CN110457905A - Virus detection method, device, computer equipment and storage medium for a sample - Google Patents

Info

Publication number: CN110457905A
Application number: CN201910740513.9A
Authority: CN (China)
Prior art keywords: sample, virus, detected, record, type
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 姜澎, 毕磊, 于涛, 马劲松, 崔精兵
Original and current assignee: Tencent Cloud Computing Beijing Co Ltd
Application filed by Tencent Cloud Computing Beijing Co Ltd

Classifications

    • G PHYSICS; G06 COMPUTING, CALCULATING OR COUNTING; G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/245 Query processing (under G06F16/24 Querying; G06F16/20 Information retrieval of structured data, e.g. relational data; G06F16/00 Information retrieval, database structures and file system structures therefor)
    • G06F21/562 Static detection (under G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements; G06F21/55 Detecting local intrusion or implementing counter-measures; G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements, eliminating virus, restoring damaged files (same parent classes as G06F21/562)


Abstract

The present invention relates to a virus detection method, device, computer equipment and storage medium for a sample, and belongs to the field of antivirus technology. The method comprises: obtaining a sample to be detected; comparing the sample to be detected with a type record table in an anti-virus database and obtaining a type identification result from the comparison; if the type identification result indicates that the type of the sample to be detected is recognizable, searching the anti-virus database by a multi-pattern matching algorithm for a matching feature record; and determining the virus detection result of the sample to be detected from the matching feature record. This solution addresses the problem of an overly long response time for sample virus detection: without relying on a configuration file, the virus detection result of a sample can be determined accurately from the anti-virus database alone, which effectively shortens the response time of sample virus detection.

Description

Method for detecting virus, device, computer equipment and the storage medium of sample
Technical field
The present invention relates to the field of antivirus technology, and in particular to a virus detection method, device, computer equipment and storage medium for a sample.
Background technique
Antivirus technology usually performs virus detection on a given sample through an antivirus engine. The detection functions of such an engine are powerful and complex, and different strategies and schemes are needed for different application scenarios and requirements. In traditional antivirus technology, the detection behaviour and strategy of the antivirus engine are usually controlled through a configuration file; for example, the configuration file instructs the engine to enable or disable detection for a certain class of samples.
In the course of realizing the present invention, the inventors found that the traditional approach has at least the following problem: antivirus technology driven by a configuration file requires modification of the engine code, because only a code change can give the engine the ability to identify a specific new virus sample. Modified engine code must then pass through the standard test and release process, which usually takes one to two weeks. The response time for sample virus detection is therefore too long, which is unacceptable in many practical scenarios.
Summary of the invention
On this basis, embodiments of the present invention provide a virus detection method, device, computer equipment and storage medium for a sample that can effectively shorten the response time of sample virus detection.
The content of the embodiments of the present invention is as follows:
In a first aspect, an embodiment of the present invention provides a virus detection method for a sample, comprising the following steps: obtaining a sample to be detected; comparing the sample to be detected with a type record table in an anti-virus database, and obtaining a type identification result from the comparison; if the type identification result indicates that the type of the sample to be detected is recognizable, searching the anti-virus database by a multi-pattern matching algorithm for a matching feature record; and determining the virus detection result of the sample to be detected from the matching feature record.
In one embodiment, the step of searching the anti-virus database by a multi-pattern matching algorithm for a matching feature record comprises: obtaining a registry key value for the sample to be detected; and, if the registry key value is non-zero, searching the anti-virus database by the multi-pattern matching algorithm for the matching feature record. The feature records are stored in the anti-virus database in standard JSON format.
In one embodiment, after the step of obtaining the registry key value for the sample to be detected, the method further comprises: if the registry key value is zero, stopping the virus detection of the sample to be detected.
In one embodiment, the step of determining the virus detection result of the sample to be detected from the matching feature record comprises: determining the characteristic data in the matching feature record; judging from the characteristic data whether the sample to be detected is a virus sample; and obtaining the virus detection result from that judgement.
In one embodiment, if the registry key value is non-zero, then after the step of determining the virus detection result of the sample to be detected from the matching feature record, the method further comprises: if the virus detection result indicates that the sample to be detected is a virus sample, determining a first maximum sample size from the registry key value; and, if the sample size of the sample to be detected is less than or equal to the first maximum sample size, controlling the antivirus engine to execute a preset virus-killing routine on the sample to be detected.
In one embodiment, after the step of obtaining the sample to be detected, the method further comprises: obtaining a target type identifier of the sample to be detected; determining from the target type identifier whether the sample to be detected is of a recognizable type; if not, executing the step of comparing the sample to be detected with the type record table in the anti-virus database; and if so, searching the anti-virus database for an existing type record corresponding to the target type identifier, and performing the virus-killing operation according to that existing type record.
In one embodiment, the step of performing the virus-killing operation according to the existing type record comprises: determining the sample size of the sample to be detected; adjusting, according to that sample size, the maximum sample size of the corresponding target sample in the existing type record; and controlling the antivirus engine, according to the adjusted second maximum sample size, to execute the preset virus-killing routine on the sample to be detected.
In a second aspect, an embodiment of the present invention provides a virus detection device for a sample, comprising: a sample acquisition module for obtaining a sample to be detected; a type identification module for comparing the sample to be detected with the type record table in the anti-virus database and obtaining a type identification result from the comparison; a record search module for searching the anti-virus database by a multi-pattern matching algorithm for a matching feature record when the type identification result indicates that the type of the sample to be detected is recognizable; and a result determination module for determining the virus detection result of the sample to be detected from the matching feature record.
In a third aspect, an embodiment of the present invention provides computer equipment comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, carries out the following steps: obtaining a sample to be detected; comparing the sample to be detected with the type record table in an anti-virus database and obtaining a type identification result from the comparison; if the type identification result indicates that the type of the sample to be detected is recognizable, searching the anti-virus database by a multi-pattern matching algorithm for a matching feature record; and determining the virus detection result of the sample to be detected from the matching feature record.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, carrying out the following steps: obtaining a sample to be detected; comparing the sample to be detected with the type record table in an anti-virus database and obtaining a type identification result from the comparison; if the type identification result indicates that the type of the sample to be detected is recognizable, searching the anti-virus database by a multi-pattern matching algorithm for a matching feature record; and determining the virus detection result of the sample to be detected from the matching feature record.
One of the technical solutions above has the following advantages or beneficial effects: after the sample to be detected is obtained, it is compared with the type record table in the anti-virus database to obtain a type identification result; the type identification result determines whether the type of the sample is recognizable, and if it is, a multi-pattern matching algorithm searches the anti-virus database for a matching feature record, from which the virus detection result of the sample is determined. Without relying on a configuration file, the virus detection result of the sample to be detected can be determined accurately from the anti-virus database, which effectively shortens the response time of sample virus detection and improves its efficiency.
Detailed description of the invention
Fig. 1 is a diagram of the application environment of the virus detection method for a sample in one embodiment;
Fig. 2 is a flow diagram of the virus detection method for a sample in one embodiment;
Fig. 3 is a schematic diagram of the structure of the anti-virus database in one embodiment;
Fig. 4 is a schematic diagram of the structure of the anti-virus database in another embodiment;
Fig. 5 is a schematic diagram of an interface display in one embodiment;
Fig. 6 is a flow diagram of the virus detection method for a sample in another embodiment;
Fig. 7 is a flow diagram of the virus detection method for a sample in a further embodiment;
Fig. 8 is a flow diagram of a virus detection method for a sample implemented through a configuration file, in one embodiment;
Fig. 9 is a structural block diagram of the virus detection device for a sample in one embodiment.
Specific embodiment
In order to make the objectives, technical solutions and advantages of the present invention clearer, the present invention is further described below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to illustrate the present invention and are not intended to limit it.
A reference to an "embodiment" herein means that a particular feature, structure or characteristic described in connection with that embodiment may be included in at least one embodiment of the present application. The appearances of this phrase at various places in the description do not necessarily refer to the same embodiment, nor to an independent or alternative embodiment that is mutually exclusive with other embodiments. Those skilled in the art will understand, explicitly and implicitly, that the embodiments described herein may be combined with other embodiments.
The virus detection method for a sample provided by the present application can be applied to computer equipment as shown in Fig. 1. The computer equipment may be a server or a terminal device, and its internal structure may be as shown in Fig. 1. The computer equipment comprises a processor, a memory, a network interface and a display screen connected through a system bus. The processor provides computing and control capability. The memory comprises a non-volatile storage medium and an internal memory: the non-volatile storage medium stores an operating system, a computer program (which, when executed by the processor, implements the virus detection method for a sample) and a database, while the internal memory provides the runtime environment for the operating system and the computer program held on the non-volatile storage medium. The database stores the data involved in executing the virus detection method for a sample, for example the existing type record table, the type record table and the feature record table. The network interface communicates with external terminals over a network connection, for example to receive a sample to be detected sent by an external terminal. The display screen may be a liquid crystal display or an electronic ink display. Further, the server may be an independent server or a server cluster composed of multiple servers, and the terminal device may be, but is not limited to, a personal computer, a laptop, a smartphone, a tablet computer or a portable wearable device.
Those skilled in the art will understand that the structure shown in Fig. 1 is only a block diagram of the part of the structure relevant to the solution of the present application and does not limit the computer equipment to which the solution is applied; a specific computer equipment may include more or fewer components than shown, combine certain components, or arrange the components differently.
Embodiments of the present invention provide a virus detection method, device, computer equipment and storage medium for a sample. Each is described in detail below.
In one embodiment, an embodiment of the present invention provides a virus detection method for a sample. Besides being applied in the computer equipment of Fig. 1, the method can be applied in an application program or functional code running on computer equipment, such as an antivirus engine or antivirus software. As shown in Fig. 2, the method is described below as applied to an antivirus engine (also referred to simply as the engine in some embodiments of the present invention), and comprises the following steps:
S201: obtaining a sample to be detected.
The antivirus engine can be operated by antivirus software on the computer equipment. The antivirus software can detect samples on the disk of the computer equipment and on external devices in real time, determine the virus detection result of each sample, and carry out virus cleaning when a sample is determined to be a virus. Among these samples, those already determined to be a virus or not a virus may be called detected samples, while those for which it has not yet been determined whether they are virus samples may be called samples to be detected. Besides being obtained through detection by the antivirus engine, a sample to be detected may also be sent by an external device connected to the computer equipment.
Further, a sample to be detected is a sample whose risk is unknown, that is, one for which it is not yet known whether it is a virus sample; it usually refers to a newly emerged malicious file sample of unknown type (one the antivirus engine has not detected before, or about which the anti-virus database stores no information). The sample may be a program segment, an application program, a whole file or part of a file, and the file may contain text, pictures, audio and similar information.
In addition, the number of samples to be detected may be one, two or more; where there are two or more, the antivirus engine may perform sample virus detection synchronously or asynchronously.
S202: comparing the sample to be detected with the type record table in the anti-virus database, and obtaining a type identification result from the comparison.
The anti-virus database is a database storing information related to the anti-virus process (virus types, virus feature information and the like); it can store the feature information of many samples whose virus detection result (virus or non-virus) has already been determined. The type identification result characterizes whether the antivirus engine is able to perform virus detection and killing on a given sample, and may be either "type recognizable" or "type unrecognizable"; a recognizable type is one for which the antivirus engine can perform virus detection and killing. If the anti-virus database stores the sample feature information of a given sample to be detected, the type of that sample is considered recognizable and the antivirus engine can perform the virus-killing operation on it.
Further, the type record table records type-related information about samples whose virus detection result is known; these samples may be the samples newly emerged within a set past period, or all samples whose virus detection result has been determined. One type record (also called a type feature) in the type record table may look as follows:
    {
        "md5": "0005db9bfbeefff9aadddbb147608ba3",
        "name": "bmp_vbs",
        "id": "203",
        "use": "1",
        "bb_1": "424D0A062020EB6E90207620202820",
        "fz": "800000"
    }
Here the "md5" field holds the md5 value of one sample of this class; "name" is the name of the class; "id" is the type value of the class, used to identify samples of this class; "use" gives the validity of the record, where 1 means the record is valid and 0 means it is invalid and the engine may ignore it; "bb_1" holds the characteristic data of the class, represented here as a hexadecimal string; and "fz" is the maximum recognizable size for samples of this class (if a sample of this class is larger than the value of "fz", the engine does not detect it). Such records allow the antivirus engine to easily recognize and detect samples of the class.
In some embodiments the structure of the anti-virus database may be as shown in Fig. 3: the anti-virus database contains a type record table and a feature record table. The type record table records the type identifiers of newly added recognizable samples; the feature record table stores feature records, and a feature record holds the characteristic data of a type recorded in the type record table. A mapping relation can be established between the type record table and the feature record table; for example, if type A, type B and type C are recorded in the type record table, the feature record table records the characteristic information corresponding to type A, type B and type C. Further, the mapping between the type record table and the feature record table may or may not be one-to-one.
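As an added illustration (not code from the patent or from Tencent), the following Python loads a database of the shape just described: it validates type records with the field names shown above, ignores records whose "use" flag is 0, decodes "bb_1" from its hex string and "fz" as a hex size, and keeps the mapping from each type record to its feature records, including a type that has none. The first type record is the one shown on the page; the other two records, the feature-record layout (an "id" and a "virus" flag) and all function names are constructed for this example.

```python
"""Loading an anti-virus database with a type record table and a feature
record table (the Fig. 3 layout). Added example, not code from the patent
or from Tencent: the type-record field names come from the page, while the
feature-record layout, the sample data and the function names are assumed.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TypeRecord:
    md5: str          # md5 of one sample of the class
    name: str         # class name
    type_id: str      # "id": the type identifier
    pattern: bytes    # "bb_1" decoded from its hex string
    max_size: int     # "fz": maximum recognizable size, a hex string like 1f0000


REQUIRED_FIELDS = ("md5", "name", "id", "use", "bb_1", "fz")


def parse_type_record(obj: dict) -> Optional[TypeRecord]:
    """Validate one JSON type record. Returns None when "use" is "0" (the
    engine ignores such records); raises ValueError for a malformed record."""
    missing = [k for k in REQUIRED_FIELDS if k not in obj]
    if missing:
        raise ValueError(f"type record missing fields {missing}")
    if obj["use"] not in ("0", "1"):
        raise ValueError(f"bad use flag {obj['use']!r}")
    if obj["use"] == "0":
        return None
    try:
        pattern = bytes.fromhex(obj["bb_1"])
        max_size = int(obj["fz"], 16)
    except ValueError as exc:
        raise ValueError(f"bad hex field in record {obj['name']!r}: {exc}") from exc
    if not pattern or max_size <= 0:
        raise ValueError(f"empty bb_1 or non-positive fz in record {obj['name']!r}")
    return TypeRecord(obj["md5"], obj["name"], obj["id"], pattern, max_size)


def is_valid_type_record(obj: dict) -> bool:
    """True when the record is well-formed (a "use": "0" record is well-formed but ignored)."""
    try:
        parse_type_record(obj)
        return True
    except ValueError:
        return False


@dataclass
class AntiVirusDatabase:
    types: Dict[str, TypeRecord] = field(default_factory=dict)     # type id -> type record
    features: Dict[str, List[dict]] = field(default_factory=dict)  # type id -> feature records


def load_database(type_table_json: str, feature_table_json: str) -> AntiVirusDatabase:
    """Build the database from the two JSON tables, keeping only valid type records."""
    db = AntiVirusDatabase()
    for obj in json.loads(type_table_json):
        rec = parse_type_record(obj)
        if rec is not None:
            db.types[rec.type_id] = rec
    for feat in json.loads(feature_table_json):
        db.features.setdefault(feat["id"], []).append(feat)
    return db


def features_for_type(db: AntiVirusDatabase, type_id: str) -> List[dict]:
    """The type record -> feature record mapping. It need not be one-to-one: a
    known type may have no feature record, and an ignored type is unreachable."""
    if type_id not in db.types:
        return []
    return db.features.get(type_id, [])


# Constructed sample tables. The first type record is the one shown on the page;
# the other two records and the feature table are made up for this example.
TYPE_TABLE_JSON = """[
  {"md5": "0005db9bfbeefff9aadddbb147608ba3", "name": "bmp_vbs", "id": "203",
   "use": "1", "bb_1": "424D0A062020EB6E90207620202820", "fz": "800000"},
  {"md5": "00000000000000000000000000000000", "name": "retired_type", "id": "150",
   "use": "0", "bb_1": "4D5A", "fz": "100000"},
  {"md5": "11111111111111111111111111111111", "name": "doc_macro", "id": "317",
   "use": "1", "bb_1": "D0CF11E0A1B11AE1", "fz": "1f0000"}
]"""
FEATURE_TABLE_JSON = """[
  {"id": "203", "virus": "1", "bb_1": "424D0A062020EB6E90207620202820"},
  {"id": "150", "virus": "1", "bb_1": "4D5A"}
]"""

if __name__ == "__main__":
    db = load_database(TYPE_TABLE_JSON, FEATURE_TABLE_JSON)
    for type_id, rec in db.types.items():
        print(type_id, rec.name, hex(rec.max_size),
              len(features_for_type(db, type_id)), "feature record(s)")
```

Parsing "fz" as hex follows the page's own reading of "1f0000" as 0x1f0000; the loader rejects a malformed record outright rather than silently storing an empty pattern, because a type record with no characteristic bytes would later match nothing while still claiming the type is recognizable.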
S203: if the type identification result indicates that the type of the sample to be detected is recognizable, searching the anti-virus database by a multi-pattern matching algorithm for a matching feature record.
The anti-virus database may contain many feature records, and these feature records may hold the characteristic data of many files. The characteristic data can be identification information indicating whether a specific sample is a virus; for example, a feature record may contain a virus identifier which, when set to 1, indicates that the specific sample is a virus and, when set to 0, indicates that it is not.
Different subsequent operations can be carried out for different type identification results. For example, when the type identification result is "type recognizable", the virus check of the sample to be detected continues, whereas when it is "type unrecognizable", the virus check of the sample to be detected is stopped.
This step searches for the matching feature record according to the type identification result: the search is carried out when the type identification result is "type recognizable", while when it is "type unrecognizable" no search is performed and the virus detection process for the sample to be detected ends.
Further, because this step searches for the matching feature record only after the type identification result of the sample to be detected has been determined, this detection logic keeps sample virus detection orderly while lowering both the management cost of the sample virus detection process (the feature record search can be skipped when the type identification result is "type unrecognizable") and its execution cost.
The feature record matching the sample to be detected can be hit by a conventional multi-pattern matching algorithm. The multi-pattern matching algorithm may be any of the multi-pattern matching algorithms in common use, such as the Aho-Corasick algorithm or the Wu-Manber algorithm. Of course, besides multi-pattern matching algorithms, feature records can also be matched by other matching algorithms.
S204: determining the virus detection result of the sample to be detected from the matching feature record.
In this step, the characteristic data in the matching feature record determines whether the sample to be detected is a virus sample, which yields the virus detection result.
Of course, besides whether the sample is a virus sample, the virus detection result may also include sample information such as the virus danger level of the sample, the virus-killing mode, the sample size and the number of such samples in the computer equipment.
Further, when the antivirus engine loads the anti-virus database during initialization, it obtains the detection logic held in the anti-virus database and performs later file detection according to that logic. The detection logic of the present embodiment is essentially: the antivirus engine first determines the type identification result from the type record table, then searches for the matching feature record according to the type identification result, and determines the virus detection result.
The file detection method provided by the above embodiment has the following technical effects. 1. Following the configured control strategy, the antivirus engine can determine the virus detection result of the sample to be detected accurately from the type record table and the feature record table in the anti-virus database, without relying on a configuration file (typically a file with the .ini suffix, usually kept in the directory of the antivirus engine). Updating the anti-virus database usually takes only a few hours, so the antivirus engine can detect a given unknown sample after at most a few hours; this realizes a response that controls unknown risks, effectively shortens the response time of sample virus detection, and greatly improves the emergency response capability of the engine. 2. The core control file of the antivirus engine is the anti-virus database, which is a file the engine needs in order to run anyway, so reliance on the configuration-file strategy can be eliminated. This makes the whole mechanism flexibly cross-platform (a platform here being an operating system platform such as Windows, Linux or Mac) without requiring development support from the external product (the product here being the antivirus software containing the antivirus engine, for example Tencent PC Manager), which reduces operating cost.
In one embodiment, the step of comparing the sample to be detected with the type record table in the anti-virus database and obtaining the type identification result from the comparison comprises: obtaining the target type identifier of the sample to be detected; comparing the target type identifier with the type identification information in the type record table; if the target type identifier is present in the type identification information, obtaining the type identification result "type recognizable"; and if the target type identifier is absent from the type identification information, obtaining the type identification result "type unrecognizable".
The type identifier may be a character string or code that serves as a marker; the "id" in the previous embodiment can serve as the type identifier. Further, if the target type identifier of the sample to be detected is "203", then by comparison with each record in the type record table of the anti-virus database it is found that the type identifier of the sample named "bmp_vbs" agrees with the target type identifier, and the type identification result of the sample to be detected is determined to be "type recognizable"; conversely, if no type identifier agreeing with the target type identifier is found in the type record table, the type identification result of the sample to be detected is determined to be "type unrecognizable".
Further, the anti-virus database may be the genlib.def database.
In one embodiment, after the step of obtaining the type identification result "type unrecognizable", the method further comprises: executing a preset unknown virus detection routine. The preset unknown virus detection routine may be a predetermined Unk detection logic, where Unk may be the default handling of unknown samples that the antivirus engine used before it had access to the genlib.def database, that is, a more conventional way of processing samples.
In some embodiments, the type identification result can also be determined by a multi-pattern matching algorithm: the multi-pattern matching algorithm determines whether a matching type identifier exists in the type record table; if it does, the type identification result is "type recognizable", and if it does not, the type identification result is "type unrecognizable".
The virus detection method for a sample provided by the above embodiment determines the type identification result from the comparison of the target type identifier with the type record table in the anti-virus database, and can thus accurately determine whether the antivirus engine has the ability to perform virus killing on the sample to be detected, before subsequent operations are executed.
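To make steps S202 to S204 and the type identification embodiment just described concrete, the following Python is an added example (not code from the patent or from Tencent). It decides "type recognizable" by looking the target type identifier up in the type record table, then runs an Aho-Corasick multi-pattern search of the sample bytes against the characteristic data of that type's feature records, and reads the verdict from the matched records' virus identifier. Only the "203"/"bmp_vbs" record and its "bb_1" value come from the page; the other table entries, the feature-record layout, the constructed sample bytes and the function names are assumptions.

```python
"""Steps S202-S204 on a small in-memory database: type identification by
target type identifier, Aho-Corasick search for matching feature records,
and the virus verdict read from the matched records. Added example, not
code from the patent or from Tencent; the tables, the feature-record
layout and the function names are assumptions.
"""
from collections import deque
from typing import Dict, Iterable, List, Set


class AhoCorasick:
    """Multi-pattern byte matcher (Aho-Corasick, one of the algorithms the page names)."""

    def __init__(self, patterns: Iterable[bytes]):
        self.goto: List[Dict[int, int]] = [{}]   # state -> (byte -> next state)
        self.fail: List[int] = [0]               # failure link per state
        self.out: List[List[int]] = [[]]         # pattern indices that end at a state
        for idx, pat in enumerate(patterns):
            state = 0
            for b in pat:
                nxt = self.goto[state].get(b)
                if nxt is None:
                    nxt = len(self.goto)
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    self.goto[state][b] = nxt
                state = nxt
            self.out[state].append(idx)
        # Breadth-first pass builds the failure links and merges outputs along them
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, data: bytes) -> Set[int]:
        """Indices of every pattern occurring anywhere in data, found in one pass."""
        state, hits = 0, set()
        for b in data:
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            hits.update(self.out[state])
        return hits


# Constructed tables. A feature record here carries the type id it belongs
# to, its characteristic bytes as hex and the virus identifier (1 = virus).
TYPE_TABLE = {"203": "bmp_vbs", "317": "doc_macro"}      # type id -> class name
FEATURE_TABLE = [
    {"id": "203", "name": "bmp_vbs", "bb_1": "424D0A062020EB6E90207620202820", "virus": "1"},
    {"id": "203", "name": "bmp_plain", "bb_1": "424D0A0620202020", "virus": "0"},
    {"id": "317", "name": "doc_macro", "bb_1": "D0CF11E0A1B11AE1", "virus": "1"},
]
# Constructed sample: the page's bb_1 bytes followed by padding
SAMPLE_BMP = bytes.fromhex("424D0A062020EB6E90207620202820") + b"\x00" * 32


def identify_type(type_table: Dict[str, str], target_type_id: str) -> str:
    """S202: the type is recognizable iff the target type identifier is in the type record table."""
    return "recognizable" if target_type_id in type_table else "unrecognizable"


def detect(sample: bytes, target_type_id: str,
           type_table: Dict[str, str] = TYPE_TABLE,
           feature_table: List[dict] = FEATURE_TABLE) -> dict:
    """S202-S204 for one sample: type identification result, names of the
    matched feature records, and the verdict."""
    result = {"type": identify_type(type_table, target_type_id), "matched": [], "verdict": "unknown"}
    if result["type"] == "unrecognizable":
        return result   # S203 is skipped; the engine falls back to its default unknown handling
    candidates = [r for r in feature_table if r["id"] == target_type_id]
    matcher = AhoCorasick(bytes.fromhex(r["bb_1"]) for r in candidates)
    hits = sorted(matcher.search(sample))
    result["matched"] = [candidates[i]["name"] for i in hits]
    # S204: the virus identifier of the matched records decides; no hit means no evidence of a virus
    result["verdict"] = "virus" if any(candidates[i]["virus"] == "1" for i in hits) else "clean"
    return result


if __name__ == "__main__":
    print(detect(SAMPLE_BMP, "203"))
    print(detect(b"hello world", "203"))
    print(detect(SAMPLE_BMP, "999"))
```

Restricting the automaton to the feature records of the identified type is what makes the S202 gate pay off: the multi-pattern search only ever carries the patterns of one class, and an unrecognizable type never reaches it.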
In one embodiment, before the step of comparing the sample to be detected with the type record table in the anti-virus database, the method further comprises: obtaining multiple feature records; and processing the multiple feature records with a predetermined database generation tool to generate the anti-virus database.
The anti-virus database usually contains 1 to N feature records (the specific value of N is determined by the actual circumstances). The 1 to N feature records can be turned into the anti-virus database by a dedicated database generation tool, and the generated anti-virus database is loaded and used by the antivirus engine. Further, the database generation tool can also process feature records together with type records to generate the anti-virus database.
The above embodiment generates the anti-virus database from feature records and type records; an anti-virus database generated in this way can be easily loaded and used by the antivirus engine, so that the antivirus engine performs file detection according to the configured detection logic.
In one embodiment, the step of searching the anti-virus database by a multi-pattern matching algorithm for a matching feature record comprises: obtaining the registry key value of the sample to be detected; and, if the registry key value is non-zero, searching the anti-virus database by the multi-pattern matching algorithm for the matching feature record.
The registry key value may be a DWORD value or similar. DWORD stands for Double Word: a word is 2 bytes long, so a DWORD is 4 bytes, and with 8 bits per byte it is 32 bits in total. Further, out of consideration for the running performance (such as speed) of the antivirus engine and the anti-virus database, the size of the samples the antivirus engine handles can be limited to some extent; an embodiment of the present invention uses the DWORD value to control whether the antivirus engine may detect a sample to be detected (if the size of the sample to be detected is greater than the number corresponding to the DWORD value, the antivirus engine does not detect it). Specifically, a non-zero DWORD value characterizes the maximum sample size of each class of samples in the type record table, and the maximum sample size characterizes the sample size the antivirus engine is able to handle during virus killing.
Further, if the registry key value is non-zero, then after the step of determining the virus detection result of the sample to be detected from the matching feature record, the method further comprises: if the virus detection result indicates that the sample to be detected is a virus sample, determining a first maximum sample size from the registry key value; and, if the sample size of the sample to be detected is less than or equal to the first maximum sample size, controlling the antivirus engine to execute the preset virus-killing routine on the sample to be detected.
For example, the following two program segments set the maximum value (maximum sample size) of the sample size the anti-virus engine detects for the 7z and zip formats to 0x1f0000:
Program segment 1:
"name":"@eng:7z",
"fz":"1f0000"
Program segment 2:
"name":"@eng:zip",
"fz":"1f0000"
If the sample size of a sample to be detected is greater than 0x1f0000, the anti-virus engine does not perform the virus scan-and-kill operation on it.
Further, in one embodiment, after the step of obtaining the registry key value of the sample to be detected, the method further includes: if the registry key value is zero, stopping the virus detection of the sample to be detected.
When the DWORD value is zero, the anti-virus engine cannot detect the sample to be detected; when the DWORD value is non-zero, the anti-virus engine can detect the sample to be detected within the maximum sample size.
The above embodiment uses the DWORD value in the anti-virus engine database to switch the engine's detection function for samples of a recognizable type on or off, and also to control the sample size the engine can detect, thereby realizing intelligent anti-virus scanning and removal.
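The size gate described above, as an added worked example that is not code from the patent or from the engine it describes: the records follow the shape of the two program segments ("name" and "fz" as a hex string); the "@eng:pdf" record with "fz":"0", the function names and the return labels are assumptions made for the illustration. A zero DWORD value switches detection off, a non-zero value is the maximum sample size, and raising the limit (the text's 3M sample against a 4M genlib.def limit) is what lets a previously skipped sample through.

```python
import json
import struct

# Constructed type records in the shape of the two program segments above.
# "name" is the engine type name and "fz" the maximum sample size as a hex
# string; this is the DWORD value the text describes, and 0 switches detection
# off. The "@eng:pdf" record with "fz":"0" is a constructed addition.
TYPE_RECORDS_JSON = """
[
  {"name": "@eng:7z",  "fz": "1f0000"},
  {"name": "@eng:zip", "fz": "1f0000"},
  {"name": "@eng:pdf", "fz": "0"}
]
"""


def dword_from_bytes(raw):
    """Decode a 4-byte little-endian DWORD as it would be read from a registry value."""
    if len(raw) != 4:
        raise ValueError("a DWORD is exactly 4 bytes")
    return struct.unpack("<I", raw)[0]


def load_type_records(text):
    """Parse the JSON records into {type name: maximum sample size in bytes}."""
    table = {}
    for rec in json.loads(text):
        table[rec["name"]] = int(rec["fz"], 16)
    return table


def scan_decision(table, type_name, sample_size):
    """Apply the page's rule for one sample.

    Returns 'unknown_type' when the type has no record, 'disabled' when the
    DWORD value is zero, 'too_large' when the sample exceeds the maximum sample
    size, and 'scan' when the engine may run its scan-and-kill procedure.
    """
    if type_name not in table:
        return "unknown_type"
    max_size = table[type_name]
    if max_size == 0:
        return "disabled"
    if sample_size > max_size:
        return "too_large"
    return "scan"


def adjust_max_size(table, type_name, new_max_size):
    """Change the recorded limit; this is the genlib.def adjustment the text
    describes (a 3M sample is skipped until the limit is raised to 4M)."""
    table[type_name] = new_max_size
    return table[type_name]


def adjustment_demo():
    """Decision for a 3 MiB zip sample before and after raising the limit to 4 MiB."""
    table = load_type_records(TYPE_RECORDS_JSON)
    three_mib, four_mib = 3 * 1024 * 1024, 4 * 1024 * 1024
    before = scan_decision(table, "@eng:zip", three_mib)   # limit is 0x1f0000, so skipped
    adjust_max_size(table, "@eng:zip", four_mib)
    after = scan_decision(table, "@eng:zip", three_mib)    # now within the limit
    return before, after


if __name__ == "__main__":
    print(adjustment_demo())                         # ('too_large', 'scan')
    t = load_type_records(TYPE_RECORDS_JSON)
    print(scan_decision(t, "@eng:pdf", 10))          # disabled
```

The decision function is deliberately separate from the table so the same rule can be applied to the existing type record table and the new type record table alike.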
In one embodiment, the feature records are stored in the anti-virus database in the standard JSON format.
In another embodiment, the type identification information may also be stored in the anti-virus database in the standard JSON format.
JSON is a lightweight data interchange format that is easy for people to read and write and also easy for machines to parse and generate. Storing the type identification information and the feature records in standard JSON format, as the above embodiments do, effectively improves the efficiency of writing and using the database, as well as the efficiency of recording in the type record table and the feature record table, and thereby improves the efficiency of sample virus detection.
In one embodiment, the step of determining the virus detection result of the sample to be detected from the matching feature record includes: determining the characteristic data in the matching feature record; judging from the characteristic data whether the sample to be detected is a virus sample; and obtaining the virus detection result from the judgement.
The characteristic data in one feature record may be as follows:
"md5":"010df30f4f1e90d56ec9577b4aaa567c",
"name":"Trojan.Script.Agent",
"id":"203",
"fs_2":"Mailx.Attachments.Add(dirsystem&\"\\Mawanella.vbs\")",
"fs_3":"Mailx.DeleteAfterSubmit=True"
Here "name" describes the virus name of this feature and "id" describes the number of this feature, from which the anti-virus engine can identify the feature; when detecting an unknown sample, the engine first hits the type feature and only then matches the feature records having the same type feature; "fs_2" and "fs_3" describe the characteristic data of this feature, which contain the virus description information.
Further, the anti-virus engine can determine from the virus description information in the characteristic data whether the corresponding sample to be detected is a virus sample, and obtain the virus detection result accordingly.
Further, the characteristic data may also include the type identifier of the corresponding type; after querying the type record table, the anti-virus engine can query the corresponding feature record by the type identifier and determine from the characteristic data in the feature record whether the sample to be detected is a virus sample.
The above embodiment determines whether the sample to be detected is a virus sample from the characteristic data in the hit feature record; the determination process is simple and efficient and can effectively improve the efficiency of sample virus detection.
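The JSON feature record table and the multi-pattern search over it, as an added worked example that is not code from the patent or from the engine it describes. It covers both the JSON storage of feature records discussed above and the determination of the virus detection result from the hit record's characteristic data. The first record copies the fields shown on the page; the second record, its placeholder md5, the rule that a record hits only when every one of its "fs_*" strings occurs in the sample, and the class and function names are assumptions. The matcher is a standard Aho-Corasick automaton, chosen here because it finds every pattern of the table in a single pass over the sample.

```python
import json
from collections import deque

# Constructed feature record table in the JSON shape shown above. The first
# record copies the page's fields; the second is a constructed marker record
# whose md5 is a placeholder.
FEATURE_RECORDS_JSON = r'''
[
  {"md5": "010df30f4f1e90d56ec9577b4aaa567c",
   "name": "Trojan.Script.Agent",
   "id": "203",
   "fs_2": "Mailx.Attachments.Add(dirsystem&\"\\Mawanella.vbs\")",
   "fs_3": "Mailx.DeleteAfterSubmit=True"},
  {"md5": "00000000000000000000000000000000",
   "name": "Test.Marker.Constructed",
   "id": "999",
   "fs_1": "CONSTRUCTED_MARKER_STRING"}
]
'''


class MultiPatternMatcher:
    """Aho-Corasick automaton over bytes: all patterns are found in one pass
    over the sample, so the cost does not grow with the number of records."""

    def __init__(self, patterns):
        self.goto = [{}]       # state -> {byte value: next state}
        self.out = [set()]     # state -> patterns that end in this state
        self.fail = [0]        # state -> state of its longest proper suffix
        for p in patterns:
            self._add(p)
        self._build_failure_links()

    def _add(self, pattern):
        state = 0
        for b in pattern:
            nxt = self.goto[state].get(b)
            if nxt is None:
                nxt = len(self.goto)
                self.goto.append({})
                self.out.append(set())
                self.fail.append(0)
                self.goto[state][b] = nxt
            state = nxt
        self.out[state].add(pattern)

    def _build_failure_links(self):
        queue = deque(self.goto[0].values())   # depth-1 states fail to the root
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]   # inherit suffix matches

    def find(self, data):
        """Return the set of patterns occurring anywhere in data (bytes)."""
        found, state = set(), 0
        for b in data:
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            if self.out[state]:
                found |= self.out[state]
        return found


def load_feature_records(text):
    """Parse the JSON table; the fs_* fields are the characteristic strings."""
    records = json.loads(text)
    for rec in records:
        rec["patterns"] = [v.encode() for k, v in rec.items() if k.startswith("fs_")]
    return records


def detect(records, matcher, sample):
    """Virus detection result: (is_virus, [(id, name), ...]) for every record
    whose fs_* strings all occur in the sample (assumed hit rule)."""
    found = matcher.find(sample)
    hits = [(r["id"], r["name"]) for r in records
            if r["patterns"] and all(p in found for p in r["patterns"])]
    return bool(hits), hits


def scan_sample(sample, table_json=FEATURE_RECORDS_JSON):
    """Build the table and automaton, then scan one sample."""
    records = load_feature_records(table_json)
    matcher = MultiPatternMatcher({p for r in records for p in r["patterns"]})
    return detect(records, matcher, sample)


# Constructed test sample: two lines carrying the record's fs_2 and fs_3
# strings plus a comment line; it is not a working script.
SAMPLE_VBS = (b"' constructed sample for testing the matcher\r\n"
              b'Mailx.Attachments.Add(dirsystem&"\\Mawanella.vbs")\r\n'
              b"Mailx.DeleteAfterSubmit=True\r\n")

if __name__ == "__main__":
    print(scan_sample(SAMPLE_VBS))        # (True, [('203', 'Trojan.Script.Agent')])
    print(scan_sample(b"harmless data"))  # (False, [])
```

Requiring all "fs_*" strings of a record keeps a single common substring from producing a false positive; a real engine would also check the md5 field, which this example leaves out.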
In some embodiments, the structure of the anti-virus database may be as shown in Fig. 4: the anti-virus database contains a library identifier, an existing type record table, a type record table (which, to distinguish it from the existing type record table, may also be called the new type record table) and a feature record table. The library identifier identifies the current anti-virus database and distinguishes it from other anti-virus databases (there may be multiple anti-virus databases in the embodiment of the present invention; the anti-virus engine can access a specific anti-virus database by its library identifier, and different anti-virus databases can record the information of different samples). The existing type record table may record the types of samples the anti-virus engine can recognize, their sample sizes, their characteristic data and similar information; the existing types may include common types such as PE, Office, zip and pdf. The type record table and the feature record table are as described in the previous embodiments.
With the development of network technology there are more and more kinds of viruses. The anti-virus database of the embodiment of the present invention records the information of the various viruses that can be recognized, and records information such as the types of these viruses in the type record table. In this way viruses of a particular type can be accurately recognized, i.e. the multiple virus samples belonging to a certain type can all be recognized, which effectively improves the efficiency of sample virus detection. Of course, the type record table may also refer to the type information of a specific virus sample, which makes virus detection of that specific virus sample possible and improves the accuracy of sample virus detection.
Further, the information in the type record table and the feature record table may be transferred periodically to the existing type record table, and new type records and feature records added, to ensure that the anti-virus engine can detect a greater variety of samples.
Further, when the type identification result of the sample to be detected is "type not recognizable", the anti-virus database may be triggered to obtain the information relevant to the sample to be detected (i.e. to update the anti-virus database) and to add the obtained information to the type record table and the feature record table, so that the anti-virus engine can detect the sample to be detected in time and determine its virus detection result.
In one embodiment, after the step of obtaining the sample to be detected, the method further includes: obtaining the target type identifier of the sample to be detected; determining from the target type identifier whether the sample to be detected is of a recognizable type; if not, executing the step of comparing the sample to be detected with the type record table in the anti-virus database; if so, searching the anti-virus database for the target existing type record corresponding to the target type identifier and performing the virus scan-and-kill operation according to the target existing type record.
Further, the step of performing the virus scan-and-kill operation according to the target existing type record includes: determining the sample size of the sample to be detected; if the sample size is non-zero, adjusting, according to the sample size, the second maximum sample size corresponding to the target sample in the target existing type record, and controlling the anti-virus engine to execute the preset virus scan-and-kill procedure on the sample to be detected according to the adjusted second maximum sample size; and, if the sample size is zero, stopping the virus detection of the sample to be detected. The virus scan-and-kill procedure may refer to the procedure for cleaning the virus.
Determining from the target type identifier whether the sample to be detected is of a recognizable type may be implemented as follows: the target type identifier is compared with a list of recognizable types stored in memory or in another database, and whether the sample to be detected is of a recognizable type is determined from the comparison result. Further, the list of recognizable types may be determined from the virus types the anti-virus engine has previously detected.
Before controlling the anti-virus engine to execute the preset virus scan-and-kill procedure on the sample to be detected according to the adjusted second maximum sample size, a step of running detection and parsing logic on the sample to be detected may also be included; the detection and parsing logic yields the state of the sample to be detected and the position and handling method of the virus program it contains, and so on, so that the anti-virus engine can carry out the virus scan-and-kill procedure smoothly.
It should be noted that, if the sample to be detected is not a virus sample, the virus scan-and-kill procedure may be a scan of the sample to be detected or another procedure, rather than necessarily the procedure for cleaning the virus.
Adjusting the maximum sample size may refer to limiting the size value of a target file in genlib.def in order to control whether the anti-virus engine detects the sample. For example: if the size of the sample to be detected, 3M, exceeds the engine's sample size limit, then before the maximum sample size in genlib.def is adjusted the engine will not handle this kind of sample, but after the maximum sample size in genlib.def is adjusted the engine can handle the sample according to the size set in genlib.def; if the maximum sample size corresponding to genlib.def is now 4M, then since 4M > 3M the anti-virus engine will go on to handle this sample. This way of handling greatly extends the range of files the anti-virus engine can detect.
In the above embodiment, before the sample to be detected is compared with the information in the type record table of the anti-virus database, it is first judged whether it is of a recognizable type. If it is of a recognizable type, its maximum sample size is adjusted, so that the anti-virus engine can be controlled to execute the preset virus scan-and-kill procedure on the sample to be detected according to the adjusted maximum sample size; if it is of an unrecognizable type, virus detection of the sample is carried out through the anti-virus database (by executing the step of comparing the sample to be detected with the type record table in the anti-virus database and then determining the virus detection result). The above implementation can be understood as hierarchical detection. Level one: when the sample to be detected can be directly determined to be of a recognizable type, the anti-virus engine is directly controlled to execute the preset virus scan-and-kill procedure on the sample to be detected according to the adjusted maximum sample size. Level two: if the sample to be detected is determined to be of an unrecognizable type, it is detected through the anti-virus database to obtain the virus detection result. This tiered processing can effectively improve the efficiency of sample virus detection.
In one embodiment, the computer equipment on which the anti-virus engine runs may show information about the sample virus detection process on its interface. As shown in Fig. 5, when the anti-virus engine obtains the sample to be detected (i.e. an item of unknown risk), the interface shows Fig. 5(a); if the sample to be detected is determined to be of a recognizable type, the sample virus scan-and-kill process is carried out and Fig. 5(b) may be shown on the interface; if the sample to be detected is determined to be of an unrecognizable type, the anti-virus database is queried and the type of the file to be detected is determined according to the logic of the anti-virus database, with Fig. 5(c) shown on the interface; it is then further determined whether the sample to be detected is recorded in the anti-virus database (i.e. whether its type is recognizable), which decides whether the subsequent virus sample detection work proceeds: if so, Fig. 5(d) is shown on the interface; if not, Fig. 5(e) is shown. Further, when the file to be detected is determined to be a virus file, the interface may also show "The item of unknown risk has been determined to be a risk file; the virus file is about to be removed", and the file to be detected is cleaned.
In one embodiment, as shown in Fig. 6, the embodiment of the invention provides a sample virus detection method; the following description takes the method as applied to an anti-virus engine as an example, and it includes the following steps:
S601: obtain the sample to be detected.
S602: obtain the target type identifier of the sample to be detected; determine from the target type identifier whether the type of the sample to be detected is a recognizable type.
S603: if the type of the sample to be detected is a recognizable type, search the anti-virus database for the target existing type record corresponding to the target type identifier, and determine the sample size of the sample to be detected.
S6031: if the sample size is non-zero, adjust, according to the sample size, the second maximum sample size of the corresponding target sample in the target existing type record; according to the adjusted second maximum sample size, control the anti-virus engine to execute the preset virus scan-and-kill procedure on the sample to be detected.
S6032: if the sample size is zero, stop the virus detection of the sample to be detected.
S604: if the type of the sample to be detected is an unrecognizable type, compare the target type identifier with the type identification information in the type record table.
S605: if the target type identifier exists in the type identification information, the type identification result is "type recognizable"; obtain the DWORD value of the target type identifier.
S6051: if the DWORD value is non-zero, search the anti-virus database for the matching feature record by the multi-pattern matching algorithm, and determine the virus detection result of the sample to be detected from the matching feature record.
S6052: if the DWORD value is zero, stop the virus detection of the sample to be detected.
S606: if the target type identifier does not exist in the type identification information, the type identification result is "type not recognizable"; execute the preset unknown virus detection procedure.
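The two-level flow S601 to S606 run over the database structure of Fig. 4 (library identifier, existing type record table, new type record table, feature record table), as an added worked example that is not code from the patent or from the engine it describes. The database contents, the type identifiers, the policy that "adjusting according to the sample size" raises the limit to the sample size, and the result labels are all assumptions; the feature search in level two is a plain substring check standing in for the multi-pattern algorithm, and the zero-DWORD check for existing types follows S7042 in the application example below.

```python
import json

# Constructed anti-virus database in the structure the text describes (Fig. 4).
# Every identifier and value is constructed; hex size strings follow the "fz"
# convention of the program segments shown earlier.
DB_JSON = r'''
{
  "lib_id": "constructed-genlib-001",
  "existing_types": {
    "zip": {"dword": "1f0000"},
    "pe":  {"dword": "400000"},
    "pdf": {"dword": "0"}
  },
  "new_types": {
    "vbs": {"dword": "1f0000"},
    "elf": {"dword": "0"}
  },
  "features": [
    {"id": "203", "name": "Trojan.Script.Agent", "type": "vbs",
     "fs_3": "Mailx.DeleteAfterSubmit=True"}
  ]
}
'''


def load_db(text):
    """Parse the JSON database, converting hex DWORD strings to integers."""
    db = json.loads(text)
    for table in ("existing_types", "new_types"):
        for rec in db[table].values():
            rec["dword"] = int(rec["dword"], 16)
    for rec in db["features"]:
        rec["patterns"] = [v.encode() for k, v in rec.items() if k.startswith("fs_")]
    return db


def adjust_max_size(rec, sample_size):
    """S6031: adjust the existing type's maximum sample size according to the
    sample size. Assumed policy: raise the limit to the sample size when the
    sample is larger (the text's 3M sample / 4M limit case)."""
    rec["dword"] = max(rec["dword"], sample_size)
    return rec["dword"]


def match_features(db, type_id, sample):
    """S6051, simplified: ids of this type's feature records whose fs_* strings
    all occur in the sample (substring search instead of the automaton)."""
    return [r["id"] for r in db["features"]
            if r["type"] == type_id and r["patterns"]
            and all(p in sample for p in r["patterns"])]


def detect_sample(db, type_id, sample):
    """Run the hierarchical flow S601-S606 for one sample; returns a result dict."""
    size = len(sample)
    # Level one (S603): the type is in the existing type record table.
    if type_id in db["existing_types"]:
        rec = db["existing_types"][type_id]
        if rec["dword"] == 0:                        # S7042: detection closed
            return {"level": 1, "result": "stopped"}
        if size == 0:                                # S6032
            return {"level": 1, "result": "stopped"}
        limit = adjust_max_size(rec, size)           # S6031
        return {"level": 1, "result": "killed", "max_size": limit}
    # Level two (S604): compare with the (new) type record table.
    if type_id not in db["new_types"]:               # S606: unknown detection
        return {"level": 2, "result": "unknown_detection"}
    dword = db["new_types"][type_id]["dword"]        # S605
    if dword == 0:                                   # S6052
        return {"level": 2, "result": "stopped"}
    hits = match_features(db, type_id, sample)       # S6051
    if not hits:
        return {"level": 2, "result": "clean", "hits": []}
    # First maximum sample size gate from the registry key value.
    if size <= dword:
        return {"level": 2, "result": "killed", "hits": hits}
    return {"level": 2, "result": "virus_too_large", "hits": hits}


if __name__ == "__main__":
    db = load_db(DB_JSON)
    print(db["lib_id"], detect_sample(db, "zip", b"PK" * 1500000))   # level 1, limit raised
    print(detect_sample(db, "vbs", b"x\r\nMailx.DeleteAfterSubmit=True\r\n"))  # level 2 hit
    print(detect_sample(db, "doc", b"\xd0\xcf"))                      # unknown detection
```

Because level one never touches the feature record table, a sample of a known type is handled without any pattern search; only unrecognized types pay for the level-two lookup and matching.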
With the sample virus detection method of the above embodiment, the virus detection result of the sample to be detected can be determined accurately through the anti-virus database without relying on a configuration file. On the other hand, when the anti-virus database cannot recognize the sample to be detected, the anti-virus engine's virus detection function for that sample can be updated by upgrading the anti-virus database, and upgrading the anti-virus database is much more efficient than testing and releasing a configuration file, which greatly reduces the response time of sample virus detection.
In some embodiments, the anti-virus engine may be Tencent's self-developed TAV engine.
In one embodiment, to better understand the above method, an application example of the sample virus detection method of the present invention is described in detail below with reference to Fig. 7, again taking the method as applied to an anti-virus engine as an example.
S701: the anti-virus engine receives the sample to be detected.
S702: the anti-virus engine determines the type identifier of the sample to be detected.
S703: determine from the type identifier whether the type of the sample to be detected is a recognizable type.
S704: if the type of the sample to be detected is a recognizable type, determine the corresponding DWORD value in the existing type record table of the genlib.def database.
S7041: if the DWORD value is non-zero, control the genlib.def database to adjust the maximum sample size in the existing type record table, and complete the virus detection and parsing logic for the sample to be detected.
S7042: if the DWORD value is zero, close the virus detection function for the sample to be detected.
S705: if the type of the sample to be detected is an unrecognizable type, enter the genlib.def detection logic (comprising S706, S707 and S708).
S706: compare the type identifier of the sample to be detected with the feature record table, and judge whether the type of the sample to be detected is recognizable.
S707: if the type of the sample to be detected is recognizable, determine the matching feature record in the feature record table of the anti-virus database by the multi-pattern matching algorithm, and then determine the virus detection result of the sample to be detected.
S708: if the type of the sample to be detected is not recognizable, execute the Unk (unknown) detection logic.
In current anti-virus technology, anti-virus control is usually implemented with a configuration file, which mainly controls whether individual engine functions are switched on or off, for example: switching off virus detection for a certain class of samples for performance reasons; switching off a detection function that is found to produce false positives; or switching on virus detection for a certain class of samples to improve the detection rate. As shown in Fig. 8, when the engine initializes, the external vendor's program loads and parses the configuration file and sets the relevant engine parameters according to it; the anti-virus engine then handles samples according to the settings of the configuration file and obtains the set of virus samples. However, implementing anti-virus control through a configuration file has the following problems. 1. Strong coupling with the product: the product must support the publication of configuration files, and when the engine is applied in scenarios with different requirements for performance, detection rate and stability, the corresponding product must also support handling of the configuration file. 2. The cross-platform support native to the anti-virus engine cannot be used; the external vendor's support for upgrades and other strategies is needed, which increases development and operation costs. 3. For unknown, newly emerging sample file formats, it is difficult for the engine to quickly detect and manage the risk without upgrading its code.
The sample virus detection method provided by the embodiment of the present invention has the following technical effects. 1. Low product coupling: the core control sample of the anti-virus engine exists as a sample of the engine's anti-virus database, which is a necessary sample for running the anti-virus engine, so file detection does not depend on additional support from the product. 2. The cross-platform support native to the anti-virus engine can be used, without increasing the external vendor's development cost. For example, Tencent PC Manager integrates the anti-virus engine inside the product, and its configuration file is supported by the PC Manager client and the back end's gray-release strategy. Because PC Manager is a Windows product it can only run on Windows; to run on other systems (such as macOS or Linux) the product would have to be developed again to support the configuration file strategy, whereas running the embodiment of the present invention on systems such as macOS or Linux only requires upgrading the anti-virus database and no other work. 3. For unknown, newly emerging risks, the anti-virus engine can respond quickly and effectively. In addition, the inventors have found through testing with a large amount of sample data that the embodiment of the present invention does not affect the performance or the detection rate of the anti-virus engine and the anti-virus database.
It should be noted that for the various method embodiments described above, describing for simplicity, it is all expressed as a series of Combination of actions, but those skilled in the art should understand that, the present invention is not limited by the sequence of acts described, because according to According to the present invention, certain steps can use other sequences or carry out simultaneously.
Based on thought identical with the method for detecting virus of the sample in above-described embodiment, the present invention also provides the diseases of sample Malicious detection device, the device can be used for executing the method for detecting virus of above-mentioned sample.For ease of description, the viral diagnosis of sample In the structural schematic diagram of Installation practice, part related to the embodiment of the present invention illustrate only, those skilled in the art can To understand, the restriction of schematic structure not structure twin installation may include or combining certain than illustrating more or fewer components A little components or different component layouts.
As shown in Fig. 9, the sample virus detection device includes a sample acquisition module 901, a type identification module 902, a record search module 903 and a result determining module 904, described in detail as follows:
Sample acquisition module 901, for obtaining the sample to be detected.
Type identification module 902, for comparing the sample to be detected with the type record table in the anti-virus database and obtaining the type identification result from the comparison result.
Record search module 903, for searching the anti-virus database for the matching feature record by the multi-pattern matching algorithm if the sample to be detected is determined from the type identification result to be of a recognizable type.
Result determining module 904, for determining the virus detection result of the sample to be detected from the matching feature record.
With the sample virus detection device provided in this embodiment, the virus detection result of the sample to be detected can be determined accurately through the anti-virus database without relying on a configuration file, which can effectively reduce the response time of sample virus detection.
In one embodiment, the record search module 903 includes: a key value acquisition submodule, for obtaining the registry key value of the sample to be detected; and a record search submodule, for searching the anti-virus database for the matching feature record by the multi-pattern matching algorithm if the registry key value is non-zero; the feature records are stored in the anti-virus database in standard JSON format.
In one embodiment, the record search module 903 further includes: a detection stopping submodule, for stopping the virus detection of the sample to be detected if the registry key value is zero.
In one embodiment, the result determining module 904 includes: a characteristic data determining submodule, for determining the characteristic data in the matching feature record; a sample judging submodule, for judging from the characteristic data whether the sample to be detected is a virus sample; and a detection result determining submodule, for obtaining the virus detection result from the judgement.
In one embodiment, if the registry key value is non-zero, the sample virus detection device further includes: a sample size determining module, for determining the first maximum sample size from the registry key value if the sample to be detected is determined from the virus detection result to be a virus sample; and a first virus scan-and-kill module, for controlling the anti-virus engine to execute the preset virus scan-and-kill procedure on the sample to be detected if the sample size of the sample to be detected is less than or equal to the first maximum sample size.
In one embodiment, the sample virus detection device further includes: a type identifier acquisition module, for obtaining the target type identifier of the sample to be detected; a type judging module, for determining from the target type identifier whether the sample to be detected is of a recognizable type; a comparison execution module, for executing the step of comparing the sample to be detected with the type record table in the anti-virus database if it is not; and a second virus scan-and-kill module, for searching the anti-virus database for the target existing type record corresponding to the target type identifier and performing the virus scan-and-kill operation according to the target existing type record if it is.
In one embodiment, the second virus scan-and-kill module includes: a sample size determining submodule, for determining the sample size of the sample to be detected; a sample size adjusting submodule, for adjusting, according to the sample size, the second maximum sample size corresponding to the target sample in the target existing type record; and a scan-and-kill procedure execution submodule, for controlling the anti-virus engine to execute the preset virus scan-and-kill procedure on the sample to be detected according to the adjusted second maximum sample size.
In one embodiment, the sample virus detection device provided by the present application may be implemented in the form of a computer program, which can run on the computer equipment shown in Fig. 1. The memory of the computer equipment may store the program modules that make up the sample virus detection device, for example the sample acquisition module, type identification module, record search module and result determining module shown in Fig. 9. The computer program formed by these program modules causes the processor to perform the steps of the sample virus detection method of each embodiment of the application described in this specification. For example, the computer equipment shown in Fig. 1 may perform S201 through the sample acquisition module 901 of the sample virus detection device shown in Fig. 9, S202 through the type identification module 902, S203 through the record search module 903 and S204 through the result determining module 904.
In one embodiment, computer equipment is provided that includes a memory and a processor; the memory stores a computer program which, when executed by the processor, causes the processor to perform the steps of the above sample virus detection method. The steps of the sample virus detection method here may be the steps in the sample virus detection method of each of the above embodiments.
In one embodiment, a computer-readable storage medium is provided that stores a computer program which, when executed by a processor, causes the processor to perform the steps of the above sample virus detection method. The steps of the sample virus detection method here may be the steps in the sample virus detection method of each of the above embodiments.
Those of ordinary skill in the art will understand that all or part of the processes in the methods of the above embodiments can be completed by instructing the relevant hardware through a computer program; the program can be stored in a non-volatile computer-readable storage medium and, when executed, may include the processes of the embodiments of each of the above methods. Any reference to memory, storage, a database or other media used in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM).
The technical features of the above embodiments can be combined arbitrarily. For brevity, not all possible combinations of the technical features of the above embodiments are described, but as long as there is no contradiction in the combination of these technical features it should be considered within the scope of this specification.
The above embodiments express only several implementations of the application, and their description is relatively specific and detailed, but this must not be interpreted as limiting the scope of the patent application. It should be pointed out that those of ordinary skill in the art can make various modifications and improvements without departing from the concept of this application, and these fall within the scope of protection of this application. Therefore, the scope of protection of the patent application shall be subject to the appended claims.

Claims (10)

1. A method for virus detection of a sample, characterized by comprising the following steps:
obtaining a sample to be detected;
comparing the sample to be detected against a class record table in an anti-virus database, and obtaining a type identification result according to the comparison result;
if it is determined from the type identification result that the sample to be detected is of a recognizable type, searching for a matching feature record in the anti-virus database by a multi-pattern matching algorithm;
determining the virus detection result of the sample to be detected according to the matching feature record.
2. The method according to claim 1, characterized in that the step of searching for a matching feature record in the anti-virus database by a multi-pattern matching algorithm comprises:
obtaining a registration-table key value of the sample to be detected;
if the registration-table key value is non-zero, searching for a matching feature record in the anti-virus database by a multi-pattern matching algorithm; wherein the feature records are stored in the anti-virus database in JSON standard format.
3. The method according to claim 2, characterized in that, after the step of obtaining the registration-table key value of the sample to be detected, the method further comprises:
if the registration-table key value is zero, stopping the virus detection of the sample to be detected.
4. The method according to claim 2, characterized in that the step of determining the virus detection result of the sample to be detected according to the matching feature record comprises:
determining the characteristic data in the matching feature record;
judging whether the sample to be detected is a virus sample according to the characteristic data;
obtaining the virus detection result according to the judgment result.
5. The method according to claim 4, characterized in that, if the registration-table key value is non-zero, after the step of determining the virus detection result of the sample to be detected according to the matching feature record, the method further comprises:
if it is determined from the virus detection result that the sample to be detected is a virus sample, determining a first maximum sample size according to the registration-table key value;
if the sample size of the sample to be detected is less than or equal to the first maximum sample size, controlling an anti-virus engine to execute a preset virus scanning and removal procedure on the sample to be detected.
6. The method according to any one of claims 1 to 5, characterized in that, after the step of obtaining the sample to be detected, the method further comprises:
obtaining a target type identifier of the sample to be detected;
determining whether the sample to be detected is of a recognizable type according to the target type identifier;
if not, executing the step of comparing the sample to be detected against the class record table in the anti-virus database;
if so, searching the anti-virus database for a target existing-class record corresponding to the target type identifier, and performing a virus scanning and removal operation according to the target existing-class record.
7. The method according to claim 6, characterized in that the step of performing a virus scanning and removal operation according to the target existing-class record comprises:
determining the sample size of the sample to be detected;
adjusting, according to the sample size, a second maximum sample size of the target sample corresponding to the target existing-class record;
controlling the anti-virus engine to execute the preset virus scanning and removal procedure on the sample to be detected according to the adjusted second maximum sample size.
8. A virus detection device for a sample, characterized by comprising:
a sample acquisition module, for obtaining a sample to be detected;
a type identification module, for comparing the sample to be detected against a class record table in an anti-virus database and obtaining a type identification result according to the comparison result;
a record search module, for searching for a matching feature record in the anti-virus database by a multi-pattern matching algorithm if it is determined from the type identification result that the sample to be detected is of a recognizable type;
a result determination module, for determining the virus detection result of the sample to be detected according to the matching feature record.
9. A computer device, comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method according to any one of claims 1 to 7.
10. A computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 7.
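The flow recited in claims 1 to 5 (type identification against a class record table, a registration-table key value that gates the search, multi-pattern matching over feature records kept in JSON, and a maximum sample size that gates the engine scan), as an added worked illustration in Python. This is not the patent's own code: the database layout `AV_DB`, the functions `identify_type()` and `detect_sample()`, the JSON field names, the magic-byte type recognition, and every pattern and sample byte string are constructed assumptions for the demo. The multi-pattern matcher is a minimal Aho-Corasick automaton, which the patent does not name; it stands in for whatever multi-pattern algorithm the engine actually uses.

```python
"""Added illustration of the detection flow recited in claims 1 to 5.
Not the patent's own code: AV_DB, identify_type(), detect_sample(), the JSON
field names, the magic-byte type recognition and every pattern and sample
byte string below are constructed assumptions for this demo."""
import json
from collections import deque

# Constructed anti-virus database.
#  - class_record_table: type label -> leading bytes used to recognise the type.
#  - registration_table: type label -> key value; 0 means "not registered, stop
#    detection" (claim 3); a non-zero value doubles as the first maximum
#    sample size in bytes (claim 5).
#  - feature_records_json: feature records kept in JSON format (claim 2); the
#    hex patterns are invented for the demo and are not real signatures.
AV_DB = {
    "class_record_table": {"pe": b"MZ", "elf": b"\x7fELF", "pdf": b"%PDF"},
    "registration_table": {"pe": 4096, "elf": 4096, "pdf": 0},
    "feature_records_json": json.dumps([
        {"id": "F1", "type": "pe", "pattern_hex": "deadbeef", "malicious": True},
        {"id": "F2", "type": "pe", "pattern_hex": "48656c6c6f", "malicious": False},
        {"id": "F3", "type": "elf", "pattern_hex": "cafebabe", "malicious": True},
    ]),
}


class AhoCorasick:
    """Minimal multi-pattern matcher: every pattern of a type's feature table
    is located in a single pass over the sample bytes."""

    def __init__(self, patterns):
        self.goto, self.out, self.fail = [{}], [set()], [0]
        for idx, pat in enumerate(patterns):          # build the trie
            state = 0
            for b in pat:
                if b not in self.goto[state]:
                    self.goto.append({})
                    self.out.append(set())
                    self.fail.append(0)
                    self.goto[state][b] = len(self.goto) - 1
                state = self.goto[state][b]
            self.out[state].add(idx)
        # Breadth-first construction of failure links; depth-1 states keep fail=0.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]

    def search(self, data):
        """Return the set of pattern indices that occur anywhere in data."""
        state, hits = 0, set()
        for b in data:
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            hits |= self.out[state]
        return hits


def identify_type(sample):
    """Claim 1: compare the sample against the class record table."""
    for label, magic in AV_DB["class_record_table"].items():
        if sample.startswith(magic):
            return label
    return None


def detect_sample(sample):
    """Run the claimed steps and report the outcome of each one."""
    sample_type = identify_type(sample)
    if sample_type is None:                       # type not recognisable
        return {"type": None, "matched": [], "verdict": "unknown", "scan": False}
    key_value = AV_DB["registration_table"].get(sample_type, 0)
    if key_value == 0:                            # claim 3: stop detection
        return {"type": sample_type, "matched": [], "verdict": "stopped", "scan": False}
    records = [r for r in json.loads(AV_DB["feature_records_json"])
               if r["type"] == sample_type]
    matcher = AhoCorasick([bytes.fromhex(r["pattern_hex"]) for r in records])
    matched = [records[i] for i in sorted(matcher.search(sample))]
    is_virus = any(r["malicious"] for r in matched)   # claim 4: characteristic data
    first_max_size = key_value                        # claim 5: size gate
    scan = is_virus and len(sample) <= first_max_size
    return {"type": sample_type, "matched": [r["id"] for r in matched],
            "verdict": "virus" if is_virus else "clean", "scan": scan}


if __name__ == "__main__":
    # Constructed samples for the demo; none of them is real malware.
    for s in (b"MZ" + b"\0" * 10 + b"\xde\xad\xbe\xef" + b"Hello",
              b"%PDF-1.4 constructed",
              b"\x7fELF" + b"\0" * 20,
              b"MZ" + b"\xde\xad\xbe\xef" + b"\0" * 5000):
        print(detect_sample(s))
```

The size gate in claim 5 is the part worth noticing from an operations standpoint: a sample that matches a malicious feature record but exceeds the first maximum sample size is still reported as a virus, yet the costly engine scan is skipped, so the detection result and the scan decision are separate outputs.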
CN201910740513.9A 2019-08-12 2019-08-12 Method for detecting virus, device, computer equipment and the storage medium of sample Pending CN110457905A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910740513.9A CN110457905A (en) 2019-08-12 2019-08-12 Method for detecting virus, device, computer equipment and the storage medium of sample

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910740513.9A CN110457905A (en) 2019-08-12 2019-08-12 Method for detecting virus, device, computer equipment and the storage medium of sample

Publications (1)

Publication Number Publication Date
CN110457905A true CN110457905A (en) 2019-11-15

Family

ID=68485937

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910740513.9A Pending CN110457905A (en) 2019-08-12 2019-08-12 Method for detecting virus, device, computer equipment and the storage medium of sample

Country Status (1)

Country Link
CN (1) CN110457905A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110881049A (en) * 2019-12-16 2020-03-13 淮安信息职业技术学院 Computer network safety intelligent control system
CN115208690A (en) * 2022-08-09 2022-10-18 中国光大银行股份有限公司 Screening processing system based on data classification and classification

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110881049A (en) * 2019-12-16 2020-03-13 淮安信息职业技术学院 Computer network safety intelligent control system
CN110881049B (en) * 2019-12-16 2022-02-15 淮安信息职业技术学院 Computer network safety intelligent control system
CN115208690A (en) * 2022-08-09 2022-10-18 中国光大银行股份有限公司 Screening processing system based on data classification and classification

Similar Documents

Publication Publication Date Title
Han et al. MalDAE: Detecting and explaining malware based on correlation and fusion of static and dynamic characteristics
US10891378B2 (en) Automated malware signature generation
US9665713B2 (en) System and method for automated machine-learning, zero-day malware detection
WO2019109743A1 (en) Url attack detection method and apparatus, and electronic device
CN101777062B (en) Context-aware real-time computer-protection systems and methods
CN101751535B (en) Data loss protection through application data access classification
TWI720932B (en) System and method for detecting data anomalies by analysing morphologies of known and/or unknown cybersecurity threats
US10380349B2 (en) Security analysis using relational abstraction of data structures
CN108985057B (en) Webshell detection method and related equipment
US11256803B2 (en) Malware detection: selection apparatus, selection method, and selection program
CN112860484A (en) Container runtime abnormal behavior detection and model training method and related device
US11182481B1 (en) Evaluation of files for cyber threats using a machine learning model
Awad et al. Modeling malware as a language
CN110457905A (en) Method for detecting virus, device, computer equipment and the storage medium of sample
CN107491691A (en) A kind of long-range forensic tools Safety Analysis System based on machine learning
CN109388551A (en) There are the method for loophole probability, leak detection method, relevant apparatus for prediction code
WO2023241529A1 (en) Vulnerability information processing method, service apparatus and vulnerability detection module
EP3425549A1 (en) System and method of determining text containing confidential data
KR20190020998A (en) Apparatus, method and system for detecting malicious code
CN114143024A (en) Black box malicious software detection countermeasure sample generation method and device based on generation countermeasure network
Rowe Identifying forensically uninteresting files using a large corpus
US11151250B1 (en) Evaluation of files for cybersecurity threats using global and local file information
CN113810338B (en) Abnormal service address detection method and device, and computer readable storage medium
Ramesh et al. Integrated malware analysis using markov based model in machine learning
KR102495329B1 (en) Malware detection system using lstm method to provide a service vaccine platform with high detction rate

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination