CN107016285A - A method and system for recognizing malicious-code propagation behaviour via removable media - Google Patents
- Publication number: CN107016285A (application CN201610906367.9A)
- Authority: CN (China)
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Abstract
The invention discloses a method and system for recognizing malicious-code propagation behaviour via removable media, comprising: creating no fewer than three simulated disks; modifying the drive type of no fewer than two of the simulated disks to the removable-disk type; monitoring whether executable files are newly created under the created simulated disk drives; and, if no fewer than two of the simulated disks are found to exhibit that behaviour within a preset time, determining that the behaviour is malicious. The technical scheme of the invention solves the prior-art problem that a malicious virus's operations on removable media cannot be distinguished from a user's manual operations on removable media, so that false alarms are easily produced and the behaviour is recognized inaccurately.
Description
Technical field
The present invention relates to the field of computer security technology, and more specifically to a method and system for recognizing malicious-code propagation behaviour via removable media.
Background art
With the development of Internet technology and the growing demand for resource sharing, propagating shared resources via removable media has become a common way for the public to transfer data because of its convenience and ease of use. While enjoying this convenience, removable-media users are also exposed to certain security risks: during data transfer using removable media such as USB flash disks or mobile hard disks they may be infected by malicious code. A removable medium infects an uninfected host, an infected host infects further removable media, and the propagation continues in this way; malicious code that spreads in this manner is called malicious code propagated via removable media.
There are many kinds of malicious code propagated via removable media, and they spread quickly. The behaviour-recognition method that antivirus software applies to such malicious code is usually monitoring of real removable media: it recognizes the operating system's real removable-media drive, then judges the executable files or scripts written to that drive, and so identifies malicious behaviour propagated via removable media in order to detect and remove it. Such a recognition method has limitations: it cannot distinguish a malicious virus's operations on the removable medium from a user's manual operations on it, so it easily produces false alarms and recognizes the behaviour inaccurately, which in turn raises the false-alarm rate of the antivirus software.
Summary of the invention
To solve the above technical problem, a method and system for recognizing malicious-code propagation behaviour via removable media are provided according to the present invention.
According to a first aspect of the invention, a method for recognizing malicious-code propagation behaviour via removable media is provided. The method comprises: creating no fewer than three simulated disks; modifying the drive type of no fewer than two of the simulated disks to the removable-disk type; monitoring whether executable files are newly created under the created simulated disk drives; and, if no fewer than two of the simulated disks are found to exhibit the behaviour within a preset time, determining that the behaviour is malicious.
In some embodiments, the method comprises: if the behaviour is not found, destroying the created simulated disks.
In some embodiments, no fewer than one simulated disk is left unmodified and keeps its disk drive type.
In some embodiments, the creation behaviour includes creating scripts, creating hidden files and creating file shortcuts.
According to a second aspect of the invention, a system for recognizing malicious-code propagation behaviour via removable media is provided, comprising: a creation module for creating no fewer than three simulated disks; a modification module for modifying the drive type of no fewer than two of the simulated disks to the removable-disk type; a monitoring module for monitoring whether executable files are newly created under the created simulated disk drives; and a determination module for determining that the behaviour is malicious if no fewer than two of the simulated disks are found to exhibit the behaviour within a preset time.
In some embodiments, the system comprises: a removal module for destroying the created simulated disks if the behaviour is not found.
In some embodiments, no fewer than one simulated disk is left unmodified and keeps its disk drive type.
In some embodiments, the creation behaviour includes creating scripts, creating hidden files and creating file shortcuts.
With the method and system of the present invention, simulated disks are created, their drive types are modified by hooking, and the created simulated disk drives are monitored for the creation of executable files, so as to discover whether multiple removable media are being used to transmit malicious code. Removable-media malicious propagation behaviour can be recognized effectively, and through this behaviour trojans that monitor removable media, trojans that traverse disks and similar malicious behaviour can be detected. The method improves the detection accuracy for removable-media malicious behaviour and reduces false alarms.
Brief description of the drawings
To explain the technical scheme more clearly, the drawings required for the embodiments are briefly introduced below. It should be apparent that the drawings described below show only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a method for recognizing malicious-code propagation behaviour via removable media according to an embodiment of the present invention;
Fig. 2 is a block diagram of a system for recognizing malicious-code propagation behaviour via removable media according to an embodiment of the present invention.
Embodiment
Preferred embodiments of the present invention are described in detail below with reference to the drawings; details and functions that are unnecessary for the invention are omitted from the description so as not to obscure its understanding. Although exemplary embodiments are shown in the drawings, it should be understood that the present invention may be realized in various forms and should not be limited by the embodiments set forth here. On the contrary, these embodiments are provided so that the invention is understood more thoroughly and its scope is conveyed completely to those skilled in the art.
Fig. 1 shows a flowchart of a method for recognizing malicious-code propagation behaviour via removable media according to an embodiment of the present invention. As shown in Fig. 1, the method comprises the following steps:
S110: create no fewer than three simulated disks.
Here, the Subst command maps the contents of a folder to a local drive, so any directory can be turned into a virtual disk drive; the three simulated drives are created with the Subst command. The command format is very simple: "Subst Drive1 Drive2Path", where "Drive1" is the new virtual drive letter that stands in for the disk path, and "Drive2Path" is the folder and path to be substituted. If the user needs to delete a virtual drive, "Subst Drive1 /D" can be executed.
S120: modify the drive type of no fewer than two of the simulated disks to the removable-disk type.
Here, if three simulated disks have been created, the drive type of any two of them is changed by hooking to "DRIVE_REMOVABLE", simulating USB flash disks, while the remaining one keeps the disk drive type "DRIVE_FIXED", simulating a mobile hard disk.
If more than three simulated disks are created, the drive type of no fewer than two of them is modified to the removable-disk type, and no fewer than one is left unmodified and keeps its disk drive type.
S130: monitor whether executable files are newly created under the created simulated disk drives.
Here, the creation behaviour also includes creating scripts, creating hidden files and creating file shortcuts.
S140: if no fewer than two simulated disks are found to exhibit the behaviour within a preset time, determine that the behaviour is malicious.
If two or more drives show the above behaviour within the preset time t (for example 5 minutes; this time can be configured), it is determined to be removable-media malicious propagation behaviour. Requiring the events to be close in time rules out accidental manual operations and so avoids possible false alarms.
In some embodiments, the method further comprises:
S150: if the behaviour is not found, destroy the created simulated disks.
Specifically, if no behaviour of propagating malicious code is found, the created simulated disks are destroyed; the method can be repeated at intervals so that more removable-media malicious propagation behaviour is detected and recognized.
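The decision logic of steps S110 to S150 (and, equivalently, of modules 210 to 250 of the system in Fig. 2), as an added example in Python that is not code from the patent or from the applicant's product. It runs over constructed file-creation events rather than a live file-system watch, so the drive letters X:, Y: and Z:, the decoy directories under C:\decoy, the file names, the timestamps and the 300-second window are all assumptions; the patent's hook that changes the drive type reported for the decoys is stood in for by a table lookup (reported_drive_type), and the Subst command lines are only built, not executed.

```python
"""Decoy-drive correlation for removable-media spreaders (added example).

Models steps S110-S150 of CN107016285A on constructed data: several decoy
drive letters, at least two of them reported as removable, and an alert
when at least two distinct decoys receive a qualifying file creation
inside a time window. Every drive letter, path, name and time below is
illustrative; reported_drive_type() stands in for the patent's hook.
"""
from dataclasses import dataclass
import ntpath

# Documented return values of the Windows GetDriveType API.
DRIVE_REMOVABLE = 2
DRIVE_FIXED = 3

# Hypothetical decoy layout: three Subst drives, two reported as removable
# (USB-flash-disk decoys), one left fixed (mobile-hard-disk decoy).
DECOY_ROOTS = {"X:": r"C:\decoy\x", "Y:": r"C:\decoy\y", "Z:": r"C:\decoy\z"}
DECOY_TYPES = {"X:": DRIVE_REMOVABLE, "Y:": DRIVE_REMOVABLE, "Z:": DRIVE_FIXED}

# File kinds the patent counts as "newly created executable" behaviour:
# executables, scripts, shortcuts, and (by attribute) hidden files.
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com", ".pif"}
SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".bat", ".cmd", ".ps1", ".wsf"}
SHORTCUT_EXT = {".lnk"}
QUALIFYING_EXT = EXECUTABLE_EXT | SCRIPT_EXT | SHORTCUT_EXT


def layout_is_valid(types: dict) -> bool:
    """S110/S120 precondition: >= 3 decoys, >= 2 removable, >= 1 left fixed."""
    removable = sum(t == DRIVE_REMOVABLE for t in types.values())
    fixed = sum(t == DRIVE_FIXED for t in types.values())
    return len(types) >= 3 and removable >= 2 and fixed >= 1


def subst_commands(roots: dict, remove: bool = False) -> list:
    """Command lines for S110 (create) and S150 (destroy), in the form the
    page gives: 'subst X: C:\\decoy\\x' and 'subst X: /D'. Not executed here."""
    if remove:
        return [f"subst {drive} /D" for drive in roots]
    return [f"subst {drive} {path}" for drive, path in roots.items()]


def reported_drive_type(drive: str, real_type: int = DRIVE_FIXED) -> int:
    """Stand-in for the S120 hook: a decoy letter reports its configured type,
    any other drive passes the real answer through unchanged."""
    return DECOY_TYPES.get(drive.upper(), real_type)


@dataclass(frozen=True)
class CreateEvent:
    ts: float             # seconds since monitoring started
    path: str             # full Windows path of the created file
    hidden: bool = False  # hidden attribute set at creation


def drive_of(path: str) -> str:
    return path[:2].upper() if len(path) >= 2 and path[1] == ":" else ""


def is_qualifying(ev: CreateEvent) -> bool:
    """S130: executable, script, shortcut or hidden file created on a decoy."""
    if drive_of(ev.path) not in DECOY_TYPES:
        return False
    ext = ntpath.splitext(ev.path)[1].lower()
    return ev.hidden or ext in QUALIFYING_EXT


def detect(events, window: float = 300.0):
    """S140: (True, drives) when >= 2 distinct decoys had qualifying creations
    within `window` seconds of each other, else (False, [])."""
    hits = sorted((ev.ts, drive_of(ev.path)) for ev in events if is_qualifying(ev))
    for i, (t0, _) in enumerate(hits):
        drives = {d for t, d in hits[i:] if t - t0 <= window}
        if len(drives) >= 2:
            return True, sorted(drives)
    return False, []


# Constructed sample events.
# A user copying a document and one installer: only Y: qualifies -> no alert.
BENIGN_EVENTS = [
    CreateEvent(0.0, r"X:\report.docx"),
    CreateEvent(30.0, r"Y:\setup.exe"),
    CreateEvent(45.0, r"D:\tools\nmap.exe"),  # real drive, not a decoy
]
# A spreader dropping a hidden payload plus a lure shortcut on every drive it
# sees, within seconds -> alert naming X:, Y: and Z:.
WORM_EVENTS = [
    CreateEvent(10.0, r"X:\svchost.exe", hidden=True),
    CreateEvent(11.0, r"X:\Photos.lnk"),
    CreateEvent(12.0, r"Y:\svchost.exe", hidden=True),
    CreateEvent(13.0, r"Y:\Photos.lnk"),
    CreateEvent(14.0, r"Z:\svchost.exe", hidden=True),
]
# Two manual copies 15 minutes apart: outside a 5-minute window -> no alert.
SLOW_EVENTS = [CreateEvent(0.0, r"X:\a.exe"), CreateEvent(900.0, r"Y:\a.exe")]

if __name__ == "__main__":
    assert layout_is_valid(DECOY_TYPES)
    print("\n".join(subst_commands(DECOY_ROOTS)))
    for name, evs in (("benign", BENIGN_EVENTS), ("worm", WORM_EVENTS), ("slow", SLOW_EVENTS)):
        print(name, detect(evs))
    print("\n".join(subst_commands(DECOY_ROOTS, remove=True)))
```

The hook on the drive-type query and the delivery of creation events from the file system are the platform-specific parts the patent does not spell out; the correlation rule is the part that governs false alarms. A single decoy receiving writes, or writes spread further apart than the window, never alerts, while a spreader touching two decoys in quick succession does, whether the drives it picked were the removable decoys or the fixed one.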
Fig. 2 is a block diagram of a system for recognizing malicious-code propagation behaviour via removable media according to an embodiment of the present invention. As shown in Fig. 2, the system may comprise: a creation module 210, a modification module 220, a monitoring module 230 and a determination module 240.
The creation module 210 creates no fewer than three simulated disks.
The modification module 220 modifies the drive type of no fewer than two of the simulated disks to the removable-disk type. No fewer than one simulated disk is left unmodified and keeps its disk drive type.
The monitoring module 230 monitors whether executable files are newly created under the created simulated disk drives. The creation behaviour includes creating scripts, creating hidden files and creating file shortcuts.
The determination module 240 determines that the behaviour is malicious if no fewer than two simulated disks are found to exhibit the behaviour within a preset time.
In some embodiments, the system further comprises:
a removal module 250 which, if the behaviour is not found, destroys the created simulated disks.
Simulated disks are created, their drive types are modified by hooking, and the created simulated disk drives are monitored for the creation of executable files, so as to discover whether multiple removable media are being used to transmit malicious code. Removable-media malicious propagation behaviour can be recognized effectively, and through this behaviour trojans that monitor removable media, trojans that traverse disks and similar malicious behaviour can be detected. The method improves the detection accuracy for removable-media malicious behaviour and reduces false alarms.
The present invention has been described above with reference to preferred embodiments. It should be understood that those skilled in the art can make various other changes, replacements and additions without departing from the spirit and scope of the invention. Therefore, the scope of the invention is not limited to the specific embodiments above and should be defined by the appended claims.
Claims (8)
1. A method for recognizing malicious-code propagation behaviour via removable media, characterized in that it comprises:
creating no fewer than three simulated disks;
modifying the drive type of no fewer than two of the simulated disks to the removable-disk type;
monitoring whether executable files are newly created under the created simulated disk drives;
if no fewer than two of the simulated disks are found to exhibit the behaviour within a preset time, determining that the behaviour is malicious.
2. The method according to claim 1, characterized in that the method comprises: if the behaviour is not found, destroying the created simulated disks.
3. The method according to claim 1, characterized in that no fewer than one simulated disk is left unmodified and keeps its disk drive type.
4. The method according to claim 1, characterized in that the creation comprises creating scripts, creating hidden files and creating file shortcuts.
5. A system for recognizing malicious-code propagation behaviour via removable media, characterized in that it comprises:
a creation module for creating no fewer than three simulated disks;
a modification module for modifying the drive type of no fewer than two of the simulated disks to the removable-disk type;
a monitoring module for monitoring whether executable files are newly created under the created simulated disk drives;
a determination module for determining that the behaviour is malicious if no fewer than two of the simulated disks are found to exhibit the behaviour within a preset time.
6. The system according to claim 5, characterized in that the system comprises:
a removal module for destroying the created simulated disks if the behaviour is not found.
7. The system according to claim 5, characterized in that no fewer than one simulated disk is left unmodified and keeps its disk drive type.
8. The system according to claim 5, characterized in that the creation comprises creating scripts, creating hidden files and creating file shortcuts.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610906367.9A | 2016-10-17 | 2016-10-17 | A method and system for recognizing malicious-code propagation behaviour via removable media |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107016285A true CN107016285A (en) | 2017-08-04 |
CN107016285B CN107016285B (en) | 2019-11-05 |
Family
ID=59438749
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101178762A (en) * | 2007-12-18 | 2008-05-14 | 唐璐峤 | Method for inhibiting virus spreading through movable memory apparatus and movable memory apparatus thereof |
CN101944169A (en) * | 2010-07-22 | 2011-01-12 | 北京安天电子设备有限公司 | Immune method for self-starting viruses of USB removable storage devices |
CN102110214A (en) * | 2011-04-12 | 2011-06-29 | 姚志浩 | Method and device for preventing viruses in mobile memory from infecting computer |
CN102799801A (en) * | 2011-05-27 | 2012-11-28 | 网秦无限(北京)科技有限公司 | Method and system for killing viruses of mobile equipment by utilizing mobile memory |
CN103150506A (en) * | 2013-02-17 | 2013-06-12 | 北京奇虎科技有限公司 | Method and device for detecting rogue program |
Non-Patent Citations (1)
Title |
---|
He Huiping et al.: "Principles and prevention of the autorun.inf virus" (贺惠萍等: "autorun.inf病毒的原理及防范"), Computer Knowledge and Technology (《电脑知识与技术》) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CP01 | Change in the name or title of a patent holder | Patentee before: SHENZHEN ANZHITIAN INFORMATION TECHNOLOGY Co.,Ltd.; patentee after: Shenzhen Antan Network Security Technology Co.,Ltd. Address (unchanged): 518000 Shenzhen, Baoan District, Guangdong, Xixiang street, the source of excellent industrial products display procurement center, block B, 7 floor, No. |