CN109033839A - A kind of malware detection method based on dynamic multiple features - Google Patents

A kind of malware detection method based on dynamic multiple features

Info

Publication number: CN109033839A
Authority: CN (China)
Prior art keywords: virtual machine, classifier, guest virtual, malware, behavioral characteristics
Legal status: Withdrawn
Application number: CN201810905958.3A
Other languages: Chinese (zh)
Inventors: 张健, 高铖, 宫良, 宫良一, 郑禄鑫, 周超群, 蔡长亮, 栗文真
Current assignee: Tianjin University of Technology
Original assignee: Tianjin University of Technology
Priority date: 2018-08-10
Filing date: 2018-08-10
Publication date: 2018-12-18

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

A malware detection method based on dynamic multiple features. Malware and normal software are launched one after another, as samples, into a guest virtual machine running on a Xen virtualization platform; a memory dump file of the guest virtual machine is acquired with LibVMI; several types of dynamic features are extracted from the memory dump file with the Volatility memory forensics framework, and these dynamic features form the feature set; the best base classifiers are chosen and combined into the final ensemble classifier, the feature set is fed into the ensemble classifier, and the optimal feature combination and ensemble learning model are determined as the classification result. Effects of the invention: the variety and reliability of the acquired feature data are improved and the cost of data acquisition is reduced; using an ensemble learning model improves the generalization ability and classification accuracy of the overall classifier and makes the classification model more broadly applicable to detecting different types of malware.

Description

A kind of malware detection method based on dynamic multiple features
Technical field
The invention belongs to the field of computer information security technology, and in particular relates to a malware detection method based on dynamic multiple features.
Background technique
In recent years, as the number and variety of malware have kept growing, malware detection methods based on machine learning have been widely adopted to relieve the burden of manual analysis. A machine-learning-based malware detection method generally comprises two processes: feature extraction, and modelling with a classification or clustering algorithm. Feature extraction can be divided into dynamic detection and static detection according to whether the malware is executed.
(1) static detection
Static detection analyses the features of a piece of software and the malicious behaviour it may contain without running the malware, so the analysis process is comparatively simple, safe and reliable. The basic idea of static analysis is to check whether malicious behaviour is present in the system's executable files without examining the files' instructions in depth. The features extracted in existing static detection are mainly byte n-grams, PE section information, embedded strings, signatures, checksums and metadata. These features are extracted directly from the malware's binary or PE file without executing it.
(2) dynamic detection
Dynamic analysis actually executes the program sample in a controlled analysis environment, monitors the program's behaviour during execution and records important execution information. One way to observe program behaviour is to monitor the interaction between the program and the operating system by analysing API calls. Dynamic detection must be set up in a safe and reliable environment that is self-contained, does not affect other working environments and can be restored. The features extracted in existing dynamic detection mainly include the system calls and API calls made while the program runs and the network traffic it generates.
In summary: first, current static and dynamic malware detection methods mainly extract features from inside the host, so the security mechanism often runs at the same privilege level as the malware and the collected feature information is easily tampered with or spoofed; second, existing feature extraction methods often extract only a single type of feature and therefore struggle to detect complex malware; third, existing machine learning methods are often based on a single classifier model, whose overall generalization ability is poor and which is unsuited to malware detection scenarios based on multiple feature types.
Summary of the invention
To solve the above problems, the object of the present invention is to provide a malware detection method based on dynamic multiple features.
To achieve this object, the malware detection method based on dynamic multiple features provided by the invention comprises the following steps, carried out in order:
Step 1) Build a Xen virtualization platform on a physical machine, create a guest virtual machine and install a Windows operating system on it; immediately after the Windows installation completes, save a memory snapshot of the operating system; then launch malware and normal software, one after another, as samples into the guest virtual machine running on the Xen virtualization platform;
Step 2) After a sample has run, acquire a memory dump file of the guest virtual machine with LibVMI and submit it to the Volatility memory forensics framework;
Step 3) While the sample executes, extract several types of dynamic features from the memory dump file with the Volatility memory forensics framework, and form the feature set from these dynamic features;
Step 4) Choose the best base classifiers and build the final ensemble classifier; then feed the feature set into the ensemble classifier and determine the optimal feature combination and ensemble learning model as the classification result, thereby completing malware detection.
In step 1), building the Xen virtualization platform on the physical machine, creating the guest virtual machine, installing the Windows operating system, saving the memory snapshot immediately after the installation completes, and then launching the malware and normal software samples one after another into the guest virtual machine running on the Xen virtualization platform comprises the following steps:
1.1) Install the Xen virtualization platform on the physical machine, create a guest virtual machine on the Xen virtualization platform and install a Windows operating system on it;
1.2) After the Windows operating system has been installed, save a memory snapshot of the operating system with the xl save command, which guarantees that the operating system is in the same state for every experiment;
1.3) Use the injector plugin of DRAKVUF to launch the malware and normal software samples one after another into the guest virtual machine.
In step 2), acquiring the memory dump file of the guest virtual machine with LibVMI after the sample has run and forwarding it to the Volatility memory forensics framework comprises the following steps:
2.1) After a sample launched into the guest virtual machine in step 1) has run for 30 seconds, acquire a memory dump file of the guest virtual machine with the dump-memory tool of LibVMI;
2.2) Submit this memory dump file to the Volatility memory forensics framework;
2.3) Once the memory dump file of the guest virtual machine has been acquired, restore the operating system's memory snapshot with the xl restore command to the freshly installed state, then repeat step 1) and continue launching samples into the guest virtual machine.
In step 3), extracting several types of dynamic features from the memory dump file with the Volatility memory forensics framework while the sample executes, and forming the feature set from these dynamic features, comprises the following steps:
3.1) Use the impscan plugin of Volatility to obtain, from the memory dump file of the guest virtual machine, the sequence of APIs called by the executable program; rank these APIs by frequency of occurrence and select the 500 most frequent APIs as the first type of dynamic features;
3.2) Use the callbacks, dlllist, ldrmodules, modules, privs, psxview, svcscan, handles, mutantscan and thrdscan plugins of Volatility to obtain from the memory dump file the executable program's memory component features, including callback functions, DLLs, modules and handles, as the second type of dynamic features, abbreviated MMF;
3.3) Use the procdump plugin of Volatility to extract from the memory dump file the malicious or normal executable program that was launched into the guest virtual machine, then parse the information of each PE section of the binary executable with the Python pefile module as the third type of dynamic features, abbreviated PEF;
3.4) Convert the binary executable obtained in step 3.3) into a grayscale image and take the first 1000 pixel values as the fourth type of dynamic features, abbreviated BPF;
3.5) Disassemble the executable file obtained in step 3.3) with IDA Pro to obtain its operation codes, such as mov, push and add, and select opcode 3-grams as the fifth type of dynamic features, abbreviated 3GF;
3.6) Express each of the above types of dynamic features as a vector, construct the feature vectors, and form the feature set from all feature vectors.
In step 4), choosing the best base classifiers, building the final ensemble classifier, feeding the feature set into the ensemble classifier and determining the optimal feature combination and ensemble learning model as the classification result, thereby completing malware detection, comprises the following steps:
Choose the Bayesian network (BN), logistic regression (LR), support vector machine (SMO), nearest neighbour (IBk) and J48 classifiers as the best base classifiers and combine these base classifiers into the final ensemble classifier; then feed the above feature set into the ensemble classifier, select AdaBoostM1 as the ensemble learning model and Vote as the combination strategy, add the Bayesian network, logistic regression, support vector machine, nearest neighbour and J48 classifiers to Vote in turn, then select Cross-validation with 10 folds under Test Options, and finally obtain the classification result: malware or normal software.
The malware detection method based on dynamic multiple features provided by the invention has the following beneficial effects:
1) The variety and reliability of the acquired feature data are improved and the cost of data acquisition is reduced;
2) Compared with detection methods based on a single feature or on static analysis, the multi-feature dynamic malware detection method effectively improves the ability to detect complex malware;
3) Using an ensemble learning model effectively improves the generalization ability and classification accuracy of the overall classifier and makes the classification model more broadly applicable to detecting different types of malware.
Detailed description of the invention
Fig. 1 is a flow diagram of the malware detection method based on dynamic multiple features provided by the invention.
Specific embodiment
The malware detection method based on dynamic multiple features provided by the invention is described in detail below with reference to the accompanying drawing and a specific example.
As shown in Figure 1, the malware detection method based on dynamic multiple features provided by the invention comprises the following steps, carried out in order:
Step 1) Build a Xen virtualization platform on a physical machine, create a guest virtual machine and install a Windows operating system on it; immediately after the Windows installation completes, save a memory snapshot of the operating system so that the system cannot be contaminated and every subsequent detection starts from a consistent system state; then launch malware and normal software, one after another, as samples into the guest virtual machine running on the Xen virtualization platform;
The specific steps are as follows:
1.1) Install the Xen virtualization platform on the physical machine, create a guest virtual machine on the Xen virtualization platform and install a Windows operating system on it;
1.2) After the Windows operating system has been installed, save a memory snapshot of the operating system with the xl save command, which guarantees that the operating system is in the same state for every experiment;
1.3) Use the injector plugin of DRAKVUF to launch the malware and normal software samples one after another into the guest virtual machine.
Samples must be launched one at a time: after one sample has been launched and its data collection is complete, the guest virtual machine must be shut down and the memory snapshot restored before the next sample is launched.
Step 2) After a sample has run, acquire a memory dump file of the guest virtual machine with LibVMI and submit it to the Volatility memory forensics framework;
The specific steps are as follows:
2.1) After a sample launched into the guest virtual machine in step 1) has run for 30 seconds, acquire a memory dump file of the guest virtual machine with the dump-memory tool of LibVMI;
2.2) Submit this memory dump file to the Volatility memory forensics framework;
2.3) Once the memory dump file of the guest virtual machine has been acquired, restore the operating system's memory snapshot with the xl restore command to the freshly installed state, then repeat step 1) and continue launching samples into the guest virtual machine.
In this step the memory dump must not be started until the sample has run for 30 s, which guarantees that enough of the sample's dynamic behaviour has been collected; once the memory dump of the guest virtual machine is complete, the guest virtual machine must be shut down and the operating system's memory snapshot restored before the next sample is launched.
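The per-sample loop of steps 1) and 2) as a dom0-side driver, added here as an example; it is not code from the patent or from DRAKVUF, LibVMI or Volatility. It assumes the guest is already running from the clean snapshot, and the command-line shapes of the injector, the LibVMI dump-memory tool and vol.py listed in the docstring are assumptions to check against your own build.

```python
"""Dom0-side driver for the per-sample loop of steps 1) and 2): launch one
sample into the guest, let it run 30 s, dump guest memory with LibVMI, feed
the dump to Volatility, then destroy the guest and restore the clean
snapshot before the next sample.  Added example, not code from the patent or
from DRAKVUF/LibVMI/Volatility.  Assumed command-line shapes (check against
your build): `injector -r <profile> -d <domid> -i <pid> -e <exe>`,
`dump-memory <vm> <outfile>` (LibVMI example tool) and
`vol.py -f <dump> --profile=<profile> <plugin>` (Volatility 2).
"""
import subprocess
from pathlib import Path, PureWindowsPath
from typing import Callable, List, Sequence

RUN_SECONDS = 30  # page: dump only after the sample has run for 30 s
# Volatility plugins of step 3) that run straight on the dump (procdump needs -D/-p, omitted)
PLUGINS = ["impscan", "callbacks", "dlllist", "ldrmodules", "modules", "privs",
           "psxview", "svcscan", "handles", "mutantscan", "thrdscan"]
Command = List[str]


def plan_sample(vm: str, domid: int, snapshot: str, sample: str, pid: int,
                profile: str, outdir: str) -> List[Command]:
    """Ordered dom0 commands for ONE sample.  `sample` is the guest-side path of
    the executable, `pid` a guest process the injector hijacks, `snapshot` the
    file written by `xl save` right after the Windows install (step 1.2)."""
    dump = str(Path(outdir) / (PureWindowsPath(sample).stem + ".raw"))
    cmds: List[Command] = [
        # 1.3) start the sample inside the guest from the hypervisor side
        ["injector", "-r", profile, "-d", str(domid), "-i", str(pid), "-e", sample],
        # 2.1) let it run, then take the full physical-memory image from dom0
        ["sleep", str(RUN_SECONDS)],
        ["dump-memory", vm, dump],
    ]
    # 2.2) the plugins read the dump file, not the live guest
    cmds += [["vol.py", "-f", dump, "--profile=" + profile, p] for p in PLUGINS]
    # 2.3) the guest is now tainted: shut it down and go back to the clean image
    cmds += [["xl", "destroy", vm], ["xl", "restore", snapshot]]
    return cmds


def xl_domid(vm: str) -> int:
    """`xl restore` creates a NEW domain, so the ID must be looked up again
    before every injection; a cached ID would point at a dead domain."""
    return int(subprocess.check_output(["xl", "domid", vm]).decode().strip())


def run_batch(samples: Sequence[str], vm: str, snapshot: str, pid: int, profile: str,
              outdir: str,
              runner: Callable[[Command], object] = lambda c: subprocess.run(c, check=True),
              resolve_domid: Callable[[str], int] = xl_domid) -> List[Command]:
    """Process samples strictly one after another (page: one sample per boot).
    `runner` and `resolve_domid` are injectable so the plan can be dry-run."""
    executed: List[Command] = []
    for sample in samples:
        for cmd in plan_sample(vm, resolve_domid(vm), snapshot, sample, pid, profile, outdir):
            runner(cmd)
            executed.append(cmd)
    return executed


def isolated(executed: Sequence[Command]) -> bool:
    """Invariant check on a command log: every injection after the first must
    be preceded by a snapshot restore, so no sample sees another's side effects."""
    clean = True
    for cmd in executed:
        if cmd[0] == "injector":
            if not clean:
                return False
            clean = False
        elif cmd[:2] == ["xl", "restore"]:
            clean = True
    return True
```

Passing a recording `runner` and a fixed `resolve_domid` gives a dry run whose command log can be checked with `isolated()` before anything is executed on the real host.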
Step 3) While the sample executes, extract several types of dynamic features from the memory dump file with the Volatility memory forensics framework, and form the feature set from these dynamic features;
The specific steps are as follows:
3.1) Use the impscan plugin of Volatility to obtain, from the memory dump file of the guest virtual machine, the sequence of APIs called by the executable program; rank these APIs by frequency of occurrence and select the 500 most frequent APIs as the first type of dynamic features;
3.2) Use the callbacks, dlllist, ldrmodules, modules, privs, psxview, svcscan, handles, mutantscan and thrdscan plugins of Volatility to obtain from the memory dump file the executable program's memory component features, including callback functions, DLLs, modules and handles, as the second type of dynamic features, abbreviated MMF;
3.3) Use the procdump plugin of Volatility to extract from the memory dump file the malicious or normal executable program that was launched into the guest virtual machine, then parse the information of each PE section of the binary executable with the Python pefile module as the third type of dynamic features, abbreviated PEF;
3.4) Convert the binary executable obtained in step 3.3) into a grayscale image and take the first 1000 pixel values as the fourth type of dynamic features, abbreviated BPF;
3.5) Disassemble the executable file obtained in step 3.3) with IDA Pro to obtain its operation codes, such as mov, push and add, and select opcode 3-grams as the fifth type of dynamic features, abbreviated 3GF;
3.6) Express each of the above types of dynamic features as a vector, construct the feature vectors, and form the feature set from all feature vectors.
When obtaining the several types of dynamic features, the corresponding Volatility plugins can be run on the memory dump file at the same time to improve analysis efficiency.
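Turning the raw per-sample artefacts of steps 3.1), 3.4) and 3.5) into fixed-length vectors, as an added example that is not part of the patent. It assumes the API names, opcode sequence and file bytes have already been parsed out of the impscan, IDA Pro and procdump output into a dict per sample; the toy samples are constructed, and the top-k limits are kept small so the vectors can be checked by hand (the page uses 500 APIs and 1000 pixels).

```python
"""Vectorizing three of the five feature types of step 3): API-call frequency
(top-k vocabulary, k=500 on the page), opcode 3-grams (3GF) and byte pixel
intensity (first n bytes as grayscale values, n=1000 on the page).  Added
example, not code from the patent.  Assumed inputs per sample: the API names
from Volatility impscan, the opcode sequence from IDA Pro and the raw bytes
from procdump, already parsed into a dict; PEF (pefile) and MMF are omitted.
"""
from collections import Counter
from typing import Any, Dict, Iterable, List, Sequence

Sample = Dict[str, Any]  # {"apis": [str], "opcodes": [str], "bytes": bytes}


def top_k_vocabulary(items_per_sample: Iterable[Sequence[str]], k: int) -> List[str]:
    """Rank tokens by total frequency over the TRAINING samples and keep the k
    most frequent; ties are broken by name so the vocabulary is reproducible.
    Fitting on training data only keeps test-set statistics out of the features."""
    counts: Counter = Counter()
    for items in items_per_sample:
        counts.update(items)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [tok for tok, _ in ranked[:k]]


def count_vector(items: Sequence[str], vocab: Sequence[str]) -> List[int]:
    """Fixed-length count vector over vocab; tokens outside the vocabulary are
    dropped, which is what makes vectors of different samples comparable."""
    index = {tok: i for i, tok in enumerate(vocab)}
    vec = [0] * len(vocab)
    for tok in items:
        i = index.get(tok)
        if i is not None:
            vec[i] += 1
    return vec


def opcode_3grams(opcodes: Sequence[str]) -> List[str]:
    """Sliding 3-grams over the opcode sequence, e.g. 'push|mov|add'."""
    return ["|".join(opcodes[i:i + 3]) for i in range(len(opcodes) - 2)]


def byte_pixel_features(data: bytes, n: int) -> List[int]:
    """First n bytes as 8-bit grayscale pixel values, zero-padded so every
    sample yields exactly n features (a short file must not shrink the vector)."""
    head = list(data[:n])
    return head + [0] * (n - len(head))


class MultiFeatureVectorizer:
    """fit() learns the vocabularies on training samples; transform() emits
    [API | 3GF | BPF] as one fixed-length integer vector per sample."""

    def __init__(self, api_k: int = 500, gram_k: int = 500, bpf_n: int = 1000):
        self.api_k, self.gram_k, self.bpf_n = api_k, gram_k, bpf_n
        self.api_vocab: List[str] = []
        self.gram_vocab: List[str] = []

    def fit(self, train: Sequence[Sample]) -> "MultiFeatureVectorizer":
        self.api_vocab = top_k_vocabulary((s["apis"] for s in train), self.api_k)
        self.gram_vocab = top_k_vocabulary(
            (opcode_3grams(s["opcodes"]) for s in train), self.gram_k)
        return self

    def transform(self, s: Sample) -> List[int]:
        return (count_vector(s["apis"], self.api_vocab)
                + count_vector(opcode_3grams(s["opcodes"]), self.gram_vocab)
                + byte_pixel_features(s["bytes"], self.bpf_n))

    def feature_names(self) -> List[str]:
        """Prefixed names, so a whole feature type can be added or dropped as a
        group when searching for the best feature combination in step 4)."""
        return (["API:" + a for a in self.api_vocab]
                + ["3GF:" + g for g in self.gram_vocab]
                + ["BPF:%d" % i for i in range(self.bpf_n)])


# constructed toy samples standing in for parsed impscan / IDA Pro / procdump output
TRAIN: List[Sample] = [
    {"apis": ["CreateFileW", "WriteFile", "CreateFileW", "VirtualAlloc"],
     "opcodes": ["push", "mov", "add", "push", "mov"], "bytes": b"MZ\x90\x00"},
    {"apis": ["WriteFile", "VirtualAlloc", "VirtualAlloc"],
     "opcodes": ["mov", "add", "push"], "bytes": b"MZ"},
]
```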
Step 4) Choose the best base classifiers and build the final ensemble classifier; then feed the feature set into the ensemble classifier and determine the optimal feature combination and ensemble learning model as the classification result, thereby completing malware detection.
The specific steps are as follows:
Choose the Bayesian network (BN), logistic regression (LR), support vector machine (SMO), nearest neighbour (IBk) and J48 classifiers as the best base classifiers and combine these base classifiers into the final ensemble classifier; then feed the above feature set into the ensemble classifier, select AdaBoostM1 as the ensemble learning model and Vote as the combination strategy, add the Bayesian network, logistic regression, support vector machine, nearest neighbour and J48 classifiers to Vote in turn, then select Cross-validation with 10 folds under Test Options, and finally obtain the classification result: malware or normal software.
In this step the feature set and the ensemble learning model must be built up incrementally, adding one feature type and one base classifier at a time, in order to select the optimal feature combination and ensemble learning model.
Extensive experiments show that when PEF+3GF+BPF+API+MMF is used as the feature set and BN+LR+SMO+IBK+J48 as the ensemble learning model, the model's generalization ability is strongest and its classification accuracy is highest, achieving good malware detection.
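The incremental search of step 4), adding feature types and base learners one at a time and keeping whatever raises the 10-fold cross-validated accuracy, as an added example not taken from the patent. Three small from-scratch learners and a constructed data set stand in for the Weka BN/LR/SMO/IBk/J48 learners and the real PEF/3GF/BPF/API/MMF groups, and a majority-vote combiner stands in for Weka's Vote; AdaBoostM1 is not reproduced.

```python
"""Incremental construction of feature set and ensemble for step 4): start
from the best single (feature type, base learner) pair, then keep adding the
feature type or learner that most raises k-fold cross-validated accuracy and
stop when nothing helps.  Added example, not code from the patent; the three
small learners, the Vote combiner and the data set are constructed stand-ins
for the Weka BN/LR/SMO/IBk/J48 learners, Weka's Vote and the real features.
"""
import math
import random
from collections import Counter
from typing import Callable, Dict, List, Sequence, Tuple

Vector = List[float]


def euclid(a: Vector, b: Vector) -> float:
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


class NearestCentroid:  # stand-in for a parametric learner
    def fit(self, X: Sequence[Vector], y: Sequence[int]):
        self.centroids: Dict[int, Vector] = {}
        for label in sorted(set(y)):
            rows = [x for x, lab in zip(X, y) if lab == label]
            self.centroids[label] = [sum(col) / len(rows) for col in zip(*rows)]
        return self

    def predict(self, x: Vector) -> int:
        return min(self.centroids, key=lambda lab: euclid(x, self.centroids[lab]))


class KNN:  # stand-in for Weka's IBk
    def __init__(self, k: int):
        self.k = k

    def fit(self, X: Sequence[Vector], y: Sequence[int]):
        self.X, self.y = list(X), list(y)
        return self

    def predict(self, x: Vector) -> int:
        nearest = sorted(range(len(self.X)), key=lambda i: euclid(x, self.X[i]))[:self.k]
        return Counter(self.y[i] for i in nearest).most_common(1)[0][0]


class Vote:  # majority vote; Counter keeps insertion order, so ties go to the first member
    def __init__(self, makers: Sequence[Callable]):
        self.makers = makers

    def fit(self, X: Sequence[Vector], y: Sequence[int]):
        self.members = [make().fit(X, y) for make in self.makers]
        return self

    def predict(self, x: Vector) -> int:
        return Counter(m.predict(x) for m in self.members).most_common(1)[0][0]


def cv_accuracy(X: Sequence[Vector], y: Sequence[int], makers: Sequence[Callable],
                k: int = 10, seed: int = 1) -> float:
    """k-fold cross-validated accuracy of a Vote over `makers` (10 folds on the page)."""
    idx = list(range(len(X)))
    random.Random(seed).shuffle(idx)
    correct = 0
    for fold in range(k):
        held = set(idx[fold::k])
        train = [i for i in idx if i not in held]
        model = Vote(makers).fit([X[i] for i in train], [y[i] for i in train])
        correct += sum(model.predict(X[i]) == y[i] for i in held)
    return correct / len(X)


def forward_select(groups: Dict[str, List[Vector]], y: Sequence[int],
                   learners: Dict[str, Callable], k: int = 10) -> Tuple[List[str], List[str], float]:
    """Greedy 'add one at a time' search; returns (feature types, learners, accuracy)."""
    def score(gs: List[str], ls: List[str]) -> float:
        X = [sum((groups[g][i] for g in gs), []) for i in range(len(y))]  # concatenate groups
        return cv_accuracy(X, y, [learners[l] for l in ls], k)

    # round 1: the best single pair, so every later state has a feature type and a learner
    best = max(((score([g], [l]), [g], [l]) for g in groups for l in learners), key=lambda t: t[0])
    while True:
        acc, gs, ls = best
        cands = [(gs + [g], ls) for g in groups if g not in gs] + \
                [(gs, ls + [l]) for l in learners if l not in ls]
        if not cands:
            break
        trial = max(((score(g2, l2), g2, l2) for g2, l2 in cands), key=lambda t: t[0])
        if trial[0] <= acc:  # no candidate improves: stop growing
            break
        best = trial
    return best[1], best[2], best[0]


def make_dataset(n: int = 40, seed: int = 0):
    """Constructed data: the 'API' group separates the classes, 'NOISE' does not."""
    rng = random.Random(seed)
    y = [i % 2 for i in range(n)]
    groups = {"API": [[3.0 * lab + rng.gauss(0, 1) for _ in range(4)] for lab in y],
              "NOISE": [[rng.uniform(-5, 5) for _ in range(4)] for _ in y]}
    return groups, y


LEARNERS = {"centroid": NearestCentroid, "1nn": lambda: KNN(1), "3nn": lambda: KNN(3)}
```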
The method of the invention uses virtual machine introspection and memory forensics to extract, in one pass from the memory of the guest virtual machine, several types of dynamic features of the malware, including opcode 3-gram features (3GF), API features (API), byte pixel intensity features (BPF), PE section features (PEF) and memory component features (MMF), and so portrays the characteristics of the malware from multiple angles. Moreover, extensive experiments identified the base classifier best suited to each type of dynamic feature. Combining several base classifiers into the final ensemble classifier with the AdaBoost ensemble learning method and a Voting combination strategy effectively improves the classification accuracy and generalization ability of the overall classifier. Because the feature extraction method acquires the internal information of the guest virtual machine in one pass from outside the guest, at the hypervisor layer, the extracted information is more trustworthy and the cost of data acquisition is lower. Secondly, because several types of dynamic features are extracted, the characteristics of the malware can be described from multiple angles, which makes the model better at detecting complex malware. Finally, because an ensemble learning method is used, the generalization ability and classification accuracy of the model are higher, so it adapts well to detecting malware of multiple types.

Claims (5)

1. A malware detection method based on dynamic multiple features, characterised in that the malware detection method based on dynamic multiple features comprises the following steps, carried out in order:
Step 1) Build a Xen virtualization platform on a physical machine, create a guest virtual machine and install a Windows operating system on it; immediately after the Windows installation completes, save a memory snapshot of the operating system; then launch malware and normal software, one after another, as samples into the guest virtual machine running on the Xen virtualization platform;
Step 2) After a sample has run, acquire a memory dump file of the guest virtual machine with LibVMI and forward it to the Volatility memory forensics framework;
Step 3) While the sample executes, extract several types of dynamic features from the memory dump file with the Volatility memory forensics framework, and form the feature set from these dynamic features;
Step 4) Choose the best base classifiers and build the final ensemble classifier; then feed the feature set into the ensemble classifier and determine the optimal feature combination and ensemble learning model as the classification result, thereby completing malware detection.
2. The malware detection method based on dynamic multiple features according to claim 1, characterised in that in step 1), building the Xen virtualization platform on the physical machine, creating the guest virtual machine, installing the Windows operating system, saving the memory snapshot immediately after the installation completes, and then launching the malware and normal software samples one after another into the guest virtual machine running on the Xen virtualization platform comprises the following steps:
1.1) Install the Xen virtualization platform on the physical machine, create a guest virtual machine on the Xen virtualization platform and install a Windows operating system on it;
1.2) After the Windows operating system has been installed, save a memory snapshot of the operating system with the xl save command, which guarantees that the operating system is in the same state for every experiment;
1.3) Use the injector plugin of DRAKVUF to launch the malware and normal software samples one after another into the guest virtual machine.
3. The malware detection method based on dynamic multiple features according to claim 1, characterised in that in step 2), acquiring the memory dump file of the guest virtual machine with LibVMI after the sample has run and forwarding it to the Volatility memory forensics framework comprises the following steps:
2.1) After a sample launched into the guest virtual machine in step 1) has run for 30 seconds, acquire a memory dump file of the guest virtual machine with the dump-memory tool of LibVMI;
2.2) Submit this memory dump file to the Volatility memory forensics framework;
2.3) Once the memory dump file of the guest virtual machine has been acquired, restore the operating system's memory snapshot with the xl restore command to the freshly installed state, then repeat step 1) and continue launching samples into the guest virtual machine.
4. The malware detection method based on dynamic multiple features according to claim 1, characterised in that in step 3), extracting several types of dynamic features from the memory dump file with the Volatility memory forensics framework while the sample executes, and forming the feature set from these dynamic features, comprises the following steps:
3.1) Use the impscan plugin of Volatility to obtain, from the memory dump file of the guest virtual machine, the sequence of APIs called by the executable program; rank these APIs by frequency of occurrence and select the 500 most frequent APIs as the first type of dynamic features;
3.2) Use the callbacks, dlllist, ldrmodules, modules, privs, psxview, svcscan, handles, mutantscan and thrdscan plugins of Volatility to obtain from the memory dump file the executable program's memory component features, including callback functions, DLLs, modules and handles, as the second type of dynamic features, abbreviated MMF;
3.3) Use the procdump plugin of Volatility to extract from the memory dump file the malicious or normal executable program that was launched into the guest virtual machine, then parse the information of each PE section of the binary executable with the Python pefile module as the third type of dynamic features, abbreviated PEF;
3.4) Convert the binary executable obtained in step 3.3) into a grayscale image and take the first 1000 pixel values as the fourth type of dynamic features, abbreviated BPF;
3.5) Disassemble the executable file obtained in step 3.3) with IDA Pro to obtain its operation codes, such as mov, push and add, and select opcode 3-grams as the fifth type of dynamic features, abbreviated 3GF;
3.6) Express each of the above types of dynamic features as a vector, construct the feature vectors, and form the feature set from all feature vectors.
5. The malware detection method based on dynamic multiple features according to claim 1, characterised in that in step 4), choosing the best base classifiers, building the final ensemble classifier, feeding the feature set into the ensemble classifier and determining the optimal feature combination and ensemble learning model as the classification result, thereby completing malware detection, comprises the following steps:
Choose the Bayesian network, logistic regression, support vector machine, nearest neighbour and J48 classifiers as the best base classifiers and combine these base classifiers into the final ensemble classifier; then feed the above feature set into the ensemble classifier, select AdaBoostM1 as the ensemble learning model and Vote as the combination strategy, add the Bayesian network, logistic regression, support vector machine, nearest neighbour and J48 classifiers to Vote in turn, then select Cross-validation with 10 folds under Test Options, and finally obtain the classification result of malware or normal software.

Priority Applications (1)

Application number: CN201810905958.3A (CN109033839A); priority date 2018-08-10; filing date 2018-08-10; title: A kind of malware detection method based on dynamic multiple features

Publications (1)

Publication number: CN109033839A; publication date 2018-12-18

Family

ID=64632608

Country Status (1)

CN: CN109033839A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109829306A (en) * 2019-02-20 2019-05-31 哈尔滨工程大学 A kind of Malware classification method optimizing feature extraction
CN110012013A (en) * 2019-04-04 2019-07-12 电子科技大学成都学院 A kind of virtual platform threat behavior analysis method and system based on KNN
CN110263539A (en) * 2019-05-15 2019-09-20 湖南警察学院 A kind of Android malicious application detection method and system based on concurrent integration study
CN110837641A (en) * 2019-11-13 2020-02-25 电子科技大学广东电子信息工程研究院 Malicious software detection method and detection system based on memory analysis
CN110865866A (en) * 2019-09-29 2020-03-06 中通服咨询设计研究院有限公司 Virtual machine safety detection method based on introspection technology
CN111382439A (en) * 2020-03-28 2020-07-07 玉溪师范学院 Malicious software detection method based on multi-mode deep learning
CN112965789A (en) * 2021-03-25 2021-06-15 绿盟科技集团股份有限公司 Virtual machine memory space processing method, device, equipment and medium
CN113010268A (en) * 2021-03-22 2021-06-22 腾讯科技(深圳)有限公司 Malicious program identification method and device, storage medium and electronic equipment
EP3918500B1 (en) * 2019-03-05 2024-04-24 Siemens Industry Software Inc. Machine learning-based anomaly detections for embedded software applications

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102034050A (en) * 2011-01-25 2011-04-27 四川大学 Dynamic malicious software detection method based on virtual machine and sensitive Native application programming interface (API) calling perception
US20140137180A1 (en) * 2012-11-13 2014-05-15 Bitdefender IPR Management Ltd. Hypervisor-Based Enterprise Endpoint Protection
CN104182269A (en) * 2014-08-12 2014-12-03 山东省计算中心(国家超级计算济南中心) Physical memory forensic method for KVM (Kernel-based Virtual Machine)
CN104715201A (en) * 2015-03-31 2015-06-17 北京奇虎科技有限公司 Method and system for detecting malicious acts of virtual machine
CN108255716A (en) * 2018-01-10 2018-07-06 天津理工大学 A kind of software assessment method based on cloud computing technology


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
张健: "Research on abnormal behavior detection technology in a KVM virtualization environment", Netinfo Security (《信息网络安全》) *
牛鹏飞: "Research and design of an online abnormal behavior detection platform based on Xen", Netinfo Security (《信息网络安全》) *

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109829306A (en) * 2019-02-20 2019-05-31 哈尔滨工程大学 A kind of Malware classification method optimizing feature extraction
CN109829306B (en) * 2019-02-20 2023-07-21 哈尔滨工程大学 Malicious software classification method for optimizing feature extraction
EP3918500B1 (en) * 2019-03-05 2024-04-24 Siemens Industry Software Inc. Machine learning-based anomaly detections for embedded software applications
CN110012013A (en) * 2019-04-04 2019-07-12 电子科技大学成都学院 A kind of virtual platform threat behavior analysis method and system based on KNN
CN110263539A (en) * 2019-05-15 2019-09-20 湖南警察学院 A kind of Android malicious application detection method and system based on concurrent integration study
CN110865866A (en) * 2019-09-29 2020-03-06 中通服咨询设计研究院有限公司 Virtual machine safety detection method based on introspection technology
CN110865866B (en) * 2019-09-29 2022-04-05 中通服咨询设计研究院有限公司 Virtual machine safety detection method based on introspection technology
CN110837641A (en) * 2019-11-13 2020-02-25 电子科技大学广东电子信息工程研究院 Malicious software detection method and detection system based on memory analysis
CN111382439A (en) * 2020-03-28 2020-07-07 玉溪师范学院 Malicious software detection method based on multi-mode deep learning
CN113010268A (en) * 2021-03-22 2021-06-22 腾讯科技(深圳)有限公司 Malicious program identification method and device, storage medium and electronic equipment
CN112965789A (en) * 2021-03-25 2021-06-15 绿盟科技集团股份有限公司 Virtual machine memory space processing method, device, equipment and medium
CN112965789B (en) * 2021-03-25 2024-05-03 绿盟科技集团股份有限公司 Virtual machine memory space processing method, device, equipment and medium

Similar Documents

Publication Publication Date Title
CN109033839A (en) A kind of malware detection method based on dynamic multiple features
US11275830B2 (en) System and method for video backdoor attack
CN108304720B (en) Android malicious program detection method based on machine learning
Li et al. Deeppayload: Black-box backdoor attack on deep learning models through neural payload injection
Jian et al. A novel framework for image-based malware detection with a deep neural network
US11481492B2 (en) Method and system for static behavior-predictive malware detection
Carmony et al. Extract Me If You Can: Abusing PDF Parsers in Malware Detectors.
Duan et al. Detective: Automatically identify and analyze malware processes in forensic scenarios via DLLs
Massarelli et al. Android malware family classification based on resource consumption over time
Almomani et al. An automated vision-based deep learning model for efficient detection of android malware attacks
CN111639337B (en) Unknown malicious code detection method and system for massive Windows software
CN103761481A (en) Method and device for automatically processing malicious code sample
CN103679030B (en) Malicious code analysis and detection method based on dynamic semantic features
Agrawal et al. Neural sequential malware detection with parameters
CN112528284A (en) Malicious program detection method and device, storage medium and electronic equipment
CN113935033A (en) Feature-fused malicious code family classification method and device and storage medium
Kakisim et al. Sequential opcode embedding-based malware detection method
US20220318387A1 (en) Method and Computer for Learning Correspondence Between Malware and Execution Trace of the Malware
CN111435391A (en) Method and apparatus for automatically determining interactive GUI elements to be interacted with in GUI
Li et al. Open source software security vulnerability detection based on dynamic behavior features
Pirch et al. Tagvet: Vetting malware tags using explainable machine learning
Onwuzurike et al. A family of droids: Analyzing behavioral model based Android malware detection via static and dynamic analysis
CN108229168B (en) Heuristic detection method, system and storage medium for nested files
Su et al. Detection of android malware by static analysis on permissions and sensitive functions
Yaseen et al. A Deep Learning-based Approach for Malware Classification using Machine Code to Image Conversion

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20181218