CN107016285B - Method and system for identifying the behavior of malicious code propagated via removable media - Google Patents
Publication number
- CN107016285B (application CN201610906367.9A)
Authority
- CN (China)
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Abstract
The invention discloses a method and system for identifying the behavior of malicious code that propagates via removable media, comprising: creating no fewer than three simulated disks; modifying the drive type of no fewer than two of the simulated disks to the removable-disk type; monitoring whether the behavior of creating a new executable file occurs under the created simulated disk drives; and, if no fewer than two of the simulated disks are found to exhibit this behavior within a preset time, determining that the behavior is malicious. The technical solution of the invention addresses a problem of the prior art: operations on removable media by a malicious virus cannot be distinguished from manual operations on removable media by a user, which easily produces false positives and makes behavior identification inaccurate.
Description
Technical field
The present invention relates to the field of computer security technology, and more specifically to a method and system for identifying the behavior of malicious code that propagates via removable media.
Background art
With the development of internet technology, the demand for resource sharing has grown. Sharing resources via removable media has become a common way of transferring data because of its convenience and ease of use. While enjoying that convenience, users of removable media also face potential security problems: when data are transferred using removable media such as USB flash drives or external hard disks, the media may be infected by malicious code. The removable medium infects an uninfected host, an infected host infects further removable media, and the code keeps spreading in this way; such malicious code is referred to as malicious code propagated via removable media.
There are many types of malicious code propagated via removable media, and they spread quickly. The behavior-identification method that antivirus software typically uses against such code is monitoring of real removable media: it identifies the operating system's real removable-media drives, then judges the executable files or scripts written to those drives, and thereby identifies them as malicious behavior propagated via removable media in order to remove them. This kind of identification has limitations: it cannot distinguish operations on removable media by a malicious virus from manual operations on removable media by a user, so it easily produces false positives and identifies behavior inaccurately, which also raises the false-positive rate of the antivirus software.
Summary of the invention
To solve the above technical problem, the present invention provides a method and system for identifying the behavior of malicious code that propagates via removable media.
According to a first aspect of the invention, a method for identifying the behavior of malicious code that propagates via removable media is provided. The method comprises: creating no fewer than three simulated disks; modifying the drive type of no fewer than two of the simulated disks to the removable-disk type; monitoring whether the behavior of creating a new executable file occurs under the created simulated disk drives; and, if no fewer than two of the simulated disk drives are found to exhibit this behavior within a preset time, determining that the behavior is malicious.
In some embodiments, the method comprises: if the behavior is not found, destroying the created simulated disks.
In some embodiments, no fewer than one simulated disk is left unmodified and keeps its disk drive type.
In some embodiments, the creation behavior includes creating a new script, creating a new hidden-type file, and creating a file shortcut.
According to a second aspect of the invention, a system for identifying the behavior of malicious code that propagates via removable media is provided. The system comprises: a creation module, used to create no fewer than three simulated disks; a modification module, used to modify the drive type of no fewer than two of the simulated disks to the removable-disk type; a monitoring module, used to monitor whether the behavior of creating a new executable file occurs under the created simulated disk drives; and a determination module, used to determine that the behavior is malicious if no fewer than two of the simulated disk drives are found to exhibit this behavior within a preset time.
In some embodiments, the system comprises a removal module, used to destroy the created simulated disks if the behavior is not found.
In some embodiments, no fewer than one simulated disk is left unmodified and keeps its disk drive type.
In some embodiments, the creation behavior includes creating a new script, creating a new hidden-type file, and creating a file shortcut.
By using the method and system of the invention, simulated disks are created, their drive types are modified by hooking, and the created simulated disk drives are monitored for the creation of new executable files, so that the transfer of malicious code to multiple removable media is discovered. Malicious propagation via removable media can be identified effectively, and malicious behaviors such as removable-media Trojans and disk-traversal Trojans can then be monitored through this behavior. The method improves the detection accuracy for removable-media malicious behavior and reduces false positives.
Brief description of the drawings
To explain the technical solution of the invention more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, the drawings described below are only some of the embodiments recorded in the invention; a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow chart of a method for identifying the behavior of malicious code propagated via removable media according to an embodiment of the invention;
Fig. 2 is a block diagram of a system for identifying the behavior of malicious code propagated via removable media according to an embodiment of the invention.
Detailed description
Preferred embodiments of the invention are described in detail below with reference to the drawings; details and functions that are unnecessary for the invention are omitted from the description so that the understanding of the invention is not obscured. Although exemplary embodiments are shown in the drawings, it should be understood that the invention may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the invention is understood more thoroughly and its scope is conveyed completely to those skilled in the art.
Fig. 1 shows a flow chart of a method for identifying the behavior of malicious code propagated via removable media according to an embodiment of the invention. As shown in Fig. 1, the method includes the following steps:
S110: create no fewer than three simulated disks.
Here, the subst command maps the contents of a folder to a local drive letter, so any directory can be presented as a disk drive. Three simulated drives are created with the subst command, whose format is simple: subst drive1: [drive2:]path, where drive1: is the new virtual drive letter assigned to the substituted path and [drive2:]path is the directory to be substituted. To delete a virtual drive, run subst drive1: /D.
S120: modify the drive type of no fewer than two simulated disks to the removable-disk type.
Here, if three simulated disks are created, the drive type of any two of them is modified by hooking to "DRIVE_REMOVABLE" to simulate USB flash drives, while the remaining one keeps its drive type of "DRIVE_FIXED" to simulate an external hard disk.
If more than three simulated disks are created, the drive type of no fewer than two of them is modified to the removable-disk type, and no fewer than one is left unmodified and keeps its disk drive type.
S130: monitor whether the behavior of creating a new executable file occurs under the created simulated disk drives.
Here, the creation behavior further includes creating a new script, creating a new hidden-type file, and creating a file shortcut.
S140: if no fewer than two simulated disk drives are found to exhibit this behavior within a preset time, determine that the behavior is malicious.
If two or more drives are found to exhibit the above behavior within a preset time t (for example 5 minutes; this time is configurable), the behavior can be determined to be malicious propagation via removable media. The time limit is specified in order to prevent accidental manual operations from being flagged, and so avoids possible false positives.
In some embodiments, the method further includes:
S150: if the behavior is not found, destroy the created simulated disks.
Specifically, if the behavior of propagating malicious code is not found, the created simulated disks are destroyed; the method can then be repeated at intervals to detect and identify further malicious propagation via removable media.
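The decision step of S110 to S150 (no fewer than two decoy drives seeing a watched creation inside the preset window, otherwise tear down) as an added example; this is not code from the patent, and the subst drives, the drive-type hook and the file-system watcher are assumed to exist and to feed the constructed CreateEvent records below, with drive letters, extension sets and events all constructed for illustration.

```python
"""Decision logic of the decoy-drive detector (steps S110-S150).  Added example,
not the patent's code: the subst drives, drive-type hook and file watcher are
assumed to feed CreateEvent records in; letters, extensions, events constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# S110/S120: three decoys, two hooked to report DRIVE_REMOVABLE (simulated USB
# flash drives), one left as DRIVE_FIXED (simulated external hard disk).
DECOY_DRIVES = {"X:": "DRIVE_REMOVABLE", "Y:": "DRIVE_REMOVABLE", "Z:": "DRIVE_FIXED"}
# S130: creations that count as the watched behavior (executable, script,
# hidden file, shortcut).  The extension sets are assumptions.
WATCHED_EXT = {".exe", ".dll", ".scr", ".com",         # executables
               ".vbs", ".js", ".bat", ".cmd", ".ps1",  # scripts
               ".lnk"}                                 # shortcuts

@dataclass(frozen=True)
class CreateEvent:
    when: datetime        # time the file appeared on the drive
    drive: str            # drive letter, e.g. "X:"
    name: str             # file name as created
    hidden: bool = False  # hidden attribute set at creation

def is_suspicious(ev: CreateEvent) -> bool:
    """S130: is this creation one of the behaviors the detector watches for?"""
    ext = "." + ev.name.rsplit(".", 1)[-1].lower() if "." in ev.name else ""
    return ev.hidden or ext in WATCHED_EXT

def detect(events, window_minutes=5, min_drives=2):
    """S140: return the decoy drives hit if at least `min_drives` of them see
    suspicious creations inside one window of `window_minutes`; otherwise None,
    the S150 case (tear the decoys down and run the cycle again later)."""
    window = timedelta(minutes=window_minutes)
    hits = sorted((ev.when, ev.drive) for ev in events
                  if ev.drive in DECOY_DRIVES and is_suspicious(ev))
    for i, (start, _) in enumerate(hits):
        # hits is time-ordered: every later hit within `window` of this one
        # shares its sliding window.  One busy drive alone never qualifies.
        drives = {d for t, d in hits[i:] if t - start <= window}
        if len(drives) >= min_drives:
            return sorted(drives)
    return None

T0 = datetime(2024, 1, 1, 9, 0, 0)  # constructed base timestamp
# Constructed: a worm-style spray hitting every decoy within a minute.
MALWARE_EVENTS = [
    CreateEvent(T0, "X:", "autorun.inf", hidden=True),
    CreateEvent(T0 + timedelta(seconds=1), "X:", "setup.exe"),
    CreateEvent(T0 + timedelta(seconds=12), "Y:", "photos.lnk"),
    CreateEvent(T0 + timedelta(seconds=40), "Z:", "update.vbs"),
]
# Constructed: a person copying one installer to one drive (C: is no decoy).
USER_EVENTS = [
    CreateEvent(T0, "C:", "tool.exe"),
    CreateEvent(T0 + timedelta(seconds=5), "X:", "installer.exe"),
]
# Constructed: two decoys touched, but 20 minutes apart, outside the window.
SLOW_EVENTS = [
    CreateEvent(T0, "X:", "a.exe"),
    CreateEvent(T0 + timedelta(minutes=20), "Y:", "b.exe"),
]

if __name__ == "__main__":
    for label, evs in (("malware", MALWARE_EVENTS), ("user", USER_EVENTS), ("slow", SLOW_EVENTS)):
        print(label, detect(evs))  # ['X:', 'Y:', 'Z:'], None, None
```

Widening the window (for example `detect(SLOW_EVENTS, window_minutes=30)`) turns the slow case into a detection, which is the trade-off the configurable preset time t controls.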
Fig. 2 is a block diagram of a system for identifying the behavior of malicious code propagated via removable media according to an embodiment of the invention. As shown in Fig. 2, the system may include a creation module 210, a modification module 220, a monitoring module 230 and a determination module 240.
The creation module 210 is used to create no fewer than three simulated disks.
The modification module 220 is used to modify the drive type of no fewer than two simulated disks to the removable-disk type. No fewer than one simulated disk is left unmodified and keeps its disk drive type.
The monitoring module 230 is used to monitor whether the behavior of creating a new executable file occurs under the created simulated disk drives. Creation includes creating a new script, creating a new hidden-type file, and creating a file shortcut.
The determination module 240 is used to determine that the behavior is malicious if no fewer than two simulated disk drives are found to exhibit the behavior within a preset time.
In some embodiments, the system further includes:
a removal module 250, used to destroy the created simulated disks if the behavior is not found.
Simulated disks are created, their drive types are modified by hooking, and the created simulated disk drives are monitored for the creation of new executable files, so that the transfer of malicious code to multiple removable media is discovered. Malicious propagation via removable media can thus be identified effectively, and malicious behaviors such as removable-media Trojans and disk-traversal Trojans can be monitored through this behavior. The method improves the detection accuracy for removable-media malicious behavior and reduces false positives.
The invention has now been described with reference to preferred embodiments. It should be understood that those skilled in the art can make various other changes, substitutions and additions without departing from the spirit and scope of the invention. Therefore, the scope of the invention is not limited to the specific embodiments described above and should be defined by the appended claims.
Claims (8)
1. A method for identifying the behavior of malicious code that propagates via removable media, characterized in that it comprises:
creating no fewer than three simulated disks;
modifying the drive type of no fewer than two of the simulated disks to the removable-disk type;
monitoring whether the behavior of creating a new executable file occurs under the created simulated disk drives;
if no fewer than two of the simulated disk drives are found to exhibit the behavior within a preset time, determining that the behavior is malicious.
2. The method according to claim 1, characterized in that the method comprises: if the behavior is not found, destroying the created simulated disks.
3. The method according to claim 1, characterized in that no fewer than one simulated disk is left unmodified and keeps its disk drive type.
4. The method according to claim 1, characterized in that the creation includes the behavior of creating a new script, the behavior of creating a new hidden-type file, and the behavior of creating a file shortcut.
5. A system for identifying the behavior of malicious code that propagates via removable media, characterized in that it comprises:
a creation module, used to create no fewer than three simulated disks;
a modification module, used to modify the drive type of no fewer than two of the simulated disks to the removable-disk type;
a monitoring module, used to monitor whether the behavior of creating a new executable file occurs under the created simulated disk drives;
a determination module, used to determine that the behavior is malicious if no fewer than two of the simulated disk drives are found to exhibit the behavior within a preset time.
6. The system according to claim 5, characterized in that the system comprises:
a removal module, used to destroy the created simulated disks if the behavior is not found.
7. The system according to claim 5, characterized in that no fewer than one simulated disk is left unmodified and keeps its disk drive type.
8. The system according to claim 5, characterized in that the creation includes the behavior of creating a new script, the behavior of creating a new hidden-type file, and the behavior of creating a file shortcut.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610906367.9A (CN107016285B) | 2016-10-17 | 2016-10-17 | Method and system for identifying the behavior of malicious code propagated via removable media |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107016285A | 2017-08-04 |
CN107016285B | 2019-11-05 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CP01 | Change in the name or title of a patent holder | Address after: 518000 Shenzhen, Baoan District, Guangdong Xixiang Baoan District street, the source of excellent industrial products display procurement center, block B, 7 floor, No. Patentee after: Shenzhen Antan Network Security Technology Co.,Ltd. Address before: 518000 Shenzhen, Baoan District, Guangdong Xixiang Baoan District street, the source of excellent industrial products display procurement center, block B, 7 floor, No. Patentee before: SHENZHEN ANZHITIAN INFORMATION TECHNOLOGY Co.,Ltd. |