CN107016285B - Method and system for recognizing malicious-code behaviour that propagates via removable media - Google Patents

Method and system for recognizing malicious-code behaviour that propagates via removable media

Info

Publication number: CN107016285B
Authority: CN (China)
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Application number: CN201610906367.9A
Other languages: Chinese (zh)
Other versions: CN107016285A
Inventors: 康学斌, 徐艺航, 肖新光
Current assignee: Shenzhen Antan Network Security Technology Co.,Ltd. (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Shenzhen Anzhitian Information Technology Co Ltd
Priority date / filing date: 2016-10-17 (the priority date is an assumption and is not a legal conclusion)
Publication dates: CN107016285A 2017-08-04; CN107016285B (grant) 2019-11-05

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities


Abstract

The invention discloses a method and system for recognizing malicious-code behaviour that propagates via removable media. The method comprises: creating no fewer than three simulated disks; modifying the disk drive type of no fewer than two of the simulated disks to the removable-disk type; monitoring whether the behaviour of creating a new executable file occurs under the created simulated disk drives; and, if within a preset time no fewer than two of the simulated disks are found to exhibit that behaviour, judging the behaviour to be malicious. The technical solution of the invention addresses the problem in the prior art that a malicious program's operations on removable media cannot be distinguished from a user's manual operations on removable media, so that false positives are easily produced and behaviour is recognized inaccurately.

Description

Method and system for recognizing malicious-code behaviour that propagates via removable media
Technical field
The present invention relates to the field of computer security technology, and more specifically to a method and system for recognizing malicious-code behaviour that propagates via removable media.
Background technique
With the development of Internet technology and the growing demand for resource sharing, passing shared resources around on removable media has become a common way of distributing data because of its convenience and ease of use. While enjoying that convenience, removable-media users also face security problems: data transferred on USB flash drives, portable hard drives and similar removable media may be infected by malicious code. The medium infects a host that was not yet infected, an infected host in turn infects the medium, and propagation continues in this way. Such malicious code is referred to as malicious code propagated via removable media.
There are many types of malicious code propagated via removable media, and they spread quickly. Antivirus software usually recognizes the behaviour of such code by monitoring real removable media: it identifies the operating system's real removable-media drives, judges the executable files or scripts written to those drives, and thereby identifies malicious behaviour propagated via removable media so that it can be scanned and removed. This recognition method has limitations: it cannot distinguish a malicious program's operations on removable media from a user's manual operations on removable media, so it easily produces false positives and recognizes behaviour inaccurately, which in turn raises the false-positive rate of the antivirus software.
Summary of the invention
To solve the above technical problem, the present invention provides a method and system for recognizing malicious-code behaviour that propagates via removable media.
According to a first aspect of the invention, a method for recognizing malicious-code behaviour that propagates via removable media is provided. The method comprises: creating no fewer than three simulated disks; modifying the disk drive type of no fewer than two of the simulated disks to the removable-disk type; monitoring whether the behaviour of creating a new executable file occurs under the created simulated disk drives; and, if within a preset time no fewer than two of the simulated disk drives are found to exhibit that behaviour, judging the behaviour to be malicious.
In some embodiments, the method comprises: if the behaviour is not found, destroying the created simulated disks.
In some embodiments, no fewer than one simulated disk is left unmodified and keeps its original disk drive type.
In some embodiments, the creation behaviour includes creating a new script, creating a new hidden file, and creating a file shortcut.
According to a second aspect of the invention, a system for recognizing malicious-code behaviour that propagates via removable media is provided, comprising: a creation module for creating no fewer than three simulated disks; a modification module for modifying the disk drive type of no fewer than two of the simulated disks to the removable-disk type; a monitoring module for monitoring whether the behaviour of creating a new executable file occurs under the created simulated disk drives; and a determination module for judging the behaviour to be malicious if, within a preset time, no fewer than two of the simulated disk drives are found to exhibit that behaviour.
In some embodiments, the system comprises a removal module for destroying the created simulated disks if the behaviour is not found.
In some embodiments, no fewer than one simulated disk is left unmodified and keeps its original disk drive type.
In some embodiments, the creation behaviour includes creating a new script, creating a new hidden file, and creating a file shortcut.
With the method and system of the invention, simulated disks are created, their disk drive types are modified by hooking, and the created simulated disk drives are monitored for newly created executable files in order to discover that multiple removable media are being used to spread malicious code. Removable-media malicious propagation behaviour can be identified effectively, and through that behaviour removable-media Trojans, disk-traversing Trojans and similar malicious programs can be monitored. The method improves the detection accuracy for removable-media malicious behaviour and reduces false positives.
Brief description of the drawings
To explain the technical solution of the present invention more clearly, the drawings needed for the embodiments are briefly introduced below. The drawings described below are only some of the embodiments recorded in the present invention; a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a method for recognizing malicious-code behaviour that propagates via removable media according to an embodiment of the present invention;
Fig. 2 is a block diagram of a system for recognizing malicious-code behaviour that propagates via removable media according to an embodiment of the present invention.
Detailed description
Preferred embodiments of the present invention are described in detail below with reference to the drawings; details and functions that are unnecessary for the invention are omitted so as not to obscure its understanding. Although exemplary embodiments are shown in the drawings, the invention may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the invention is understood more thoroughly and its scope is conveyed completely to those skilled in the art.
Fig. 1 shows a flow chart of a method for recognizing malicious-code behaviour that propagates via removable media according to an embodiment of the present invention. As shown in Fig. 1, the method includes the following steps:
S110: create no fewer than three simulated disks.
The subst command maps the contents of a folder so that it appears as a local drive, so any directory can be turned into a drive letter with it. The three simulated drives are created with subst; the command format is simple: `subst drive1: [drive2:]path`, where `drive1:` is the new virtual drive letter that will stand in for the path and `[drive2:]path` is the directory to be substituted. To remove a virtual drive, run `subst drive1: /D`.
S120: modify the disk drive type of no fewer than two of the simulated disks to the removable-disk type.
If three simulated disks were created, the disk drive type of any two of them is changed by hooking to "DRIVE_REMOVABLE" to simulate a USB flash drive, while the third keeps the disk drive type "DRIVE_FIXED" to simulate a portable hard drive. (DRIVE_REMOVABLE and DRIVE_FIXED are return values of the Win32 GetDriveType API; a drive created with subst over a directory on a fixed disk reports the underlying disk's type, which is why the type must be altered by a hook before malware that queries it will treat the decoy as removable. Malware that classifies drives by some other means than the hooked call will not be deceived by the hook alone.)
If more than three simulated disks are created, no fewer than two have their disk drive type changed to the removable-disk type, and no fewer than one is left unmodified and keeps its original disk drive type.
S130: monitor whether the behaviour of creating a new executable file occurs under the created simulated disk drives.
Here, creation also includes creating a new script, creating a new hidden file, and creating a file shortcut.
S140: if within a preset time no fewer than two of the simulated disk drives are found to exhibit the behaviour, the behaviour can be judged to be malicious.
If, within a preset time t (for example 5 minutes; this time is configurable), two or more drives are found to exhibit the above behaviour close together in time, the behaviour can be judged to be removable-media malicious propagation. The requirement that the events be close together in time is meant to prevent a user's own mistaken operations from being counted, and so to avoid possible false positives.
In some embodiments, the method further includes:
S150: if the behaviour is not found, destroy the created simulated disks.
Specifically, if no malicious-code propagation behaviour is found, the created simulated disks are destroyed. The method can then be repeated at intervals so as to detect and recognize further removable-media malicious propagation behaviour.
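The decision logic of steps S130 to S150, as an added example that is not code from the patent or from the assignee's product. It assumes the decoy drives already exist (created with subst and re-typed by the hook of step S120) and that a file-system watcher delivers one record per newly created file; the drive letters X:, Y: and Z:, the extension lists, the CreateEvent record and the two event sequences are constructed for this example. The block implements the correlation rule of step S140: a decoy drive counts as hit when a file of one of the four kinds listed in step S130 is created on it, and propagation is reported only when at least two decoy drives are hit inside the configurable window; an empty result is the step S150 case.

```python
"""Decoy-drive correlation for removable-media propagation detection.

Added example, not the patent's own code. Decoy drive letters, extension
lists and all events below are constructed for illustration.
"""
import ntpath
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Decoy drives and the type each reports to GetDriveType after the hook of
# step S120 (letters assumed for this example; the patent requires >= 3).
DECOY_DRIVES = {"X:": "DRIVE_REMOVABLE", "Y:": "DRIVE_REMOVABLE", "Z:": "DRIVE_FIXED"}

# Creation behaviours counted by step S130 (extension lists are assumptions).
EXECUTABLE_EXTS = {".exe", ".dll", ".com", ".scr", ".pif", ".sys"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".bat", ".cmd", ".ps1", ".wsf"}
SHORTCUT_EXTS = {".lnk"}


@dataclass(frozen=True)
class CreateEvent:
    """One 'file created' notification from a watcher on a decoy drive."""
    ts: float      # seconds, monotonic within one monitoring run
    path: str      # Windows path, e.g. r"X:\system.exe"
    hidden: bool   # FILE_ATTRIBUTE_HIDDEN set on the new file


def classify(ev: CreateEvent) -> Optional[str]:
    """Return the behaviour tag for a creation, or None if it is not one the
    patent counts (new executable, script, shortcut or hidden file)."""
    ext = ntpath.splitext(ev.path)[1].lower()   # ntpath: backslash-aware on any OS
    if ext in EXECUTABLE_EXTS:
        return "executable"
    if ext in SCRIPT_EXTS:
        return "script"
    if ext in SHORTCUT_EXTS:
        return "shortcut"
    if ev.hidden:
        return "hidden"
    return None


def decoy_drive(path: str) -> Optional[str]:
    """Drive letter (e.g. 'X:') if the path lies on a decoy drive, else None."""
    drive = ntpath.splitdrive(path)[0].upper()
    return drive if drive in DECOY_DRIVES else None


def flagged_drives(events: Iterable[CreateEvent], window_s: float = 300.0,
                   min_drives: int = 2) -> List[str]:
    """Step S140: decoy drives that received suspicious creations inside one
    window of window_s seconds, provided at least min_drives did; otherwise []
    (step S150: tear the decoys down and start a new round)."""
    hits = sorted(
        (ev.ts, decoy_drive(ev.path))
        for ev in events
        if decoy_drive(ev.path) and classify(ev)
    )
    for i, (start, _) in enumerate(hits):
        drives = {d for ts, d in hits[i:] if ts - start <= window_s}
        if len(drives) >= min_drives:
            return sorted(drives)
    return []


# Constructed sample: a worm enumerates drive letters and drops its files on
# every decoy within seconds. The write to C: is a real disk and is ignored.
WORM_EVENTS = [
    CreateEvent(10.0, r"X:\autorun.inf", hidden=True),
    CreateEvent(10.2, r"X:\RECYCLER\svchost.exe", hidden=True),
    CreateEvent(11.0, r"Y:\autorun.inf", hidden=True),
    CreateEvent(11.3, r"Y:\RECYCLER\svchost.exe", hidden=True),
    CreateEvent(12.1, r"Z:\photos.lnk", hidden=False),
    CreateEvent(12.4, r"C:\Windows\Temp\svchost.exe", hidden=True),
]

# Constructed sample: a user copies one tool to one decoy, then another tool
# to a second decoy 800 s later. Two drives, but outside the 5-minute window.
USER_EVENTS = [
    CreateEvent(100.0, r"X:\putty.exe", hidden=False),
    CreateEvent(100.5, r"X:\notes.txt", hidden=False),
    CreateEvent(900.0, r"Y:\7z.exe", hidden=False),
]

if __name__ == "__main__":
    print("worm:", flagged_drives(WORM_EVENTS))   # ['X:', 'Y:', 'Z:']
    print("user:", flagged_drives(USER_EVENTS))   # []
```

The window is what separates the two cases: the worm touches three decoys within seconds, while the user sequence touches two decoys 800 s apart and is not flagged. The unmodified DRIVE_FIXED decoy is watched like the others, which is what catches disk-traversing Trojans that write to every drive letter regardless of type.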
Fig. 2 is a block diagram of a system for recognizing malicious-code behaviour that propagates via removable media according to an embodiment of the present invention. As shown in Fig. 2, the system may include a creation module 210, a modification module 220, a monitoring module 230 and a determination module 240.
The creation module 210 creates no fewer than three simulated disks.
The modification module 220 modifies the disk drive type of no fewer than two of the simulated disks to the removable-disk type.
No fewer than one simulated disk is left unmodified and keeps its original disk drive type.
The monitoring module 230 monitors whether the behaviour of creating a new executable file occurs under the created simulated disk drives.
Creation includes creating a new script, creating a new hidden file, and creating a file shortcut. The determination module 240 judges the behaviour to be malicious if, within a preset time, no fewer than two of the simulated disk drives are found to exhibit the behaviour.
In some embodiments, the system further includes:
a removal module 250 for destroying the created simulated disks if the behaviour is not found.
By creating simulated disks, modifying their disk drive types by hooking, and monitoring the created simulated disk drives for newly created executable files, it can be discovered that multiple removable media are being used to spread malicious code. Removable-media malicious propagation behaviour can be identified effectively, and through that behaviour removable-media Trojans, disk-traversing Trojans and similar malicious programs can be monitored. The method improves the detection accuracy for removable-media malicious behaviour and reduces false positives.
The invention has been described above with reference to preferred embodiments. It should be understood that those skilled in the art can make various other changes, substitutions and additions without departing from the spirit and scope of the invention. Therefore, the scope of the invention is not limited to the specific embodiments above but is defined by the appended claims.

Claims (8)

1. A method for recognizing malicious-code behaviour that propagates via removable media, characterized by comprising:
creating no fewer than three simulated disks;
modifying the disk drive type of no fewer than two of the simulated disks to the removable-disk type;
monitoring whether the behaviour of creating a new executable file occurs under the created simulated disk drives;
if, within a preset time, no fewer than two of the simulated disk drives are found to exhibit the behaviour, judging the behaviour to be malicious.
2. The method according to claim 1, characterized in that the method comprises: if the behaviour is not found, destroying the created simulated disks.
3. The method according to claim 1, characterized in that no fewer than one simulated disk is left unmodified and keeps its original disk drive type.
4. The method according to claim 1, characterized in that the creation includes creating a new script, creating a new hidden file, and creating a file shortcut.
5. A system for recognizing malicious-code behaviour that propagates via removable media, characterized by comprising:
a creation module for creating no fewer than three simulated disks;
a modification module for modifying the disk drive type of no fewer than two of the simulated disks to the removable-disk type;
a monitoring module for monitoring whether the behaviour of creating a new executable file occurs under the created simulated disk drives;
a determination module for judging the behaviour to be malicious if, within a preset time, no fewer than two of the simulated disk drives are found to exhibit the behaviour.
6. The system according to claim 5, characterized in that the system comprises:
a removal module for destroying the created simulated disks if the behaviour is not found.
7. The system according to claim 5, characterized in that no fewer than one simulated disk is left unmodified and keeps its original disk drive type.
8. The system according to claim 5, characterized in that the creation includes creating a new script, creating a new hidden file, and creating a file shortcut.
Application CN201610906367.9A, filed 2016-10-17 (priority date 2016-10-17) by Shenzhen Anzhitian Information Technology Co Ltd; status Active.

Publications (2)

Publication Number   Publication Date
CN107016285A (en)    2017-08-04
CN107016285B (en)    2019-11-05

Family ID: 59438749

Country Status (1)

CN (1) CN107016285B (en)

Patent Citations (5)

(* cited by examiner, † cited by third party)
Publication number   Priority date   Publication date   Assignee   Title
CN101178762A *   2007-12-18   2008-05-14   唐璐峤   Method for inhibiting virus spreading through movable memory apparatus and movable memory apparatus thereof
CN101944169A *   2010-07-22   2011-01-12   北京安天电子设备有限公司   Immune method for self-starting viruses of USB removable storage devices
CN102110214A *   2011-04-12   2011-06-29   姚志浩   Method and device for preventing viruses in mobile memory from infecting computer
CN102799801A *   2011-05-27   2012-11-28   网秦无限(北京)科技有限公司   Method and system for killing viruses of mobile equipment by utilizing mobile memory
CN103150506A *   2013-02-17   2013-06-12   北京奇虎科技有限公司   Method and device for detecting rogue program

Non-Patent Citations (1)

(* cited by examiner, † cited by third party)
autorun.inf病毒的原理及防范 (Principles of the autorun.inf virus and defences against it); 贺惠萍 et al.; 《电脑知识与技术》 (Computer Knowledge and Technology); 2011-01-31; full text *


Legal Events

Code   Title
PB01   Publication
SE01   Entry into force of request for substantive examination
GR01   Patent grant
CP01   Change in the name or title of a patent holder

Address (unchanged): 518000 Shenzhen, Baoan District, Guangdong Xixiang Baoan District street, the source of excellent industrial products display procurement center, block B, 7 floor, No.

Patentee before: SHENZHEN ANZHITIAN INFORMATION TECHNOLOGY Co.,Ltd.

Patentee after: Shenzhen Antan Network Security Technology Co.,Ltd.