CN105978911B - Malicious code detecting method and device based on virtual execution technology - Google Patents


Info

Publication number
CN105978911B
Authority
CN (China)
Application number
CN201610555953.3A
Other languages
Chinese (zh)
Other versions
CN105978911A
Legal status
Active
Inventors
傅涛, 薛敏, 孙文静, 俞正兵
Current assignee
Bozhi Safety Technology Co Ltd; JIANGSU BOZHI SOFTWARE TECHNOLOGY CO LTD
Original assignee
JIANGSU BOZHI SOFTWARE TECHNOLOGY Co Ltd
Prior art keywords
flow data, network flow, malicious code, file, alarm


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The invention discloses a malicious code detection method and device based on virtual execution technology, relates to the technical field of network security, and addresses the problem of malicious code detection accuracy. The main technical scheme of the invention is as follows: obtain network traffic data; judge whether the network traffic data matches malicious code in a preset malicious code library; if the network traffic data does not match malicious code in the preset malicious code library, restore the file carried in the network traffic data; execute the file in a virtual environment to detect whether the network traffic data is legitimate; if the network traffic data is not legitimate, determine that the network traffic data contains malicious code. The invention is mainly used for detecting malicious code.

Description

Malicious code detecting method and device based on virtual execution technology
Technical field
The present invention relates to the technical field of network security, and in particular to a malicious code detection method and device based on virtual execution technology.
Background art
With the rapid spread of the Internet and the accelerating informatization of government and enterprises, computers have brought enormous convenience to people's lives and studies; whether in shopping, leisure or work, the importance of the Internet becomes ever more evident. However, because of the openness of the Internet, the abundance of flexible applications and the fragility of operating systems, people who enjoy the many benefits of computers are also suffering the harassment and harm of all kinds of malicious code, and network security threat incidents are rising year by year. Among network security incidents, those caused by malicious code are the most serious: they cause enormous economic losses to entire countries, to society and to individuals, and have become a major challenge facing information security work.
At present, malicious code detection technology is mainly sandbox technology, whose principle is to analyze the behavior of malicious code after the vulnerability exploitation stage. However, with the continuous development of cyber-attack techniques, advanced malicious code can conceal its malicious behavior through polymorphism and metamorphism, for example by suspending its malicious behavior during the sandbox detection phase, so as to evade sandbox detection. The accuracy of existing malicious code detection methods is therefore low.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a malicious code detection method and device based on virtual execution technology that overcomes, or at least partially solves, the above problems.
To achieve the above objective, the present invention mainly provides the following technical solutions:
In one aspect, an embodiment of the present invention provides a malicious code detection method based on virtual execution technology, the method comprising:
obtaining network traffic data;
judging whether the network traffic data matches malicious code in a preset malicious code library;
if the network traffic data does not match malicious code in the preset malicious code library, restoring the file in the network traffic data;
executing the file in a virtual environment to detect whether the network traffic data is legitimate;
if the network traffic data is not legitimate, determining that the network traffic data contains malicious code.
Specifically, restoring the file in the network traffic data comprises:
obtaining the application layer transport protocol corresponding to the network traffic data;
restoring the file in the network traffic data according to the format of the application layer file transport protocol.
Specifically, executing the file in a virtual environment to detect whether the network traffic data is legitimate comprises:
executing the file in the virtual environment;
detecting whether the operations performed by the executing file meet an alert rule in a preset alert library, the preset alert library storing a plurality of alert rules, the alert rules being used to detect whether the network traffic data is legitimate.
Specifically, if the network traffic data is not legitimate, determining that the network traffic data contains malicious code comprises:
if an operation performed by the file meets an alert rule in the preset alert library, determining that the network traffic data contains malicious code.
In the embodiment of the present invention, the alert rules in the preset alert library include, but are not limited to, file operation alert rules, process operation alert rules, registry operation alert rules, network operation alert rules and service operation alert rules.
In another aspect, an embodiment of the present invention further provides a malicious code detection device based on virtual execution technology, the device comprising:
an acquiring unit, for obtaining network traffic data;
a judging unit, for judging whether the network traffic data matches malicious code in a preset malicious code library;
a restoring unit, for restoring the file in the network traffic data if the network traffic data does not match malicious code in the preset malicious code library;
an execution unit, for executing the file in a virtual environment to detect whether the network traffic data is legitimate;
a determination unit, for determining that the network traffic data contains malicious code if the network traffic data is not legitimate.
Specifically, the restoring unit comprises:
an obtaining module, for obtaining the application layer transport protocol corresponding to the network traffic data;
a restoring module, for restoring the file in the network traffic data according to the format of the application layer file transport protocol.
Specifically, the execution unit comprises:
an execution module, for executing the file in the virtual environment;
a detection module, for detecting whether the operations performed by the executing file meet an alert rule in the preset alert library, the preset alert library storing a plurality of alert rules, the alert rules being used to detect whether the network traffic data is legitimate.
The determination unit is specifically for determining that the network traffic data contains malicious code if an operation performed by the file meets an alert rule in the preset alert library.
In the embodiment of the present invention, the alert rules in the preset alert library include, but are not limited to, file operation alert rules, process operation alert rules, registry operation alert rules, network operation alert rules and service operation alert rules.
Through the above technical solutions, the technical solution provided by the embodiment of the present invention has at least the following advantages:
The malicious code detection method and device based on virtual execution technology provided by the embodiment of the present invention first obtain network traffic data, then judge whether the network traffic data matches malicious code in a preset malicious code library; if the network traffic data does not match malicious code in the preset malicious code library, the file in the network traffic data is restored and executed in a virtual environment to detect whether the network traffic data is legitimate; if the network traffic data is not legitimate, it is determined that the network traffic data contains malicious code. Compared with current detection of malicious code by sandbox technology, the embodiment of the present invention first uses the malicious code in the preset malicious code library to detect whether the network traffic data contains malicious code; if the preset malicious code library detects no malicious code in the network traffic data, the file in the network traffic data is obtained and placed into a virtual environment for execution, so as to further judge whether the network traffic data contains malicious code. Because executing the file in the virtual environment dynamically detects the malicious code contained in the file, the embodiment of the present invention can improve the detection accuracy of malicious code.
Detailed description of the invention
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, the same reference numbers are used to refer to the same parts. In the drawings:
Fig. 1 is a flowchart of a malicious code detection method based on virtual execution technology provided by an embodiment of the present invention;
Fig. 2 is a block diagram of a malicious code detection device based on virtual execution technology provided by an embodiment of the present invention;
Fig. 3 is a block diagram of another malicious code detection device based on virtual execution technology provided by an embodiment of the present invention.
Specific embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. On the contrary, these embodiments are provided so that the present invention is understood more thoroughly and so that the scope of the present disclosure can be fully conveyed to those skilled in the art.
To make the advantages of the technical solution of the present invention clearer, the present invention is described in detail below with reference to the drawings and embodiments.
An embodiment of the present invention provides a malicious code detection method based on virtual execution technology; as shown in Fig. 1, the method comprises:
101. Obtain network traffic data.
102. Judge whether the network traffic data matches malicious code in a preset malicious code library.
The malicious code in the preset malicious code library is malicious code from known attacks. In the embodiment of the present invention, the vulnerability features (those that trigger an overflow) in the network traffic data are matched against the known malicious code to detect whether the network traffic data contains malicious code; detecting the network traffic data by means of the malicious code in the preset malicious code library has high precision.
103. If the network traffic data does not match malicious code in the preset malicious code library, restore the file in the network traffic data.
104. Execute the file in a virtual environment to detect whether the network traffic data is legitimate.
105. If the network traffic data is not legitimate, determine that the network traffic data contains malicious code.
The malicious code detection method based on virtual execution technology provided by the embodiment of the present invention first obtains network traffic data, then judges whether the network traffic data matches malicious code in a preset malicious code library; if the network traffic data does not match malicious code in the preset malicious code library, the file in the network traffic data is restored and executed in a virtual environment to detect whether the network traffic data is legitimate; if the network traffic data is not legitimate, it is determined that the network traffic data contains malicious code. Compared with current detection of malicious code by sandbox technology, the embodiment of the present invention first uses the malicious code in the preset malicious code library to detect whether the network traffic data contains malicious code; if the preset malicious code library detects no malicious code in the network traffic data, the file in the network traffic data is obtained and placed into a virtual environment for execution, so as to further judge whether the network traffic data contains malicious code. Because executing the file in the virtual environment dynamically detects the malicious code contained in the file, the embodiment of the present invention can improve the detection accuracy of malicious code.
Specifically, restoring the file in the network traffic data comprises: obtaining the application layer transport protocol corresponding to the network traffic data; and restoring the file in the network traffic data according to the format of the application layer file transport protocol.
It should be noted that files propagate in the form of network traffic data. Common application layer file transport protocols include HTTP, SMTP, POP3, IMAP and FTP. HTTP is the transport protocol for transferring hypertext from a World Wide Web server to a local browser; SMTP, POP3 and IMAP are transport protocols for e-mail transmission; FTP is the transport protocol for sharing files between hosts. To restore the file in the network traffic data, the application layer transport protocol corresponding to the network traffic data is identified first, and the file is then restored from the network traffic data according to the format of that protocol, in preparation for the virtual execution detection of the next step.
Specifically, executing the file in a virtual environment to detect whether the network traffic data is legitimate comprises: executing the file in the virtual environment; and detecting whether the operations performed by the executing file meet an alert rule in a preset alert library, the preset alert library storing a plurality of alert rules, the alert rules being used to detect whether the network traffic data is legitimate. If the network traffic data is not legitimate, determining that the network traffic data contains malicious code comprises: if an operation performed by the file meets an alert rule in the preset alert library, determining that the network traffic data contains malicious code.
In the embodiment of the present invention, the file is executed in the virtual environment, and file, process, registry, network and service operations are then detected separately. The detection results are matched against the preset alert library; when an alert rule is hit, it is determined that the network traffic data contains malicious code and alert information is output; otherwise the operation record is output directly. Taking registry detection as an example, it is first judged whether the file restored in the virtual environment performs any registry access operation during execution. If it does not access the registry, the operation record is written down in real time to provide a basis for subsequent analysis. If it does access the registry, it is further judged whether an alert rule in the preset alert library is hit, that is, whether the execution maliciously modifies, deletes or creates registry information, with special attention to the registry entries that affect system startup. If an alert rule is hit, it is determined that the network traffic data contains malicious code, detailed alert information is output, and the result is added to the alert library. If no alert rule is hit, the operation record is output, providing material for any manual review that may be carried out in future.
In the embodiment of the present invention, the alert rules in the preset alert library include, but are not limited to, file operation alert rules, process operation alert rules, registry operation alert rules, network operation alert rules and service operation alert rules.
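The two-stage flow of steps 101 to 105, with the HTTP file restoration and the registry-rule check described above, as an added example in Python that is not part of the patent or the assignee's product. It assumes HTTP/1.x responses with a Content-Length header are the only protocol restored, that the malicious code library is a set of byte patterns matched in the raw traffic, and that a constructed list of operations stands in for what the virtual environment would record; no file is actually executed.

```python
"""Added example (not the patent's own code): steps 101-105 as one pipeline, with
the HTTP file restoration and the registry-rule check described above.  Traffic
bytes, library patterns, alert rules and execution traces are all constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Step 102: preset malicious code library.  Constructed byte patterns stand in for
# the vulnerability features of known attacks that are matched in the raw traffic.
MALICIOUS_CODE_LIBRARY = {b"CONSTRUCTED-EXPLOIT-PATTERN": "known-sample-A"}

def match_library(flow: bytes) -> Optional[str]:
    return next((n for p, n in MALICIOUS_CODE_LIBRARY.items() if p in flow), None)

# Step 103: identify the application layer protocol, then restore the file.
def identify_protocol(flow: bytes) -> str:
    head = flow.split(b"\r\n", 1)[0]
    if head.startswith(b"HTTP/1.") or head.split(b" ")[0] in (b"GET", b"POST"):
        return "HTTP"
    if head.startswith((b"220 ", b"+OK", b"* OK")):   # mail banners; an assumption
        return "MAIL"
    return "UNKNOWN"

def restore_http_file(flow: bytes) -> Optional[bytes]:
    """Carve the entity body of an HTTP/1.x response using Content-Length."""
    sep = flow.find(b"\r\n\r\n")
    if sep < 0:
        return None
    length = None
    for line in flow[:sep].decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-length":
            length = int(value.strip())
    body = flow[sep + 4:]
    if length is None or len(body) < length:
        return None   # truncated capture: never hand a partial file to step 104
    return body[:length]

# Step 104: operations captured in the virtual environment vs. the alert library.
# The trace itself is the "operation record" the page keeps for manual review.
@dataclass(frozen=True)
class Operation:
    kind: str     # file | process | registry | network | service
    action: str   # read | write | create | delete | connect | start ...
    target: str

@dataclass(frozen=True)
class AlertRule:
    name: str
    kind: str
    actions: frozenset
    target_contains: str   # lower-case substring of target; "" matches any target

ALERT_LIBRARY = [   # constructed rules; the page lists the five rule categories
    AlertRule("registry autostart entry changed", "registry",
              frozenset({"create", "write", "delete"}), "\\currentversion\\run"),
    AlertRule("service created by restored file", "service", frozenset({"create"}), ""),
]

def inspect_execution(trace: List[Operation]) -> List[Tuple[str, Operation]]:
    """Return every (rule name, operation) hit; an empty list means legitimate."""
    return [(r.name, op) for op in trace for r in ALERT_LIBRARY
            if op.kind == r.kind and op.action in r.actions
            and r.target_contains in op.target.lower()]

def detect(flow: bytes, trace: List[Operation]) -> str:
    """Run steps 101-105 in order.  `trace` is what the virtual environment
    would have recorded while executing the restored file (constructed here)."""
    if match_library(flow):                   # step 102 hit: no execution needed
        return "known-malicious"
    if identify_protocol(flow) != "HTTP" or restore_http_file(flow) is None:
        return "undetermined"                 # only HTTP is restored in this example
    return "malicious" if inspect_execution(trace) else "clean"   # step 105

# Constructed sample traffic and execution traces.
def build_http_flow(body: bytes) -> bytes:
    return (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body)) + body

BENIGN_TRACE = [Operation("file", "read", "C:\\Windows\\Fonts\\arial.ttf")]
SUSPICIOUS_TRACE = [
    Operation("file", "create", "C:\\Users\\Public\\updater.exe"),
    Operation("registry", "write",
              "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"),
]

if __name__ == "__main__":
    print(detect(build_http_flow(b"plain file"), BENIGN_TRACE))       # clean
    print(detect(build_http_flow(b"plain file"), SUSPICIOUS_TRACE))   # malicious
    print(detect(b"GET /x CONSTRUCTED-EXPLOIT-PATTERN HTTP/1.1\r\n\r\n", BENIGN_TRACE))
```

The truncated-capture branch in `restore_http_file` is the check worth keeping in any real implementation: a partially captured body hashes and behaves differently from the file the victim received, so it returns `None` and the pipeline reports `undetermined` rather than `clean`.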
In the embodiment of the present invention, because the virtual execution detection technique uses a virtual machine mechanism different from that of sandbox detection, it traces and analyzes the behavioral characteristics of the restored file through its system calls and observes the changes in memory and instructions. The technique based on virtual execution can defeat escape techniques aimed at sandbox detection as well as malicious code that exploits vulnerabilities. The virtual execution rules are defined by a designed virtual execution algorithm that, according to the historical information data of executed instances, re-schedules virtual execution in a new workflow model. Namespace virtualization and a copy-on-write mechanism are used to redirect and isolate resource access, and the virtual execution environment is constructed on this basis so as to capture multiple behaviors.
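The copy-on-write redirection and isolation of resource access named in the passage above, as an added example in Python that is not the patent's own code. It assumes a plain dictionary as the host's view of a registry hive or directory tree (the patent does not say how its environment is built) and shows the two properties such a layer must have: the shared host view is never modified, and every access is recorded so that the net effect can be handed to the alert library.

```python
"""Added example (not from the patent): a copy-on-write namespace that redirects
and isolates resource access.  A plain dict stands in for a host registry hive
or directory tree (an assumption); the recorded trace feeds the alert library."""
from typing import Dict, List, Optional, Tuple

_TOMBSTONE = object()   # marks a key the sample deleted in its private view

class CowNamespace:
    """Reads fall through to the shared host view; every write or delete lands
    in a private overlay, so the host view is never modified."""

    def __init__(self, host_view: Dict[str, str]):
        self._host = host_view
        self._overlay: Dict[str, object] = {}
        self.trace: List[Tuple[str, str]] = []   # (action, key) pairs for step 104

    def read(self, key: str) -> Optional[str]:
        self.trace.append(("read", key))
        if key in self._overlay:
            value = self._overlay[key]
            return None if value is _TOMBSTONE else value
        return self._host.get(key)

    def write(self, key: str, value: str) -> None:
        self.trace.append(("write", key))
        self._overlay[key] = value           # copy-on-write: host untouched

    def delete(self, key: str) -> None:
        self.trace.append(("delete", key))
        self._overlay[key] = _TOMBSTONE      # hides the host key in this view only

    def changes(self) -> Dict[str, List[str]]:
        """Net effect of the execution relative to the untouched host view."""
        out: Dict[str, List[str]] = {"created": [], "modified": [], "deleted": []}
        for key, value in self._overlay.items():
            if value is _TOMBSTONE:
                if key in self._host:
                    out["deleted"].append(key)
            elif key not in self._host:
                out["created"].append(key)
            elif self._host[key] != value:
                out["modified"].append(key)
        return out

RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"
LOG_PATH = "C:\\ProgramData\\app\\audit.log"
VERSION_KEY = "HKLM\\SOFTWARE\\Vendor\\Version"

def run_constructed_sample(host_view: Dict[str, str]) -> CowNamespace:
    """Stand-in for executing a restored file: the constructed 'sample' reads a
    key, adds an autostart entry, deletes a log and overwrites a setting."""
    ns = CowNamespace(host_view)
    ns.read(VERSION_KEY)
    ns.write(RUN_KEY, "C:\\Users\\Public\\updater.exe")
    ns.delete(LOG_PATH)
    ns.write(VERSION_KEY, "0.0")
    return ns

HOST_VIEW = {VERSION_KEY: "2.1", LOG_PATH: "..."}   # constructed host snapshot

if __name__ == "__main__":
    ns = run_constructed_sample(HOST_VIEW)
    print(ns.changes())
    print("host untouched:", HOST_VIEW == {VERSION_KEY: "2.1", LOG_PATH: "..."})
```

`changes()` is what a registry or file alert rule would consume: a created key under an autostart path, or a deleted audit log, is visible as a behavior without any of it having reached the host.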
Further, an embodiment of the present invention provides a malicious code detection device based on virtual execution technology; as shown in Fig. 2, the device comprises: an acquiring unit 21, a judging unit 22, a restoring unit 23, an execution unit 24 and a determination unit 25.
Acquiring unit 21, for obtaining network traffic data;
Judging unit 22, for judging whether the network traffic data matches malicious code in a preset malicious code library;
Restoring unit 23, for restoring the file in the network traffic data if the network traffic data does not match malicious code in the preset malicious code library;
Execution unit 24, for executing the file in a virtual environment to detect whether the network traffic data is legitimate;
Determination unit 25, for determining that the network traffic data contains malicious code if the network traffic data is not legitimate.
It should be noted that for other descriptions of the functional units of the malicious code detection device based on virtual execution technology provided by the embodiment of the present invention, reference may be made to the corresponding description of the method shown in Fig. 1, which is not repeated here; it should be understood, however, that the device in this embodiment can correspond to all of the content realized in the foregoing method embodiment.
The malicious code detection device based on virtual execution technology provided by the embodiment of the present invention first obtains network traffic data, then judges whether the network traffic data matches malicious code in a preset malicious code library; if the network traffic data does not match malicious code in the preset malicious code library, the file in the network traffic data is restored and executed in a virtual environment to detect whether the network traffic data is legitimate; if the network traffic data is not legitimate, it is determined that the network traffic data contains malicious code. Compared with current detection of malicious code by sandbox technology, the embodiment of the present invention first uses the malicious code in the preset malicious code library to detect whether the network traffic data contains malicious code; if the preset malicious code library detects no malicious code in the network traffic data, the file in the network traffic data is obtained and placed into a virtual environment for execution, so as to further judge whether the network traffic data contains malicious code. Because executing the file in the virtual environment dynamically detects the malicious code contained in the file, the embodiment of the present invention can improve the detection accuracy of malicious code.
Further, an embodiment of the present invention provides another malicious code detection device based on virtual execution technology; as shown in Fig. 3, the device comprises: an acquiring unit 31, a judging unit 32, a restoring unit 33, an execution unit 34 and a determination unit 35.
Acquiring unit 31, for obtaining network traffic data;
Judging unit 32, for judging whether the network traffic data matches malicious code in a preset malicious code library;
Restoring unit 33, for restoring the file in the network traffic data if the network traffic data does not match malicious code in the preset malicious code library;
Execution unit 34, for executing the file in a virtual environment to detect whether the network traffic data is legitimate;
Determination unit 35, for determining that the network traffic data contains malicious code if the network traffic data is not legitimate.
Specifically, the restoring unit 33 comprises:
Obtaining module 331, for obtaining the application layer transport protocol corresponding to the network traffic data;
Restoring module 332, for restoring the file in the network traffic data according to the format of the application layer file transport protocol.
Specifically, the execution unit 34 comprises:
Execution module 341, for executing the file in the virtual environment;
Detection module 342, for detecting whether the operations performed by the executing file meet an alert rule in the preset alert library, the preset alert library storing a plurality of alert rules, the alert rules being used to detect whether the network traffic data is legitimate.
The determination unit 35 is specifically for determining that the network traffic data contains malicious code if an operation performed by the file meets an alert rule in the preset alert library.
In the embodiment of the present invention, the alert rules in the preset alert library include, but are not limited to, file operation alert rules, process operation alert rules, registry operation alert rules, network operation alert rules and service operation alert rules.
The other malicious code detection device based on virtual execution technology provided by the embodiment of the present invention first obtains network traffic data, then judges whether the network traffic data matches malicious code in a preset malicious code library; if the network traffic data does not match malicious code in the preset malicious code library, the file in the network traffic data is restored and executed in a virtual environment to detect whether the network traffic data is legitimate; if the network traffic data is not legitimate, it is determined that the network traffic data contains malicious code. Compared with current detection of malicious code by sandbox technology, the embodiment of the present invention first uses the malicious code in the preset malicious code library to detect whether the network traffic data contains malicious code; if the preset malicious code library detects no malicious code in the network traffic data, the file in the network traffic data is obtained and placed into a virtual environment for execution, so as to further judge whether the network traffic data contains malicious code. Because executing the file in the virtual environment dynamically detects the malicious code contained in the file, the embodiment of the present invention can improve the detection accuracy of malicious code.
The malicious code detection device based on virtual execution technology comprises a processor and a memory; the above acquiring unit, judging unit, restoring unit, execution unit, determination unit and so on are stored in the memory as program units, and the processor executes the above program units stored in the memory to realize the corresponding functions.
The processor contains a kernel, and the kernel retrieves the corresponding program unit from the memory. One or more kernels may be provided, and the detection accuracy of malicious code is improved by adjusting kernel parameters.
The memory may include non-volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory in forms such as read-only memory (ROM) or flash memory (flash RAM); the memory includes at least one storage chip.
The present invention further provides a computer program product which, when executed on a data processing device, is adapted to execute program code that initializes the following method steps: obtaining network traffic data; judging whether the network traffic data matches malicious code in a preset malicious code library; if the network traffic data does not match malicious code in the preset malicious code library, restoring the file in the network traffic data; executing the file in a virtual environment to detect whether the network traffic data is legitimate;
if the network traffic data is not legitimate, determining that the network traffic data contains malicious code.
Those skilled in the art should understand that embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory and the like) that contain computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realizing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, the instruction device realizing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for realizing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.
The memory may include non-volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory in forms such as read-only memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media such as modulated data signals and carrier waves.
The above are merely embodiments of the present application and are not intended to limit the present application. For those skilled in the art, various changes and variations of the present application are possible. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present application shall be included within the scope of the claims of the present application.

Claims (8)

1. A malicious code detection method based on virtual execution technology, characterized in that it comprises:
obtaining network flow data;
judging whether the network flow data matches malicious code in a preset malicious code library;
if the network flow data does not match malicious code in the preset malicious code library, restoring the file in the network flow data;
executing the file in a virtual environment to detect whether the network flow data is legal, which comprises: judging whether the file restored in the virtual environment performs an access operation during execution; if there is no access operation, recording an operation log in real time; if there is an access operation, further judging whether it hits an alarm rule in a preset alarm library; if no alarm rule is hit, outputting the operation log; if an alarm rule is hit, determining that the network flow data is illegal;
if the network flow data is illegal, determining that the network flow data contains malicious code.
2. The method according to claim 1, characterized in that restoring the file in the network flow data comprises: obtaining the application layer transport protocol corresponding to the network flow data;
restoring the file in the network flow data according to the format of the application layer transport protocol.
3. The method according to claim 1, characterized in that executing the file in a virtual environment to detect whether the network flow data is legal comprises:
executing the file in the virtual environment;
detecting whether the execution operations of the file meet an alarm rule in a preset alarm library, the preset alarm library storing a plurality of alarm rules, the alarm rules being used to detect whether the network flow data is legal.
4. The method according to claim 3, characterized in that the alarm rules in the preset alarm library include, but are not limited to, file operation alarm rules, process operation alarm rules, registry operation alarm rules, network operation alarm rules and service operation alarm rules.
5. A malicious code detection device based on virtual execution technology, characterized in that it comprises:
an acquiring unit for obtaining network flow data;
a judging unit for judging whether the network flow data matches malicious code in a preset malicious code library;
a restoring unit for restoring the file in the network flow data if the network flow data does not match malicious code in the preset malicious code library;
an execution unit for executing the file in a virtual environment to detect whether the network flow data is legal;
a determination unit for determining that the network flow data contains malicious code if the network flow data is illegal.
6. The device according to claim 5, characterized in that the restoring unit comprises:
an obtaining module for obtaining the application layer transport protocol corresponding to the network flow data;
a recovery module for restoring the file in the network flow data according to the format of the application layer transport protocol.
7. The device according to claim 5, characterized in that the execution unit comprises:
an execution module for executing the file in the virtual environment;
a detection module for detecting whether the execution operations of the file meet an alarm rule in a preset alarm library, the preset alarm library storing a plurality of alarm rules, the alarm rules being used to detect whether the network flow data is legal.
8. The device according to claim 7, characterized in that the alarm rules in the preset alarm library include, but are not limited to, file operation alarm rules, process operation alarm rules, registry operation alarm rules, network operation alarm rules and service operation alarm rules.
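The following Python script is an added illustration of the pipeline in claims 1 to 4 and is not code from the patent or its assignee. It models the three stages the claims describe: a lookup against a "malicious code library" (here a set of SHA-256 digests of a constructed payload; a real library would hold signatures or patterns), restoration of the transferred file from the application-layer protocol format (claim 2, using HTTP and its Content-Length header as the assumed protocol), and matching of the operations observed in the virtual environment against a "preset alarm library" with one rule per category named in claim 4. No sandbox is run: the operation trace that the virtual environment would record is passed in as constructed sample data, and the rule patterns, the HTTP sample and the traces are all assumptions made for the example.

```python
"""Added example of the claim 1 pipeline: signature lookup, file restoration
from captured HTTP, then alarm-rule matching over a sandbox operation trace.
All sample data (payload, HTTP response, rules, traces) is constructed."""
import hashlib
import re
from dataclasses import dataclass, field

# "Preset malicious code library": digests of known-bad payloads (constructed).
KNOWN_BAD_PAYLOAD = b"MZ-constructed-known-bad-sample"
MALICIOUS_CODE_LIBRARY = {hashlib.sha256(KNOWN_BAD_PAYLOAD).hexdigest()}

# "Preset alarm library": one constructed rule per category of claim 4.
# Each rule is (category, regex over the operation's target).
ALARM_RULES = [
    ("file",     re.compile(r"^C:\\Windows\\System32\\")),
    ("process",  re.compile(r"(?i)\b(cmd|powershell)\.exe\b")),
    ("registry", re.compile(r"(?i)\\CurrentVersion\\Run\\")),
    ("network",  re.compile(r":(4444|6667)$")),
    ("service",  re.compile(r"(?i)^create:")),
]

@dataclass
class Verdict:
    malicious: bool
    reason: str
    operation_log: list = field(default_factory=list)

def match_signature(payload: bytes) -> bool:
    """Claim 1, step 2: does the payload's digest appear in the library?"""
    return hashlib.sha256(payload).hexdigest() in MALICIOUS_CODE_LIBRARY

def restore_file_from_http(stream: bytes) -> bytes:
    """Claim 2: cut the transferred file out of an HTTP response by using the
    protocol format (header/body separator and Content-Length)."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP response")
    m = re.search(rb"(?im)^content-length:\s*(\d+)\s*$", head)
    if m is None:
        raise ValueError("no Content-Length header")
    length = int(m.group(1))
    if len(body) < length:
        raise ValueError("truncated body")
    return body[:length]

def check_alarm_rules(trace):
    """Claim 3: return the first (category, target) of the sandbox trace that
    hits an alarm rule of the same category, or None if nothing hits."""
    for category, target in trace:
        for rule_cat, pattern in ALARM_RULES:
            if rule_cat == category and pattern.search(target):
                return category, target
    return None

def analyse(stream: bytes, sandbox_trace) -> Verdict:
    """Full claim 1 decision. `sandbox_trace` stands in for the operations the
    virtual environment records while the restored file executes."""
    if match_signature(stream):
        return Verdict(True, "network flow data matches malicious code library")
    restored = restore_file_from_http(stream)          # only on a mismatch
    log = [f"{c}:{t}" for c, t in sandbox_trace]       # operation log
    if not sandbox_trace:                               # no access operation
        return Verdict(False, f"no access operations while running {len(restored)} bytes; log recorded", log)
    hit = check_alarm_rules(sandbox_trace)
    if hit is None:                                     # miss: output the log
        return Verdict(False, "access operations but no alarm rule hit", log)
    return Verdict(True, f"alarm rule hit: {hit[0]} -> {hit[1]}", log)

# Constructed HTTP response carrying an 11-byte dummy file plus stray bytes.
SAMPLE_STREAM = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                 b"Content-Length: 11\r\n\r\nhello world<trailing garbage>")

# Constructed sandbox traces: (category, target) pairs.
BENIGN_TRACE = [("file", r"C:\Users\demo\Documents\notes.txt"),
                ("network", "203.0.113.10:443")]
SUSPICIOUS_TRACE = [("file", r"C:\Users\demo\AppData\Local\Temp\x.tmp"),
                    ("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\x"),
                    ("network", "203.0.113.10:4444")]

if __name__ == "__main__":
    for name, trace in [("benign", BENIGN_TRACE), ("suspicious", SUSPICIOUS_TRACE)]:
        v = analyse(SAMPLE_STREAM, trace)
        print(name, v.malicious, v.reason)
```

The ordering of the branches mirrors the claim: a library hit short-circuits before any file is restored, a trace with no access operation is only logged, and a trace whose operations hit no rule is output as a log rather than flagged. The rule table is where a deployment's detection coverage actually lives; the five constructed patterns are placeholders for whatever file, process, registry, network and service indicators an operator maintains.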
CN201610555953.3A 2016-07-15 2016-07-15 Malicious code detecting method and device based on virtual execution technology Active CN105978911B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610555953.3A CN105978911B (en) 2016-07-15 2016-07-15 Malicious code detecting method and device based on virtual execution technology

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610555953.3A CN105978911B (en) 2016-07-15 2016-07-15 Malicious code detecting method and device based on virtual execution technology

Publications (2)

Publication Number Publication Date
CN105978911A CN105978911A (en) 2016-09-28
CN105978911B true CN105978911B (en) 2019-05-21

Family

ID=56951638

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610555953.3A Active CN105978911B (en) 2016-07-15 2016-07-15 Malicious code detecting method and device based on virtual execution technology

Country Status (1)

Country Link
CN (1) CN105978911B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107360170A (en) * 2017-07-18 2017-11-17 百色闻远网络科技有限公司 A kind of computer network security detection method
CN107566401B (en) * 2017-09-30 2021-01-08 北京奇虎科技有限公司 Protection method and device for virtualized environment
CN112866244B (en) * 2021-01-15 2021-09-07 中国电子科技集团公司第十五研究所 Network flow sandbox detection method based on virtual network environment
CN113747443A (en) * 2021-02-26 2021-12-03 上海观安信息技术股份有限公司 Machine learning algorithm-based security detection method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101593249B (en) * 2008-05-30 2011-08-03 成都市华为赛门铁克科技有限公司 Suspicious file analyzing method and suspicious file analyzing system
CN103761475A (en) * 2013-12-30 2014-04-30 北京奇虎科技有限公司 Method and device for detecting malicious code in intelligent terminal
CN102254120B (en) * 2011-08-09 2014-05-21 华为数字技术(成都)有限公司 Method, system and relevant device for detecting malicious codes
CN104766011A (en) * 2015-03-26 2015-07-08 国家电网公司 Sandbox detection alarming method and system based on main engine characteristic

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Malicious Code Detection System for E-mail Attachments" (面向邮件附件的恶意代码检测系统); Ren Zhuoran (任卓然); China Master's Theses Full-text Database, Information Science and Technology (《中国优秀硕士学位论文全文数据库 信息科技辑》); 2012-05-15; No. 05 (2012); I139-301

Also Published As

Publication number Publication date
CN105978911A (en) 2016-09-28

Similar Documents

Publication Publication Date Title
US10380349B2 (en) Security analysis using relational abstraction of data structures
US10142370B2 (en) Methods and apparatus for generating and using security assertions associated with containers in a computing environment
US10936727B2 (en) Detection of second order vulnerabilities in web services
CN105978911B (en) Malicious code detecting method and device based on virtual execution technology
US20100192222A1 (en) Malware detection using multiple classifiers
US9892258B2 (en) Automatic synthesis of unit tests for security testing
Groce et al. What are the actual flaws in important smart contracts (and how can we find them)?
US11797668B2 (en) Sample data generation apparatus, sample data generation method, and computer readable medium
US11593473B2 (en) Stack pivot exploit detection and mitigation
US20190361788A1 (en) Interactive analysis of a security specification
US20160011951A1 (en) Techniques for web service black box testing
CN117321584A (en) Processing management of high data I/O ratio modules
Arslan AndroAnalyzer: android malicious software detection based on deep learning
US20210034740A1 (en) Threat analysis system, threat analysis method, and threat analysis program
CN105760761A (en) Software behavior analyzing method and device
US9507621B1 (en) Signature-based detection of kernel data structure modification
US20220269949A1 (en) Self-learning and adapting cyber threat defense
US10754950B2 (en) Entity resolution-based malicious file detection
Zhang et al. Inferring test models from kate’s bug reports using multi-objective search
Rowe Confining adversary actions via measurement
US20160092313A1 (en) Application Copy Counting Using Snapshot Backups For Licensing
CN109214212B (en) Information leakage prevention method and device
US11704589B1 (en) Automatically identifying dynamic applications
US20200226257A1 (en) System and method for identifying activity in a computer system
CN109409038A (en) A kind of dynamic link library file cracks risk checking method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP01 Change in the name or title of a patent holder
CP01 Change in the name or title of a patent holder

Address after: 3, building 168, 5, 210012 software Avenue, Yuhuatai District, Jiangsu, Nanjing

Patentee after: Bozhi Safety Technology Co.,Ltd.

Address before: 3, building 168, 5, 210012 software Avenue, Yuhuatai District, Jiangsu, Nanjing

Patentee before: JIANGSU BOZHI SOFTWARE TECHNOLOGY Co.,Ltd.

Address after: 3, building 168, 5, 210012 software Avenue, Yuhuatai District, Jiangsu, Nanjing

Patentee after: JIANGSU BOZHI SOFTWARE TECHNOLOGY Co.,Ltd.

Address before: 3, building 168, 5, 210012 software Avenue, Yuhuatai District, Jiangsu, Nanjing

Patentee before: JIANGSU BOZHI SOFTWARE TECHNOLOGY Co.,Ltd.