CN106599684A - Detection method and system of entity file-free malicious code - Google Patents
- Publication number: CN106599684A (application CN201511011935.0A)
- Authority
- CN
- China
- Prior art keywords
- parameter
- order
- malicious code
- detection
- detection method
- Prior art date
- Legal status
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Abstract
The invention discloses a detection method of an entity file-free malicious code. The detection method comprises the following steps: temporarily blocking a command and/or parameter executed by using PowerShell; judging whether the command and/or parameter is a command and/or parameter allowed to run; if the command and/or parameter is the command and/or parameter allowed to run, allowing the command and/or parameter to run, or otherwise detecting whether the command and/or parameter is a malicious code; and if the command and/or parameter is the malicious code, ending running, or otherwise allowing the running. The invention also discloses a detection system of the entity file-free malicious code. The technical scheme disclosed by the invention can effectively detect the entity file-free malicious code based on PowerShell.
Description
Technical field
The present invention relates to the field of information security technology, and more particularly to a detection method and system for entity-file-free (fileless) malicious code.
Background technology
Most anti-virus products perform malicious code detection based on entity files, detecting malicious code through methods such as inspecting the file corresponding to a process and the files loaded by a process. They therefore cannot detect malicious code of the entity-file-free type, and PowerShell-based malicious code in particular is ignored because it runs inside the PowerShell process (white-list mechanism). Entity-file-free malicious code based on PowerShell can break through the detection of traditional anti-virus products and is being used by more and more lawless persons. In 2015, an APT attack targeting China was found in which the attack method used was PowerShell-based malicious code, and a system protected by a certain anti-virus product was compromised because the product did not detect this malicious code.
Summary of the invention
For the above technical problem, the technical solution of the invention temporarily blocks the commands and/or parameters to be executed by PowerShell and further detects whether the command and/or parameter is malicious code; if so, the run is terminated. The invention makes up for the inability of traditional detection means to detect entity-file-free malicious code, and can find and detect malicious code of the entity-file-free type in time.
The invention is realized by the following method: a detection method of entity-file-free malicious code, including:
temporarily blocking a command and/or parameter executed using PowerShell;
judging whether the command and/or parameter is a command and/or parameter allowed to run; if so, allowing it to run, otherwise detecting whether the command and/or parameter is malicious code;
if the command and/or parameter is determined to be malicious code, terminating the run, otherwise allowing the run.
Further, detecting whether the command and/or parameter is malicious code comprises:
detecting whether the command and/or parameter is malicious code based on a static detection method and a dynamic detection method.
Further, the static detection method includes:
if the command and/or parameter is encrypted, performing decryption processing; if decryption cannot be carried out successfully, judging it to be malicious code;
if the command and/or parameter is unencrypted or is successfully decrypted, detecting whether the command and/or parameter is malicious code using a script detection method and a structural detection method.
In the above method, the dynamic detection method includes:
virtually executing the command and/or parameter using a local virtualization detection method, and detecting whether it is malicious code;
virtually executing the command and/or parameter using a remote virtual system detection method, and detecting whether it is malicious code.
The invention can be realized using the following system: a detection system of entity-file-free malicious code, including:
a temporary blocking module, for temporarily blocking a command and/or parameter executed using PowerShell;
a pre-execution switch module, for judging whether the command and/or parameter is a command and/or parameter allowed to run; if so, allowing it to run, otherwise delivering the command and/or parameter to the detection module;
a detection module, for detecting whether the command and/or parameter is malicious code; if so, terminating the run, otherwise allowing the run.
Further, the detection module is used for:
detecting whether the command and/or parameter is malicious code based on a static detection method and a dynamic detection method.
Further, the static detection method includes:
if the command and/or parameter is encrypted, performing decryption processing; if decryption cannot be carried out successfully, judging it to be malicious code;
if the command and/or parameter is unencrypted or is successfully decrypted, detecting whether the command and/or parameter is malicious code using a script detection method and a structural detection method.
In the above system, the dynamic detection method includes:
virtually executing the command and/or parameter using a local virtualization detection method, and detecting whether it is malicious code;
virtually executing the command and/or parameter using a remote virtual system detection method, and detecting whether it is malicious code.
In summary, the invention provides a detection method and system of entity-file-free malicious code: a command and/or parameter executed using PowerShell is first temporarily blocked, and it is judged whether the command and/or parameter is allowed to run; if it is allowed to run it is not detected, otherwise the command and/or parameter is detected for malicious code, and if it is malicious code the run is terminated, otherwise the run is allowed.
Beneficial effects: unlike traditional detection methods, the invention does not detect based on entity files, but monitors PowerShell and blocks the commands and/or parameters executed using PowerShell, then detects whether the command and/or parameter is malicious code, thereby overcoming the problem that traditional detection methods cannot detect PowerShell-related malicious code. Because the invention performs detection before the command and/or parameter is executed, once suspicious behaviour is found the run of the command and/or parameter is terminated, thoroughly avoiding the damage and loss that the malicious code might cause.
Description of the drawings
In order to illustrate the technical scheme more clearly, the drawings needed in the embodiments are briefly described below. Obviously, the drawings in the following description are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative work.
Fig. 1 is a flow chart of an embodiment of the detection method of entity-file-free malicious code provided by the invention;
Fig. 2 is a structural diagram of an embodiment of the detection system of entity-file-free malicious code provided by the invention.
Specific embodiment
The invention gives embodiments of a detection method and system of entity-file-free malicious code. In order that those skilled in the art may better understand the technical scheme in the embodiments of the invention, and that the above objects, features and advantages of the invention become more apparent and understandable, the technical scheme of the invention is described in further detail below in conjunction with the drawings:
The invention first provides an embodiment of a detection method of entity-file-free malicious code, as shown in Fig. 1, including:
S101: temporarily blocking a command and/or parameter executed using PowerShell;
S102: judging whether the command and/or parameter is a command and/or parameter allowed to run; if so, allowing it to run, otherwise performing S103. To ensure that normal use of PowerShell functions is not affected, the commands and/or parameters allowed to run can be specified, so that the user's normal use is not affected;
S103: detecting whether the command and/or parameter is malicious code; if so, terminating the run, otherwise allowing the run.
Preferably, detecting whether the command and/or parameter is malicious code comprises:
detecting whether the command and/or parameter is malicious code based on a static detection method and a dynamic detection method.
More preferably, the static detection method includes:
if the command and/or parameter is encrypted, performing decryption processing; if decryption cannot be carried out successfully, judging it to be malicious code;
if the command and/or parameter is unencrypted or is successfully decrypted, detecting whether the command and/or parameter is malicious code using a script detection method and a structural detection method.
The script detection method detects the command and/or parameter using signatures (feature codes) and detection rules, and can effectively detect known malicious code;
the structural detection method can effectively detect variants of known malicious code families and unknown malicious code.
In the above method embodiment, the dynamic detection method includes:
virtually executing the command and/or parameter using a local virtualization detection method, and detecting whether it is malicious code;
virtually executing the command and/or parameter using a remote virtual system detection method, and detecting whether it is malicious code.
The local virtualization detection method does not affect the local system and is a safer local dynamic detection method;
the remote virtual system detection method builds a virtual system for dynamic behaviour detection inside the enterprise and sends the command and/or parameter into that virtual system for dynamic behaviour detection; the remote virtual system detection method has reliable performance and high accuracy.
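The method embodiment above (S101 to S103 with the static detection path) as an added Python example, not code from the patent or its applicant: a PowerShell command line is held, an allowed command passes, an encoded command is decoded (undecodable input is judged malicious, as the patent does for failed decryption), and the plaintext is then run through constructed signature and structural rules. The allowlist, switch aliases, signature, obfuscation heuristic and threshold are illustrative assumptions; the dynamic virtual-execution path is not modelled.

```python
"""Pre-execution check of one PowerShell command line, following the patent's flow:
hold the command (S101), pass allowed commands (S102), else run the static detection
path (S103). Constructed example: allowlist, switch aliases, signatures and the
structural heuristic are illustrative assumptions, not the patent's own rules."""
import base64
import re
import shlex

# Constructed allowlist of (command, parameters) permitted without inspection.
ALLOWLIST = {("Get-Process", ()), ("Get-ChildItem", ("-Recurse",))}
# Switches carrying a base64 (UTF-16LE) script; we read the patent's "encrypted"
# command as this encoded form.
ENCODED_SWITCHES = {"-encodedcommand", "-enc", "-ec", "-e"}
# Constructed signature for the "script detection method": all parts must match.
SIGNATURES = {
    "download-and-execute": [
        re.compile(r"DownloadString|Invoke-WebRequest\b", re.I),
        re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    ],
}
STRUCTURAL_THRESHOLD = 5  # constructed cut-off for the obfuscation score


def encode_command(script: str) -> str:
    """-EncodedCommand form of a script (used here to build test input)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(b64: str):
    """Inverse of encode_command; None when the text is not valid base64/UTF-16LE,
    which the patent's static method judges to be malicious code."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def structural_score(script: str) -> int:
    """Stand-in for the "structural detection method": count obfuscation constructs
    that vary across a malware family but rarely appear in hand-typed admin commands."""
    score = script.count("`")                                  # backtick-split identifiers
    score += len(re.findall(r"\[char\]\s*\d+", script, re.I))  # char-code string assembly
    score += len(re.findall(r"['\"]\s*\+\s*['\"]", script))    # concatenated string fragments
    return score


def check(cmdline: str) -> dict:
    """Run one command line through the decision flow; returns verdict and reason."""
    tokens = shlex.split(cmdline)
    if tokens and tokens[0].lower() in {"powershell", "powershell.exe", "pwsh", "pwsh.exe"}:
        tokens = tokens[1:]                                    # drop the host executable
    if not tokens:
        return {"verdict": "allow", "reason": "empty command line"}
    # S102: an allowed command/parameter combination runs without inspection.
    if (tokens[0], tuple(tokens[1:])) in ALLOWLIST:
        return {"verdict": "allow", "reason": "allowlisted"}
    # S103 static path, step 1: encoded input must decode, else judged malicious.
    script = " ".join(tokens)
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENCODED_SWITCHES:
            decoded = decode_command(tokens[i + 1])
            if decoded is None:
                return {"verdict": "block", "reason": "undecodable encoded command"}
            script = decoded
            break
    # Step 2: script detection against known signatures on the plaintext.
    for name, parts in SIGNATURES.items():
        if all(p.search(script) for p in parts):
            return {"verdict": "block", "reason": "signature:" + name}
    # Step 3: structural detection for variants and unknown code.
    score = structural_score(script)
    if score >= STRUCTURAL_THRESHOLD:
        return {"verdict": "block", "reason": "structural score %d" % score}
    return {"verdict": "allow", "reason": "no static finding"}
```

A command that clears the static path would, in the patent's design, still go to the local or remote virtual execution before being released.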
The invention also provides an embodiment of a detection system of entity-file-free malicious code, as shown in Fig. 2, including:
a temporary blocking module 201, for temporarily blocking a command and/or parameter executed using PowerShell;
a pre-execution switch module 202, for judging whether the command and/or parameter is a command and/or parameter allowed to run; if so, allowing it to run, otherwise delivering the command and/or parameter to the detection module;
a detection module 203, for detecting whether the command and/or parameter is malicious code; if so, terminating the run, otherwise allowing the run.
Preferably, the detection module is used for:
detecting whether the command and/or parameter is malicious code based on a static detection method and a dynamic detection method.
More preferably, the static detection method includes:
if the command and/or parameter is encrypted, performing decryption processing; if decryption cannot be carried out successfully, judging it to be malicious code;
if the command and/or parameter is unencrypted or is successfully decrypted, detecting whether the command and/or parameter is malicious code using a script detection method and a structural detection method.
In the above system embodiment, the dynamic detection method includes:
virtually executing the command and/or parameter using a local virtualization detection method, and detecting whether it is malicious code;
virtually executing the command and/or parameter using a remote virtual system detection method, and detecting whether it is malicious code.
The above embodiments are described in a progressive manner; the same or similar parts of the embodiments may be referred to each other, and each embodiment focuses on its differences from the other embodiments. For the parts of the system embodiment that relate to the method embodiment, reference may be made to the method embodiment.
As described above, the above embodiments give a detection method and system of entity-file-free malicious code: the command and/or parameter executed using PowerShell is temporarily blocked, and it is judged whether the command and/or parameter is a command and/or parameter allowed to run; if so, it is allowed to run, otherwise it is further detected, and if the detection finds malicious code, the run is terminated. The above embodiments of the invention are not only usable by individual users but are particularly suited to enterprise information security protection; with the above technical scheme, not only can known PowerShell-based malicious code be prevented, but unknown PowerShell-based malicious code can be found, thereby effectively preventing the enterprise from being attacked by entity-file-free malicious code.
The above embodiments illustrate and do not limit the technical scheme of the invention. Any modification or partial replacement that does not depart from the spirit and scope of the invention shall be covered by the scope of the claims of the invention.
Claims (8)
1. A detection method of entity-file-free malicious code, characterized in that it includes:
temporarily blocking a command and/or parameter executed using PowerShell;
judging whether the command and/or parameter is a command and/or parameter allowed to run; if so, allowing it to run, otherwise detecting whether the command and/or parameter is malicious code;
if the command and/or parameter is determined to be malicious code, terminating the run, otherwise allowing the run.
2. The method of claim 1, characterized in that detecting whether the command and/or parameter is malicious code comprises:
detecting whether the command and/or parameter is malicious code based on a static detection method and a dynamic detection method.
3. The method as claimed in claim 2, characterized in that the static detection method includes:
if the command and/or parameter is encrypted, performing decryption processing; if decryption cannot be carried out successfully, judging it to be malicious code;
if the command and/or parameter is unencrypted or is successfully decrypted, detecting whether the command and/or parameter is malicious code using a script detection method and a structural detection method.
4. The method as claimed in claim 2 or claim 3, characterized in that the dynamic detection method includes:
virtually executing the command and/or parameter using a local virtualization detection method, and detecting whether it is malicious code;
virtually executing the command and/or parameter using a remote virtual system detection method, and detecting whether it is malicious code.
5. A detection system of entity-file-free malicious code, characterized in that it includes:
a temporary blocking module, for temporarily blocking a command and/or parameter executed using PowerShell;
a pre-execution switch module, for judging whether the command and/or parameter is a command and/or parameter allowed to run; if so, allowing it to run, otherwise delivering the command and/or parameter to the detection module;
a detection module, for detecting whether the command and/or parameter is malicious code; if so, terminating the run, otherwise allowing the run.
6. The system as claimed in claim 5, characterized in that the detection module is used for:
detecting whether the command and/or parameter is malicious code based on a static detection method and a dynamic detection method.
7. The system as claimed in claim 6, characterized in that the static detection method includes:
if the command and/or parameter is encrypted, performing decryption processing; if decryption cannot be carried out successfully, judging it to be malicious code;
if the command and/or parameter is unencrypted or is successfully decrypted, detecting whether the command and/or parameter is malicious code using a script detection method and a structural detection method.
8. The system as claimed in claim 6 or 7, characterized in that the dynamic detection method includes:
virtually executing the command and/or parameter using a local virtualization detection method, and detecting whether it is malicious code;
virtually executing the command and/or parameter using a remote virtual system detection method, and detecting whether it is malicious code.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201511011935.0A CN106599684A (en) | 2015-12-30 | 2015-12-30 | Detection method and system of entity file-free malicious code |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106599684A true CN106599684A (en) | 2017-04-26 |
Family
ID=58555462
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201511011935.0A Pending CN106599684A (en) | 2015-12-30 | 2015-12-30 | Detection method and system of entity file-free malicious code |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106599684A (en) |
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102542201A (en) * | 2011-12-26 | 2012-07-04 | 北京奇虎科技有限公司 | Detection method and system for malicious codes in web pages |
CN102622543A (en) * | 2012-02-06 | 2012-08-01 | 北京百度网讯科技有限公司 | Method and device for dynamically detecting malicious webpage scripts |
CN103839003A (en) * | 2012-11-22 | 2014-06-04 | 腾讯科技(深圳)有限公司 | Malicious file detection method and device |
Non-Patent Citations (1)
Title |
---|
Antiy Labs: "Analysis report of a 'fileless' malicious sample", Baidu Wenku * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111368303A (en) * | 2020-03-12 | 2020-07-03 | 深信服科技股份有限公司 | PowerShell malicious script detection method and device |
CN111368303B (en) * | 2020-03-12 | 2023-12-29 | 深信服科技股份有限公司 | PowerShell malicious script detection method and device |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3430557B1 (en) | System and method for reverse command shell detection | |
US9571520B2 (en) | Preventing execution of task scheduled malware | |
KR101587959B1 (en) | Cross-user correlation for detecting server-side multi-target intrusion | |
US9548990B2 (en) | Detecting a heap spray attack | |
US8782791B2 (en) | Computer virus detection systems and methods | |
RU2531861C1 (en) | System and method of assessment of harmfulness of code executed in addressing space of confidential process | |
JP5326062B1 (en) | Non-executable file inspection apparatus and method | |
US9762608B1 (en) | Detecting malware | |
EP2774039B1 (en) | Systems and methods for virtualized malware detection | |
US8352522B1 (en) | Detection of file modifications performed by malicious codes | |
US11689562B2 (en) | Detection of ransomware | |
US11204998B2 (en) | Detection and mitigation of fileless security threats | |
EP2782040A1 (en) | Malware Discovery Method and System | |
JP2016538614A (en) | System and method for facilitating malware scanning using reputation indicators | |
EP2663944B1 (en) | Malware detection | |
CN103065092A (en) | Method for intercepting operating of suspicious programs | |
US10944720B2 (en) | Methods and systems for network security | |
US10972490B2 (en) | Specifying system, specifying device, and specifying method | |
US9584550B2 (en) | Exploit detection based on heap spray detection | |
EP3270318B1 (en) | Dynamic security module terminal device and method for operating same | |
EP3455773A1 (en) | Inferential exploit attempt detection | |
WO2017048340A1 (en) | Method and apparatus for detecting security anomalies in a public cloud environment using network activity monitoring, application profiling, and self-building host mapping | |
US20220046030A1 (en) | Simulating user interactions for malware analysis | |
US10645107B2 (en) | System and method for detecting and classifying malware | |
CN110659478B (en) | Method for detecting malicious files preventing analysis in isolated environment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: 150028 Building 7, Innovation Plaza, Science and Technology Innovation City, Harbin Hi-tech Industrial Development Zone, Heilongjiang Province (838 Shikun Road); Applicant after: Harbin Antiy Technology Group Co., Ltd. Address before: Room 506, No. 162 Hongqi Avenue, Nangang District, Harbin Development Zone, Heilongjiang, 150090; Applicant before: Harbin Antiy Technology Co., Ltd. |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20170426 |