CN108446561A - A kind of malicious code behavioural characteristic extracting method
- Publication number: CN108446561A (application number CN201810234875.6A)
- Authority: CN (China)
- Prior art keywords: malicious code, behavioural characteristic, mathematical model, extracting method, characteristic extracting
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
Abstract
The invention discloses a malicious code behavioural characteristic extracting method comprising the following steps: S1, according to the differences in malicious code execution information, define the corresponding behavioural characteristics and establish a mathematical model in which code execution information corresponds one-to-one with behavioural characteristics; S2, run the malicious code in a virtual execution device and extract its execution information, which comprises an executed instruction sequence and a behaviour sequence; S3, use the acquired code execution information as the input of the mathematical model to obtain the behavioural characteristic data of the malicious code. The present invention acquires the characteristic data of malicious code from its execution information by means of a mathematical model, with a higher accuracy rate; at the same time, simulation analysis can be performed on the malicious code behaviour, realising the acquisition of each target parameter.
Description
Technical field
The present invention relates to technical field of network security, and in particular to a kind of malicious code behavioural characteristic extracting method.
Background technology
As computers are applied ever more widely in every field, malicious code has become one of the chief threats to the Internet and to computer security, and malicious code detection has become a major issue of software and system security. With the continuous development of computer technology, malicious code exhibits fast propagation, strong infection capability and great destructive power, causing increasingly severe security impact and even economic loss. As malicious code technology develops, obfuscation and concealment techniques allow a large number of variants to be generated in a short time, and traditional feature extraction and matching methods based on code characteristics can no longer protect against them effectively. Therefore, improving the accuracy of malicious code feature extraction and the adaptability of the extracted features has become an urgent problem to be solved.
Existing malicious code feature extraction methods can be divided into static analysis extraction and dynamic analysis extraction. Since the source code of malicious code generally cannot be obtained, static extraction methods usually need to disassemble the code first and then extract features. Static extraction therefore relies on disassembly technology, and malicious code can use obfuscation to prevent disassembly from succeeding, so that code characteristics cannot be extracted effectively; on the other hand, static extraction analyses the code comprehensively, is not limited to a single execution path, and can assist dynamic analysis. Dynamic extraction methods extract features during the execution of the malicious code, so that the code analysed is the code that actually executes. To prevent the actual execution of the code from harming the operating system, debugging and analysis methods based on virtual machines have been developed, such as the VMware and VirtualPC virtual machine systems; however, malicious code can detect that it is running on a virtual machine by methods such as checking code execution time, and change its behaviour to resist analysis.
Invention content
The object of the present invention is to provide a malicious code behavioural characteristic extracting method that acquires the characteristic data of malicious code from its execution information by means of a mathematical model, with a higher accuracy rate, and that can at the same time perform simulation analysis of the malicious code behaviour, realising the acquisition of each target parameter.
To achieve the above object, the technical solution adopted by the present invention is:
A malicious code behavioural characteristic extracting method comprising the following steps:
S1, according to the differences in malicious code execution information, define the corresponding behavioural characteristics and establish a mathematical model in which code execution information corresponds one-to-one with behavioural characteristics;
S2, run the malicious code in a virtual execution device and extract the execution information of the malicious code, the execution information comprising an executed instruction sequence and a behaviour sequence;
S3, use the acquired code execution information as the input of the mathematical model to obtain the behavioural characteristic data of the malicious code.
Wherein, a virtual start module is provided in the mathematical model; after a relationship has been established with each element in the modelling module of the mathematical model, it varies the parameters within a specified range so as to drive the various simulation analysis methods to compute solutions for different parameters.
Wherein, the data input by the virtual parameter start module have a direct or indirect correspondence with the relevant elements in the simulation analysis method.
Wherein, several virtual parameter modules are provided in the mathematical model, for inserting into the established mathematical model logic units that can directly acquire the corresponding result or information object; they can be customised according to the target parameters of the simulation analysis method.
Wherein, the mathematical model is built on Simulink.
Wherein, step S3 specifically comprises the following steps:
S31, parse the resources and composition structure of the malicious code;
S32, analyse and normalise the parsing result of step S31 to obtain the weights corresponding to the executed instruction sequence and the behaviour sequence;
S33, parse the executed instruction sequence and the behaviour sequence to obtain the fuzzy vectors corresponding to the executed instruction sequence and the behaviour sequence;
S34, input the weights and fuzzy vectors corresponding to the executed instruction sequence and the behaviour sequence into the mathematical model to obtain the behavioural characteristic data of the malicious code.
Wherein, step S32 acquires the weights based on the gray relational analysis method.
The invention has the following advantages:
The characteristic data of malicious code is acquired from its execution information by means of a mathematical model, with a higher accuracy rate; at the same time, simulation analysis can be performed on the malicious code behaviour, realising the acquisition of each target parameter.
Description of the drawings
Fig. 1 is a flow chart of the malicious code behavioural characteristic extracting method of the present invention.
Specific implementation mode
In order to make the objects and advantages of the present invention more clearly understood, the present invention is described in further detail below with reference to embodiments. It should be understood that the specific embodiments described here are merely illustrative of the present invention and are not intended to limit it.
As shown in Fig. 1, an embodiment of the present invention provides a malicious code behavioural characteristic extracting method comprising the following steps:
S1, according to the differences in malicious code execution information, define the corresponding behavioural characteristics and establish a mathematical model in which code execution information corresponds one-to-one with behavioural characteristics;
S2, run the malicious code in a virtual execution device and extract the execution information of the malicious code, the execution information comprising an executed instruction sequence and a behaviour sequence;
S3, use the acquired code execution information as the input of the mathematical model to obtain the behavioural characteristic data of the malicious code.
The mathematical model is built on Simulink. A virtual start module is provided inside it; after a relationship has been established with each element in the modelling module of the mathematical model, it varies the parameters within a specified range so as to drive the various simulation analysis methods to compute solutions for different parameters. The data input by the virtual parameter start module have a direct or indirect correspondence with the relevant elements in the simulation analysis method. Several virtual parameter modules are provided in the mathematical model, for inserting into the established mathematical model logic units that can directly acquire the corresponding result or information object; they can be customised according to the target parameters of the simulation analysis method.
Step S3 specifically comprises the following steps:
S31, parse the resources and composition structure of the malicious code;
S32, analyse and normalise the parsing result of step S31 based on the gray relational analysis method to obtain the weights corresponding to the executed instruction sequence and the behaviour sequence;
S33, parse the executed instruction sequence and the behaviour sequence to obtain the fuzzy vectors corresponding to the executed instruction sequence and the behaviour sequence;
S34, input the weights and fuzzy vectors corresponding to the executed instruction sequence and the behaviour sequence into the mathematical model to obtain the behavioural characteristic data of the malicious code.
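The patent describes steps S2 and S31 to S34 only at the level of the flow chart. The following Python is an added worked example, not code from the patent or its applicant, that runs the pipeline end to end over a constructed trace: it splits the execution information into an instruction sequence and a behaviour sequence (S2), buckets events into categories (S31), derives category weights with Deng's gray relational analysis (S32), fuzzifies relative frequencies into triangular membership vectors (S33) and combines weights and memberships into a flat feature vector (S34). Everything not stated in the patent is an assumption and is marked as such in the code: the `insn:`/`api:` event format, the category tables, the use of the per-window maximum as the gray relational reference sequence, the three-level triangular membership functions, and the weight-times-membership combination that stands in for the unspecified Simulink model.

```python
from collections import Counter

# Constructed sample trace (assumption: the virtual execution device emits one
# event per line, "insn:<mnemonic>" for an executed instruction and
# "api:<name>" for an observed API call). Not real malware output.
SAMPLE_TRACE = [
    "insn:push", "insn:mov", "api:CreateFileW", "insn:call", "api:WriteFile",
    "insn:xor", "insn:jmp", "api:RegSetValueExW", "insn:cmp", "insn:jne",
    "api:CreateProcessW", "insn:mov", "api:InternetOpenA", "insn:call",
    "api:HttpSendRequestA", "insn:ret",
]

# Assumed category tables for S31; events not listed are ignored.
INSN_CATEGORIES = {
    "mov": "data", "push": "data", "pop": "data",
    "call": "control", "jmp": "control", "jne": "control", "ret": "control",
    "xor": "arith", "cmp": "arith", "add": "arith",
}
API_CATEGORIES = {
    "CreateFileW": "file", "WriteFile": "file", "RegSetValueExW": "registry",
    "CreateProcessW": "process",
    "InternetOpenA": "network", "HttpSendRequestA": "network",
}


def parse_trace(lines):
    """S2: split execution information into the executed instruction sequence
    and the behaviour (API call) sequence."""
    insns, behaviours = [], []
    for line in lines:
        kind, _, value = line.strip().partition(":")
        if kind == "insn":
            insns.append(value)
        elif kind == "api":
            behaviours.append(value)
    return insns, behaviours


def categorise(sequence, table, n_windows):
    """S31: per-category event counts in n_windows consecutive slices of the
    sequence, giving one comparison series per category."""
    cats = sorted(set(table.values()))
    size = max(1, -(-len(sequence) // n_windows))  # ceiling division
    windows = [sequence[i * size:(i + 1) * size] for i in range(n_windows)]
    return {c: [sum(1 for s in w if table.get(s) == c) for w in windows]
            for c in cats}


def gray_relational_weights(series, rho=0.5):
    """S32: Deng's gray relational analysis. Each category series is range-
    normalised and compared with an ideal reference (assumption: the per-window
    maximum over all categories). Grades normalised to sum 1 are the weights."""
    names = list(series)
    n = len(series[names[0]])
    norm = {nm: [v / (max(series[nm]) or 1) for v in series[nm]] for nm in names}
    ref = [max(norm[nm][k] for nm in names) for k in range(n)]
    delta = {nm: [abs(ref[k] - norm[nm][k]) for k in range(n)] for nm in names}
    d_min = min(min(d) for d in delta.values())
    d_max = max(max(d) for d in delta.values())
    if d_max == 0:  # every series coincides with the reference
        grades = {nm: 1.0 for nm in names}
    else:
        grades = {nm: sum((d_min + rho * d_max) / (d + rho * d_max)
                          for d in delta[nm]) / n for nm in names}
    total = sum(grades.values())
    return {nm: g / total for nm, g in grades.items()}


def fuzzify(x):
    """S33: triangular memberships of a relative frequency x in [0, 1] to the
    linguistic levels low / mid / high (they always sum to 1)."""
    low = max(0.0, 1.0 - 2.0 * x)
    high = max(0.0, 2.0 * x - 1.0)
    return {"low": low, "mid": 1.0 - low - high, "high": high}


def fuzzy_vector(sequence, table):
    """S33: each category's share of the known events, fuzzified."""
    labels = [table[s] for s in sequence if s in table]
    counts, total = Counter(labels), max(1, len(labels))
    return {c: fuzzify(counts[c] / total) for c in sorted(set(table.values()))}


def behaviour_features(lines, n_windows=4):
    """S34 stand-in: the patent feeds weights and fuzzy vectors into an
    unspecified Simulink model; here (assumption) the behavioural characteristic
    data is the flat vector weight * membership for every category and level."""
    insns, behaviours = parse_trace(lines)
    features = {}
    for prefix, seq, table in (("insn", insns, INSN_CATEGORIES),
                               ("api", behaviours, API_CATEGORIES)):
        weights = gray_relational_weights(categorise(seq, table, n_windows))
        fuzz = fuzzy_vector(seq, table)
        for c, w in weights.items():
            for level, mu in fuzz[c].items():
                features[f"{prefix}:{c}:{level}"] = round(w * mu, 4)
    return features


if __name__ == "__main__":
    for key, value in sorted(behaviour_features(SAMPLE_TRACE).items()):
        print(f"{key:22s} {value:.4f}")
```

On the constructed trace the control-flow category receives the largest instruction weight (0.4), because its activity is present in every window and therefore tracks the reference most closely, while the four API categories, each confined to a single window, receive equal weights of 0.25. A practitioner would replace the category tables with the analyst's own taxonomy and the final combination with whatever model is actually trained on the resulting vector; the gray relational step is what makes the weights depend on how activity is distributed over the run rather than on raw counts alone.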
The above is only a preferred embodiment of the present invention. It should be noted that a person of ordinary skill in the art can make several improvements and modifications without departing from the principle of the present invention, and these improvements and modifications should also be regarded as within the protection scope of the present invention.
Claims (7)
1. A malicious code behavioural characteristic extracting method, characterised in that it comprises the following steps:
S1, according to the differences in malicious code execution information, defining the corresponding behavioural characteristics and establishing a mathematical model in which code execution information corresponds one-to-one with behavioural characteristics;
S2, running the malicious code in a virtual execution device and extracting the execution information of the malicious code, the execution information comprising an executed instruction sequence and a behaviour sequence;
S3, using the acquired code execution information as the input of the mathematical model to obtain the behavioural characteristic data of the malicious code.
2. The malicious code behavioural characteristic extracting method according to claim 1, characterised in that a virtual start module is provided in the mathematical model which, after establishing a relationship with each element in the modelling module of the mathematical model, varies the parameters within a specified range so as to drive the various simulation analysis methods to compute solutions for different parameters.
3. The malicious code behavioural characteristic extracting method according to claim 1, characterised in that the data input by the virtual parameter start module have a direct or indirect correspondence with the relevant elements in the simulation analysis method.
4. The malicious code behavioural characteristic extracting method according to claim 1, characterised in that several virtual parameter modules are provided in the mathematical model, for inserting into the established mathematical model logic units that can directly acquire the corresponding result or information object, which can be customised according to the target parameters of the simulation analysis method.
5. The malicious code behavioural characteristic extracting method according to claim 1, characterised in that the mathematical model is built on Simulink.
6. The malicious code behavioural characteristic extracting method according to claim 1, characterised in that step S3 specifically comprises the following steps:
S31, parsing the resources and composition structure of the malicious code;
S32, analysing and normalising the parsing result of step S31 to obtain the weights corresponding to the executed instruction sequence and the behaviour sequence;
S33, parsing the executed instruction sequence and the behaviour sequence to obtain the fuzzy vectors corresponding to the executed instruction sequence and the behaviour sequence;
S34, inputting the weights and fuzzy vectors corresponding to the executed instruction sequence and the behaviour sequence into the mathematical model to obtain the behavioural characteristic data of the malicious code.
7. The malicious code behavioural characteristic extracting method according to claim 6, characterised in that step S32 acquires the weights based on the gray relational analysis method.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810234875.6A CN108446561A (en) | 2018-03-21 | 2018-03-21 | A kind of malicious code behavioural characteristic extracting method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108446561A true CN108446561A (en) | 2018-08-24 |
Family ID: 63196010
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108446561A (en) |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101895521A (en) * | 2009-05-22 | 2010-11-24 | 中国科学院研究生院 | Network worm detection and characteristic automatic extraction method and system |
CN102054149A (en) * | 2009-11-06 | 2011-05-11 | 中国科学院研究生院 | Method for extracting malicious code behavior characteristic |
CN102300208A (en) * | 2011-06-21 | 2011-12-28 | 常州艾可泰自动化设备有限公司 | Optimized protection strategy against dissemination of malicious software of wireless sensor network |
CN103679030A (en) * | 2013-12-12 | 2014-03-26 | 中国科学院信息工程研究所 | Malicious code analysis and detection method based on dynamic semantic features |
CN104966019A (en) * | 2014-06-16 | 2015-10-07 | 哈尔滨安天科技股份有限公司 | Method and system for heuristically detecting possible threats of a document |
US20160378989A1 (en) * | 2015-06-25 | 2016-12-29 | Electronics And Telecommunications Research Institute | Apparatus and method for monitoring android platform-based application |
CN107018030A (en) * | 2017-06-01 | 2017-08-04 | 厦门华厦学院 | Mobile network's trouble analysis system based on intelligent terminal |
CN107231382A (en) * | 2017-08-02 | 2017-10-03 | 上海上讯信息技术股份有限公司 | A kind of Cyberthreat method for situation assessment and equipment |
CN107590388A (en) * | 2017-09-12 | 2018-01-16 | 南方电网科学研究院有限责任公司 | Malicious code detecting method and device |
CN107659570A (en) * | 2017-09-29 | 2018-02-02 | 杭州安恒信息技术有限公司 | Webshell detection methods and system based on machine learning and static and dynamic analysis |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 20180824