CN109033839A - A kind of malware detection method based on dynamic multiple features - Google Patents
- Publication number: CN109033839A (application number CN201810905958.3A)
- Authority: CN (China)
- Prior art keywords: virtual machine, classifier, guest virtual, malware, behavioral characteristics
- Legal status: Withdrawn (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Debugging And Monitoring (AREA)
Abstract
A malware detection method based on dynamic multiple features. Malware and benign software samples are launched one after another into a guest virtual machine running on a Xen virtualization platform; a memory dump of the guest virtual machine is obtained with LibVMI; several classes of dynamic features are extracted from the memory dump with the Volatility memory forensics framework and combined into a feature set; the best base classifiers are selected and combined into a final ensemble classifier, the feature set is fed into the ensemble classifier, and the optimal feature combination and ensemble learning model are determined as the classification result. Effects of the invention: the variety and reliability of the collected feature data are effectively improved and the cost of data collection is reduced; by using an ensemble learning model, the generalization ability and classification accuracy of the overall classifier are effectively improved, and the classification model becomes more generally applicable to detecting different types of malware.
Description
Technical field
The invention belongs to the field of computer information security technology, and in particular relates to a malware detection method based on dynamic multiple features.
Background technique
In recent years, with the continuing growth in the number and variety of malware, malware detection methods based on machine learning have been widely adopted to reduce the burden of manual analysis. In general, a machine-learning-based malware detection method consists of two processes: feature extraction, and modelling with a classification or clustering algorithm. Depending on whether the malware is executed during feature extraction, detection can be divided into two approaches: static detection and dynamic detection.
(1) static detection
Static detection analyses the features of a piece of software and the malicious behaviour it may contain without running the malware, so the analysis process is relatively simple, safe and reliable. The basic idea of static analysis is to check whether malicious behaviour is present in the executable files on the system, without examining the file's instructions in depth. The features extracted in existing static detection are mainly byte n-grams, PE section information, embedded strings, signatures, checksums and metadata. These features are extracted directly from the malware's binary or PE file, without running the malware.
(2) dynamic detection
Dynamic analysis actually executes the program sample in a controlled analysis environment, monitors the program's behaviour during execution and records the important execution information. One way to observe program behaviour is to monitor the program's interaction with the operating system by analysing its API calls. Dynamic detection must be carried out in a safe and reliable environment that is isolated, so that it does not affect other working environments, and that can be restored afterwards. The features extracted in existing dynamic detection mainly include the system calls and API calls the program makes while it runs and the network traffic it generates.
In summary: first, current static and dynamic malware detection methods mainly extract features from inside the host, where the security mechanism runs at the same privilege level as the malware, so the collected feature information is easily tampered with or spoofed; second, existing feature extraction methods usually extract only a single type of feature, which makes it hard to detect complex malware; third, existing machine learning methods are usually based on a single classifier model, whose generalization ability is poor and which is unsuited to malware detection scenarios based on several classes of features.
Summary of the invention
To solve the above problems, the purpose of the present invention is to provide a malware detection method based on dynamic multiple features.
To achieve this, the malware detection method based on dynamic multiple features provided by the invention comprises the following steps, performed in order:
Step 1) Build a Xen virtualization platform on a physical machine, create a guest virtual machine on it and install a Windows operating system; immediately after the Windows operating system is installed, save a memory snapshot of the operating system; then launch malware and benign software samples one after another into the guest virtual machine running on the Xen virtualization platform;
Step 2) After a sample has run, obtain a memory dump of the guest virtual machine with LibVMI and submit it to the Volatility memory forensics framework;
Step 3) While the sample executes, use the Volatility memory forensics framework to extract several classes of dynamic features from the memory dump and combine these dynamic features into a feature set;
Step 4) Select the best base classifiers, build the final ensemble classifier, feed the feature set into the ensemble classifier, and determine the optimal feature combination and ensemble learning model as the classification result, thereby completing malware detection.
In step 1), the method of building the Xen virtualization platform on a physical machine, creating the guest virtual machine, installing the Windows operating system, saving a memory snapshot of the operating system immediately after installation, and then launching malware and benign software samples one after another into the guest virtual machine running on the Xen virtualization platform comprises the following steps:
1.1) Install the Xen virtualization platform on the physical machine, create a guest virtual machine on the Xen virtualization platform and install the Windows operating system in it;
1.2) After the Windows operating system is installed, save a memory snapshot of the operating system with the xlsave command (Xen's xl save), which guarantees a consistent operating system state for every experiment;
1.3) Use the DRAKVUF injector plugin to launch the malware and benign software samples one after another into the guest virtual machine.
In step 2), the method of obtaining a memory dump of the guest virtual machine with LibVMI after the sample has run and submitting it to the Volatility memory forensics framework comprises the following steps:
2.1) After the sample launched into the guest virtual machine in step 1) has run for 30 seconds, obtain a memory dump of the guest virtual machine with LibVMI's dump-memory tool;
2.2) Submit this memory dump to the Volatility memory forensics framework;
2.3) After the memory dump of the guest virtual machine has been collected, use the xlrestore command (Xen's xl restore) to restore the operating system's memory snapshot to the freshly installed state, then repeat step 1) to keep launching samples into the guest virtual machine.
In step 3), the method of using the Volatility memory forensics framework, while the sample executes, to extract several classes of dynamic features from the memory dump and combine these dynamic features into a feature set comprises the following steps:
3.1) Use Volatility's impscan plugin to obtain from the guest virtual machine's memory dump the sequence of APIs called by the executable; sort these APIs by frequency of occurrence and select the 500 most frequent as the first class of dynamic features (API);
3.2) Use Volatility's callbacks, dlllist, ldrmodules, modules, privs, psxview, svcscan, handles, mutantscan and thrdscan plugins to obtain from the memory dump the executable's memory-member features, including callback functions, DLLs, modules and handles, as the second class of dynamic features, abbreviated MMF;
3.3) Use Volatility's procdump plugin to extract from the memory dump the malicious or benign executable that was launched into the guest virtual machine, then parse the information of each PE section of the binary with Python's pefile module as the third class of dynamic features, abbreviated PEF;
3.4) Convert the binary executable obtained in step 3.3) into a grayscale image and take the first 1000 pixel values as the fourth class of dynamic features, abbreviated BPF;
3.5) Disassemble the executable obtained in step 3.3) with IDA Pro to obtain its opcodes (mov, push, add and so on), and select opcode 3-grams as the fifth class of dynamic features, abbreviated 3GF;
3.6) Express each class of dynamic features as a vector, build the feature vectors, and combine all feature vectors into the feature set.
In step 4), the method of selecting the best base classifiers, building the final ensemble classifier, feeding the feature set into the ensemble classifier, and determining the optimal feature combination and ensemble learning model as the classification result, thereby completing malware detection, comprises the following steps:
Select the Bayesian network (BN), logistic regression (LR), support vector machine (SMO), nearest neighbour (IBk) and J48 classifiers as the best base classifiers and combine these base classifiers into the final ensemble classifier; feed the feature set into the ensemble classifier; select AdaBoostM1 as the ensemble learning model and Vote as the combination strategy; add the Bayesian network, logistic regression, support vector machine, nearest neighbour and J48 classifiers to Vote in turn; then select Cross-validation with 10 folds under Test Options and finally obtain the classification result: malware or benign software.
The malware detection method based on dynamic multiple features provided by the invention has the following beneficial effects:
1) the variety and reliability of the collected feature data are effectively improved and the cost of data collection is reduced;
2) compared with detection methods based on a single feature or on static analysis, the multi-feature dynamic malware detection method effectively improves the ability to detect complex malware;
3) by using an ensemble learning model, the generalization ability and classification accuracy of the overall classifier are effectively improved, and the classification model becomes more generally applicable to detecting different types of malware.
Detailed description of the invention
Fig. 1 is a flow diagram of the malware detection method based on dynamic multiple features provided by the invention.
Specific embodiment
The malware detection method based on dynamic multiple features provided by the invention is described in detail below with reference to the accompanying drawing and a specific example.
As shown in Figure 1, the malware detection method based on dynamic multiple features provided by the invention comprises the following steps, performed in order:
Step 1) Build a Xen virtualization platform on a physical machine, create a guest virtual machine on it and install a Windows operating system; immediately after the Windows operating system is installed, save a memory snapshot of the operating system so that the system cannot be contaminated and every subsequent detection run starts from a consistent state; then launch malware and benign software samples one after another into the guest virtual machine running on the Xen virtualization platform.
The specific steps are as follows:
1.1) Install the Xen virtualization platform on the physical machine, create a guest virtual machine on the Xen virtualization platform and install the Windows operating system in it;
1.2) After the Windows operating system is installed, save a memory snapshot of the operating system with the xlsave command (Xen's xl save), which guarantees a consistent operating system state for every experiment;
1.3) Use the DRAKVUF injector plugin to launch the malware and benign software samples one after another into the guest virtual machine.
Samples must be launched one at a time: once a sample has been launched and its data collected, the guest virtual machine must be shut down and the memory snapshot restored before the next sample is launched.
Step 2) After a sample has run, obtain a memory dump of the guest virtual machine with LibVMI and submit it to the Volatility memory forensics framework.
The specific steps are as follows:
2.1) After the sample launched into the guest virtual machine in step 1) has run for 30 seconds, obtain a memory dump of the guest virtual machine with LibVMI's dump-memory tool;
2.2) Submit this memory dump to the Volatility memory forensics framework;
2.3) After the memory dump of the guest virtual machine has been collected, use the xlrestore command (Xen's xl restore) to restore the operating system's memory snapshot to the freshly installed state, then repeat step 1) to keep launching samples into the guest virtual machine.
In this step the memory dump must be taken only after the sample has run for 30 s, which ensures that enough of the sample's dynamic behaviour has been captured; once the memory dump of the guest virtual machine is complete, the guest virtual machine must be shut down and the operating system's memory snapshot restored before the next sample is launched.
Step 3) While the sample executes, use the Volatility memory forensics framework to extract several classes of dynamic features from the memory dump and combine these dynamic features into a feature set.
The specific steps are as follows:
3.1) Use Volatility's impscan plugin to obtain from the guest virtual machine's memory dump the sequence of APIs called by the executable; sort these APIs by frequency of occurrence and select the 500 most frequent as the first class of dynamic features (API);
3.2) Use Volatility's callbacks, dlllist, ldrmodules, modules, privs, psxview, svcscan, handles, mutantscan and thrdscan plugins to obtain from the memory dump the executable's memory-member features, including callback functions, DLLs, modules and handles, as the second class of dynamic features, abbreviated MMF;
3.3) Use Volatility's procdump plugin to extract from the memory dump the malicious or benign executable that was launched into the guest virtual machine, then parse the information of each PE section of the binary with Python's pefile module as the third class of dynamic features, abbreviated PEF;
3.4) Convert the binary executable obtained in step 3.3) into a grayscale image and take the first 1000 pixel values as the fourth class of dynamic features, abbreviated BPF;
3.5) Disassemble the executable obtained in step 3.3) with IDA Pro to obtain its opcodes (mov, push, add and so on), and select opcode 3-grams as the fifth class of dynamic features, abbreviated 3GF;
3.6) Express each class of dynamic features as a vector, build the feature vectors, and combine all feature vectors into the feature set.
When obtaining the several classes of dynamic features, the corresponding Volatility plugins can be run on the memory dump concurrently, which improves the efficiency of the analysis.
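The vectorisation of steps 3.1, 3.4, 3.5 and 3.6 (API frequency ranking, byte pixels, opcode 3-grams and their concatenation), as an added example that is not the patent's own code. It assumes the raw per-sample inputs have already been collected (the API names an impscan-style tool reports, the bytes of the dumped executable, and the opcode mnemonic stream from a disassembler); the two samples below are constructed.

```python
"""Vectorising three of the five feature classes (steps 3.1, 3.4, 3.5) and
concatenating them (step 3.6). Added example, not the patent's own code.
It assumes the raw per-sample inputs have already been collected: the API
names an impscan-style tool reports, the bytes of the dumped executable, and
the opcode mnemonic stream from a disassembler. All inputs are constructed."""
from collections import Counter
from typing import Dict, Iterable, List, Sequence, Tuple

Gram = Tuple[str, str, str]


# --- step 3.1: API features --------------------------------------------
def top_api_vocab(api_lists: Iterable[Sequence[str]], n: int = 500) -> List[str]:
    """Rank APIs by how often they occur across the whole corpus and keep the
    n most frequent (the patent uses n=500). Ties are broken alphabetically
    so the vocabulary, and hence the feature layout, is deterministic."""
    counts: Counter = Counter()
    for apis in api_lists:
        counts.update(apis)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [api for api, _ in ranked[:n]]


def api_vector(apis: Sequence[str], vocab: Sequence[str]) -> List[int]:
    """Per-sample occurrence count of every API in the vocabulary."""
    counts = Counter(apis)
    return [counts.get(api, 0) for api in vocab]


# --- step 3.4: byte-pixel features (BPF) --------------------------------
def byte_pixels(data: bytes, n: int = 1000) -> List[int]:
    """Read the executable as a grayscale image (one byte = one 8-bit pixel)
    and keep the first n pixel values (patent: 1000). Files shorter than n
    are zero-padded so every BPF vector has the same length."""
    pixels = list(data[:n])
    return pixels + [0] * (n - len(pixels))


# --- step 3.5: opcode 3-gram features (3GF) -----------------------------
def opcode_3grams(mnemonics: Sequence[str]) -> Counter:
    """Count every window of three consecutive opcode mnemonics."""
    return Counter(tuple(mnemonics[i:i + 3]) for i in range(len(mnemonics) - 2))


def gram_vocab(mnemonic_lists: Iterable[Sequence[str]]) -> List[Gram]:
    """All 3-grams seen in the corpus, sorted, as the 3GF feature layout."""
    seen: set = set()
    for mnemonics in mnemonic_lists:
        seen.update(opcode_3grams(mnemonics))
    return sorted(seen)


def gram_vector(mnemonics: Sequence[str], vocab: Sequence[Gram]) -> List[int]:
    """Per-sample count of every 3-gram in the vocabulary."""
    counts = opcode_3grams(mnemonics)
    return [counts.get(g, 0) for g in vocab]


# --- step 3.6: one vector per sample ------------------------------------
def build_feature_vector(sample: Dict, api_voc: Sequence[str],
                         gram_voc: Sequence[Gram], n_pixels: int = 1000) -> List[int]:
    """Concatenate the API, BPF and 3GF blocks in a fixed order."""
    return (api_vector(sample["apis"], api_voc)
            + byte_pixels(sample["bytes"], n_pixels)
            + gram_vector(sample["opcodes"], gram_voc))


# Constructed stand-ins for two dumped samples (label 1 = malware, 0 = benign).
SAMPLES = [
    {"label": 1,
     "apis": ["CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
              "OpenProcess", "CreateFileW"],
     "bytes": b"MZ\x90\x00\x03\x00\x00\x00",
     "opcodes": ["push", "mov", "call", "push", "mov", "call"]},
    {"label": 0,
     "apis": ["CreateFileW", "ReadFile", "CloseHandle", "CreateFileW"],
     "bytes": b"MZ\x90\x00",
     "opcodes": ["mov", "add", "ret"]},
]


def vectorise_corpus(samples: Sequence[Dict], n_apis: int = 500,
                     n_pixels: int = 1000) -> List[List[int]]:
    """Build both vocabularies from the corpus, then one feature vector per sample."""
    api_voc = top_api_vocab((s["apis"] for s in samples), n_apis)
    gram_voc = gram_vocab(s["opcodes"] for s in samples)
    return [build_feature_vector(s, api_voc, gram_voc, n_pixels) for s in samples]


if __name__ == "__main__":
    # Tiny vocabularies so the vectors are readable; real runs use 500 / 1000.
    for row in vectorise_corpus(SAMPLES, n_apis=3, n_pixels=8):
        print(row)
```

The MMF and PEF blocks would be appended the same way once the Volatility plugin output and pefile section fields are flattened to fixed-position counts.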
Step 4) Select the best base classifiers, build the final ensemble classifier, feed the feature set into the ensemble classifier, and determine the optimal feature combination and ensemble learning model as the classification result, thereby completing malware detection.
The specific steps are as follows:
Select the Bayesian network (BN), logistic regression (LR), support vector machine (SMO), nearest neighbour (IBk) and J48 classifiers as the best base classifiers and combine these base classifiers into the final ensemble classifier; feed the feature set into the ensemble classifier; select AdaBoostM1 as the ensemble learning model and Vote as the combination strategy; add the Bayesian network, logistic regression, support vector machine, nearest neighbour and J48 classifiers to Vote in turn; then select Cross-validation with 10 folds under Test Options and finally obtain the classification result: malware or benign software.
The feature set and the ensemble learning model used in this step must be built up incrementally, adding one feature class or base classifier at a time, in order to select the optimal feature combination and ensemble learning model.
Extensive experiments have shown that when PEF+3GF+BPF+API+MMF is used as the feature set and BN+LR+SMO+IBk+J48 as the ensemble learning model, the model's generalization ability is strongest and its classification accuracy highest, achieving good malware detection.
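One way to carry out the incremental build-up of the feature set described above: greedy forward selection of feature blocks scored by k-fold cross-validation. This is an added example, not the patent's own code; the nearest-centroid learner is a stand-in for the Weka ensemble (BN, LR, SMO, IBk, J48 under AdaBoostM1/Vote) the patent uses, and the three feature blocks and labels are constructed.

```python
"""Incremental ('gradually adding up') selection of feature blocks by k-fold
cross-validation. Added example, not the patent's own code. The base learner
is a nearest-centroid classifier standing in for the Weka ensemble the patent
uses; any object with fit/predict can replace it. All data are constructed."""
from typing import Dict, List, Sequence, Tuple

Matrix = List[List[float]]


class NearestCentroid:
    """Predicts the class whose training-set mean is closest (squared L2)."""

    def fit(self, X: Matrix, y: Sequence[int]) -> "NearestCentroid":
        self.centroids: Dict[int, List[float]] = {}
        for label in sorted(set(y)):
            rows = [x for x, lab in zip(X, y) if lab == label]
            self.centroids[label] = [sum(col) / len(rows) for col in zip(*rows)]
        return self

    def predict(self, X: Matrix) -> List[int]:
        def sqdist(a, b):
            return sum((p - q) ** 2 for p, q in zip(a, b))
        # On an exact tie min() keeps the first (lowest) label.
        return [min(self.centroids, key=lambda lab: sqdist(x, self.centroids[lab]))
                for x in X]


def concat_blocks(blocks: Dict[str, Matrix], names: Sequence[str]) -> Matrix:
    """Row-wise concatenation of the chosen feature blocks (step 3.6)."""
    n_rows = len(next(iter(blocks.values())))
    return [sum((blocks[b][i] for b in names), []) for i in range(n_rows)]


def cv_accuracy(X: Matrix, y: Sequence[int], k: int = 10) -> float:
    """Accuracy under k-fold cross-validation with contiguous folds
    (the patent uses Weka's 10-fold setting)."""
    n, correct = len(y), 0
    for f in range(k):
        lo, hi = f * n // k, (f + 1) * n // k
        train = [i for i in range(n) if not lo <= i < hi]
        model = NearestCentroid().fit([X[i] for i in train], [y[i] for i in train])
        preds = model.predict([X[i] for i in range(lo, hi)])
        correct += sum(p == y[i] for p, i in zip(preds, range(lo, hi)))
    return correct / n


def forward_select(blocks: Dict[str, Matrix], y: Sequence[int],
                   k: int = 10) -> Tuple[List[str], float]:
    """Greedy build-up: in each round add the block that raises CV accuracy
    the most; stop when no remaining block gives a strict improvement."""
    chosen: List[str] = []
    remaining = list(blocks)
    best = 0.0
    while remaining:
        scores = {b: cv_accuracy(concat_blocks(blocks, chosen + [b]), y, k)
                  for b in remaining}
        cand = max(remaining, key=scores.get)     # first best in block order
        if scores[cand] <= best:
            break
        chosen.append(cand)
        best = scores[cand]
        remaining.remove(cand)
    return chosen, best


# Constructed corpus: 8 samples, labels alternate malware (1) / benign (0).
LABELS = [1, 0, 1, 0, 1, 0, 1, 0]
BLOCKS: Dict[str, Matrix] = {
    # API block: separates the classes except sample 0, which looks weak.
    "API": [[4.0, 4.0], [0.0, 0.0], [10.0, 10.0], [0.0, 0.0],
            [10.0, 10.0], [0.0, 0.0], [10.0, 10.0], [0.0, 0.0]],
    # PEF block: separates the classes except sample 2.
    "PEF": [[10.0], [0.0], [4.0], [0.0], [10.0], [0.0], [10.0], [0.0]],
    # BPF block: constant, carries no information at all.
    "BPF": [[7.0]] * 8,
}


def run_demo() -> Tuple[List[str], float]:
    # k=4 because the constructed corpus has only 8 rows; use k=10 on real data.
    return forward_select(BLOCKS, LABELS, k=4)


if __name__ == "__main__":
    print(run_demo())   # (['API', 'PEF'], 1.0): each of the two alone scores 0.875
```

The same loop, with base classifiers instead of feature blocks as the candidates, builds up the Vote ensemble.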
The method of the invention uses virtual machine introspection and memory forensics to extract, in a single pass, several classes of dynamic features of the malware from the memory of the guest virtual machine: opcode 3-gram features (3GF), API features (API), byte-pixel features (BPF), PE section features (PEF) and memory-member features (MMF), which characterise the malware from several angles. Extensive experiments identified the base classifier best suited to each class of dynamic features. Combining several base classifiers into a final ensemble classifier with the AdaBoost ensemble learning method and a Voting combination strategy effectively improves the classification accuracy and generalization ability of the overall classifier. Because the feature extraction method obtains the internal information of the guest virtual machine from outside, at the hypervisor layer, in a single pass, the extracted information is more trustworthy and the cost of data collection is lower. Second, because several classes of dynamic features are extracted, the malware can be characterised from several angles, which makes the model better at detecting complex malware. Finally, because an ensemble learning method is used, the model's generalization ability and classification accuracy are higher, so it adapts well to detecting malware of many types.
Claims (5)
1. A malware detection method based on dynamic multiple features, characterized in that the malware detection method based on dynamic multiple features comprises the following steps, performed in order:
Step 1) Build a Xen virtualization platform on a physical machine, create a guest virtual machine on it and install a Windows operating system; immediately after the Windows operating system is installed, save a memory snapshot of the operating system; then launch malware and benign software samples one after another into the guest virtual machine running on the Xen virtualization platform;
Step 2) After a sample has run, obtain a memory dump of the guest virtual machine with LibVMI and submit it to the Volatility memory forensics framework;
Step 3) While the sample executes, use the Volatility memory forensics framework to extract several classes of dynamic features from the memory dump and combine these dynamic features into a feature set;
Step 4) Select the best base classifiers, build the final ensemble classifier, feed the feature set into the ensemble classifier, and determine the optimal feature combination and ensemble learning model as the classification result, thereby completing malware detection.
2. The malware detection method based on dynamic multiple features according to claim 1, characterized in that in step 1), the method of building the Xen virtualization platform on a physical machine, creating the guest virtual machine, installing the Windows operating system, saving a memory snapshot of the operating system immediately after installation, and then launching malware and benign software samples one after another into the guest virtual machine running on the Xen virtualization platform comprises the following steps:
1.1) Install the Xen virtualization platform on the physical machine, create a guest virtual machine on the Xen virtualization platform and install the Windows operating system;
1.2) After the Windows operating system is installed, save a memory snapshot of the operating system with the xlsave command to guarantee a consistent operating system state for every experiment;
1.3) Use the DRAKVUF injector plugin to launch the malware and benign software samples one after another into the guest virtual machine.
3. The malware detection method based on dynamic multiple features according to claim 1, characterized in that in step 2), the method of obtaining a memory dump of the guest virtual machine with LibVMI after the sample has run and submitting it to the Volatility memory forensics framework comprises the following steps:
2.1) After the sample launched into the guest virtual machine in step 1) has run for 30 seconds, obtain a memory dump of the guest virtual machine with LibVMI's dump-memory tool;
2.2) Submit this memory dump to the Volatility memory forensics framework;
2.3) After the memory dump of the guest virtual machine has been collected, use the xlrestore command to restore the operating system's memory snapshot to the freshly installed state, then repeat step 1) to keep launching samples into the guest virtual machine.
4. The malware detection method based on dynamic multiple features according to claim 1, characterized in that in step 3), the method of using the Volatility memory forensics framework, while the sample executes, to extract several classes of dynamic features from the memory dump and combine these dynamic features into a feature set comprises the following steps:
3.1) Use Volatility's impscan plugin to obtain from the guest virtual machine's memory dump the sequence of APIs called by the executable, sort these APIs by frequency of occurrence and select the 500 most frequent as the first class of dynamic features;
3.2) Use Volatility's callbacks, dlllist, ldrmodules, modules, privs, psxview, svcscan, handles, mutantscan and thrdscan plugins to obtain from the memory dump the executable's memory-member features, including callback functions, DLLs, modules and handles, as the second class of dynamic features, abbreviated MMF;
3.3) Use Volatility's procdump plugin to extract from the memory dump the malicious or benign executable launched into the guest virtual machine, then parse the information of each PE section of the binary with Python's pefile module as the third class of dynamic features, abbreviated PEF;
3.4) Convert the binary executable obtained in step 3.3) into a grayscale image and take the first 1000 pixel values as the fourth class of dynamic features, abbreviated BPF;
3.5) Disassemble the executable obtained in step 3.3) with IDA Pro to obtain its opcodes, including mov, push and add, and select opcode 3-grams as the fifth class of dynamic features, abbreviated 3GF;
3.6) Express each class of dynamic features as a vector, build the feature vectors, and combine all feature vectors into the feature set.
5. The malware detection method based on dynamic multiple features according to claim 1, characterized in that in step 4), the method of selecting the best base classifiers, building the final ensemble classifier, feeding the feature set into the ensemble classifier, and determining the optimal feature combination and ensemble learning model as the classification result, thereby completing malware detection, comprises the following steps:
Select the Bayesian network, logistic regression, support vector machine, nearest neighbour and J48 classifiers as the best base classifiers and combine these base classifiers into the final ensemble classifier; feed the feature set into the ensemble classifier; select AdaBoostM1 as the ensemble learning model and Vote as the combination strategy; add the Bayesian network, logistic regression, support vector machine, nearest neighbour and J48 classifiers to Vote in turn; then select Cross-validation with 10 folds under Test Options and finally obtain the classification result of malware or benign software.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810905958.3A CN109033839A (en) | 2018-08-10 | 2018-08-10 | A kind of malware detection method based on dynamic multiple features |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810905958.3A CN109033839A (en) | 2018-08-10 | 2018-08-10 | A kind of malware detection method based on dynamic multiple features |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109033839A true CN109033839A (en) | 2018-12-18 |
Family ID: 64632608
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810905958.3A Withdrawn CN109033839A (en) | 2018-08-10 | 2018-08-10 | A kind of malware detection method based on dynamic multiple features |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109033839A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102034050A (en) * | 2011-01-25 | 2011-04-27 | 四川大学 | Dynamic malicious software detection method based on virtual machine and sensitive Native application programming interface (API) calling perception |
US20140137180A1 (en) * | 2012-11-13 | 2014-05-15 | Bitdefender IPR Management Ltd. | Hypervisor-Based Enterprise Endpoint Protection |
CN104182269A (en) * | 2014-08-12 | 2014-12-03 | 山东省计算中心(国家超级计算济南中心) | Physical memory forensic method for KVM (Kernel-based Virtual Machine) |
CN104715201A (en) * | 2015-03-31 | 2015-06-17 | 北京奇虎科技有限公司 | Method and system for detecting malicious acts of virtual machine |
CN108255716A (en) * | 2018-01-10 | 2018-07-06 | 天津理工大学 | A kind of software assessment method based on cloud computing technology |
Events
- 2018-08-10: Application CN201810905958.3A filed in CN; published as CN109033839A; status: not active (withdrawn)
Non-Patent Citations (2)
Title |
---|
张健 (Zhang Jian): "Research on abnormal behaviour detection technology based on the KVM virtualization environment", 《信息网络安全》 (Netinfo Security) * |
牛鹏飞 (Niu Pengfei): "Research and design of an online abnormal behaviour detection platform based on Xen", 《信息网络安全》 (Netinfo Security) * |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109829306A (en) * | 2019-02-20 | 2019-05-31 | 哈尔滨工程大学 | A kind of Malware classification method optimizing feature extraction |
CN109829306B (en) * | 2019-02-20 | 2023-07-21 | 哈尔滨工程大学 | Malicious software classification method for optimizing feature extraction |
EP3918500B1 (en) * | 2019-03-05 | 2024-04-24 | Siemens Industry Software Inc. | Machine learning-based anomaly detections for embedded software applications |
CN110012013A (en) * | 2019-04-04 | 2019-07-12 | 电子科技大学成都学院 | A kind of virtual platform threat behavior analysis method and system based on KNN |
CN110263539A (en) * | 2019-05-15 | 2019-09-20 | 湖南警察学院 | A kind of Android malicious application detection method and system based on concurrent integration study |
CN110865866A (en) * | 2019-09-29 | 2020-03-06 | 中通服咨询设计研究院有限公司 | Virtual machine safety detection method based on introspection technology |
CN110865866B (en) * | 2019-09-29 | 2022-04-05 | 中通服咨询设计研究院有限公司 | Virtual machine safety detection method based on introspection technology |
CN110837641A (en) * | 2019-11-13 | 2020-02-25 | 电子科技大学广东电子信息工程研究院 | Malicious software detection method and detection system based on memory analysis |
CN111382439A (en) * | 2020-03-28 | 2020-07-07 | 玉溪师范学院 | Malicious software detection method based on multi-mode deep learning |
CN113010268A (en) * | 2021-03-22 | 2021-06-22 | 腾讯科技(深圳)有限公司 | Malicious program identification method and device, storage medium and electronic equipment |
CN112965789A (en) * | 2021-03-25 | 2021-06-15 | 绿盟科技集团股份有限公司 | Virtual machine memory space processing method, device, equipment and medium |
CN112965789B (en) * | 2021-03-25 | 2024-05-03 | 绿盟科技集团股份有限公司 | Virtual machine memory space processing method, device, equipment and medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109033839A (en) | | A kind of malware detection method based on dynamic multiple features |
US11275830B2 (en) | | System and method for video backdoor attack |
CN108304720B (en) | | Android malicious program detection method based on machine learning |
Li et al. | | Deeppayload: Black-box backdoor attack on deep learning models through neural payload injection |
Jian et al. | | A novel framework for image-based malware detection with a deep neural network |
US11481492B2 (en) | | Method and system for static behavior-predictive malware detection |
Carmony et al. | | Extract Me If You Can: Abusing PDF Parsers in Malware Detectors |
Duan et al. | | Detective: Automatically identify and analyze malware processes in forensic scenarios via DLLs |
Massarelli et al. | | Android malware family classification based on resource consumption over time |
Almomani et al. | | An automated vision-based deep learning model for efficient detection of android malware attacks |
CN111639337B (en) | | Unknown malicious code detection method and system for massive Windows software |
CN103761481A (en) | | Method and device for automatically processing malicious code sample |
CN103679030B (en) | | Malicious code analysis and detection method based on dynamic semantic features |
Agrawal et al. | | Neural sequential malware detection with parameters |
CN112528284A (en) | | Malicious program detection method and device, storage medium and electronic equipment |
CN113935033A (en) | | Feature-fused malicious code family classification method and device and storage medium |
Kakisim et al. | | Sequential opcode embedding-based malware detection method |
US20220318387A1 (en) | | Method and Computer for Learning Correspondence Between Malware and Execution Trace of the Malware |
CN111435391A (en) | | Method and apparatus for automatically determining interactive GUI elements to be interacted with in GUI |
Li et al. | | Open source software security vulnerability detection based on dynamic behavior features |
Pirch et al. | | Tagvet: Vetting malware tags using explainable machine learning |
Onwuzurike et al. | | A family of droids: Analyzing behavioral model based Android malware detection via static and dynamic analysis |
CN108229168B (en) | | Heuristic detection method, system and storage medium for nested files |
Su et al. | | Detection of android malware by static analysis on permissions and sensitive functions |
Yaseen et al. | | A Deep Learning-based Approach for Malware Classification using Machine Code to Image Conversion |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WW01 | Invention patent application withdrawn after publication | Application publication date: 20181218 |