CN107292168A - Method and device for detecting program code, and server - Google Patents

Info

Publication number: CN107292168A
Authority: CN (China)
Prior art keywords: program code, detected, code, expression feature, execution behaviour
Legal status (assumed by Google, not a legal conclusion): Pending
Application number: CN201610192199.1A
Other languages: Chinese (zh)
Inventor: 王敏学
Current assignee (as listed, not legally verified): Alibaba Group Holding Ltd
Original assignee: Alibaba Group Holding Ltd
Application filed by Alibaba Group Holding Ltd
Priority to CN201610192199.1A
Publication of CN107292168A
Current legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F 2221/033 Test or assess software

Abstract

The application provides a method and device for detecting program code. The method includes: after program code to be detected is input into a simulated program execution environment, performing lexical and syntactic parsing on the program code to be detected to obtain the parsed program code to be detected; extracting first expression features from the parsed program code to be detected; matching the first expression features against second expression features in a feature library to obtain a matching result, the feature library being used to record the expression features that occur in collected malicious code; and determining, according to the matching result, whether the program code to be detected is malicious code. In the technical scheme of the application, the program code to be detected can be parsed by virtual machine technology, so that malicious code processed by deformation, obfuscation or encryption techniques can be identified, which solves the prior-art problem that such malicious code cannot be screened out.

Description

Method and device for detecting program code, and server
Technical field
The application relates to the field of software technology, and in particular to a method and device for detecting program code, and a server.
Background technology
In the prior art, code is identified by using regular expressions to retrieve or replace text or character strings that satisfy a specific pattern feature. When the program code has been deformed in various ways, regular expressions cannot screen out metamorphic malware whose form varies.
The content of the invention
In view of this, the application provides a new technical scheme that solves the prior-art problem that malicious code processed by deformation, obfuscation, encryption or similar techniques cannot be screened out.
To achieve the above object, the technical scheme provided by the application is as follows:
According to a first aspect of the application, a method for detecting program code is proposed, including:
after program code to be detected is input into a simulated program execution environment, performing lexical and syntactic parsing on the program code to be detected to obtain the parsed program code to be detected;
extracting first expression features from the parsed program code to be detected;
matching the first expression features against second expression features in a feature library to obtain a matching result, the feature library being used to record the expression features that occur in collected malicious code; and
determining, according to the matching result, whether the program code to be detected is malicious code.
According to a second aspect of the application, a method for detecting program code is proposed, including:
inputting program code to be detected into a simulated program execution environment;
tracking the execution behaviour of the program code to be detected in the simulated program execution environment; and
determining, according to the execution behaviour, whether the program code to be detected is malicious code.
According to a third aspect of the application, a device for detecting program code is proposed, including:
a parsing module, configured to perform, after program code to be detected is input into a simulated program execution environment, lexical and syntactic parsing on the program code to be detected to obtain the parsed program code to be detected;
a first extraction module, configured to extract first expression features from the program code to be detected parsed by the parsing module;
a matching module, configured to match the first expression features extracted by the first extraction module against second expression features in a feature library to obtain a matching result, the feature library being used to record the expression features that occur in collected malicious code; and
a first determining module, configured to determine, according to the matching result obtained by the matching module, whether the program code to be detected is malicious code.
According to a fourth aspect of the application, a device for detecting program code is proposed, including:
an input module, configured to input program code to be detected into a simulated program execution environment;
a second tracking module, configured to track, in the simulated program execution environment, the execution behaviour of the program code to be detected input by the input module; and
a third determining module, configured to determine, according to the execution behaviour obtained by the second tracking module, whether the program code to be detected is malicious code.
According to a fifth aspect of the invention, a server is proposed, the server including:
a processor, and a memory for storing instructions executable by the processor;
wherein the processor is configured to:
after program code to be detected is input into a simulated program execution environment, perform lexical and syntactic parsing on the program code to be detected to obtain the parsed program code to be detected;
extract first expression features from the parsed program code to be detected;
match the first expression features against second expression features in a feature library to obtain a matching result, the feature library being used to record the expression features that occur in collected malicious code; and
determine, according to the matching result, whether the program code to be detected is malicious code.
According to a sixth aspect of the invention, a server is proposed, the server including:
a processor, and a memory for storing instructions executable by the processor;
wherein the processor is configured to:
after program code to be detected is input into a simulated program execution environment, perform lexical and syntactic parsing on the program code to be detected to obtain the parsed program code to be detected;
track the execution behaviour of the program code to be detected in the simulated program execution environment; and
determine, according to the execution behaviour, whether the program code to be detected is malicious code.
It can be seen from the above technical scheme that the application parses program code to be detected in a simulated program execution environment, matches the first expression features in the parsed program code to be detected against the second expression features in the feature library, and determines from the matching result whether the program code to be detected is malicious code. Malicious code that has been processed by deformation, obfuscation or encryption techniques can thus be identified, which solves the prior-art problem that such malicious code cannot be screened out.
Brief description of the drawings
Figure 1A is a schematic flow chart of the method for detecting program code according to exemplary embodiment one of the present invention;
Figure 1B is a structural diagram of the virtual machine according to an exemplary embodiment of the present invention;
Fig. 2 is a schematic flow chart of the method for detecting program code according to exemplary embodiment two of the present invention;
Fig. 3 is a schematic flow chart of the method for detecting program code according to exemplary embodiment three of the present invention;
Fig. 4 is a schematic structural diagram of the server according to an exemplary embodiment of the present invention;
Fig. 5 is a schematic structural diagram of the device for detecting program code according to exemplary embodiment one of the present invention;
Fig. 6 is a schematic structural diagram of the device for detecting program code according to exemplary embodiment two of the present invention;
Fig. 7 is a schematic structural diagram of the device for detecting program code according to exemplary embodiment three of the present invention;
Fig. 8 is a schematic structural diagram of the device for detecting program code according to exemplary embodiment four of the present invention.
Embodiment
Exemplary embodiments will now be described in detail, examples of which are illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the application; rather, they are merely examples of apparatus and methods consistent with some aspects of the application as detailed in the appended claims.
The terminology used in this application is for the purpose of describing particular embodiments only and is not intended to limit the application. The singular forms "a", "said" and "the" used in this application and the appended claims are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third and the like may be used in this application to describe various information, such information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the application, first information may also be referred to as second information, and similarly second information may be referred to as first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
To further describe the application, the following examples are provided:
Figure 1A is a schematic flow chart of the method for detecting program code according to exemplary embodiment one of the present invention, and Figure 1B is a structural diagram of the virtual machine according to an exemplary embodiment of the present invention. The present embodiment can be applied on a server and implemented by installing a virtual machine program or a sandbox on the server. As shown in Figure 1A, it comprises the following steps:
Step 101: after program code to be detected is input into a simulated program execution environment, perform lexical and syntactic parsing on the program code to be detected to obtain the parsed program code to be detected.
Step 102: extract first expression features from the parsed program code to be detected.
Step 103: match the first expression features against second expression features in a feature library to obtain a matching result, the feature library being used to record the expression features that occur in collected malicious code.
Step 104: determine, according to the matching result, whether the program code to be detected is malicious code.
In step 101, the simulated program execution environment may be the environment in which a virtual machine program runs, or a virtual execution environment for network programming (also called a sandbox). The present embodiment takes the environment of a virtual machine program (referred to simply as the "virtual machine") as its example. The virtual machine can perform lexical and syntactic parsing on the program code to be detected according to preset parsing rules; for example, where the program code to be detected is malicious code that has been processed by deformation, obfuscation or encryption techniques, it is restored by a process that is the inverse of that deformation, obfuscation or encryption, which yields the parsed program code to be detected.
In step 102, malicious code generally contains character strings or signature codes that represent its own features, so the character strings or signature codes in the program code to be detected can be parsed out by prior-art analysis methods and taken as the first expression features.
In step 103, the first expression features and the second expression features can be string-matched to obtain a matching result; the matching result may be a similarity value representing the degree of similarity between the two.
In step 104, the matching result can be compared with a predetermined threshold: when the matching result is greater than or equal to the predetermined threshold, the program code to be detected is malicious code; when the matching result is less than the predetermined threshold, the program code to be detected is normal code.
In an exemplary scenario, as shown in Figure 1B, program code 11 to be detected is input into virtual machine 12. Virtual machine 12 first optimizes program code 11 to be detected; the optimization is, for example, noise reduction such as filtering out irrelevant characters in program code 11 to be detected. Lexical and syntactic parsing module 121 then performs lexical and syntactic parsing on program code 11 to be detected. Matching and identification module 122 extracts the first expression features from the parsed program code to be detected, matches them against the second expression features in feature library 10 to obtain a matching result, and determines from the matching result whether the program code to be detected is malicious code. In addition, dynamic execution module 123 can dynamically execute the restored program code 11 to be detected and identify from its execution behaviour whether the program code to be detected is malicious code.
Taking the Trojan represented by the following program code as an example, the Trojan code is as follows:
<?php
@$_="s"."s"/*-/*-*/."e"/*-/*-*/."r";
@$_=/*-/*-*/"a"/*-/*-*/.$_/*-/*-*/."t";
@$_/*-/*-*/($/*-/*-*/{"_P"./*-/*-*/"OS"./*-/*-*/"T"}
[/*-/*-*/0/*-/*-*/-/*-/*-*/2/*-/*-*/-/*-/*-*/5/*-/*-*/]);?>
Lexical analysis by lexical and syntactic parsing module 121 removes the comment interference and the redundant markers, giving the following code:
$_="s"."s"."e"."r";
$_="a".$_."t";
$_(${"_P"."OS"."T"}[0-2-5]);
Syntactic parsing by lexical and syntactic parsing module 121 then tracks the variables and restores the complex syntax, giving the following parsed code:
assert($_POST[0-2-5]);
It can be seen from the above description that the embodiment of the present invention parses program code to be detected in a simulated program execution environment, matches the first expression features in the parsed program code to be detected against the second expression features in the feature library, and determines from the matching result whether the program code to be detected is malicious code. Malicious code that has been processed by deformation, obfuscation or encryption techniques can thus be identified, which solves the prior-art problem that such malicious code cannot be screened out.
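Steps 101 to 104 applied to the Trojan above, as an added Python example that is not the patent's or Alibaba's own implementation: the cleaning regexes, the constant-folding rules, the feature library contents and the 0.8 threshold are assumptions, and the sample code is the page's Trojan reassembled with its concatenation operators (string literals containing "." are not handled).

```python
import re
from difflib import SequenceMatcher
from typing import Dict, List, Optional, Tuple

# Constructed sample: the obfuscated PHP Trojan from the description.
TROJAN = '''<?php
@$_="s"."s"/*-/*-*/."e"/*-/*-*/."r";
@$_=/*-/*-*/"a"/*-/*-*/.$_/*-/*-*/."t";
@$_/*-/*-*/($/*-/*-*/{"_P"./*-/*-*/"OS"./*-/*-*/"T"}
[/*-/*-*/0/*-/*-*/-/*-/*-*/2/*-/*-*/-/*-/*-*/5/*-/*-*/]);?>'''

# Constructed benign sample: same concatenation trick, no code-executing sink.
BENIGN = '<?php $greeting = "Hel" . "lo"; echo($greeting); ?>'

# Constructed feature library: "second expression features" recorded from collected
# malicious code, here the shape "code-executing function called on raw HTTP input".
FEATURE_DB = ["assert($_POST", "eval($_POST", "eval($_GET", "system($_GET"]

STRING_LITERAL = re.compile(r'"([^"]*)"')


def lexical_clean(src: str) -> str:
    """Step 101, lexical pass: strip comment interference, PHP tags, '@' and whitespace."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    src = re.sub(r"<\?php|\?>", "", src)
    src = src.replace("@", "")
    return re.sub(r"\s+", "", src)


def fold_concat(expr: str, env: Dict[str, str]) -> Optional[str]:
    """Fold a chain of string literals and already-tracked variables joined by '.'."""
    parts = []
    for piece in expr.split("."):
        if STRING_LITERAL.fullmatch(piece):
            parts.append(piece[1:-1])
        elif piece in env:
            parts.append(env[piece])
        else:
            return None  # not a pure constant expression
    return "".join(parts)


def syntactic_parse(code: str) -> List[str]:
    """Step 101, syntactic pass: track variables, restore variable-variables and dynamic calls."""
    env: Dict[str, str] = {}
    restored: List[str] = []
    for stmt in filter(None, code.split(";")):
        assign = re.fullmatch(r"(\$\w+)=(.*)", stmt)
        if assign:
            value = fold_concat(assign.group(2), env)
            if value is not None:
                env[assign.group(1)] = value  # constant assignment: remember it, emit nothing
                continue
        # ${"_P"."OS"."T"} -> $_POST
        stmt = re.sub(r"\$\{([^}]*)\}",
                      lambda m: "$" + (fold_concat(m.group(1), env) or m.group(1)), stmt)
        # $_( ... ) -> assert( ... ) when the callee variable holds a known string
        stmt = re.sub(r"(\$\w+)\(", lambda m: env.get(m.group(1), m.group(1)) + "(", stmt)
        restored.append(stmt)
    return restored


def extract_features(stmts: List[str]) -> List[str]:
    """Step 102: the first expression features are 'function($variable' call shapes."""
    return [m.group(0) for s in stmts for m in re.finditer(r"\w+\(\$\w+", s)]


def match_features(feats: List[str], db: List[str]) -> float:
    """Step 103: string-match against the library; the result is the best similarity value."""
    return max((SequenceMatcher(None, f, ref).ratio() for f in feats for ref in db), default=0.0)


def detect(src: str, db: List[str] = FEATURE_DB,
           threshold: float = 0.8) -> Tuple[List[str], float, bool]:
    """Steps 101-104: returns (parsed statements, similarity value, malicious?)."""
    stmts = syntactic_parse(lexical_clean(src))
    score = match_features(extract_features(stmts), db)
    return stmts, score, score >= threshold  # Step 104: compare with the predetermined threshold


if __name__ == "__main__":
    for name, sample in (("trojan", TROJAN), ("benign", BENIGN)):
        stmts, score, malicious = detect(sample)
        print(f"{name}: parsed={stmts} similarity={score:.2f} malicious={malicious}")
```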
Fig. 2 is a schematic flow chart of the method for detecting program code according to exemplary embodiment two of the present invention. The present embodiment takes as its example how a secondary detection of malicious code is realized when the Figure 1A embodiment determines from the matching result that the program code to be detected is normal code, and describes it with reference to Figure 1B. As shown in Fig. 2, it comprises the following steps:
Step 201: after program code to be detected is passed into the virtual machine serving as the simulated program execution environment, perform lexical and syntactic parsing on the program code to be detected to obtain the parsed program code to be detected.
Step 202: extract first expression features from the parsed program code to be detected.
Step 203: match the first expression features against second expression features in a feature library to obtain a matching result, the feature library being used to record the expression features that occur in collected malicious code.
Step 204: determine, according to the matching result, whether the program code to be detected is malicious code; when the matching result shows that the program code to be detected is normal code, perform step 205; when the matching result shows that it is malicious code, the identification result is obtained and the flow ends.
Step 205: when the program code to be detected is determined from the matching result to be normal code, track the execution behaviour of the parsed program code to be detected in the virtual machine.
Step 206: determine whether the execution behaviour hits a preset abnormal behaviour; when it does, perform step 207; when it does not, perform step 210.
Step 207: when the execution behaviour hits the preset abnormal behaviour, determine that the program code to be detected is malicious code.
Step 208: when the program code to be detected is determined to be malicious code, extract the expression features in the program code to be detected.
Step 209: update the expression features in the program code to be detected into the feature library.
Step 210: when the execution behaviour does not hit the preset abnormal behaviour, determine that the program code to be detected is normal code.
For the description of steps 201 to 204, refer to the Figure 1A embodiment above; it is not repeated here.
In steps 205 to 207, the preset abnormal behaviour may be a set of rules, configured inside the virtual machine, for representing abnormal behaviour; if the program code to be detected hits a rule representing abnormal behaviour during dynamic execution, it can be identified as malicious code.
For example, a deformed Trojan may take external data submitted by the GET or POST method of the HTTP protocol, process and pass it along, and finally pass it into the eval function for execution. Where steps 201 to 204 above have identified the code as non-malicious, the application taint-marks the data at the point where the code obtains the HTTP GET or POST data; when dynamic execution module 123 reaches the eval function, the rule configured inside the virtual machine for representing abnormal behaviour is: if the eval function is passed tainted data, the deformed Trojan is identified as malicious code.
On the basis of the beneficial effects of the above embodiment, the present embodiment handles the case where program code under detection has been mis-identified by expression-feature matching: the code is executed in the simulated program execution environment and whether it is malicious code is further identified from its execution behaviour, which improves the accuracy of code detection. By updating the expression features of the program code to be detected into the feature library, the expression features recorded in the feature library as occurring in malicious code are enriched, which in turn improves the accuracy of identifying malicious code by expression-feature matching.
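Steps 205 to 210 and the eval taint rule above, as an added Python example that is not the patent's own code: the dynamic execution module is assumed to emit a trace of (op, ...) events in a constructed format, and the rule set, the taint sources and the expression-feature string written back to the library are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed rule set "for representing abnormal behaviour" inside the virtual machine:
# a code-executing sink invoked with data tainted by an HTTP GET/POST source.
TAINT_SOURCES = {"GET", "POST"}
ABNORMAL_SINKS = {"eval", "assert", "system"}


@dataclass
class Value:
    data: str
    taint: Set[str] = field(default_factory=set)  # HTTP sources this value derives from


@dataclass
class Verdict:
    malicious: bool
    rule_hit: Optional[str] = None  # description of the abnormal behaviour that was hit
    feature: Optional[str] = None   # expression feature to update into the feature library


def track_execution(trace: List[tuple]) -> Verdict:
    """Steps 205-207 and 210: replay the trace, propagating taint, until a rule hits.

    Trace events (constructed format, assumed to come from the dynamic execution module):
      ("input",  dst, source, key)   dst = $_<source>[key]   -> taint-marked
      ("const",  dst, literal)       dst = literal
      ("concat", dst, [src, ...])    dst = src . src ...     -> taint is the union
      ("call",   func, [arg, ...])   func(arg, ...)          -> checked against the rules
    """
    env: Dict[str, Value] = {}
    for event in trace:
        op = event[0]
        if op == "input":
            _, dst, source, key = event
            taint = {source} if source in TAINT_SOURCES else set()
            env[dst] = Value(f"$_{source}[{key!r}]", taint)
        elif op == "const":
            _, dst, literal = event
            env[dst] = Value(literal)
        elif op == "concat":
            _, dst, srcs = event
            env[dst] = Value("".join(env[s].data for s in srcs),
                             set().union(*(env[s].taint for s in srcs)))
        elif op == "call":
            _, func, args = event
            tainted = sorted({src for a in args for src in env[a].taint})
            if func in ABNORMAL_SINKS and tainted:  # Step 206: preset abnormal behaviour hit
                return Verdict(True,
                               f"{func}() invoked with data tainted by {tainted}",
                               f"{func}($_{tainted[0]}")  # Step 208: expression feature
        else:
            raise ValueError(f"unknown trace op {op!r}")
    return Verdict(False)  # Step 210: no rule hit, normal code


def update_feature_db(db: List[str], verdict: Verdict) -> List[str]:
    """Step 209: feed the newly identified expression feature back into the feature library."""
    if verdict.malicious and verdict.feature and verdict.feature not in db:
        db.append(verdict.feature)
    return db


# Constructed traces: the deformed Trojan of the description (POST data passed along into
# eval), an eval of a constant string, and code that merely echoes GET input.
TROJAN_TRACE = [
    ("input", "v1", "POST", "cmd"),
    ("const", "v2", "return "),
    ("concat", "v3", ["v2", "v1"]),
    ("call", "eval", ["v3"]),
]
CONST_EVAL_TRACE = [
    ("const", "v1", "1+1;"),
    ("call", "eval", ["v1"]),
]
ECHO_TRACE = [
    ("input", "v1", "GET", "name"),
    ("const", "v2", "Hello, "),
    ("concat", "v3", ["v2", "v1"]),
    ("call", "echo", ["v3"]),
]

if __name__ == "__main__":
    db: List[str] = ["assert($_POST"]
    for name, trace in (("trojan", TROJAN_TRACE), ("const eval", CONST_EVAL_TRACE),
                        ("echo", ECHO_TRACE)):
        verdict = track_execution(trace)
        update_feature_db(db, verdict)
        print(f"{name}: malicious={verdict.malicious} rule={verdict.rule_hit}")
    print("feature library:", db)
```

Only taint reaching a sink fires the rule, so eval of a constant and echo of tainted input both stay classified as normal code.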
Fig. 3 is a schematic flow chart of the method for detecting program code according to exemplary embodiment three of the present invention. The present embodiment takes as its example identifying whether program code to be detected is malicious code directly from the execution behaviour of the program code to be detected in the virtual machine, and describes it with reference to Figure 1B. As shown in Fig. 3, it comprises the following steps:
Step 301: input program code to be detected into a simulated program execution environment.
Step 302: track the execution behaviour of the parsed program code to be detected in the simulated program execution environment.
Step 303: determine whether the execution behaviour hits a preset abnormal behaviour; when it does, perform step 304; when it does not, perform step 307.
Step 304: when the execution behaviour hits the preset abnormal behaviour, determine that the program code to be detected is malicious code.
Step 305: when the program code to be detected is determined to be malicious code, extract the expression features in the program code to be detected.
Step 306: update the expression features in the program code to be detected into the feature library.
Step 307: when the execution behaviour does not hit the preset abnormal behaviour, determine that the program code to be detected is normal code.
The present embodiment differs from the Fig. 2 embodiment above in that program code 11 to be detected is dynamically executed directly by dynamic execution module 123, and whether the program code to be detected is malicious code is identified from its execution behaviour. For the description of the preset abnormal behaviour, refer to the Fig. 2 embodiment above; it is not repeated here.
In the present embodiment, the execution behaviour of the program code to be detected is tracked in the simulated program execution environment, and whether the program code to be detected is malicious code is further identified from that execution behaviour, which improves the accuracy of code detection.
Corresponding to the above method for detecting program code, the application also proposes the server shown in Fig. 4, a schematic structural diagram of a server according to an exemplary embodiment of the application. Referring to Fig. 4, at the hardware level the server includes a processor, an internal bus, a network interface, memory and non-volatile storage, and may of course also include hardware required by other services. The processor reads the corresponding computer program from the non-volatile storage into memory and runs it, forming the device for detecting program code at the logical level. Besides a software implementation, the application does not exclude other implementations, such as a logic device or a combination of software and hardware; that is, the execution body of the following processing flow is not limited to each logic unit and may also be hardware or a logic device.
Fig. 5 is a schematic structural diagram of the device for detecting program code according to exemplary embodiment one of the present invention. As shown in Fig. 5, the device for detecting program code can include parsing module 51, first extraction module 52, matching module 53 and first determining module 54, wherein:
parsing module 51 is configured to perform, after program code to be detected is input into a simulated program execution environment, lexical and syntactic parsing on the program code to be detected to obtain the parsed program code to be detected;
first extraction module 52 is configured to extract first expression features from the program code to be detected parsed by parsing module 51;
matching module 53 is configured to match the first expression features extracted by first extraction module 52 against second expression features in a feature library to obtain a matching result, the feature library being used to record the expression features that occur in collected malicious code; and
first determining module 54 is configured to determine, according to the matching result obtained by matching module 53, whether the program code to be detected is malicious code.
Fig. 6 is a schematic structural diagram of the device for detecting program code according to exemplary embodiment two of the present invention. As shown in Fig. 6, on the basis of the Fig. 5 embodiment above, the device may further include:
first tracking module 55, configured to track the execution behaviour of the parsed program code to be detected when first determining module 54 determines from the matching result that the program code to be detected is normal code; and
second determining module 56, configured to determine, according to the execution behaviour obtained by first tracking module 55, whether the program code to be detected is malicious code.
In one embodiment, second determining module 56 may include:
first determining unit 561, configured to determine whether the execution behaviour hits a preset abnormal behaviour;
second determining unit 562, configured to determine that the program code to be detected is malicious code when first determining unit 561 determines that the execution behaviour hits the preset abnormal behaviour; and
third determining unit 563, configured to determine that the program code to be detected is normal code when first determining unit 561 determines that the execution behaviour does not hit the preset abnormal behaviour.
In one embodiment, the device may further include:
second extraction module 57, configured to extract the expression features in the program code to be detected when second determining unit 562 determines that the program code to be detected is malicious code; and
update module 58, configured to update the expression features in the program code to be detected extracted by second extraction module 57 into the feature library.
Fig. 7 is a schematic structural diagram of the device for detecting program code according to exemplary embodiment three of the present invention. As shown in Fig. 7, the device for detecting program code can include input module 71, second tracking module 72 and third determining module 73, wherein:
input module 71 is configured to input program code to be detected into a simulated program execution environment;
second tracking module 72 is configured to track, in the simulated program execution environment, the execution behaviour of the program code to be detected input by input module 71; and
third determining module 73 is configured to determine, according to the execution behaviour obtained by second tracking module 72, whether the program code to be detected is malicious code.
Fig. 8 is a schematic structural diagram of the device for detecting program code according to exemplary embodiment four of the present invention. As shown in Fig. 8, on the basis of the Fig. 7 embodiment above, third determining module 73 may include:
fourth determining unit 731, configured to determine whether the execution behaviour hits a preset abnormal behaviour;
fifth determining unit 732, configured to determine that the program code to be detected is malicious code when fourth determining unit 731 determines that the execution behaviour hits the preset abnormal behaviour; and
sixth determining unit 733, configured to determine that the program code to be detected is normal code when fourth determining unit 731 determines that the execution behaviour does not hit the preset abnormal behaviour.
It can be seen from the above embodiments that the application parses program code to be detected in a simulated program execution environment, matches the first expression features in the parsed program code to be detected against the second expression features in the feature library, and determines from the matching result whether the program code to be detected is malicious code. Malicious code that has been processed by deformation, obfuscation or encryption techniques can thus be identified, which solves the prior-art problem that such malicious code cannot be screened out.
Other embodiments of the application will readily occur to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. The application is intended to cover any variations, uses or adaptations of the application that follow its general principles and include such departures from the present disclosure as come within known or customary practice in the art. The specification and examples are to be considered exemplary only, with the true scope and spirit of the application being indicated by the following claims.
It should also be noted that the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The foregoing is merely the preferred embodiment of the application and is not intended to limit the application; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the application shall be included within the scope of protection of the application.

Claims (14)

1. A method for detecting program code, characterised in that the method comprises:
after the program code to be detected has been input into an environment that simulates program execution, performing lexical and syntactic parsing on the program code to be detected to obtain the parsed program code;
extracting first expression features from the parsed program code;
matching the first expression features against second expression features in a feature database to obtain a matching result, the feature database recording the expression features that occur in collected malicious code;
determining from the matching result whether the program code to be detected is malicious code.
2. The method according to claim 1, characterised in that the method further comprises:
when the program code to be detected is determined from the matching result to be normal code, tracking the execution behaviour of the parsed program code in the virtual machine;
determining from the execution behaviour whether the program code to be detected is malicious code.
3. The method according to claim 2, characterised in that determining from the execution behaviour whether the program code to be detected is malicious code comprises:
determining whether the execution behaviour hits a preset abnormal behaviour;
when the execution behaviour hits the preset abnormal behaviour, determining that the program code to be detected is malicious code;
when the execution behaviour does not hit the preset abnormal behaviour, determining that the program code to be detected is normal code.
4. The method according to claim 3, characterised in that the method further comprises:
when the program code to be detected is determined to be malicious code, extracting the expression features in the program code to be detected;
updating the feature database with the expression features extracted from the program code to be detected.
5. A method for detecting program code, characterised in that the method comprises:
inputting the program code to be detected into an environment that simulates program execution;
tracking the execution behaviour of the program code to be detected in the simulated execution environment;
determining from the execution behaviour whether the program code to be detected is malicious code.
6. The method according to claim 5, characterised in that determining from the execution behaviour whether the program code to be detected is malicious code comprises:
determining whether the execution behaviour hits a preset abnormal behaviour;
when the execution behaviour hits the preset abnormal behaviour, determining that the program code to be detected is malicious code;
when the execution behaviour does not hit the preset abnormal behaviour, determining that the program code to be detected is normal code.
7. A device for detecting program code, characterised in that the device comprises:
a parsing module, configured to perform lexical and syntactic parsing on the program code to be detected after it has been input into an environment that simulates program execution, so as to obtain the parsed program code;
a first extraction module, configured to extract first expression features from the parsed program code produced by the parsing module;
a matching module, configured to match the first expression features extracted by the first extraction module against second expression features in a feature database and obtain a matching result, the feature database recording the expression features that occur in collected malicious code;
a first determining module, configured to determine from the matching result obtained by the matching module whether the program code to be detected is malicious code.
8. The device according to claim 7, characterised in that the device further comprises:
a first tracking module, configured to track the execution behaviour of the parsed program code when the first determining module determines from the matching result that the program code to be detected is normal code;
a second determining module, configured to determine from the execution behaviour obtained by the first tracking module whether the program code to be detected is malicious code.
9. The device according to claim 8, characterised in that the second determining module comprises:
a first determining unit, configured to determine whether the execution behaviour hits a preset abnormal behaviour;
a second determining unit, configured to determine that the program code to be detected is malicious code when the first determining unit determines that the execution behaviour hits the preset abnormal behaviour;
a third determining unit, configured to determine that the program code to be detected is normal code when the first determining unit determines that the execution behaviour does not hit the preset abnormal behaviour.
10. The device according to claim 9, characterised in that the device further comprises:
a second extraction module, configured to extract the expression features in the program code to be detected when the second determining unit determines that the program code to be detected is malicious code;
an update module, configured to update the feature database with the expression features extracted by the second extraction module from the program code to be detected.
11. A device for detecting program code, characterised in that the device comprises:
an input module, configured to input the program code to be detected into an environment that simulates program execution;
a second tracking module, configured to track, in the simulated execution environment, the execution behaviour of the program code to be detected that was input by the input module;
a third determining module, configured to determine from the execution behaviour obtained by the second tracking module whether the program code to be detected is malicious code.
12. The device according to claim 11, characterised in that the third determining module comprises:
a fourth determining unit, configured to determine whether the execution behaviour hits a preset abnormal behaviour;
a fifth determining unit, configured to determine that the program code to be detected is malicious code when the fourth determining unit determines that the execution behaviour hits the preset abnormal behaviour;
a sixth determining unit, configured to determine that the program code to be detected is normal code when the fourth determining unit determines that the execution behaviour does not hit the preset abnormal behaviour.
13. A server, characterised in that the server comprises:
a processor; and a memory for storing instructions executable by the processor;
wherein the processor is configured to:
after the program code to be detected has been input into an environment that simulates program execution, perform lexical and syntactic parsing on the program code to be detected to obtain the parsed program code;
extract first expression features from the parsed program code;
match the first expression features against second expression features in a feature database to obtain a matching result, the feature database recording the expression features that occur in collected malicious code;
determine from the matching result whether the program code to be detected is malicious code.
14. A server, characterised in that the server comprises:
a processor; and a memory for storing instructions executable by the processor;
wherein the processor is configured to:
after the program code to be detected has been input into the virtual machine of an environment that simulates program execution, perform lexical and syntactic parsing on the program code to be detected to obtain the parsed program code;
track the execution behaviour of the parsed program code in the simulated execution environment;
determine from the execution behaviour whether the program code to be detected is malicious code.
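The two-stage pipeline that the summary above and claims 1 to 6 describe, shown as an added example written for this page; it is not code from the patent or from Alibaba. It assumes Python as the language being inspected, so the "lexical and syntactic parsing" is Python's own `ast` module, and an expression feature is rendered as a call chain such as `exec(base64.b64decode(...))`. The seed feature database, the preset abnormal behaviour names (`spawn_process`, `outbound_connect`), the stub `os` and `socket` modules, and the three sample scripts are all constructed for the example. The behaviour-tracking stage hooks the sample's imports and runs it in the analysis process, which only illustrates the matching logic: the patent places that stage inside a virtual machine, and any real deployment must too.

```python
import ast
import base64
import builtins
import codecs
import importlib
import types

# Stage-1 feature database: expression features seen in collected malicious samples
# (constructed seed values). Stage-2 abnormal behaviours are prefixes of recorded events.
SEED_FEATURE_DB = {"exec(base64.b64decode(...))", "eval(compile(...))"}
PRESET_ABNORMAL = ("spawn_process", "outbound_connect")
HARMLESS_MODULES = {"base64", "codecs", "math"}  # importable unstubbed in the tracker


def _dotted(node):
    """'os.system' for Name/Attribute chains, None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def extract_expression_features(source):
    """Lexical and syntactic parse, then one feature per call expression:
    'exec(...)', or 'exec(base64.b64decode(...))' when an argument is itself a call."""
    feats = set()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or _dotted(node.func) is None:
            continue
        inner = [f"{_dotted(a.func)}(...)" for a in node.args if isinstance(a, ast.Call) and _dotted(a.func)]
        feats.add(f"{_dotted(node.func)}({', '.join(inner) or '...'})")
    return feats


class BehaviorTracker:
    """Instrumented run: process spawns and socket connects become recorded events.
    This is NOT isolation; the patent puts this stage inside a virtual machine."""

    def __init__(self):
        self.events = []
        self.stubs = self._stub_modules()

    def _record(self, event):
        self.events.append(event)
        return 0

    def _stub_modules(self):
        tracker = self
        os_mod = types.ModuleType("os")
        os_mod.system = lambda cmd: tracker._record(f"spawn_process:{cmd}")

        class FakeSocket:
            def __init__(self, *a, **k): pass
            def connect(self, addr): tracker._record(f"outbound_connect:{addr[0]}:{addr[1]}")

        sock = types.ModuleType("socket")
        sock.socket = FakeSocket
        return {"os": os_mod, "socket": sock}

    def _import(self, name, globals=None, locals=None, fromlist=(), level=0):
        if name in self.stubs:
            return self.stubs[name]
        if name in HARMLESS_MODULES:
            return importlib.import_module(name)
        self._record(f"import:{name}")
        raise ImportError(f"{name} is not available in the tracking environment")

    def run(self, source):
        safe_builtins = dict(vars(builtins))  # exec/eval stay so decoded payloads really run
        safe_builtins["__import__"] = self._import
        ns = {"__builtins__": safe_builtins, "__name__": "__sample__"}
        try:
            exec(compile(source, "<sample>", "exec"), ns)
        except Exception as exc:
            self._record(f"exception:{type(exc).__name__}")
        return self.events


def detect(source, feature_db, abnormal=PRESET_ABNORMAL):
    """(verdict, stage): stage 1 matches features; stage 2 tracks behaviour for samples
    stage 1 calls normal and, on a hit, feeds the chained-call features back (claim 4)."""
    feats = extract_expression_features(source)
    if feats & feature_db:
        return "malicious", "static"
    events = BehaviorTracker().run(source)
    if any(e.startswith(p) for e in events for p in abnormal):
        feature_db |= {f for f in feats if f.count("(") > 1}  # chained calls only; keeps 'math.sqrt(...)' out
        return "malicious", "dynamic"
    return "normal", "dynamic"


# Constructed samples: two obfuscations of the same PAYLOAD, plus one benign script.
PAYLOAD = "import os\nos.system('id')\n"
SAMPLE_KNOWN = "import base64\nexec(base64.b64decode(%r))\n" % base64.b64encode(PAYLOAD.encode())
SAMPLE_UNKNOWN = "import codecs\nexec(codecs.decode(%r, 'rot13'))\n" % codecs.encode(PAYLOAD, "rot13")
SAMPLE_BENIGN = "import math\nresult = math.sqrt(16)\n"

if __name__ == "__main__":
    db = set(SEED_FEATURE_DB)
    for name, sample in [("known", SAMPLE_KNOWN), ("unknown", SAMPLE_UNKNOWN), ("benign", SAMPLE_BENIGN)]:
        print(name, detect(sample, db))
    print("unknown again:", detect(SAMPLE_UNKNOWN, db))  # caught statically after the DB update
```

The rot13 variant never matches the seed database, so it reaches the tracker, where the decoded payload's `os.system` call hits `spawn_process`; the sample's `exec(codecs.decode(...))` chain is then pushed into the database and the same sample is caught statically on the next run. Two caveats a practitioner should keep in mind: the second stage only sees what the sample chooses to do inside the simulated environment, so code that checks for its real target before acting produces no abnormal behaviour there, and the feedback into the feature database needs curation (here, only chained calls are added), or common benign expressions will end up as signatures.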
CN201610192199.1A 2016-03-30 2016-03-30 Detect method and device, the server of program code Pending CN107292168A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610192199.1A CN107292168A (en) 2016-03-30 2016-03-30 Detect method and device, the server of program code

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610192199.1A CN107292168A (en) 2016-03-30 2016-03-30 Detect method and device, the server of program code

Publications (1)

Publication Number Publication Date
CN107292168A true CN107292168A (en) 2017-10-24

Family

ID=60087988

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610192199.1A Pending CN107292168A (en) 2016-03-30 2016-03-30 Detect method and device, the server of program code

Country Status (1)

Country Link
CN (1) CN107292168A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110008462A (en) * 2018-01-05 2019-07-12 阿里巴巴集团控股有限公司 A kind of command sequence detection method and command sequence processing method
CN112612516A (en) * 2020-12-30 2021-04-06 瑞庭网络技术(上海)有限公司 Code processing method and device
US11449799B1 (en) * 2020-01-30 2022-09-20 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
US11477016B1 (en) 2019-09-10 2022-10-18 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
US11533175B1 (en) 2020-01-30 2022-12-20 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography on a smartcard
US11626983B1 (en) 2019-09-10 2023-04-11 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
US11727829B1 (en) 2020-01-30 2023-08-15 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
US11736281B1 (en) 2019-09-10 2023-08-22 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
US11838410B1 (en) 2020-01-30 2023-12-05 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100031353A1 (en) * 2008-02-04 2010-02-04 Microsoft Corporation Malware Detection Using Code Analysis and Behavior Monitoring
CN102682229A (en) * 2011-03-11 2012-09-19 北京市国路安信息技术有限公司 Malicious code behavior detection method based on virtualization technology
CN102737019A (en) * 2011-03-31 2012-10-17 阿里巴巴集团控股有限公司 Machine behavior determining method, webpage browser and webpage server
CN103221960A (en) * 2012-12-10 2013-07-24 华为技术有限公司 Detection method and apparatus of malicious code
CN103310150A (en) * 2012-03-13 2013-09-18 百度在线网络技术(北京)有限公司 Method and device for detecting portable document format (PDF) vulnerability
CN103488947A (en) * 2013-10-11 2014-01-01 北京金山网络科技有限公司 Method and device for identifying instant messaging client-side account number stealing Trojan horse program
CN103500305A (en) * 2013-09-04 2014-01-08 中国航天科工集团第二研究院七〇六所 System and method for malicious code analysis based on cloud computing
CN103761481A (en) * 2014-01-23 2014-04-30 北京奇虎科技有限公司 Method and device for automatically processing malicious code sample
CN104933366A (en) * 2015-07-17 2015-09-23 成都布林特信息技术有限公司 Mobile terminal application program processing method

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110008462A (en) * 2018-01-05 2019-07-12 阿里巴巴集团控股有限公司 A kind of command sequence detection method and command sequence processing method
CN110008462B (en) * 2018-01-05 2023-09-01 阿里巴巴集团控股有限公司 Command sequence detection method and command sequence processing method
US11477016B1 (en) 2019-09-10 2022-10-18 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
US11626983B1 (en) 2019-09-10 2023-04-11 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
US11736281B1 (en) 2019-09-10 2023-08-22 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
US11750378B1 (en) 2019-09-10 2023-09-05 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
US11902431B1 (en) 2019-09-10 2024-02-13 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
US11449799B1 (en) * 2020-01-30 2022-09-20 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
US11533175B1 (en) 2020-01-30 2022-12-20 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography on a smartcard
US11727310B1 (en) 2020-01-30 2023-08-15 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
US11727829B1 (en) 2020-01-30 2023-08-15 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
US11838410B1 (en) 2020-01-30 2023-12-05 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
CN112612516A (en) * 2020-12-30 2021-04-06 瑞庭网络技术(上海)有限公司 Code processing method and device

Similar Documents

Publication Publication Date Title
CN107292168A (en) Detect method and device, the server of program code
EP3651043B1 (en) Url attack detection method and apparatus, and electronic device
US11188650B2 (en) Detection of malware using feature hashing
US9253208B1 (en) System and method for automated phishing detection rule evolution
CN109583200B (en) Program abnormity analysis method based on dynamic taint propagation
CN112866023B (en) Network detection method, model training method, device, equipment and storage medium
US20190034632A1 (en) Method and system for static behavior-predictive malware detection
CN106326737B (en) System and method for detecting the harmful file that can be executed on virtual stack machine
CN103500308A (en) System and method for countering detection of emulation by malware
CN108009425A (en) File detects and threat level decision method, apparatus and system
US11665135B2 (en) Domain name processing systems and methods
CN104156490A (en) Method and device for detecting suspicious fishing webpage based on character recognition
CN107247902A (en) Malware categorizing system and method
CN105653949B (en) A kind of malware detection methods and device
Zhu et al. Android malware detection based on multi-head squeeze-and-excitation residual network
US11797668B2 (en) Sample data generation apparatus, sample data generation method, and computer readable medium
US11531748B2 (en) Method and system for autonomous malware analysis
CN104462985A (en) Detecting method and device of bat loopholes
US11206277B1 (en) Method and apparatus for detecting abnormal behavior in network
CN111651768B (en) Method and device for identifying link library function name of computer binary program
CN109983459A (en) Method and apparatus for identifying the counting of the N-GRAM occurred in corpus
CN110213255A (en) A kind of pair of host carries out the method, apparatus and electronic equipment of trojan horse detection
CN106415577A (en) Systems and methods for identifying a source of a suspect event
CN112200196A (en) Phishing website detection method, device, equipment and computer readable storage medium
CN104462311A (en) Information displaying method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20171024