CN109800569A - Program identification method and device - Google Patents


Info

Publication number: CN109800569A
Application number: CN201811641190.XA
Authority: CN (China)
Prior art keywords: program, line, identified, operation behavior, sample
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 陈俊儒
Current Assignee: 360 Enterprise Safety Technology (zhuhai) Co Ltd; Beijing Qianxin Technology Co Ltd
Original Assignee: 360 Enterprise Safety Technology (zhuhai) Co Ltd; Beijing Qianxin Technology Co Ltd
Application filed by 360 Enterprise Safety Technology (zhuhai) Co Ltd, Beijing Qianxin Technology Co Ltd

Abstract

This application discloses a program identification method, a program identification device, a computer device and a computer storage medium in the field of computer security, which can reduce the security risks present in a computer system and improve the safety of the operating system. The method comprises: obtaining the behavior chain produced when a malicious program sample executes an operation behavior, and storing that behavior chain in a local database; when a program to be identified is detected executing an operation behavior, generating the behavior chain of the program to be identified; comparing the similarity between the behavior chain of the program to be identified and the behavior chains of the malicious program samples in the local database; and, if the similarity comparison result meets the similarity condition, determining that the program to be identified is a malicious program and intercepting the corresponding operation it is executing.

Description

Program identification method and device
Technical field
The present invention relates to the field of computer security technology, and in particular to a program identification method, a program identification device, a computer device and a computer storage medium.
Background art
"Malicious program" is a general term for any software program intentionally created to perform unauthorized and usually harmful actions. Computer viruses, key loggers, password stealers, Word and Excel macro viruses, backdoor programs, boot sector viruses, script viruses (batch, Windows shell, Java and so on), Trojan horses, crimeware, spyware and adware are all examples of what may be called malicious programs.
In existing scan-and-remove (anti-malware) systems, detection is based on existing program samples: after a program has performed a malicious action it is judged to be a malicious program, a feature value (signature) of the corresponding file is extracted and stored in a local database, and later programs are identified as malicious or not according to the feature value of their files, with malicious programs being intercepted and removed.
Although such a system protects client devices to a certain extent, identifying malicious programs from features stored in a local database only works for malicious programs that have already appeared; a program that has not appeared before but exhibits the same operation behavior cannot be identified, so the anti-malware system cannot intercept a malicious program whose attack has not yet succeeded.
Summary of the invention
In view of this, the present invention provides a program identification method, device, computer device and computer storage medium, whose main purpose is to reduce the security risks present in a computer system and improve the safety of the operating system.
According to one aspect of the present invention, a program identification method is provided, the method comprising:
obtaining the behavior chain produced when a malicious program sample executes an operation behavior, and storing the behavior chain of the malicious program sample in a local database;
when a program to be identified is detected executing an operation behavior, generating the behavior chain of the program to be identified;
comparing the similarity between the behavior chain of the program to be identified and the behavior chains of the malicious program samples in the local database;
if the similarity comparison result meets the similarity condition, determining that the program to be identified is a malicious program and intercepting the corresponding operation executed by the malicious program.
Further, obtaining the behavior chain corresponding to the malicious program sample and storing it in the local database comprises:
collecting malicious program samples and extracting the operation behavior of each sample;
parsing the operation behavior of the malicious program sample by means of a sandbox mechanism to obtain the behavior chain produced when the sample executes the operation behavior;
storing the behavior chain of the malicious program sample in the local database.
Further, parsing the operation behavior of the malicious program sample by means of the sandbox mechanism to obtain the behavior chain comprises:
monitoring, in the sandbox, the behavior operations performed while the malicious program sample executes the operation behavior, to obtain the multiple sub-behaviors the sample generates during the operation behavior;
sorting the multiple sub-behaviors generated by the malicious program sample according to their execution order, to obtain the behavior chain of the sample.
Further, generating the behavior chain of the program to be identified when it is detected executing an operation behavior comprises:
when the program to be identified is detected executing an operation behavior, obtaining the multiple sub-behaviors it generates during execution of the operation behavior;
sorting those sub-behaviors according to execution order to generate the behavior chain of the program to be identified.
Further, comparing the similarity between the behavior chain of the program to be identified and the behavior chains of the malicious program samples in the local database comprises:
extracting the multiple sub-behaviors in the behavior chain of the program to be identified and the multiple sub-behaviors in the behavior chain of a malicious program sample in the local database, respectively;
comparing the similarity of the sub-behaviors of the program to be identified with the sub-behaviors of the malicious program sample according to a preset comparison rule.
Further, the preset comparison rule includes comparing similarity by the number of identical sub-behaviors in the two behavior chains, and comparing the sub-behaviors of the program to be identified with those of the malicious program sample according to the preset rule comprises:
traversing the sub-behaviors of the program to be identified and the sub-behaviors of the malicious program sample and counting the number of identical sub-behaviors;
comparing the similarity of the two sets of sub-behaviors according to that number;
and determining that the program to be identified is a malicious program and intercepting its operation when the similarity comparison result meets the similarity condition specifically comprises:
if the number of identical sub-behaviors is greater than a first preset value, determining that the program to be identified is a malicious program and intercepting the corresponding operation.
Further, the preset comparison rule also includes comparing similarity by the sequence identifier with which each sub-behavior in the behavior chain is executed, and comparing the sub-behaviors of the program to be identified with those of the malicious program sample according to the preset rule comprises:
traversing the sub-behaviors of the program to be identified and of the malicious program sample and recording the sequence identifier of each sub-behavior;
comparing the similarity of the two sets of sub-behaviors according to their sequence identifiers;
and determining that the program to be identified is a malicious program and intercepting its operation when the similarity comparison result meets the similarity condition further comprises:
if the number of identical sub-behaviors is less than or equal to the first preset value, looking up, by the sequence identifiers, the number of sub-behaviors that are identical and carry the same sequence identifier;
if the number of sub-behaviors with the same sequence identifier is greater than a second preset value, determining that the program to be identified is a malicious program and intercepting the corresponding operation, the second preset value being smaller than the first preset value.
According to another aspect of the present invention, a program identification device is provided, the device comprising:
an acquiring unit for obtaining the behavior chain produced when a malicious program sample executes an operation behavior and storing it in a local database;
a generation unit for generating the behavior chain of a program to be identified when that program is detected executing an operation behavior;
a comparing unit for comparing the similarity between the behavior chain of the program to be identified and the behavior chains of the malicious program samples in the local database;
a judging unit for determining, if the similarity comparison result meets the similarity condition, that the program to be identified is a malicious program and intercepting the corresponding operation executed by the malicious program.
Further, the acquiring unit comprises:
a collection module for collecting malicious program samples and extracting their operation behavior;
a parsing module for parsing the operation behavior of a malicious program sample by means of a sandbox mechanism to obtain the sample's behavior chain;
a storage module for storing the behavior chain of the malicious program sample in the local database.
Further, the parsing module is specifically used to monitor, in the sandbox, the behavior operations performed while the malicious program sample executes the operation behavior, obtaining the multiple sub-behaviors the sample generates during the operation behavior;
the parsing module is also specifically used to sort those sub-behaviors according to execution order to obtain the behavior chain of the malicious program sample.
Further, the generation unit comprises:
an obtaining module for obtaining, when a program to be identified is detected executing an operation behavior, the multiple sub-behaviors it generates during that execution;
a sorting module for sorting those sub-behaviors according to execution order and generating the behavior chain of the program to be identified.
Further, the comparing unit comprises:
an extraction module for extracting the sub-behaviors in the behavior chain of the program to be identified and the sub-behaviors in the behavior chain of a malicious program sample in the local database, respectively;
a comparison module for comparing the similarity of the sub-behaviors of the program to be identified with those of the malicious program sample according to a preset comparison rule.
Further, the preset comparison rule includes comparing similarity by the number of identical sub-behaviors in the two behavior chains;
the comparison module is specifically used to traverse the sub-behaviors of the program to be identified and of the malicious program sample and count the number of identical sub-behaviors;
the comparison module is also specifically used to compare the similarity of the two sets of sub-behaviors according to that number;
the judging unit is also used to determine, if the number of identical sub-behaviors is greater than a first preset value, that the program to be identified is a malicious program and to intercept the corresponding operation.
Further, the preset comparison rule also includes comparing similarity by the sequence identifier with which each sub-behavior is executed;
the comparison module is also specifically used to traverse the sub-behaviors of the program to be identified and of the malicious program sample and record the sequence identifier of each sub-behavior;
the comparison module is also specifically used to compare the similarity of the two sets of sub-behaviors according to their sequence identifiers;
the judging unit is also used, if the number of identical sub-behaviors is less than or equal to the first preset value, to look up by sequence identifier the number of sub-behaviors that are identical and carry the same sequence identifier;
the judging unit is also used, if that number is greater than a second preset value, to determine that the program to be identified is a malicious program and intercept the corresponding operation, the second preset value being smaller than the first preset value.
According to another aspect of the present invention, a computer device is provided, comprising a memory and a processor, the memory storing a computer program and the processor implementing the steps of the program identification method when executing the computer program.
According to another aspect of the present invention, a computer storage medium is provided on which a computer program is stored, the computer program implementing the steps of the program identification method when executed by a processor.
Through the above technical solution, the present invention provides a program identification method and device. The behavior chain produced when a malicious program sample executes an operation behavior is obtained and stored in a local database. Because the behavior chain records the process by which the malicious program executes the operation behavior, when a program to be identified is detected executing an operation behavior its behavior chain can be compared for similarity with the behavior chains of the malicious program samples in the local database, and a program whose comparison result meets the similarity condition is determined to be malicious and its corresponding operation is intercepted. Compared with the prior art, which identifies only malicious programs that have already appeared, the embodiments of the present invention extract the behavior chain of a malicious program and compare it with the behavior chain of the program to be identified; a program that has not appeared before but has the same operation behavior shows high similarity to the malicious program, and a program with high similarity is determined to be malicious. This improves the safety of program execution and reduces the security risks of the operating system.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art by reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be considered a limitation on the present invention. The same reference numerals denote the same parts throughout the drawings. In the drawings:
Fig. 1 is a flow diagram of a program identification method provided by an embodiment of the present invention;
Fig. 2 is a flow diagram of another program identification method provided by an embodiment of the present invention;
Fig. 3 is a structural diagram of a program identification device provided by an embodiment of the present invention;
Fig. 4 is a structural diagram of another program identification device provided by an embodiment of the present invention.
Specific embodiment
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure is understood more thoroughly and its scope is fully conveyed to those skilled in the art.
An embodiment of the present invention provides a program identification method that can reduce the security risks present in a computer system. As shown in Fig. 1, the method comprises:
101. Obtaining the behavior chain produced when a malicious program sample executes an operation behavior, and storing that behavior chain in a local database.
Here a malicious program generally refers to a piece of program written with attack intent, such as a Trojan horse, worm or virus. In the usual case, the malicious program samples referred to here are existing program samples that were detected and removed after performing an operation behavior; a program whose attack failed does not belong to the existing samples and has not been detected.
In this embodiment, a malicious program sample is involved in a variety of behavior operations while executing an operation behavior, such as writing the registry, collecting registry information or querying the network state, so the execution of an operation behavior corresponds to a series of behavior operations, and that series is the behavior chain. Specifically, each behavior operation performed while the sample executes the operation behavior is monitored and the operation information corresponding to each behavior operation is recorded, giving the behavior chain of the sample; the behavior chain records the operation information of each behavior operation performed during the operation behavior, and the behavior chain is stored in the local database.
It should be noted that the behavior operations in the behavior chain have a fixed sequence. For example, a behavior chain may include, without limitation, the following steps: first, collecting process information; second, selecting the process to attack from the process information; third, injecting malicious code into the attacked process; fourth, adjusting the entry address and base address and resuming the process.
102. When a program to be identified is detected executing an operation behavior, generating the behavior chain of the program to be identified.
In this embodiment, whether the program to be identified is a malicious program is unknown; when it is detected executing an operation behavior, its behavior needs to be analyzed to identify whether it is a malicious program.
Specifically, files in different locations and the programs, drivers and modules recorded in memory can be scanned; the scanning may consist of querying, opening, reading, analyzing, extracting features and forwarding to the back end, so that the programs the system is executing are monitored. Here a program the system is executing can be selected as the program to be identified, so that when it is detected executing an operation behavior its behavior chain is generated, and the program is then identified according to that behavior chain.
It will be understood that, to improve identification efficiency, while monitoring the programs the system is executing, programs exhibiting sensitive or abnormal operation behavior can be prioritized as programs to be identified, so that a malicious program is found and intercepted at the earliest moment and the safety of the operating system is improved.
103. Comparing the similarity between the behavior chain of the program to be identified and the behavior chains of the malicious program samples in the local database.
The behavior chain of a malicious program sample in the local database is the operation information of each behavior operation in a known malicious program's attack process, and the behavior chain of the program to be identified is the operation information of each behavior operation in the unknown program's operation process. In this embodiment, the operation information of each behavior operation in the sample's attack process is compared for similarity with the operation information of each behavior operation performed by the program to be identified during the operation behavior.
It should be noted that the operation information of the individual behavior operations in an operation behavior is correlated: for an operation behavior, the operation information of the first several steps is usually associated and usually identical, whereas, to improve the effect of the attack, the operation information of the last several steps is often modified in its features. The similarity comparison between behavior chains can therefore be realized through the correlation between the operation information.
104. If the similarity comparison result meets the similarity condition, determining that the program to be identified is a malicious program and intercepting the corresponding operation executed by the malicious program.
In this embodiment, the similarity comparison result may include the number of identical operation behaviors in the behavior chains and may also include the execution order of the operation behaviors in the chains; the content of the comparison result is not limited here and can be extended according to actual conditions. Likewise, the similarity condition may be a threshold set on the number of identical operation behaviors, or a rule set on the execution order of the operation behaviors.
If the similarity comparison result meets the similarity condition, the program to be identified shares operation behavior with the malicious program to a certain extent, so the program to be identified is determined to be a malicious program and the corresponding operation executed by it is intercepted.
The present invention provides a program identification method in which the behavior chain produced when a malicious program sample executes an operation behavior is obtained and stored in a local database. Because the behavior chain records the process by which the malicious program executes the operation behavior, when a program to be identified is detected executing an operation behavior its behavior chain can be compared for similarity with the behavior chains of the malicious program samples in the local database, and a program whose comparison result meets the similarity condition is determined to be malicious and its corresponding operation is intercepted. Compared with the prior art, which identifies only malicious programs that have already appeared, this embodiment extracts the behavior chain of a malicious program and compares it with the behavior chain of the program to be identified; a program that has not appeared before but has the same operation behavior shows high similarity to the malicious program, and a program with high similarity is determined to be malicious. This improves the safety of program execution and reduces the security risks of the operating system.
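Steps 103 and 104 above, together with the two comparison rules stated in the summary (a first preset value on the number of identical sub-behaviors, then a smaller second preset value on the number of sub-behaviors that are identical and also carry the same sequence identifier), written out as an added Python example. This is not code from the patent or from its assignees. The sub-behavior names, the stored sample chain (built from the injection sequence given as an illustration in step 101), the four chains of programs to be identified and the two threshold values are assumptions made for the example.

```python
"""Two-tier behavior chain similarity comparison.

Added example, not code from the patent. Sub-behavior names, the sample
chain, the chains to be identified and both thresholds are assumptions.
"""
from collections import Counter
from typing import Dict, Sequence, Tuple

# Preset values from the summary: the second must be smaller than the first.
# The concrete numbers are an assumption for this example.
FIRST_PRESET_VALUE = 3   # identical sub-behaviors, execution order ignored
SECOND_PRESET_VALUE = 2  # identical sub-behaviors with the same sequence identifier

# Constructed local database: one stored sample chain, using the injection
# sequence given as an illustration in step 101.
LOCAL_DATABASE: Dict[str, Tuple[str, ...]] = {
    "process_injector": (
        "collect_process_info",
        "select_target_process",
        "inject_code",
        "adjust_entry_and_base",
        "resume_process",
    ),
}

# Constructed chains of programs to be identified.
VARIANT_SAME_TAIL_CHANGED = (   # a later step modified, as step 103 describes
    "collect_process_info", "select_target_process", "inject_code",
    "patch_import_table", "resume_process",
)
VARIANT_SHARED_PREFIX = (       # only the first three steps match
    "collect_process_info", "select_target_process", "inject_code",
    "create_remote_thread", "delete_self",
)
VARIANT_SHUFFLED = (            # same behaviors, different order
    "inject_code", "collect_process_info", "select_target_process", "write_log",
)
BENIGN_INSPECTOR = (            # e.g. a process viewer reading memory
    "collect_process_info", "open_process", "read_memory",
)


def count_identical(chain_a: Sequence[str], chain_b: Sequence[str]) -> int:
    """First rule: number of sub-behaviors present in both chains regardless
    of order. Multiset intersection, so a behavior repeated in one chain is
    only counted as often as it occurs in the other."""
    return sum((Counter(chain_a) & Counter(chain_b)).values())


def count_same_sequence(chain_a: Sequence[str], chain_b: Sequence[str]) -> int:
    """Second rule: number of sub-behaviors that are identical and carry the
    same sequence identifier. The identifier is the position in the chain
    after sorting by execution order, so zip() aligns identifiers."""
    return sum(1 for a, b in zip(chain_a, chain_b) if a == b)


def meets_similarity_condition(
    to_identify: Sequence[str],
    sample: Sequence[str],
    first: int = FIRST_PRESET_VALUE,
    second: int = SECOND_PRESET_VALUE,
) -> Tuple[bool, str]:
    """Apply the count rule first; fall back to the sequence rule only when
    the identical count is <= the first preset value."""
    if second >= first:
        raise ValueError("second preset value must be smaller than the first")
    identical = count_identical(to_identify, sample)
    if identical > first:
        return True, f"identical sub-behaviors {identical} > {first}"
    same_seq = count_same_sequence(to_identify, sample)
    if same_seq > second:
        return True, f"same-sequence sub-behaviors {same_seq} > {second}"
    return False, f"identical={identical}, same_sequence={same_seq}"


def identify(to_identify: Sequence[str], database=LOCAL_DATABASE):
    """Compare against every stored sample chain. Returns the name of the
    first sample that meets the similarity condition (the point at which the
    program would be intercepted) or None, together with the reason."""
    for name, sample in database.items():
        hit, reason = meets_similarity_condition(to_identify, sample)
        if hit:
            return name, reason
    return None, "no sample chain met the similarity condition"


if __name__ == "__main__":
    for label, chain in [
        ("tail changed", VARIANT_SAME_TAIL_CHANGED),
        ("shared prefix", VARIANT_SHARED_PREFIX),
        ("shuffled", VARIANT_SHUFFLED),
        ("benign inspector", BENIGN_INSPECTOR),
    ]:
        name, reason = identify(chain)
        verdict = "INTERCEPT" if name else "allow"
        print(f"{label:17s} -> {verdict:9s} ({reason})")
```

The second rule is what catches the "shared prefix" chain, the case step 103 describes where the first steps are identical and the later ones are altered; the "shuffled" chain shows why the rule is position-sensitive, since reusing the same behaviors in a different order is not the same attack sequence. Two practical caveats: the count rule ignores order, so the first preset value should be set relative to the length of the stored chains, and the multiset intersection stops a program that repeats one sub-behavior many times from inflating the first count.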
An embodiment of the present invention provides another program identification method that can reduce the security risks present in a computer system. As shown in Fig. 2, the method comprises:
201. Collecting malicious program samples and extracting the operation behavior of each sample.
Under normal circumstances the operation behavior of a malicious program is of two kinds. One is malicious operation behavior, such as denial of network service or a network worm; these behaviors are intended to consume server resources, affect the normal operation of the server and even paralyze the network the server is on. The other is malicious intrusion behavior, which more often leads to the leakage of sensitive server information, with the intruder free to act at will and damage the server.
In this embodiment, the operation behavior of a malicious program sample can be extracted by signature-based scanning, where the signature may be one extracted from the sample's code, one extracted from a particular string, a generic signature covering a family, and so on. It can also be extracted by heuristic scanning, for example by analyzing features such as the instruction sequence the sample executes or a particular combination of behaviors, or by virtual machine scanning, for example by loading the sample into a virtual machine environment and running it when scanning, so that a packed sample unpacks itself and is restored to its original form.
202. Parsing the operation behavior of the malicious program sample by means of a sandbox mechanism to obtain the behavior chain produced when the sample executes the operation behavior.
The sandbox mechanism is equivalent to a virtual machine environment; through redirection techniques every operation behavior of the malicious program sample can be exercised, so that each behavior operation performed while the sample executes the operation behavior is extracted, forming the behavior chain of the sample.
In this embodiment, after the operation behavior of the malicious program sample has been extracted, parsing it in the sandbox allows the sample to be analyzed in depth, since the sandbox is a closed environment with a high level of safety.
203. Storing the behavior chain of the malicious program sample in the local database.
In this embodiment, since each malicious program sample has one behavior chain for the execution of an operation behavior, parsing multiple samples yields multiple behavior chains; these can be partitioned according to a preset rule before being stored in the local database.
The preset rule may be, for example, the object targeted by the sample's operation behavior, such as server registry information or a database, or the function of the sample's operation behavior, such as virus, worm or Trojan horse.
204. When it is detected that a program to be identified executes an operation behaviour, the multiple sub-behaviours generated by the program to be identified while executing the operation behaviour are obtained.
Executing an operation behaviour involves multiple instructions; each instruction is equivalent to one sub-behaviour, and the sub-behaviours are related to one another. Therefore, when it is detected that the program to be identified executes an operation behaviour, the multiple instructions involved can be captured by monitoring the program to be identified, thereby obtaining the multiple sub-behaviours it generates while executing the operation behaviour.
For example, if the program to be identified creates a user account, the instructions involved in creating the account can be monitored; they may include, but are not limited to, creating a process, calling the service associated with the account and setting service parameters, each instruction being equivalent to one sub-behaviour.
205. The multiple sub-behaviours generated by the program to be identified while executing the operation behaviour are sorted according to their execution order, generating the behaviour chain of the program to be identified executing the operation behaviour.
It will be understood that the multiple sub-behaviours generated by the program to be identified while executing the operation behaviour are not only related to one another but also have an order of precedence, that is, which sub-behaviour is executed first and which is executed later. Sorting the sub-behaviours according to their execution order therefore generates the behaviour chain of the program to be identified executing the operation behaviour.
To make the sub-behaviours in the behaviour chain easy to distinguish, each sub-behaviour in the chain can be labelled, so that every sub-behaviour in the behaviour chain carries a sequence identifier.
206. The multiple sub-behaviours in the behaviour chain of the program to be identified executing the operation behaviour and the multiple sub-behaviours in the behaviour chain of a malicious program sample in the local database executing its operation behaviour are extracted respectively, obtaining the multiple sub-behaviours corresponding to the program to be identified and the multiple sub-behaviours corresponding to the malicious program sample.
In an embodiment of the present invention, each of the multiple sub-behaviours in the behaviour chain of the program to be identified carries a sequence identifier, and each of the multiple sub-behaviours in the behaviour chain of the malicious program sample in the local database likewise carries a sequence identifier.
207. The multiple sub-behaviours corresponding to the program to be identified are compared for similarity with the multiple sub-behaviours corresponding to the malicious program sample according to a preset comparison rule.
It is not known in advance whether the program to be identified is malicious: it may be a safe program, or it may be a malicious program whose attack has not yet succeeded and which has therefore not yet been classified. If the program to be identified is malicious, there is a very high similarity between it and a classified malicious program sample. In general, not every attack by a malicious program succeeds, and a malicious program whose attack has failed executes the same operation behaviours as one whose attack succeeded, such as collecting information or checking the network state.
The preset comparison rule may include comparing similarity according to the number of identical sub-behaviours between corresponding behaviour chains. Specifically, comparing the multiple sub-behaviours corresponding to the program to be identified with the multiple sub-behaviours corresponding to the malicious program sample according to the preset rule may include: traversing the multiple sub-behaviours corresponding to the program to be identified and the multiple sub-behaviours corresponding to the malicious program sample respectively and counting the number of identical sub-behaviours; and comparing the similarity of the two sets of sub-behaviours according to the number of identical sub-behaviours.
The preset comparison rule may also include comparing similarity according to the sequence identifiers with which the sub-behaviours in corresponding behaviour chains are executed. Specifically, comparing the multiple sub-behaviours corresponding to the program to be identified with the multiple sub-behaviours corresponding to the malicious program sample according to the preset rule may include: traversing the multiple sub-behaviours corresponding to the program to be identified and the multiple sub-behaviours corresponding to the malicious program sample respectively and recording the sequence identifier with which each sub-behaviour is executed; and comparing the similarity of the two sets of sub-behaviours according to the sequence identifiers with which the sub-behaviours are executed.
By comparing the multiple sub-behaviours corresponding to the program to be identified with the multiple sub-behaviours corresponding to the malicious program sample according to the preset comparison rule, the embodiment of the present invention can detect a malicious behaviour trend before the malicious program's attack succeeds, providing protection against malicious programs that have not yet acted and improving the security of the system.
208a. If the number of identical sub-behaviours is greater than a first preset value, the program to be identified is determined to be a malicious program, and the malicious program is intercepted from executing the corresponding operation.
In an embodiment of the present invention, if the number of identical sub-behaviours is greater than the first preset value, the program to be identified and the malicious program sample share many identical sub-behaviours, indicating a very high similarity between them; the program to be identified is therefore determined to be a malicious program and is intercepted from executing the corresponding operation.
208b, the counterpart of step 208a. If the number of identical sub-behaviours is less than or equal to the first preset value, the number of sub-behaviours with identical sequence identifiers is looked up according to the sequence identifiers with which the sub-behaviours are executed.
In an embodiment of the present invention, if the number of identical sub-behaviours is less than or equal to the first preset value, the program to be identified and the malicious program sample do not share many identical sub-behaviours. The number of sub-behaviours with identical sequence identifiers then needs to be looked up according to the sequence identifiers with which the sub-behaviours are executed, so that the program to be identified is further judged by the execution order of its sub-behaviours.
209b. If the number of sub-behaviours with identical sequence identifiers is greater than a second preset value, the program to be identified is determined to be a malicious program, and the malicious program is intercepted from executing the corresponding operation.
The second preset value is less than the first preset value. If, among the sequence identifiers with which the sub-behaviours are executed, many sub-behaviours have identical sequence identifiers, this likewise indicates a very high similarity between the program to be identified and the malicious program sample; the program to be identified is therefore determined to be a malicious program and is intercepted from executing the corresponding operation.
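The chain generation of steps 204 to 205 and the two comparison rules with their thresholds of steps 207 to 209b, as an added Python example that is not part of the patent; the sub-behaviour names, monitored events, sample chain and the two preset values are constructed for illustration.

```python
# Added example, not the patent's own code. Sub-behaviour names, events,
# sample chains and the two preset values below are constructed.
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SubBehaviour:
    seq: int    # sequence identifier: position in execution order (step 205)
    name: str   # the monitored instruction, e.g. "create_process" (step 204)


def build_chain(events: list[tuple[float, str]]) -> list[SubBehaviour]:
    """Sort monitored (timestamp, instruction) events into execution order
    and label each one with a sequence identifier (steps 204-205)."""
    ordered = sorted(events, key=lambda e: e[0])
    return [SubBehaviour(seq=i, name=name) for i, (_, name) in enumerate(ordered)]


def count_identical(candidate: list[SubBehaviour], sample: list[SubBehaviour]) -> int:
    """Rule 1 (step 207): identical sub-behaviours regardless of position.
    Multiset intersection, so a sub-behaviour repeated in one chain is only
    counted as often as it also occurs in the other."""
    return sum((Counter(s.name for s in candidate) & Counter(s.name for s in sample)).values())


def count_same_sequence(candidate: list[SubBehaviour], sample: list[SubBehaviour]) -> int:
    """Rule 2 (step 208b): sub-behaviours that are identical AND carry the
    same sequence identifier in both chains."""
    sample_by_seq = {s.seq: s.name for s in sample}
    return sum(1 for s in candidate if sample_by_seq.get(s.seq) == s.name)


def classify(candidate, sample, first_preset: int, second_preset: int) -> Optional[tuple[str, int]]:
    """Steps 208a/208b/209b against one sample chain: the rule that fired
    and its count, or None when neither preset value is exceeded."""
    if second_preset >= first_preset:
        raise ValueError("step 209b: the second preset value must be less than the first")
    identical = count_identical(candidate, sample)
    if identical > first_preset:                       # step 208a
        return ("identical_count", identical)
    same_seq = count_same_sequence(candidate, sample)  # step 208b
    if same_seq > second_preset:                       # step 209b
        return ("same_sequence_count", same_seq)
    return None


def classify_against_db(candidate, database: dict, first_preset: int,
                        second_preset: int) -> Optional[tuple[str, str, int]]:
    """Steps 206-209b over the whole local database; the caller intercepts
    the program as soon as any stored sample chain matches."""
    for sample_id, chain in database.items():
        hit = classify(candidate, chain, first_preset, second_preset)
        if hit is not None:
            return (sample_id, hit[0], hit[1])
    return None


# Constructed local database: one sample chain recorded in the sandbox
# (steps 201-203). Timestamps are the sandbox's own execution order.
SAMPLE_DB = {
    "sample_trojan_A": build_chain([
        (0.10, "create_process"), (0.20, "call_account_service"),
        (0.30, "set_service_parameters"), (0.40, "collect_info"),
        (0.50, "check_network_state"), (0.60, "connect_remote_host"),
    ]),
}
FIRST_PRESET, SECOND_PRESET = 3, 2   # constructed thresholds, second < first

# Constructed candidates. Events are given out of order on purpose so that
# build_chain has to sort them (step 205).
CANDIDATE_REORDERED = build_chain([      # same sub-behaviours, different order
    (0.30, "create_process"), (0.10, "collect_info"),
    (0.20, "check_network_state"), (0.40, "call_account_service"),
    (0.50, "set_service_parameters"),
])
CANDIDATE_PREFIX = build_chain([         # only the first three match, in place
    (0.10, "create_process"), (0.20, "call_account_service"),
    (0.30, "set_service_parameters"), (0.40, "open_file"),
    (0.50, "read_file"), (0.60, "list_directories"),
])
CANDIDATE_BENIGN = build_chain([
    (0.10, "open_file"), (0.20, "read_file"),
    (0.30, "close_file"), (0.40, "create_process"),
])

if __name__ == "__main__":
    for label, chain in [("reordered", CANDIDATE_REORDERED),
                         ("prefix", CANDIDATE_PREFIX),
                         ("benign", CANDIDATE_BENIGN)]:
        verdict = classify_against_db(chain, SAMPLE_DB, FIRST_PRESET, SECOND_PRESET)
        print(label, "->", "intercept" if verdict else "allow", verdict)
```

The reordered candidate is caught by rule 1 alone (all five sub-behaviours occur in the sample), while the prefix candidate has only three identical sub-behaviours, not above the first preset value, and is caught by rule 2 because those three sit at the same positions.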
Further, as a specific implementation of the method of Fig. 1, an embodiment of the present invention provides a program identification device. As shown in Fig. 3, the device includes an acquiring unit 31, a generation unit 32, a comparing unit 33 and a judging unit 34.
The acquiring unit 31 may be used to obtain the behaviour chain of a malicious program sample executing an operation behaviour and to store that behaviour chain in a local database;
the generation unit 32 may be used to generate, when it is detected that a program to be identified executes an operation behaviour, the behaviour chain of the program to be identified executing the operation behaviour;
the comparing unit 33 may be used to compare for similarity the behaviour chain of the program to be identified executing the operation behaviour with the behaviour chain of the malicious program sample in the local database executing its operation behaviour;
the judging unit 34 may be used to determine, if the similarity comparison result meets a similarity condition, that the program to be identified is a malicious program and to intercept the malicious program from executing the corresponding operation.
The present invention provides a program identification device. It obtains the behaviour chain of a malicious program sample executing an operation behaviour and stores it in a local database. Because the behaviour chain records the process by which the malicious program executes the operation behaviour, when it is detected that a program to be identified executes an operation behaviour, the behaviour chain of the program to be identified can be compared for similarity with the behaviour chains of the malicious program samples in the local database; a program to be identified whose similarity comparison result meets the similarity condition is determined to be a malicious program and is intercepted from executing the corresponding operation. Compared with the prior art, which identifies only malicious programs that have already acted, the embodiment of the present invention extracts the behaviour chain of the malicious program's operation behaviour and compares it with the behaviour chain of the program to be identified; a program that has not yet acted but has the same operation behaviour has a high similarity to the malicious program, and a program with higher similarity is determined to be malicious. This improves the safety of program execution and reduces the security risk of the operating system.
As a further explanation of the program identification device, Fig. 4 is a structural schematic diagram of another program identification device according to an embodiment of the present invention. As shown in Fig. 4, the acquiring unit 31 includes:
a collection module 311, which may be used to collect malicious program samples and extract the operation behaviour of each malicious program sample;
a parsing module 312, which may be used to parse the operation behaviour of the malicious program sample by a sandbox mechanism to obtain the behaviour chain of the malicious program sample executing the operation behaviour;
a storage module 313, which may be used to store the behaviour chain of the malicious program sample executing the operation behaviour in the local database.
Further, the parsing module 312 may specifically be used to monitor, through the sandbox mechanism, the behavioural operations performed while the malicious program sample executes the operation behaviour, obtaining the multiple sub-behaviours generated by the malicious program sample during the operation behaviour;
the parsing module 312 may specifically also be used to sort the multiple sub-behaviours generated by the malicious program sample during the operation behaviour according to their execution order, obtaining the behaviour chain of the malicious program sample executing the operation behaviour.
Further, the generation unit 32 includes:
an obtaining module 321, which may be used to obtain, when it is detected that a program to be identified executes an operation behaviour, the multiple sub-behaviours generated by the program to be identified while executing the operation behaviour;
a sorting module 322, which may be used to sort the multiple sub-behaviours generated by the program to be identified while executing the operation behaviour according to their execution order, generating the behaviour chain of the program to be identified executing the operation behaviour.
Further, the comparing unit 33 includes:
an extraction module 331, which may be used to extract respectively the multiple sub-behaviours in the behaviour chain of the program to be identified executing the operation behaviour and the multiple sub-behaviours in the behaviour chain of the malicious program sample in the local database executing its operation behaviour, obtaining the multiple sub-behaviours corresponding to the program to be identified and the multiple sub-behaviours corresponding to the malicious program sample;
a comparison module 332, which may be used to compare for similarity the multiple sub-behaviours corresponding to the program to be identified with the multiple sub-behaviours corresponding to the malicious program sample according to a preset comparison rule.
Further, where the preset comparison rule includes comparing similarity according to the number of identical sub-behaviours between corresponding behaviour chains,
the comparison module 322 may specifically be used to traverse respectively the multiple sub-behaviours corresponding to the program to be identified and the multiple sub-behaviours corresponding to the malicious program sample, counting the number of identical sub-behaviours;
the comparison module 322 may specifically also be used to compare for similarity the multiple sub-behaviours corresponding to the program to be identified with the multiple sub-behaviours corresponding to the malicious program sample according to the number of identical sub-behaviours;
the judging unit 34 may also be used to determine, if the number of identical sub-behaviours is greater than a first preset value, that the program to be identified is a malicious program and to intercept the malicious program from executing the corresponding operation.
Further, where the preset comparison rule also includes comparing similarity according to the sequence identifiers with which the sub-behaviours in corresponding behaviour chains are executed,
the comparison module 322 may specifically also be used to traverse respectively the multiple sub-behaviours corresponding to the program to be identified and the multiple sub-behaviours corresponding to the malicious program sample, recording the sequence identifier with which each sub-behaviour is executed;
the comparison module 322 may specifically also be used to compare for similarity the multiple sub-behaviours corresponding to the program to be identified with the multiple sub-behaviours corresponding to the malicious program sample according to the sequence identifiers with which the sub-behaviours are executed;
the judging unit 34 may also be used to look up, if the number of identical sub-behaviours is less than or equal to the first preset value, the number of sub-behaviours with identical sequence identifiers according to the sequence identifiers with which the sub-behaviours are executed;
the judging unit 34 may also be used to determine, if the number of sub-behaviours with identical sequence identifiers is greater than a second preset value, that the program to be identified is a malicious program and to intercept the malicious program from executing the corresponding operation, the second preset value being less than the first preset value.
It should be noted that, for other corresponding descriptions of the functional units involved in the program identification device provided in this embodiment, reference may be made to the corresponding descriptions of Fig. 1 and Fig. 2, which are not repeated here.
Correspondingly, based on the methods shown in Fig. 1 and Fig. 2 above, this embodiment also provides a storage medium on which a computer program is stored; when executed by a processor, the program implements the program identification method shown in Fig. 1 and Fig. 2 above.
Based on this understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a removable hard disk, etc.) and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute the methods described in the implementation scenarios of the present application.
Based on the methods shown in Fig. 1 and Fig. 2 and the virtual device embodiments shown in Fig. 3 and Fig. 4 above, and to achieve the above purpose, an embodiment of the present application also provides a computer device, which may specifically be a personal computer, a server, a network device, etc. The physical device includes a storage medium and a processor; the storage medium stores a computer program, and the processor executes the computer program to implement the program identification method shown in Fig. 1 and Fig. 2 above.
Optionally, the computer device may also include a user interface, a network interface, a camera, a radio frequency (RF) circuit, a sensor, an audio circuit, a Wi-Fi module, etc. The user interface may include a display, an input unit such as a keyboard, etc., and may optionally also include a USB interface, a card reader interface, etc. The network interface may optionally include a standard wired interface and a wireless interface (such as a Bluetooth interface or a Wi-Fi interface).
Those skilled in the art will understand that the physical device structure for program identification provided in this embodiment does not constitute a limitation on the physical device, which may include more or fewer components, combine certain components, or arrange the components differently.
The storage medium may also include an operating system and a network communication module. The operating system is a program that manages the hardware and software resources of the above computer device and supports the running of the message handling program and other software and/or programs. The network communication module is used to implement communication between the components inside the storage medium and communication with other hardware and software in the physical device.
Through the above description of the embodiments, those skilled in the art can clearly understand that the present application may be implemented by software together with a necessary general-purpose hardware platform, or by hardware. Compared with the prior art, the technical solution of the present application extracts the behaviour chain of the malicious program executing the operation behaviour and compares it with the behaviour chain of the program to be identified; a program that has not yet acted but has the same operation behaviour has a high similarity to the malicious program, and a program with higher similarity is determined to be malicious, which improves the safety of program execution and reduces the security risk of the operating system.
Those skilled in the art will understand that the accompanying drawings are merely schematic diagrams of a preferred implementation scenario, and that the modules or processes in the drawings are not necessarily required to implement the present application. Those skilled in the art will also understand that the modules in the device of an implementation scenario may be distributed in the device of that scenario as described, or may be correspondingly changed so as to be located in one or more devices different from those of the scenario. The modules of the above implementation scenario may be merged into one module or further split into multiple sub-modules.
The above serial numbers of the present application are for description only and do not represent the superiority or inferiority of the implementation scenarios. What is disclosed above is only a few specific implementation scenarios of the present application; the present application is not limited to these, and any changes that a person skilled in the art can conceive shall fall within the scope of protection of the present application.

Claims (10)

1. A program identification method, characterised in that the method includes:
obtaining a behaviour chain of a malicious program sample executing an operation behaviour, and storing the behaviour chain of the malicious program sample executing the operation behaviour in a local database;
when it is detected that a program to be identified executes an operation behaviour, generating the behaviour chain of the program to be identified executing the operation behaviour;
comparing for similarity the behaviour chain of the program to be identified executing the operation behaviour with the behaviour chain of the malicious program sample in the local database executing the operation behaviour;
if the similarity comparison result meets a similarity condition, determining that the program to be identified is a malicious program, and intercepting the malicious program from executing the corresponding operation.
2. The method according to claim 1, characterised in that obtaining the behaviour chain corresponding to the malicious program sample and storing the behaviour chain corresponding to the malicious program sample in the local database includes:
collecting the malicious program sample and extracting the operation behaviour of the malicious program sample;
parsing the operation behaviour of the malicious program sample by a sandbox mechanism to obtain the behaviour chain of the malicious program sample executing the operation behaviour;
storing the behaviour chain of the malicious program sample executing the operation behaviour in the local database.
3. The method according to claim 2, characterised in that parsing the operation behaviour of the malicious program sample by the sandbox mechanism to obtain the behaviour chain of the malicious program sample executing the operation behaviour includes:
monitoring, through the sandbox mechanism, the behavioural operations performed while the malicious program sample executes the operation behaviour, to obtain multiple sub-behaviours generated by the malicious program sample during the operation behaviour;
sorting the multiple sub-behaviours generated by the malicious program sample during the operation behaviour according to their execution order, to obtain the behaviour chain of the malicious program sample executing the operation behaviour.
4. The method according to claim 1, characterised in that, when it is detected that the program to be identified executes the operation behaviour, generating the behaviour chain of the program to be identified executing the operation behaviour includes:
when it is detected that the program to be identified executes the operation behaviour, obtaining multiple sub-behaviours generated by the program to be identified while executing the operation behaviour;
sorting the multiple sub-behaviours generated by the program to be identified while executing the operation behaviour according to their execution order, to generate the behaviour chain of the program to be identified executing the operation behaviour.
5. The method according to claim 1, characterised in that comparing for similarity the behaviour chain of the program to be identified executing the operation behaviour with the behaviour chain of the malicious program sample in the local database executing the operation behaviour includes:
extracting respectively the multiple sub-behaviours in the behaviour chain of the program to be identified executing the operation behaviour and the multiple sub-behaviours in the behaviour chain of the malicious program sample in the local database executing the operation behaviour, to obtain the multiple sub-behaviours corresponding to the program to be identified and the multiple sub-behaviours corresponding to the malicious program sample;
comparing for similarity the multiple sub-behaviours corresponding to the program to be identified with the multiple sub-behaviours corresponding to the malicious program sample according to a preset comparison rule.
6. The method according to claim 5, characterised in that the preset comparison rule includes comparing similarity according to the number of identical sub-behaviours between corresponding behaviour chains, and comparing for similarity the multiple sub-behaviours corresponding to the program to be identified with the multiple sub-behaviours corresponding to the malicious program sample according to the preset rule includes:
traversing respectively the multiple sub-behaviours corresponding to the program to be identified and the multiple sub-behaviours corresponding to the malicious program sample, and counting the number of identical sub-behaviours;
comparing for similarity the multiple sub-behaviours corresponding to the program to be identified with the multiple sub-behaviours corresponding to the malicious program sample according to the number of identical sub-behaviours;
and, if the similarity comparison result meets the similarity condition, determining that the program to be identified is a malicious program and intercepting the malicious program from executing the corresponding operation specifically includes:
if the number of identical sub-behaviours is greater than a first preset value, determining that the program to be identified is a malicious program, and intercepting the malicious program from executing the corresponding operation.
7. The method according to claim 5, characterised in that the preset comparison rule further includes comparing similarity according to the sequence identifiers with which the sub-behaviours in corresponding behaviour chains are executed, and comparing for similarity the multiple sub-behaviours corresponding to the program to be identified with the multiple sub-behaviours corresponding to the malicious program sample according to the preset rule includes:
traversing respectively the multiple sub-behaviours corresponding to the program to be identified and the multiple sub-behaviours corresponding to the malicious program sample, and recording the sequence identifier with which each sub-behaviour is executed;
comparing for similarity the multiple sub-behaviours corresponding to the program to be identified with the multiple sub-behaviours corresponding to the malicious program sample according to the sequence identifiers with which the sub-behaviours are executed;
and, if the similarity comparison result meets the similarity condition, determining that the program to be identified is a malicious program and intercepting the malicious program from executing the corresponding operation specifically further includes:
if the number of identical sub-behaviours is less than or equal to the first preset value, looking up the number of sub-behaviours with identical sequence identifiers according to the sequence identifiers with which the sub-behaviours are executed;
if the number of sub-behaviours with identical sequence identifiers is greater than a second preset value, determining that the program to be identified is a malicious program, and intercepting the malicious program from executing the corresponding operation, the second preset value being less than the first preset value.
8. A program identification device, characterised in that the device includes:
an acquiring unit, for obtaining a behaviour chain of a malicious program sample executing an operation behaviour and storing the behaviour chain of the malicious program sample executing the operation behaviour in a local database;
a generation unit, for generating, when it is detected that a program to be identified executes an operation behaviour, the behaviour chain of the program to be identified executing the operation behaviour;
a comparing unit, for comparing for similarity the behaviour chain of the program to be identified executing the operation behaviour with the behaviour chain of the malicious program sample in the local database executing the operation behaviour;
a judging unit, for determining, if the similarity comparison result meets a similarity condition, that the program to be identified is a malicious program, and intercepting the malicious program from executing the corresponding operation.
9. A computer device, including a memory and a processor, the memory storing a computer program, characterised in that the processor, when executing the computer program, implements the steps of the method according to any one of claims 1 to 7.
10. A computer storage medium on which a computer program is stored, characterised in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 7.
Application CN201811641190.XA, priority date 2018-12-29, filing date 2018-12-29: Program identification method and device. Status: Pending. Publication CN109800569A (en).

Publication: CN109800569A (en), published 2019-05-24.

CN107247902A (en) Malware categorizing system and method
CN110674479B (en) Abnormal behavior data real-time processing method, device, equipment and storage medium
CN110071924B (en) Big data analysis method and system based on terminal
CN109726601A (en) The recognition methods of unlawful practice and device, storage medium, computer equipment
CN107103237A (en) A kind of detection method and device of malicious file
Sethi et al. A novel malware analysis for malware detection and classification using machine learning algorithms
US11222115B2 (en) Data scan system
CN115630373B (en) Cloud service security analysis method, monitoring equipment and analysis system
Sharma et al. Survey for detection and analysis of android malware (s) through artificial intelligence techniques
CN109299610A (en) Dangerous sensitizing input verifies recognition methods in Android system
US11822666B2 (en) Malware detection
CN111125701B (en) File detection method, equipment, storage medium and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Applicant after: Qianxin Safety Technology (Zhuhai) Co.,Ltd.

Applicant after: Qianxin Technology Group Co., Ltd

Address before: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Applicant before: 360 ENTERPRISE SECURITY TECHNOLOGY (ZHUHAI) Co.,Ltd.

Applicant before: Beijing Qianxin Technology Co., Ltd