CN108009425A - File detection and threat level determination method, apparatus and system - Google Patents
- Publication number: CN108009425A (application CN201711232296.XA)
- Authority: CN (China)
- Prior art keywords: file, behavior, detected, sample, malicious
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
Abstract
Embodiments of the present invention provide a file detection and threat level determination method, apparatus and system in the field of computer system security. The method comprises: establishing a behavioral feature database from malicious file samples and benign file samples; obtaining the behavior of a file under test in a virtual environment corresponding to that file; comparing the behavior of the file under test with the data in the behavioral feature database; and, if the behavior of the file under test matches the behavior of a malicious file in the behavioral feature database, determining the threat level of the file under test. Because the behaviors in the behavioral feature database are obtained by training and the method relies on dynamic analysis of the file's behavior, it remains effective against files protected by executable-protection techniques such as packing, obfuscation, polymorphism and metamorphism, and can accurately judge whether a file is malicious.
Description
Technical field
The present invention relates to the field of computer system security, and in particular to a file detection and threat level determination method, apparatus and system.
Background technology
With the rapid development of computer network technology, computers have entered countless homes and become an indispensable tool for entertainment and office work. Alongside this development, malicious files have also gained a great deal of room to grow. A computer virus, for example, is one kind of malicious file: its author takes control of the victim's computer in order to steal user information or damage the user's system. At present, malicious files are mainly detected in the following two ways.
Judging from the binary data of the file itself and from the structural features of the file itself. This is the conventional approach of anti-virus software: signatures (byte patterns) and cryptographic hashes extracted from viruses are stored in the product's virus database as markers of malicious programs, and when a new file needs to be checked it is matched against the existing signature database to confirm the malware family. This approach requires the signature database to be accumulated continuously and cannot identify or remove new malware; with the current volume of malware, signature-based scanning can no longer keep up with the situation.
Analyzing malicious file samples manually, analyzing the behavior of the malicious file, recording its behavioral features, and judging its degree of danger from those behavioral features. This approach requires a large amount of manual analysis work, and the malicious-behavior database and its grades must be summarized by hand, so maintaining the behavioral feature database consumes substantial manpower.
Summary of the invention
In view of this, the purpose of embodiments of the present invention is to provide a file detection and threat level determination method, apparatus and system that can quickly and accurately judge whether an unknown file is malicious and determine its threat level.
An embodiment of the present invention provides a file detection and threat level determination method, comprising: establishing a behavioral feature database from malicious file samples and benign file samples; obtaining the behavior of a file under test in a virtual environment corresponding to that file; comparing the behavior of the file under test with the data in the behavioral feature database; and, if the behavior of the file under test matches the behavior of a malicious file in the behavioral feature database, determining the threat level of the file under test.
Preferably, the step of establishing the behavioral feature database from malicious file samples and benign file samples comprises: obtaining malicious file samples and benign file samples, the malicious file samples comprising a plurality of malicious files and the benign file samples comprising a plurality of benign files; using sandbox technology to monitor, record and collect all behaviors of the malicious file samples and the benign file samples; training on all collected behaviors of the malicious file samples and the benign file samples; and generating all behaviors and behavior combinations of the malicious file samples and the benign file samples and establishing the behavioral feature database from them.
Preferably, the method further comprises matching the behaviors of the file under test one by one against the behaviors in the behavioral feature database, or matching the behavior combinations of the file under test against the behavior combinations in the behavioral feature database. The behaviors of malicious files in the behavioral feature database carry a threat level, and the threat level of the file under test is determined from the number and the threat levels of the malicious-file behaviors in the behavioral feature database that match the behaviors of the file under test.
Preferably, the method further comprises obtaining the static features of the file under test in the virtual environment corresponding to it, the virtual environment being established by a sandbox, and, after the threat level of the file under test has been determined, adding the behavior and the static features of the file under test to the behavioral feature database.
An embodiment of the present invention also provides a file detection and threat level determination apparatus, comprising: an establishing module for establishing a behavioral feature database from malicious file samples and benign file samples; an acquisition module for obtaining the behavior of a file under test in a virtual environment corresponding to that file; a comparison module for comparing the behavior of the file under test with the data in the behavioral feature database; and a determination module for determining the threat level of the file under test if its behavior matches the behavior of a malicious file in the behavioral feature database.
Preferably, the establishing module further comprises: an acquiring unit for obtaining malicious file samples and benign file samples, the malicious file samples comprising a plurality of malicious files and the benign file samples comprising a plurality of benign files; a collecting unit for using sandbox technology to monitor, record and collect all behaviors of the malicious file samples and the benign file samples; a training unit for training on all collected behaviors of the malicious file samples and the benign file samples; and an establishing unit for generating all behaviors and behavior combinations of the malicious file samples and the benign file samples and establishing the behavioral feature database.
Preferably, the comparison module is further configured to match the behaviors of the file under test one by one against the behaviors in the behavioral feature database, or to match the behavior combinations of the file under test against the behavior combinations in the behavioral feature database; and the determination module is further configured such that the behaviors of malicious files in the behavioral feature database carry a threat level and the threat level of the file under test is determined from the number and the threat levels of the malicious-file behaviors in the behavioral feature database that match the behaviors of the file under test.
Preferably, the acquisition module is further configured to obtain the static features of the file under test in the virtual environment corresponding to it, the virtual environment being established by a sandbox; and the file detection and threat level determination apparatus further comprises an adding module for adding the behavior and the static features of the file under test to the behavioral feature database.
An embodiment of the present invention also provides a file detection and threat level determination system, comprising a learning/training server, a file acquisition server and a file classification server, the learning/training server and the file acquisition server each being communicatively connected to the file classification server. The learning/training server is used to establish a behavioral feature database from malicious file samples and benign file samples, the behavioral feature database also being communicatively connected to the file classification server. The file acquisition server is used to obtain the behavior of a file under test in a virtual environment corresponding to that file. The file classification server is used to compare the behavior of the file under test with the data in the behavioral feature database and, if the behavior of the file under test matches the behavior of a malicious file in the behavioral feature database, to determine the threat level of the file under test.
Preferably, the learning/training server is further configured to: obtain malicious file samples and benign file samples, the malicious file samples comprising a plurality of malicious files and the benign file samples comprising a plurality of benign files; use sandbox technology to monitor, record and collect all behaviors of the malicious file samples and the benign file samples; train on all collected behaviors of the malicious file samples and the benign file samples; and generate all behaviors and behavior combinations of the malicious file samples and the benign file samples and establish the behavioral feature database.
Compared with the prior art, the file detection and threat level determination method, apparatus and system provided by the present invention mainly detect Windows PE executables and document-type files. Detection of PE files uses dynamic capture of file behavior: a behavioral feature database is obtained by training on a large number of malicious file samples and benign file samples, the behavior of the file under test is compared with the data in that database, and if the behavior of the file under test matches a malicious-file behavior or behavior combination in the database, the file under test is judged to be malicious and can additionally be assigned a threat level. Because embodiments of the present invention mainly rely on a behavioral feature database obtained by learning and training, judge the threat degree of a file mainly by its combination of behaviors, and use dynamic behavior analysis, they remain effective against files protected by executable-protection techniques such as packing, obfuscation, polymorphism and metamorphism, and can accurately judge whether a file is malicious. Embodiments of the present invention are mainly used on the Windows platform and can be applied in APT detection systems to give security staff or enterprises an accurate evaluation of a file's threat level. Within the architecture of the file detection and threat level determination system, because the kinds of file detected differ and the environments that trigger their malicious behavior differ, several virtual environments must be set up, the file under test is detected in each of them separately, and the analysis results are aggregated for the final judgement.
To make the above objects, features and advantages of the present invention clearer and easier to understand, preferred embodiments are described in detail below with reference to the accompanying drawings.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the embodiments are briefly described below. It should be understood that the following drawings show only some embodiments of the present invention and are therefore not to be regarded as limiting its scope; a person of ordinary skill in the art can derive other related drawings from these without creative effort.
Fig. 1 is a flow chart of the file detection and threat level determination method provided by the first embodiment of the present invention.
Fig. 2 shows the sub-steps of step S11 of the file detection and threat level determination method of the first embodiment of the present invention.
Fig. 3 is a structural diagram of the electronic device provided by the first embodiment of the present invention.
Fig. 4 is a functional module diagram of the file detection and threat level determination apparatus provided by the first embodiment of the present invention.
Fig. 5 is a structural diagram of the file detection and threat level determination system provided by the second embodiment of the present invention.
Reference numerals: 10 - electronic device; 101 - processor; 102 - memory; 103 - bus; 104 - communication interface; 200 - file detection and threat level determination apparatus; 201 - establishing module; 2011 - acquiring unit; 2012 - collecting unit; 2013 - training unit; 2014 - establishing unit; 202 - acquisition module; 203 - comparison module; 204 - determination module; 205 - adding module; 30 - file detection and threat level determination system; 31 - learning/training server; 32 - file classification server; 33 - file acquisition server.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described below clearly and completely with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. The components of the embodiments of the present invention, as generally described and illustrated in the drawings here, may be arranged and designed in a variety of different configurations. The detailed description of the embodiments of the present invention provided in the drawings is therefore not intended to limit the scope of the claimed invention but merely represents selected embodiments of it. All other embodiments obtained by a person skilled in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
It should be noted that similar reference numerals and letters denote similar items in the following drawings; once an item is defined in one drawing, it need not be further defined or explained in subsequent drawings. Furthermore, in the description of the present invention, the terms "first", "second" and the like are used only to distinguish one description from another and are not to be understood as indicating or implying relative importance.
First embodiment
Refer to Fig. 1, which is a flow chart of the file detection and threat level determination method provided by the first embodiment of the present invention. The method is applied to an electronic device and is used to detect unknown files, such as PE (Portable Executable) files and common document files such as doc, docx, xls, xlsx and pdf. When detecting an unknown file it applies a judgement based on the combination of the file's behaviors, and it assigns a threat level to a file whose safety grade is unknown. It should be noted that the method of the present invention is not limited to Fig. 1 or to the particular order shown below. The specific flow and steps shown in Fig. 1 are described in detail below. The file detection and threat level determination method comprises:
Step S11: establish a behavioral feature database from malicious file samples and benign file samples.
Refer to Fig. 2, which shows the sub-steps of step S11 of the file detection and threat level determination method of the embodiment of the present invention. They are as follows.
Step S111: obtain malicious file samples and benign file samples, the malicious file samples comprising a plurality of malicious files and the benign file samples comprising a plurality of benign files.
A large number of known malicious files and benign files are collected as samples; the more samples there are, the more complete the behavioral feature database becomes. In embodiments of the present invention the collection consists mainly of viruses discovered and analyzed by security vendors in the past, and virus samples are mainly obtained from authorized organizations; the malicious file samples are chosen mainly from Windows PE executables. Benign files are chosen as samples mainly to serve as a contrast to the behavior of the malicious file samples; in embodiments of the present invention the benign file samples consist mainly of a collection of everyday software.
Step S112: use sandbox technology (e.g. Sandboxie) to monitor, record and collect all behaviors of the malicious file samples and the benign file samples.
In the present embodiment a sandbox (such as Cuckoo) is used together with an emulator (such as QEMU). Sandbox technology means that several sets of emulated hardware environments are simulated in software on a single physical machine, forming multiple virtual environments that look like real machines. Malicious programs can be run in isolation in each virtual environment without infecting the physical machine or the other virtual environments, and the original state of a virtual environment can be preserved so that it can be reset to that state after a malicious program has run. The system inside the virtual environment can be Windows; the present embodiment does not restrict this, and other systems are also possible. The sandbox can perform both static and dynamic analysis of an uploaded sample. In static analysis the sandbox parses the structure of a PE file, including the PE structure itself, the MD5 and SHA1 hashes of the PE file, and the file's packer information. In dynamic analysis the sandbox injects into the PE file's process and its child processes and hooks the key API functions in the target process; hooking is the main means by which the behavior of the PE file under test is recorded, and the detection results are passed out of the virtual environment to the physical machine as logs (LOG) by way of a shared folder or a network service. API hooking is a technique for altering the result of an API call; Microsoft itself uses it inside the Windows operating system, for example in Windows compatibility modes. The file behaviors gathered from the sandbox can also be organized: here this mainly means that a program extracts and collects the file behaviors that were recorded as logs and passed out of the sandbox.
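The last stage described above, turning the hooked-API log that leaves the sandbox into behavior labels, as an added example written for this page (not the patent's implementation and not Cuckoo's code). The log format, the rule table, the behavior names and the log lines themselves are constructed assumptions; the example follows the sample into the child process it creates and ignores calls from unrelated guest processes, since those would otherwise be attributed to the sample.

```python
import json
import re

# Constructed log: one JSON object per hooked API call, with the calling process and
# its parent, as a sandbox agent might export it. Not Cuckoo's real report schema.
SANDBOX_LOG = r"""
{"pid": 1200, "ppid": 800, "api": "CreateProcessW", "args": {"lpApplicationName": "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe", "child_pid": 1340}}
{"pid": 1340, "ppid": 1200, "api": "RegOpenKeyExW", "args": {"lpSubKey": "SYSTEM\\CurrentControlSet\\Services\\VBoxGuest"}}
{"pid": 1340, "ppid": 1200, "api": "RegSetValueExW", "args": {"key_path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "lpValueName": "upd"}}
{"pid": 1340, "ppid": 1200, "api": "NtWriteFile", "args": {"path": "C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe"}}
{"pid": 1340, "ppid": 1200, "api": "CreateRemoteThread", "args": {"target_pid": 640}}
{"pid": 1340, "ppid": 1200, "api": "gethostbyname", "args": {"name": "update.example.net"}}
{"pid": 2100, "ppid": 800, "api": "HttpSendRequestW", "args": {"verb": "POST", "host": "203.0.113.10"}}
"""

# (category, behavior, hooked APIs, predicate on the call arguments). Assumed rule set.
RULES = [
    ("registry", "write_autorun_key", {"RegSetValueExA", "RegSetValueExW"},
     lambda a: re.search(r"\\CurrentVersion\\Run$", a.get("key_path", ""), re.I)),
    ("registry", "detect_vm", {"RegOpenKeyExA", "RegOpenKeyExW"},
     lambda a: re.search(r"VBoxGuest|VBoxMouse|VMware|vmmouse", a.get("lpSubKey", ""), re.I)),
    ("file", "drop_exe_temp", {"NtWriteFile", "WriteFile"},
     lambda a: re.search(r"\\Temp\\[^\\]+\.exe$", a.get("path", ""), re.I)),
    ("api", "create_remote_thread", {"CreateRemoteThread", "NtCreateThreadEx"}, lambda a: True),
    ("network", "dns_query", {"gethostbyname", "getaddrinfo", "DnsQuery_W"}, lambda a: True),
    ("network", "http_post", {"HttpSendRequestA", "HttpSendRequestW"},
     lambda a: a.get("verb", "").upper() == "POST"),
]


def parse_log(text):
    """One event dict per non-empty log line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def process_tree(events, root_pid):
    """The sample's pid plus every descendant it creates: the hooks follow the sample into
    its child processes, and calls from unrelated guest processes must not be attributed to it."""
    tree = {root_pid}
    grown = True
    while grown:
        grown = False
        for e in events:
            child = e["args"].get("child_pid")
            if e["pid"] in tree and e["api"].startswith("CreateProcess") and child is not None and child not in tree:
                tree.add(child)
                grown = True
    return tree


def extract_behaviors(events, root_pid):
    """Map hooked API calls from the sample's process tree onto behavior labels.
    Returns {behavior: category}."""
    tree = process_tree(events, root_pid)
    found = {}
    for e in events:
        if e["pid"] not in tree:
            continue
        for category, behavior, apis, pred in RULES:
            if e["api"] in apis and pred(e["args"]):
                found[behavior] = category
    return found


if __name__ == "__main__":
    events = parse_log(SANDBOX_LOG)
    for behavior, category in sorted(extract_behaviors(events, 1200).items()):
        print(f"{category:8s} {behavior}")
```

Run as a script it lists the five behaviors of the sample's process tree (pid 1200 and its child 1340); the POST issued by pid 2100, which the sample never created, is not attributed to it.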
Step S113: train on all collected behaviors of the malicious file samples and the benign file samples.
The behaviors of the malicious files and benign files obtained are organized into a recognizable form, a function is used to learn from and analyze all behaviors of the malicious file samples and the benign file samples, the threatening behaviors are distinguished, and threat levels are assigned according to the proportion of the malicious file samples in which each threatening behavior occurs. Specifically, it is worked out which behaviors occur with the highest probability in malicious files, and the threat index of a behavior is rated according to its probability of occurrence. The behavior combinations of malicious files can be summarized with learning software such as Weka.
Step S114: generate all behaviors and behavior combinations of the malicious file samples and the benign file samples, and establish the behavioral feature database.
Referring again to Fig. 1, step S12: obtain the behavior of the file under test in the virtual environment corresponding to that file.
In the same way as the behavior is obtained in step S112, the sandbox captures the behavior of the file under test, collecting its file behavior, API behavior, registry behavior, network behavior and other behavior. Some malicious files carry an evasive behavior: the malicious file usually checks whether it is running inside a virtual machine and, if it is, assumes that its sample has been taken for analysis by security researchers; it then alters its malicious behavior so that the malicious code is not executed, which interferes with detection. In the present embodiment the sandbox therefore establishes a virtual environment that resembles the running environment of a real physical machine, so that a malicious file with anti-virtual-machine behavior cannot detect that it is in a virtual environment.
Step S13: does the behavior of the file under test match the behavior of a malicious file in the behavioral feature database?
The behaviors of the file under test are matched one by one against the behaviors in the behavioral feature database, or the behavior combinations of the file under test are matched against the behavior combinations in the behavioral feature database; the behavioral feature database contains both the behaviors of malicious files and the behaviors of benign files. If the behavior of the file under test does not match the behavior of any malicious file in the feature database, or matches a benign file in the feature database, the file under test is judged to be a benign file; if the behavior of the file under test matches the behavior of a malicious file in the behavioral feature database, step S14 is performed.
Step S14: determine the threat level of the file under test.
If the behavior of the file under test matches the behavior of a malicious file in the behavioral feature database, the file under test is judged to be a malicious file. If several threatening behaviors are present among the detected behaviors of the file, the file's final threat level is graded according to the highest-level threatening behavior, for example on a scale of 1 to 5 from low to high; if the file under test exhibits several threatening behaviors, it is a malicious file with a threat level of 5. The threat level can also be determined directly from the kind of threatening behavior: for example, if the file under test exhibits virtual machine detection behavior, it is directly judged to have a threat level of 5.
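Steps S113, S114, S13 and S14 carried through as one worked example, written for this page and not the patent's implementation or any product's code. The training samples and behavior names are constructed; the mapping from a behavior's share of the malicious samples onto the 1-to-5 scale, the choice of pairs as the combination behaviors (pairs seen in malicious samples and never in benign ones, graded by their highest-graded member) and the rule that a behavior counts as threatening when it is more frequent in malicious than in benign samples are assumptions, since the text does not fix them.

```python
from collections import Counter
from itertools import combinations
from math import ceil

# Constructed training samples: (label, behaviors the sandbox recorded for that file).
SAMPLES = [
    ("malicious", {"write_autorun_key", "create_remote_thread", "dns_query", "detect_vm"}),
    ("malicious", {"write_autorun_key", "drop_exe_temp", "http_post"}),
    ("malicious", {"drop_exe_temp", "create_remote_thread", "http_post"}),
    ("malicious", {"write_autorun_key", "delete_self", "http_post"}),
    ("benign", {"read_config", "http_get", "write_user_doc"}),
    ("benign", {"read_config", "write_user_doc"}),
    ("benign", {"http_get", "dns_query", "read_config"}),
    ("benign", {"write_user_doc", "dns_query"}),
]

# Behaviors whose kind alone fixes the grade; the text names virtual-machine detection.
DIRECT_GRADE = {"detect_vm": 5}
MAX_LEVEL = 5


def grade_from_ratio(p_mal):
    """Assumed mapping of a behavior's share of the malicious samples onto the 1..5 scale."""
    return min(MAX_LEVEL, max(1, ceil(p_mal * MAX_LEVEL)))


def build_behavior_db(samples, combo_size=2):
    """Steps S113/S114: decide which behaviors are threatening, grade them, and record
    the behavior combinations that occur only in malicious samples."""
    mal = [b for label, b in samples if label == "malicious"]
    ben = [b for label, b in samples if label == "benign"]
    mal_counts = Counter(b for beh in mal for b in beh)
    ben_counts = Counter(b for beh in ben for b in beh)
    malicious = {}
    for b, n in mal_counts.items():
        p_mal = n / len(mal)
        p_ben = ben_counts.get(b, 0) / len(ben)
        if p_mal > p_ben:  # more typical of malware than of everyday software
            malicious[b] = DIRECT_GRADE.get(b, grade_from_ratio(p_mal))
    benign = {b for b in ben_counts if b not in malicious}
    combos = {}
    for beh in mal:
        for combo in combinations(sorted(beh), combo_size):
            if any(set(combo) <= b for b in ben):
                continue  # the pair also occurs in benign software: not a malicious combination
            combos[combo] = max((malicious.get(b, 0) for b in combo), default=0)
    return {"malicious": malicious, "benign": benign, "combos": combos}


def determine_threat_level(db, behaviors):
    """Steps S13/S14: match single behaviors and behavior combinations, then grade."""
    matched = {b: lvl for b, lvl in db["malicious"].items() if b in behaviors}
    combo_hits = {c: lvl for c, lvl in db["combos"].items() if set(c) <= behaviors}
    if not matched and not combo_hits:
        return {"verdict": "benign", "level": 0, "matched": [], "combos": []}
    level = max(list(matched.values()) + list(combo_hits.values()))  # highest-graded behavior
    if len(matched) > 1:  # several threatening behaviors: top grade, as step S14 describes
        level = MAX_LEVEL
    if any(b in DIRECT_GRADE for b in matched):  # kind of behavior alone decides, e.g. anti-VM
        level = MAX_LEVEL
    return {"verdict": "malicious", "level": level,
            "matched": sorted(matched), "combos": sorted(combo_hits)}


if __name__ == "__main__":
    db = build_behavior_db(SAMPLES)
    for name, beh in [("sample_a.exe", {"write_autorun_key", "dns_query"}),
                      ("sample_b.exe", {"detect_vm", "read_config"}),
                      ("report.docx", {"read_config", "http_get"})]:
        print(name, determine_threat_level(db, beh))
```

With the constructed samples, writing an autorun key alone is graded 4 (it appears in three of the four malicious samples), a single low-frequency behavior such as self-deletion is graded 2, two threatening behaviors together or any anti-VM check go straight to 5, and a file showing only behaviors that benign software also shows is reported as benign.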
In other embodiments, the file detection and threat level determination method further comprises obtaining the static features of the file under test in the virtual environment corresponding to it. The static features can be the MD5 and SHA1 hashes, the result of static shellcode analysis of Office files, the detection results of several licensed anti-virus products, and so on. The behavior and the static features of the file under test are also added to the behavioral feature database.
In this way the behavioral feature database is continuously improved, and the static features of the file under test are added to it at the same time.
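The static record the text lists for a PE file (hashes and packer information) and the reuse of a stored verdict when the same file's static features are already in the database, as an added example written for this page; it is not the patent's code or any sandbox's PE parser. The minimal PE images, the list of packer section names and the entropy threshold are constructed assumptions; the heuristic flags a file as packed on a known packer section name, a section with near-maximal byte entropy, or a section that has no raw data but a non-zero virtual size (the layout an unpacking stub leaves behind).

```python
import hashlib
import math
import struct
from collections import Counter

# Section names left by common packers (assumed list for the heuristic).
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite", ".nsp0", ".nsp1", "MPRESS1", "MPRESS2"}


def entropy(buf):
    """Shannon entropy in bits per byte; compressed or encrypted sections sit near 8."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_pe(data):
    """Read the DOS header, PE signature, COFF header and section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sec_off = e_lfanew + 4 + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, vsize, _, rsize, rptr, *_ = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        body = data[rptr:rptr + rsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rsize, "entropy": round(entropy(body), 2)})
    return {"machine": machine, "characteristics": chars, "sections": sections}


def static_features(data):
    """Hashes plus packer information, the static record the text describes for a PE file."""
    secs = parse_pe(data)["sections"]
    packed = (bool({s["name"] for s in secs} & PACKER_SECTIONS)
              or any(s["entropy"] > 7.0 for s in secs)
              or any(s["raw_size"] == 0 and s["virtual_size"] > 0 for s in secs))
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest(),
            "sections": secs, "packed": packed}


def lookup_or_record(feature_db, data, analyze):
    """If the file's static features are already in the database the stored verdict is returned
    (the file was tested before); otherwise analyze() runs and its result is recorded."""
    feats = static_features(data)
    key = feats["sha1"]
    if key in feature_db:
        return feature_db[key], True
    feature_db[key] = analyze(feats)
    return feature_db[key], False


def build_sample_pe(sections):
    """Construct a minimal PE32 image (headers plus raw section data, not a runnable program)
    so the parser can be exercised offline. sections: (name, raw_data, virtual_size)."""
    opt_size = 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed
    raw_ptr = 64 + 4 + 20 + opt_size + 40 * len(sections)
    headers, raw = b"", b""
    for name, body, vsize in sections:
        headers += struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000, len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw += body
        raw_ptr += len(body)
    return dos + b"PE\0\0" + coff + optional + headers + raw


# Constructed inputs: an unpacked layout and a UPX-style layout with an empty UPX0 section.
PLAIN_PE = build_sample_pe([(b".text", b"\x90" * 100 + b"\xc3", 101), (b".data", b"\0" * 64, 64)])
PACKED_PE = build_sample_pe([(b"UPX0", b"", 0x8000), (b"UPX1", bytes(range(256)) * 8, 2048)])

if __name__ == "__main__":
    for label, image in (("plain", PLAIN_PE), ("packed", PACKED_PE)):
        f = static_features(image)
        print(label, f["sha1"][:12], "packed" if f["packed"] else "not packed",
              [(s["name"], s["entropy"]) for s in f["sections"]])
```

The SHA1 is used as the database key; a second submission of the same bytes returns the recorded verdict without running the sandbox again, which is the shortcut the apparatus description relies on.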
Refer to Fig. 3, which is a structural diagram of the electronic device 10 provided by the first embodiment of the present invention. The electronic device 10 can be a computer or any other computing device with data-processing capability, and comprises a processor 101, a memory 102, a bus 103 and a communication interface 104; the processor 101, the communication interface 104 and the memory 102 are connected through the bus 103. The processor 101 is used to execute executable modules stored in the memory 102, such as a computer program.
The memory 102 may comprise high-speed random access memory (RAM) and may also comprise non-volatile memory, for example at least one disk storage device. The communication connection between this system network element and at least one other network element is realized through at least one communication interface 104 (which may be wired or wireless).
The bus 103 may be an ISA bus, a PCI bus, an EISA bus or the like. It is represented by a single double-headed arrow in Fig. 3, but this does not mean that there is only one bus or only one type of bus.
The memory 102 is used to store programs, such as the file detection and threat level determination apparatus 200 shown in Fig. 4. The file detection and threat level determination apparatus 200 comprises at least one software function module that can be stored in the memory 102 in the form of software or firmware or built into the operating system (OS) of the electronic device 10. After receiving an execution instruction, the processor 101 executes the program to implement the file detection and threat level determination method disclosed by the embodiment of the present invention.
The processor 101 may be an integrated circuit chip with signal processing capability. During implementation, each step of the above method can be completed by integrated logic circuits in the hardware of the processor 101 or by instructions in the form of software. The processor 101 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
The electronic device 10 may also comprise a display unit, which provides an interactive interface (for example a user interface) between the electronic device 10 and the user or displays image data to the user. In the present embodiment the display unit can be a liquid crystal display or a touch display.
Refer to Fig. 4, which is a functional module diagram of the file detection and threat level determination apparatus 200 provided by the first embodiment of the present invention. The file detection and threat level determination apparatus 200 is applied in the electronic device 10 and comprises an establishing module 201, an acquisition module 202, a comparison module 203, a determination module 204 and an adding module 205.
The establishing module 201 is used to establish a behavioral feature database from malicious file samples and benign file samples. Specifically, the establishing module 201 comprises an acquiring unit 2011, a collecting unit 2012, a training unit 2013 and an establishing unit 2014. In the present embodiment the establishing module 201 can perform step S11.
The acquiring unit 2011 is used to obtain malicious file samples and benign file samples, the malicious file samples comprising a plurality of malicious files and the benign file samples comprising a plurality of benign files.
The collecting unit 2012 is used to monitor, record and collect all behaviors of the malicious file samples and the benign file samples using sandbox technology.
The training unit 2013 is used to train on all collected behaviors of the malicious file samples and the benign file samples.
The establishing unit 2014 is used to generate all behaviors and behavior combinations of the malicious file samples and the benign file samples and to establish the behavioral feature database.
The acquisition module 202 is used to obtain the behavior of the file under test in the virtual environment corresponding to it, and is further used to obtain the static features of the file under test in that virtual environment, the virtual environment being established by a sandbox. In the present embodiment the acquisition module 202 can perform step S12.
The comparison module 203 is used to compare the behavior of the file under test with the data in the behavioral feature database, and is further used to match the behaviors of the file under test one by one against the behaviors in the behavioral feature database or to match the behavior combinations of the file under test against the behavior combinations in the behavioral feature database. In the present embodiment the comparison module 203 can perform step S13.
The determination module 204 is used to determine the threat level of the file under test if its behavior matches the behavior of a malicious file in the behavioral feature database. The behaviors of malicious files in the behavioral feature database carry a threat level, and the determination module 204 is further used to determine the threat level of the file under test from the number and the threat levels of the malicious-file behaviors in the behavioral feature database that match the behaviors of the file under test. In the present embodiment the determination module 204 can perform step S14.
The adding module 205 is used to add the behavior and the static features of the file under test to the behavioral feature database. The comparison module 203 is further used such that, if the static features of the file under test already exist in the behavioral feature database, the file under test has already been tested and the stored detection result is retrieved.
Second embodiment
Referring to Fig. 5, it is a schematic structural diagram of a file detection and threat level decision-making system 30 provided by the second embodiment of the present invention. The present embodiment provides a file detection and threat level decision-making system 30 that includes a learning training server 31, a file acquisition server 33 and a document classification server 32; the learning training server 31 and the file acquisition server 33 are each communicatively connected to the document classification server 32, for example over a network.
The learning training server 31 is used to collect a large number of malicious file samples and secure file samples, and to establish the behavioral characteristic database from the malicious file samples and secure file samples. The behavioral characteristic database is also communicatively connected to the document classification server 32, i.e. the document classification server 32 can directly invoke the data of the behavioral characteristic database.
The file acquisition server 33 is used to obtain the behavior of the file to be detected under the virtual environment corresponding to that file. Different types of file to be detected require different operating environments, so multiple different virtual environments are needed; the file acquisition server 33 can use multiple different virtual environments established with a sandbox, and can detect the same document in different virtual machine environments in parallel at the same time, which substantially increases the detection speed for document-type files. The number of virtual environments is set according to the needs of the detection environment. For example, when a file of the Word document type is detected, the file acquisition server 33 can select the virtual environment according to the document type, and the Word document can be sent separately to virtual environments equipped with office2003, office2007, office2010 and office2013 for detection.
The document classification server 32 is used to compare the behavior of the file to be detected with the data in the behavioral characteristic database and, if the file to be detected matches the behavior of a malicious file in the behavioral characteristic database, to determine the threat level of the file to be detected. If the file to be detected exhibits the behavior of a malicious file in the behavioral characteristic database, the file to be detected is marked as malicious and the file is evaluated according to the threat level of the malicious behavior.
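The matching, threat-level and caching logic of modules 203 to 205 above, together with the per-document-type fan-out across sandbox environments of the second embodiment, as an added Python example that is not part of the patent. The behavior names, the environment names, the use of SHA-256 as the static feature, and the scoring rule (highest matched level plus one per additional match, capped at 5) are all assumptions, and the sandbox runner is a constructed stand-in that returns canned behavior sets.

```python
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Set

# Constructed sample of the behavioral characteristic database (not the patent's data):
# each malicious behavior and each combination behavior carries a threat level 1..5.
MALICIOUS_BEHAVIORS: Dict[str, int] = {
    "office_spawns_shell": 3,
    "drop_pe_in_temp": 2,
    "set_run_key": 3,
    "outbound_to_unlisted_host": 2,
}
COMBINATION_BEHAVIORS: Dict[FrozenSet[str], int] = {
    frozenset({"drop_pe_in_temp", "set_run_key"}): 5,
    frozenset({"office_spawns_shell", "outbound_to_unlisted_host"}): 4,
}
# Assumed mapping from file type to the virtual environments the file is run in.
ENVIRONMENTS_BY_TYPE = {
    "word": ["office2003", "office2007", "office2010", "office2013"],
    "pe": ["win7_x64"],  # hypothetical environment name
}
# A sandbox runner takes (environment, static feature) and returns the observed behaviors.
SandboxRunner = Callable[[str, str], Set[str]]


@dataclass
class Verdict:
    threat_level: int  # 0 = no malicious behavior matched
    matched: Dict[str, int] = field(default_factory=dict)  # behavior -> threat level
    triggered_in: Dict[str, Set[str]] = field(default_factory=dict)  # env -> malicious behaviors


class FileClassifier:
    """Contrast, determining and addition modules, keyed by a static feature (SHA-256)."""

    def __init__(self) -> None:
        self._seen: Dict[str, Verdict] = {}  # static feature -> stored verdict

    @staticmethod
    def collect_behaviors(file_type: str, sha256: str, run: SandboxRunner) -> Dict[str, Set[str]]:
        """Run the same file in every environment for its type, in parallel."""
        envs = ENVIRONMENTS_BY_TYPE[file_type]
        with ThreadPoolExecutor(max_workers=len(envs)) as pool:
            return dict(pool.map(lambda env: (env, run(env, sha256)), envs))

    @staticmethod
    def match(observed: Set[str]) -> Dict[str, int]:
        """One-by-one matching of single behaviors, then matching of combination behaviors."""
        matched = {b: lvl for b, lvl in MALICIOUS_BEHAVIORS.items() if b in observed}
        for combo, lvl in COMBINATION_BEHAVIORS.items():
            if combo <= observed:  # every behavior of the combination was seen
                matched["+".join(sorted(combo))] = lvl
        return matched

    @staticmethod
    def threat_level(matched: Dict[str, int]) -> int:
        """Assumed scoring rule: highest matched level, +1 per additional match, capped at 5."""
        if not matched:
            return 0
        return min(5, max(matched.values()) + len(matched) - 1)

    def analyze(self, sha256: str, file_type: str, run: SandboxRunner) -> Verdict:
        if sha256 in self._seen:  # static feature already in the database: reuse the result
            return self._seen[sha256]
        reports = self.collect_behaviors(file_type, sha256, run)
        observed = set().union(*reports.values())  # behaviors seen in any environment
        matched = self.match(observed)
        malicious = set(MALICIOUS_BEHAVIORS)
        triggered = {env: b & malicious for env, b in reports.items() if b & malicious}
        verdict = Verdict(self.threat_level(matched), matched, triggered)
        self._seen[sha256] = verdict  # addition module: store the result under the static feature
        return verdict


# Constructed stand-in for the sandbox: this macro document only fires under two Office versions.
MACRO_DOC, CLEAN_DOC = "sha256:constructed-macro-doc", "sha256:constructed-clean-doc"


def fake_sandbox(environment: str, sha256: str) -> Set[str]:
    baseline = {"open_document", "read_user_profile"}  # benign behaviors every run shows
    if sha256 == MACRO_DOC and environment in ("office2007", "office2010"):
        return baseline | {"office_spawns_shell", "outbound_to_unlisted_host"}
    return baseline
```

Because the union of behaviors across all environments is matched, the document is caught even though two of the four Office versions never trigger the macro, and `triggered_in` records which versions did.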
In summary, the file detection and threat level decision method, apparatus and system provided by the present invention comprise: establishing a behavioral characteristic database according to malicious file samples and secure file samples; obtaining the behavior of the file to be detected under the virtual environment corresponding to the file to be detected; comparing the behavior of the file to be detected with the data in the behavioral characteristic database; and, if the file to be detected matches the behavior of a malicious file in the behavioral characteristic database, determining the threat level of the file to be detected. The method mainly detects Windows executable PE files and document-type files. In PE file detection, dynamic behavior capture of the file is used, a behavioral characteristic database is trained from a large number of malicious file samples and secure file samples, and the behavior of the file to be detected is compared with the data of the behavioral characteristic database. Documents can be subjected to both static analysis and dynamic analysis: if static analysis finds that the document structure is abnormal, or dynamic analysis finds abnormal behavior, the file is determined to be malicious. Because the embodiment of the present invention mainly employs a behavioral characteristic database obtained by learning and training, and mainly judges the threat degree of a file by its combination of behaviors, the file detection and threat level decision method of the embodiment remains effective against packed malicious programs. The embodiment is mainly used on the Windows platform and can be applied within APT detection systems to provide accurate file threat level evaluation results for security officers or enterprises. Within the framework of the file detection and threat level decision-making system, because the detected document types differ and the environments that trigger malicious behavior differ, multiple virtual environments need to be opened so that the file can be detected in each of them separately, and the analysis results are then aggregated for the judgment.
In the several embodiments provided herein, it should be understood that the disclosed apparatus and method may also be implemented in other ways. The apparatus embodiments described above are merely illustrative. For example, the flowcharts and block diagrams in the accompanying drawings show the architecture, functions and operations of possible implementations of the apparatus, methods and computer program products according to multiple embodiments of the present invention. In this regard, each block in a flowchart or block diagram may represent a module, a program segment or a portion of code, and that module, program segment or portion of code contains one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions marked in the blocks may occur in an order different from that marked in the drawings. For example, two consecutive blocks may in fact be executed substantially in parallel, and they may sometimes be executed in the reverse order, depending on the function involved. It should also be noted that each block in the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented by a dedicated hardware-based system that performs the specified function or action, or by a combination of dedicated hardware and computer instructions.
In addition, the functional modules in the embodiments of the present invention may be integrated to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
If the function is implemented in the form of a software functional module and is sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product; the computer software product is stored in a storage medium and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the method of each embodiment of the present invention. The aforementioned storage medium includes: a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc or any other medium that can store program code. It should be noted that, herein, relational terms such as first and second are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "comprising", "including" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that comprises a series of elements includes not only those elements but also other elements not explicitly listed, or further includes elements inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device that comprises that element.
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit the invention; for those skilled in the art, the invention may be variously modified and varied. Any modification, equivalent substitution, improvement or the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention. It should be noted that similar reference numerals and letters denote similar items in the following drawings; therefore, once an item is defined in one drawing, it need not be further defined or explained in subsequent drawings.
The above description is merely a specific embodiment; the protection scope of the present invention is not limited thereto, and any change or replacement that those familiar with the art can readily conceive within the technical scope disclosed by the present invention shall be covered within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the scope of the claims.
Claims (10)
1. A file detection and threat level decision method, characterized in that it comprises:
establishing a behavioral characteristic database according to a malicious file sample and a secure file sample;
obtaining the behavior of a file to be detected under a virtual environment corresponding to the file to be detected;
comparing the behavior of the file to be detected with the data in the behavioral characteristic database;
if the file to be detected matches the behavior of a malicious file in the behavioral characteristic database, determining the threat level of the file to be detected.
2. The file detection and threat level decision method according to claim 1, characterized in that the step of establishing the behavioral characteristic database according to the malicious file sample and the secure file sample comprises:
obtaining a malicious file sample and a secure file sample, the malicious file sample comprising a plurality of malicious files and the secure file sample comprising a plurality of secure files;
monitoring, recording and collecting all behaviors of the malicious file sample and the secure file sample using sandbox technology;
training on all the collected behaviors of the malicious file sample and the secure file sample;
generating all behaviors and combination behaviors of the malicious file sample and the secure file sample, and establishing the behavioral characteristic database.
3. The file detection and threat level decision method according to claim 1, characterized in that the method further comprises:
matching the behavior of the file to be detected one by one against the behaviors in the behavioral characteristic database, or matching the combination behavior of the file to be detected against the combination behaviors in the behavioral characteristic database;
wherein the behaviors of the malicious files in the behavioral characteristic database have threat levels, and the threat level of the file to be detected is determined according to the number and the threat levels of the malicious-file behaviors in the behavioral characteristic database that match the behavior of the file to be detected.
4. The file detection and threat level decision method according to claim 1, characterized in that the method further comprises:
obtaining the static features of the file to be detected under the virtual environment corresponding to the file to be detected, the virtual environment being established by means of a sandbox;
and, after the threat level of the file to be detected is determined, adding the behavior and the static features of the file to be detected to the behavioral characteristic database.
5. A file detection and threat level decision apparatus, characterized in that it comprises:
an establishing module, configured to establish a behavioral characteristic database according to a malicious file sample and a secure file sample;
an acquisition module, configured to obtain the behavior of a file to be detected under a virtual environment corresponding to the file to be detected;
a contrast module, configured to compare the behavior of the file to be detected with the data in the behavioral characteristic database;
a determining module, configured to determine the threat level of the file to be detected if the file to be detected matches the behavior of a malicious file in the behavioral characteristic database.
6. The file detection and threat level decision apparatus according to claim 5, characterized in that the establishing module further comprises:
an acquiring unit, configured to obtain a malicious file sample and a secure file sample, the malicious file sample comprising a plurality of malicious files and the secure file sample comprising a plurality of secure files;
a collecting unit, configured to monitor, record and collect all behaviors of the malicious file sample and the secure file sample using sandbox technology;
a training unit, configured to train on all the collected behaviors of the malicious file sample and the secure file sample;
an establishing unit, configured to generate all behaviors and combination behaviors of the malicious file sample and the secure file sample, and to establish the behavioral characteristic database.
7. The file detection and threat level decision apparatus according to claim 5, characterized in that the contrast module is further configured to: match the behavior of the file to be detected one by one against the behaviors in the behavioral characteristic database, or match the combination behavior of the file to be detected against the combination behaviors in the behavioral characteristic database;
and the determining module is further configured to: given that the behaviors of the malicious files in the behavioral characteristic database have threat levels, determine the threat level of the file to be detected according to the number and the threat levels of the malicious-file behaviors in the behavioral characteristic database that match the behavior of the file to be detected.
8. The file detection and threat level decision apparatus according to claim 5, characterized in that the acquisition module is further configured to: obtain the static features of the file to be detected under the virtual environment corresponding to the file to be detected, the virtual environment being established by means of a sandbox;
and the file detection and threat level decision apparatus further comprises an addition module, configured to add the behavior and the static features of the file to be detected to the behavioral characteristic database.
9. A file detection and threat level decision-making system, characterized in that it comprises a learning training server, a file acquisition server and a document classification server, the learning training server and the file acquisition server each being communicatively connected to the document classification server;
the learning training server is configured to establish a behavioral characteristic database according to a malicious file sample and a secure file sample, the behavioral characteristic database also being communicatively connected to the document classification server; the file acquisition server is configured to obtain the behavior of a file to be detected under a virtual environment corresponding to the file to be detected; and the document classification server is configured to compare the behavior of the file to be detected with the data in the behavioral characteristic database and, if the file to be detected matches the behavior of a malicious file in the behavioral characteristic database, to determine the threat level of the file to be detected.
10. The file detection and threat level decision-making system according to claim 9, characterized in that the learning training server is further configured to: obtain a malicious file sample and a secure file sample, the malicious file sample comprising a plurality of malicious files and the secure file sample comprising a plurality of secure files; monitor, record and collect all behaviors of the malicious file sample and the secure file sample using sandbox technology; train on all the collected behaviors of the malicious file sample and the secure file sample; and generate all behaviors and combination behaviors of the malicious file sample and the secure file sample, and establish the behavioral characteristic database.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201711232296.XA (CN108009425A) | 2017-11-29 | 2017-11-29 | File detection and threat level decision method, apparatus and system
Publications (1)
Publication Number | Publication Date
---|---
CN108009425A | 2018-05-08
Family ID: 62055110
Legal Events
Date | Code | Title | Description
---|---|---|---
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20180508