CN108009425A - File detection and threat level decision method, apparatus and system - Google Patents


Info

Publication number
CN108009425A
Authority
CN
China
Prior art keywords
file
behavior
detected
sample
malicious
Prior art date
Legal status
Pending
Application number
CN201711232296.XA
Other languages
Chinese (zh)
Inventor
冯浩
黄勇
陈航
宋国志
Current Assignee
Sichuan Silent Information Technology Co Ltd
Original Assignee
Sichuan Silent Information Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Sichuan Silent Information Technology Co Ltd
Priority to CN201711232296.XA
Publication of CN108009425A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection

Abstract

The embodiment of the present invention provides a file detection and threat level decision method, apparatus and system, relating to the field of computer system security. The method includes: establishing a behavioral feature database from malicious file samples and secure file samples; obtaining the behavior of a file to be detected in the virtual environment corresponding to that file; comparing the behavior of the file to be detected with the data in the behavioral feature database; and, if the behavior of the file to be detected matches the behavior of a malicious file in the behavioral feature database, determining the threat level of the file to be detected. Because the behaviors in the behavioral feature database are obtained by training and the method relies on dynamic behavior analysis of the file, it remains effective against files protected by executable-file protection techniques such as packing, obfuscation, polymorphism and metamorphism, and can accurately judge whether a file is malicious.

Description

File detection and threat level decision method, apparatus and system
Technical field
The present invention relates to the field of computer system security, and in particular to a file detection and threat level decision method, apparatus and system.
Background technology
With the rapid development of computer networking technology, computers have spread into countless households and have become an indispensable tool for entertainment and office work. Alongside this development, malicious files have also gained great room to grow. Computer viruses, for example, are one kind of malicious file: the author of a virus controls the victim's computer in order to steal user information or damage the user's system. At present, malicious files are mainly detected in the following two ways:
The first way is to judge by the binary data of the file itself and the structural features of the file itself. This is the traditional approach of antivirus software: signatures and hash values extracted from viruses are used as the marks identifying a malicious program and are stored in the antivirus software's virus database; when a new file needs to be detected, it is matched against the existing feature database to confirm the kind of malware. This approach requires the feature database to be accumulated continuously and cannot detect or identify new malware; given the huge number of malware samples today, the traditional feature-database approach cannot meet the present situation.
The second way is manual analysis of malicious file samples: analysts study the behavior of malicious files, record their behavioral features and judge the degree of danger of a malicious file from those features. This approach requires a great deal of manual analysis to summarize the malicious behavior database and the grades, and a great deal of manpower to maintain that behavioral feature database.
Summary of the invention
In view of this, the purpose of the embodiments of the present invention is to provide a file detection and threat level decision method, apparatus and system that quickly and accurately judge whether an unknown file is malicious and determine its threat level.
An embodiment of the present invention provides a file detection and threat level decision method, including: establishing a behavioral feature database from malicious file samples and secure file samples; obtaining the behavior of a file to be detected in the virtual environment corresponding to that file; comparing the behavior of the file to be detected with the data in the behavioral feature database; and, if the file to be detected matches the behavior of a malicious file in the behavioral feature database, determining the threat level of the file to be detected.
Preferably, the step of establishing the behavioral feature database from malicious file samples and secure file samples includes: obtaining malicious file samples and secure file samples, the malicious file samples including multiple malicious files and the secure file samples including multiple secure files; using sandbox technology to monitor, record and collect all behaviors of the malicious file samples and the secure file samples; training on all the collected behaviors of the malicious file samples and the secure file samples; and generating all behaviors and combination behaviors of the malicious file samples and the secure file samples and establishing the behavioral feature database.
Preferably, the method further includes: matching the behaviors of the file to be detected one by one against the behaviors in the behavioral feature database, or matching the combination behaviors of the file to be detected against the combination behaviors in the behavioral feature database. The behaviors of malicious files in the behavioral feature database carry threat levels, and the threat level of the file to be detected is determined from the number and threat levels of the malicious-file behaviors in the behavioral feature database that match the behaviors of the file to be detected.
Preferably, the method further includes: obtaining the static features of the file to be detected in the virtual environment corresponding to that file, the virtual environment being established by a sandbox; and, after the threat level of the file to be detected has been determined, adding the behavior and static features of the file to be detected to the behavioral feature database.
An embodiment of the present invention also provides a file detection and threat level decision apparatus, including: an establishing module for establishing a behavioral feature database from malicious file samples and secure file samples; an acquisition module for obtaining the behavior of a file to be detected in the virtual environment corresponding to that file; a comparison module for comparing the behavior of the file to be detected with the data in the behavioral feature database; and a determining module for determining the threat level of the file to be detected if the file matches the behavior of a malicious file in the behavioral feature database.
Preferably, the establishing module further includes: an acquiring unit for obtaining malicious file samples and secure file samples, the malicious file samples including multiple malicious files and the secure file samples including multiple secure files; a collecting unit for using sandbox technology to monitor, record and collect all behaviors of the malicious file samples and the secure file samples; a training unit for training on all the collected behaviors of the malicious file samples and the secure file samples; and an establishing unit for generating all behaviors and combination behaviors of the malicious file samples and the secure file samples and establishing the behavioral feature database.
Preferably, the comparison module is further used to match the behaviors of the file to be detected one by one against the behaviors in the behavioral feature database, or to match the combination behaviors of the file to be detected against the combination behaviors in the behavioral feature database; and the determining module is further used, given that the behaviors of malicious files in the behavioral feature database carry threat levels, to determine the threat level of the file to be detected from the number and threat levels of the malicious-file behaviors in the behavioral feature database that match the behaviors of the file to be detected.
Preferably, the acquisition module is further used to obtain the static features of the file to be detected in the virtual environment corresponding to that file, the virtual environment being established by a sandbox; and the file detection and threat level decision apparatus further includes an adding module for adding the behavior and static features of the file to be detected to the behavioral feature database.
An embodiment of the present invention also provides a file detection and threat level decision system, including a learning and training server, a file acquisition server and a file classification server, the learning and training server and the file acquisition server each being communicatively connected to the file classification server. The learning and training server is used to establish a behavioral feature database from malicious file samples and secure file samples, and the behavioral feature database is also communicatively connected to the file classification server. The file acquisition server is used to obtain the behavior of a file to be detected in the virtual environment corresponding to that file. The file classification server is used to compare the behavior of the file to be detected with the data in the behavioral feature database and, if the file to be detected matches the behavior of a malicious file in the behavioral feature database, to determine the threat level of the file to be detected.
Preferably, the learning and training server is further used to: obtain malicious file samples and secure file samples, the malicious file samples including multiple malicious files and the secure file samples including multiple secure files; use sandbox technology to monitor, record and collect all behaviors of the malicious file samples and the secure file samples; train on all the collected behaviors of the malicious file samples and the secure file samples; and generate all behaviors and combination behaviors of the malicious file samples and the secure file samples and establish the behavioral feature database.
Compared with the prior art, the file detection and threat level decision method, apparatus and system provided by the invention mainly detect Windows executable PE files and document-type files. The detection of PE files uses dynamic capture of file behavior: a behavioral feature database is obtained by training on a large number of malicious file samples and secure file samples, and the behavior of the file to be detected is compared with the data in that database. If the behavior of the file to be detected matches, singly or in combination, the behavior of a malicious file in the behavioral feature database, the file to be detected is judged to be malicious, and its threat level can also be graded. Because the embodiment of the present invention mainly relies on a behavioral feature database obtained by learning and training, judges the threat degree of a file mainly by its combination of behaviors, and uses dynamic behavior analysis, it remains effective against files protected by executable-file protection techniques such as packing, obfuscation, polymorphism and metamorphism, and can accurately judge whether a file is malicious. The embodiment of the present invention is mainly used on the Windows platform and can be applied within APT detection systems to provide security officers or enterprises with accurate evaluations of file threat levels. Within the framework of the file detection and threat level decision system, since the kinds of files detected differ and the environments that trigger malicious behavior differ, multiple virtual environments need to be set up so that a file can be detected separately in each, and the analysis results are then aggregated and judged.
To make the above objects, features and advantages of the present invention more apparent, preferred embodiments are described in detail below with reference to the accompanying drawings.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the embodiments are briefly described below. It should be understood that the following drawings show only certain embodiments of the present invention and should not be regarded as limiting its scope; those of ordinary skill in the art can obtain other relevant drawings from these drawings without creative effort.
Fig. 1 is a flow chart of the file detection and threat level decision method provided by the first embodiment of the invention.
Fig. 2 shows the sub-steps of step S11 of the file detection and threat level decision method of the first embodiment of the invention.
Fig. 3 is a structural diagram of the electronic device provided by the first embodiment of the invention.
Fig. 4 is a functional module diagram of the file detection and threat level decision apparatus provided by the first embodiment of the invention.
Fig. 5 is a structural diagram of the file detection and threat level decision system provided by the second embodiment of the invention.
Reference numerals: 10 - electronic device; 101 - processor; 102 - memory; 103 - bus; 104 - communication interface; 200 - file detection and threat level decision apparatus; 201 - establishing module; 2011 - acquiring unit; 2012 - collecting unit; 2013 - training unit; 2014 - establishing unit; 202 - acquisition module; 203 - comparison module; 204 - determining module; 205 - adding module; 30 - file detection and threat level decision system; 31 - learning and training server; 32 - file classification server; 33 - file acquisition server.
Embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. The components of the embodiments of the present invention, as generally described and illustrated in the drawings here, can be arranged and designed in a variety of configurations. Therefore, the following detailed description of the embodiments of the present invention provided in the drawings is not intended to limit the scope of the claimed invention but merely represents selected embodiments of the invention. All other embodiments obtained by those skilled in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the invention.
It should be noted that similar labels and letters represent similar items in the following drawings; once an item is defined in one drawing, it need not be further defined and explained in subsequent drawings. Also, in the description of the present invention, terms such as "first" and "second" are used only to distinguish descriptions and are not to be understood as indicating or implying relative importance.
First embodiment
Please refer to Fig. 1, which is a flow chart of the file detection and threat level decision method provided by the first embodiment of the invention. The file detection and threat level decision method provided by the embodiment of the present invention is applied to an electronic device and detects unknown files, such as PE files (Portable Executable) and common document files such as doc, docx, xls, xlsx and pdf. In detecting an unknown file, a decision procedure based on combinations of file behaviors is employed to judge the threat level of a file of unknown security class. It should be noted that the method of the present invention is not limited to Fig. 1 and the particular order shown below. The specific flow and steps shown in Fig. 1 are described in detail below. The file detection and threat level decision method includes:
Step S11: establishing a behavioral feature database from malicious file samples and secure file samples.
Please refer to Fig. 2, which shows the sub-steps of step S11 of the file detection and threat level decision method of the embodiment of the present invention, including:
Step S111: obtaining malicious file samples and secure file samples, the malicious file samples including multiple malicious files and the secure file samples including multiple secure files.
A large number of known malicious files and secure files are collected as samples; the more samples there are, the more complete the established behavioral feature database is. In the embodiment of the present invention, the viruses collected are mainly those found and analyzed by security vendors in the past, and virus samples are mainly obtained from authorized organizations; the malicious file samples are chosen mainly from PE executable files under Windows. Secure files are chosen as samples mainly to contrast with the behavior of the malicious file samples; in the embodiment of the present invention, the secure file samples mainly consist of a collection of everyday software.
Step S112: using sandbox (Sandboxie) technology to monitor, record and collect all behaviors of the malicious file samples and the secure file samples.
In this embodiment, a sandbox (such as Cuckoo) and an emulator (such as QEMU) are used together. Sandbox technology means using software to simulate several sets of emulated hardware environments on one actual physical machine, forming multiple virtual environments shaped like real machines. A malicious program can be run in isolation in each virtual environment without infecting the actual physical machine or the other virtual environments, and the original state of a virtual environment can be preserved so that the environment can be reset to that state after the malicious program has run. The inside of the virtual environment can be a Windows system; this embodiment does not limit it to that, and other systems are possible. The sandbox can perform static analysis and dynamic analysis of an uploaded sample. In static analysis, the sandbox parses the structure of the PE file, including the PE file structure itself, the MD5 and SHA1 check values of the PE file, and its packing information. In the dynamic analysis of the file, the sandbox injects into the process of the PE file and its sub-processes and hooks the key API functions in the target process; the behaviors of the detected PE file are recorded mainly by hooking, and the detection results are transferred from the virtual environment to the real physical machine as a log (LOG) by way of a shared folder or a network service. API hooking is a technique for changing the results of API calls; Microsoft itself also uses this technique inside the Windows operating system, for example for Windows compatibility modes. The file behaviors gathered from the sandbox can also be organized: the file behaviors transferred from the sandbox in LOG form are extracted and collected, mainly by a program.
Step S113: training on all the collected behaviors of the malicious file samples and the secure file samples.
The obtained behaviors of the malicious and secure files are organized into a recognizable form; all behaviors of the malicious file samples and the secure file samples are learned and analyzed using a function, the threatening behaviors are distinguished, and threat levels are divided according to the proportion the threatening behaviors occupy among the malicious file samples. Specifically, it is summarized which behaviors occur with higher probability in malicious files, and the threat index of a behavior is evaluated according to its probability of occurrence. The behavior combinations of malicious files can be summarized with learning software, for example Weka.
Step S114: generating all behaviors and combination behaviors of the malicious file samples and the secure file samples, and establishing the behavioral feature database.
Referring again to Fig. 1, Step S12: obtaining the behavior of the file to be detected in the virtual environment corresponding to that file.
Consistent with the behavior acquisition method of step S112, the behavior of the file to be detected is captured using the sandbox; the file behaviors, API behaviors, registry behaviors, network behaviors and other behaviors are collected. Some malicious files carry anti-virtual-machine behavior: a malicious file often detects whether it is running inside a virtual machine and, if so, assumes that its sample has been taken by security researchers for analysis, so it changes its malicious behavior so that the malicious code is not executed, which interferes with detection. Therefore, in this embodiment, the sandbox establishes a virtual environment resembling the running environment of a real physical machine, preventing malicious files with anti-virtual-machine behavior from detecting that they are in a virtual environment.
Step S13: whether the behavior of the file to be detected matches the behavior of a malicious file in the behavioral feature database.
The behaviors of the file to be detected are matched one by one against the behaviors in the behavioral feature database, or the combination behaviors of the file to be detected are matched against the combination behaviors in the behavioral feature database; the behavioral feature database includes the behaviors of malicious files and the behaviors of secure files. If the behavior of the file to be detected does not match the behavior of a malicious file in the feature database, or matches a secure file in the feature database, the file to be detected is judged to be a secure file; if the behavior of the file to be detected matches the behavior of a malicious file in the behavioral feature database, step S14 is performed.
Step S14: determining the threat level of the file to be detected.
If the behavior of the file to be detected matches the behavior of a malicious file in the behavioral feature database, the file to be detected is judged to be a malicious file. If several threatening behaviors are present among the detected file behaviors, the final threat level of the file is graded according to the highest threatening behavior; for example, the levels can be divided from low to high into 1 to 5, and if the file to be detected has multiple threatening behaviors, it is a malicious file with threat degree 5. The threat level can also be determined directly from the kind of threatening behavior: for example, if the file to be detected has virtual machine detection behavior, its threat degree is judged directly to be 5.
In other embodiments, the file detection and threat level decision method further includes: obtaining the static features of the file to be detected in the virtual environment corresponding to that file; the static features can be MD5, SHA1, the shellcode static analysis results of Office files, the inspection results of multiple licensed antivirus programs, and so on. The behavior and static features of the file to be detected are also added to the behavioral feature database.
In this way, the behavioral feature database can be improved continuously, and the static features of the file to be detected are also added to the behavioral feature database.
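As an added illustration (not code from the patent or its assignee), the following Python sketch implements steps S11 to S14 end to end on constructed sample data: it grades single behaviors and behavior pairs by how much more often they occur in malicious samples than in secure ones, matches a file's sandbox-observed behaviors singly and in combination, takes the highest matched level (or level 5 directly for virtual machine detection behavior), and caches the result under the file's MD5/SHA1 static features so that a re-submitted file returns its earlier result. The behavior names, the sample sets, the 2x frequency threshold and the probability-to-level mapping are assumptions made for the example.

```python
# Added example, not code from the patent: a minimal behavioural feature
# database and threat-level decision following steps S11-S14 above.
# Behaviour names, sample sets, the 2x frequency threshold and the
# probability-to-level mapping are all constructed for illustration.
from collections import Counter
from itertools import combinations
import hashlib

MAX_LEVEL = 5                       # page: levels 1 to 5, low to high
ANTI_VM = "detect_virtual_machine"  # page: VM-detection behaviour is graded 5 directly


def static_features(data: bytes):
    """Static features the sandbox records for a PE file (MD5 and SHA1)."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


class BehaviorFeatureDB:
    """Behaviours and behaviour combinations learned from labelled samples."""

    def __init__(self):
        self.malicious = {}   # single behaviour -> threat level 1..5
        self.combos = {}      # frozenset of two behaviours -> threat level
        self.secure = set()   # behaviours seen in secure samples only
        self.static = {}      # (md5, sha1) -> cached threat level

    @staticmethod
    def _level(p_mal):
        # Share of malicious samples showing the behaviour -> level 1..5.
        return min(MAX_LEVEL, int(p_mal * MAX_LEVEL) + 1)

    def train(self, malicious_samples, secure_samples):
        """Steps S113/S114: keep behaviours (and pairs) that occur markedly
        more often in malicious samples than in secure ones, and grade them."""
        n_mal = max(len(malicious_samples), 1)
        n_sec = max(len(secure_samples), 1)
        mal_one = Counter(b for s in malicious_samples for b in s)
        sec_one = Counter(b for s in secure_samples for b in s)
        mal_two = Counter(frozenset(p) for s in malicious_samples
                          for p in combinations(sorted(s), 2))
        sec_two = Counter(frozenset(p) for s in secure_samples
                          for p in combinations(sorted(s), 2))
        for b, cnt in mal_one.items():
            p_mal, p_sec = cnt / n_mal, sec_one[b] / n_sec
            if p_mal >= 2 * p_sec:            # constructed threshold
                self.malicious[b] = self._level(p_mal)
        for pair, cnt in mal_two.items():     # combination behaviours
            p_mal, p_sec = cnt / n_mal, sec_two[pair] / n_sec
            if p_mal >= 2 * p_sec:
                self.combos[pair] = self._level(p_mal)
        self.secure = set(sec_one) - set(self.malicious)

    def threat_level(self, behaviors, md5=None, sha1=None):
        """Steps S13/S14: 0 means no malicious behaviour matched (secure);
        otherwise the highest level among matched behaviours and pairs."""
        key = (md5, sha1)
        if md5 and key in self.static:        # static features already known:
            return self.static[key]           # the file was tested before
        behaviors = set(behaviors)
        levels = [lvl for b, lvl in self.malicious.items() if b in behaviors]
        levels += [lvl for pair, lvl in self.combos.items() if pair <= behaviors]
        if ANTI_VM in behaviors:
            level = MAX_LEVEL
        elif levels:
            level = max(levels)
        else:
            level = 0
        if md5:                               # record result under static features
            self.static[key] = level
        return level


def build_demo_db():
    """Train on constructed behaviour sets (as extracted from sandbox logs)."""
    malicious = [
        {"create_process", "hook_api", "write_autorun_key", ANTI_VM},
        {"create_process", "write_autorun_key", "connect_remote_host"},
        {"write_autorun_key", "connect_remote_host", "inject_process"},
        {"create_process", "inject_process"},
    ]
    secure = [
        {"create_process", "read_file"},
        {"create_process", "write_file"},
        {"read_file", "write_file", "connect_remote_host"},
    ]
    db = BehaviorFeatureDB()
    db.train(malicious, secure)
    return db


if __name__ == "__main__":
    db = build_demo_db()
    print(db.malicious)
    print(db.threat_level({"create_process", "connect_remote_host", "write_file"}))
```

Note that "create_process" and "connect_remote_host" are individually not graded (both are common in the secure samples) but their pair is, which is the combination matching of step S13.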
Please refer to Fig. 3, which is a structural diagram of the electronic device 10 provided by the first embodiment of the invention. The electronic device 10 can be a computer or any other computing device with data-processing capability, and includes a processor 101, a memory 102, a bus 103 and a communication interface 104; the processor 101, communication interface 104 and memory 102 are connected by the bus 103. The processor 101 is used to execute the executable modules stored in the memory 102, such as a computer program.
The memory 102 may include high-speed random access memory (RAM) and may further include non-volatile memory, for example at least one magnetic disk memory. The communication connection between this system network element and at least one other network element is realized through at least one communication interface 103 (which can be wired or wireless).
The bus 104 can be an ISA bus, a PCI bus, an EISA bus or the like. It is represented by a single double-headed arrow in Fig. 3, but this does not mean that there is only one bus or one type of bus.
The memory 102 is used to store programs, such as the file detection and threat level decision apparatus 200 shown in Fig. 4. The file detection and threat level decision apparatus 200 includes at least one software function module that can be stored in the memory 102 in the form of software or firmware or solidified in the operating system (OS) of the server 10. After receiving an execution instruction, the processor 101 executes the program to realize the file detection and threat level decision method disclosed by the embodiment of the present invention.
The processor 101 may be an integrated circuit chip with signal processing capability. During implementation, each step of the above method can be completed by integrated logic circuits of hardware in the processor 101 or by instructions in software form. The above processor 101 can be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and so on; it can also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component.
The electronic device 10 can also include a display unit, which provides an interactive interface (such as a user interface) between the electronic device 10 and the user or displays image data to the user. In this embodiment, the display unit can be a liquid crystal display or a touch-control display.
Referring to Fig. 4, which is a functional module diagram of the file detection and threat level decision apparatus 200 provided by the first embodiment of the invention. The file detection and threat level decision apparatus 200 runs on the electronic device 10 and comprises an establishing module 201, an acquisition module 202, a comparison module 203, a determining module 204 and an adding module 205.
The establishing module 201 is configured to establish a behavior feature database from malicious file samples and secure file samples. Specifically, the establishing module 201 comprises an acquiring unit 2011, a collecting unit 2012, a training unit 2013 and an establishing unit 2014. In this embodiment, the establishing module 201 performs step S11.
The acquiring unit 2011 obtains a malicious file sample and a secure file sample; the malicious file sample contains multiple malicious files and the secure file sample contains multiple secure files.
The collecting unit 2012 uses sandbox technology to monitor, record and collect all behaviors of the malicious file sample and the secure file sample.
The training unit 2013 trains on all collected behaviors of the malicious file sample and the secure file sample.
The establishing unit 2014 generates all behaviors and combination behaviors of the malicious file sample and the secure file sample, and establishes the behavior feature database.
The acquisition module 202 obtains the behavior of the file to be detected in the virtual environment corresponding to that file, and also obtains the static features of the file to be detected in that virtual environment; the virtual environment is established by a sandbox.
In this embodiment, the acquisition module 202 performs step S12.
The comparison module 203 compares the behavior of the file to be detected with the data in the behavior feature database. It also matches the behaviors of the file to be detected one by one against the behaviors in the behavior feature database, or matches the combination behaviors of the file to be detected against the combination behaviors in the behavior feature database.
In this embodiment, the comparison module 203 performs step S13.
The determining module 204 determines the threat level of the file to be detected if its behavior matches the behavior of a malicious file in the behavior feature database. Each malicious file behavior in the behavior feature database carries a threat level, and the determining module 204 determines the threat level of the file to be detected according to the number and the threat levels of the malicious file behaviors in the database that match the behaviors of the file to be detected.
In this embodiment, the determining module 204 performs step S14.
The adding module 205 adds the behavior and the static features of the file to be detected to the behavior feature database. If the comparison module 203 finds that the static features of the file to be detected are already present in the behavior feature database, the file has already been tested, and the existing detection result is retrieved.
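As an added example (not the patent's own code), the following Python sketch implements the module pipeline described above: it builds the behavior feature database from constructed sandbox traces (step S11), matches a file's behaviors one by one and as combination behaviors (S12, S13), derives a threat level from the number and grade of the matching malicious behaviors (S14), and uses a static feature to avoid re-testing a file already in the database (adding module 205). The behavior names, the grading thresholds and the sample traces are all constructed assumptions.

```python
from __future__ import annotations

import hashlib
from collections import Counter
from dataclasses import dataclass, field
from itertools import combinations

# Constructed sandbox traces standing in for the behaviours monitored, recorded
# and collected in step S11; each sample is the set of behaviours seen while it ran.
MALICIOUS_SAMPLES = [
    {"drop_exe_in_temp", "create_autorun_key", "connect_c2"},
    {"drop_exe_in_temp", "inject_remote_thread", "connect_c2"},
    {"create_autorun_key", "disable_av", "connect_c2"},
]
BENIGN_SAMPLES = [
    {"read_user_doc", "write_user_doc", "connect_update_server"},
    {"read_user_doc", "create_autorun_key"},  # a benign installer also sets autorun
]


@dataclass
class BehaviorDB:
    single: dict[str, int] = field(default_factory=dict)            # behaviour -> grade 1..3
    combo: dict[frozenset[str], int] = field(default_factory=dict)  # behaviour pair -> grade
    seen: dict[str, tuple[str, int]] = field(default_factory=dict)  # static feature -> result


def grade(mal_frac: float, ben_frac: float) -> int:
    """Threat grade of one behaviour: how much more often it occurs in malicious
    samples than in benign ones (0 means it is not treated as malicious). The
    thresholds are an assumption of this example."""
    excess = mal_frac - ben_frac
    if excess >= 0.6:
        return 3
    if excess >= 0.3:
        return 2
    return 1 if excess > 0 else 0


def train(mal: list[set[str]], ben: list[set[str]]) -> BehaviorDB:
    """Step S11: build the behaviour feature database from labelled samples."""
    db = BehaviorDB()
    mal_count = Counter(b for s in mal for b in s)
    ben_count = Counter(b for s in ben for b in s)
    for b, n in mal_count.items():
        g = grade(n / len(mal), ben_count[b] / len(ben))
        if g:
            db.single[b] = g
    # Combination behaviours: pairs that co-occur in at least two malicious
    # samples and never in a benign one; they outrank any single behaviour.
    pair_count = Counter(frozenset(p) for s in mal for p in combinations(sorted(s), 2))
    ben_pairs = {frozenset(p) for s in ben for p in combinations(sorted(s), 2)}
    for pair, n in pair_count.items():
        if n >= 2 and pair not in ben_pairs:
            db.combo[pair] = 4
    return db


def static_feature(content: bytes) -> str:
    """Static feature used to recognise an already-tested file (SHA-256 here)."""
    return hashlib.sha256(content).hexdigest()


def assess(db: BehaviorDB, content: bytes, behaviors: set[str]) -> tuple[str, int]:
    """Steps S12-S14: match the sandbox behaviours against the database and decide
    a threat level from the number and grade of matching malicious behaviours.
    A file whose static feature is already in the database is not re-detected."""
    feature = static_feature(content)
    if feature in db.seen:
        return db.seen[feature]
    hits = [g for b, g in db.single.items() if b in behaviors]            # one-by-one match
    combo_hits = [g for pair, g in db.combo.items() if pair <= behaviors]  # combination match
    if not hits:
        level = 0
    else:
        # strongest single behaviour, raised by each extra match and each combination hit
        level = min(5, max(hits) + (len(hits) - 1) + len(combo_hits))
    verdict = "malicious" if level >= 3 else "suspicious" if level else "clean"
    db.seen[feature] = (verdict, level)  # adding module: remember the static feature
    return verdict, level


if __name__ == "__main__":
    db = train(MALICIOUS_SAMPLES, BENIGN_SAMPLES)
    print(assess(db, b"constructed dropper", {"drop_exe_in_temp", "connect_c2", "read_user_doc"}))
```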
Second embodiment
Referring to Fig. 5, which is a structural diagram of the file detection and threat level decision system 30 provided by the second embodiment of the invention. This embodiment provides a file detection and threat level decision system 30 comprising a learning training server 31, a file acquisition server 33 and a file classification server 32; the learning training server 31 and the file acquisition server 33 are communicatively connected with the file classification server 32, for example over a network.
The learning training server 31 collects a large number of malicious file samples and secure file samples and establishes the behavior feature database from them. The behavior feature database is also communicatively connected with the file classification server 32, i.e. the file classification server 32 can directly query the data of the behavior feature database.
The file acquisition server 33 obtains the behavior of the file to be detected in the virtual environment corresponding to that file. Different types of files to be detected require different operating environments, so multiple different virtual environments are needed; the file acquisition server 33 can use multiple different virtual environments established with sandboxes and detect the same file in different virtual machine environments in parallel at the same time, which greatly increases the detection speed for document-class files. The number of virtual environments is set according to the needs of the detection environment. For example, when a file of Word document type is detected, the file acquisition server 33 can select virtual environments according to the document type and send the Word document separately to virtual environments equipped with Office 2003, Office 2007, Office 2010 and Office 2013 for detection.
The file classification server 32 compares the behavior of the file to be detected with the data in the behavior feature database and, if the file to be detected matches the behavior of a malicious file in the behavior feature database, determines the threat level of the file to be detected. If the file to be detected exhibits a malicious file behavior recorded in the behavior feature database, it is marked as behaviorally malicious, and the file is evaluated according to the threat level of that malicious behavior.
In summary, the file detection and threat level decision method, apparatus and system provided by the invention: the method comprises establishing a behavior feature database from malicious file samples and secure file samples; obtaining the behavior of the file to be detected in the virtual environment corresponding to that file; comparing the behavior of the file to be detected with the data in the behavior feature database; and, if the file to be detected matches the behavior of a malicious file in the behavior feature database, determining the threat level of the file to be detected. Detection is aimed mainly at Windows executable PE files and document-class files. PE file detection captures the dynamic behavior of the file; the behavior feature database is trained on a large number of malicious file samples and secure file samples, and the behavior of the file to be detected is compared with the data in the behavior feature database. Documents can be subjected to both static analysis and dynamic analysis, and if static analysis finds an abnormal document structure or dynamic analysis finds abnormal behavior, the file is determined to be malicious. Because the embodiments of the invention mainly rely on a behavior feature database obtained through learning and training, and judge the threat degree of a file mainly by the combination of its behaviors, the file detection and threat level decision method of the embodiments remains effective against packed malicious programs. The embodiments are mainly applied on the Windows platform and can be used within APT detection systems to provide accurate file threat level evaluation results for security personnel or enterprise institutions.
Within the framework of the file detection and threat level decision system, because document types differ and the environments that trigger malicious behavior differ, multiple virtual environments must be opened and the file under test detected in each of them separately, after which the analysis results are aggregated for judgement.
In the several embodiments provided herein, it should be understood that the disclosed apparatus and method may also be implemented in other ways. The apparatus embodiments described above are merely illustrative; for example, the flowcharts and block diagrams in the drawings show the possible architecture, functions and operation of the apparatus, methods and computer program products according to multiple embodiments of the invention. In this regard, each block in a flowchart or block diagram may represent a module, program segment or part of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that in some alternative implementations the functions noted in the blocks may occur in an order different from that marked in the drawings. For example, two consecutive blocks may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functions involved. It should also be noted that each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented by a dedicated hardware-based system that performs the specified functions or actions, or by a combination of dedicated hardware and computer instructions.
In addition, the functional modules in the embodiments of the invention may be integrated to form an independent part, each module may exist separately, or two or more modules may be integrated to form an independent part.
If the functions are implemented as software functional modules and sold or used as independent products, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods of the embodiments of the invention. The aforementioned storage medium includes: a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code. It should be noted that relational terms such as first and second are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "comprising", "including" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that comprises a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device that comprises the element.
The foregoing is merely a preferred embodiment of the invention and is not intended to limit the invention; for those skilled in the art, the invention may be modified and varied in various ways. Any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the invention shall be included within the protection scope of the invention. It should be noted that similar reference numerals and letters denote similar items in the following drawings; therefore, once an item is defined in one drawing, it need not be further defined and explained in subsequent drawings.
The above description is merely a specific embodiment, but the protection scope of the invention is not limited thereto; any person familiar with the art could readily conceive changes or substitutions within the technical scope disclosed by the invention, and these shall all be covered within the protection scope of the invention. Therefore, the protection scope of the invention shall be subject to the scope of the claims.

Claims (10)

1. A file detection and threat level decision method, characterized by comprising:
establishing a behavior feature database from malicious file samples and secure file samples;
obtaining the behavior of a file to be detected in a virtual environment corresponding to the file to be detected;
comparing the behavior of the file to be detected with the data in the behavior feature database;
if the file to be detected matches the behavior of a malicious file in the behavior feature database, determining the threat level of the file to be detected.
2. The file detection and threat level decision method according to claim 1, characterized in that the step of establishing the behavior feature database from malicious file samples and secure file samples comprises:
obtaining a malicious file sample and a secure file sample, the malicious file sample comprising multiple malicious files and the secure file sample comprising multiple secure files;
using sandbox technology to monitor, record and collect all behaviors of the malicious file sample and the secure file sample;
training on all collected behaviors of the malicious file sample and the secure file sample;
generating all behaviors and combination behaviors of the malicious file sample and the secure file sample, and establishing the behavior feature database.
3. The file detection and threat level decision method according to claim 1, characterized in that the method further comprises:
matching the behaviors of the file to be detected one by one against the behaviors in the behavior feature database, or matching the combination behaviors of the file to be detected against the combination behaviors in the behavior feature database;
the behaviors of malicious files in the behavior feature database having threat levels, determining the threat level of the file to be detected according to the number and the threat levels of the malicious file behaviors in the behavior feature database that match the behaviors of the file to be detected.
4. The file detection and threat level decision method according to claim 1, characterized in that the method further comprises:
obtaining the static features of the file to be detected in the virtual environment corresponding to the file to be detected, the virtual environment being established by a sandbox;
after the threat level of the file to be detected is determined, adding the behavior and the static features of the file to be detected to the behavior feature database.
5. A file detection and threat level decision apparatus, characterized by comprising:
an establishing module, for establishing a behavior feature database from malicious file samples and secure file samples;
an acquisition module, for obtaining the behavior of a file to be detected in a virtual environment corresponding to the file to be detected;
a comparison module, for comparing the behavior of the file to be detected with the data in the behavior feature database;
a determining module, for determining the threat level of the file to be detected if the file to be detected matches the behavior of a malicious file in the behavior feature database.
6. The file detection and threat level decision apparatus according to claim 5, characterized in that the establishing module further comprises:
an acquiring unit, for obtaining a malicious file sample and a secure file sample, the malicious file sample comprising multiple malicious files and the secure file sample comprising multiple secure files;
a collecting unit, for using sandbox technology to monitor, record and collect all behaviors of the malicious file sample and the secure file sample;
a training unit, for training on all collected behaviors of the malicious file sample and the secure file sample;
an establishing unit, for generating all behaviors and combination behaviors of the malicious file sample and the secure file sample, and establishing the behavior feature database.
7. The file detection and threat level decision apparatus according to claim 5, characterized in that the comparison module is further configured to: match the behaviors of the file to be detected one by one against the behaviors in the behavior feature database, or match the combination behaviors of the file to be detected against the combination behaviors in the behavior feature database;
the determining module is further configured to: the behaviors of malicious files in the behavior feature database having threat levels, determine the threat level of the file to be detected according to the number and the threat levels of the malicious file behaviors in the behavior feature database that match the behaviors of the file to be detected.
8. The file detection and threat level decision apparatus according to claim 5, characterized in that the acquisition module is further configured to: obtain the static features of the file to be detected in the virtual environment corresponding to the file to be detected, the virtual environment being established by a sandbox;
the file detection and threat level decision apparatus further comprises an adding module, for adding the behavior and the static features of the file to be detected to the behavior feature database.
9. A file detection and threat level decision system, characterized by comprising a learning training server, a file acquisition server and a file classification server, the learning training server and the file acquisition server being communicatively connected with the file classification server;
the learning training server is configured to establish a behavior feature database from malicious file samples and secure file samples, the behavior feature database also being communicatively connected with the file classification server; the file acquisition server is configured to obtain the behavior of a file to be detected in a virtual environment corresponding to the file to be detected; the file classification server is configured to compare the behavior of the file to be detected with the data in the behavior feature database and, if the file to be detected matches the behavior of a malicious file in the behavior feature database, to determine the threat level of the file to be detected.
10. The file detection and threat level decision system according to claim 9, characterized in that the learning training server is further configured to: obtain a malicious file sample and a secure file sample, the malicious file sample comprising multiple malicious files and the secure file sample comprising multiple secure files; use sandbox technology to monitor, record and collect all behaviors of the malicious file sample and the secure file sample; train on all collected behaviors of the malicious file sample and the secure file sample; generate all behaviors and combination behaviors of the malicious file sample and the secure file sample, and establish the behavior feature database.
CN201711232296.XA 2017-11-29 2017-11-29 File detects and threat level decision method, apparatus and system Pending CN108009425A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711232296.XA CN108009425A (en) 2017-11-29 2017-11-29 File detects and threat level decision method, apparatus and system


Publications (1)

Publication Number Publication Date
CN108009425A true CN108009425A (en) 2018-05-08

Family

ID=62055110


Country Status (1)

Country Link
CN (1) CN108009425A (en)



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180508