CN106611122A - Virtual execution-based unknown malicious program offline detection system - Google Patents
- Publication number: CN106611122A
- Application number: CN201510708823.4A
- Authority: CN (China)
- Prior art keywords: detection, unknown, file, virtual execution, program
- Legal status: Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
Abstract
Disclosed is a virtual execution-based offline detection system for unknown malicious programs. The system performs file import, virus detection, static detection, dynamic detection, logging, and threat analysis report generation. The three detection methods (virus detection, static detection and dynamic detection) cooperate, and a virtual execution technique is used to observe and analyse changes in instruction attributes in depth, so as to detect the imported offline malicious program files and finally generate a detailed threat analysis report. Building on current virus detection and static detection and combining them with virtual execution, the disclosed system provides dynamic behaviour information for the analysis of unknown programs, so that a high malicious program detection success rate can be ensured while harm to the original system is avoided, and a detailed analysis of the unknown program's attack behaviour is finally obtained.
Description
Technical field
The present invention relates to malicious program detection technology and the field of network security, and in particular to a virtual execution-based offline detection system for unknown malicious programs.
Background technology
With the rapid development of information and communication technology, sensing and measurement technology, advanced equipment and advanced control technology, advanced malware attacks pose a serious security risk to industrial control networks. As an important part of industrial control networks, the smart grid also faces major threats. Intelligent electronic devices providing protection, measurement, control and metering functions are now widely used in the grid, and to improve the real-time interoperability between these devices, communication service modules conforming to international standards (such as IEC61850) are also used. Compared with the traditional grid, the interconnecting network elements (industrial switches, routers, network management servers and so on) have become an important component of the new grid infrastructure, so power system automation and intelligence have developed to an unprecedented degree. However, while the wide application of ICT promotes the rapid development of the grid, it also brings many new challenges: in recent years, new types of highly disruptive attacks designed specifically for smart grid systems have occurred frequently, seriously threatening personal safety, asset security, the national environment and energy security. To contain unknown threats attacking the system, protect user data from theft by criminals, minimise the losses caused by threat intrusions, and more easily control the spread and attack behaviour of unknown threats, reliable detection means are needed to identify and analyse unknown threats. A search of the existing literature finds two main classes of unknown malware detection methods.
Chinese Patent Application No. 201310573299.5, titled "Detection method, detection means and detection system based on virus sample features", performs lexical and syntactic analysis on an actual script to determine the word type and statement type of each word unit in the script, derives a virtual script set from the actual script according to the sets of word types and statement types, virtually executes the virtual script set, and determines from the result whether the script is a virus.
The scheme provided by that patent analyses scripts only; its detection means is single and its accuracy cannot be guaranteed. As attack techniques are updated rapidly and attackers constantly disguise and iterate their attack code, the newest attack code is hard to counter on the basis of an existing script set alone, so the detection method proposed by that patent struggles to respond.
Chinese Patent Application No. 201310084544.6, titled "Virus detection system based on virtual execution", collects unknown viruses with a virus sample collector, executes each unknown virus in a virtual machine, generates an execution report for the virus process, and finally analyses the reported behaviour of the executed unknown virus to judge whether it is a virus.
The scheme provided by that patent virtually executes every unknown virus that enters the system and requires each incoming unknown file to run for at least one cycle in the virtual system. When faced with many programs, this not only consumes a large amount of time but also occupies a large amount of hardware resources.
The content of the invention
To address the shortcomings of the above detection techniques when detecting large numbers of advanced malicious program attacks, the present invention provides a virtual execution-based offline detection system for unknown malicious programs. The system combines several detection mechanisms: it can not only quickly analyse existing file types by virus detection, but can also analyse software behaviour features by tracking system calls and observe and analyse changes in memory and instructions for threat programs that have not yet appeared, so that advanced malware attacks can be discovered at the vulnerability exploitation stage and the sandbox-evasion techniques that advanced malicious programs employ after exploitation can be defeated.
The concrete technical scheme realised by the present invention is as follows:
A virtual execution-based offline detection system for unknown malicious programs, characterised by comprising:
file import, for importing the unknown files whose threat is to be detected;
a malicious program detection system, for performing comprehensive detection on the files to be detected;
a log system, for recording the attack behaviour and code features found during detection;
threat content analysis, for analysing the details of the detected malware threat.
The system supports two offline file import modes: direct import by the user and remote batch import. The offline files are the unknown files whose threat is to be detected, generally malicious programs produced by methods such as disguise or embedding in commonly used file types; the system supports the currently common file types, including pdf, xls, doc and exe. Direct import by the user means that the system provides a control interface through which the user selects the files to be detected and imports them directly into the system. Remote batch import means that the user provides the permissions for remote access to the files, and the system imports large numbers of remote files via a remote network resource sharing mode based on the SMB protocol. As long as the user provides the corresponding permissions, remote batch import of files can be achieved.
Virus detection refers to virus detection based on malicious code features. For the files imported into the computer, their static features are extracted; the main way of extracting static features is to extract the character strings contained in the file. Feature items may be described as character strings, as feature resources, or in binary form. Whatever the application, it needs system resources to accomplish its own function, and all applications share a common characteristic: they realise their function by calling the underlying system API functions, and these API function names inevitably appear in the application file. We therefore adopt character strings as the description mode of file features, because these strings reflect the characteristics of the file. The main purpose of using virus detection techniques in the present invention is to rapidly screen out the files already infected by known viruses from the files to be measured, so that the more resource-intensive dynamic detection method can be concentrated on the detection of unknown malicious programs.
Static detection mainly focuses on the features of vulnerability exploits, such as overflows, that cause attack threats. Although it relies on known vulnerability information, its detection precision is high, and for different malware using the same vulnerability a single detection rule can achieve complete coverage. The invention adds an intelligent shellcode detection component. Shellcode is a section of executable code in a malware attack. The internal structure of a traditional malicious program generally has a fixed padding field and a function field, so static detection methods based on pattern matching and disassembly can effectively detect shellcode in a file. However, with the development of polymorphic and metamorphic techniques, the function field inside a malicious file is encoded and encrypted, and when the shellcode is hidden in this way simple pattern matching and disassembly cannot detect it. On the basis of traditional shellcode detection, a file dynamic decoding function is therefore added. A file is first taken from the queue of files to be detected, then it is judged whether the file needs decoding; if not, shellcode detection is performed directly, and if so, the file is dynamically decoded to restore the function field, and shellcode detection is performed last. This detection method is effective against the evasion techniques of polymorphic shellcode.
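The decode-then-detect flow of the static detection engine, as an added example that is not the patent's own code. The toy container layout (a 16-byte fixed padding field followed by a function field), the decoder-stub marker, the single-byte XOR encoding and the signature set are constructed stand-ins for details the patent does not specify.

```python
"""Static detection engine flow from the description: take a file from the
queue, judge whether it needs decoding, dynamically decode the function field
if so, then run shellcode signature matching on the restored bytes.

Added example, not the patent's own code. The toy container layout (a fixed
padding field followed by a function field), the decoder-stub marker, the
single-byte XOR encoding and the signature set are constructed stand-ins for
details the patent does not specify.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PADDING_LEN = 16  # constructed: length of the fixed padding field
# Constructed stub marker. 80 36 <imm8> is the x86 encoding of
# `xor byte [esi], imm8`; when it appears in the padding field we treat the
# immediate that follows as the key the function field was encoded with.
XOR_STUB = b"\x80\x36"
# Constructed, deliberately tiny signature set; a real engine carries a large
# rule base. Only the decode-then-match flow matters here.
SIGNATURES = {
    "nop_sled": b"\x90" * 8,
    "marker_A": b"\xeb\x1f\x5e\x89\x76\x08",
}


@dataclass
class ScanResult:
    decoded: bool                 # was the function field restored before matching?
    key: Optional[int]            # XOR key recovered from the stub, if any
    hits: List[str] = field(default_factory=list)


def split_fields(data: bytes) -> Tuple[bytes, bytes]:
    """Fixed padding field first, function field after it (toy layout)."""
    return data[:PADDING_LEN], data[PADDING_LEN:]


def find_key(padding: bytes) -> Optional[int]:
    """'Does the file need decoding?': a decoder stub in the padding field means
    the function field is encoded, and the stub's immediate is the key."""
    pos = padding.find(XOR_STUB)
    if pos < 0 or pos + len(XOR_STUB) >= len(padding):
        return None
    return padding[pos + len(XOR_STUB)]


def decode_function_field(func: bytes, key: int) -> bytes:
    """Dynamic decoding step: undo the single-byte XOR (also used to build samples)."""
    return bytes(b ^ key for b in func)


def match_signatures(data: bytes) -> List[str]:
    return [name for name, sig in SIGNATURES.items() if sig in data]


def static_scan(data: bytes) -> ScanResult:
    """Engine entry point: what matched, and whether decoding was needed first."""
    padding, func = split_fields(data)
    if len(padding) < PADDING_LEN:
        # Too short for the toy layout: match the raw bytes, nothing to decode.
        return ScanResult(False, None, match_signatures(data))
    key = find_key(padding)
    if key is None:
        return ScanResult(False, None, match_signatures(func))
    return ScanResult(True, key, match_signatures(decode_function_field(func, key)))


# Constructed samples so the block runs offline.
FUNCTION_FIELD = b"\x90" * 8 + b"\xcc" * 4
PLAIN_SAMPLE = b"\x00" * PADDING_LEN + FUNCTION_FIELD
KEY = 0x5A
ENCODED_SAMPLE = (XOR_STUB + bytes([KEY])).ljust(PADDING_LEN, b"\x00") \
    + decode_function_field(FUNCTION_FIELD, KEY)  # XOR is symmetric

if __name__ == "__main__":
    print(static_scan(PLAIN_SAMPLE))    # matches directly, no decoding
    print(static_scan(ENCODED_SAMPLE))  # matches only after restoring the field
```

Matching the encoded sample without the decoding step finds nothing, which is the polymorphic-evasion case the paragraph describes.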
Dynamic detection means that the dynamic detection module uses virtual machine technology to set up multiple different application environments and observes the behaviour of the program in them to judge whether it is an attack. This mode can detect both known and unknown threats, and because what is analysed is the real behaviour in a real application environment, it can achieve a very low false positive rate and a high detection rate. Since the detection target is an unknown malicious program whose behaviour and features are unknown, it must be analysed in depth on many levels. The system therefore provides alarm data from multiple dimensions, such as process, file, registry, network and vulnerability exploitation, to support the final qualitative judgement.
The virtual execution detection technique adopts a virtual machine mechanism different from sandbox detection: it can not only analyse the behaviour features of software by tracking system calls, but can also observe and analyse changes in memory and instructions. The process of exploiting a vulnerability necessarily involves changes to memory and instructions, including particular ways of bypassing operating system protection mechanisms. Because it is based on this deeper virtual machine technology, the virtual execution technique can prevent advanced malware at the vulnerability exploitation stage from evading sandbox detection. The process of the virtual execution detection technique includes:
1) generating the virtual execution environment according to the dynamic detection strategy;
2) placing the files restored by the traffic reassembly and file restoration module into the file queue store;
3) taking a file to be detected from the file queue store;
4) opening the file with different software versions under multiple virtual machine environments and executing it, to determine the system and software version that the vulnerability targets;
5) observing the changes in memory and instructions after the file to be detected is triggered, and judging whether an advanced malware attack is present;
6) observing the subsequent behaviour features of the file to be detected in the virtual machine, including file and network access, registry modification and process changes. The detection system has instruction-level code analysis capability and can trace and analyse instruction features and behaviour features. Instruction features include the execution state of code in the heap, stack and so on; from anomalous changes in the memory space operated on by instructions, various vulnerability exploitation behaviours such as overflows can be discovered, and 0day vulnerabilities can be found.
The log system means that, upon completion of the analysis, the system records the attack behaviour and code features of this unknown program, so that statistical analysis of the attack situation can be carried out subsequently.
Threat content analysis means that the detection system has instruction-level code analysis capability and can trace and analyse instruction features and behaviour features. Instruction features include the execution state of code in the heap, stack and so on; from anomalous changes in the memory space operated on by instructions, various vulnerability exploitation behaviours such as overflows can be discovered, and 0day vulnerabilities can be found.
Description of the drawings
Fig. 1 is a structural diagram of the virtual execution-based offline detection system for unknown malicious programs of the present invention.
Fig. 2 is a detection flow chart of the virtual execution-based offline detection system for unknown malicious programs of the present invention.
Specific embodiment
The embodiments of the present invention are implemented on the premise of the technical scheme of the present invention; detailed embodiments and specific operating processes are given, but the scope of protection of the present invention is not limited to the following embodiments. The embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
Fig. 1 is a structural diagram of the virtual execution-based offline detection system for unknown malicious programs of the present invention. As shown in the figure, the system includes offline files 102, malicious program detection system 106, log system 107 and threat analysis report 108. The offline files 102 have two import modes, local file import 100 and remote file import 101, and the malicious program detection system 106 includes virus detection 103, static detection 104 and dynamic detection 105. The overall operation flow of the present invention is: first import the program files as required (local file import 100 or remote file import 101), then start the malicious program detection system 106; if the detection result is a threat program, generate and output the threat detection report 108 and write the attack behaviour and code features into the log system 107.
Offline files 102 are the unknown files whose threat is to be detected, generally malicious programs produced by methods such as disguise or embedding in commonly used file types. The system supports the currently common file types, specifically the following seven classes of files:
File type | Extension name |
---|---|
Office files | .ppt/.pptx, .doc/.docx, .xls/.xlsx, .rtf |
Executable files | .exe, .dll, .com, .scr, .pif, .bat |
Flash files | .swf |
Java files | .class, .jar |
Pdf files | |
Web page files | .html, .xml, .js |
Compressed files | .zip, .rar, .gzip, .gz, .tar, .7z, .bz2 |
Local file import 100 means that a control interface is provided through which the user selects the files to be detected and imports them directly into the system. Remote file import 101 means that the user provides the permissions for remote access to the files, and the system imports large numbers of remote files via a remote network resource sharing mode based on the SMB protocol; once the user provides the corresponding permissions, remote batch import of files can be achieved.
Fig. 2 is the detection flow chart of the virtual execution-based offline detection system for unknown malicious programs of the present invention. The specific implementation steps of the invention are as follows:
1) After the system completes initialisation 200, the user, through the system control interface, imports the files to be detected into the system's file queue store 203, either by direct import 100 or by SMB-based remote batch import 101.
2) At the same time, the system reads the detection policy 204 and, according to the preset detection policy 205, starts each detection engine 206. The detection method of each engine is as follows:
A) The virus detection engine 207 takes files from the file queue store and performs virus detection 210. By detecting malicious code features it rapidly screens out the files already infected by known viruses from the files to be measured, so that the more resource-intensive dynamic detection method is concentrated on unknown malicious programs;
B) The static detection engine 208 takes a file 211 from the file queue store and judges whether the file uses metamorphic techniques to evade detection; if so, the corresponding function field is decoded and restored, then shellcode detection is performed on the restored file, detecting the features of vulnerability exploits such as overflows that cause attack threats;
C) The dynamic detection engine 209 takes files from the file queue store and, according to the detection policy, places them into different virtual execution environments 217 for dynamic detection 212. During detection, the virtual execution environments 213 are first generated according to the preset detection policy, for example WinXP and Win7, because certain types of malicious programs mainly exploit vulnerabilities of the WinXP system and have no effect on Win7, and some Word documents carrying malicious code designed for Word 2003 vulnerabilities cannot run under Word 2007. The program's behaviour when run in multiple different application environments built with virtual machine technology is used to judge whether it is an attack. This can detect unknown threats, and because the analysis is of real behaviour in a real application environment it can achieve a very low false positive rate and a high detection rate.
During detection the detection policy can be set flexibly: only one class of detection engine may be enabled to speed up detection, or multiple detection engines may be started and several dynamic-detection virtual execution environments set up to improve detection accuracy.
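The orchestration described in steps 1) and 2), as an added example that is not the patent's own code: the detection policy selects the engines and environments, virus detection screens out known files so dynamic detection runs only for unknown ones, and the environment in which an exploit fires identifies the targeted system. The hash-based virus features, the event format the virtual machines are assumed to emit, and the canned traces standing in for real virtual execution are all constructed here.

```python
"""Detection flow of Fig. 2 as an orchestration: read the detection policy,
start the enabled engines, let virus detection screen out known files so the
costly dynamic detection runs only for unknown ones, and collect alarms per
dimension (process, file, registry, network, exploit) into a log and report.
Added example, not the patent's own code; virus features, event format and
the canned virtual-execution traces are constructed.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Policy:
    engines: List[str]        # any of "virus", "static", "dynamic"
    environments: List[str]   # virtual execution environments, e.g. WinXP, Win7


@dataclass
class Event:
    dimension: str            # process | file | registry | network | exploit
    detail: str


@dataclass
class Verdict:
    name: str
    known_virus: Optional[str] = None
    static_hits: List[str] = field(default_factory=list)
    triggered_in: List[str] = field(default_factory=list)  # environments the exploit fired in
    alarms: Dict[str, List[str]] = field(default_factory=dict)

    @property
    def is_threat(self) -> bool:
        return bool(self.known_virus or self.static_hits or self.triggered_in)


# Constructed "known virus" feature: the hash of a constructed sample body.
KNOWN_VIRUS_HASHES = {
    hashlib.sha256(b"constructed-known-sample").hexdigest(): "Constructed.Virus.A",
}
STATIC_RULES = {"nop_sled": b"\x90" * 8}  # constructed, minimal static rule set

# The virtual execution environment is abstracted as a callable returning the
# events observed when `data` is opened in `env`; a real system drives VMs here.
Runner = Callable[[bytes, str], List[Event]]


def virus_detect(data: bytes) -> Optional[str]:
    """Rapid screening by malicious code feature (here a hash lookup)."""
    return KNOWN_VIRUS_HASHES.get(hashlib.sha256(data).hexdigest())


def static_detect(data: bytes) -> List[str]:
    return [name for name, sig in STATIC_RULES.items() if sig in data]


def dynamic_detect(data: bytes, envs: List[str], run: Runner) -> Tuple[List[str], Dict[str, List[str]]]:
    """Open the file in every environment of the policy. An 'exploit' event
    (memory/instruction anomaly) marks the environment the vulnerability targets."""
    triggered: List[str] = []
    alarms: Dict[str, List[str]] = {}
    for env in envs:
        for ev in run(data, env):
            alarms.setdefault(ev.dimension, []).append(f"{env}: {ev.detail}")
            if ev.dimension == "exploit" and env not in triggered:
                triggered.append(env)
    return triggered, alarms


def detect_queue(queue: Dict[str, bytes], policy: Policy, run: Runner) -> Tuple[List[Verdict], List[str]]:
    """Returns (report, log): one verdict per threat file, one log line per alarm."""
    report: List[Verdict] = []
    log: List[str] = []
    for name, data in queue.items():
        v = Verdict(name)
        if "virus" in policy.engines:
            v.known_virus = virus_detect(data)
        if "static" in policy.engines:
            v.static_hits = static_detect(data)
        # Dynamic detection is reserved for files the virus engine did not settle.
        if "dynamic" in policy.engines and v.known_virus is None:
            v.triggered_in, v.alarms = dynamic_detect(data, policy.environments, run)
        if v.is_threat:
            report.append(v)
            log.append(f"{name}: known={v.known_virus} static={v.static_hits} exploit_in={v.triggered_in}")
            for dim, items in v.alarms.items():
                log.extend(f"{name}: [{dim}] {item}" for item in items)
    return report, log


# Constructed traces standing in for what the virtual machines would observe.
CANNED_TRACES = {
    ("doc_A", "WinXP"): [Event("exploit", "code executed from a heap page"),
                         Event("process", "child process created"),
                         Event("network", "connection to constructed host")],
    ("doc_B", "WinXP"): [Event("file", "document template opened")],
    ("doc_B", "Win7"): [Event("file", "document template opened")],
}


def canned_runner(data: bytes, env: str) -> List[Event]:
    name = data.split(b":", 1)[0].decode()  # constructed: sample content starts with its name
    return CANNED_TRACES.get((name, env), [])


QUEUE = {  # constructed file queue store
    "doc_A": b"doc_A:unknown-sample",
    "doc_B": b"doc_B:benign-sample",
    "doc_C": b"constructed-known-sample",
}
```

Running `detect_queue(QUEUE, Policy(["virus", "static", "dynamic"], ["WinXP", "Win7"]), canned_runner)` reports doc_A as an exploit that fires only under WinXP and doc_C as a known virus that never reaches the virtual machines.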
3) The log system 107 means that, upon completion of the analysis, the system records the attack behaviour and code features of this unknown program, so that statistical analysis of the attack situation can be carried out subsequently.
4) Threat content analysis 108 refers to the virus detection alarm information 218, static detection alarm information 219 and dynamic detection alarm information 220 produced by the detection system. The virus detection alarm information 218 contains the source of the virus, the external links it requests, and so on; the static detection alarm information 219 refers to the vulnerability exploitation detected by shellcode detection, and so on; the dynamic detection alarm information 220 means that the system performs instruction-level code analysis and traces and analyses instruction features and behaviour features. The instruction features include the execution state of code in the heap, stack and so on, and the anomalous changes in the memory space operated on by instructions are analysed; at the same time the system tracks behaviour features such as process creation and termination, process injection, services, drivers, registry access and rewriting, file access, rewriting and download, program port listening, and network access. Based on these behaviour features, comprehensive analysis identifies the behaviour features belonging to attack threats and thereby discovers malware such as 0day Trojans.
5) Since the detection target of dynamic detection is an unknown malicious program whose behaviour and features are unknown, it must be analysed in depth on many levels. The system therefore provides alarm data from multiple dimensions such as process, file, registry, network and vulnerability exploitation, to support the final qualitative judgement. The alarm information provided by the system is shown in the table below:
Finally, it should be noted that the above embodiments are only intended to illustrate, and not to limit, the technical scheme of the present invention. Although the present invention has been described in detail with reference to preferred embodiments, those skilled in the art will understand that the technical scheme of the invention may be modified or equivalently replaced without departing from the spirit and scope of the technical scheme of the present invention, and all such modifications fall within the scope of the claims of the present invention.
Claims (11)
1. A virtual execution-based offline detection system for unknown malicious programs, characterised by comprising:
file import, for importing the unknown files whose threat is to be detected;
a malicious program detection system, for performing comprehensive detection on the files to be detected;
a log system, for recording the attack behaviour and code features found during detection;
threat content analysis, for analysing the details of the detected malware threat.
2. The virtual execution-based offline detection system for unknown malicious programs according to claim 1, characterised in that the file import includes direct offline file import by the user and remote batch offline file import.
3. The virtual execution-based offline detection system for unknown malicious programs according to claim 2, characterised in that remote batch import means that the user provides the permissions for remote access to the files, and the system imports large numbers of remote files via a remote network resource sharing mode based on the SMB protocol.
4. The virtual execution-based offline detection system for unknown malicious programs according to claim 1, characterised in that the malicious program detection system includes:
virus detection, meaning virus detection based on malicious code features;
static detection, meaning shellcode detection for the vulnerabilities in attack threats;
dynamic detection, meaning setting up multiple different application environments with virtual machine technology and observing the behaviour of the program executed in them to judge whether it is an attack.
5. The virtual execution-based offline detection system for unknown malicious programs according to claim 4, characterised in that the virus detection detects program files of unknown threat by feature detection, with the purpose of rapidly screening out the files carrying known viruses from the files to be measured.
6. The virtual execution-based offline detection system for unknown malicious programs according to claim 4, characterised in that the static detection uses a complete set of detection rules, based on known vulnerability information, to detect different malicious programs exploiting the same vulnerability, including malicious programs exploiting known vulnerabilities and some unknown malicious programs.
7. The virtual execution-based offline detection system for unknown malicious programs according to claim 4, characterised in that the dynamic detection uses virtual execution technology to detect known and unknown malicious programs and records the behaviour and features of the malicious program executed in the virtual execution environment.
8. The virtual execution-based offline detection system for unknown malicious programs according to claim 7, characterised in that the virtual execution environment includes an operating system and a file host program, and the virtual execution environment is created with virtual machine technology to establish an execution environment suitable for dynamic detection.
9. The virtual execution-based offline detection system for unknown malicious programs according to claim 7, characterised in that the behaviour and features include process, file, registry, network and vulnerability exploitation.
10. The virtual execution-based offline detection system for unknown malicious programs according to claim 1, characterised in that the log system means that, after detection is completed, the system records the attack behaviour and code features of this unknown program, providing detailed records for subsequent statistical analysis of the attack situation.
11. The virtual execution-based offline detection system for unknown malicious programs according to claim 1, characterised in that the threat content analysis includes tracing and analysing the instruction features and behaviour features of the unknown program, where the instruction features include the execution state of code in the heap and stack.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510708823.4A CN106611122A (en) | 2015-10-27 | 2015-10-27 | Virtual execution-based unknown malicious program offline detection system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106611122A true CN106611122A (en) | 2017-05-03 |
Family ID: 58614372
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510708823.4A Pending CN106611122A (en) | 2015-10-27 | 2015-10-27 | Virtual execution-based unknown malicious program offline detection system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106611122A (en) |
Cited By (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106789878A (en) * | 2016-11-17 | 2017-05-31 | 任子行网络技术股份有限公司 | A kind of file towards large traffic environment also original system and method |
CN107103243A (en) * | 2017-05-11 | 2017-08-29 | 北京安赛创想科技有限公司 | The detection method and device of leak |
CN107239705A (en) * | 2017-05-25 | 2017-10-10 | 中国东方电气集团有限公司 | A kind of contactless industrial control system or the static leakage location of equipment and detection method |
CN107247902A (en) * | 2017-05-10 | 2017-10-13 | 深信服科技股份有限公司 | Malware categorizing system and method |
CN107426201A (en) * | 2017-07-13 | 2017-12-01 | 北京金山安全管理系统技术有限公司 | Processing method and processing device, storage medium and the processor of executable file |
CN107563205A (en) * | 2017-09-20 | 2018-01-09 | 杭州安恒信息技术有限公司 | Typical smart machine leak detection method and permeability apparatus |
CN107688743A (en) * | 2017-08-14 | 2018-02-13 | 北京奇虎科技有限公司 | The determination method and system of a kind of rogue program |
CN108090352A (en) * | 2016-11-22 | 2018-05-29 | 财团法人资讯工业策进会 | Detection system and detection method |
CN108549813A (en) * | 2018-03-02 | 2018-09-18 | 彭根 | Method of discrimination, device and pocessor and storage media |
CN110602044A (en) * | 2019-08-12 | 2019-12-20 | 贵州电网有限责任公司 | Network threat analysis method and system |
CN110874472A (en) * | 2018-09-04 | 2020-03-10 | 中国信息安全测评中心 | Method and system for generating PE virus escape sample |
CN111008376A (en) * | 2019-12-09 | 2020-04-14 | 国网山东省电力公司电力科学研究院 | Mobile application source code safety audit system based on code dynamic analysis |
CN111291368A (en) * | 2018-12-07 | 2020-06-16 | 北京奇虎科技有限公司 | Method and system for defending CPU bug |
CN111382440A (en) * | 2018-12-27 | 2020-07-07 | 北京奇虎科技有限公司 | CPU vulnerability detection method and system based on virtual machine |
CN111444509A (en) * | 2018-12-27 | 2020-07-24 | 北京奇虎科技有限公司 | CPU vulnerability detection method and system based on virtual machine |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102682229A (en) * | 2011-03-11 | 2012-09-19 | 北京市国路安信息技术有限公司 | Malicious code behavior detection method based on virtualization technology |
CN103685251A (en) * | 2013-12-04 | 2014-03-26 | 电子科技大学 | Android malicious software detecting platform oriented to mobile internet |
CN103839003A (en) * | 2012-11-22 | 2014-06-04 | 腾讯科技(深圳)有限公司 | Malicious file detection method and device |
CN104363240A (en) * | 2014-11-26 | 2015-02-18 | 国家电网公司 | Unknown threat comprehensive detection method based on information flow behavior validity detection |
CN104766011A (en) * | 2015-03-26 | 2015-07-08 | 国家电网公司 | Sandbox detection alarming method and system based on main engine characteristic |
Legal events
- 2015-10-27 CN CN201510708823.4A patent/CN106611122A/en active Pending
Cited By (22)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106789878B (en) * | 2016-11-17 | 2019-11-22 | 任子行网络技术股份有限公司 | A kind of file towards large traffic environment also original system and method |
CN106789878A (en) * | 2016-11-17 | 2017-05-31 | 任子行网络技术股份有限公司 | A kind of file towards large traffic environment also original system and method |
CN108090352A (en) * | 2016-11-22 | 2018-05-29 | 财团法人资讯工业策进会 | Detection system and detection method |
CN108090352B (en) * | 2016-11-22 | 2021-07-20 | 财团法人资讯工业策进会 | Detection system and detection method |
CN107247902A (en) * | 2017-05-10 | 2017-10-13 | 深信服科技股份有限公司 | Malware categorizing system and method |
CN107247902B (en) * | 2017-05-10 | 2021-07-06 | 深信服科技股份有限公司 | Malicious software classification system and method |
CN107103243A (en) * | 2017-05-11 | 2017-08-29 | 北京安赛创想科技有限公司 | Vulnerability detection method and device |
CN107103243B (en) * | 2017-05-11 | 2020-05-05 | 北京安赛创想科技有限公司 | Vulnerability detection method and device |
CN107239705A (en) * | 2017-05-25 | 2017-10-10 | 中国东方电气集团有限公司 | Non-contact static vulnerability detection system and detection method for industrial control systems or equipment |
CN107426201A (en) * | 2017-07-13 | 2017-12-01 | 北京金山安全管理系统技术有限公司 | Executable file processing method and device, storage medium, and processor |
CN107688743A (en) * | 2017-08-14 | 2018-02-13 | 北京奇虎科技有限公司 | Malicious program determination method and system |
CN107688743B (en) * | 2017-08-14 | 2021-01-29 | 北京奇虎科技有限公司 | Malicious program detection and analysis method and system |
CN107563205A (en) * | 2017-09-20 | 2018-01-09 | 杭州安恒信息技术有限公司 | Vulnerability detection method and penetration device for typical smart devices |
CN108549813A (en) * | 2018-03-02 | 2018-09-18 | 彭根 | Discrimination method, device, processor, and storage medium |
CN110874472B (en) * | 2018-09-04 | 2024-02-13 | 中国信息安全测评中心 | PE virus escape sample generation method and system |
CN110874472A (en) * | 2018-09-04 | 2020-03-10 | 中国信息安全测评中心 | Method and system for generating PE virus escape sample |
CN111291368A (en) * | 2018-12-07 | 2020-06-16 | 北京奇虎科技有限公司 | Method and system for defending CPU bug |
CN111382440A (en) * | 2018-12-27 | 2020-07-07 | 北京奇虎科技有限公司 | CPU vulnerability detection method and system based on virtual machine |
CN111444509A (en) * | 2018-12-27 | 2020-07-24 | 北京奇虎科技有限公司 | CPU vulnerability detection method and system based on virtual machine |
CN110602044A (en) * | 2019-08-12 | 2019-12-20 | 贵州电网有限责任公司 | Network threat analysis method and system |
CN111008376A (en) * | 2019-12-09 | 2020-04-14 | 国网山东省电力公司电力科学研究院 | Mobile application source code safety audit system based on code dynamic analysis |
CN111008376B (en) * | 2019-12-09 | 2021-11-05 | 国网山东省电力公司电力科学研究院 | Mobile application source code safety audit system based on code dynamic analysis |
Similar Documents
Publication | Title |
---|---|
CN106611122A (en) | Virtual execution-based unknown malicious program offline detection system |
US10951647B1 (en) | Behavioral scanning of mobile applications |
Arshad et al. | SAMADroid: a novel 3-level hybrid malware detection model for android operating system |
Hou et al. | Deep4maldroid: A deep learning framework for android malware detection based on linux kernel system call graphs |
CN108304720B (en) | Android malicious program detection method based on machine learning |
Carmony et al. | Extract Me If You Can: Abusing PDF Parsers in Malware Detectors |
Ham et al. | Analysis of android malware detection performance using machine learning classifiers |
Carlin et al. | Detecting cryptomining using dynamic analysis |
KR102160659B1 (en) | Detection of anomalous program execution using hardware-based micro-architectural data |
Wang et al. | Checksum-aware fuzzing combined with dynamic taint analysis and symbolic execution |
Sabhadiya et al. | Android malware detection using deep learning |
CN104766011A (en) | Sandbox detection alarming method and system based on main engine characteristic |
Tang et al. | A novel hybrid method to analyze security vulnerabilities in android applications |
CN106599688B (en) | Android malware detection method based on application category |
CN102034050A (en) | Dynamic malicious software detection method based on virtual machine and sensitive Native application programming interface (API) calling perception |
Bhandari et al. | Sword: semantic aware android malware detector |
TW201533604A (en) | Method of generating in-kernel hook point candidates to detect rootkits and system thereof |
WO2015016901A1 (en) | Signal tokens indicative of malware |
Xu et al. | PlatPal: Detecting Malicious Documents with Platform Diversity |
US10657257B2 (en) | Feature vector aggregation for malware detection |
Schlumberger et al. | Jarhead analysis and detection of malicious java applets |
Elish et al. | A static assurance analysis of android applications |
Huang et al. | Code coverage measurement for Android dynamic analysis tools |
Ni et al. | Real-time detection of malicious behavior in android apps |
CN105488414A (en) | Method and system for preventing malicious codes from detecting virtual environments |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20170503 |