CN108171054A - Method and system for detecting malicious code that uses social deception - Google Patents


Info

Publication number
CN108171054A
Authority
CN
China
Prior art keywords
file
angle value
malice
icon
sample file
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201611103717.4A
Other languages
Chinese (zh)
Inventor
应凌云
聂眉宁
苏璞睿
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Software of CAS
Original Assignee
Institute of Software of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Institute of Software of CAS
Priority to CN201611103717.4A
Publication of CN108171054A
Legal status: Pending

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562: Static detection
    • G06F21/563: Static detection by source code analysis
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06Q: INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q50/00: Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
    • G06Q50/01: Social networking

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • Economics (AREA)
  • Tourism & Hospitality (AREA)
  • Strategic Management (AREA)
  • Primary Health Care (AREA)
  • Computing Systems (AREA)
  • Marketing (AREA)
  • Virology (AREA)
  • Human Resources & Organizations (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method and system for detecting malicious code that relies on social deception. The file type of each sample file is identified first, and the sample files in non-safe formats are extracted. A social-deception suspiciousness analysis is then carried out on each attribute of the file, covering the file name, file extension, file type, file icon, and file attributes. The file is analyzed, checked, and scored on criteria such as whether the file name is overly long, which character sets the file name uses, whether an uncommon extension is used, whether the file type is consistent with the extension, whether the file is a special type such as a shortcut, whether the file icon is similar to that of known legitimate software, and whether the file signature is legitimate. Finally, the results of all the checks are analyzed together to assess whether the file is malicious code.

Description

Method and system for detecting malicious code that uses social deception
Technical field
The invention belongs to the technical field of malicious code detection, and specifically relates to a method and system for detecting malicious code used in attacks carried out by means of social deception.
Background
As society and informatization continue to develop, computers and the Internet are used ever more widely in every field of society. At the same time, attacks on information systems are increasing, and the threat posed by malicious code such as computer viruses and Trojans is growing more serious. With the continued deployment of security measures such as antivirus software and antivirus gateways, the traditional ways of spreading computer viruses are gradually losing effectiveness. Malware authors increasingly use social media such as e-mail, instant messaging, and online forums to spread malicious code by means of social deception. By combining social deception with technical means, they bypass the protection of security software and trick users into opening and executing malicious code, thereby implanting Trojans in the victim's system and carrying out destructive activities such as stealing secrets and extortion. Malicious code attacks based on social deception are currently becoming more and more prevalent and have become a mainstream attack technique, seriously affecting national security, social stability, and the information privacy and property of large numbers of Internet users. A detection method for malicious code that relies on social deception is therefore very necessary.
Current malicious code detection techniques mainly include the following:
1. Static binary scanning of the file: known malicious code is found by comparing the file content with the malicious code signatures already in a signature database. This method can only detect known malicious code, and attackers usually encrypt, pack, or mutate their malicious code, so static scanning has difficulty finding unknown malicious code, metamorphic malicious code, and specialized malicious code.
2. Emulated execution of the file: fragments of suspected executable code are emulated, and the behavior and exceptions produced in the process are analyzed to detect malicious code. Abnormal behavior is hard to define for this method, and it must also cope with anti-debugging and anti-analysis techniques that may be included in the executable code, so in practice it is difficult to analyze code at large scale and accuracy is relatively low.
3. Running the file in a sandbox: the file's dynamic execution is observed, and behavioral features are extracted and compared with a behavior whitelist to detect malicious code. Dynamic analysis consumes considerable system resources and the analysis is time-consuming, so it is difficult to deploy on clients and difficult to use for real-time detection of massive numbers of samples.
In summary, current malicious code detection methods focus mainly on the code itself. Their major shortcoming is that they ignore the information related to the external appearance of the malicious code. When detection of the malicious code itself fails, the user is easily confused by social deception and executes the malicious code, resulting in attack and damage.
Summary of the invention
In view of the technical problems in the prior art, the purpose of the invention is to provide a method and system for detecting malicious code that is delivered and sent by means of social deception in network attacks.
To achieve the above purpose, the invention adopts the following technical solution:
A method for detecting malicious code that uses social deception, comprising the steps of:
1) identifying the actual file type of a sample file from its header content features, magic number information, and format features, to obtain the sample files in non-safe formats;
2) extracting the file name of the non-safe-format sample file, and obtaining a maliciousness value and a suspiciousness value from one or more of: the number of characters in the file name, the number of unprintable characters, the character sets to which the characters belong, and whether the characters include special characters;
3) obtaining a maliciousness value and a suspiciousness value from one or both of: the number of extensions contained in the file name of the non-safe-format sample file, and whether the indicated extension is consistent with the file type;
4) obtaining a maliciousness value and a suspiciousness value from one or more of: whether the non-safe-format sample file was published by a legitimate software developer, whether the developer information is consistent with the developer information in the digital signature, and whether the digital signature is legitimate and valid;
5) obtaining a maliciousness value and a suspiciousness value from whether the icon of the non-safe-format sample file is similar to the icon of known legitimate software, and whether the developer of the known legitimate software with the similar icon is consistent with the developer of the sample file;
6) comparing the total maliciousness value and the total suspiciousness value, formed from the maliciousness values and suspiciousness values of the analysis items in the above steps, with the configured detection thresholds, and judging on that basis whether the sample file is malicious code.
Further, the safe formats are designated file formats that do not need to be analyzed, including text files and pictures.
Further, the special characters include the Unicode control character 0x202E (RLO).
Further, in step 4), whether the sample file was published by a legitimate software developer is judged from the digital signature information.
Further, in step 5), a perceptual hash algorithm is used to look up icons of known legitimate software that are similar to the sample file's icon.
Further, the maliciousness is a binary value in {0, 1}, and the suspiciousness is any value in the interval [0, 1].
Further, the detection thresholds include a maliciousness threshold and a suspiciousness threshold.
Further, the maliciousness of the sample file is judged first: if the total maliciousness value is greater than or equal to the maliciousness threshold, the sample file is regarded as malicious code. Otherwise the suspiciousness of the sample file is judged next: if the ratio of the total suspiciousness value to the number of analysis items is greater than or equal to the suspiciousness threshold, the sample file is regarded as malicious code.
A system for detecting malicious code that uses social deception, comprising:
a file type analysis module, which identifies the actual file type of a sample file from its header content features, magic number information, and format features, to obtain the sample files in non-safe formats;
a file name analysis module, which extracts the file name of the non-safe-format sample file and obtains a maliciousness value and a suspiciousness value from one or more of: the number of characters in the file name, the number of unprintable characters, the character sets to which the characters belong, and whether the characters include special characters;
a file extension analysis module, which obtains a maliciousness value and a suspiciousness value from one or both of: the number of extensions contained in the file name of the non-safe-format sample file, and whether the indicated extension is consistent with the file type;
a file attribute analysis module, which extracts information such as the icon, developer, release time, and digital signature of the sample file, and obtains a maliciousness value and a suspiciousness value from one or more of: whether the non-safe-format sample file was published by a legitimate software developer, whether the developer information is consistent with the developer information in the digital signature, and whether the digital signature is legitimate and valid;
a file icon analysis module, which looks up icons of known legitimate software similar to the sample file's icon, and obtains a maliciousness value and a suspiciousness value from whether the icon of the non-safe-format sample file is similar to the icon of known legitimate software and whether the developer of the known legitimate software with the similar icon is consistent with the developer of the sample file;
a file maliciousness judgment module, which sums the maliciousness values and suspiciousness values of the analysis items to obtain the total maliciousness value and the total suspiciousness value, compares them with the configured detection thresholds, and judges on that basis whether the sample file is malicious code.
Further, the file type analysis module, file name analysis module, file extension analysis module, file attribute analysis module, and file icon analysis module take the form of extension plug-ins.
The detection method provided by the invention first identifies the file type of each sample file and extracts the sample files in non-safe formats. It then carries out a social-deception suspiciousness analysis on each attribute of the file, covering the file name, file extension, file type, file icon, and file attributes. The file is analyzed, checked, and scored on criteria such as whether the file name is overly long (number of characters), which character sets the file name uses, whether an uncommon extension is used, whether the file type is consistent with the extension, whether the file is a special type such as a shortcut, whether the file icon is similar to that of known legitimate software, and whether the file signature is legitimate. Finally, the results of all the checks are analyzed together to assess whether the file is malicious code.
This detection method differs from other existing detection methods in that it only needs to extract and analyze the file's attribute information. It does not need complex operations on the file content and instruction code such as format parsing, emulated execution, or signature matching, so it can quickly detect suspicious code transmitted in social applications such as e-mail and instant messaging. Suspicious code that needs further analysis and detection can then be analyzed with other existing detection methods, which greatly improves analysis efficiency and reduces the message delay that security checks add to social applications.
The beneficial effects of the invention are as follows:
1. The invention only needs to analyze the attribute information of the sample file and does not need to perform signature matching on the file content, so the detection process is highly efficient.
2. The invention analyzes the attack techniques in which the file name, extension, file icon, and similar attributes easily cause visual deception. It can identify file name deception techniques such as overly long file names, file names containing special characters, and file names in which similar-looking characters have been substituted; extension deception techniques such as multiple extensions and equivalent extensions; and similar-icon deception techniques. It can therefore effectively detect malicious code spread by social deception techniques.
3. The invention is based on static analysis and does not need to emulate or actually execute the code of the analyzed sample file, so it has higher detection performance and lower space and time complexity.
4. The file name analysis module, file type analysis module, file extension analysis module, file attribute analysis module, and file icon analysis module of the invention exist as extension plug-ins and can be adjusted and supplemented at any time, giving high extensibility.
Description of the drawings
Fig. 1 is a flowchart of the method of the invention for detecting malicious code that uses social deception.
Fig. 2 is a schematic diagram of the system of the invention for detecting malicious code that uses social deception.
Detailed description
To make the above features and advantages of the invention clearer, embodiments are described in detail below with reference to the accompanying drawings.
This embodiment provides a method and system for detecting malicious code that uses social deception. As shown in Fig. 1 and Fig. 2, the steps include:
1. Configure the parameters of the system and of the file name analysis module, file type analysis module, file extension analysis module, file attribute analysis module, file icon analysis module, and file maliciousness judgment module; set the detection thresholds (suspiciousness threshold Hs and maliciousness threshold Hm); receive the sample files to be analyzed; and start the analysis. The detection thresholds can be adjusted and set according to the application scenario and the security requirements. For settings with high security requirements, such as e-mail systems and office intranets, lower detection thresholds can be set to raise the recall rate; for settings with lower security requirements, such as the office extranet, higher detection thresholds can be set to reduce the false-positive rate. In this embodiment, the suspiciousness threshold Hs = 0.6 and the maliciousness threshold Hm = 3 can be set.
2. Call the file type analysis module to analyze the type of the sample file, identifying its actual file type from header content features, magic number information, and format features. If the sample's file format is identified as not being a safe format, proceed to step 3. If it is identified as a safe format, terminate the analysis of this sample, return to step 2, and select another sample to analyze.
In this step, a safe format is a file format that, according to the system configuration, does not need to be analyzed, such as text files and pictures; the user can configure this. For the sample file of this embodiment, the identified file type is a self-extracting RAR file, which is an executable file type and therefore a non-safe format.
3. Select a sample file to be analyzed, call the file name analysis module to extract the sample file's name, and analyze the file name.
In this step, the file name analysis module exists as an extension plug-in, and the specific analysis items can be extended by the user. The file name analysis items may include several, for example:
1) Count the characters in the file name as the file name length, denote the length l, and calculate s11 = l/255, while setting m11 = 0. For this embodiment, l = 38, s11 = 0.15, m11 = 0;
2) Count the unprintable characters in the file name, denote the count n, and calculate s12 = n/l; m12 is set at the same time. For this embodiment, n = 1, s12 = 0.03, m12 = 0;
3) Determine the character sets to which the characters in the file name belong. If the characters belong to 3 or more character sets, s13 = 1, otherwise s13 = 0, while setting m13 = 0. For this embodiment, the characters in the file name belong to 3 character sets, s13 = 1, m13 = 0;
4) Determine whether the file name contains special characters, including the Unicode control character 0x202E (RLO). If the file name contains any character from the specified special character set, set s14 = 1 and m14 = 1; otherwise set s14 = 0 and m14 = 0. For this embodiment, the file name contains the character 0x202E (RLO), s14 = 1, m14 = 1.
4. Call the file extension analysis module to check the sample file and analyze its extension.
In this step, the file extension analysis module exists as an extension plug-in, and the specific analysis items can be extended by the user. The extension analysis items may include several, for example:
1) Count the extensions contained in the sample file's name and denote the count f; m21 = s21 is set at the same time. For this embodiment, f = 1, s21 = 0, m21 = 0;
2) Determine whether the extension indicated in the file name is consistent with the file type analysis. If consistent, s22 = 0, otherwise s22 = 1, while setting m22 = s22. For this embodiment, the real extension is scr, an executable file extension, which is consistent with the file type analysis, so s22 = 0, m22 = 0.
5. Call the file attribute analysis module to check the sample file: extract information such as the sample file's icon, developer, release time, and digital signature, and analyze these attributes.
In this step, the file attribute analysis module exists as an extension plug-in, and the specific analysis items can be extended by the user. The file attribute analysis items may include several, for example:
1) Determine whether the sample file was published by a legitimate software developer. If so, s31 = 0, otherwise s31 = 1, while setting m31 = s31. For this embodiment, the software developer information is missing, s31 = 1, m31 = 1;
2) Determine whether the developer information is consistent with the developer information in the digital signature. If consistent, s32 = 0, otherwise s32 = 1, while setting m32 = s32. For this embodiment, the digital signature information is missing, s32 = 1, m32 = 1;
3) Determine whether the certificate used for the digital signature is legitimate and valid. If it is, s33 = 0, otherwise s33 = 1, while setting m33 = s33. For this embodiment, the digital signature information is missing, s33 = 1, m33 = 1.
6. Call the file icon analysis module to check the sample file: using the sample file icon extracted by the file attribute analysis module, look up icons of known legitimate software similar to it with a perceptual hash algorithm, and analyze the relationship with the similar-icon software as follows.
In this step, the file icon analysis module exists as an extension plug-in, and the specific analysis items can be extended by the user. The file attribute analysis items may include several, for example:
Determine whether the sample file's icon is similar to the icon of known legitimate software, denoted f1, and further determine whether the developer of the known legitimate software with the similar icon is consistent with the developer of the sample file, denoted f2; s41 and m41 are then set accordingly. For this embodiment, the result is f1 = FALSE, f2 = FALSE, s41 = 0.5, m41 = 0.
7. Based on the analysis results of each analysis module in steps 2 to 6, the file maliciousness judgment module comprehensively assesses whether the sample is malicious code.
In the steps above, different analysis items can use different, targeted schemes for their specific analysis, and each analysis item has its own judgment conditions. So that the outputs of different analysis items can be compared in the subsequent comprehensive analysis, two outputs are defined for every analysis item. One is the maliciousness m, a binary value in {0, 1}, which indicates whether the sample is judged malicious according to that item's result. The other is the suspiciousness s, any value in the interval [0, 1], which indicates how suspicious the sample is as malicious code according to that item's result. This normalizes the output of every analysis item and facilitates the comprehensive analysis in this step.
In this step, the set of suspiciousness values s output by the analysis modules is denoted S, and the set of maliciousness values m is denoted M. The maliciousness of the sample is judged first: Xm = Σ(m | m ∈ M), and if Hm ≤ Xm the sample is regarded as malicious code. Otherwise the suspiciousness of the sample is judged next: Xs = Σ(s | s ∈ S)/|S|, and if Hs ≤ Xs the sample is regarded as malicious code. For this embodiment, Xm = 4 and Xs = 0.568; since Hm < Xm, the sample is determined to be malicious code.
8. If the sample is judged to be malicious code in step 7, record the detection result and raise an alert.
9. Repeat steps 2 to 8 until all the sample files received in step 1 have been analyzed, at which point the whole detection process ends.
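The file name items of step 3 and the threshold decision of step 7, worked through in Python as an added example (not code from the patent). The 38-character file name is constructed, because the embodiment's own file name is missing from the text; the other (s, m) pairs are the embodiment values listed above. Treating the first word of a letter's Unicode name as its "character set", clamping s11 to 1, and fixing m12 at 0 are assumptions.

```python
import unicodedata
from typing import List, NamedTuple, Tuple

RLO = "\u202e"          # U+202E RIGHT-TO-LEFT OVERRIDE, the special character the page names
SPECIAL_CHARS = {RLO}   # configurable set; only RLO is taken from the page
MAX_NAME_LEN = 255      # divisor the page uses for s11


class Item(NamedTuple):
    """One analysis item: suspiciousness s in [0, 1], maliciousness m in {0, 1}."""
    label: str
    s: float
    m: int


def char_sets(filename: str) -> set:
    """Assumption: a letter's 'character set' is the first word of its Unicode
    name (LATIN, CYRILLIC, CJK, ...). Digits and punctuation are skipped
    because they are shared between scripts."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in filename if ch.isalpha()}


def analyze_filename(filename: str) -> List[Item]:
    """File name items 1) to 4) of step 3 (s11..s14, m11..m14)."""
    l = len(filename)
    if l == 0:
        raise ValueError("empty file name")
    n = sum(1 for ch in filename if not ch.isprintable())
    special = any(ch in SPECIAL_CHARS for ch in filename)
    return [
        # s11 = l/255; the clamp (an assumption) keeps s inside [0, 1].
        Item("name length", min(1.0, l / MAX_NAME_LEN), 0),
        # s12 = n/l; m12 is fixed at 0 (assumption, matches the embodiment).
        Item("unprintable characters", n / l, 0),
        Item("3 or more character sets",
             1.0 if len(char_sets(filename)) >= 3 else 0.0, 0),
        Item("special character", float(special), int(special)),
    ]


def judge(items: List[Item], hm: int = 3,
          hs: float = 0.6) -> Tuple[bool, str, int, float]:
    """Step 7: test total maliciousness Xm first, then mean suspiciousness Xs."""
    if not items:
        raise ValueError("no analysis items")
    xm = sum(i.m for i in items)
    xs = sum(i.s for i in items) / len(items)
    if xm >= hm:
        return True, "Xm >= Hm", xm, xs
    if xs >= hs:
        return True, "Xs >= Hs", xm, xs
    return False, "below both thresholds", xm, xs


# Constructed sample name: 38 characters, three scripts, one RLO.
SAMPLE_NAME = "年度报告_отчет_annual_report_2016_v2" + RLO + "x.scr"

# Remaining items, using the (s, m) values the page reports for its embodiment.
EMBODIMENT_OTHER_ITEMS = [
    Item("extension count", 0.0, 0),                  # s21, m21
    Item("extension matches file type", 0.0, 0),      # s22, m22
    Item("published by legitimate developer", 1.0, 1),  # s31, m31
    Item("developer matches signature", 1.0, 1),      # s32, m32
    Item("signature certificate valid", 1.0, 1),      # s33, m33
    Item("icon similarity", 0.5, 0),                  # s41, m41
]


def embodiment_result() -> Tuple[bool, str, int, float]:
    """Combine the computed file name items with the page's other values."""
    return judge(analyze_filename(SAMPLE_NAME) + EMBODIMENT_OTHER_ITEMS)


if __name__ == "__main__":
    for item in analyze_filename(SAMPLE_NAME):
        print(f"{item.label:28} s={item.s:.2f} m={item.m}")
    print(embodiment_result())
```

With the default thresholds Hm = 3 and Hs = 0.6 this reproduces the embodiment's Xm = 4 and Xs = 0.568, so the first branch (Hm ≤ Xm) fires before the suspiciousness mean is consulted.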
With the method and system proposed by the invention for detecting malicious code that uses social deception, a person skilled in the art can configure, as needed, the parameters of the file type analysis module, file name analysis module, file extension analysis module, file attribute analysis module, file icon analysis module, and file maliciousness judgment module, as well as the safe file formats and the detection thresholds, to analyze and check many different file attributes and thereby carry out malicious code detection quickly, efficiently, and accurately.
The above embodiments are intended to help the reader understand and implement the content of the invention, and are not limiting. A person skilled in the art should understand that various substitutions, changes, and modifications can be made without departing from the spirit and scope of the invention. The scope of protection of the invention is defined by the claims.

Claims (10)

1. a kind of detection method of malicious code for social deception, step include:
1) according to sample file header contents feature, magic number information and format character, the actual file type of sample file is identified, Obtain the sample file of non-security form;
2) filename of above-mentioned non-security form sample file, character number, unprintable character according to contained by filename are extracted Whether the affiliated character set of number, character and character one of which containing spcial character or multinomial obtain malice angle value and suspicious degree Value;
3) the suffix name number and the suffix name and file of mark included according to the filename of non-security form sample file The whether consistent one of which of type or two obtain malice angle value and suspicious angle value;
4) whether it is whether legal software developer's publication, developer's information are signed with number according to non-security form sample file Developer's information is consistent in name and the whether legal effective one of which of digital signature or it is multinomial obtain malice angle value and Suspicious angle value;
5) according to non-security form sample file icon, whether similar and icon is similar to the icon of known legitimate software Know whether the developer of legal software is consistent with the developer of sample file and obtain malice angle value and suspicious angle value;
6) by the total malice angle value and total suspicious angle value of the malice angle value of each analysis project of above-mentioned steps and suspicious angle value and setting Detection threshold value be compared, whether judgement sample file is malicious code according to this.
2. according to the method described in claim 1, it is characterized in that, the Safe Format is the specified tray without analysis Formula, including text file, picture.
3. according to the method described in claim 1, it is characterized in that, the spcial character includes Unicode control characters 0x202E(RLO)。
4. according to the method described in claim 1, it is characterized in that, according to digital signature information judgement sample file in step 4) Whether it is legal software developer's publication.
5. according to the method described in claim 1, it is characterized in that, using perceiving, hash algorithm is searched and sample is literary in step 5) The icon of the similar known legitimate software of part icon.
6. according to the method described in claim 1, it is characterized in that, the malice degree be { 0,1 } binary value, the suspicious degree For the arbitrary value in [0,1] section.
7. according to the method described in claim 1, it is characterized in that, the detection threshold value includes malice degree threshold value and suspicious degree threshold Value.
8. the method according to the description of claim 7 is characterized in that the malice degree of sample file is first determined whether, if total malice degree Value is more than or equal to malice degree threshold value, then regards sample file as malicious code;Otherwise the suspicious degree of further judgement sample file, if The ratio of total suspicious angle value and analysis item mesh number is more than or equal to suspicious degree threshold value, then regards sample file as malicious code.
9. a kind of detecting system of malicious code for social deception, including:
One file type analysis module, according to sample file header contents feature, magic number information and format character, identification sample text The actual file type of part, obtains the sample file of non-security form;
One filename analysis module extracts the filename of above-mentioned non-security form sample file, the character according to contained by filename Whether number, unprintable character number, the affiliated character set of character and character one of which containing spcial character or multinomial obtain Malice angle value and suspicious angle value;
One file suffixes name analysis module, the suffix name number included according to the filename of non-security form sample file and The suffix name of mark obtains malice angle value and suspicious angle value with the whether consistent one of which of file type or two;
One file attribute analysis module extracts the information such as icon, developer, issuing time and the digital signature of sample file, and Whether it is that legal software developer issues, whether developer's information in digital signature with opening according to non-security form sample file Originator information is consistent and the whether legal effective one of which of digital signature or multinomial obtains malice angle value and suspicious degree Value;
One file icon analysis module searches the icon of the known legitimate software similar to sample file icon, and according to non-peace Full format sample file icon known legitimate software whether similar to the icon of known legitimate software and similar icon is opened Whether originator is consistent with the developer of sample file to obtain malice angle value and suspicious angle value;
One file malice judgment module, by the malice angle value of each analysis project and the total malice angle value of suspicious angle value adduction acquisition and always Suspicious angle value, and then be compared with the detection threshold value of setting, whether judgement sample file is malicious code according to this.
10. The system according to claim 9, characterized in that the file type analysis module, filename analysis module, file suffix analysis module, file attribute analysis module and file icon analysis module take the form of extension plug-ins.
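As an added illustration (not code from the patent), the sketch below implements the file type, filename and suffix modules of claim 9 as plug-ins in the sense of claim 10 and sums their values in a judgment step. The weights, thresholds, magic-number table, `UNSAFE_TYPES` set and the separate "suspicious" verdict are assumptions; the attribute and icon modules are left out because they need signature verification and image matching.

```python
import unicodedata

# Weights, thresholds and the "suspicious" verdict are assumptions.
MALICE_THRESHOLD, SUSPICION_THRESHOLD = 10, 5
MAGIC = {b"MZ": "exe", b"%PDF": "pdf", b"PK\x03\x04": "zip", b"\x89PNG": "png"}
UNSAFE_TYPES = {"exe"}                     # assumed set of non-safe formats
SPECIAL = {"\u202e", "\u202d", "\u200b"}   # bidi overrides, zero-width space

def actual_type(header):
    """File type analysis: trust the magic number, not the name."""
    for magic, ftype in MAGIC.items():
        if header.startswith(magic):
            return ftype
    return "unknown"

def filename_scores(name, ftype):
    """Filename analysis: length, control/special characters, mixed scripts."""
    malice = 10 if any(ch in SPECIAL for ch in name) else 0
    suspicion = 0
    if any(unicodedata.category(ch) == "Cc" for ch in name):
        suspicion += 5
    if len(name) > 100:
        suspicion += 3
    stem = name.split(".")[0]
    scripts = {unicodedata.name(ch, "?").split()[0] for ch in stem if ch.isalpha()}
    if len(scripts) > 1:                   # e.g. Latin mixed with Cyrillic
        suspicion += 5
    return malice, suspicion

def suffix_scores(name, ftype):
    """Suffix analysis: suffix count and agreement with the real type."""
    parts = name.lower().split(".")[1:]
    suspicion = 5 if len(parts) > 1 else 0              # "report.pdf.exe"
    malice = 0 if parts and parts[-1] == ftype else 10  # "photo.jpg" that is a PE
    return malice, suspicion

ANALYZERS = [filename_scores, suffix_scores]  # plug-in list, as in claim 10

def judge(name, header):
    """Sum every analyzer's values and compare the totals with the thresholds."""
    ftype = actual_type(header)
    if ftype not in UNSAFE_TYPES:
        return "skipped", 0, 0
    results = [analyze(name, ftype) for analyze in ANALYZERS]
    malice = sum(m for m, _ in results)
    suspicion = sum(s for _, s in results)
    if malice >= MALICE_THRESHOLD:
        return "malicious", malice, suspicion
    if suspicion >= SUSPICION_THRESHOLD:
        return "suspicious", malice, suspicion
    return "clean", malice, suspicion
```

`judge(name, header)` takes the filename and the first bytes of the file. A production table would map each type to all of its legitimate suffixes (for example `.dll` and `.scr` for PE files) so that these are not scored as mismatches.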
CN201611103717.4A 2016-12-05 2016-12-05 The detection method and system of a kind of malicious code for social deception Pending CN108171054A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611103717.4A CN108171054A (en) 2016-12-05 2016-12-05 The detection method and system of a kind of malicious code for social deception

Publications (1)

Publication Number Publication Date
CN108171054A true CN108171054A (en) 2018-06-15

Family

ID=62525917

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611103717.4A Pending CN108171054A (en) 2016-12-05 2016-12-05 The detection method and system of a kind of malicious code for social deception

Country Status (1)

Country Link
CN (1) CN108171054A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102768717A (en) * 2012-06-29 2012-11-07 腾讯科技(深圳)有限公司 Malicious file detection method and malicious file detection device
US8621233B1 (en) * 2010-01-13 2013-12-31 Symantec Corporation Malware detection using file names
CN103679019A (en) * 2012-09-10 2014-03-26 腾讯科技(深圳)有限公司 Malicious file identifying method and device
CN103761483A (en) * 2014-01-27 2014-04-30 百度在线网络技术(北京)有限公司 Method and device for detecting malicious codes

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109379364A (en) * 2018-10-29 2019-02-22 深圳同耕科技股份有限公司 Automated network data transmission method and system between a kind of application system
CN109379364B (en) * 2018-10-29 2021-01-22 深圳同耕科技股份有限公司 Automatic network data transmission method and system between application systems
CN109657465A (en) * 2018-11-07 2019-04-19 深圳竹云科技有限公司 A kind of software detecting method based on file corruption degree
CN110096889A (en) * 2019-04-18 2019-08-06 深圳前海微众银行股份有限公司 File test method, device, equipment and computer readable storage medium
WO2020211555A1 (en) * 2019-04-18 2020-10-22 深圳前海微众银行股份有限公司 File detection method, apparatus and device, and computer-readable storage medium
CN110096889B (en) * 2019-04-18 2024-03-01 深圳前海微众银行股份有限公司 File detection method, device, equipment and computer readable storage medium
CN113051562A (en) * 2019-12-28 2021-06-29 深信服科技股份有限公司 Virus checking and killing method, device, equipment and readable storage medium
CN113282921A (en) * 2021-06-11 2021-08-20 深信服科技股份有限公司 File detection method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20180615