CN109472141A - Method and system for detecting malicious code based on time-series difference - Google Patents

Method and system for detecting malicious code based on time-series difference

Info

Publication number
CN109472141A
Authority
CN
China
Prior art keywords
file
detected
determined
apocrypha
grey
Prior art date
Legal status
Granted
Application number
CN201711468588.3A
Other languages
Chinese (zh)
Other versions
CN109472141B (en)
Inventor
刘佳男
王颖
李柏松
王小丰
Current Assignee
Beijing Ahtech Network Safe Technology Ltd
Original Assignee
Beijing Ahtech Network Safe Technology Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Ahtech Network Safe Technology Ltd
Priority to CN201711468588.3A
Publication of CN109472141A
Application granted
Publication of CN109472141B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a method and system for detecting malicious code based on a time-series difference. The method includes: obtaining the minimum time t_min that a file requires from creation to execution when operated manually; obtaining the time t_File that the file under detection took from creation to execution; and judging whether t_File is greater than or equal to t_min. If so, the file under detection is determined to be a low-suspicion file; otherwise it is determined to be a high-suspicion file. The low-suspicion and high-suspicion files can be detected further and finally determined to be a white file, a grey file or a black file. The invention avoids performing malicious-behaviour detection on every sample and so improves detection efficiency.

Description

Method and system for detecting malicious code based on time-series difference
Technical field
The present invention relates to the field of information security technology, and in particular to a method and system for detecting malicious code based on a time-series difference.
Background technique
Traditional malicious-sample detection methods fall into two kinds: static detection and dynamic detection. Static detection relies on signatures extracted from known malicious samples and therefore has no detection capability against unknown malicious code. Dynamic detection runs the malicious sample and then analyses it. Some existing patent documents disclose building a dedicated running environment for every file that needs to be detected and deciding whether the target file is a malicious sample from its runtime behaviour in each environment. The drawback of dynamic detection is that it depends too heavily on building the environment, and situations such as the behaviour failing to trigger may arise.
Summary of the invention
In view of the above technical problems, the present invention sorts samples according to the time-series difference between a sample's creation and its execution, avoiding operations such as malicious-behaviour matching on every sample and improving detection efficiency.
The inventors discovered through research that after a malicious sample propagates to a computer, the time from the creation of the file to its execution is far shorter than the time a manual operation takes to download or copy a file and then execute it. This time difference can therefore be used to sort malicious samples and improve the efficiency of malicious-sample detection.
The present invention is realized by the following method, a method for detecting malicious code based on a time-series difference, comprising:
obtaining the minimum time t_min that a file requires from creation to execution when operated manually;
obtaining the time t_File taken by the file under detection from creation to execution;
judging whether t_File is greater than or equal to t_min; if so, determining the file under detection to be a low-suspicion file, otherwise determining it to be a high-suspicion file.
Further, after determining the file under detection to be a low-suspicion file, the method also includes: judging whether the file under detection has a digital signature; if so, it is determined to be a white file; if not, it is detected further.
Further, the further detection comprises: judging whether the file under detection creates a startup item or a service; if not, it is determined to be a grey file; otherwise the file under detection is matched against a malicious-behaviour library, and it is determined to be a black file if the match succeeds and a grey file otherwise.
After the file under detection is determined to be a high-suspicion file, the method also includes: judging whether the file under detection creates a startup item or a service; if not, it is determined to be a grey file; otherwise the file under detection is matched against the malicious-behaviour library, and it is determined to be a black file if the match succeeds and a grey file if the match fails.
The present invention can be realized by the following system, a system for detecting malicious code based on a time-series difference, comprising:
a manual-time analysis module, for obtaining the minimum time t_min that a file requires from creation to execution when operated manually;
a real-time acquisition module, for obtaining the time t_File taken by the file under detection from creation to execution;
a suspicious-file determination module, for judging whether t_File is greater than or equal to t_min; if so, determining the file under detection to be a low-suspicion file, otherwise determining it to be a high-suspicion file.
Further, after determining the file under detection to be a low-suspicion file, the system also: judges whether the file under detection has a digital signature; if so, it is determined to be a white file; if not, it is detected further.
Further, the further detection comprises: judging whether the file under detection creates a startup item or a service; if not, it is determined to be a grey file; otherwise the file under detection is matched against a malicious-behaviour library, and it is determined to be a black file if the match succeeds and a grey file otherwise.
After the file under detection is determined to be a high-suspicion file, the system also: judges whether the file under detection creates a startup item or a service; if not, it is determined to be a grey file; otherwise the file under detection is matched against the malicious-behaviour library, and it is determined to be a black file if the match succeeds and a grey file if the match fails.
The present invention also proposes a non-transitory computer-readable storage medium on which a computer program is stored; when the program is executed by a processor it realizes any of the above methods for detecting malicious code based on a time-series difference.
In summary, the present invention provides a method and system for detecting malicious code based on a time-series difference. It sorts samples using the difference between the time a malicious sample takes from being downloaded to the computer to being executed and the time a manual operation takes to download or copy a file and then execute it. This avoids performing all subsequent detection operations on every sample file and so improves the efficiency of malicious-sample detection.
Detailed description of the invention
To illustrate the technical solution of the present invention more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments recorded in the present invention; those of ordinary skill in the art can obtain other drawings from these without creative effort.
Fig. 1 is a flow chart of method embodiment 1 for detecting malicious code based on a time-series difference provided by the invention;
Fig. 2 is a flow chart of method embodiment 2 for detecting malicious code based on a time-series difference provided by the invention;
Fig. 3 is a structure diagram of the system embodiment for detecting malicious code based on a time-series difference provided by the invention.
Specific embodiment
The present invention gives embodiments of a method and system for detecting malicious code based on a time-series difference. In order that those skilled in the art may better understand the technical solution in the embodiments of the present invention, and that the above purposes, features and advantages of the invention may be more obvious and easy to understand, the technical solution of the present invention is described in further detail below with reference to the accompanying drawings:
The present invention first provides method embodiment 1 for detecting malicious code based on a time-series difference, as shown in Fig. 1, comprising:
S101: obtaining the minimum time t_min that a file requires from creation to execution when operated manually;
S102: obtaining the time t_File taken by the file under detection from creation to execution;
S103: judging whether t_File is greater than or equal to t_min; if so, determining the file under detection to be a low-suspicion file, otherwise determining it to be a high-suspicion file.
Preferably, after determining the file under detection to be a low-suspicion file, the method also includes: judging whether the file under detection has a digital signature; if so, it is determined to be a white file; if not, it is detected further.
More preferably, the further detection comprises: judging whether the file under detection creates a startup item or a service; if not, it is determined to be a grey file; otherwise the file under detection is matched against a malicious-behaviour library, and it is determined to be a black file if the match succeeds and a grey file otherwise.
After the file under detection is determined to be a high-suspicion file, the method also includes: judging whether the file under detection creates a startup item or a service; if not, it is determined to be a grey file; otherwise the file under detection is matched against the malicious-behaviour library, and it is determined to be a black file if the match succeeds and a grey file if the match fails.
The invention also provides method embodiment 2 for detecting malicious code based on a time-series difference, as shown in Fig. 2, comprising:
S201: obtaining the minimum time t_min that a file requires from creation to execution when operated manually;
S202: obtaining the time t_File taken by the file under detection from creation to execution;
S203: judging whether t_File is greater than or equal to t_min; if so, determining the file under detection to be a low-suspicion file and executing S204; otherwise determining the file under detection to be a high-suspicion file and continuing to execute S205.
S204: judging whether the file under detection has a digital signature; if so, it is determined to be a white file; if not, continue to execute S205.
S205: judging whether the file under detection creates a startup item or a service; if not, it is determined to be a grey file; otherwise continue to execute S206.
S206: matching the file under detection against the malicious-behaviour library; if the match succeeds it is determined to be a black file, otherwise it is determined to be a grey file.
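The S201-S206 flow (and the identical decision sequence in the summary of the invention) carried through as a worked example in Python. This is illustration code added for this page, not code from the patent or from Beijing Ahtech. The manual timings, sample files and behaviour library are constructed; the patent does not say how the signature check, the startup-item check or the behaviour library are implemented, so they are modelled here as plain boolean facts and a set of behaviour tags, and the timestamps are assumed to be epoch seconds.

```python
"""Time-series triage of files under detection (S201-S206 of the patent).

Added example, not the patent's own code.  All timings, samples and the
behaviour library below are constructed for illustration."""
from dataclasses import dataclass
from enum import Enum


class Suspicion(Enum):
    LOW = "low"    # t_File >= t_min: consistent with a manual download-then-run
    HIGH = "high"  # t_File <  t_min: faster than the fastest manual operation


class Verdict(Enum):
    WHITE = "white"
    GREY = "grey"
    BLACK = "black"


@dataclass(frozen=True)
class Sample:
    """Facts about one file under detection (all values constructed)."""
    name: str
    created_at: float                 # file creation timestamp, epoch seconds (assumed)
    executed_at: float                # first execution timestamp, epoch seconds (assumed)
    has_digital_signature: bool       # the S204 check, modelled as a boolean
    creates_startup_or_service: bool  # the S205 check, modelled as a boolean
    behaviours: frozenset             # observed behaviour tags for the S206 match


def manual_min_time(manual_timings):
    """S201: t_min is the shortest creation-to-execution time observed when a
    person downloads or copies a file and then runs it."""
    if not manual_timings:
        raise ValueError("need at least one manual timing")
    return min(manual_timings)


def file_time(sample):
    """S202: t_File for the file under detection."""
    return sample.executed_at - sample.created_at


def suspicion_level(t_file, t_min):
    """S203: compare t_File with t_min.  A negative t_File (execution stamped
    before creation, e.g. a skewed clock) is below any t_min and so lands in
    HIGH; the patent does not discuss this case, it simply falls out of the rule."""
    return Suspicion.LOW if t_file >= t_min else Suspicion.HIGH


def match_behaviour_library(sample, malicious_library):
    """S206: the match succeeds if any observed behaviour is in the library."""
    return bool(sample.behaviours & malicious_library)


def triage(sample, t_min, malicious_library):
    """Run S203-S206 for one sample; returns (suspicion, verdict)."""
    level = suspicion_level(file_time(sample), t_min)
    # S204 is reached only from the low-suspicion branch: a signed file is white.
    # A high-suspicion file skips the signature check entirely.
    if level is Suspicion.LOW and sample.has_digital_signature:
        return level, Verdict.WHITE
    # S205: no startup item or service created -> grey, no further work.
    if not sample.creates_startup_or_service:
        return level, Verdict.GREY
    # S206: persistence present -> the behaviour-library match decides black/grey.
    if match_behaviour_library(sample, malicious_library):
        return level, Verdict.BLACK
    return level, Verdict.GREY


# Constructed manual timings (seconds) from hypothetical download-then-run trials.
MANUAL_TIMINGS = [4.8, 3.1, 6.5, 2.7, 5.2]
T_MIN = manual_min_time(MANUAL_TIMINGS)

# Constructed behaviour library: tags the S206 match looks for.
MALICIOUS_LIBRARY = frozenset({"disable_av", "inject_remote_thread", "encrypt_user_files"})

# Constructed files under detection; names and facts are hypothetical.
SAMPLES = [
    Sample("installer.exe", 1000.0, 1009.0, True, True, frozenset({"write_program_files"})),
    Sample("helper.exe", 1000.0, 1004.0, False, False, frozenset()),
    Sample("updater.exe", 1000.0, 1003.0, False, True, frozenset({"disable_av"})),
    Sample("dropped.exe", 1000.0, 1000.4, False, True, frozenset({"inject_remote_thread"})),
    Sample("staged.exe", 1000.0, 1000.9, True, True, frozenset({"write_temp"})),
    Sample("loader.exe", 1000.0, 1001.5, True, False, frozenset()),
]


def triage_all(samples=SAMPLES, t_min=T_MIN, library=MALICIOUS_LIBRARY):
    """Return {name: (suspicion, verdict)} for a batch of samples."""
    return {s.name: triage(s, t_min, library) for s in samples}


if __name__ == "__main__":
    for name, (level, verdict) in triage_all().items():
        print(f"{name:14s} {level.value:5s} -> {verdict.value}")
```

Note the asymmetry the flow chart encodes: staged.exe is signed, but because it ran 0.9 s after creation it is high-suspicion and never reaches S204, so the signature does not whitelist it; it ends grey only because its observed behaviour is not in the library. A signed file on the low-suspicion branch (installer.exe) is white without any behaviour check at all, which is exactly where the efficiency gain the patent claims comes from, and also where a stolen or abused signing key would be felt.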
Secondly, the present invention provides a system embodiment for detecting malicious code based on a time-series difference, as shown in Fig. 3, comprising:
a manual-time analysis module 301, for obtaining the minimum time t_min that a file requires from creation to execution when operated manually;
a real-time acquisition module 302, for obtaining the time t_File taken by the file under detection from creation to execution;
a suspicious-file determination module 303, for judging whether t_File is greater than or equal to t_min; if so, determining the file under detection to be a low-suspicion file, otherwise determining it to be a high-suspicion file.
Preferably, after determining the file under detection to be a low-suspicion file, the system also: judges whether the file under detection has a digital signature; if so, it is determined to be a white file; if not, it is detected further.
More preferably, the further detection comprises: judging whether the file under detection creates a startup item or a service; if not, it is determined to be a grey file; otherwise the file under detection is matched against a malicious-behaviour library, and it is determined to be a black file if the match succeeds and a grey file otherwise.
After the file under detection is determined to be a high-suspicion file, the system also: judges whether the file under detection creates a startup item or a service; if not, it is determined to be a grey file; otherwise the file under detection is matched against the malicious-behaviour library, and it is determined to be a black file if the match succeeds and a grey file if the match fails.
The present invention also discloses a non-transitory computer-readable storage medium on which a computer program is stored; when the program is executed by a processor it realizes any of the above methods for detecting malicious code based on a time-series difference.
All the embodiments in this specification are described in a progressive manner; the same or similar parts of the embodiments may refer to each other, and each embodiment focuses on its differences from the others. In particular, since the system embodiment is substantially similar to the method embodiment, it is described relatively briefly; for related details refer to the explanation in the method embodiment.
As described above, the embodiments give a method and system for detecting malicious code based on a time-series difference. First, the time the file under detection takes from creation to execution is compared with the minimum time a manual performance of the same operation takes: if the required time is greater than or equal to the manual minimum time, the file is determined to be a low-suspicion file; if it is less than the manual minimum time, the file is determined to be a high-suspicion file. At the same time, a file under detection determined to be low-suspicion or high-suspicion can be detected further and finally determined to be a white file, a grey file or a black file. Because the above embodiments pre-sort the samples under detection, they avoid testing every sample for malice and thereby greatly improve detection efficiency.
The above embodiments illustrate rather than limit the technical solution of the present invention. Any modification or partial replacement that does not depart from the spirit and scope of the invention is intended to fall within the scope of the claims of the invention.

Claims (9)

1. A method for detecting malicious code based on a time-series difference, characterized by comprising:
obtaining the minimum time t_min that a file requires from creation to execution when operated manually;
obtaining the time t_File taken by the file under detection from creation to execution;
judging whether t_File is greater than or equal to t_min; if so, determining the file under detection to be a low-suspicion file, otherwise determining it to be a high-suspicion file.
2. The method as described in claim 1, characterized in that after determining the file under detection to be a low-suspicion file it further comprises: judging whether the file under detection has a digital signature; if so, it is determined to be a white file; if not, further detection is performed.
3. The method according to claim 2, characterized in that the further detection comprises: judging whether the file under detection creates a startup item or a service; if not, it is determined to be a grey file; otherwise the file under detection is matched against a malicious-behaviour library, and it is determined to be a black file if the match succeeds and a grey file otherwise.
4. The method as claimed in claim 1 or 3, characterized in that after the file under detection is determined to be a high-suspicion file it further comprises: judging whether the file under detection creates a startup item or a service; if not, it is determined to be a grey file; otherwise the file under detection is matched against the malicious-behaviour library, and it is determined to be a black file if the match succeeds and a grey file if the match fails.
5. A system for detecting malicious code based on a time-series difference, characterized by comprising:
a manual-time analysis module, for obtaining the minimum time t_min that a file requires from creation to execution when operated manually;
a real-time acquisition module, for obtaining the time t_File taken by the file under detection from creation to execution;
a suspicious-file determination module, for judging whether t_File is greater than or equal to t_min; if so, determining the file under detection to be a low-suspicion file, otherwise determining it to be a high-suspicion file.
6. The system as claimed in claim 5, characterized in that after determining the file under detection to be a low-suspicion file it further: judges whether the file under detection has a digital signature; if so, it is determined to be a white file; if not, further detection is performed.
7. The system as claimed in claim 6, characterized in that the further detection comprises: judging whether the file under detection creates a startup item or a service; if not, it is determined to be a grey file; otherwise the file under detection is matched against a malicious-behaviour library, and it is determined to be a black file if the match succeeds and a grey file otherwise.
8. The system as described in claim 5 or 7, characterized in that after the file under detection is determined to be a high-suspicion file it further: judges whether the file under detection creates a startup item or a service; if not, it is determined to be a grey file; otherwise the file under detection is matched against the malicious-behaviour library, and it is determined to be a black file if the match succeeds and a grey file if the match fails.
9. A non-transitory computer-readable storage medium on which a computer program is stored, characterized in that when the program is executed by a processor it realizes a method for detecting malicious code based on a time-series difference as described in any one of claims 1-4.
CN201711468588.3A 2017-12-29 2017-12-29 Method and system for detecting malicious code based on time-series difference Active CN109472141B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711468588.3A CN109472141B (en) 2017-12-29 2017-12-29 Method and system for detecting malicious code based on time-series difference

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711468588.3A CN109472141B (en) 2017-12-29 2017-12-29 Method and system for detecting malicious code based on time-series difference

Publications (2)

Publication Number Publication Date
CN109472141A true CN109472141A (en) 2019-03-15
CN109472141B CN109472141B (en) 2022-01-04

Family

ID=65658227

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711468588.3A Active CN109472141B (en) 2017-12-29 2017-12-29 Method and system for detecting malicious code based on time-series difference

Country Status (1)

Country Link
CN (1) CN109472141B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111797398A (en) * 2020-06-28 2020-10-20 韩山师范学院 Malicious code visualization and variation detection method, system, device and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140123280A1 (en) * 2012-10-30 2014-05-01 Gabriel Kedma Runtime detection of self-replicating malware
US8938807B1 (en) * 2012-10-29 2015-01-20 Trend Micro Inc. Malware removal without virus pattern
US9178900B1 (en) * 2013-11-20 2015-11-03 Trend Micro Inc. Detection of advanced persistent threat having evasion technology
US20160156658A1 (en) * 2010-08-26 2016-06-02 Verisign, Inc. Method and system for automatic detection and analysis of malware
CN106055976A (en) * 2016-05-16 2016-10-26 杭州华三通信技术有限公司 Document detection method and sandbox controller

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160156658A1 (en) * 2010-08-26 2016-06-02 Verisign, Inc. Method and system for automatic detection and analysis of malware
US8938807B1 (en) * 2012-10-29 2015-01-20 Trend Micro Inc. Malware removal without virus pattern
US20140123280A1 (en) * 2012-10-30 2014-05-01 Gabriel Kedma Runtime detection of self-replicating malware
US20170046512A1 (en) * 2012-10-30 2017-02-16 Gabriel Kedma Runtime detection of self-replicating malware
US9178900B1 (en) * 2013-11-20 2015-11-03 Trend Micro Inc. Detection of advanced persistent threat having evasion technology
CN106055976A (en) * 2016-05-16 2016-10-26 杭州华三通信技术有限公司 Document detection method and sandbox controller

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111797398A (en) * 2020-06-28 2020-10-20 韩山师范学院 Malicious code visualization and variation detection method, system, device and storage medium
CN111797398B (en) * 2020-06-28 2024-02-02 韩山师范学院 Malicious code visualization and variant detection method, system, equipment and storage medium

Also Published As

Publication number Publication date
CN109472141B (en) 2022-01-04

Similar Documents

Publication Publication Date Title
US10063582B1 (en) Securing compromised network devices in a network
US10621349B2 (en) Detection of malware using feature hashing
JP6088713B2 (en) Vulnerability discovery device, vulnerability discovery method, and vulnerability discovery program
US9171155B2 (en) System and method for evaluating malware detection rules
US11108787B1 (en) Securing a network device by forecasting an attack event using a recurrent neural network
CN112005532B (en) Method, system and storage medium for classifying executable files
WO2014166312A1 (en) Method and system for advertisement plug-in recognition
CA2804258A1 (en) Systems and methods for alternating malware classifiers in an attempt to frustrate brute-force malware testing
KR101858620B1 (en) Device and method for analyzing javascript using machine learning
US9069963B2 (en) Statistical inspection systems and methods for components and component relationships
KR20210098297A (en) Computet program for detecting software vulnerability based on binary code clone
Agarkar et al. Malware detection & classification using machine learning
Ravi et al. Analysing corpus of office documents for macro-based attacks using machine learning
JP5441043B2 (en) Program, information processing apparatus, and information processing method
CN109472141A (en) Method and system for detecting malicious code based on time-series difference
US8418170B2 (en) Method and system for assessing deployment and un-deployment of software installations
CN108229168B (en) Heuristic detection method, system and storage medium for nested files
CN106650447A (en) Method and system for preventing PowerShell malicious code execution
CN114282216A (en) Malicious software detection method and device, computer equipment and storage medium
EP2854065B1 (en) A system and method for evaluating malware detection rules
US12132755B2 (en) Scoring application vulnerabilities
Hindarto et al. Android-manifest extraction and labeling method for malware compilation and dataset creation.
US8566942B2 (en) System, method, and computer program product for tracking the migration of objects to determine whether to perform a network based check
CN103699838A (en) Identification method and equipment of viruses
Shaw et al. Cloud based malware detection technique

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant