library is malicious code from known attacks. In this embodiment, the vulnerability features that cause overflows in network flow data are matched on the basis of known malicious code in order to detect whether the network flow data contains malicious code; detection of network flow data by the malicious code in the preset malicious code library has high precision.
103. If the network flow data does not match malicious code in the preset malicious code library, recover the file from the network flow data.
104. Execute the file in a virtual environment to detect whether the network flow data is legal.
105. If the network flow data is illegal, determine that the network flow data contains malicious code.
The malicious code detection method based on virtual execution technology provided by the embodiment first obtains network flow data and then judges whether the network flow data matches malicious code in a preset malicious code library; if it does not, a file is recovered from the network flow data and executed in a virtual environment to detect whether the network flow data is legal; if the network flow data is illegal, it is determined to contain malicious code. Compared with the current detection of malicious code by sandbox technology, the embodiment first detects, using the malicious code in the preset malicious code library, whether the network flow data contains malicious code; if the preset malicious code library does not detect malicious code in the network flow data, the file in the network flow data is obtained and executed in a virtual environment to further determine whether the network flow data contains malicious code. Because the file is executed in the virtual environment, the malicious code contained in the file can be detected dynamically, so the embodiment can improve the detection accuracy of malicious code.
Specifically, recovering the file from the network flow data includes: obtaining the application layer transport protocol corresponding to the network flow data; and recovering the file from the network flow data according to the format of that application layer file transport protocol.
It should be noted that files propagate in the form of network flow data. Common application layer file transport protocols include HTTP, SMTP, POP3, IMAP and FTP. HTTP is the transport protocol for transferring hypertext from a WWW server to a local browser; SMTP, POP3 and IMAP are transport protocols for e-mail delivery; FTP is the transport protocol for sharing files between hosts. To recover the file from the network flow data, the application layer transport protocol corresponding to the flow data is obtained first, and the file is then recovered from the flow data according to the protocol format of that protocol, ready for the virtual execution detection of the next step.
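The two recovery steps just described (identify the application layer protocol, then extract the file according to that protocol's format) can be shown on two of the protocols named above. The following is an added example, not code from the patent: it assumes the captured stream is one direction of a reassembled TCP connection (server-to-client for an HTTP response, client-to-server for an SMTP session), handles an HTTP body delimited by Content-Length and a base64 MIME attachment inside SMTP DATA, and refuses to hand on a file when the capture is truncated. The stream constants are constructed for the example.

```python
"""Recover a transferred file from captured application-layer traffic.

Added example, not the patent's own code. Assumes one direction of a
reassembled TCP stream; the sample streams below are constructed.
"""
import base64
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class RecoveredFile:
    protocol: str
    name: str
    data: bytes


def identify_protocol(stream: bytes) -> str:
    """Step one of recovery: name the application layer protocol from the stream start."""
    head = stream[:12]
    if head.startswith(b"HTTP/1.") or re.match(rb"^(GET|POST|PUT|HEAD) ", head):
        return "HTTP"
    if head.upper().startswith((b"EHLO ", b"HELO ")):
        return "SMTP"
    return "UNKNOWN"          # POP3/IMAP/FTP would need their own parsers


def _recover_http(stream: bytes) -> Optional[RecoveredFile]:
    sep = stream.find(b"\r\n\r\n")
    if sep < 0:
        return None
    headers, body = stream[:sep].decode("latin-1"), stream[sep + 4:]
    length = re.search(r"^Content-Length:\s*(\d+)\s*$", headers, re.I | re.M)
    if not length:
        return None           # chunked or unbounded bodies are not handled here
    size = int(length.group(1))
    if len(body) < size:
        return None           # truncated capture: never pass a partial file on
    name = "http_body.bin"
    disp = re.search(r'^Content-Disposition:.*filename="([^"]+)"', headers, re.I | re.M)
    if disp:
        name = disp.group(1)
    return RecoveredFile("HTTP", name, body[:size])


def _recover_smtp(stream: bytes) -> Optional[RecoveredFile]:
    start = stream.find(b"\r\nDATA\r\n")
    end = stream.find(b"\r\n.\r\n", start) if start >= 0 else -1
    if start < 0 or end < 0:
        return None
    # undo SMTP dot-stuffing: a message line starting with "." was sent as ".."
    message = stream[start + 8:end].replace(b"\r\n..", b"\r\n.")
    hdr_end = message.find(b"\r\n\r\n")
    if hdr_end < 0:
        return None
    boundary = re.search(r'boundary="?([^";\r\n]+)"?', message[:hdr_end].decode("latin-1"), re.I)
    if not boundary:
        return None           # not a MIME multipart message: nothing attached
    for part in message.split(b"--" + boundary.group(1).encode("latin-1")):
        ph_end = part.find(b"\r\n\r\n")
        if ph_end < 0:
            continue
        part_headers = part[:ph_end].decode("latin-1")
        fname = re.search(r'filename="([^"]+)"', part_headers, re.I)
        b64 = re.search(r"^Content-Transfer-Encoding:\s*base64", part_headers, re.I | re.M)
        if fname and b64:
            return RecoveredFile("SMTP", fname.group(1), base64.b64decode(part[ph_end + 4:]))
    return None


def recover_file(stream: bytes) -> Optional[RecoveredFile]:
    """Both steps together: choose the parser by protocol, then extract the file."""
    parser = {"HTTP": _recover_http, "SMTP": _recover_smtp}.get(identify_protocol(stream))
    return parser(stream) if parser else None


# Constructed sample streams (not real captures).
HTTP_STREAM = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
               b'Content-Disposition: attachment; filename="invoice.exe"\r\n'
               b"Content-Length: 6\r\n\r\nMZ\x90\x00\x03\x00NEXT")  # "NEXT" belongs to the next response
HTTP_TRUNCATED = HTTP_STREAM[:HTTP_STREAM.find(b"\r\n\r\n") + 6]   # body cut after two bytes
SMTP_STREAM = (b"EHLO mail.example.test\r\nMAIL FROM:<a@example.test>\r\n"
               b"RCPT TO:<b@example.test>\r\nDATA\r\n"
               b"From: a@example.test\r\nTo: b@example.test\r\nSubject: report\r\n"
               b'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="XYZ"\r\n\r\n'
               b"--XYZ\r\nContent-Type: text/plain\r\n\r\n..see attached\r\n"
               b"--XYZ\r\nContent-Type: application/octet-stream\r\n"
               b"Content-Transfer-Encoding: base64\r\n"
               b'Content-Disposition: attachment; filename="report.doc"\r\n\r\n'
               + base64.b64encode(b"\xd0\xcf\x11\xe0 constructed document bytes")
               + b"\r\n--XYZ--\r\n.\r\nQUIT\r\n")

if __name__ == "__main__":
    for sample in (HTTP_STREAM, HTTP_TRUNCATED, SMTP_STREAM):
        print(identify_protocol(sample), recover_file(sample))
```

Returning None for a truncated HTTP body matters in practice: a partial file sent on to the virtual environment would execute differently from the real one and could produce a clean verdict for traffic that was actually malicious.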
Specifically, executing the file in the virtual environment to detect whether the network flow data is legal includes: executing the file in the virtual environment; and detecting whether the operations performed by the file meet an alarm rule in a preset alarm library, the preset alarm library storing multiple alarm rules that are used to detect whether the network flow data is legal. If the network flow data is illegal, determining that the network flow data contains malicious code includes: if an operation performed by the file meets an alarm rule in the preset alarm library, determining that the network flow data contains malicious code.
In the embodiment, the file is executed in the virtual environment and file, process, registry, network and service operations are detected respectively. The detection results are matched against the preset alarm library: when an alarm rule is hit, the network flow data is determined to contain malicious code and alarm information is output; otherwise an operation record is output directly. Taking registry detection as an example: first judge whether the recovered file performs any operation that accesses the registry under the virtual environment. If there is no registry access, record the operation in real time as a basis for subsequent analysis. If there is a registry access operation, continue to judge whether it hits an alarm rule in the preset alarm library, that is, whether the execution maliciously modifies, deletes or creates registry information, paying special attention to registry entries that affect system startup. If an alarm rule is hit, the network flow data is determined to contain malicious code, detailed alarm information is output and added to the alarm library. If no alarm rule is hit, an operation record is output as material for manual review that may be carried out later.
In an embodiment of the present invention, the alarm rules in the preset alarm library include, but are not limited to, file operation alarm rules, process operation alarm rules, registry operation alarm rules, network operation alarm rules and service operation alarm rules.
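The matching of observed operations against the preset alarm library, with the hit/miss handling of the registry example above, can be written as a small rule engine. The following is an added example, not the patent's code: it assumes the virtual environment's monitor hands back a behaviour trace as one record per operation (category, operation name, target), and the rules and the two traces are constructed for the example, one rule per family named in the paragraph above. Hits produce detailed alarm information and are appended to an archive (the "added to the alarm library" step); every operation, hit or not, is kept in the operation record for later manual review.

```python
"""Match operations observed during virtual execution against a preset alarm library.

Added example, not the patent's code. Rules, traces and target names are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class AlarmRule:
    rule_id: str
    category: str            # file / process / registry / network / service
    ops: frozenset           # operation names the rule applies to
    target: str              # regex over the operation's target
    note: str


# Constructed preset alarm library covering the five rule families named in the patent.
PRESET_ALARM_LIBRARY = (
    AlarmRule("REG-AUTOSTART", "registry", frozenset({"create", "set", "delete"}),
              r"\\CurrentVersion\\(Run|RunOnce)\\", "registry entry affecting system startup changed"),
    AlarmRule("REG-SERVICE-IMAGE", "registry", frozenset({"set"}),
              r"\\Services\\[^\\]+\\ImagePath$", "service binary path changed"),
    AlarmRule("FILE-SYSTEM-DIR", "file", frozenset({"write", "delete"}),
              r"^C:\\Windows\\System32\\", "system directory modified"),
    AlarmRule("PROC-INJECT", "process", frozenset({"write_memory", "create_remote_thread"}),
              r".", "memory write or thread creation in another process"),
    AlarmRule("NET-LISTEN", "network", frozenset({"listen"}), r".", "listening socket opened"),
    AlarmRule("SVC-INSTALL", "service", frozenset({"create"}), r".", "new service installed"),
)


@dataclass
class DetectionResult:
    verdict: str                                                 # "malicious" or "legal"
    alarms: List[Dict] = field(default_factory=list)             # detailed alarm information
    operation_record: List[Dict] = field(default_factory=list)   # every observed operation
    touched: Dict[str, int] = field(default_factory=dict)        # operations seen per category


def evaluate_trace(trace, library=PRESET_ALARM_LIBRARY, alarm_archive=None):
    """Apply the alarm library to a trace; hits go to the archive, misses stay as records."""
    result = DetectionResult("legal")
    for op in trace:
        result.operation_record.append(op)      # kept in every case for later manual review
        result.touched[op["category"]] = result.touched.get(op["category"], 0) + 1
        for rule in library:
            if (rule.category == op["category"] and op["op"] in rule.ops
                    and re.search(rule.target, op["target"], re.IGNORECASE)):
                hit = {"rule": rule.rule_id, "note": rule.note, **op}
                result.alarms.append(hit)
                if alarm_archive is not None:   # "added to the alarm library"
                    alarm_archive.append(hit)
    if result.alarms:
        result.verdict = "malicious"
    return result


# Constructed traces standing in for what the virtual environment's monitor would record.
BENIGN_TRACE = [
    {"category": "registry", "op": "read", "target": r"HKCU\Software\Example\Settings"},
    {"category": "file", "op": "write", "target": r"C:\Users\alice\AppData\Local\Temp\cache.tmp"},
    {"category": "network", "op": "connect", "target": "203.0.113.10:443"},
]
MALICIOUS_TRACE = [
    {"category": "file", "op": "write", "target": r"C:\Windows\System32\drivers\updsvc.sys"},
    {"category": "registry", "op": "set",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updsvc"},
    {"category": "service", "op": "create", "target": "updsvc"},
]

if __name__ == "__main__":
    archive = []
    for trace in (BENIGN_TRACE, MALICIOUS_TRACE):
        r = evaluate_trace(trace, alarm_archive=archive)
        print(r.verdict, [a["rule"] for a in r.alarms], r.touched)
    print(len(archive), "alarms archived")
```

The `touched` counter answers the first question of the registry example (did the file access the registry at all?) for every category at once, so a trace that never touches a category needs no rule evaluation for it and still leaves a complete operation record behind.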
In the embodiment, because the virtual execution detection technique uses a virtual machine mechanism different from that of sandbox detection, the behaviour characteristics of the original program are analyzed by tracing system calls, and changes in memory and instructions are observed. Detection based on virtual execution technology can withstand escape techniques aimed at sandbox detection as well as malicious code that exploits vulnerabilities. The virtual execution rules are produced by designing a virtual execution algorithm that virtually re-schedules the workflow model anew according to the historical information data of the example executions. Namespace virtualization and a copy-on-write mechanism are used to achieve redirection and isolation of resource accesses, and the virtual execution environment is built on that basis so as to capture multiple kinds of behaviour.
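The namespace virtualization and copy-on-write mechanism mentioned above can be illustrated with a small model. The following is an added example, not the patent's implementation: a namespace (file paths or registry keys) is modelled as a flat dictionary, the executed program only ever talks to the `CowNamespace` wrapper, reads fall through to the shared base layer, and writes and deletes are redirected to a private layer, so the base is never modified and every redirected access is captured as a behaviour event. `CowNamespace`, the base-layer entries and the sample program are assumptions made for this illustration.

```python
"""Copy-on-write namespace with access redirection (added example, not the patent's code).

The base layer stands in for the host's files or registry; the sample program
and its entries are constructed for the illustration.
"""
from typing import Any, Dict, List, Tuple

_WHITEOUT = object()     # private-layer marker hiding a base entry that was "deleted"


class CowNamespace:
    def __init__(self, base: Dict[str, Any]):
        self._base = base
        self._private: Dict[str, Any] = {}
        self.events: List[Tuple[str, str]] = []   # captured (operation, key) pairs

    def read(self, key: str) -> Any:
        self.events.append(("read", key))
        if key in self._private:
            if self._private[key] is _WHITEOUT:
                raise KeyError(key)             # deleted in this namespace, even if the base has it
            return self._private[key]
        return self._base[key]                  # fall through to the shared layer

    def write(self, key: str, value: Any) -> None:
        self.events.append(("write", key))
        self._private[key] = value              # redirected: the base is never touched

    def delete(self, key: str) -> None:
        self.events.append(("delete", key))
        if key not in self._private and key not in self._base:
            raise KeyError(key)
        if key in self._base:
            self._private[key] = _WHITEOUT      # hide the base entry from later reads
        else:
            del self._private[key]              # the entry existed only in the private layer

    def view(self) -> Dict[str, Any]:
        """The merged namespace as the executed program sees it."""
        merged = dict(self._base)
        for key, value in self._private.items():
            if value is _WHITEOUT:
                merged.pop(key, None)
            else:
                merged[key] = value
        return merged

    def diff(self) -> Dict[str, List[str]]:
        """What the host would have changed had the accesses not been redirected."""
        out: Dict[str, List[str]] = {"created": [], "modified": [], "deleted": []}
        for key, value in self._private.items():
            if value is _WHITEOUT:
                out["deleted"].append(key)
            elif key in self._base:
                out["modified"].append(key)
            else:
                out["created"].append(key)
        return out


# Constructed base layer: a few host entries an executed file might touch.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HOSTS_FILE = r"C:\Windows\System32\drivers\etc\hosts"
HOST_BASE = {
    HOSTS_FILE: "127.0.0.1 localhost",
    RUN_KEY + r"\VendorSync": r"C:\Program Files\Vendor\sync.exe",
}


def run_sample_program(ns: CowNamespace) -> None:
    """Constructed stand-in for the behaviour of an executed file."""
    hosts = ns.read(HOSTS_FILE)
    ns.write(HOSTS_FILE, hosts + "\n203.0.113.5 update.example.test")
    ns.write(RUN_KEY + r"\Updater", r"C:\Users\Public\updater.exe")
    ns.delete(RUN_KEY + r"\VendorSync")


def capture(base: Dict[str, Any]) -> CowNamespace:
    """Run the sample program inside a fresh copy-on-write view of the base layer."""
    ns = CowNamespace(base)
    run_sample_program(ns)
    return ns


if __name__ == "__main__":
    ns = capture(dict(HOST_BASE))
    print(ns.events)
    print(ns.diff())
```

The `diff()` output is exactly the material the alarm rules of the previous paragraphs consume (a startup-affecting registry entry created, a system file modified), while `HOST_BASE` is unchanged afterwards, which is the isolation property that lets the file run without the host bearing the consequences.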
Further, an embodiment of the present invention provides a malicious code detection device based on virtual execution technology; as shown in Fig. 2, the device includes: an acquiring unit 21, a judging unit 22, a recovery unit 23, an execution unit 24 and a determining unit 25.
The acquiring unit 21 is used for obtaining network flow data;
the judging unit 22 is used for judging whether the network flow data matches malicious code in a preset malicious code library;
the recovery unit 23 is used for recovering a file from the network flow data if the network flow data does not match malicious code in the preset malicious code library;
the execution unit 24 is used for executing the file in a virtual environment to detect whether the network flow data is legal;
the determining unit 25 is used for determining that the network flow data contains malicious code if the network flow data is illegal.
It should be noted that, for the other corresponding descriptions of the functional units involved in the malicious code detection device based on virtual execution technology provided by the embodiment, reference may be made to the corresponding description of the method shown in Fig. 1, which is not repeated here; it should be understood, however, that the device in this embodiment can correspondingly realize the entire content of the foregoing method embodiment.
The malicious code detection device based on virtual execution technology provided by the embodiment first obtains network flow data and then judges whether the network flow data matches malicious code in a preset malicious code library; if it does not, a file is recovered from the network flow data and executed in a virtual environment to detect whether the network flow data is legal; if the network flow data is illegal, it is determined to contain malicious code. Compared with the current detection of malicious code by sandbox technology, the embodiment first detects, using the malicious code in the preset malicious code library, whether the network flow data contains malicious code; if the preset malicious code library does not detect malicious code in the network flow data, the file in the network flow data is obtained and executed in a virtual environment to further determine whether the network flow data contains malicious code. Because the file is executed in the virtual environment, the malicious code contained in the file can be detected dynamically, so the embodiment can improve the detection accuracy of malicious code.
Further, an embodiment of the present invention provides another malicious code detection device based on virtual execution technology; as shown in Fig. 3, the device includes: an acquiring unit 31, a judging unit 32, a recovery unit 33, an execution unit 34 and a determining unit 35.
The acquiring unit 31 is used for obtaining network flow data;
the judging unit 32 is used for judging whether the network flow data matches malicious code in a preset malicious code library;
the recovery unit 33 is used for recovering a file from the network flow data if the network flow data does not match malicious code in the preset malicious code library;
the execution unit 34 is used for executing the file in a virtual environment to detect whether the network flow data is legal;
the determining unit 35 is used for determining that the network flow data contains malicious code if the network flow data is illegal.
Specifically, the recovery unit 33 includes:
an acquisition module 331, for obtaining the application layer transport protocol corresponding to the network flow data;
a recovery module 332, for recovering the file from the network flow data according to the format of that application layer file transport protocol.
Specifically, the execution unit 34 includes:
an execution module 341, for executing the file in a virtual environment;
a detection module 342, for detecting whether the operations performed by the file meet an alarm rule in a preset alarm library, the preset alarm library storing multiple alarm rules that are used to detect whether the network flow data is legal.
The determining unit 35 is specifically used for determining that the network flow data contains malicious code if an operation performed by the file meets an alarm rule in the preset alarm library.
In an embodiment of the present invention, the alarm rules in the preset alarm library include, but are not limited to, file operation alarm rules, process operation alarm rules, registry operation alarm rules, network operation alarm rules and service operation alarm rules.
The other malicious code detection device based on virtual execution technology provided by the embodiment first obtains network flow data and then judges whether the network flow data matches malicious code in a preset malicious code library; if it does not, a file is recovered from the network flow data and executed in a virtual environment to detect whether the network flow data is legal; if the network flow data is illegal, it is determined to contain malicious code. Compared with the current detection of malicious code by sandbox technology, the embodiment first detects, using the malicious code in the preset malicious code library, whether the network flow data contains malicious code; if the preset malicious code library does not detect malicious code in the network flow data, the file in the network flow data is obtained and executed in a virtual environment to further determine whether the network flow data contains malicious code. Because the file is executed in the virtual environment, the malicious code contained in the file can be detected dynamically, so the embodiment can improve the detection accuracy of malicious code.
The malicious code detection device based on virtual execution technology includes a processor and a memory; the acquiring unit, judging unit, recovery unit, execution unit and determining unit described above are all stored in the memory as program units, and the processor executes the program units stored in the memory to realize the corresponding functions.
The processor contains a kernel, and the kernel fetches the corresponding program units from the memory. One or more kernels may be provided, and the detection accuracy of malicious code is improved by adjusting the kernel parameters.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM); the memory includes at least one memory chip.
The present invention also provides a computer program product which, when executed on a data processing device, is adapted to execute program code initialized with the following method steps: obtaining network flow data; judging whether the network flow data matches malicious code in a preset malicious code library; if the network flow data does not match malicious code in the preset malicious code library, recovering a file from the network flow data; executing the file in a virtual environment to detect whether the network flow data is legal;
if the network flow data is illegal, determining that the network flow data contains malicious code.
Those skilled in the art should understand that the embodiments of the present application may be provided as a method, a system or a computer program product. Therefore, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage and the like) containing computer-usable program code.
The present application is described with reference to flow charts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present application. It should be understood that each flow and/or block in the flow charts and/or block diagrams, and combinations of flows and/or blocks, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general purpose computer, a special purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realizing the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which realizes the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps are executed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for realizing the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may realize information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media such as modulated data signals and carrier waves.
The above are only embodiments of the present application and are not intended to limit the present application. For those skilled in the art, the present application may have various modifications and variations. Any modification, equivalent replacement or improvement made within the spirit and principles of the present application shall be included within the scope of the claims of the present application.

Claims (10)

1. A malicious code detection method based on virtual execution technology, characterised in that it comprises:
obtaining network flow data;
judging whether the network flow data matches malicious code in a preset malicious code library;
if the network flow data does not match malicious code in the preset malicious code library, restoring the file carried in the network flow data;
executing the file in a virtual environment to detect whether the network flow data is legitimate;
if the network flow data is not legitimate, determining that the network flow data contains malicious code.
2. The method according to claim 1, characterised in that restoring the file in the network flow data comprises:
obtaining the application layer transport protocol corresponding to the network flow data;
restoring the file in the network flow data according to the format of the application layer transport protocol.
3. The method according to claim 1, characterised in that executing the file in a virtual environment to detect whether the network flow data is legitimate comprises:
executing the file in the virtual environment;
detecting whether the operations performed by the file meet an alarm rule in a preset alarm library, the preset alarm library storing a plurality of alarm rules used to detect whether the network flow data is legitimate.
4. The method according to claim 3, characterised in that, if the network flow data is not legitimate, determining that the network flow data contains malicious code comprises:
if the operations performed by the file meet an alarm rule in the preset alarm library, determining that the network flow data contains malicious code.
5. The method according to claim 3, characterised in that the alarm rules in the preset alarm library include, but are not limited to, file operation alarm rules, process operation alarm rules, registry operation alarm rules, network operation alarm rules and service operation alarm rules.
6. A malicious code detection device based on virtual execution technology, characterised in that it comprises:
an acquiring unit, for obtaining network flow data;
a judging unit, for judging whether the network flow data matches malicious code in a preset malicious code library;
a restoring unit, for restoring the file carried in the network flow data if the network flow data does not match malicious code in the preset malicious code library;
an executing unit, for executing the file in a virtual environment to detect whether the network flow data is legitimate;
a determining unit, for determining that the network flow data contains malicious code if the network flow data is not legitimate.
7. The device according to claim 6, characterised in that the restoring unit comprises:
an acquiring module, for obtaining the application layer transport protocol corresponding to the network flow data;
a restoring module, for restoring the file in the network flow data according to the format of the application layer transport protocol.
8. The device according to claim 6, characterised in that the executing unit comprises:
an executing module, for executing the file in the virtual environment;
a detecting module, for detecting whether the operations performed by the file meet an alarm rule in a preset alarm library, the preset alarm library storing a plurality of alarm rules used to detect whether the network flow data is legitimate.
9. The device according to claim 8, characterised in that
the determining unit is specifically for determining that the network flow data contains malicious code if the operations performed by the file meet an alarm rule in the preset alarm library.
10. The device according to claim 8, characterised in that the alarm rules in the preset alarm library include, but are not limited to, file operation alarm rules, process operation alarm rules, registry operation alarm rules, network operation alarm rules and service operation alarm rules.
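The claimed pipeline (signature check against a preset library, file restoration by application-layer protocol, execution in a virtual environment, alarm-rule evaluation over the observed operations) as an added Python model; this is example code, not the patent's own implementation. The signature library, the alarm rules, the HTTP flows and the sandbox stand-in (`fake_virtual_env`, which returns a constructed operation trace instead of really executing anything) are all constructed here, and only HTTP/1.x responses are restored.

```python
import re

# Preset malicious-code library (claim 1): constructed byte signatures, not real IoCs.
MALICIOUS_CODE_LIBRARY = {b"\x90\x90\xcc\xcc\xeb\xfe", b"EVIL_MARKER_v1"}

# Preset alarm library (claim 5): one constructed rule per operation category.
ALARM_LIBRARY = {
    "file":     re.compile(r"^file_write .*\\(Startup|System32)\\", re.I),
    "process":  re.compile(r"^process_create .*\\(powershell|cmd)\.exe", re.I),
    "registry": re.compile(r"^reg_set HK\w+\\.*\\CurrentVersion\\Run\\", re.I),
    "network":  re.compile(r"^net_connect \d+\.\d+\.\d+\.\d+:(4444|1337)$"),
    "service":  re.compile(r"^service_create ", re.I),
}

def matches_library(flow: bytes) -> bool:
    """Claim 1, step 2: does the raw flow carry a known malicious-code signature?"""
    return any(sig in flow for sig in MALICIOUS_CODE_LIBRARY)

def restore_file(flow: bytes):
    """Claims 2/7: recognise the protocol, rebuild the carried file by its format (HTTP/1.x only)."""
    head, sep, body = flow.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/1."):
        return None, None                      # unsupported protocol: nothing restored
    m = re.search(rb"(?im)^content-length:\s*(\d+)\s*$", head)
    return "http", (body if m is None else body[: int(m.group(1))])

def triggered_alarms(trace):
    """Claims 3-5: names of the alarm rules that the observed operations satisfy."""
    return sorted({n for op in trace for n, rule in ALARM_LIBRARY.items() if rule.search(op)})

def classify(flow: bytes, virtual_env):
    """Claim 1 end to end; virtual_env(file_bytes) runs the file and returns its operations."""
    if matches_library(flow):
        return "malicious", "signature match"
    _, payload = restore_file(flow)
    if payload is None:
        return "unknown", "no file restored"
    hits = triggered_alarms(virtual_env(payload))
    return ("malicious" if hits else "legitimate"), hits

def fake_virtual_env(payload: bytes):
    """Constructed stand-in for the sandbox: an MZ-headed file 'shows' persistence plus a beacon."""
    if not payload.startswith(b"MZ"):
        return []
    return ["file_write C:\\ProgramData\\Startup\\a.exe",
            "reg_set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\a",
            "net_connect 10.0.0.5:4444"]

# Constructed flows: an HTTP response carrying an MZ-headed payload, and a benign one.
SAMPLE_FLOW = b"HTTP/1.1 200 OK\r\nContent-Length: 8\r\n\r\nMZ\x90\x00PAYLTRAILING"
BENIGN_FLOW = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
```

Note that the signature stage short-circuits before any restoration, and a flow whose protocol cannot be restored yields "unknown" rather than "legitimate", so an unsupported protocol is never silently passed.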
CN201610555953.3A 2016-07-15 2016-07-15 Malicious code detecting method and device based on virtual execution technology Active CN105978911B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610555953.3A CN105978911B (en) 2016-07-15 2016-07-15 Malicious code detecting method and device based on virtual execution technology

Publications (2)

Publication Number Publication Date
CN105978911A true CN105978911A (en) 2016-09-28
CN105978911B CN105978911B (en) 2019-05-21

Family

ID=56951638

Country Status (1)

Country Link
CN (1) CN105978911B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101593249B (en) * 2008-05-30 2011-08-03 成都市华为赛门铁克科技有限公司 Suspicious file analyzing method and suspicious file analyzing system
CN103761475A (en) * 2013-12-30 2014-04-30 北京奇虎科技有限公司 Method and device for detecting malicious code in intelligent terminal
CN102254120B (en) * 2011-08-09 2014-05-21 华为数字技术(成都)有限公司 Method, system and relevant device for detecting malicious codes
CN104766011A (en) * 2015-03-26 2015-07-08 国家电网公司 Sandbox detection alarming method and system based on main engine characteristic

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
任卓然: "Malicious code detection system for e-mail attachments", China Master's Theses Full-text Database (Information Science and Technology series) *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107360170A (en) * 2017-07-18 2017-11-17 百色闻远网络科技有限公司 A kind of computer network security detection method
CN107566401A (en) * 2017-09-30 2018-01-09 北京奇虎科技有限公司 The means of defence and device of virtualized environment
CN107566401B (en) * 2017-09-30 2021-01-08 北京奇虎科技有限公司 Protection method and device for virtualized environment
CN112866244A (en) * 2021-01-15 2021-05-28 中国电子科技集团公司第十五研究所 Network flow sandbox detection method based on virtual network environment
CN112866244B (en) * 2021-01-15 2021-09-07 中国电子科技集团公司第十五研究所 Network flow sandbox detection method based on virtual network environment
CN113747443A (en) * 2021-02-26 2021-12-03 上海观安信息技术股份有限公司 Machine learning algorithm-based security detection method and device
CN113747443B (en) * 2021-02-26 2024-06-07 上海观安信息技术股份有限公司 Safety detection method and device based on machine learning algorithm

Also Published As

Publication number Publication date
CN105978911B (en) 2019-05-21

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder
CP01 Change in the name or title of a patent holder

Address after: 3, building 168, 5, 210012 software Avenue, Yuhuatai District, Jiangsu, Nanjing

Patentee after: Bozhi Safety Technology Co.,Ltd.

Address before: 3, building 168, 5, 210012 software Avenue, Yuhuatai District, Jiangsu, Nanjing

Patentee before: JIANGSU BOZHI SOFTWARE TECHNOLOGY Co.,Ltd.

Address after: 3, building 168, 5, 210012 software Avenue, Yuhuatai District, Jiangsu, Nanjing

Patentee after: JIANGSU BOZHI SOFTWARE TECHNOLOGY Co.,Ltd.

Address before: 3, building 168, 5, 210012 software Avenue, Yuhuatai District, Jiangsu, Nanjing

Patentee before: JIANGSU BOZHI SOFTWARE TECHNOLOGY Co.,Ltd.