CN108171054A - Method and system for detecting malicious code delivered by social deception - Google Patents
Publication number: CN108171054A
Application number: CN201611103717.4A
Authority: CN (China)
Legal status: Pending (as listed by Google Patents; an assumption, not a legal conclusion)
Classifications (CPC)
- G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  - G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    - G06F21/55: Detecting local intrusion or implementing counter-measures
      - G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
        - G06F21/562: Static detection
          - G06F21/563: Static detection by source code analysis
- G06Q50/00: Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
  - G06Q50/01: Social networking
Abstract
The invention discloses a method and system for detecting malicious code delivered by social deception. The actual file type of each sample file is identified first and the samples in non-safe formats are extracted. Each attribute of such a file is then analysed for signs of social deception: the file name, the suffix, the file type, the file icon and the file attributes. The checks include whether the file name is overlong, which character sets the file name uses, whether an unusual suffix is used, whether the file type is consistent with the suffix, whether the file is of a specific kind such as a shortcut, whether the file icon resembles the icon of known legitimate software, and whether the file signature is valid. Each check analyses the file and assigns it a score, and finally the results of all the checks are combined to assess whether the file is malicious code.
Description
Technical field
The invention belongs to the field of malicious code detection and relates in particular to a method and system for detecting malicious code used in attacks that exploit social deception.
Background art
As society and information technology develop, computers and the internet are applied ever more widely in every field. At the same time, attacks on information systems are growing in number, and the threat posed by computer viruses, Trojans and other malicious code is growing with them. With the widespread deployment of safeguards such as antivirus software and anti-virus gateways, traditional virus propagation methods are gradually failing, and malware authors increasingly spread malicious code through e-mail, instant messaging, online forums and other social media by means of social deception. By combining social deception with technical means, they bypass the protection of security software and trick users into opening and executing the malicious code, which implants a Trojan into the victim's system, steals secrets, extorts the victim or carries out other destructive activities. Malicious code attacks that rely on social deception are now increasingly common and have become a mainstream attack method, seriously affecting national security, social stability and the privacy and property of large numbers of internet users. A method for detecting malicious code delivered by social deception is therefore badly needed.
Current malicious code detection techniques mainly include the following:
1. Static binary scanning of files: the file content is compared with the signatures held in a malicious code signature database in order to find known malicious code. Because this method can only detect known malicious code, and attackers usually encrypt, pack and mutate their malicious code, static scanning has difficulty finding unknown malicious code, polymorphic malicious code and targeted malicious code.
2. Emulated execution: fragments of suspected executable code are executed in an emulator, and the behaviour and exceptions produced during execution are analysed to detect malicious code. Abnormal behaviour is hard to define, and the anti-debugging and anti-analysis techniques that may be embedded in the executable code also have to be dealt with, so in practice it is difficult to analyse large volumes of code this way and the accuracy is relatively low.
3. Sandboxed execution: the file is run in a sandbox, its dynamic behaviour is observed, and the extracted behavioural features are compared against a behaviour whitelist to detect malicious code. Dynamic analysis consumes considerable system resources and takes a long time, so it is hard to deploy on clients and hard to apply to large volumes of samples in real time.
In summary, current malicious code detection methods concentrate on the code itself. Their main shortcoming is that they ignore the information carried by the external appearance of the malicious code, so when detection of the code itself fails, users are easily misled by social deception into executing the malicious code, which leads to attacks and damage.
Summary of the invention
In view of the problems in the prior art, the object of the present invention is to provide a method and system for detecting malicious code that is delivered or sent by means of social deception in network attacks.
To achieve this object, the present invention adopts the following technical solution:
A method for detecting malicious code delivered by social deception, comprising the steps of:
1) identifying the actual file type of a sample file from the features of its header content, its magic number and its format characteristics, and thereby obtaining the sample files that are in non-safe formats;
2) extracting the file name of each non-safe-format sample file and deriving a malice value and a suspicion value from one or more of: the number of characters in the file name, the number of non-printable characters, the character sets to which the characters belong, and whether the name contains special characters;
3) deriving a malice value and a suspicion value from one or both of: the number of suffixes contained in the file name of the non-safe-format sample file, and whether the suffix it presents is consistent with the file type;
4) deriving a malice value and a suspicion value from one or more of: whether the non-safe-format sample file was published by a legitimate software developer, whether the developer information is consistent with the developer information in the digital signature, and whether the digital signature is legal and valid;
5) deriving a malice value and a suspicion value from whether the icon of the non-safe-format sample file resembles the icon of known legitimate software and whether the developer of the known legitimate software with the similar icon is the same as the developer of the sample file;
6) summing the malice values and suspicion values of the above analysis items into a total malice value and a total suspicion value, comparing them with the configured detection thresholds, and judging on that basis whether the sample file is malicious code.
Further, the safe formats are file formats that are configured not to require analysis, including text files and pictures.
Further, the special characters include the Unicode control character 0x202E (U+202E, RIGHT-TO-LEFT OVERRIDE, RLO).
Further, in step 4) whether the sample file was published by a legitimate software developer is judged from its digital signature information.
Further, in step 5) a perceptual hash algorithm is used to look up the icon of known legitimate software that resembles the icon of the sample file.
Further, the malice value is a binary value in {0, 1} and the suspicion value is any value in the interval [0, 1].
Further, the detection thresholds comprise a malice threshold and a suspicion threshold.
Further, the malice degree of the sample file is judged first: if the total malice value is greater than or equal to the malice threshold, the sample file is regarded as malicious code; otherwise the suspicion degree of the sample file is judged, and if the ratio of the total suspicion value to the number of analysis items is greater than or equal to the suspicion threshold, the sample file is regarded as malicious code.
A system for detecting malicious code delivered by social deception, comprising:
a file type analysis module, which identifies the actual file type of a sample file from the features of its header content, its magic number and its format characteristics, and obtains the sample files that are in non-safe formats;
a file name analysis module, which extracts the file name of each non-safe-format sample file and derives a malice value and a suspicion value from one or more of: the number of characters in the file name, the number of non-printable characters, the character sets to which the characters belong, and whether the name contains special characters;
a file suffix analysis module, which derives a malice value and a suspicion value from one or both of: the number of suffixes contained in the file name of the non-safe-format sample file, and whether the suffix it presents is consistent with the file type;
a file attribute analysis module, which extracts the icon, developer, release time, digital signature and other information of the sample file and derives a malice value and a suspicion value from one or more of: whether the non-safe-format sample file was published by a legitimate software developer, whether the developer information is consistent with the developer information in the digital signature, and whether the digital signature is legal and valid;
a file icon analysis module, which looks up the icon of known legitimate software that resembles the sample file icon and derives a malice value and a suspicion value from whether the icon of the non-safe-format sample file resembles the icon of known legitimate software and whether the developer of the known legitimate software with the similar icon is the same as the developer of the sample file;
a file malice judgment module, which sums the malice values and suspicion values of the analysis items to obtain a total malice value and a total suspicion value, compares them with the configured detection thresholds, and judges on that basis whether the sample file is malicious code.
Further, the file type analysis module, file name analysis module, file suffix analysis module, file attribute analysis module and file icon analysis module take the form of extension plug-ins.
The detection method provided by the invention first identifies the file type of the sample file and extracts the samples in non-safe formats. It then analyses each attribute of the file for signs of social deception, including the file name, suffix, file type, file icon and file attributes: whether the file name is overlong (character count), which character sets it uses, whether an unusual suffix is used, whether the file type is consistent with the suffix, whether the file is of a specific kind such as a shortcut, whether the file icon resembles the icon of known legitimate software, whether the file signature is valid, and so on. Each check analyses the file and assigns it a score, and finally the results of all the checks are combined to assess whether the file is malicious code.
What distinguishes this method from existing detection methods is that it only needs to extract and study the attribute information of the file; it does not need to parse the file content or instruction code, emulate execution, match signatures or perform other complex operations. It can therefore rapidly detect suspect code transmitted through e-mail, instant messaging and other social applications, and suspect code that needs further analysis and detection can then be examined with other existing detection methods on top of this result. This greatly improves analysis efficiency and reduces the message delay that security checks add to social applications.
The invention obtains the following beneficial effects:
1. Only the attribute information of the sample file is analysed; no signature matching against the file content is needed, so the detection process is highly efficient.
2. The attack techniques that create visual deception through the file name, suffix and icon are analysed: the method recognises file-name deception (overlong names, names containing special characters, names using look-alike characters), suffix deception (multiple suffixes, equivalent suffixes) and look-alike icon deception, so it effectively detects malicious code propagated by social deception.
3. The method is based on static analysis: the code of the analysed sample need not be emulated or actually executed, so it has high detection performance and low space and time complexity.
4. The file name, file type, file suffix, file attribute and file icon analysis modules exist as extension plug-ins, can be supplemented and adjusted at any time, and thus give the system high extensibility.
Description of the drawings
Fig. 1 is a flow chart of the method for detecting malicious code delivered by social deception according to the invention.
Fig. 2 is a schematic diagram of the system for detecting malicious code delivered by social deception according to the invention.
Detailed description
To make the features and advantages described above clearer and easier to understand, a specific embodiment is described in detail below with reference to the accompanying drawings.
This embodiment provides a method and system for detecting malicious code delivered by social deception. As shown in Fig. 1 and Fig. 2, the steps are as follows:
Step 1. Configure the system and the parameters of the file name analysis module, file type analysis module, file suffix analysis module, file attribute analysis module, file icon analysis module and file malice judgment module, set the detection thresholds (suspicion threshold Hs and malice threshold Hm), receive the sample files to be analysed, and start the analysis. The detection thresholds can be adjusted and set according to the application scenario and the security requirements: in settings with high security requirements, such as e-mail systems or office intranets, lower detection thresholds can be set to raise the detection rate; in settings with lower security requirements, such as an office extranet, higher detection thresholds can be set to lower the false-alarm rate. In this embodiment the suspicion threshold is set to Hs = 0.6 and the malice threshold to Hm = 3.
Step 2. Call the file type analysis module to analyse the type of the sample file: identify its actual file type from the features of the file header content, the magic number and the format characteristics. If the identified file format is not a safe format, proceed to step 3; if it is a safe format, end the analysis of this sample, return to step 2, and select another sample to analyse.
In this step a safe format is a file format that, according to the system configuration, does not need to be analysed, such as a text file or a picture; the list can be configured by the user. The sample file of this embodiment is
Its identified file type is a self-extracting RAR archive, which is an executable file type and therefore a non-safe format.
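The identification in step 2 works from the bytes of the file, not from the suffix the name carries, which is why a self-extracting RAR archive is classified as an executable: it is a PE stub with the archive appended. The following is an added example of that step, not code from the patent; the magic numbers are standard file signatures, while the SAFE_TYPES set, the plain-text heuristic and the constructed sample bytes are assumptions made for the example.

```python
"""Added example (not the patent's code): step 2, identifying the actual file type from
header bytes rather than from the suffix, and triaging configured "safe formats".
Signatures are standard magic numbers; the SAFE set and the text heuristic are ASSUMPTIONS."""

MAGICS = [                               # (magic bytes at offset 0, type)
    (b"MZ", "exe"),                      # DOS/PE executable, also the stub of self-extracting archives
    (b"Rar!\x1a\x07", "rar"),           # RAR archive (v4 ends in 00, v5 in 01 00)
    (b"PK\x03\x04", "zip"),              # ZIP, also OOXML Office documents
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # legacy Office compound document
]
SAFE_TYPES = {"text", "png", "jpeg"}     # ASSUMPTION: operator-configured formats that skip analysis
RAR_SIGNATURE = b"Rar!\x1a\x07"

def identify(data: bytes) -> str:
    """Return the actual type from the magic number, ignoring whatever suffix the name carries."""
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    try:                                 # ASSUMPTION: printable UTF-8 with line breaks is plain text
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "unknown"
    return "text" if all(c.isprintable() or c in "\r\n\t" for c in text) else "unknown"

def sfx_payload(data: bytes):
    """For an executable, report an archive appended after the PE stub (self-extracting RAR)."""
    if identify(data) == "exe" and RAR_SIGNATURE in data[2:]:
        return "rar"
    return None

def is_safe(kind: str) -> bool:
    return kind in SAFE_TYPES

# Constructed samples (not real files): a minimal PE-looking stub with a RAR archive appended,
# a PNG header, and a short text file.
SFX_SAMPLE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 32 + RAR_SIGNATURE + b"\x00" * 17
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR"
TEXT_SAMPLE = b"Quarterly figures\nQ4: 12%\n"

if __name__ == "__main__":
    for name, blob in [("invoice.scr", SFX_SAMPLE), ("photo.png", PNG_SAMPLE), ("notes.txt", TEXT_SAMPLE)]:
        kind = identify(blob)
        print(f"{name}: actual type {kind}, sfx payload {sfx_payload(blob)}, safe={is_safe(kind)}")
```

The type returned here ("exe" for the SFX sample) is what the suffix check of step 4 later compares against the suffix shown in the file name.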
Step 3. Select a sample file to analyse and call the file name analysis module to extract the file name of the sample file and analyse it.
In this step the file name analysis module exists as an extension plug-in, and the specific analysis items can be extended by the user. The file name analysis items may include several, for example:
1) File name length: count the characters contained in the file name, denote the length l, compute s11 = l/255 and set m11 = 0. For this embodiment l = 38, s11 = 0.15, m11 = 0.
2) Non-printable characters: count the non-printable characters in the file name, denote the count n, compute s12 = n/l and set m12 at the same time. For this embodiment n = 1, s12 = 0.03, m12 = 0.
3) Character sets: determine the character sets to which the characters of the file name belong; if the characters belong to three or more character sets, s13 = 1, otherwise s13 = 0, and set m13 = 0. For this embodiment the characters of the file name belong to three character sets, so s13 = 1, m13 = 0.
4) Special characters: judge whether the file name contains special characters, including the Unicode control character 0x202E (RLO). If the file name contains any character from the configured set of special characters, set s14 = 1 and m14 = 1; otherwise s14 = 0 and m14 = 0. For this embodiment the file name contains the character 0x202E (RLO), so s14 = 1, m14 = 1.
Step 4. Call the file suffix analysis module to examine the sample file and analyse its suffix.
In this step the file suffix analysis module exists as an extension plug-in, and the specific analysis items can be extended by the user. The suffix analysis items may include several, for example:
1) Number of suffixes: count the suffixes contained in the file name of the sample file, denote the count f, derive s21 from f and set m21 = s21 at the same time. For this embodiment f = 1, s21 = 0, m21 = 0.
2) Suffix and type consistency: judge whether the suffix presented in the file name is consistent with the result of the file type analysis; if consistent s22 = 0, otherwise s22 = 1, and set m22 = s22 at the same time. For this embodiment the true suffix is scr, which is an executable-file suffix and is consistent with the file type analysis, so s22 = 0, m22 = 0.
Step 5. Call the file attribute analysis module to examine the sample file: extract its icon, developer, release time, digital signature and other information, and analyse these attributes of the sample file.
In this step the file attribute analysis module exists as an extension plug-in, and the specific analysis items can be extended by the user. The file attribute analysis items may include several, for example:
1) Judge whether the sample file was published by a legitimate software developer; if so s31 = 0, otherwise s31 = 1, and set m31 = s31 at the same time. For this embodiment the software developer information is missing, so s31 = 1, m31 = 1.
2) Judge whether the developer information is consistent with the developer information in the digital signature; if consistent s32 = 0, otherwise s32 = 1, and set m32 = s32 at the same time. For this embodiment the digital signature information is missing, so s32 = 1, m32 = 1.
3) Judge whether the certificate used for the digital signature is legal and valid; if so s33 = 0, otherwise s33 = 1, and set m33 = s33 at the same time. For this embodiment the digital signature information is missing, so s33 = 1, m33 = 1.
Step 6. Call the file icon analysis module to examine the sample file: take the icon of the sample file extracted by the file attribute analysis module, use a perceptual hash algorithm to look up known legitimate software whose icon resembles the sample file icon, and analyse the relationship between the software with similar icons as follows.
In this step the file icon analysis module exists as an extension plug-in, and the specific analysis items can be extended by the user. The file icon analysis items may include several, for example:
Judge whether the icon of the sample file resembles the icon of known legitimate software, denote the result f1, and further judge whether the developer of the known legitimate software with the similar icon is the same as the developer of the sample file, denote the result f2; then derive s41 and m41 from f1 and f2. For this embodiment the judgment gives f1 = FALSE, f2 = FALSE, s41 = 0.5, m41 = 0.
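The similar-icon look-up of step 6 compares a perceptual hash of the sample's icon against the hashes of known legitimate icons and accepts a match within a small Hamming distance, which is what lets a lightly retouched copy of a well-known icon still be recognised. The following is an added example of that look-up, not the patent's code: it uses an average hash (a simple perceptual hash variant) over 8x8 grayscale grids, assumes the icon resource has already been extracted and downscaled, and uses constructed icons and a distance threshold chosen for the example.

```python
"""Added example (not the patent's code): the similar-icon look-up of step 6 with an
average hash, a simple perceptual hash. Icons are assumed already downscaled to 8x8
grayscale grids; production code would resize the extracted icon resource first."""
from typing import List, Optional, Tuple

HAMMING_MAX = 8      # ASSUMPTION: at most 8 of 64 bits may differ for icons to count as similar
Icon = List[List[int]]

def ahash(pixels: Icon) -> int:
    """64-bit average hash: bit = 1 where the pixel is brighter than the mean of the grid."""
    flat = [p for row in pixels for p in row]
    if len(flat) != 64:
        raise ValueError("expected an 8x8 grayscale grid")
    mean = sum(flat) / 64
    bits = 0
    for p in flat:
        bits = (bits << 1) | (1 if p > mean else 0)
    return bits

def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")

def find_similar(icon: Icon, known: List[Tuple[str, str, Icon]]) -> Optional[Tuple[str, str, int]]:
    """Closest known icon as (name, developer, distance) within HAMMING_MAX, or None."""
    h = ahash(icon)
    best = None
    for name, developer, pixels in known:
        d = hamming(h, ahash(pixels))
        if d <= HAMMING_MAX and (best is None or d < best[2]):
            best = (name, developer, d)
    return best

# Constructed icons (not real product icons): a white "document" on black, a retouched copy
# of it as a lure might ship, an unrelated checkerboard, and a gradient with no counterpart.
DOC_ICON: Icon = [[255 if r < 6 and 1 <= c <= 6 else 0 for c in range(8)] for r in range(8)]
RETOUCHED: Icon = [row[:] for row in DOC_ICON]
RETOUCHED[0][1], RETOUCHED[5][6], RETOUCHED[7][0] = 0, 0, 200
CHECKER: Icon = [[255 * ((r + c) % 2) for c in range(8)] for r in range(8)]
NOVEL_ICON: Icon = [[(r * 8 + c) * 4 for c in range(8)] for r in range(8)]
KNOWN_ICONS = [("DocViewer", "Acme Ltd", DOC_ICON), ("GridTool", "Other Co", CHECKER)]

if __name__ == "__main__":
    for label, icon in [("retouched lure", RETOUCHED), ("unknown icon", NOVEL_ICON)]:
        print(label, "->", find_similar(icon, KNOWN_ICONS))
```

The developer name returned with a hit is what step 6 compares against the sample's own developer information (f2); an icon that resembles a vendor's product but arrives in a file that vendor did not sign is the case the check is meant to surface.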
Step 7. Based on the results of the analysis modules in steps 2 to 6, the file malice judgment module makes an overall assessment of whether the sample is malicious code.
In the steps above, a scheme suited to each analysis item can be chosen for the specific analysis, and each analysis item has its own judgment criteria. So that the outputs of the different analysis items can be compared in the subsequent overall analysis, each analysis item is given two outputs: a malice degree m, a binary value in {0, 1}, which states whether the item judges the sample to be malicious on the basis of its analysis result; and a suspicion degree s, any value in the interval [0, 1], which states how suspicious the item judges the sample to be. This normalises the outputs of the analysis items and makes the overall analysis of this step straightforward.
In this step, let S be the set of suspicion degrees s output by the analysis modules and M the set of malice degrees m. The malice degree of the sample is judged first: Xm = Σ(m | m ∈ M), and if Hm ≤ Xm the sample is regarded as malicious code. Otherwise the suspicion degree of the sample is judged: Xs = Σ(s | s ∈ S) / |S|, and if Hs ≤ Xs the sample is regarded as malicious code. For this embodiment Xm = 4 and Xs = 0.568; since Xm = 4 ≥ Hm = 3, the sample is determined to be malicious code.
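Steps 3 to 7 together form a scoring pipeline: each analysis item yields a pair (s, m), the pairs are aggregated into Xm and Xs, and the malice threshold is tested before the suspicion threshold. The following is an added example of that pipeline, not the patent's code; it uses the embodiment's thresholds Hm = 3 and Hs = 0.6 and reproduces its numbers (l = 38, n = 1, three character sets, an RLO, no signature, no similar icon) on a constructed file name, since the patent's own sample name is not reproduced on the page. The rules the page leaves unstated (how m12 and s21 are derived, and the icon cases where f1 is TRUE) and the suffix-to-type table are assumptions, marked as such in the code; the icon look-up and the file-type identification are taken as already done and passed in as inputs.

```python
"""Added example (not the patent's code): the per-item scoring of steps 3 to 7 and the
two-tier verdict, with the embodiment's thresholds Hm = 3 and Hs = 0.6. Rules the page
leaves unstated (m12, s21, the icon cases) are marked ASSUMPTION."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HM, HS = 3, 0.6                     # malice and suspicion thresholds from the embodiment
SPECIAL_CHARS = {"\u202E"}          # RLO (claim 3); extend with other bidi controls as needed
SUFFIX_TYPES = {"exe": "exe", "scr": "exe", "com": "exe", "pdf": "pdf", "png": "png",
                "jpg": "jpeg", "txt": "text", "doc": "ole", "docx": "zip"}   # ASSUMPTION: small table
SCRIPT_RANGES = [(0x0370, 0x03FF, "greek"), (0x0400, 0x04FF, "cyrillic"), (0x0600, 0x06FF, "arabic"),
                 (0x3040, 0x30FF, "kana"), (0x4E00, 0x9FFF, "cjk"), (0xAC00, 0xD7AF, "hangul")]

Score = Tuple[float, int]           # (suspicion degree s in [0, 1], malice degree m in {0, 1})

def charsets(name: str) -> set:
    """Writing systems used in the name; digits, punctuation and controls count as none (ASSUMPTION)."""
    seen = set()
    for ch in name:
        cp = ord(ch)
        for lo, hi, script in SCRIPT_RANGES:
            if lo <= cp <= hi:
                seen.add(script)
                break
        else:
            if ch.isalpha() and cp < 0x0250:      # basic and extended Latin
                seen.add("latin")
    return seen

def analyze_filename(name: str) -> List[Score]:
    l = len(name)
    n = sum(1 for c in name if not c.isprintable())   # U+202E is category Cf, so not printable
    s11, m11 = min(l / 255, 1.0), 0                   # overlong name
    s12 = n / l if l else 0.0
    m12 = int(s12 >= 0.5)                             # ASSUMPTION: mostly unprintable -> malicious
    s13, m13 = int(len(charsets(name)) >= 3), 0       # three or more character sets
    s14 = m14 = int(any(c in SPECIAL_CHARS for c in name))
    return [(s11, m11), (s12, m12), (s13, m13), (s14, m14)]

def analyze_suffix(name: str, actual_type: str) -> List[Score]:
    parts = name.split(".")
    f = len(parts) - 1                                # number of suffixes
    s21 = m21 = int(f >= 2)                           # ASSUMPTION: "report.pdf.exe" style names score 1
    suffix = parts[-1].lower() if f else ""           # a name with no suffix never matches a type
    s22 = m22 = int(SUFFIX_TYPES.get(suffix) != actual_type)   # suffix vs. type from the magic number
    return [(s21, m21), (s22, m22)]

def analyze_attributes(developer: Optional[str], signer: Optional[str], cert_valid: bool) -> List[Score]:
    s31 = int(developer is None)                          # no legitimate publisher information
    s32 = int(developer is None or developer != signer)   # publisher vs. signing certificate subject
    s33 = int(not cert_valid)                             # signature chain does not verify
    return [(s31, s31), (s32, s32), (s33, s33)]

def analyze_icon(icon_similar: bool, icon_dev_match: bool) -> List[Score]:
    """f1 = icon resembles known software (perceptual-hash lookup done elsewhere); f2 = same developer."""
    if not icon_similar:
        return [(0.5, 0)]                 # embodiment: no similar icon -> s41 = 0.5, m41 = 0
    return [(0.0, 0)] if icon_dev_match else [(1.0, 1)]   # ASSUMPTION for the two known-icon cases

@dataclass
class Sample:
    filename: str
    actual_type: str                      # from the file type module, e.g. "exe" for a PE / SFX RAR
    developer: Optional[str] = None
    signer: Optional[str] = None
    cert_valid: bool = False
    icon_similar: bool = False
    icon_dev_match: bool = False

def assess(sample: Sample) -> dict:
    items = (analyze_filename(sample.filename)
             + analyze_suffix(sample.filename, sample.actual_type)
             + analyze_attributes(sample.developer, sample.signer, sample.cert_valid)
             + analyze_icon(sample.icon_similar, sample.icon_dev_match))
    xm = sum(m for _, m in items)                 # Xm = sum of malice degrees
    xs = sum(s for s, _ in items) / len(items)    # Xs = mean of suspicion degrees
    malicious = xm >= HM or xs >= HS              # malice threshold first, then suspicion threshold
    return {"items": items, "Xm": xm, "Xs": xs, "malicious": malicious}

# Constructed samples (not the patent's own file): a 38-character name mixing CJK, Cyrillic and
# Latin with one RLO, so that the tail "\u202Efdp.scr" is displayed as "rcs.pdf", unsigned;
# and a benign signed PDF whose icon matches its own vendor's.
RLO_SAMPLE = Sample("发票2016_Отчет_Invoice_Final_v21\u202Efdp.scr", "exe")
BENIGN_SAMPLE = Sample("quarterly_report.pdf", "pdf", "Acme Ltd", "Acme Ltd", True, True, True)

if __name__ == "__main__":
    for smp in (RLO_SAMPLE, BENIGN_SAMPLE):
        r = assess(smp)
        print(f"{smp.filename!r}: Xm={r['Xm']} Xs={r['Xs']:.3f} malicious={r['malicious']}")
```

On the constructed RLO sample the per-item values come out as in the embodiment (s11 = 0.15, s12 = 0.03, s13 = 1, s14 = 1, s21 = s22 = 0, s31 = s32 = s33 = 1, s41 = 0.5), giving Xm = 4 and Xs = 0.568; the verdict is reached on the malice threshold alone, and the suspicion threshold is only consulted when Xm falls below Hm.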
Step 8. If the sample was judged to be malicious code in step 7, record the detection result and raise an alarm.
Step 9. Repeat steps 2 to 8 until all the sample files received in step 1 have been analysed; the whole detection process then ends.
With the method and system for detecting malicious code delivered by social deception proposed by the invention, a person skilled in the art can configure, as required, the parameters of the file type analysis module, file name analysis module, file suffix analysis module, file attribute analysis module, file icon analysis module and file malice judgment module, as well as the safe file formats and the detection thresholds, so as to analyse and detect a variety of different file attributes and carry out fast, efficient and accurate malicious code detection.
The embodiment above is intended to help in understanding and implementing the invention, not to limit it. Those skilled in the art will appreciate that various substitutions, changes or modifications can be made without departing from the spirit and scope of the invention; the scope of protection of the invention is defined by the claims.
Claims (10)
1. a kind of detection method of malicious code for social deception, step include:
1) according to sample file header contents feature, magic number information and format character, the actual file type of sample file is identified,
Obtain the sample file of non-security form;
2) filename of above-mentioned non-security form sample file, character number, unprintable character according to contained by filename are extracted
Whether the affiliated character set of number, character and character one of which containing spcial character or multinomial obtain malice angle value and suspicious degree
Value;
3) the suffix name number and the suffix name and file of mark included according to the filename of non-security form sample file
The whether consistent one of which of type or two obtain malice angle value and suspicious angle value;
4) whether it is whether legal software developer's publication, developer's information are signed with number according to non-security form sample file
Developer's information is consistent in name and the whether legal effective one of which of digital signature or it is multinomial obtain malice angle value and
Suspicious angle value;
5) according to non-security form sample file icon, whether similar and icon is similar to the icon of known legitimate software
Know whether the developer of legal software is consistent with the developer of sample file and obtain malice angle value and suspicious angle value;
6) by the total malice angle value and total suspicious angle value of the malice angle value of each analysis project of above-mentioned steps and suspicious angle value and setting
Detection threshold value be compared, whether judgement sample file is malicious code according to this.
2. according to the method described in claim 1, it is characterized in that, the Safe Format is the specified tray without analysis
Formula, including text file, picture.
3. according to the method described in claim 1, it is characterized in that, the spcial character includes Unicode control characters
0x202E(RLO)。
4. according to the method described in claim 1, it is characterized in that, according to digital signature information judgement sample file in step 4)
Whether it is legal software developer's publication.
5. according to the method described in claim 1, it is characterized in that, using perceiving, hash algorithm is searched and sample is literary in step 5)
The icon of the similar known legitimate software of part icon.
6. The method according to claim 1, characterized in that the malice value is a binary value in {0, 1} and the suspicious value is any value in the interval [0, 1].
7. The method according to claim 1, characterized in that the detection threshold comprises a malice threshold and a suspicious-degree threshold.
8. The method according to claim 7, characterized in that the malice of the sample file is judged first: if the total malice value is greater than or equal to the malice threshold, the sample file is regarded as malicious code; otherwise the suspiciousness of the sample file is judged further, and if the ratio of the total suspicious value to the number of analysis items is greater than or equal to the suspicious-degree threshold, the sample file is regarded as malicious code.
9. A detection system for malicious code used in social deception, comprising:
a file type analysis module, which identifies the actual file type of a sample file from its header content features, magic number information and format characteristics, and thereby obtains the sample files of non-secure formats;
a filename analysis module, which extracts the filename of the non-secure-format sample file and obtains a malice value and a suspicious value from one or more of: the number of characters in the filename, the number of unprintable characters, the character set to which the characters belong, and whether the characters include special characters;
a file suffix analysis module, which obtains a malice value and a suspicious value from one or both of: the number of suffixes contained in the filename of the non-secure-format sample file, and whether the indicated suffix is consistent with the file type;
a file attribute analysis module, which extracts information such as the icon, developer, release time and digital signature of the sample file, and obtains a malice value and a suspicious value from one or more of: whether the non-secure-format sample file is released by a legitimate software developer, whether the developer information in the digital signature is consistent with the developer information of the file, and whether the digital signature is legal and valid;
a file icon analysis module, which searches for the icon of known legitimate software that resembles the icon of the sample file, and obtains a malice value and a suspicious value from whether the icon of the non-secure-format sample file resembles the icon of known legitimate software and whether the developer of the known legitimate software with the similar icon is consistent with the developer of the sample file;
a file malice judgment module, which sums the malice values and the suspicious values of the individual analysis items to obtain a total malice value and a total suspicious value, compares them with the set detection threshold, and judges accordingly whether the sample file is malicious code.
10. The system according to claim 9, characterized in that the file type analysis module, the filename analysis module, the file suffix analysis module, the file attribute analysis module and the file icon analysis module take the form of expansion plug-ins.
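As an added example that is not the patent's own code, the Python below runs the five analysis items of claim 9 and the two-stage threshold judgment of claims 6 to 8 over one constructed sample; the per-item weights, the known-icon table, the magic-number table and the thresholds are assumptions.

```python
# Added example, not the patent's code; weights, tables and thresholds are assumptions.
import string

EXEC_MAGIC = {b"MZ": "exe", b"\x7fELF": "elf"}      # "non-secure" (executable) formats
KNOWN_ICONS = {"pdf-reader-icon": "Adobe Systems"}  # known icon -> its legitimate developer

def file_type(sample):
    """File type analysis: identify the real type from the magic number, not the suffix."""
    return next((t for m, t in EXEC_MAGIC.items() if sample["head"].startswith(m)), "other")

def filename_item(sample):
    """Filename analysis: unprintable and special (bidi, zero-width) characters, length."""
    name = sample["name"]
    unprintable = sum(ch not in string.printable for ch in name)
    special = any(ch in "\u202e\u200b\u200c" for ch in name)
    return (1 if special else 0, min(1.0, 0.5 * unprintable + (0.2 if len(name) > 40 else 0.0)))

def suffix_item(sample, actual_type):
    """Suffix analysis: number of suffixes, and whether the last one matches the real type."""
    suffixes = sample["name"].lower().split(".")[1:]
    declared = suffixes[-1] if suffixes else ""
    return (1 if declared != actual_type else 0, min(1.0, 0.5 * max(0, len(suffixes) - 1)))

def attribute_item(sample):
    """Attribute analysis: unsigned is suspicious; an invalid or mismatched signature is malicious."""
    sig = sample["signature"]
    if sig is None:
        return (0, 0.6)
    return (0 if sig["valid"] and sig["signer"] == sample["developer"] else 1, 0.0)

def icon_item(sample):
    """Icon analysis: a known product's icon under a different developer's name."""
    owner = KNOWN_ICONS.get(sample["icon"])          # None: resembles no known icon
    return (0, 0.0) if owner is None else (1 if owner != sample["developer"] else 0, 0.5)

def judge(sample, malice_threshold=1, suspicious_threshold=0.4):
    """Claim 8: total malice against its threshold first, then total suspicious / item count."""
    actual = file_type(sample)
    if actual == "other":                             # secure format: not analysed further
        return {"malicious": False, "total_malice": 0, "ratio": 0.0}
    items = [filename_item(sample), suffix_item(sample, actual), attribute_item(sample), icon_item(sample)]
    total_malice = sum(m for m, _ in items)
    ratio = sum(s for _, s in items) / len(items)
    malicious = total_malice >= malice_threshold or ratio >= suspicious_threshold
    return {"malicious": malicious, "total_malice": total_malice, "ratio": ratio}

# Constructed sample: an unsigned PE named like a PDF and carrying a PDF reader's icon.
SAMPLE = {"name": "Invoice_2016.pdf.exe", "head": b"MZ\x90\x00", "signature": None,
          "developer": "Unknown Ltd", "icon": "pdf-reader-icon"}
```

For the constructed sample the icon item alone yields malice 1, so the first stage decides; with a non-matching icon the verdict falls through to the suspicious ratio (0.5 + 0.6 over four items), which is where the threshold choice matters.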
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611103717.4A CN108171054A (en) | 2016-12-05 | 2016-12-05 | The detection method and system of a kind of malicious code for social deception |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108171054A true CN108171054A (en) | 2018-06-15 |
Family ID: 62525917
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611103717.4A Pending CN108171054A (en) | 2016-12-05 | 2016-12-05 | The detection method and system of a kind of malicious code for social deception |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108171054A (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102768717A (en) * | 2012-06-29 | 2012-11-07 | 腾讯科技(深圳)有限公司 | Malicious file detection method and malicious file detection device |
US8621233B1 (en) * | 2010-01-13 | 2013-12-31 | Symantec Corporation | Malware detection using file names |
CN103679019A (en) * | 2012-09-10 | 2014-03-26 | 腾讯科技(深圳)有限公司 | Malicious file identifying method and device |
CN103761483A (en) * | 2014-01-27 | 2014-04-30 | 百度在线网络技术(北京)有限公司 | Method and device for detecting malicious codes |
2016
- 2016-12-05 CN CN201611103717.4A patent/CN108171054A/en active Pending
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109379364A (en) * | 2018-10-29 | 2019-02-22 | 深圳同耕科技股份有限公司 | Automated network data transmission method and system between a kind of application system |
CN109379364B (en) * | 2018-10-29 | 2021-01-22 | 深圳同耕科技股份有限公司 | Automatic network data transmission method and system between application systems |
CN109657465A (en) * | 2018-11-07 | 2019-04-19 | 深圳竹云科技有限公司 | A kind of software detecting method based on file corruption degree |
CN110096889A (en) * | 2019-04-18 | 2019-08-06 | 深圳前海微众银行股份有限公司 | File test method, device, equipment and computer readable storage medium |
WO2020211555A1 (en) * | 2019-04-18 | 2020-10-22 | 深圳前海微众银行股份有限公司 | File detection method, apparatus and device, and computer-readable storage medium |
CN110096889B (en) * | 2019-04-18 | 2024-03-01 | 深圳前海微众银行股份有限公司 | File detection method, device, equipment and computer readable storage medium |
CN113051562A (en) * | 2019-12-28 | 2021-06-29 | 深信服科技股份有限公司 | Virus checking and killing method, device, equipment and readable storage medium |
CN113282921A (en) * | 2021-06-11 | 2021-08-20 | 深信服科技股份有限公司 | File detection method, device, equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20180615 |