CN108446561A - A kind of malicious code behavioural characteristic extracting method - Google Patents

A kind of malicious code behavioural characteristic extracting method Download PDF

Info

Publication number
CN108446561A
CN108446561A CN201810234875.6A CN201810234875A CN108446561A CN 108446561 A CN108446561 A CN 108446561A CN 201810234875 A CN201810234875 A CN 201810234875A CN 108446561 A CN108446561 A CN 108446561A
Authority
CN
China
Prior art keywords
malicious code
behavioural characteristic
mathematical model
extracting method
characteristic extracting
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810234875.6A
Other languages
Chinese (zh)
Inventor
王方伟
王长广
张运凯
赵冬梅
张林伟
侯卫红
李青茹
曾水光
赵琛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hebei Normal University
Original Assignee
Hebei Normal University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hebei Normal University filed Critical Hebei Normal University
Priority to CN201810234875.6A priority Critical patent/CN108446561A/en
Publication of CN108446561A publication Critical patent/CN108446561A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a kind of malicious code behavioural characteristic extracting methods, include the following steps:S1, according to the difference of malicious code execution information, set corresponding behavioural characteristic, establish code execution information and the one-to-one mathematical model of behavioural characteristic;S2, the operation that malicious code is carried out by virtual execution device, extract the execution information of malicious code, which includes executing instruction sequence and behavior sequence;S3, using the code execution information of acquisition as the input quantity of data model, obtain the behavioural characteristic data of malicious code.The present invention is based on the execution informations of malicious code to carry out the acquisition of its characteristic by mathematical model, and accuracy rate is higher;Simulation analysis can be carried out to malicious code behavior simultaneously, realize the acquisition of each target component.

Description

A kind of malicious code behavioural characteristic extracting method
Technical field
The present invention relates to technical field of network security, and in particular to a kind of malicious code behavioural characteristic extracting method.
Background technology
As computer is applied in each field increasingly extensive, malicious code has become current internet and computer security One of chief threat, Malicious Code Detection becomes the major issue of software and system safety.It is continuous with computer technology Development, malicious code show the feature that spread speed is fast, infection ability is strong, destructive power is big, cause increasingly severe safety Influence even economic loss.With the development of malicious code technology, obfuscation and concealing technology are utilized, it can be in the short time Interior to generate a large amount of mutation, traditional feature extraction and matching method based on code characteristic can not carry out effective protection to it. Therefore, the adaptability of the accuracy and extracted feature that improve malicious code feature extraction becomes current urgent problem to be solved.
Existing malicious code feature extracting method can be divided into static analysis extraction and dynamic analysis extraction.Due to general Malicious code source code can not be obtained, static extracting method generally needs first to carry out dis-assembling to code, then extracts feature.It is static Extraction often relies on dis-assembling technology, and malicious code can be used obfuscation that dis-assembling is made to can not be successfully progress, thus can not Effectively extraction code characteristic;But static extracting method analysis code is comprehensive, is not limited to single-pathway, can assist dynamic analysis. Dynamic Extraction method extracts feature in malicious code implementation procedure, the code that the code analyzed as actually executes.To keep away Operating system can be generated malice influence by exempting from practical execution code, produce the Commissioning Analysis method using virtual machine, such as The virtual machine systems such as VMware, VirtualPC, but malicious code can be by checking that the methods of code execution time checks it in void It is executed on quasi- machine, to change behavior confrontation analysis.
Invention content
The object of the present invention is to provide a kind of malicious code behavioural characteristic extracting method, the execution information based on malicious code The acquisition of its characteristic is carried out by mathematical model, accuracy rate is higher;Emulation point can be carried out to malicious code behavior simultaneously Analysis, realizes the acquisition of each target component.
To achieve the above object, the technical solution that the present invention takes is:
A kind of malicious code behavioural characteristic extracting method, includes the following steps:
S1, according to the difference of malicious code execution information, set corresponding behavioural characteristic, establish code execution information and row It is characterized one-to-one mathematical model;
S2, the operation that malicious code is carried out by virtual execution device, extract the execution information of malicious code, the execution information Including executing instruction sequence and behavior sequence;
S3, using the code execution information of acquisition as the input quantity of data model, obtain the behavioural characteristic data of malicious code.
Wherein, a virtual start module is equipped in the mathematical model, for establishing mould each member in the block with mathematical model After plain opening relationships, parameter is changed in specified range, to drive various simulating analysis for different Parameter carries out calculating solution.
Wherein, described to state the data that virtual parameter start module is inputted and have with the coherent element in simulating analysis Direct or indirect correspondence.
Wherein, several virtual parameter modules are equipped in the mathematical model, to be inserted into energy in the mathematical model established Reach the logic unit for directly acquiring corresponding result or information object, can be carried out certainly according to the target component of simulating analysis Definition.
Wherein, the mathematical model is built based on Simulink.
Wherein, the step S3 specifically comprises the following steps:
S31, the parsing to malicious code resource and composed structure;
S32, analysis and normalized are carried out to the analysis result of step S31, obtains executing instruction sequence and behavior sequence Arrange corresponding weight;
S33, by the parsing to executing instruction sequence and behavior sequence, obtain executing instruction sequence and behavior sequence correspond to Fuzzy vector;
S34, sequence and the corresponding weight of behavior sequence and fuzzy vector inputting mathematical model will be executed instruction, and will obtain malice The behavioural characteristic data of code.
Wherein, the step S32 carries out the acquisition of weight based on gray relative analysis method.
The invention has the advantages that:
The acquisition of its characteristic is carried out by mathematical model based on the execution information of malicious code, accuracy rate is higher;Together When can to malicious code behavior carry out simulation analysis, realize the acquisition of each target component.
Description of the drawings
Fig. 1 is a kind of flow chart of malicious code behavioural characteristic extracting method of the present invention.
Specific implementation mode
In order to make objects and advantages of the present invention be more clearly understood, the present invention is carried out with reference to embodiments further It is described in detail.It should be appreciated that the specific embodiments described herein are merely illustrative of the present invention, it is not used to limit this hair It is bright.
As shown in Figure 1, an embodiment of the present invention provides a kind of malicious code behavioural characteristic extracting methods, including walk as follows Suddenly:
S1, according to the difference of malicious code execution information, set corresponding behavioural characteristic, establish code execution information and row It is characterized one-to-one mathematical model;
S2, the operation that malicious code is carried out by virtual execution device, extract the execution information of malicious code, the execution information Including executing instruction sequence and behavior sequence;
S3, using the code execution information of acquisition as the input quantity of data model, obtain the behavioural characteristic data of malicious code.
The mathematical model is built based on Simulink, is inside equipped with a virtual start module, is used for and mathematical model After establishing mould each element opening relationships in the block, parameter is changed in specified range, to drive various emulation point Analysis method carries out calculating solution for different parameters.It is described state data that virtual parameter start module is inputted with emulation point Coherent element in analysis method has direct or indirect correspondence.Several virtual parameter moulds are equipped in the mathematical model Block can reach the logic unit for directly acquiring corresponding result or information object to be inserted into the mathematical model established, can It is carried out according to the target component of simulating analysis self-defined.
The step S3 specifically comprises the following steps:
S31, the parsing to malicious code resource and composed structure;
S32, analysis and normalized are carried out to the analysis result of step S31 based on gray relative analysis method, is held Row instruction sequence and the corresponding weight of behavior sequence;
S33, by the parsing to executing instruction sequence and behavior sequence, obtain executing instruction sequence and behavior sequence correspond to Fuzzy vector;
S34, sequence and the corresponding weight of behavior sequence and fuzzy vector inputting mathematical model will be executed instruction, and will obtain malice The behavioural characteristic data of code.
The above is only a preferred embodiment of the present invention, it is noted that for the ordinary skill people of the art For member, without departing from the principle of the present invention, it can also make several improvements and retouch, these improvements and modifications are also answered It is considered as protection scope of the present invention.

Claims (7)

1. a kind of malicious code behavioural characteristic extracting method, which is characterized in that include the following steps:
S1, according to the difference of malicious code execution information, set corresponding behavioural characteristic, it is special to establish code execution information and behavior Levy one-to-one mathematical model;
S2, the operation that malicious code is carried out by virtual execution device, extract the execution information of malicious code, which includes Execute instruction sequence and behavior sequence;
S3, using the code execution information of acquisition as the input quantity of data model, obtain the behavioural characteristic data of malicious code.
2. a kind of malicious code behavioural characteristic extracting method as described in claim 1, which is characterized in that in the mathematical model Equipped with a virtual start module, after establishing mould each element opening relationships in the block with mathematical model, in specified range Parameter is changed, to drive various simulating analysis to carry out calculating solution for different parameters.
3. a kind of malicious code behavioural characteristic extracting method as described in claim 1, which is characterized in that described to state virtual parameter The data that start module is inputted have direct or indirect correspondence with the coherent element in simulating analysis.
4. a kind of malicious code behavioural characteristic extracting method as described in claim 1, which is characterized in that in the mathematical model Equipped with several virtual parameter modules, corresponding result or information are directly acquired to be inserted into reach in the mathematical model established The logic unit of target can carry out self-defined according to the target component of simulating analysis.
5. a kind of malicious code behavioural characteristic extracting method as described in claim 1, which is characterized in that the mathematical model base It is built in Simulink.
6. a kind of malicious code behavioural characteristic extracting method as described in claim 1, which is characterized in that the step S3 is specific Include the following steps:
S31, the parsing to malicious code resource and composed structure;
S32, analysis and normalized are carried out to the analysis result of step S31, obtains executing instruction sequence and behavior sequence pair The weight answered;
S33, by the parsing to executing instruction sequence and behavior sequence, obtain executing instruction sequence and the corresponding mould of behavior sequence Paste vector;
S34, sequence and the corresponding weight of behavior sequence and fuzzy vector inputting mathematical model will be executed instruction, and will obtain malicious code Behavioural characteristic data.
7. a kind of malicious code behavioural characteristic extracting method as claimed in claim 6, which is characterized in that the step S32 bases The acquisition of weight is carried out in gray relative analysis method.
CN201810234875.6A 2018-03-21 2018-03-21 A kind of malicious code behavioural characteristic extracting method Pending CN108446561A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810234875.6A CN108446561A (en) 2018-03-21 2018-03-21 A kind of malicious code behavioural characteristic extracting method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810234875.6A CN108446561A (en) 2018-03-21 2018-03-21 A kind of malicious code behavioural characteristic extracting method

Publications (1)

Publication Number Publication Date
CN108446561A true CN108446561A (en) 2018-08-24

Family

ID=63196010

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810234875.6A Pending CN108446561A (en) 2018-03-21 2018-03-21 A kind of malicious code behavioural characteristic extracting method

Country Status (1)

Country Link
CN (1) CN108446561A (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101895521A (en) * 2009-05-22 2010-11-24 中国科学院研究生院 Network worm detection and characteristic automatic extraction method and system
CN102054149A (en) * 2009-11-06 2011-05-11 中国科学院研究生院 Method for extracting malicious code behavior characteristic
CN102300208A (en) * 2011-06-21 2011-12-28 常州艾可泰自动化设备有限公司 Optimized protection strategy against dissemination of malicious software of wireless sensor network
CN103679030A (en) * 2013-12-12 2014-03-26 中国科学院信息工程研究所 Malicious code analysis and detection method based on dynamic semantic features
CN104966019A (en) * 2014-06-16 2015-10-07 哈尔滨安天科技股份有限公司 Method and system for heuristically detecting possible threats of a document
US20160378989A1 (en) * 2015-06-25 2016-12-29 Electronics And Telecommunications Research Institute Apparatus and method for monitoring android platform-based application
CN107018030A (en) * 2017-06-01 2017-08-04 厦门华厦学院 Mobile network's trouble analysis system based on intelligent terminal
CN107231382A (en) * 2017-08-02 2017-10-03 上海上讯信息技术股份有限公司 A kind of Cyberthreat method for situation assessment and equipment
CN107590388A (en) * 2017-09-12 2018-01-16 南方电网科学研究院有限责任公司 Malicious code detecting method and device
CN107659570A (en) * 2017-09-29 2018-02-02 杭州安恒信息技术有限公司 Webshell detection methods and system based on machine learning and static and dynamic analysis

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101895521A (en) * 2009-05-22 2010-11-24 中国科学院研究生院 Network worm detection and characteristic automatic extraction method and system
CN102054149A (en) * 2009-11-06 2011-05-11 中国科学院研究生院 Method for extracting malicious code behavior characteristic
CN102300208A (en) * 2011-06-21 2011-12-28 常州艾可泰自动化设备有限公司 Optimized protection strategy against dissemination of malicious software of wireless sensor network
CN103679030A (en) * 2013-12-12 2014-03-26 中国科学院信息工程研究所 Malicious code analysis and detection method based on dynamic semantic features
CN104966019A (en) * 2014-06-16 2015-10-07 哈尔滨安天科技股份有限公司 Method and system for heuristically detecting possible threats of a document
US20160378989A1 (en) * 2015-06-25 2016-12-29 Electronics And Telecommunications Research Institute Apparatus and method for monitoring android platform-based application
CN107018030A (en) * 2017-06-01 2017-08-04 厦门华厦学院 Mobile network's trouble analysis system based on intelligent terminal
CN107231382A (en) * 2017-08-02 2017-10-03 上海上讯信息技术股份有限公司 A kind of Cyberthreat method for situation assessment and equipment
CN107590388A (en) * 2017-09-12 2018-01-16 南方电网科学研究院有限责任公司 Malicious code detecting method and device
CN107659570A (en) * 2017-09-29 2018-02-02 杭州安恒信息技术有限公司 Webshell detection methods and system based on machine learning and static and dynamic analysis

Similar Documents

Publication Publication Date Title
CN110825040B (en) Process control attack detection method and device for industrial control system
CN104834858A (en) Method for statically detecting malicious code in android APP (Application)
CN106557695A (en) A kind of malicious application detection method and system
CN111309222B (en) Sliding block notch positioning and dragging track generation method for sliding block verification code
CN104123501B (en) A kind of viral online test method based on many assessor set
CN106202722B (en) Large-scale power grid information physical real-time simulation platform
CN107220539B (en) Demand-based IMA security verification analysis method
CN111522746B (en) Data processing method, device, equipment and computer readable storage medium
CN111310155B (en) System architecture for automatic identification of slider verification code and implementation method
CN111092912B (en) Security defense method and device
CN105446741A (en) API (Application Program Interface) comparison based mobile application identification method
Jack et al. Real-time emulation for power equipment development. Part 1: Real-time simulation
CN111310156B (en) Automatic identification method and system for slider verification code
CN107979581A (en) The detection method and device of corpse feature
CN105677574A (en) Android application vulnerability detection method and system based on function control flow
CN116127485A (en) Encryption method for database data, storage medium and computer equipment
CN106777529A (en) Integrated circuit fault-resistant injection attacks capability assessment method based on FPGA
CN107437088A (en) File identification method and device
CN108446561A (en) A kind of malicious code behavioural characteristic extracting method
CN116861362A (en) Intelligent contract attack detection method and device
CN108133099A (en) A kind of analogue system implementation method based on multi-resolution models frame
CN107133539B (en) Smart card personalization method and related device and system
US11909754B2 (en) Security assessment system
CN110673507A (en) Data simulation method and device for Internet of things equipment
CN112487421B (en) Android malicious application detection method and system based on heterogeneous network

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20180824