Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a malicious code detection method and device based on virtual execution technology that overcomes the above problems, or at least partially solves them.
To achieve the above objectives, the present invention mainly provides the following technical solutions:
In one aspect, an embodiment of the present invention provides a malicious code detection method based on virtual execution technology, the method including:
obtaining network flow data;
judging whether the network flow data matches malicious code in a preset malicious code library;
if the network flow data does not match malicious code in the preset malicious code library, restoring a file in the network flow data;
executing the file in a virtual environment to detect whether the network flow data is legal;
if the network flow data is illegal, determining that the network flow data contains malicious code.
Specifically, restoring the file in the network flow data includes:
obtaining the application layer transport protocol corresponding to the network flow data;
restoring the file in the network flow data according to the format of that application layer file transport protocol.
Specifically, executing the file in the virtual environment to detect whether the network flow data is legal includes:
executing the file in the virtual environment;
detecting whether the operations performed during execution of the file meet an alarm rule in a preset alarm library, where multiple alarm rules are stored in the preset alarm library and the alarm rules are used to detect whether the network flow data is legal.
Specifically, if the network flow data is illegal, determining that the network flow data contains malicious code includes: if the operations performed by the file meet an alarm rule in the preset alarm library, determining that the network flow data contains malicious code.
In the embodiment of the present invention, the alarm rules in the preset alarm library include, but are not limited to, file operation alarm rules, process operation alarm rules, registry operation alarm rules, network operation alarm rules and service operation alarm rules.
In another aspect, an embodiment of the present invention also provides a malicious code detection device based on virtual execution technology, the device including:
an acquiring unit, for obtaining network flow data;
a judging unit, for judging whether the network flow data matches malicious code in a preset malicious code library;
a reduction unit, for restoring a file in the network flow data if the network flow data does not match malicious code in the preset malicious code library;
an execution unit, for executing the file in a virtual environment to detect whether the network flow data is legal;
a determination unit, for determining that the network flow data contains malicious code if the network flow data is illegal.
Specifically, the reduction unit includes:
an obtaining module, for obtaining the application layer transport protocol corresponding to the network flow data;
a recovery module, for restoring the file in the network flow data according to the format of that application layer file transport protocol.
Specifically, the execution unit includes:
an execution module, for executing the file in a virtual environment;
a detection module, for detecting whether the operations performed during execution of the file meet an alarm rule in a preset alarm library, where multiple alarm rules are stored in the preset alarm library and the alarm rules are used to detect whether the network flow data is legal.
The determination unit is specifically for determining that the network flow data contains malicious code if the operations performed by the file meet an alarm rule in the preset alarm library.
In the embodiment of the present invention, the alarm rules in the preset alarm library include, but are not limited to, file operation alarm rules, process operation alarm rules, registry operation alarm rules, network operation alarm rules and service operation alarm rules.
Through the above technical solutions, the technical solution provided by the embodiment of the present invention has at least the following advantages:
The malicious code detection method and device based on virtual execution technology provided by the embodiment of the present invention first obtain network flow data, then judge whether the network flow data matches malicious code in the preset malicious code library. If the network flow data does not match malicious code in the preset malicious code library, the file in the network flow data is restored and executed in a virtual environment to detect whether the network flow data is legal; if the network flow data is illegal, it is determined that the network flow data contains malicious code. Compared with current detection of malicious code through sandbox technology, the embodiment of the present invention first detects whether the network flow data contains malicious code by means of the preset malicious code library; if the preset malicious code library does not detect malicious code in the network flow data, the file in the network flow data is obtained and put into the virtual environment for execution, to further judge whether the network flow data contains malicious code. Because executing the file in the virtual environment can dynamically detect malicious code contained in the file, the embodiment of the present invention can improve the detection accuracy of malicious code.
Specific embodiment
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. On the contrary, these embodiments are provided so that the present invention is understood more thoroughly and the scope of the present disclosure is fully conveyed to those skilled in the art.
To make the advantages of the technical solution of the present invention clearer, the present invention is described in detail below with reference to the accompanying drawings and embodiments.
The embodiment of the present invention provides a malicious code detection method based on virtual execution technology; as shown in Figure 1, the method includes:
101. Obtaining network flow data.
102. Judging whether the network flow data matches malicious code in a preset malicious code library.
The malicious code in the preset malicious code library is malicious code from known attacks. In the embodiment of the present invention, the known malicious code is matched against the vulnerability features in the network flow data that cause overflows, so as to detect whether the network flow data contains malicious code; detecting malicious code in the network flow data through the preset malicious code library has high precision.
103. If the network flow data does not match malicious code in the preset malicious code library, restoring the file in the network flow data.
104. Executing the file in a virtual environment to detect whether the network flow data is legal.
105. If the network flow data is illegal, determining that the network flow data contains malicious code.
The malicious code detection method based on virtual execution technology provided by the embodiment of the present invention first obtains network flow data, then judges whether the network flow data matches malicious code in the preset malicious code library. If the network flow data does not match malicious code in the preset malicious code library, the file in the network flow data is restored and executed in a virtual environment to detect whether the network flow data is legal; if the network flow data is illegal, it is determined that the network flow data contains malicious code. Compared with current detection of malicious code through sandbox technology, the embodiment of the present invention first detects whether the network flow data contains malicious code by means of the preset malicious code library; if the preset malicious code library does not detect malicious code in the network flow data, the file in the network flow data is obtained and put into the virtual environment for execution, to further judge whether the network flow data contains malicious code. Because executing the file in the virtual environment can dynamically detect malicious code contained in the file, the embodiment of the present invention can improve the detection accuracy of malicious code.
Specifically, restoring the file in the network flow data includes: obtaining the application layer transport protocol corresponding to the network flow data; and restoring the file in the network flow data according to the format of that application layer file transport protocol.
It should be noted that files propagate in the form of network flow data. Common application layer file transport protocols include HTTP, SMTP, POP3, IMAP and FTP. HTTP is the transport protocol for transporting hypertext from a WWW server to a local browser; SMTP, POP3 and IMAP are transport protocols for e-mail transmission; FTP is the transport protocol for sharing files between hosts. To restore the file in the network flow data, the application layer transport protocol corresponding to the network flow data is first obtained, then the file is restored from the network flow data according to the protocol format of that application layer transport protocol, in preparation for the next step, virtual execution detection.
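The protocol identification and file restoration just described, as an added example that is not part of the patent: a small Python pipeline that performs the step 102 match of a flow against a signature library and, on a miss, restores the transferred file from the HTTP message format (status line, headers, Content-Length body) as step 103 requires. The signature library, the protocol banner heuristics and the sample flows are all constructed placeholders, not real indicators.

```python
# Added example, not code from the patent. Steps 101-103 of the described
# method on a constructed HTTP flow: signature match first, file restoration
# according to the application layer protocol format only on a miss.
import re

# Constructed "preset malicious code library": placeholder byte patterns,
# not signatures of any real malware.
MALICIOUS_CODE_LIBRARY = {
    "demo-nop-sled": b"\x90" * 16 + b"\xcc",
    "demo-encoded-command": b"powershell -enc ",
}


def identify_protocol(flow: bytes) -> str:
    """Heuristically identify the application layer protocol from the flow start.

    HTTP is recognised from the request/status line; the mail and FTP
    protocols from their greeting banners (assumption: the capture starts
    at the beginning of the session).
    """
    head = flow[:64]
    if re.match(rb"HTTP/1\.[01] \d{3}", head) or re.match(rb"(GET|POST|PUT) ", head):
        return "HTTP"
    if head.startswith(b"220 ") and (b"SMTP" in head or b"ESMTP" in head):
        return "SMTP"
    if head.startswith(b"+OK"):
        return "POP3"
    if head.startswith(b"* OK"):
        return "IMAP"
    if head.startswith(b"220 "):
        return "FTP"
    return "UNKNOWN"


def matches_malicious_code_library(flow: bytes):
    """Step 102: return the name of the first matching signature, or None."""
    for name, pattern in MALICIOUS_CODE_LIBRARY.items():
        if pattern in flow:
            return name
    return None


def restore_http_file(flow: bytes) -> dict:
    """Step 103 for HTTP: restore the transferred file from the response format."""
    header_end = flow.find(b"\r\n\r\n")
    if header_end < 0:
        raise ValueError("incomplete HTTP message: no end of headers")
    header_lines = flow[:header_end].decode("latin-1").split("\r\n")
    headers = {}
    for line in header_lines[1:]:          # skip the status line
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    body = flow[header_end + 4:]
    length = int(headers.get("content-length", len(body)))
    content = body[:length]
    if len(content) < length:
        # A truncated capture must not be passed on as a complete file.
        raise ValueError("truncated body: expected %d bytes, got %d" % (length, len(content)))
    name = "restored.bin"
    m = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""))
    if m:
        name = m.group(1)
    return {"name": name, "content_type": headers.get("content-type", ""), "data": content}


def process_flow(flow: bytes) -> dict:
    """Steps 101-103: signature check first; restore the file only on a miss."""
    hit = matches_malicious_code_library(flow)
    if hit:
        return {"verdict": "malicious", "signature": hit, "file": None}
    proto = identify_protocol(flow)
    if proto != "HTTP":                    # only HTTP restoration is implemented here
        return {"verdict": "unsupported", "protocol": proto, "file": None}
    return {"verdict": "needs_virtual_execution", "protocol": proto,
            "file": restore_http_file(flow)}


# Constructed sample flows.
BENIGN_FLOW = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
               b"Content-Disposition: attachment; filename=\"update.exe\"\r\n"
               b"Content-Length: 6\r\n\r\nMZ\x90\x00\x03\x00")
KNOWN_BAD_FLOW = b"HTTP/1.1 200 OK\r\nContent-Length: 17\r\n\r\n" + b"\x90" * 16 + b"\xcc"
```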
Specifically, executing the file in the virtual environment to detect whether the network flow data is legal includes: executing the file in the virtual environment; and detecting whether the operations performed during execution of the file meet an alarm rule in the preset alarm library, where multiple alarm rules are stored in the preset alarm library and the alarm rules are used to detect whether the network flow data is legal. If the network flow data is illegal, determining that the network flow data contains malicious code includes: if the operations performed by the file meet an alarm rule in the preset alarm library, determining that the network flow data contains malicious code.
In the embodiment of the present invention, the file is executed in the virtual environment, and file, process, registry, network operation and service operation detection, among others, are carried out respectively. The detection results are matched against the preset alarm library; when an alarm rule is hit, it is determined that the network flow data contains malicious code and alarm information is output; otherwise, the operation record is output directly.
Taking registry detection as an example, it is first judged whether the restored file, during its execution in the virtual environment, performs any operation that accesses the registry. If there is no operation accessing the registry, the operation record is written in real time to provide a basis for subsequent analysis. If there are registry access operations, it is further judged whether they hit an alarm rule in the preset alarm library, that is, whether the execution maliciously modifies, deletes or creates registry information, with special attention paid to registry entries that affect system startup. If an alarm rule is hit, it is determined that the network flow data contains malicious code, detailed alarm information is output, and it is added to the alarm library. If no alarm rule is hit, the operation record is output, providing material for manual review that may be carried out in the future.
In the embodiment of the present invention, the alarm rules in the preset alarm library include, but are not limited to, file operation alarm rules, process operation alarm rules, registry operation alarm rules, network operation alarm rules and service operation alarm rules.
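The alarm library matching of steps 104 and 105, including the registry example above, as an added example that is not part of the patent: a constructed execution trace stands in for what the virtual environment would record, and it is matched against a constructed preset alarm library with rules in the five categories the text names. The rule names, the list of startup-related registry keys and the sample trace are assumptions made for the illustration.

```python
# Added example, not code from the patent. Matches a recorded execution
# trace against a preset alarm library: hits produce alarm information,
# and every operation is kept in the operation record for later review.
from dataclasses import dataclass, field


@dataclass
class Operation:
    category: str   # "file", "process", "registry", "network" or "service"
    action: str     # e.g. "create", "delete", "modify", "read", "connect", "start"
    target: str     # path, registry key, host:port or service name


@dataclass
class AlarmRule:
    name: str
    category: str
    actions: set
    target_prefixes: tuple   # empty tuple = any target in this category

    def hit(self, op: Operation) -> bool:
        if op.category != self.category or op.action not in self.actions:
            return False
        if not self.target_prefixes:
            return True
        return op.target.lower().startswith(tuple(p.lower() for p in self.target_prefixes))


# Constructed list of registry locations that influence system startup
# (illustrative assumption, not taken from the patent).
STARTUP_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\System\CurrentControlSet\Services",
)

# Constructed preset alarm library covering the five rule categories.
PRESET_ALARM_LIBRARY = [
    AlarmRule("registry-startup-persistence", "registry", {"create", "modify"}, STARTUP_KEYS),
    AlarmRule("registry-delete-key", "registry", {"delete"}, ()),
    AlarmRule("file-write-system-dir", "file", {"create", "modify"}, (r"C:\Windows\System32",)),
    AlarmRule("process-inject", "process", {"inject"}, ()),
    AlarmRule("network-outbound-connect", "network", {"connect"}, ()),
    AlarmRule("service-install", "service", {"create", "start"}, ()),
]


@dataclass
class DetectionResult:
    contains_malicious_code: bool
    alarms: list = field(default_factory=list)              # detailed alarm information
    operation_records: list = field(default_factory=list)   # material for manual review


def detect(trace, alarm_library=PRESET_ALARM_LIBRARY) -> DetectionResult:
    """Step 104/105: the flow is illegal if any recorded operation hits a rule.

    Operations that hit no rule (for instance a plain registry read) are
    still written to the operation record, as the registry example describes.
    """
    result = DetectionResult(contains_malicious_code=False)
    for op in trace:
        record = f"{op.category}:{op.action}:{op.target}"
        result.operation_records.append(record)
        for rule in alarm_library:
            if rule.hit(op):
                result.alarms.append(f"{rule.name} <- {record}")
                result.contains_malicious_code = True
    return result


# Constructed trace: an installer that also persists through a Run key.
SAMPLE_TRACE = [
    Operation("file", "create", r"C:\Users\demo\AppData\Local\Temp\setup.tmp"),
    Operation("registry", "read", r"HKLM\Software\Microsoft\Windows\CurrentVersion"),
    Operation("registry", "create", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Operation("network", "connect", "203.0.113.10:443"),
]
```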
In the embodiment of the present invention, because the virtual execution detection technology uses a virtual machine mechanism different from that of sandbox detection, it also traces and analyzes the behavioral characteristics of the restored file through its system calls and observes changes in memory and instructions. Virtual execution technology can defend against escape techniques aimed at sandbox detection and against malicious code that exploits vulnerabilities. The virtual execution rules are realized by designing a virtual execution algorithm which, according to historical information data from instance executions, performs virtual rescheduling in a new workflow model. Namespace virtualization and copy-on-write mechanisms are used to redirect and isolate resource access, and a virtual execution environment is constructed on this basis so that multiple behaviors can be captured.
Further, the embodiment of the present invention provides a malicious code detection device based on virtual execution technology; as shown in Figure 2, the device includes: an acquiring unit 21, a judging unit 22, a reduction unit 23, an execution unit 24 and a determination unit 25.
The acquiring unit 21 is for obtaining network flow data;
the judging unit 22 is for judging whether the network flow data matches malicious code in a preset malicious code library;
the reduction unit 23 is for restoring a file in the network flow data if the network flow data does not match malicious code in the preset malicious code library;
the execution unit 24 is for executing the file in a virtual environment to detect whether the network flow data is legal;
the determination unit 25 is for determining that the network flow data contains malicious code if the network flow data is illegal.
It should be noted that for other corresponding descriptions of the functional units involved in the malicious code detection device based on virtual execution technology provided by the embodiment of the present invention, reference may be made to the corresponding description of the method shown in Figure 1, which is not repeated here; it should be understood, however, that the device in this embodiment can correspond to the entire content realized in the preceding method embodiment.
The malicious code detection device based on virtual execution technology provided by the embodiment of the present invention first obtains network flow data, then judges whether the network flow data matches malicious code in the preset malicious code library. If the network flow data does not match malicious code in the preset malicious code library, the file in the network flow data is restored and executed in a virtual environment to detect whether the network flow data is legal; if the network flow data is illegal, it is determined that the network flow data contains malicious code. Compared with current detection of malicious code through sandbox technology, the embodiment of the present invention first detects whether the network flow data contains malicious code by means of the preset malicious code library; if the preset malicious code library does not detect malicious code in the network flow data, the file in the network flow data is obtained and put into the virtual environment for execution, to further judge whether the network flow data contains malicious code. Because executing the file in the virtual environment can dynamically detect malicious code contained in the file, the embodiment of the present invention can improve the detection accuracy of malicious code.
Further, the embodiment of the present invention provides another malicious code detection device based on virtual execution technology; as shown in Figure 3, the device includes: an acquiring unit 31, a judging unit 32, a reduction unit 33, an execution unit 34 and a determination unit 35.
The acquiring unit 31 is for obtaining network flow data;
the judging unit 32 is for judging whether the network flow data matches malicious code in a preset malicious code library;
the reduction unit 33 is for restoring a file in the network flow data if the network flow data does not match malicious code in the preset malicious code library;
the execution unit 34 is for executing the file in a virtual environment to detect whether the network flow data is legal;
the determination unit 35 is for determining that the network flow data contains malicious code if the network flow data is illegal.
Specifically, the reduction unit 33 includes:
an obtaining module 331, for obtaining the application layer transport protocol corresponding to the network flow data;
a recovery module 332, for restoring the file in the network flow data according to the format of that application layer file transport protocol.
Specifically, the execution unit 34 includes:
an execution module 341, for executing the file in a virtual environment;
a detection module 342, for detecting whether the operations performed during execution of the file meet an alarm rule in a preset alarm library, where multiple alarm rules are stored in the preset alarm library and the alarm rules are used to detect whether the network flow data is legal.
The determination unit 35 is specifically for determining that the network flow data contains malicious code if the operations performed by the file meet an alarm rule in the preset alarm library.
In the embodiment of the present invention, the alarm rules in the preset alarm library include, but are not limited to, file operation alarm rules, process operation alarm rules, registry operation alarm rules, network operation alarm rules and service operation alarm rules.
The other malicious code detection device based on virtual execution technology provided by the embodiment of the present invention first obtains network flow data, then judges whether the network flow data matches malicious code in the preset malicious code library. If the network flow data does not match malicious code in the preset malicious code library, the file in the network flow data is restored and executed in a virtual environment to detect whether the network flow data is legal; if the network flow data is illegal, it is determined that the network flow data contains malicious code. Compared with current detection of malicious code through sandbox technology, the embodiment of the present invention first detects whether the network flow data contains malicious code by means of the preset malicious code library; if the preset malicious code library does not detect malicious code in the network flow data, the file in the network flow data is obtained and put into the virtual environment for execution, to further judge whether the network flow data contains malicious code. Because executing the file in the virtual environment can dynamically detect malicious code contained in the file, the embodiment of the present invention can improve the detection accuracy of malicious code.
The malicious code detection device based on virtual execution technology includes a processor and a memory. The acquiring unit, judging unit, reduction unit, execution unit and determination unit described above are stored in the memory as program units, and the processor executes the program units stored in the memory to realize the corresponding functions.
The processor includes a kernel, which fetches the corresponding program units from the memory. One or more kernels may be provided, and the detection accuracy of malicious code is improved by adjusting kernel parameters.
The memory may include non-volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory in forms such as read-only memory (ROM) or flash memory (flash RAM); the memory includes at least one memory chip.
The present invention also provides a computer program product which, when executed on a data processing device, is adapted to execute program code that initializes the following method steps: obtaining network flow data; judging whether the network flow data matches malicious code in a preset malicious code library; if the network flow data does not match malicious code in the preset malicious code library, restoring a file in the network flow data; executing the file in a virtual environment to detect whether the network flow data is legal;
if the network flow data is illegal, determining that the network flow data contains malicious code.
Those skilled in the art should understand that the embodiments of the present application may be provided as a method, a system or a computer program product. Therefore, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory, etc.) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realizing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or another programmable data processing device to work in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which realizes the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or another programmable data processing device, such that a series of operation steps are executed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for realizing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.
The memory may include non-volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory in forms such as read-only memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and can realize information storage by any method or technology. The information can be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media, such as modulated data signals and carrier waves.
The above are only embodiments of the present application and are not intended to limit the present application. For those skilled in the art, various changes and variations of the present application are possible. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application should be included within the scope of the claims of the present application.