CN108064384A - The mitigation of Malware - Google Patents


Info

Publication number: CN108064384A
Authority: CN (China)
Prior art keywords: malware, task, electronic equipment, behavior, detection task
Legal status: Pending
Application number: CN201680037878.XA
Other languages: Chinese (zh)
Inventors: A.米什拉, R.莫罕达斯, S.苏布拉马尼安, K.A.维尔穆鲁甘, A.萨亚思, A.马杜卡, L.卢
Current assignee: McAfee LLC
Original assignee: McAfee LLC
Application filed by McAfee LLC
Publication of CN108064384A

Classifications

    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities (G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems › G06F 21/55 Detecting local intrusion or implementing counter-measures › G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements)
    • G06F 21/568 Computer malware detection or handling, e.g. anti-virus arrangements: eliminating virus, restoring damaged files (same path as above through G06F 21/56)
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities (G06F 21/00 › G06F 21/50)
    • H04L 9/40 Network security protocols (H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols)
    • G06F 2221/2101 Auditing as a secondary aspect (G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F 2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)

Abstract

Particular embodiments described herein provide an electronic device that can be configured to allow malware to execute in a system; to record the changes to the system caused by the execution of the malware; and to create a detection task for detecting the malware in an electronic device, where the detection task is based at least in part on the changes to the system caused by the execution of the malware. The detection task can be used to identify infected electronic devices, and a mitigation task can be created to mitigate the changes to the infected electronic device caused by the malware.

Description

The mitigation of malware
Cross reference to related applications
This application claims the benefit of and priority to Indian patent application number 3247/CHE/2015, entitled "MITIGATION OF MALWARE", filed on June 27, 2015, the entire contents of which are incorporated herein by reference.
Technical field
The present disclosure relates generally to the field of information security, and more specifically to the mitigation of malware.
Background
The field of network security has become increasingly important in today's society. The Internet has made it possible to interconnect different computer networks around the world. In particular, the Internet provides a medium for exchanging data between different users connected to different computer networks via various types of client devices. Although the use of the Internet has transformed business and personal communications, it has also become a vehicle for malicious operators to gain unauthorized access to computers and computer networks and for the intentional or accidental exposure of sensitive information.
Malicious software ("malware") that infects a host computer may be able to carry out any number of malicious actions, such as stealing sensitive information from a business or individual associated with the host computer, propagating to other host computers, assisting with distributed denial of service attacks, sending spam or malicious e-mail from the host computer, and so on. Hence, protecting computers and computer networks from malicious and unintentional exploitation by malware remains a significant administrative challenge.
Description of the drawings
To provide a more complete understanding of the present disclosure and its features and advantages, reference is made to the following description taken in conjunction with the accompanying drawings, in which like reference numerals represent like parts, and in which:
Figure 1A is a simplified block diagram of a communication system for the mitigation of malware in accordance with an embodiment of the present disclosure;
Figure 1B is a simplified block diagram of a communication system for the mitigation of malware in accordance with an embodiment of the present disclosure;
Figure 1C is a simplified block diagram of a communication system for the mitigation of malware in accordance with an embodiment of the present disclosure;
Figure 2 is a simplified block diagram of a portion of a communication system for the mitigation of malware in accordance with an embodiment of the present disclosure;
Figure 3 is a simplified diagram of example details of a communication system for the mitigation of malware in accordance with an embodiment of the present disclosure;
Figure 4 is a simplified flowchart illustrating potential operations that may be associated with the communication system in accordance with an embodiment;
Figure 5 is a simplified flowchart illustrating potential operations that may be associated with the communication system in accordance with an embodiment;
Figure 6 is a block diagram illustrating an example computing system arranged in a point-to-point configuration in accordance with an embodiment;
Figure 7 is a simplified block diagram associated with an example ARM ecosystem system on chip (SOC) of the present disclosure; and
Figure 8 is a block diagram illustrating an example processor core in accordance with an embodiment.
The figures of the drawings are not necessarily drawn to scale, as their dimensions can be varied considerably without departing from the scope of the present disclosure.
Detailed description
Example embodiments
Figure 1A is a simplified block diagram of a communication system 100a for the mitigation of malware in accordance with an embodiment of the present disclosure. Communication system 100a can include an electronic device 102a, a cloud service 104 and a server 106. Electronic device 102a can include a processor 110, memory 112, an operating system 114, a sandbox 116 and a security module 118. Security module 118 can include a malware detection module 120, a malware mitigation module 122 and malware pattern behavior 124. Malware detection module 120 can include an analysis log 126. Malware mitigation module 122 can include reverse malware behavior actions 128. Cloud service 104 and server 106 can each include a network security module 130. Network security module 130 can include a pattern behavior generation module 132 and malware pattern behavior 124. Electronic device 102a, cloud service 104 and server 106 can communicate using a network 108.
Turning to Figure 1B, Figure 1B is a simplified block diagram of a communication system 100b for the mitigation of malware in accordance with an embodiment of the present disclosure. Communication system 100b can include an electronic device 102b, cloud service 104 and server 106. Electronic device 102b can include processor 110, memory 112, operating system 114, security module 118 and a recovery environment 136. Electronic device 102b, cloud service 104 and server 106 can communicate using network 108.
Turning to Figure 1C, Figure 1C is a simplified block diagram of a communication system 100c for the mitigation of malware in accordance with an embodiment of the present disclosure. Communication system 100c can include an electronic device 102c, cloud service 104 and server 106. Electronic device 102c can include processor 110, memory 112, operating system 114, security module 118 and an auxiliary operating system 138. Electronic device 102c, cloud service 104 and server 106 can communicate using network 108.
In an example embodiment, communication system 100a-100c can be configured to study the behavior of a malicious application in detail. Knowledge of the malicious application's behavior can then be used to identify infected electronic devices and to correct or mitigate the effect of the malware on the electronic device without re-imaging the electronic device. For example, communication system 100a-100c can be configured to use dynamic analysis of a malware sample to correct an infected machine that has been infected by that malware sample. The correction or mitigation can involve an iterative multi-stage method. In one example, a recovery environment can be used during mitigation to bypass the evasion techniques used by the malware. In another example, behavioral knowledge of the malware, of the malware family to which it belongs, and of general malware behavior can be used to detect the malware and correct the machine infected by it. Using dynamic analysis of the malware sample can allow detection and correction of malware that traditional anti-virus software may not be able to detect. Furthermore, the malware can be corrected without re-imaging the infected electronic device and without the data loss that typically results from re-imaging.
The elements of Figures 1A-1C can be coupled to one another through one or more interfaces employing any suitable connection (wired or wireless), which provides a viable pathway for network (e.g., network 108) communications. Additionally, any one or more of these elements of Figures 1A-1C may be combined or removed from the architecture based on particular configuration needs. Communication system 100a-100c may include a configuration capable of transmission control protocol/internet protocol (TCP/IP) communications for the transmission or reception of packets in a network. Communication system 100a-100c may also operate in conjunction with user datagram protocol/IP (UDP/IP) or any other suitable protocol where appropriate and based on particular needs.
For purposes of illustrating certain example techniques of communication system 100a-100c, it is important to understand the communications that may be traversing the network environment. The following foundational information may be viewed as a basis from which the present disclosure may be properly explained.
Most enterprises correct an electronic device infected by malware by reformatting the entire hard disk and re-imaging the electronic device. This is an inconvenient process that not only renders the electronic device non-productive but also causes loss of data on the electronic device, since data that was not backed up before re-imaging is lost. Currently, because malware uses various techniques to evade detection and correction, re-imaging is one of very few reliable malware removal techniques. Using currently popular detection techniques, not only is it difficult to correct the presence of malicious files on an infected electronic device, it is also very difficult to determine whether a host is actually infected. What is needed is a system and method that can mitigate or correct malware on an infected electronic device without re-imaging the electronic device.
A communication system for the mitigation of malware, as outlined in Figures 1A-1C, can resolve these issues (and others). Communication system 100a-100c can be configured to use behavioral analysis techniques to analyze a suspicious sample of malware. For example, pattern behavior generation module 132 can be configured to use behavioral analysis techniques to analyze the suspicious sample of malware. The techniques can involve pattern matching, global reputation, program emulation, static analysis, dynamic analysis, or a combination of one or more of these or other behavioral analysis techniques. Once the suspicious sample of malware has been analyzed, the system can be configured to generate a malware pattern behavior for the malware (e.g., malware pattern behavior 124) based on the analysis. The malware pattern behavior can include the various evasion and obfuscation techniques used by the malware that are captured by the analysis. The malware pattern behavior can be an indicator of the specific malware sample's behavior.
Based on the sample behavior, behavioral knowledge of typical malware families can be used to identify the malware family associated with the sample behavior. As a result of research and analysis of known and new malware families, a set of behavior patterns specific to the identified malware family can be created as the family behavior. Most malware engages in behavior patterns that are not exhibited by benign or well-behaved software. As a result of research and analysis, a set of behavior patterns commonly exhibited by malware can be prepared as the general malware behavior. The specific malware sample behavior, the family behavior and the general malware behavior can be incorporated into malware pattern behavior 124.
The elements of sample behavior, family behavior and general malware behavior can be combined in malware detection module 120 and compared with analysis log 126 to identify malware. Analysis log 126 can be an activity log of a system suspected of being infected by the malware. Additionally, the elements of sample behavior, family behavior and general malware behavior can be combined in malware mitigation module 122 to generate detection tasks, where a detection task can be configured to execute so as to collect relevant environment details, file system and registry information, and indicators of infection and evasion on the electronic device. A feedback loop to malware mitigation module 122 can be used to analyze the results of the detection tasks and to generate further specific tasks to detect and repair the infection on the infected electronic device. The results of these tasks can again be fed back to malware mitigation module 122, which can generate further tasks for execution. This sequence of actions can iterate until malware mitigation module 122 determines that the electronic device is free of the infection indicated by the sample behavior and the family behavior.
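The detect/mitigate feedback loop described above, as an added example that is not part of the patent or of any McAfee product: the sandbox's before/after snapshots are diffed into a detection task, the task is run against an infected device from either the live operating system or a recovery environment, every indicator found is reversed, and the loop repeats until a detection pass comes back empty. The `Host` class and all paths, hashes and key names are constructed; in-memory dicts stand in for the file system and registry, and a reboot (which would clear the mutex) is not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# An indicator is (kind, identifier, expected value); value is None for kernel objects.
Indicator = Tuple[str, str, Optional[str]]


@dataclass
class Host:
    """Constructed stand-in for one device: file system, registry and kernel objects."""
    files: Dict[str, str] = field(default_factory=dict)     # path -> md5 (constructed values)
    registry: Dict[str, str] = field(default_factory=dict)  # key -> value
    mutexes: Set[str] = field(default_factory=set)          # named kernel objects in memory
    hidden: Set[str] = field(default_factory=set)           # paths the sample hides from the live OS

    def copy(self) -> "Host":
        return Host(dict(self.files), dict(self.registry), set(self.mutexes), set(self.hidden))


def record_changes(before: Host, after: Host) -> List[Indicator]:
    """Diff the sandbox snapshots taken before and after the sample ran."""
    changes: List[Indicator] = []
    for path, digest in after.files.items():
        if before.files.get(path) != digest:
            changes.append(("file", path, digest))
    for key, value in after.registry.items():
        if before.registry.get(key) != value:
            changes.append(("registry", key, value))
    for name in sorted(after.mutexes - before.mutexes):
        changes.append(("mutex", name, None))
    return changes


def run_detection(task: List[Indicator], host: Host, live_os: bool) -> List[Indicator]:
    """Execute a detection task: report which indicators are present on the host.
    From the live OS a rootkit-hidden path is invisible; from a recovery
    environment the disk is seen as-is but in-memory objects (mutexes) are not."""
    found: List[Indicator] = []
    for kind, ident, value in task:
        if kind == "file":
            present = host.files.get(ident) == value and not (live_os and ident in host.hidden)
        elif kind == "registry":
            present = host.registry.get(ident) == value
        else:  # mutex
            present = live_os and ident in host.mutexes
        if present:
            found.append((kind, ident, value))
    return found


def build_mitigation_task(found: List[Indicator]) -> List[Tuple[str, str]]:
    """Each found indicator becomes an action that reverses the recorded change."""
    return [("remove_" + kind, ident) for kind, ident, _ in found]


def run_mitigation(task: List[Tuple[str, str]], host: Host) -> None:
    for action, ident in task:
        if action == "remove_file":
            host.files.pop(ident, None)
            host.hidden.discard(ident)
        elif action == "remove_registry":
            host.registry.pop(ident, None)
        elif action == "remove_mutex":
            host.mutexes.discard(ident)


def mitigate_iteratively(task: List[Indicator], host: Host, live_os: bool,
                         max_rounds: int = 5) -> int:
    """Detect, reverse what was found, detect again; stop when a pass finds nothing.
    Returns the number of mitigation rounds that were needed."""
    rounds = 0
    while rounds < max_rounds:
        found = run_detection(task, host, live_os)
        if not found:
            break
        run_mitigation(build_mitigation_task(found), host)
        rounds += 1
    return rounds


# --- constructed sandbox data: a clean baseline and the state after the sample ran ---
DROPPED = "C:/Users/u/AppData/Roaming/svc.exe"
RUN_KEY = "HKCU/Software/Microsoft/Windows/CurrentVersion/Run/svc"
BASELINE = Host(files={"C:/Windows/notepad.exe": "0f0f0f0f0f0f0f0f"})
AFTER_RUN = Host(
    files={"C:/Windows/notepad.exe": "0f0f0f0f0f0f0f0f", DROPPED: "deadbeefdeadbeef"},
    registry={RUN_KEY: DROPPED},
    mutexes={"Global\\svc_running"},
    hidden={DROPPED},  # the sandbox observed the sample hiding its own file
)
DETECTION_TASK = record_changes(BASELINE, AFTER_RUN)


def victim() -> Host:
    """A fresh copy of an infected device for each experiment."""
    return AFTER_RUN.copy()


def experiment(live_os: bool) -> Tuple[int, bool, bool]:
    """Full cleanup of a fresh infected copy from the live OS or a recovery environment.
    Returns (rounds used, dropped file still present, Run key still present)."""
    host = victim()
    rounds = mitigate_iteratively(DETECTION_TASK, host, live_os)
    return rounds, DROPPED in host.files, RUN_KEY in host.registry


if __name__ == "__main__":
    print("live OS     :", experiment(live_os=True))
    print("recovery env:", experiment(live_os=False))
```

With this constructed data one round of mitigation suffices and the second detection pass is what declares the host clean; the point of the two runs is that the live-OS pass never sees the hidden file, so only the recovery-environment pass removes it, while the mutex is only ever observable from the live OS.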
In order to mitigate the ability for evading detection of Malware, task can be performed on different platforms.For example, appoint Business can perform in real time operating system, may be infected by malware, and may interfere with detection or mitigate task Accuracy.Task can be in the recovery environment 136 for the malware infection for being less likely to may interfere with detection or mitigate task (For example, Windows®Recover environment(RE))Middle execution.Task can be held using the auxiliary operation system 138 on electronic equipment Row.Auxiliary operation system can be pushed on an electronic device using the file that can be installed as boot disk.Malware is most The mitigation task performed on auxiliary operation system can not possibly be disturbed.
The foundation structure of Figure 1A -1C is gone to, shows communication system 100a-100c according to example embodiment.Generally, lead to Letter system 100a-100c can sample the network of any types or topology to realize.Network 108 represents to send and receive logical Cross the series of points or node of the interconnected communication paths of the information block of communication system 100a-100c propagation.Network 108 is in node Between communication interface is provided, and can be configured as any LAN(LAN), virtual LAN(VLAN), wide area network (WAN), WLAN(WLAN), Metropolitan Area Network (MAN)(MAN), Intranet, extranet, Virtual Private Network(VPN)And promote network Any other appropriate framework or system or its any appropriate combination of communication in environment, including wired and/or channel radio Letter.
In communication system 100a-100c, it can be sent and received according to any suitable communication information transportation protocol Include the network service of grouping, frame, signal, data etc..Suitable communication information transportation protocol can include multilayer scheme, such as Open system interconnection(OSI)Model or its any derivative or modification(Such as transmission control protocol/internet protocol(TCP/IP)、 User Datagram Protocol/IP(UDP/IP)).In addition it is also possible to it is provided in communication system 100a-100c through cellular network Radio signal communications.Suitable interface can be provided and foundation structure enables to realize the communication with cellular network.
Term " grouping " as used herein refer to can be on a packet switched network source node and destination node it Between the unit of data that route.Grouping includes source network address and destination network address.These network address can be TCP/ Internet protocol in IP message transportation protocol(IP)Address.Term " data " as used herein refers to any kind of binary system File, number, voice, video, text or script data or any kind of source or object code or can be in electronics Any other suitable information using any appropriate format of another point is transmitted in equipment and/or network from a point. In addition, message, request, response and inquiry are the forms of network service, and it therefore can include grouping, frame, signal, data Deng.
In example implementation, electronic equipment 102a-102c, cloud service 104 and server 106 and be network element, It is intended to include network appliance, server, router, interchanger, gateway, bridge, load balancer, processor, module or can grasps Make to exchange any other suitable equipment, component, element or object of information in a network environment.Network element can include Promote its any suitable hardware, software, component, module or object for operating and for receiving, sending in a network environment And/or otherwise transmit the suitable interface of data or information.This can include the effective exchange for allowing data or information Appropriate algorithm and communication protocol.
On internal structure associated with communication system 100a-100c, electronic equipment 102a-102c, 104 and of cloud service The storage element that can each include the information used in the operation that summarized herein for storage in server 106 Part.In electronic equipment 102a-102c, cloud service 104 and server 106 each can in appropriate circumstances and based on spy It needs calmly and information is maintained at any suitable memory component(For example, random access memory(RAM), read-only memory (ROM), erasable programmable ROM(EPROM), electrically erasable ROM(EEPROM), application-specific integrated circuit(ASIC)Deng)、 In software, hardware, firmware or in any other suitable component, equipment, element or object.The memory items being discussed herein In any one should be interpreted be included in broad terms " memory component " in.In addition, in communication system 100a-100c The middle information for being used, tracked, sending or being received may be provided in any database, register, queue, table, cache, It is all these to be cited at any suitable time frame in control list or other storage organizations.It is any such The Save option may also be included in that in broad terms as used herein " memory component ".
In some example implementations, the function of summarizing herein can be by that can include non-transitory computer readable medium The logic encoded in one or more tangible mediums of matter(For example, to be performed by processor or other similar machines Embedded logic, the digital signal processor provided in ASIC(DSP)Instruction, software(Potentially include object code and source generation Code)Deng)To realize.In some in these examples, memory component can store the data for operation described herein. This includes the memory that can store the software for being executed to perform activity described herein, logic, code or processor instruction Element.
In example implementation, the network element of communication system 100a-100c(Such as electronic equipment 102a-102c, cloud service 104 and server 106)It can include software module(Such as security module 118, malware detection module 120, Malware Mitigate module 122, network security module 130 and Mode behavior generation module module 132)To realize or promote as summarized herein Operation.These modules can be combined suitably in any suitable manner, can be based on specific configuration and/or preset need It will.In the exemplary embodiment, such operation can be performed by hardware, realize in these element-externals or be included in certain To realize be intended to function in other a network equipments.In addition, module may be implemented as software, hardware, firmware or its What suitable combination.These elements can also include that the software for realizing operation can be coordinated with other network elements(It is or past Compound software), as summarized herein.
In addition, in electronic equipment 102a-102c, cloud service 104 and server 106 each can include can perform it is soft Part or algorithm are to perform the processor of activity as discussed herein.Processor can perform any types associated with data Instruction to realize operation detailed in this article.In one example, processor can be by element or article(Such as data)From one A state or things are changed into another state or things.In another example, fixed logic can be utilized or may be programmed and patrolled Volume(For example, software/the computer instruction performed by processor)Realize the activity summarized herein, and identified herein Element can be certain type of programmable processor, programmable digital logic(For example, field programmable gate array(FPGA)、 EPROM、EEPROM)Or include the ASIC of Digital Logic, software, code, e-command or its any appropriate combination.It is described herein Potential processing element, any one in module and machine should be interpreted to be included in broad terms " processor ".
Electronic equipment 102a-102c can be network element, and including such as desktop computer, laptop computer, Mobile equipment, personal digital assistant, smart phone, tablet computer or other similar devices.Cloud service 104 is configured as to electronics Equipment 102a-102c provides cloud service.Cloud service generally can be defined as use and pass through network(Such as internet)As clothes The computing resource of business delivering.In general, calculating, storage and Internet resources are provided in cloud foundation structure, so as to effectively by work Load is transferred to cloud network from local network.Server 106 can be the network element of such as server or virtual server etc Part, and can be with wishing via some network(For example, network 108)The visitor of communication is initiated in communication system 100a-100c Family end, client, endpoint or terminal user are associated.Term " server " includes the request and/or representative for service client The equipment of client executing some calculating task in communication system 100a-100c.Although security module 118 is in Figures IA-1 C It is expressed as being located in electronic equipment 102a-102c, but this is for illustrative purposes only.Security module 118 can be with Any suitable configuration combination or separation.In addition, security module 118 can with can be accessed by electronic equipment 102a-102c it is another One network(Such as cloud service 104 or server 106)It is integrated or distributed among wherein.
Fig. 2 is gone to, Fig. 2 is the communication system 100a- of the mitigation for Malware in accordance with an embodiment of the present disclosure The simplified block diagram of a part of 100c.Mode behavior generation module 132 can be configured as use pattern matching, global reputation, Sample is analyzed in static analysis, dynamic analysis, program simulation or the combination of one or more of some other behavioral analysis technologies This is applied.Analyzed sample can be summarized and for creating Malware Mode behavior 124.Malware Mode behavior 124 can include sample behavior 140 and family's behavior 142.Sample behavior 140 can include specific Malware sample row For.Family's behavior 142 can be created from associated with analyzed sample or including analyzed sample Malware family.
Because Malware can evade detection using various technologies, sample is analyzed using the combination of various technologies This simultaneously detects whether it is strictly malice.It is, for example, possible to use pattern match identifies well known sample, and identical know Knowledge can be used for identify sample system is made what change and Malware what evades technology using.Similarly, sample Global reputation can be used for identifying the behavior of Malware based on the input from global data base.
It can simulate that Malware sample is allowed to perform in the environment of simulation and for by Malware sample using program This change made studies the environment, and identifies and evade technology as used in Malware.If for example, Malware Use Windows®API hook mechanisms hide the list for the process being currently running, then identical behavioural information is recorded and makes It must can use as the technology of evading.
Static analysis is the another way that Mode behavior generation module 132 can identify Malware behavior.The technology Using the assembly instruction pattern being known in advance specific behavior in mirror image is can perform to identify Malware.Sometimes Malware can It performs file to be encrypted or obscure, and is only just decrypted when Malware sample is actual to be performed on machine.This In the case of, Malware is allowed to be performed on machine, and the content to being extracted carries out static analysis.It is used by the technology of evading The pattern of code can be identified and form a part for Mode behavior generation module 132.
It can be studied by Mode behavior generation module 132 using dynamic analysis after Malware sample has been performed To real time virtual machine change made.Different technologies(Such as API hooks)It can be used for detection by Malware to system Change made.It can be by using the actual knowledge that is performed on machine and from each germline of that angle analysis of Malware System product(Such as the process or the module of loading being currently running)Various evade technology to identify.For example, if Malware opens The process of referred to as malwareSample.exe has been moved, and in the list of the process being currently running of the process in system not As it can be seen that then so that the technology of evading that the process hides the process that it performs wherein as Malware is used.
After sample has been analyzed, report/production of the analysis on the Malware at different phase can be generated Object.Analysis report can simultaneously generate one group of user behaviors log.The Malware behavior of different phase of the log analysis from analysis Instruction, and it is combined into complete behavioural analysis daily record.Analysis daily record can mitigate module 122 by Malware and use Sample behavior product(For example, sample behavior 140).
The example of the element of " sample behavior " can include title, the registry entries of the file created by Malware And kernel objects(Such as mutexes).The technology of evading can also indicate in sample behavior product.It can also find out Malware Whether create whether hidden file, Malware describe similar concealment techniques(rootkit)Behavior or whether can enumerate The process of Malware.
The behavior that sample user behaviors log can be directed to known malware family is analyzed and matched, to identify specific evil The family for software sample of anticipating.The database 150 of Malware family behavior can be safeguarded for this purpose.Upon identifying family, The joint act of all members of the particular malware family can be then collected from the database 150 of Malware family behavior Indicant, and family's behavior 142 for Malware sample can be generated.
One example of family's behavior can include the information on polymorphic malware behavior.Some Malware can be with The establishment file in the AppData files of user.When being performed at different examples, identical sample, which creates, has difference The file of title, so that filename is randomized so that Malware cannot be by the file identification of its establishment.In such case Under, Malware can be identified by the concomitant pattern in act of randomization.For example, some Malware can be The file that there are different names but hashed using identical md5 is created in same sub-folder in AppData files.If All samples of Malware family can be attributed to by creating the characteristic for the file that different names but identical md5 verify sum, then should Characteristic may be used as identifying the indicant of the infection of all samples of the family.Such information quilt including family's specific behavior It is fed to malware detection module 120 and Malware mitigates module 122, generation can be used the information to and detect/subtract Light task.For example, for the title for changing file but folder name and md5 is made to verify and keep the sample of identical family, The mark task that the specific md5 in particular file folder is searched in electronic equipment can be generated.
Identifying the behavior of generic or common malware can involve establishing behavioral parameters that known malware commonly exhibits and benign software rarely exhibits. This involves identifying common patterns, such as the creation of specific registry entries, or the installation of unsigned or unverified binaries in the startup folder. For example, it is known that unsigned programs present in the startup folder are typically malicious, especially if they are not accompanied by a corresponding entry in the list of installed programs, or if the binaries of such components are not signed by a verified publisher. Malware detection module 120 and malware mitigation module 122 can generate detection tasks (e.g., analysis log 126) and mitigation tasks (e.g., reverse malware behavior actions 128) to search for such binaries in the system and compare their checksums with known malware or family behavior, in order to identify possible infections and correct them accordingly.
Turning to Fig. 3, Fig. 3 is a simplified diagram of a portion of communication system 100a-100c for the mitigation of malware, in accordance with an embodiment of the present disclosure. Security module 118 can be configured to transmit malware pattern behavior 124 to malware detection module 120. Malware detection module 120 can be configured to compile the various indicators of malware behavior (e.g., sample behavior 140, family behavior 142, malware behavior 144, etc.) to identify whether electronic devices 102a-102c are infected and, if they are infected, malware mitigation module 122 can be used to correct the infected electronic devices 102a-102c. In this example, malware mitigation module 122 can analyze all the indicators and generate tasks that identify indicators of infection in electronic devices 102a-102c. Based on the specific sample, family and general behavior (e.g., sample behavior 140, family behavior 142 and general malware behavior 144), the tasks can be performed in the execution environment in which the malware infection may previously have occurred and the machine may not have been restarted. Malware may infect the memory, registry and file system of a machine. Some indicators of infection, for example file system and registry changes made by the malware, may be difficult to find in this environment, because the malware may subvert the operating system to hide the indicators of its presence. Some other indicators can only be found in this environment, because they are available in the live memory of the operating system and will be lost when the computer is restarted. These include mutexes, events, API hooks and the like installed on electronic devices 102a-102c.
In another example, the tasks can be performed in an environment in which a write-protected disk image file of the operating system is present. This can be useful for recovering operating system files in the case of an infection that damages OS files. The same environment can be used to counter the malware's ability to evade detection and to eliminate the startup persistence of the malware sample, in order to clean the infected machine.
For malware that evades detection in Windows® RE, the only possible way to identify and correct (mitigate) the malware may be to boot the machine into an auxiliary OS and iterate through the files of the machine, using an NTFS driver, to look for file-system-based indicators of infection. Choosing an auxiliary OS that supports iterating through the NTFS file system can help with the detection and removal of file system artifacts that would otherwise evade detection. Tasks can be generated according to the behavior indicators from the specific sample, family and general malware behavior. For example, if a sample is found to create a registry entry, such as one that starts an executable as part of the Windows startup process, a detection task that searches for that specific registry entry can be generated.
The results of executing the detection and mitigation tasks can be fed back to malware mitigation module 122 via feedback loop 146. Malware mitigation module 122 can determine the next action based on analysis of the results from the tasks. In another example, malware detection module 120 can analyze the results of the tasks. If the results indicate that the electronic device is infected, malware mitigation module 122 can generate a mitigation task to be performed in one of the three environments described above (e.g., sandbox 116, recovery environment 136 or auxiliary operating system 138). If the results indicate no infection, malware mitigation module 122 can decide to check again in another environment and generate tasks accordingly. Likewise, if malware mitigation module 122 can confirm that none of the indicators of infection are present, malware mitigation module 122 can declare that the electronic device is clean or benign.
Feedback loop 146 can be performed iteratively to fully disinfect the electronic device. For example, if malware detection module 120 determines that a malware sample has been found to infect the file system and registry, but the family behavior indicates that the file name and md5 are randomized from one instance to another, malware mitigation module 122 can generate a task that searches for the malware sample in the live environment. If the malware sample is not found, malware mitigation module 122 can again generate a task that searches for the malware sample in the recovery environment. If no evidence of the malware sample is found, a task that searches for the particular folder can be generated. When the particular folder is found, a task that computes the md5 of all files in the folder can be generated. If an md5 matches one of the known variant md5 checksums of the specific family, or if no md5 is found, a task can be generated that looks for registry entries of programs modified to execute when the machine starts. If a suspect program is found to be registered as a startup program, a task can be generated that looks for the executable associated with that program, and the md5 of the malware sample may be found among the known variant md5 checksums. A task can then be generated that deletes the malware sample and the registry entry, restarts the machine in the live Windows OS, and looks for indicators in memory such as mutexes and events. Finally, after the results of several iterations, malware mitigation module 122 can infer whether the machine has completely eliminated the particular malware sample.
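As an added example (not the patent's own code), the family-behavior detection task described above for a family that randomizes the dropped file name but keeps the folder and md5, followed by the startup-entry check and the derived mitigation tasks from the iteration just described. The family name, AppData subfolder, file contents, hashes and Run-key values are all constructed for the example; the Run key is modelled as a plain dictionary.

```python
"""Family-behavior detection task (added example, not the patent's code).

Scenario from the text: a malware family drops a file with a randomized name in
a fixed AppData subfolder, but the content (and so the md5) is the same across
instances. The task hashes every file in that folder and matches on md5 while
ignoring the file name, then checks the (simulated) Run key for the family's
startup entries. Every name, path, hash and registry value here is constructed.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class FamilyBehavior:
    family: str
    drop_subfolder: str        # relative to the user's AppData folder
    known_md5s: set            # md5 checksums of the family's known variants
    startup_value_names: set   # Run-key value names the family registers


@dataclass
class DetectionResult:
    infected: bool
    matched_files: list = field(default_factory=list)
    matched_startup: list = field(default_factory=list)


def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def run_family_detection_task(appdata_root, run_key, behavior):
    """Detection task: hash every file in the family's drop folder and compare
    against the family's known md5s regardless of file name, then flag Run-key
    entries that use the family's value names or point at a matched file."""
    result = DetectionResult(infected=False)
    folder = os.path.join(appdata_root, behavior.drop_subfolder)
    if os.path.isdir(folder):
        for name in sorted(os.listdir(folder)):
            path = os.path.join(folder, name)
            if os.path.isfile(path) and md5_of_file(path) in behavior.known_md5s:
                result.matched_files.append(path)
    for value_name, command in run_key.items():
        if value_name in behavior.startup_value_names or command in result.matched_files:
            result.matched_startup.append((value_name, command))
    result.infected = bool(result.matched_files or result.matched_startup)
    return result


def build_mitigation_tasks(result):
    """Mitigation tasks derived from what the detection task found: remove the
    dropped files and the startup entries that launch them."""
    tasks = [("delete_file", path) for path in result.matched_files]
    tasks += [("delete_run_value", name) for name, _ in result.matched_startup]
    return tasks


def demo():
    """Constructed scenario: two instances of the same family on one device,
    each dropped under a different random name but with identical content."""
    payload = b"constructed sample payload, not real malware"
    family = FamilyBehavior(
        family="ExampleFamily",                            # constructed
        drop_subfolder=os.path.join("Roaming", "updsvc"),  # constructed
        known_md5s={hashlib.md5(payload).hexdigest()},
        startup_value_names={"UpdSvcHelper"},              # constructed
    )
    with tempfile.TemporaryDirectory() as appdata:
        folder = os.path.join(appdata, family.drop_subfolder)
        os.makedirs(folder)
        for random_name in ("x8f2k1.exe", "q00aa9.exe"):   # randomized names
            with open(os.path.join(folder, random_name), "wb") as f:
                f.write(payload)
        with open(os.path.join(folder, "readme.txt"), "wb") as f:
            f.write(b"benign file with different content")
        run_key = {                                         # simulated Run key
            "OneDrive": r"C:\Program Files\OneDrive\OneDrive.exe",
            "UpdSvcHelper": os.path.join(folder, "q00aa9.exe"),
        }
        result = run_family_detection_task(appdata, run_key, family)
        tasks = build_mitigation_tasks(result)
    return result, tasks


if __name__ == "__main__":
    res, todo = demo()
    print("infected:", res.infected, "files:", len(res.matched_files), "tasks:", todo)
```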
Turning to Fig. 4, Fig. 4 is an example flowchart illustrating possible operations of a flow 400 that may be associated with the mitigation of malware, according to an embodiment. In an embodiment, one or more operations of flow 400 can be performed by security module 118, malware detection module 120, malware mitigation module 122, network security module 130 and pattern behavior generation module 132. At 402, malware is allowed to run. At 404, the actions performed by the malware are observed and the changes to the system are recorded. For example, pattern behavior generation module 132 can observe the actions performed by the malware and create malware pattern behavior 124. At 406, reverse actions that undo the changes to the system caused by the malware are created.
Turning to Fig. 5, Fig. 5 is an example flowchart illustrating possible operations of a flow 500 that may be associated with the mitigation of malware, according to an embodiment. In an embodiment, one or more operations of flow 500 can be performed by security module 118, malware detection module 120, malware mitigation module 122, network security module 130 and pattern behavior generation module 132. At 502, malware changes a system. For example, malware detection module 120 may have determined that malware has modified or changed electronic device 102a. At 504, the malware is identified. For example, the malware can be identified using analysis log 126. Analysis log 126 can be created by malware detection module 120 by recording the changes to electronic device 102a. At 506, the malware pattern behavior is determined. At 508, reverse malware behavior actions are determined. For example, reverse malware behavior actions 128 are determined. At 510, the reverse malware behavior actions are performed to undo the changes the malware made to the system. For example, malware mitigation module 122 can perform reverse malware behavior actions 128 to undo the changes the malware made to electronic device 102a.
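An added example (not the patent's code) of flows 400 and 500 over an in-memory model of a system: a snapshot is taken before a constructed stand-in for the sample runs (402), the changes are recorded by diffing the snapshots (404), reverse actions are derived from the recorded changes (406), and those actions are then applied to a separately infected copy of the system (510). The file paths, registry values and mutex name are constructed, and the "sample" is a plain function that edits the model, not real malware.

```python
"""Record malware changes and derive reverse actions (added example).

The system is modelled in memory as a file table, a registry and a set of
kernel mutexes. The sample is a constructed function that edits the model the
way the text describes malware doing: dropping a file, editing a system file,
registering a Run-key entry and creating a mutex. Nothing here is real malware.
"""
import copy
from dataclasses import dataclass, field

HOSTS = r"C:\Windows\System32\drivers\etc\hosts"                          # constructed
DROPPED = r"C:\Users\alice\AppData\Roaming\updsvc\x8f2k1.exe"              # constructed
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass
class SystemState:
    files: dict = field(default_factory=dict)      # path -> content bytes
    registry: dict = field(default_factory=dict)   # key\value -> data
    mutexes: set = field(default_factory=set)      # kernel object names


def snapshot(state):
    return copy.deepcopy(state)


def record_changes(before, after):
    """Step 404: observe what the sample did by diffing two snapshots.
    Returns the pattern behavior as (kind, target, old_value, new_value)."""
    changes = []
    for path in sorted(set(before.files) | set(after.files)):
        old, new = before.files.get(path), after.files.get(path)
        if old != new:
            changes.append(("file", path, old, new))
    for key in sorted(set(before.registry) | set(after.registry)):
        old, new = before.registry.get(key), after.registry.get(key)
        if old != new:
            changes.append(("registry", key, old, new))
    for name in sorted(after.mutexes - before.mutexes):
        changes.append(("mutex", name, None, name))
    return changes


def reverse_actions(changes):
    """Step 406: for each recorded change, the action that restores the
    pre-infection value: delete what was created, restore what was modified."""
    actions = []
    for kind, target, old, _new in changes:
        if old is None:
            actions.append(("delete_" + kind, target, None))
        else:
            actions.append(("restore_" + kind, target, old))
    return actions


def apply_reverse_actions(state, actions):
    """Step 510: execute the reverse actions against an infected system."""
    for op, target, value in actions:
        if op == "delete_file":
            state.files.pop(target, None)
        elif op == "restore_file":
            state.files[target] = value
        elif op == "delete_registry":
            state.registry.pop(target, None)
        elif op == "restore_registry":
            state.registry[target] = value
        elif op == "delete_mutex":
            state.mutexes.discard(target)
    return state


def constructed_sample(state):
    """Step 402 stand-in: the edits a sample makes when allowed to run."""
    state.files[DROPPED] = b"constructed payload"
    state.files[HOSTS] = b"127.0.0.1 update.vendor.example"
    state.registry[RUN_KEY + r"\UpdSvcHelper"] = DROPPED
    state.mutexes.add("Global\\updsvc_instance")


def clean_state():
    s = SystemState()
    s.files[HOSTS] = b"# default hosts"
    s.registry[RUN_KEY + r"\OneDrive"] = r"C:\Program Files\OneDrive\OneDrive.exe"
    return s


def demo():
    """Sandbox run to learn the behavior, then clean a separately infected
    device using only the derived reverse actions."""
    before = clean_state()
    sandbox = snapshot(before)
    constructed_sample(sandbox)                      # 402
    changes = record_changes(before, sandbox)        # 404
    actions = reverse_actions(changes)               # 406
    infected = clean_state()
    constructed_sample(infected)                     # 502: a device gets infected
    cleaned = apply_reverse_actions(infected, actions)  # 510
    return changes, actions, cleaned, before


if __name__ == "__main__":
    chg, act, after, ref = demo()
    print(len(chg), "changes;", len(act), "reverse actions; clean:", after == ref)
```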
Fig. 6 illustrates a computing system 600 that is arranged in a point-to-point (PtP) configuration according to an embodiment. In particular, Fig. 6 shows a system in which processors, memory, and input/output devices are interconnected by a number of point-to-point interfaces. Generally, one or more of the network elements of communication system 100 can be configured in the same or a similar manner as computing system 600.
As illustrated in Fig. 6, system 600 can include several processors, of which only two, processors 670 and 680, are shown for clarity. While two processors 670 and 680 are shown, it is to be understood that an embodiment of system 600 may also include only one such processor. Processors 670 and 680 can each include a set of cores (i.e., processor cores 674A and 674B and processor cores 684A and 684B) to execute multiple threads of a program. The cores can be configured to execute instruction code in a manner similar to that discussed above with reference to Figs. 1-5. Each processor 670, 680 can include at least one shared cache 671, 681. Shared caches 671, 681 can store data (e.g., instructions) that are utilized by one or more components of processors 670, 680, such as processor cores 674 and 684.
Processors 670 and 680 can also each include integrated memory controller logic (MC) 672 and 682 to communicate with memory elements 632 and 634. Memory elements 632 and/or 634 can store various data used by processors 670 and 680. In alternative embodiments, memory controller logic 672 and 682 can be discrete logic separate from processors 670 and 680.
Processors 670 and 680 can be any type of processor and can exchange data via a point-to-point (PtP) interface 650 using point-to-point interface circuits 678 and 688, respectively. Processors 670 and 680 can each exchange data with a chipset 690 via individual point-to-point interfaces 652 and 654 using point-to-point interface circuits 676, 686, 694, and 698. Chipset 690 can also exchange data with a high-performance graphics circuit 638 via a high-performance graphics interface 639, using an interface circuit 692, which could be a PtP interface circuit. In alternative embodiments, any or all of the PtP links illustrated in Fig. 6 could be implemented as a multi-drop bus rather than as PtP links.
Chipset 690 can be in communication with a bus 620 via an interface circuit 696. Bus 620 can have one or more devices that communicate over it, such as a bus bridge 618 and I/O devices 616. Via a bus 610, bus bridge 618 can be in communication with other devices such as a keyboard/mouse 612 (or other input devices such as a touch screen, trackball, etc.), communication devices 626 (such as modems, network interface devices, or other types of communication devices that can communicate through a computer network 660), audio I/O devices 614, and/or a data storage device 628. Data storage device 628 can store code 630 that can be executed by processors 670 and/or 680. In alternative embodiments, any portions of the bus architectures could be implemented with one or more PtP links.
The computer system depicted in Fig. 6 is a schematic illustration of an embodiment of a computing system that can be used to implement the various embodiments discussed herein. It will be appreciated that the various components of the system depicted in Fig. 6 can be combined in a system-on-a-chip (SoC) architecture or in any other suitable configuration. For example, the embodiments disclosed herein can be incorporated into systems including mobile devices such as smart cellular telephones, tablet computers, personal digital assistants, portable gaming devices, and the like. It will be appreciated that these mobile devices can be provided with SoC architectures in at least some embodiments.
Turning to Fig. 7, Fig. 7 is a simplified block diagram associated with an example ARM ecosystem SOC 700 of the present disclosure. At least one example implementation of the present disclosure can include the malware mitigation features discussed herein and an ARM component. For example, the example of Fig. 7 can be associated with any ARM core (e.g., A-7, A-15, etc.). Further, the architecture can be part of any type of tablet, smartphone (inclusive of Android™ phones, iPhones™), iPad™, Google Nexus™, Microsoft Surface™, personal computer, server, video processing component, laptop computer (inclusive of any type of notebook), Ultrabook™ system, any type of touch-enabled input device, etc.
In this example of Fig. 7, ARM ecosystem SOC 700 can include multiple cores 706-907, an L2 cache control 708, a bus interface unit 709, an L2 cache 710, a graphics processing unit (GPU) 715, an interconnect 702, a video codec 720, and a liquid crystal display (LCD) I/F 725, which can be associated with a mobile industry processor interface (MIPI)/high-definition multimedia interface (HDMI) link that couples to an LCD.
ARM ecosystem SOC 700 can also include a subscriber identity module (SIM) I/F 730, a boot read-only memory (ROM) 735, a synchronous dynamic random access memory (SDRAM) controller 740, a flash controller 745, a serial peripheral interface (SPI) master 750, a suitable power control 755, a dynamic RAM (DRAM) 760, and flash 765. In addition, one or more example embodiments include one or more communication capabilities, interfaces, and features such as instances of Bluetooth™ 770, a 3G modem 775, a global positioning system (GPS) 780, and 802.11 Wi-Fi 785.
In operation, the example of Fig. 7 can offer processing capabilities, along with relatively low power consumption, to enable computing of various types (e.g., mobile computing, high-end digital home, servers, wireless infrastructure, etc.). In addition, such an architecture can enable any number of software applications (e.g., Android™, Adobe® Flash® Player, Java Platform Standard Edition (Java SE), JavaFX, Linux, Microsoft Windows Embedded, Symbian, and Ubuntu, etc.). In at least one example embodiment, the core processor can implement an out-of-order superscalar pipeline with a coupled low-latency level-2 cache.
Fig. 8 illustrates a processor core 800 according to an embodiment. Processor core 800 can be the core for any type of processor, such as a microprocessor, an embedded processor, a digital signal processor (DSP), a network processor, or another device that executes code. Although only one processor core 800 is illustrated in Fig. 8, a processor can alternatively include more than one of the processor core 800 illustrated in Fig. 8. For example, processor core 800 represents one example embodiment of processor cores 674a, 674b, 684a, and 684b shown and described with reference to processors 670 and 680 of Fig. 6. Processor core 800 can be a single-threaded core or, for at least one embodiment, processor core 800 can be multithreaded in that it can include more than one hardware thread context (or "logical processor") per core.
Fig. 8 also illustrates a memory 802 coupled to processor core 800 in accordance with an embodiment. Memory 802 can be any of a wide variety of memories (including various layers of a memory hierarchy) as are known or otherwise available to those of skill in the art. Memory 802 can include code 804, which can be one or more instructions, to be executed by processor core 800. Processor core 800 can follow the program sequence of instructions indicated by code 804. Each instruction enters a front-end logic 806 and is processed by one or more decoders 808. The decoder can generate, as its output, a micro-operation (such as a fixed-width micro-operation) in a predefined format, or can generate other instructions, microinstructions, or control signals that reflect the original code instruction. Front-end logic 806 also includes register renaming logic 810 and scheduling logic 812, which generally allocate resources and queue the operation corresponding to the instruction for execution.
Processor core 800 can also include execution logic 814 having a set of execution units 816-1 through 816-N. Some embodiments can include a number of execution units dedicated to specific functions or sets of functions. Other embodiments can include only one execution unit, or one execution unit that can perform a particular function. Execution logic 814 performs the operations specified by the code instructions.
After completion of execution of the operations specified by the code instructions, back-end logic 818 can retire the instructions of code 804. In one embodiment, processor core 800 allows out-of-order execution but requires in-order retirement of instructions. Retirement logic 820 can take a variety of known forms (e.g., reorder buffers or the like). In this manner, processor core 800 is transformed during execution of code 804, at least in terms of the output generated by the decoder, the hardware registers and tables utilized by register renaming logic 810, and any registers (not shown) modified by execution logic 814.
Although not illustrated in Fig. 8, a processor can include other elements on a chip with processor core 800, at least some of which were shown and described herein with reference to Fig. 6. For example, as shown in Fig. 6, a processor can include memory control logic along with processor core 800. The processor can include I/O control logic and/or can include I/O control logic integrated with memory control logic.
Note that with the examples provided herein, interaction can be described in terms of two, three, or more network elements. However, this has been done for purposes of clarity and example only. In certain cases, it can be easier to describe one or more of the functionalities of a given set of flows by referencing only a limited number of network elements. It should be appreciated that communication system 100a-100c and its teachings are readily scalable and can accommodate a large number of components, as well as more complicated/sophisticated arrangements and configurations. Accordingly, the examples provided should not limit the scope or inhibit the broad teachings of communication system 100a-100c, as potentially applied to a myriad of other architectures.
It is also important to note that the operations in the preceding flow diagrams (i.e., Figs. 4 and 5) illustrate only some of the possible correlating scenarios and patterns that can be executed by, or within, communication system 100a-100c. Some of these operations can be deleted or removed where appropriate, or these operations can be modified or changed considerably without departing from the scope of the present disclosure. In addition, a number of these operations have been described as being executed concurrently with, or in parallel to, one or more additional operations. However, the timing of these operations can be altered considerably. The preceding operational flows have been offered for purposes of example and discussion. Substantial flexibility is provided by communication system 100a-100c in that any suitable arrangements, chronologies, configurations, and timing mechanisms can be provided without departing from the teachings of the present disclosure.
Although the present disclosure has been described in detail with reference to particular arrangements and configurations, these example configurations and arrangements can be changed significantly without departing from the scope of the present disclosure. Moreover, certain components can be combined, separated, eliminated, or added based on particular needs and implementations. Additionally, although communication system 100a-100c has been illustrated with reference to particular elements and operations that facilitate the communication process, these elements and operations can be replaced by any suitable architecture, protocols, and/or processes that achieve the intended functionality of communication system 100a-100c.
Numerous other changes, substitutions, variations, alterations, and modifications can be ascertained by one skilled in the art, and it is intended that the present disclosure encompass all such changes, substitutions, variations, alterations, and modifications as falling within the scope of the appended claims. In order to assist the United States Patent and Trademark Office (USPTO) and, additionally, any readers of any patent issued on this application in interpreting the claims appended hereto, Applicant wishes to note that the Applicant: (a) does not intend any of the appended claims to invoke paragraph six (6) of 35 U.S.C. section 112 as it exists on the date of the filing hereof unless the words "means for" or "step for" are specifically used in the particular claims; and (b) does not intend, by any statement in the specification, to limit this disclosure in any way that is not otherwise reflected in the appended claims.
Other Notes and Examples
Example C1 is at least one machine-readable storage medium having one or more instructions that, when executed by at least one processor, cause the at least one processor to: allow malware to execute in a system; record changes to the system caused by the execution of the malware; and create a detection task for the detection of the malware in an electronic device, wherein the detection task is based at least in part on the changes to the system caused by the execution of the malware.
In Example C2, the subject matter of Example C1 can optionally include where the detection task is created using one or more of pattern matching of the malware, global reputation analysis, program emulation, static analysis, and dynamic analysis.
In Example C3, the subject matter of any one of Examples C1-C2 can optionally include where the instructions, when executed by the at least one processor, further cause the at least one processor to: identify a malware family associated with the malware, wherein the malware family includes family behavior, and the detection task is based in part on the family behavior.
In Example C4, the subject matter of any one of Examples C1-C3 can optionally include where the detection task is based in part on general malware behavior.
In Example C5, the subject matter of any one of Examples C1-C4 can optionally include where the instructions, when executed by the at least one processor, further cause the at least one processor to: use the created detection task to identify an infected electronic device; and create a mitigation task to mitigate the changes to the infected electronic device caused by the malware.
In Example C6, the subject matter of any one of Examples C1-C5 can optionally include where the mitigation task is performed in a recovery environment.
In Example C7, the subject matter of any one of Examples C1-C6 can optionally include where the mitigation task is performed using an auxiliary operating system on the infected electronic device.
In Example C8, the subject matter of any one of Examples C1-C7 can optionally include where the auxiliary operating system is pushed onto the infected electronic device as a boot disk.
In Example A1, an apparatus can include a pattern behavior generation module, where the pattern behavior generation module is configured to: allow malware to execute in a system; record changes to the system caused by the execution of the malware; and create a detection task for the detection of the malware in an electronic device, wherein the detection task is based at least in part on the changes to the system caused by the execution of the malware.
In Example A2, the subject matter of Example A1 can optionally include where the detection task is created using one or more of pattern matching of the malware, global reputation analysis, program emulation, static analysis, and dynamic analysis.
In Example A3, the subject matter of any one of Examples A1-A2 can optionally include where the monitoring module is further configured to: identify a malware family associated with the malware, wherein the malware family includes family behavior, and the detection task is based in part on the family behavior.
In Example A4, the subject matter of any one of Examples A1-A3 can optionally include where the detection task is based in part on general malware behavior.
In Example A5, the subject matter of any one of Examples A1-A4 can optionally include where the monitoring module is further configured to: send the detection task to a security module, wherein the security module is configured to: use the created detection task to identify an infected electronic device; and create a mitigation task to mitigate the changes to the infected electronic device caused by the malware.
In Example A6, the subject matter of any one of Examples A1-A5 can optionally include where the mitigation task is performed in a recovery environment.
In Example A7, the subject matter of any one of Examples A1-A6 can optionally include where the mitigation task is performed using an auxiliary operating system on the infected electronic device.
In Example A8, the subject matter of any one of Examples A1-A7 can optionally include where the auxiliary operating system is pushed onto the infected electronic device as a boot disk.
Example M1 is a method including: allowing malware to execute in a system; recording changes to the system caused by the execution of the malware; and creating a detection task for the detection of the malware in an electronic device, wherein the detection task is based at least in part on the changes to the system caused by the execution of the malware.
In Example M2, the subject matter of Example M1 can optionally include where the detection task is created using one or more of pattern matching of the malware, global reputation analysis, program emulation, static analysis, and dynamic analysis.
In Example M3, the subject matter of any one of Examples M1-M2 can optionally include identifying a malware family associated with the malware, wherein the malware family includes family behavior, and the detection task is based in part on the family behavior.
In Example M4, the subject matter of any one of Examples M1-M3 can optionally include where the detection task is based in part on general malware behavior.
In Example M5, the subject matter of any one of Examples M1-M4 can optionally include using the created detection task to identify an infected electronic device; and creating a mitigation task to mitigate the changes to the infected electronic device caused by the malware.
In Example M6, the subject matter of any one of Examples M1-M5 can optionally include where the mitigation task is performed in a recovery environment.
In Example M7, the subject matter of any one of Examples M1-M6 can optionally include where the mitigation task is performed using an auxiliary operating system on the infected electronic device.
Example S1 is a system for the correction of malware, the system including: a pattern behavior generation module configured to: allow malware to execute in a system; record changes to the system caused by the execution of the malware; and create a detection task for the detection of the malware in an electronic device, wherein the detection task is based at least in part on the changes to the system caused by the execution of the malware; and a security module configured to: use the created detection task to identify an infected electronic device; and create a mitigation task to mitigate the changes to the infected electronic device caused by the malware.
In Example S2, the subject matter of Example S1 can optionally include where the detection task is created using one or more of pattern matching of the malware, global reputation analysis, program emulation, static analysis, and dynamic analysis.
Example X1 is a machine-readable storage medium including machine-readable instructions to implement a method or realize an apparatus as in any one of Examples A1-A8 or M1-M7. Example Y1 is an apparatus comprising means for performing any of the Example methods M1-M7. In Example Y2, the subject matter of Example Y1 can optionally include the means for performing the method comprising a processor and a memory. In Example Y3, the subject matter of Example Y2 can optionally include the memory comprising machine-readable instructions.

Claims (25)

1. At least one computer-readable medium comprising one or more instructions that, when executed by at least one processor, cause the at least one processor to:
allow malware to execute in a system;
record changes to the system caused by the execution of the malware; and
create a detection task for the detection of the malware in an electronic device, wherein the detection task is based at least in part on the changes to the system caused by the execution of the malware.
2. The at least one computer-readable medium of claim 1, wherein the detection task is created using one or more of pattern matching of the malware, global reputation analysis, program emulation, static analysis, and dynamic analysis.
3. The at least one computer-readable medium of any one of claims 1 and 2, further comprising one or more instructions that, when executed by the at least one processor, cause the at least one processor to:
identify a malware family associated with the malware, wherein the malware family includes family behavior, and the detection task is based in part on the family behavior.
4. The at least one computer-readable medium of any one of claims 1-3, wherein the detection task is based in part on general malware behavior.
5. The at least one computer-readable medium of any one of claims 1-4, further comprising one or more instructions that, when executed by the at least one processor, cause the at least one processor to:
use the created detection task to identify an infected electronic device; and
create a mitigation task to mitigate the changes to the infected electronic device caused by the malware.
6. The at least one computer-readable medium of any one of claims 1-5, wherein the mitigation task is performed in a recovery environment.
7. The at least one computer-readable medium of any one of claims 1-6, wherein the mitigation task is performed using an auxiliary operating system on the infected electronic device.
8. The at least one computer-readable medium of any one of claims 1-7, wherein the auxiliary operating system is pushed onto the infected electronic device as a boot disk.
9. An apparatus comprising:
a pattern behavior generation module configured to:
allow malware to execute in a system;
record changes to the system caused by the execution of the malware; and
create a detection task for the detection of the malware in an electronic device, wherein the detection task is based at least in part on the changes to the system caused by the execution of the malware.
10. The apparatus of claim 9, wherein the detection task is created using one or more of pattern matching of the malware, global reputation analysis, program emulation, static analysis, and dynamic analysis.
11. The apparatus of any one of claims 9 and 10, wherein the pattern behavior generation module is further configured to:
identify a malware family associated with the malware, wherein the malware family includes family behavior, and the detection task is based in part on the family behavior.
12. The apparatus of any one of claims 9-11, wherein the detection task is based in part on general malware behavior.
13. The apparatus of any one of claims 9-12, wherein the pattern behavior generation module is further configured to:
send the detection task to a security module, wherein the security module is configured to:
use the created detection task to identify an infected electronic device; and
create a mitigation task to mitigate the changes to the infected electronic device caused by the malware.
14. The apparatus of any one of claims 9-13, wherein the mitigation task is performed in a recovery environment.
15. The apparatus of any one of claims 9-14, wherein the mitigation task is performed using an auxiliary operating system on the infected electronic device.
16. The apparatus of any one of claims 9-15, wherein the auxiliary operating system is pushed onto the infected electronic device as a boot disk.
17. a kind of method, including:
Malware is performed in systems;
Record is as the change to the system caused by the execution of the Malware;With
The Detection task of the detection for the Malware in electronic equipment is created, wherein Detection task at least part ground In the change to the system caused by the execution as the Malware.
18. according to the method for claim 17, wherein the Detection task uses the pattern match of Malware, global sound One or more of analysis, program simulation, static analysis and dynamic analysis are praised to create.
19. according to the method any one of claim 17 and 18, further include:
Mark Malware family associated with Malware, wherein Malware family include family's behavior, and described Detection task is based in part on family's behavior.
20. according to the method any one of claim 17-19, wherein the Detection task is based in part on general malice Software action.
21. according to the method any one of claim 17-20, further include:
Created Detection task is used to identify infected electronic equipment;With
It creates and mitigates as the mitigation task of the change to infected electronic equipment caused by the Malware.
22. according to the method any one of claim 17-21, wherein the mitigation task performs in environment is recovered.
23. according to the method any one of claim 17-22, wherein the mitigation task is set using infected electronics Standby upper auxiliary operation system performs.
24. a kind of system of correction for Malware, the system comprises:
Mode behavior generation module, is configured as:
Malware is allowed to perform in systems;
Record is as the change to the system caused by the execution of the Malware;With
The Detection task of the detection for the Malware in electronic equipment is created, wherein Detection task at least part ground In the change to the system caused by the execution as the Malware;With
Security module is configured as:
Created Detection task is used to identify infected electronic equipment;With
It creates and mitigates as the mitigation task of the change to infected electronic equipment caused by the Malware.
25. system according to claim 24, wherein the Detection task uses the pattern match of Malware, global sound One or more of analysis, program simulation, static analysis and dynamic analysis are praised to create.
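The workflow the claims describe (let a sample run in a controlled system, record the changes it makes, turn them into a detection task, then build a mitigation task that reverses those changes on an infected device) as an added Python model; this is not the patent's or McAfee's code. The artifact paths and content hashes are constructed toy values, and the fractional match threshold in `is_infected` is an assumption the claims do not specify.

```python
# Added example modelling the claimed workflow, not the patent's own code: diff a
# sandbox before/after a sample runs, derive a detection task from the recorded
# changes, apply it to devices, and build a mitigation task that reverses them.
from dataclasses import dataclass

@dataclass
class DetectionTask:
    created: dict[str, str]               # artifacts the sample added (path -> hash)
    modified: dict[str, tuple[str, str]]  # path -> (clean hash, infected hash)
    deleted: dict[str, str]               # artifacts the sample removed (path -> clean hash)

def record_changes(before: dict, after: dict) -> DetectionTask:
    """Record the changes to the system caused by executing the sample."""
    created = {p: h for p, h in after.items() if p not in before}
    deleted = {p: h for p, h in before.items() if p not in after}
    modified = {p: (before[p], after[p]) for p in before.keys() & after.keys()
                if before[p] != after[p]}
    return DetectionTask(created, modified, deleted)

def is_infected(task: DetectionTask, device: dict, threshold=0.5) -> bool:
    """Detection task: match when enough recorded artifacts are present. Deletions
    are not scored; a missing file is weak evidence on a device we never baselined."""
    hits = sum(device.get(p) == h for p, h in task.created.items())
    hits += sum(device.get(p) == bad for p, (_, bad) in task.modified.items())
    total = len(task.created) + len(task.modified)
    return total > 0 and hits / total >= threshold

def mitigation_task(task: DetectionTask, device: dict) -> list[tuple[str, str]]:
    """Actions that undo the recorded changes; meant to run from a recovery environment."""
    actions = [("delete", p) for p in task.created if p in device]
    actions += [("restore", p) for p, (_, bad) in task.modified.items()
                if device.get(p) == bad]
    actions += [("recreate", p) for p in task.deleted if p not in device]
    return actions

def apply_mitigation(task: DetectionTask, device: dict, actions) -> dict:
    """Simulate executing the mitigation task; clean content comes from the task."""
    fixed = dict(device)
    for action, p in actions:
        if action == "delete":
            del fixed[p]
        else:  # "restore" writes the clean hash back, "recreate" the removed artifact
            fixed[p] = task.modified[p][0] if action == "restore" else task.deleted[p]
    return fixed

# Constructed sandbox snapshots: two files modified, two dropped, one deleted.
CLEAN = {"sys/hosts": "hosts0", "sys/run.cfg": "run0", "sys/av.cfg": "av0"}
INFECTED = {"sys/hosts": "hosts1", "sys/run.cfg": "run1", "app/dropper.bin": "drop", "app/payload.dll": "pay"}
TASK = record_changes(CLEAN, INFECTED)
```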

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
IN3247/CHE/2015 2015-06-27
IN3247CH2015 2015-06-27
PCT/US2016/033846 WO2017003580A1 (en) 2015-06-27 2016-05-24 Mitigation of malware

Publications (1)

Publication Number Publication Date
CN108064384A true CN108064384A (en) 2018-05-22

Family

ID=57608987

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201680037878.XA Pending CN108064384A (en) 2015-06-27 2016-05-24 The mitigation of Malware

Country Status (4)

Country Link
EP (1) EP3314509A4 (en)
JP (2) JP6668390B2 (en)
CN (1) CN108064384A (en)
WO (1) WO2017003580A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2597097B (en) * 2020-07-15 2022-10-05 British Telecomm Computer-implemented automatic security methods and systems
GB2597098A (en) * 2020-07-15 2022-01-19 British Telecomm Computer-implemented automatic security methods and systems
KR102308477B1 (en) * 2020-12-07 2021-10-06 주식회사 샌즈랩 Method for Generating Information of Malware Which Describes the Attack Charateristics of the Malware

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080256633A1 (en) * 2002-05-08 2008-10-16 International Business Machines Corporation Method and Apparatus for Determination of the Non-Replicative Behavior of a Malicious Program
CN102160048A (en) * 2008-09-22 2011-08-17 微软公司 Collecting and analyzing malware data
US20110271341A1 (en) * 2010-04-28 2011-11-03 Symantec Corporation Behavioral signature generation using clustering
CN102314561A (en) * 2010-07-01 2012-01-11 电子科技大学 Automatic analysis method and system of malicious codes based on API (application program interface) HOOK
US20120260342A1 (en) * 2011-04-05 2012-10-11 Government Of The United States, As Represented By The Secretary Of The Air Force Malware Target Recognition
CN103186740A (en) * 2011-12-27 2013-07-03 北京大学 Automatic detection method for Android malicious software
US20130333033A1 (en) * 2012-06-06 2013-12-12 Empire Technology Development Llc Software protection mechanism

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4755658B2 (en) * 2008-01-30 2011-08-24 日本電信電話株式会社 Analysis system, analysis method and analysis program
JP2010049627A (en) * 2008-08-25 2010-03-04 Hitachi Software Eng Co Ltd Computer virus detection system
US8479286B2 (en) * 2009-12-15 2013-07-02 Mcafee, Inc. Systems and methods for behavioral sandboxing
US9202048B2 (en) * 2010-01-27 2015-12-01 Mcafee, Inc. Method and system for discrete stateful behavioral analysis
US8782791B2 (en) * 2010-12-01 2014-07-15 Symantec Corporation Computer virus detection systems and methods
US8677493B2 (en) * 2011-09-07 2014-03-18 Mcafee, Inc. Dynamic cleaning for malware using cloud technology
US9591003B2 (en) * 2013-08-28 2017-03-07 Amazon Technologies, Inc. Dynamic application security verification

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109492399A (en) * 2019-01-17 2019-03-19 腾讯科技(深圳)有限公司 Risk file test method, device and computer equipment
CN113722705A (en) * 2021-11-02 2021-11-30 北京微步在线科技有限公司 Malicious program clearing method and device
CN113722705B (en) * 2021-11-02 2022-02-08 北京微步在线科技有限公司 Malicious program clearing method and device
CN113722714A (en) * 2021-11-03 2021-11-30 北京微步在线科技有限公司 Network threat processing method and device

Also Published As

Publication number Publication date
EP3314509A4 (en) 2018-12-05
WO2017003580A1 (en) 2017-01-05
JP6668390B2 (en) 2020-03-18
JP2020113290A (en) 2020-07-27
EP3314509A1 (en) 2018-05-02
JP2018524720A (en) 2018-08-30

Similar Documents

Publication Publication Date Title
US11328063B2 (en) Identification of malicious execution of a process
US11870793B2 (en) Determining a reputation for a process
CN108064384A (en) The mitigation of Malware
US11379583B2 (en) Malware detection using a digital certificate
US20170091453A1 (en) Enforcement of file characteristics
CN108093652B (en) Simulation of an application
US20110277033A1 (en) Identifying Malicious Threads
EP3198513A1 (en) Data verification using enclave attestation
US20150379268A1 (en) System and method for the tracing and detection of malware
US9886577B2 (en) Detection and mitigation of malicious invocation of sensitive code
JP6598221B2 (en) Anomaly detection to identify malware
CN107960126A (en) Vulnerability exploit detection based on analysis event
US11627145B2 (en) Determining a reputation of data using a data visa including information indicating a reputation
JP2018524716A5 (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20180522