CN107657176A - Method for identifying and analyzing unknown malicious code based on behavior analysis


Info

Publication number: CN107657176A
Application number: CN201710884189.9A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 杨佳, 常清雪
Current assignee: Sichuan Changhong Electric Co Ltd
Original assignee: Sichuan Changhong Electric Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

The invention discloses a method for identifying and analyzing unknown malicious code based on behavior analysis. The method uses a host that exposes application programming interfaces and contains a response center, a control center and an analysis center. The invention can analyze changes to the file system, the system registry, network information, process information and dynamic link libraries, as well as the use of virtual memory regions, and can thereby describe from multiple dimensions the whole behavior of unknown malicious code while it runs.

Description

Method for identifying and analyzing unknown malicious code based on behavior analysis
Technical field
The present invention relates to the technical field of computer network security, and in particular to a method for identifying and analyzing unknown malicious code based on behavior analysis.
Background technology
With the sharp rise in the quantity of malicious code and the constant growth in the number of malicious code families, the accuracy of finding malicious code by signature-database matching is steadily declining. How to accurately identify and analyze unknown malicious code is therefore an important current research direction.
Current malware uses techniques such as junk code insertion, code block reordering, register reassignment and equivalent-code substitution to evade traditional signature-based anti-malware detection. To address this problem, many vendors use sandboxes to strengthen their ability to detect malicious code attacks.
When malicious code is detected with a sandbox, the judgement of malicious behavior is still essentially based on feature matching. For example, the Chinese patent application CN201410032004.8, a method and device for automatically processing malicious code samples, proposes extracting and matching static features, with dynamic-feature matching only as a supplement. Although many sandboxes also apply dynamic analysis, the dynamic analysis process has the problem that the execution trace of the file under test cannot be faithfully reproduced in the sandbox environment.
The content of the invention
In view of the shortcomings of the prior art, the object of the present invention is to provide a method for identifying and analyzing unknown malicious code based on behavior analysis, which can analyze changes to the file system, the system registry, network information, process information and dynamic link libraries, as well as the use of virtual memory regions, and can describe from multiple dimensions the whole behavior of unknown malicious code while it runs.
The object of the present invention is achieved through the following technical solution:
A method for identifying and analyzing unknown malicious code based on behavior analysis uses a host that exposes application programming interfaces and contains a response center, a control center and an analysis center. The method is as follows:
A. The response center performs the following:
A1. Monitor the API sequences called on the host, and record them;
A2. Monitor the application programming interfaces called by the sample loaded on the host, and record them;
A3. Monitor the host's running state and network information, and record them;
A4. Send the recorded information, as one unit, to the control center.
B. The control center performs the following:
B1. Receive the instructions issued by the analysis center and process them;
B2. Issue the instructions processed in step B1 to the response center;
B3. Receive the data sent by the response center and classify it;
B4. Send the data classified in step B3 to the analysis center, each class separately.
C. The analysis center performs the following:
C1. Issue module call instructions to the control center;
C2. Compare the API sequences called by the sample on the host with the API sequences called by trusted legitimate programs;
C3. Compare the application programming interfaces called by the sample on the host with the application programming interfaces called by trusted legitimate programs;
C4. Generate the sample operation footprint information;
C5. From the sample footprint information of step C4, draw the sample operation footprint diagram;
C6. Label each item of the sample footprint information of step C4 with a threat level, and outline the sample threat footprint diagram;
C7. Generate the analysis report model of the detailed behavior.
Compared with the prior art, the present invention has the following advantages and beneficial effects:
The present invention can analyze changes to the file system, the system registry, network information, process information and dynamic link libraries, as well as the use of virtual memory regions, and can describe from multiple dimensions the whole behavior of unknown malicious code while it runs.
Brief description of the drawings
Fig. 1 is a schematic flow chart of the present invention;
Fig. 2 is an example of the sample operation footprint diagram in the embodiment of the present invention;
Fig. 3 is an example of the sample threat footprint diagram in the embodiment of the present invention.
Embodiment
The present invention is described in further detail below with reference to an embodiment:
Embodiment
As shown in Figs. 1 to 3, the method for identifying and analyzing unknown malicious code based on behavior analysis uses a host that exposes application programming interfaces and contains a response center, a control center and an analysis center. The work and function of the three program modules in the host, the response center, the control center and the analysis center, are as follows:
Function of the response center: (1) Behavior logging: while the unknown malicious code runs, it monitors the API sequences called on the host and the application programming interfaces called in the system, observes the API sequences and application programming interfaces called by the unknown malicious code against those called by legitimate programs, captures the dynamic behavior of the malicious code, and reports the log. (2) Response control: it takes the corresponding action (such as start or stop) according to the control information issued by the control center, and forwards the collected data to the control center.
Function of the control center: it is the interface between the response center and the analysis center. It receives the data sent by the response center, performs preliminary processing, and then forwards it to the analysis center. When the control center receives a control command sent by the analysis center, it sends the command on to the response center.
Function of the analysis center: it contains a central database that stores all behavior logs and suspect program samples. The analysis center analyzes and processes the behavior logs, draws the program operation footprint diagram from the behavior analysis, and at the same time generates a detailed behavior analysis report. The main contents of the report are: changes to the file system, changes to the system registry, changes to the network information, changes to the process information, changes to dynamic link libraries and the use of virtual memory regions, describing from multiple dimensions the whole behavior of the unknown malicious code while it runs.
The method is as follows:
A. The response center performs the following:
A1. Monitor the API sequences called on the host, and record them;
A2. Monitor the application programming interfaces called by the sample loaded on the host, and record them;
A3. Monitor the host's running state and network information, and record them;
A4. Send the recorded information, as one unit, to the control center.
B. The control center performs the following:
B1. Receive the instructions issued by the analysis center and process them;
B2. Issue the instructions processed in step B1 to the response center;
B3. Receive the data sent by the response center and classify it;
B4. Send the data classified in step B3 to the analysis center, each class separately.
C. The analysis center performs the following:
C1. Issue module call instructions to the control center;
C2. Compare the API sequences called by the sample on the host with the API sequences called by trusted legitimate programs;
C3. Compare the application programming interfaces called by the sample on the host with the application programming interfaces called by trusted legitimate programs;
C4. Generate the sample operation footprint information;
C5. From the sample footprint information of step C4, draw the sample operation footprint diagram;
C6. Label each item of the sample footprint information of step C4 with a threat level, and outline the sample threat footprint diagram;
C7. Generate the analysis report model of the detailed behavior.
As shown in Fig. 1, the unknown malicious code identification and analysis method of the present invention comprises the following steps:
1. Start the malicious code detection and analysis system;
2. Import the suspect program sample to be detected;
3. The analysis center sends instructions to the control center;
4. The control center sends the instructions to each functional module of the response center;
5. Following the instructions issued by the control center, the response center monitors the API sequences called on the host, the application programming interfaces called by the sample, the host running state, the network information and so on, and records each of them;
6. The response center sends the recorded data (including the sample program, the behavior log and other information) to the control center;
7. The control center classifies the data sent by the response center;
8. The control center sends each class of data to the corresponding analysis unit of the analysis center;
9. The analysis center compares the API sequences called by the sample with the API sequences called by trusted legitimate programs, and compares the application programming interfaces called by the sample with those called by trusted legitimate programs, and generates the sample operation footprint information;
10. From the sample footprint information, the sample operation footprint diagram is drawn (as shown in Fig. 2);
11. Each item of the sample footprint information is labelled with a threat level, and the sample threat footprint is outlined (as shown in Fig. 3);
12. A detailed behavior analysis report is generated, whose main contents are: changes to the file system, changes to the system registry, changes to the network information, changes to the process information, changes to dynamic link libraries, the use of virtual memory regions, and similar information.
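Steps 9 to 12 above (and C2 to C7 in the method) are where the recorded behavior turns into a footprint and a report. The following is an added illustration, not code from the patent: it assumes the comparison with legitimate programs is a set difference over consecutive API-call pairs (the patent does not specify the comparison), and the trusted baseline, dimension table, threat rules and sample trace are all constructed for the example.

```python
from collections import Counter

# Constructed baseline: consecutive API-call pairs (bigrams) recorded from
# trusted, legitimate programs. Assumption: the sample is compared with the
# baseline by set difference over such pairs.
TRUSTED_BIGRAMS = {
    ("CreateFileW", "ReadFile"), ("ReadFile", "CloseHandle"),
    ("RegOpenKeyExW", "RegQueryValueExW"), ("RegQueryValueExW", "RegCloseKey"),
    ("LoadLibraryW", "GetProcAddress"), ("VirtualAlloc", "VirtualFree"),
    ("socket", "connect"), ("connect", "send"),
}

# Report dimension of each API, matching the report contents of step 12
# (file system, registry, network, process, DLL, virtual memory). Constructed.
DIMENSION = {
    "CreateFileW": "file_system", "ReadFile": "file_system",
    "WriteFile": "file_system", "CloseHandle": "file_system",
    "RegOpenKeyExW": "registry", "RegQueryValueExW": "registry",
    "RegSetValueExW": "registry", "RegCloseKey": "registry",
    "socket": "network", "connect": "network", "send": "network",
    "CreateProcessW": "process", "WriteProcessMemory": "process",
    "CreateRemoteThread": "process",
    "LoadLibraryW": "dll", "GetProcAddress": "dll",
    "VirtualAlloc": "virtual_memory", "VirtualAllocEx": "virtual_memory",
    "VirtualFree": "virtual_memory",
}

# Threat-level rules for footprint entries (step 11). Unlisted entries are "low".
THREAT_RULES = {
    ("VirtualAllocEx", "WriteProcessMemory"): "high",   # writes into another process
    ("WriteProcessMemory", "CreateRemoteThread"): "high",
    ("RegOpenKeyExW", "RegSetValueExW"): "medium",      # registry value modified
    ("CreateFileW", "WriteFile"): "medium",             # file content modified
}
LEVEL_ORDER = ["low", "medium", "high"]

def bigrams(seq):
    return list(zip(seq, seq[1:]))

def operation_footprint(sample_calls, trusted=TRUSTED_BIGRAMS):
    """Step 9: call pairs the sample made that no trusted program made."""
    return [bg for bg in bigrams(sample_calls) if bg not in trusted]

def threat_footprint(footprint, rules=THREAT_RULES):
    """Step 11: attach a threat-level label to every footprint entry."""
    return [(bg, rules.get(bg, "low")) for bg in footprint]

def report_model(sample_calls):
    """Step 12: per-dimension count of touched APIs plus an overall verdict."""
    footprint = operation_footprint(sample_calls)
    labelled = threat_footprint(footprint)
    touched = {api for bg in footprint for api in bg}
    by_dim = Counter(DIMENSION.get(api, "other") for api in touched)
    levels = [lvl for _, lvl in labelled]
    overall = max(levels, key=LEVEL_ORDER.index) if levels else "none"
    return {"footprint": labelled, "changes_by_dimension": dict(by_dim),
            "overall_threat": overall}

# Constructed sample trace: reads a file, resolves an import, then writes into
# a newly created process and sets a registry value.
SAMPLE_TRACE = [
    "CreateFileW", "ReadFile", "CloseHandle", "LoadLibraryW", "GetProcAddress",
    "CreateProcessW", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
    "RegOpenKeyExW", "RegSetValueExW", "RegCloseKey",
]

if __name__ == "__main__":
    print(report_model(SAMPLE_TRACE))
```

The footprint keeps only the eight call pairs absent from the baseline, so the file read at the start of the trace contributes nothing to the verdict while the process-memory writes raise it to "high".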
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included within its scope of protection.

Claims (1)

1. A method for identifying and analyzing unknown malicious code based on behavior analysis, characterized in that it uses a host that exposes application programming interfaces and contains a response center, a control center and an analysis center; the method is as follows:
A. The response center performs the following:
A1. Monitor the API sequences called on the host, and record them;
A2. Monitor the application programming interfaces called by the sample loaded on the host, and record them;
A3. Monitor the host's running state and network information, and record them;
A4. Send the recorded information, as one unit, to the control center.
B. The control center performs the following:
B1. Receive the instructions issued by the analysis center and process them;
B2. Issue the instructions processed in step B1 to the response center;
B3. Receive the data sent by the response center and classify it;
B4. Send the data classified in step B3 to the analysis center, each class separately.
C. The analysis center performs the following:
C1. Issue module call instructions to the control center;
C2. Compare the API sequences called by the sample on the host with the API sequences called by trusted legitimate programs;
C3. Compare the application programming interfaces called by the sample on the host with the application programming interfaces called by trusted legitimate programs;
C4. Generate the sample operation footprint information;
C5. From the sample footprint information of step C4, draw the sample operation footprint diagram;
C6. Label each item of the sample footprint information of step C4 with a threat level, and outline the sample threat footprint diagram;
C7. Generate the analysis report model of the detailed behavior.
Application CN201710884189.9A, priority date 2017-09-26, filing date 2017-09-26, status Pending: Method for identifying and analyzing unknown malicious code based on behavior analysis (CN107657176A, en)


Publications (1)

Publication number CN107657176A (en), publication date 2018-02-02

Family

ID=61116037


Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN1818823A * | 2005-02-07 | 2006-08-16 | 福建东方微点信息安全有限责任公司 | Computer protecting method based on program behaviour analysis
CN105874463A * | 2013-12-30 | 2016-08-17 | 诺基亚技术有限公司 | Method and apparatus for malware detection
CN104766011A * | 2015-03-26 | 2015-07-08 | 国家电网公司 | Sandbox detection alarming method and system based on main engine characteristic
CN105653956A * | 2016-03-02 | 2016-06-08 | 中国科学院信息工程研究所 | Android malicious software sorting method based on dynamic behavior dependency graph

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN110414233A * | 2019-06-28 | 2019-11-05 | 奇安信科技集团股份有限公司 | Malicious code detecting method and device
CN110516440A * | 2019-08-12 | 2019-11-29 | 广州海颐信息安全技术有限公司 | Method and device for linkage playback of privilege threat behavior track based on dragging
CN110516440B * | 2019-08-12 | 2021-12-10 | 广州海颐信息安全技术有限公司 | Method and device for linkage playback of privilege threat behavior track based on dragging


Legal Events

Code | Title | Description
PB01 | Publication | Application publication date: 2018-02-02
SE01 | Entry into force of request for substantive examination |
RJ01 | Rejection of invention patent application after publication |