CN110457905A - Method for detecting virus, device, computer equipment and the storage medium of sample - Google Patents
Virus detection method, device, computer equipment and storage medium for samples
- Publication number
- CN110457905A (publication); application number CN201910740513.9A
- Authority
- CN
- China
- Prior art keywords
- sample
- virus
- detected
- record
- type
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F16/00—Information retrieval; Database structures therefor; File system structures therefor > G06F16/20—Information retrieval of structured data, e.g. relational data > G06F16/24—Querying > G06F16/245—Query processing
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55—Detecting local intrusion or implementing counter-measures > G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements > G06F21/562—Static detection
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55—Detecting local intrusion or implementing counter-measures > G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements > G06F21/568—Eliminating virus, restoring damaged files
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- Virology (AREA)
- Health & Medical Sciences (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Computational Linguistics (AREA)
- Data Mining & Analysis (AREA)
- Databases & Information Systems (AREA)
- Measuring Or Testing Involving Enzymes Or Micro-Organisms (AREA)
Abstract
The present invention relates to a virus detection method, device, computer equipment and storage medium for samples, and belongs to the field of anti-virus technology. The method comprises: obtaining a sample to be detected; comparing the sample to be detected against a type record table in an anti-virus database and obtaining a type identification result from the comparison; if the type identification result indicates that the sample to be detected is of a recognizable type, searching the anti-virus database for a matching feature record by means of a multi-pattern matching algorithm; and determining the virus detection result of the sample to be detected according to the matching feature record. This solves the problem that the response time of sample virus detection is too long: without relying on a configuration file, the virus detection result of a sample can be determined accurately from the anti-virus database alone, which effectively shortens the response time of sample virus detection.
Description
Technical field
The present invention relates to the field of anti-virus technology, and in particular to a virus detection method, device, computer equipment and storage medium for samples.
Background technique
Anti-virus technology usually performs virus detection on a given sample through an anti-virus engine. The detection functionality is powerful and complex, and different strategies and schemes are needed for different application scenarios and requirements. In traditional anti-virus technology, the detection behaviour and strategy of the anti-virus engine are usually controlled through a configuration file; for example, the configuration file controls whether the engine enables or disables detection of a certain class of samples.
In the course of making the present invention, the inventors found that the traditional approach has at least the following problem: anti-virus technology implemented through a configuration file still requires the engine code to be modified, because only a code change can add recognition of a specific new virus sample to the engine. A modified engine must then go through the standard test and release process, which usually takes one to two weeks, so the response time of sample virus detection is too long, which is unacceptable in many real-world scenarios.
Summary of the invention
On this basis, embodiments of the present invention provide a virus detection method, device, computer equipment and storage medium for samples that effectively shorten the response time of sample virus detection.
The content of the embodiments of the present invention is as follows:
In a first aspect, an embodiment of the present invention provides a virus detection method for samples, comprising the following steps: obtaining a sample to be detected; comparing the sample to be detected against a type record table in an anti-virus database, and obtaining a type identification result according to the comparison result; if the type identification result indicates that the sample to be detected is of a recognizable type, searching the anti-virus database for a matching feature record by means of a multi-pattern matching algorithm; and determining the virus detection result of the sample to be detected according to the matching feature record.
In one embodiment, the step of searching the anti-virus database for a matching feature record by means of a multi-pattern matching algorithm comprises: obtaining the registry key value of the sample to be detected; and, if the registry key value is non-zero, searching the anti-virus database for the matching feature record by means of the multi-pattern matching algorithm; wherein the feature record is stored in the anti-virus database in standard JSON format.
In one embodiment, after the step of obtaining the registry key value of the sample to be detected, the method further comprises: if the registry key value is zero, stopping virus detection of the sample to be detected.
In one embodiment, the step of determining the virus detection result of the sample to be detected according to the matching feature record comprises: determining the characteristic data in the matching feature record; judging from the characteristic data whether the sample to be detected is a virus sample; and obtaining the virus detection result according to the judgement.
In one embodiment, if the registry key value is non-zero, then after the step of determining the virus detection result of the sample to be detected according to the matching feature record, the method further comprises: if the virus detection result indicates that the sample to be detected is a virus sample, determining a first maximum sample size according to the registry key value; and, if the sample size of the sample to be detected is less than or equal to the first maximum sample size, controlling the anti-virus engine to execute a preset virus scan-and-kill routine on the sample to be detected.
In one embodiment, after the step of obtaining the sample to be detected, the method further comprises: obtaining a target type identifier of the sample to be detected; determining from the target type identifier whether the sample to be detected is of a recognizable type; if not, executing the step of comparing the sample to be detected against the type record table in the anti-virus database; if so, searching the anti-virus database for an existing type record corresponding to the target type identifier, and performing a virus scan-and-kill operation according to the existing type record.
In one embodiment, the step of performing a virus scan-and-kill operation according to the existing type record comprises: determining the sample size of the sample to be detected; adjusting, according to that sample size, the maximum sample size of the corresponding target sample in the existing type record; and, according to the adjusted second maximum sample size, controlling the anti-virus engine to execute the preset virus scan-and-kill routine on the sample to be detected.
In a second aspect, an embodiment of the present invention provides a virus detection device for samples, comprising: a sample acquisition module for obtaining a sample to be detected; a type identification module for comparing the sample to be detected against a type record table in an anti-virus database and obtaining a type identification result according to the comparison result; a record search module for searching the anti-virus database for a matching feature record by means of a multi-pattern matching algorithm if the type identification result indicates that the sample to be detected is of a recognizable type; and a result determination module for determining the virus detection result of the sample to be detected according to the matching feature record.
In a third aspect, an embodiment of the present invention provides computer equipment comprising a memory and a processor, the memory storing a computer program, and the processor, when executing the computer program, performing the following steps: obtaining a sample to be detected; comparing the sample to be detected against a type record table in an anti-virus database, and obtaining a type identification result according to the comparison result; if the type identification result indicates that the sample to be detected is of a recognizable type, searching the anti-virus database for a matching feature record by means of a multi-pattern matching algorithm; and determining the virus detection result of the sample to be detected according to the matching feature record.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, performing the following steps: obtaining a sample to be detected; comparing the sample to be detected against a type record table in an anti-virus database, and obtaining a type identification result according to the comparison result; if the type identification result indicates that the sample to be detected is of a recognizable type, searching the anti-virus database for a matching feature record by means of a multi-pattern matching algorithm; and determining the virus detection result of the sample to be detected according to the matching feature record.
One of the above technical solutions has the following advantages or beneficial effects: after the sample to be detected is obtained, it is compared against the type record table in the anti-virus database to obtain a type identification result; the type identification result determines whether the sample is of a recognizable type, and if so, a matching feature record is searched for in the anti-virus database by a multi-pattern matching algorithm in order to determine the virus detection result of the sample. Without relying on a configuration file, the virus detection result of a sample to be detected can be determined accurately from the anti-virus database alone, which effectively shortens the response time of sample virus detection and improves its efficiency.
Detailed description of the invention
Fig. 1 is a diagram of the application environment of the virus detection method for samples in one embodiment;
Fig. 2 is a flow diagram of the virus detection method for samples in one embodiment;
Fig. 3 is a schematic diagram of the structure of the anti-virus database in one embodiment;
Fig. 4 is a schematic diagram of the structure of the anti-virus database in another embodiment;
Fig. 5 is a schematic diagram of the interface display in one embodiment;
Fig. 6 is a flow diagram of the virus detection method for samples in another embodiment;
Fig. 7 is a flow diagram of the virus detection method for samples in a further embodiment;
Fig. 8 is a flow diagram of a virus detection method for samples implemented by means of a configuration file in one embodiment;
Fig. 9 is a structural block diagram of the virus detection device for samples in one embodiment.
Specific embodiment
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is further described below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are merely illustrative of the present invention and are not intended to limit it.
An "embodiment" referred to here means that a particular feature, structure or characteristic described in connection with the embodiment may be included in at least one embodiment of the present application. The phrase appearing in various places of the description does not necessarily refer to the same embodiment, nor to an independent or alternative embodiment that is mutually exclusive of other embodiments. Those skilled in the art understand, explicitly and implicitly, that the embodiments described here can be combined with other embodiments.
The virus detection method for samples provided by the present application can be applied to computer equipment as shown in Fig. 1. The computer equipment may be a server or a terminal device, and its internal structure may be as shown in Fig. 1. The computer equipment comprises a processor, a memory, a network interface and a display screen connected through a system bus. The processor provides computing and control capability. The memory comprises a non-volatile storage medium and an internal memory; the non-volatile storage medium stores an operating system, a computer program (which, when executed by the processor, implements the virus detection method for samples) and a database, and the internal memory provides the environment for running the operating system and the computer program stored in the non-volatile storage medium. The database stores the data involved in executing the virus detection method for samples, such as the existing type record table, the type record table and the feature record table. The network interface communicates with external terminals over a network connection, for example to receive a sample to be detected sent by an external terminal. The display screen may be a liquid crystal display or an electronic ink display. Further, the server may be implemented as an independent server or as a server cluster composed of multiple servers, and the terminal device may be, but is not limited to, a personal computer, a laptop, a smartphone, a tablet computer or a portable wearable device.
Those skilled in the art will understand that the structure shown in Fig. 1 is only a block diagram of the part of the structure relevant to the present solution and does not limit the computer equipment to which the solution is applied; a particular computer equipment may comprise more or fewer components than shown, combine certain components, or arrange the components differently.
Embodiments of the present invention provide a virus detection method, device, computer equipment and storage medium for samples, each of which is described in detail below.
In one embodiment, an embodiment of the present invention provides a virus detection method for samples. Besides being applicable to the computer equipment of Fig. 1, the method can be applied to an application program or functional code running on that equipment, such as an anti-virus engine or anti-virus software. As shown in Fig. 2, the following description takes the application of the method to an anti-virus engine (also referred to simply as the engine in some embodiments of the present invention) as an example; the method comprises the following steps:
S201: obtaining a sample to be detected.
The anti-virus engine can be run on the computer equipment by anti-virus software or the like. The engine can inspect, in real time, the samples on the disks of the computer equipment and on connected external devices, determine the virus detection result of each sample, and perform virus clean-up when a sample is determined to be a virus. Among these samples, those already determined to be viral or non-viral may be called detected samples, while those whose virus status has not yet been determined are called samples to be detected. Besides being obtained through the engine's own inspection, a sample to be detected may also be sent by an external device connected to the computer equipment.
Further, a sample to be detected is a sample of unknown risk, that is, one not yet known to be a virus sample; it usually refers to a newly appeared malicious file sample of unknown type (one the anti-virus engine has not detected before, or for which the anti-virus database stores no related information). The sample may be a program segment or an application program, or an entire file or part of a file, and the file may contain text, images, audio and similar content.
The number of samples to be detected may be one, two or more; where there are two or more, the anti-virus engine may detect them synchronously or asynchronously.
S202: comparing the sample to be detected against the type record table in the anti-virus database, and obtaining a type identification result according to the comparison result.
Here the anti-virus database is a database storing information related to the anti-virus process (virus types, virus feature information and so on); it may store the feature information of many samples whose virus detection result (virus or non-virus) has already been determined. The type identification result characterizes whether the anti-virus engine has the ability to detect and kill viruses in a given sample, and may be either "type recognizable" or "type unrecognizable"; "type recognizable" means the engine is able to perform virus detection and killing. If the anti-virus database stores the feature information of a sample to be detected, the type of that sample is considered recognizable and the engine can perform a virus scan-and-kill operation on it.
Further, the type record table records type-related information of samples whose virus detection result is known; these samples may be samples that newly appeared within a past period of time, or all samples whose virus detection result has been determined. A type record (also called a type feature) in the type record table may look like this:
"md5": "0005db9bfbeefff9aadddbb147608ba3",
"name": "bmp_vbs",
"id": "203",
"use": "1",
"bb_1": "424D0A062020EB6E90207620202820",
"fz": "800000"
Here "md5" describes an md5 value of a sample of this type; "name" describes the name of this type of sample; "id" describes the type value of this type of sample, which identifies it; "use" describes the validity of this record, 1 meaning the record is valid and 0 meaning it is invalid and the engine may ignore it; "bb_1" describes the characteristic data of this type of sample, given here as a hexadecimal string; and "fz" describes the maximum size for identifying samples of this type (that is, if a sample of this type is larger than the value of "fz", the engine does not detect it). These records let the anti-virus engine easily recognize samples of the types it is asked to detect.
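As an added illustration (not code from the patent), the following Python reads a type record table in the JSON shape shown above and performs the S202 comparison: records whose "use" is "0" are dropped, the remaining ones are indexed by "id", and "bb_1" is decoded from its hexadecimal string into bytes so that it can be checked against a sample. The "bmp_vbs" record is the page's own example; the second record, the sample bytes, and the assumption that the "bb_1" bytes are checked for occurrence anywhere in the sample are constructed here.

```python
import json

# Constructed type record table in the JSON shape shown above. The
# "bmp_vbs" record is the one given in the text; "old_type" is invented
# here to show an invalid record ("use": "0") that the engine ignores.
TYPE_TABLE_JSON = """
[
  {"md5": "0005db9bfbeefff9aadddbb147608ba3", "name": "bmp_vbs", "id": "203",
   "use": "1", "bb_1": "424D0A062020EB6E90207620202820", "fz": "800000"},
  {"md5": "00000000000000000000000000000000", "name": "old_type", "id": "117",
   "use": "0", "bb_1": "4D5A", "fz": "100000"}
]
"""


def load_type_table(json_text):
    """Index the valid type records by "id".

    Records whose "use" field is not "1" are skipped, as the description
    says the engine may ignore them. "bb_1" is a hexadecimal string and is
    decoded to bytes once here rather than on every comparison.
    """
    table = {}
    for rec in json.loads(json_text):
        if rec.get("use") != "1":
            continue
        table[rec["id"]] = {
            "name": rec["name"],
            "md5": rec["md5"],
            "pattern": bytes.fromhex(rec["bb_1"]),
        }
    return table


def identify_type(target_type_id, table):
    """S202: the sample's target type identifier is compared with the ids in
    the type record table; present means "type recognizable"."""
    return "recognizable" if target_type_id in table else "unrecognizable"


def type_bytes_present(sample, record):
    """Assumed check (not specified by the text) that the decoded "bb_1"
    bytes of the type occur somewhere in the sample."""
    return record["pattern"] in sample


# Constructed sample: the "bb_1" bytes of bmp_vbs (which start with the
# BMP signature "BM") embedded in some padding.
SAMPLE = b"\x00" * 4 + bytes.fromhex("424D0A062020EB6E90207620202820") + b"\x00" * 8


def classify(sample, target_type_id, table):
    """Combine the id comparison with the byte check; returns a dict the way
    a type identification result might be reported."""
    result = identify_type(target_type_id, table)
    matched = result == "recognizable" and type_bytes_present(sample, table[target_type_id])
    return {"type_result": result, "bytes_match": matched}
```

Decoding "bb_1" once at load time matters in practice: the comparison runs for every sample, and a record that fails to decode (odd length, non-hex character) is then rejected when the database is loaded rather than at scan time.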
In some embodiments, the anti-virus database may be structured as in Fig. 3, comprising a type record table and a feature record table. The type record table records the type identifiers of newly added recognizable samples; the feature record table stores feature records, which record the characteristic data of the types listed in the type record table. A mapping can be established between the two tables: for example, if the type record table contains type A, type B and type C, the feature record table can record the characteristic information corresponding to each of them. The mapping between the type record table and the feature record table may or may not be one-to-one.
S203: if the type identification result indicates that the sample to be detected is of a recognizable type, searching the anti-virus database for a matching feature record by means of a multi-pattern matching algorithm.
The anti-virus database may contain multiple feature records, and these feature records may contain the characteristic data of multiple files. The characteristic data may be identification information characterizing whether a given sample is a virus; for example, a feature record may contain a virus flag, which is 1 if the given sample is a virus and 0 if it is not.
Different type identification results lead to different subsequent operations: when the result is "type recognizable", the virus check of the sample to be detected continues, and when the result is "type unrecognizable", the virus check of the sample can be stopped.
This step searches for the matching feature record according to the type identification result: the search is performed when the result is "type recognizable", and when the result is "type unrecognizable" no search is performed and the virus detection process for the sample ends.
Further, because this step determines the type identification result of the sample first and only then searches for the matching feature record, the detection logic keeps sample virus detection orderly while lowering both the management cost (the feature record search is skipped when the type is unrecognizable) and the execution cost of the process.
Meanwhile the feature to match with sample to be detected can be hit by conventional multimode matching algorithm and is recorded.It should
Multimode matching algorithm can be currently used various multimode matching algorithms, such as: Aho-Corasick algorithm, Wu-Manber
Algorithm etc..Certainly, in addition to multimode matching algorithm, the matching of feature record can also be carried out by other matching algorithms.
S204: determining the virus detection result of the sample to be detected according to the matching feature record.
In this step, whether the sample to be detected is a virus sample can be determined from the characteristic data in the feature record, and the virus detection result is obtained accordingly.
Of course, in addition to whether the sample is a virus sample, the virus detection result may also include sample information such as the virus danger level, the virus scan-and-kill mode, the sample size, and the number of copies of the sample on the computer equipment.
Further, when the anti-virus engine loads the anti-virus database during initialization, it obtains the detection logic contained in the database and applies that logic in subsequent file detection. The detection logic of this embodiment is mainly: the engine first determines the type identification result according to the type record table, then searches for the matching feature record according to that result, and from it determines the virus detection result.
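As an added example rather than the patent's own code, the following Python implements steps S203 and S204 with the Aho-Corasick algorithm named above: the byte patterns of all feature records are compiled into one automaton when the database is loaded, a single pass over the sample collects every feature record it matches, and the virus flag of the matched records (1 = virus, 0 = not a virus, as described for S203) yields the verdict. The feature records, their "bb" and "virus" field names, and the sample bytes are constructed for this example; the JSON shape follows the feature record description in the text. The matcher is general: it also handles patterns that are suffixes of one another, which the separate assertion on "he"/"she"/"hers" exercises.

```python
import json
from collections import deque


class AhoCorasick:
    """Minimal Aho-Corasick automaton over byte patterns (states are dicts
    keyed by byte value, so the alphabet is the full 0..255 range)."""

    def __init__(self, patterns):
        self.goto = [{}]   # goto[state][byte] -> next state; state 0 is the root
        self.fail = [0]    # failure link of each state
        self.out = [[]]    # indices of patterns matched on reaching each state
        for idx, pat in enumerate(patterns):
            state = 0
            for b in pat:
                nxt = self.goto[state].get(b)
                if nxt is None:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    nxt = len(self.goto) - 1
                    self.goto[state][b] = nxt
                state = nxt
            self.out[state].append(idx)
        # Breadth-first pass sets failure links; depth-1 states fail to the root.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # A pattern ending at the fail state also ends here.
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, data):
        """One pass over the data; returns the set of matched pattern indices."""
        state = 0
        hits = set()
        for b in data:
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            if self.out[state]:
                hits.update(self.out[state])
        return hits


# Constructed feature records in the JSON shape the text describes: each
# carries characteristic data ("bb", a hexadecimal string) and a virus flag
# ("virus": "1" = virus, "0" = not a virus). Field names are assumptions.
# "424D" is the BMP signature "BM"; the second pattern is "WScript.Shell".
FEATURE_RECORDS_JSON = """
[
  {"type_id": "203", "name": "bmp_header", "virus": "0", "bb": "424D"},
  {"type_id": "203", "name": "vbs_wscript_shell", "virus": "1",
   "bb": "575363726970742E5368656C6C"}
]
"""


def load_feature_records(json_text):
    """Done once at engine initialization: parse the records and compile all
    their byte patterns into a single automaton."""
    records = json.loads(json_text)
    matcher = AhoCorasick([bytes.fromhex(r["bb"]) for r in records])
    return records, matcher


def detect(sample, records, matcher):
    """S203: find the feature records matching the sample; S204: derive the
    verdict from the virus flag of those records (any flag of "1" wins)."""
    matched = [records[i] for i in sorted(matcher.search(sample))]
    return {
        "virus": any(r["virus"] == "1" for r in matched),
        "matched": [r["name"] for r in matched],
    }
```

The automaton is built once when the database is loaded and reused for every sample; the search cost is linear in the sample length plus the number of matches, regardless of how many feature records the database holds, which is why the text prefers a multi-pattern algorithm over searching each record in turn.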
The file detection method provided by the above embodiment has the following technical effects. 1. According to the set control strategy, the anti-virus engine can accurately determine the virus detection result of a sample to be detected from the type record table and the feature record table in the anti-virus database, without a configuration file (which may be a file with the .ini suffix, usually kept in the directory of the anti-virus engine). An update of the anti-virus database usually takes only a few hours, which means the engine can detect a given unknown sample within at most a few hours; this achieves a response that controls unknown risk, effectively shortens the response time of sample virus detection, and greatly improves the engine's emergency response capability. 2. Making the anti-virus database the core control file of the anti-virus engine, where the database is a file the engine needs in order to run anyway, removes the reliance on a configuration file strategy and makes the whole mechanism flexibly cross-platform (platforms meaning operating systems such as Windows, Linux and macOS), without needing development support from the product that embeds the engine (for example anti-virus software such as Tencent PC Manager), which reduces operating cost.
In one embodiment, the step of comparing the sample to be detected against the type record table in the anti-virus database and obtaining a type identification result according to the comparison result comprises: obtaining the target type identifier of the sample to be detected; comparing the target type identifier with the type identifiers in the type record table; if the target type identifier is present among them, obtaining a type identification result of "type recognizable"; and if it is not present, obtaining a type identification result of "type unrecognizable".
A type identifier may be a character string or a code that serves as an identifier; the "id" of the previous embodiment can serve as a type identifier. For example, if the target type identifier of a sample to be detected is "203", comparing it with each record in the type record table of the anti-virus database finds that the type identifier of the sample record named "bmp_vbs" matches the target type identifier, so the type identification result of the sample is "type recognizable"; conversely, if no type identifier matching the target type identifier is found in the type record table, the type identification result of the sample is "type unrecognizable".
Further, the anti-virus database may be a genlib.def database.
In one embodiment, after the step of obtaining a "type unrecognizable" result, the method further comprises executing a preset unknown virus detection routine. The preset unknown virus detection routine may be predetermined Unk detection logic; Unk may be the default processing of unknown samples that the anti-virus engine had before it gained access to the genlib.def database, that is, a more conventional sample processing mode.
In some embodiments, the type identification result may also be determined by a multi-pattern matching algorithm: the algorithm determines whether a matching type identifier exists in the type record table; if it does, the type identification result is "type recognizable", and if it does not, the result is "type unrecognizable".
The virus detection method of the above embodiment determines the type identification result from the comparison of the target type identifier with the type record table in the anti-virus database, and can thus accurately determine whether the anti-virus engine has the ability to scan and kill viruses in the sample to be detected before performing subsequent operations.
In one embodiment, before the step of comparing the sample to be detected against the type record table in the anti-virus database, the method further comprises: obtaining multiple feature records; and processing the multiple feature records with a predetermined library generation tool to generate the anti-virus database.
The anti-virus database usually contains 1 to N feature records (the value of N depends on actual conditions). The 1 to N feature records can be turned into the anti-virus database by a dedicated library generation tool, and the generated database is then loaded and used by the anti-virus engine. The library generation tool may also process both feature records and type records to generate the anti-virus database.
The above embodiment generates the anti-virus database from feature records and type records; a database generated in this way can easily be loaded and used by the anti-virus engine, so that the engine performs file detection according to the set detection logic.
In one embodiment, the step of searching the anti-virus database for a matching feature record by means of a multi-pattern matching algorithm comprises: obtaining the registry key value of the sample to be detected; and, if the registry key value is non-zero, searching the anti-virus database for the matching feature record by means of the multi-pattern matching algorithm.
The registry key value may be a DWORD value or the like. DWORD stands for double word: a word is 2 bytes long, so a double word is 4 bytes, and with 8 bits per byte that is 32 bits in total. Further, for the sake of the runtime performance (speed and so on) of the anti-virus engine and the anti-virus database, the size of the samples the engine handles can be limited; the embodiment of the present invention uses the DWORD value to control whether the anti-virus engine may detect the sample to be detected (if the sample size is greater than the number corresponding to the DWORD value, the engine does not detect it). Specifically, a non-zero DWORD value characterizes the maximum sample size of each type of sample in the type record table, and the maximum sample size characterizes the sample size on which the anti-virus engine can perform virus scan-and-kill.
Further, if the registry key value is nonzero, then after the step of determining the virus detection result of the sample to be detected according to the matching feature record, the method further comprises: if the sample to be detected is determined to be a virus sample according to the virus detection result, determining a first maximum sample size according to the registry key value; and, if the sample size of the sample to be detected is less than or equal to the first maximum sample size, controlling the anti-virus engine to execute a preset virus scanning and removal routine on the sample to be detected.
For example, the following two program segments set the maximum value of the sample size (the maximum sample size) that the anti-virus engine detects for the 7z and zip formats, respectively, to 0x1f0000:
Program segment 1:
"name":"@eng:7z",
"fz":"1f0000"
Program segment 2:
"name":"@eng:zip",
"fz":"1f0000"
If the sample size of a sample to be detected is greater than 0x1f0000, the anti-virus engine does not perform the virus scanning and removal operation on it.
Further, in one embodiment, after the step of obtaining the registry key value of the sample to be detected, the method further comprises: if the registry key value is zero, stopping the virus detection of the sample to be detected.
When the DWORD value is zero, the anti-virus engine cannot detect the sample to be detected; when the DWORD value is nonzero, the engine can detect the sample to be detected within the range of the maximum sample size.
The above embodiment uses the DWORD value in the anti-virus engine's database both to switch the engine's detection of a recognisable sample type on or off and to control the sample size the engine can detect, achieving intelligent anti-virus scanning and removal.
In one embodiment, the feature records are stored in the anti-virus database in standard JSON format. In another embodiment, the type identification information can also be stored in the anti-virus database in standard JSON format.
JSON is a lightweight data interchange format that is easy for people to read and write and also easy for machines to parse and generate. By storing the type identification information and the feature records in standard JSON format, the above embodiment improves both the efficiency of writing and using the database and the record efficiency of the class record table and the feature record table, and thereby improves the efficiency of sample virus detection.
In one embodiment, the step of determining the virus detection result of the sample to be detected according to the matching feature record comprises: determining the characteristic data in the matching feature record; judging, according to the characteristic data, whether the sample to be detected is a virus sample; and obtaining the virus detection result according to the judgement result.
The characteristic data in a feature record can be as follows:
"md5":"010df30f4f1e90d56ec9577b4aaa567c",
"name":"Trojan.Script.Agent",
"id":"203",
"fs_2":"Mailx.Attachments.Add(dirsystem&\"\\Mawanella.vbs\")",
"fs_3":"Mailx.DeleteAfterSubmit=True"
Here "name" describes the virus name of this feature and "id" describes the number of this feature, from which the anti-virus engine can identify the feature. Virus detection of an unknown sample first hits the type feature and only then matches the feature records that share that type feature. "fs_2" and "fs_3" describe the characteristic data of the feature, which includes virus description information.
Further, the anti-virus engine can determine from the virus description information in the characteristic data whether the corresponding sample to be detected is a virus sample, and obtain the virus detection result accordingly.
Further, the characteristic data can also include the type identifier of the corresponding type. After querying the class record table, the anti-virus engine can query the corresponding feature record by the type identifier and determine from the characteristic data in that feature record whether the sample to be detected is a virus sample.
The above embodiment determines whether the sample to be detected is a virus sample from the characteristic data in the hit feature record. The determination process is simple and efficient and effectively improves the efficiency of sample virus detection.
In some embodiments, the structure of the anti-virus database can be as shown in Fig. 4. The anti-virus database contains a library identifier, an existing class record table, a class record table (to distinguish it from the existing class record table, the class record table may also be called the new type record table) and a feature record table. The library identifier identifies the current anti-virus database and distinguishes it from other anti-virus databases (in the embodiment of the present invention there can be multiple anti-virus databases; the anti-virus engine can access a specific database by its library identifier, and different databases can record information about different samples). The existing class record table can record the types the anti-virus engine can recognise, together with the sample size, characteristic data and similar information of those samples; existing types may include common types such as PE, Office, zip and pdf. The class record table and the feature record table are as described in the previous embodiments.
With the development of network technology there are more and more virus species. The anti-virus database of the embodiment of the present invention records information about the various viruses that can be recognised, and records their types and similar information through the class record table. In this way viruses of a certain type can be accurately recognised, that is, multiple virus samples belonging to one type can be recognised, which effectively improves the efficiency of sample virus detection. Of course, the class record table can also refer to the type information of a specific virus sample, which makes detection of that specific virus sample possible and improves the accuracy of sample virus detection.
Further, the information in the class record table and the feature record table can periodically be transferred into the existing class record table, and new class records and feature records added, to guarantee that the anti-virus engine can detect a greater variety of samples.
Further, when the type identification result for the sample to be detected is that the type is not recognisable, the anti-virus database can be triggered to obtain information related to that sample (i.e., to update the anti-virus database) and to add the obtained information to the class record table and the feature record table, so that the anti-virus engine can detect the sample in time and determine its virus detection result.
In one embodiment, after the step of obtaining the sample to be detected, the method further comprises: obtaining the target type identifier of the sample to be detected; determining from the target type identifier whether the sample to be detected is of a recognisable type; if not, executing the step of comparing the sample to be detected with the class record table in the anti-virus database; and if so, searching the anti-virus database for the target existing class record corresponding to the target type identifier and performing the virus scanning and removal operation according to that target existing class record.
Further, the step of performing the virus scanning and removal operation according to the target existing class record comprises: determining the sample size of the sample to be detected; if the sample size is nonzero, adjusting, according to the sample size, the second maximum sample size corresponding to the target sample in the target existing class record; controlling the anti-virus engine, according to the adjusted second maximum sample size, to execute the preset virus scanning and removal routine on the sample to be detected; and if the sample size is zero, stopping the virus detection of the sample to be detected. Here the virus scanning and removal routine can refer to a routine that cleans the virus.
The determination of whether the sample to be detected is of a recognisable type according to the target type identifier can be implemented as follows: the target type identifier is compared with a recognisable-type list stored in memory or in another database, and whether the sample is of a recognisable type is determined from the comparison result. Further, the recognisable-type list can be determined from the virus types that the anti-virus engine has detected before.
Before controlling the anti-virus engine, according to the adjusted second maximum sample size, to execute the preset virus scanning and removal routine on the sample to be detected, a step of running detection and parsing logic on the sample can also be included. The detection and parsing logic yields the state of the sample to be detected and the location and handling method of the virus it contains, so that the anti-virus engine can execute the virus scanning and removal routine smoothly.
It should be noted that, if the sample to be detected is not a virus sample, the virus scanning and removal routine can be a scan of the sample or another routine, rather than necessarily a routine that cleans a virus.
Adjusting the maximum sample size can refer to limiting the size value of a target file in genlib.def, which controls whether the anti-virus engine detects the sample. For example, if the size of the sample to be detected is 3M and exceeds the engine's sample size limit, the engine will not handle such a sample before the maximum sample size in genlib.def is adjusted; after the maximum sample size in genlib.def is adjusted, the engine can handle the sample according to the size set in genlib.def, and if the corresponding maximum sample size in genlib.def is now 4M, since 4M > 3M, the anti-virus engine will continue to handle the sample. This handling greatly extends the range of files that the anti-virus engine can detect.
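The DWORD size gate described earlier (a nonzero "fz" value is the maximum sample size, zero switches detection of the type off) and the genlib.def adjustment in the paragraph above, as one added example. This is illustration code written for this page, not the patent's or the TAV engine's code; the dict layout of a class record, the function names and the reading of "3M" and "4M" as mebibytes are assumptions.

```python
# Added example, not code from the patent or from the TAV engine.
# Assumption: a class record is a dict with "name" and "fz", where "fz" is the
# maximum sample size as a hexadecimal string (a DWORD) and 0 switches
# detection of that type off, as the text describes.

DWORD_MAX = 0xFFFFFFFF
MIB = 1024 * 1024  # assumption: the "3M" / "4M" sizes in the text are mebibytes

# Constructed records mirroring the two program segments shown earlier, plus
# one constructed record whose detection is switched off.
CLASS_RECORDS = [
    {"name": "@eng:7z", "fz": "1f0000"},
    {"name": "@eng:zip", "fz": "1f0000"},
    {"name": "@eng:pdf", "fz": "0"},
]


def parse_fz(record):
    """Interpret the "fz" field as an unsigned 32-bit DWORD, rejecting bad values."""
    value = int(record["fz"], 16)
    if not 0 <= value <= DWORD_MAX:
        raise ValueError("fz does not fit in a DWORD: %r" % record["fz"])
    return value


def find_record(records, name):
    """Look up the class record for an engine type name such as "@eng:zip"."""
    for rec in records:
        if rec["name"] == name:
            return rec
    return None


def gate(records, name, sample_size):
    """Decide whether the engine may detect a sample of the given type and size.

    Returns (decision, limit) with decision one of:
    "detect", "skip-too-large", "disabled" (DWORD is zero) or "unknown-type".
    """
    rec = find_record(records, name)
    if rec is None:
        return "unknown-type", None
    limit = parse_fz(rec)
    if limit == 0:
        return "disabled", 0
    if sample_size > limit:
        return "skip-too-large", limit
    return "detect", limit


def adjust_max_size(records, name, new_limit):
    """Rewrite the maximum sample size of a type, as adjusting genlib.def does.

    Returns the new limit; the record is updated in place.
    """
    rec = find_record(records, name)
    if rec is None:
        raise KeyError(name)
    if not 0 <= new_limit <= DWORD_MAX:
        raise ValueError("new limit does not fit in a DWORD: %d" % new_limit)
    rec["fz"] = "%x" % new_limit
    return parse_fz(rec)


if __name__ == "__main__":
    # The 3M-versus-4M scenario from the text, on a constructed record.
    records = [{"name": "@eng:demo", "fz": "200000"}]   # 2 MiB limit
    print(gate(records, "@eng:demo", 3 * MIB))          # ('skip-too-large', 2097152)
    adjust_max_size(records, "@eng:demo", 4 * MIB)
    print(gate(records, "@eng:demo", 3 * MIB))          # ('detect', 4194304)
    print(gate(CLASS_RECORDS, "@eng:zip", 0x1f0001))    # ('skip-too-large', 2031616)
```

The check is deliberately a strict greater-than comparison, matching the text's rule that a sample is skipped only when its size exceeds the DWORD value, and a limit that does not fit in 32 bits is rejected rather than silently truncated.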
Before comparing the sample to be detected with the information in the class record table of the anti-virus database, the above embodiment first judges whether the sample is of a recognisable type. If it is, the embodiment adjusts its maximum sample size, so that the anti-virus engine can be controlled, according to the adjusted maximum sample size, to successfully execute the preset virus scanning and removal routine on the sample. If it is not, virus detection of the sample is performed through the anti-virus database (executing the step of comparing the sample with the class record table in the anti-virus database and then determining the virus detection result).
The above implementation can be understood as hierarchical detection. Level one: when the sample to be detected can be directly determined to be of a recognisable type, the anti-virus engine is controlled directly, according to the adjusted maximum sample size, to execute the preset virus scanning and removal routine on the sample. Level two: if the sample to be detected is determined to be of an unrecognisable type, it is detected through the anti-virus database to obtain the virus detection result. This tiered handling effectively improves the efficiency of sample virus detection.
In one embodiment, the computer device on which the anti-virus engine runs can display information about the sample virus detection process on its interface. As shown in Fig. 5, when the anti-virus engine obtains a sample to be detected (i.e., an unknown risk to be controlled), Fig. 5(a) is shown on the interface. If the sample is determined to be of a recognisable type, the sample virus detection and removal process is carried out and Fig. 5(b) can be shown on the interface. If the sample is determined to be of an unrecognisable type, the anti-virus database is queried and the type of the file to be detected is determined according to the logic of the anti-virus database, with Fig. 5(c) shown on the interface; it is further determined whether the sample to be detected is recorded in the anti-virus database (i.e., whether its type is recognisable), which decides whether the subsequent virus sample detection work proceeds: if it does, Fig. 5(d) is shown on the interface, and if not, Fig. 5(e) is shown. Further, when the file to be detected is determined to be a virus file, the interface can also show "The unknown risk has been determined to be a risk file; the virus file is about to be cleaned", and the cleaning operation is performed on the file to be detected.
In one embodiment, as shown in Fig. 6, the embodiment of the invention provides a virus detection method for a sample. It is described below as applied to an anti-virus engine and comprises the following steps:
S601: obtain the sample to be detected.
S602: obtain the target type identifier of the sample to be detected, and determine from the target type identifier whether the type of the sample to be detected is a recognisable type.
S603: if the type of the sample to be detected is a recognisable type, search the anti-virus database for the target existing class record corresponding to the target type identifier and determine the sample size of the sample to be detected.
S6031: if the sample size is nonzero, adjust, according to the sample size, the second maximum sample size of the corresponding target sample in the target existing class record, and control the anti-virus engine, according to the adjusted second maximum sample size, to execute the preset virus scanning and removal routine on the sample to be detected.
S6032: if the sample size is zero, stop the virus detection of the sample to be detected.
S604: if the type of the sample to be detected is an unrecognisable type, compare the target type identifier with the type identification information in the class record table.
S605: if the target type identifier is present in the type identification information, the type identification result is that the type is recognisable; obtain the DWORD value of the target type identifier.
S6051: if the DWORD value is nonzero, search the anti-virus database for the matching feature record by the multi-pattern matching algorithm and determine the virus detection result of the sample to be detected according to the matching feature record.
S6052: if the DWORD value is zero, stop the virus detection of the sample to be detected.
S606: if the target type identifier is not present in the type identification information, the type identification result is that the type is not recognisable; execute the preset unknown-virus detection routine.
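The hierarchical flow S601 to S606 above, together with the JSON feature record and the multi-pattern matching described earlier in this section, as one added example (written for this page; not the patent's, Tencent's or the TAV engine's code). It loads a constructed JSON anti-virus database, builds an Aho-Corasick automaton over the feature strings as the multi-pattern matching algorithm, and walks the decision tree of the steps above. The JSON layout, the "type" field linking a feature record to a class record, the "@eng:" naming of existing class records, the rule that a feature record hits only when all of its feature strings are found, and the reading of S6031 as raising the limit to the sample size are all assumptions.

```python
import json
from collections import deque

# Added example, not code from the patent or the engine. Constructed database in
# the JSON layout the text describes; the feature record reuses the example
# fields shown earlier on this page. The "type" link from a feature record to a
# class record and the "@eng:" naming of existing class records are assumptions.
DB_JSON = r"""{
  "lib_id": "demo-db",
  "existing_class_records": [{"name": "@eng:zip", "fz": "1f0000"}, {"name": "@eng:pe", "fz": "0"}],
  "class_records": [{"type": "vbs", "fz": "100000"}, {"type": "js", "fz": "0"}],
  "feature_records": [
    {"md5": "010df30f4f1e90d56ec9577b4aaa567c", "name": "Trojan.Script.Agent", "id": "203",
     "type": "vbs", "fs_2": "Mailx.Attachments.Add(dirsystem&\"\\Mawanella.vbs\")",
     "fs_3": "Mailx.DeleteAfterSubmit=True"}
  ]
}"""


class MultiPatternMatcher:
    """Aho-Corasick automaton: finds every feature string in a single pass."""

    def __init__(self):
        self.goto, self.fail, self.out = [{}], [0], [[]]

    def add(self, pattern, label):
        node = 0
        for ch in pattern:
            nxt = self.goto[node].get(ch)
            if nxt is None:
                self.goto.append({}); self.fail.append(0); self.out.append([])
                nxt = len(self.goto) - 1
                self.goto[node][ch] = nxt
            node = nxt
        self.out[node].append(label)

    def build(self):
        queue = deque(self.goto[0].values())  # depth-1 nodes keep fail = root
        while queue:
            cur = queue.popleft()
            for ch, nxt in self.goto[cur].items():
                f = self.fail[cur]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(ch, 0)
                self.out[nxt] = self.out[nxt] + self.out[self.fail[nxt]]
                queue.append(nxt)
        return self

    def search(self, text):
        node, hits = 0, set()
        for ch in text:
            while node and ch not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(ch, 0)
            hits.update(self.out[node])
        return hits


def load_db(text):
    """Parse the JSON database and build one matcher per sample type."""
    db = json.loads(text)
    matchers = {}
    for rec in db["feature_records"]:
        m = matchers.setdefault(rec["type"], MultiPatternMatcher())
        for key, value in rec.items():
            if key.startswith("fs_"):
                m.add(value, (rec["id"], key))
    db["_matchers"] = {t: m.build() for t, m in matchers.items()}
    return db


def match_features(db, sample):
    """S6051: a feature record hits only when all of its strings occur in the sample."""
    matcher = db["_matchers"].get(sample["type_id"])
    found = matcher.search(sample["content"]) if matcher else set()
    names = []
    for rec in db["feature_records"]:
        keys = [k for k in rec if k.startswith("fs_")]
        if rec["type"] == sample["type_id"] and keys and all((rec["id"], k) in found for k in keys):
            names.append(rec["name"])
    return names


def detect(db, sample):
    """Hierarchical detection S601 to S606; returns (path, verdict, detail)."""
    size, type_id = sample["size"], sample["type_id"]
    existing = {r["name"]: int(r["fz"], 16) for r in db["existing_class_records"]}
    if "@eng:" + type_id in existing:                  # S603: recognisable type
        if size == 0:                                   # S6032
            return "existing", "stopped", "zero sample size"
        limit = existing["@eng:" + type_id]
        if limit == 0:                                  # S7042: detection switched off
            return "existing", "stopped", "type detection disabled"
        adjusted = max(limit, size)                     # S6031: limit raised to cover the sample
        hits = match_features(db, sample)               # preset routine (assumed: same matcher)
        return "existing", "virus" if hits else "clean", {"limit": adjusted, "hits": hits}
    by_type = {r["type"]: int(r["fz"], 16) for r in db["class_records"]}
    if type_id not in by_type:                          # S606: type not recognisable
        return "unknown", "undetermined", "unknown-virus routine"
    dword = by_type[type_id]                            # S605
    if dword == 0:                                      # S6052
        return "database", "stopped", "DWORD is zero"
    if size > dword:                                    # DWORD size gate from the text
        return "database", "stopped", "sample larger than DWORD limit"
    hits = match_features(db, sample)                   # S6051
    return "database", "virus" if hits else "clean", hits
```

A sample is a dict with "type_id", "size" and "content"; `detect(load_db(DB_JSON), sample)` returns which tier handled it and why. Requiring every feature string of a record to be present before reporting a hit keeps a single common substring (such as "Mailx.DeleteAfterSubmit=True" on its own) from producing a false positive, and the automaton scans the content once regardless of how many feature strings the database holds.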
The sample virus detection method provided by the above embodiment can accurately determine the virus detection result of the sample to be detected through the anti-virus database, without needing a configuration file. On the other hand, when the anti-virus database cannot recognise the sample to be detected, the anti-virus engine's virus detection mechanism for that sample can be updated by upgrading the anti-virus database, and upgrading the anti-virus database is far more efficient than testing and releasing a configuration file, which greatly reduces the response time of sample virus detection.
In some embodiments, the anti-virus engine can be Tencent's self-developed TAV engine.
In one embodiment, to better understand the above method, an application example of the sample virus detection method of the present invention is described below as applied to an anti-virus engine, as shown in Fig. 7.
S701: the anti-virus engine receives the sample to be detected.
S702: the anti-virus engine determines the type identifier of the sample to be detected.
S703: determine from the type identifier whether the type of the sample to be detected is a recognisable type.
S704: if the type of the sample to be detected is a recognisable type, determine the corresponding DWORD value in the existing class record table of the genlib.def database.
S7041: if the DWORD value is nonzero, control the genlib.def database to adjust the maximum sample size in the existing class record table, and complete the virus detection/parsing logic for the sample to be detected.
S7042: if the DWORD value is zero, switch off the virus detection function for the sample to be detected.
S705: if the type of the sample to be detected is an unrecognisable type, enter the genlib.def detection logic (comprising S706, S707 and S708).
S706: compare the type identifier of the sample to be detected with the feature record table and judge whether the type of the sample is recognisable.
S707: if the type of the sample to be detected is recognisable, determine the matching feature record in the feature record table of the anti-virus database by the multi-pattern matching algorithm, and then determine the virus detection result of the sample.
S708: if the type of the sample to be detected is not recognisable, execute the Unk (unknown) detection logic.
In current anti-virus technology, anti-virus control is usually implemented with a configuration file. The configuration file mainly implements control over switching individual engine functions on or off, for example: switching off virus detection for a certain class of sample for performance reasons; switching off a detection function that is found to produce false positives; or switching on virus detection for a certain class of sample in order to raise the detection rate. As shown in Fig. 8, when the engine initialises, the external vendor loads and parses the configuration file and sets the relevant engine parameters according to it; the anti-virus engine then handles samples according to the settings of the configuration file and obtains the set of virus samples. However, implementing anti-virus control through a configuration file in this way has the following problems. 1. Strong coupling with the product: the product must support the release of the configuration file. When the engine is used in scenarios with different requirements for performance, detection rate and stability, the corresponding product must also support handling the configuration file. 2. The native cross-platform support of the anti-virus engine cannot be used; support from the external vendor and upgrade strategies are needed, which increases development and operating costs. 3. For unknown, newly emerging sample file formats, the engine finds it difficult to respond quickly and control the risk without upgrading its code.
The sample virus detection method provided by the embodiment of the present invention has the following technical effects. 1. Low product coupling: the core control sample of the anti-virus engine exists as an anti-virus database sample of the engine, which is a sample necessary for the engine to run, so file detection does not depend on additional support from the product. 2. The native cross-platform support of the anti-virus engine can be used without increasing the external vendor's development cost. For example, Tencent PC Manager integrates the anti-virus engine inside the product, and its configuration file is supported by the PC Manager client and the back-end gray-release strategy. Because PC Manager is a Windows product it can only run under Windows; to run on other systems (such as macOS or Linux) the product would have to be developed again to support the configuration file strategy, whereas to run the embodiment of the present invention under systems such as macOS or Linux only the anti-virus database needs to be upgraded, with no other work. 3. For unknown, newly emerging risks, the anti-virus engine can respond quickly and effectively. In addition, the inventors found through testing on a large amount of sample data that the embodiment of the present invention does not affect the performance or the detection rate of the anti-virus engine and the anti-virus database.
It should be noted that for the various method embodiments described above, describing for simplicity, it is all expressed as a series of
Combination of actions, but those skilled in the art should understand that, the present invention is not limited by the sequence of acts described, because according to
According to the present invention, certain steps can use other sequences or carry out simultaneously.
Based on the same idea as the sample virus detection method in the above embodiments, the present invention also provides a virus detection device for a sample, which can be used to execute the above sample virus detection method. For ease of description, the structural schematic diagram of the embodiment of the sample virus detection device shows only the parts relevant to the embodiment of the present invention; those skilled in the art will understand that the illustrated structure does not limit the device, which may include more or fewer components than illustrated, combine certain components, or have a different component layout.
As shown in Fig. 9, the virus detection device for a sample comprises a sample acquisition module 901, a type identification module 902, a record search module 903 and a result determining module 904, described in detail as follows:
Sample acquisition module 901, for obtaining the sample to be detected.
Type identification module 902, for comparing the sample to be detected with the class record table in the anti-virus database and obtaining a type identification result according to the comparison result.
Record search module 903, for searching the anti-virus database for the matching feature record by the multi-pattern matching algorithm if the sample to be detected is determined, according to the type identification result, to be of a recognisable type.
Result determining module 904, for determining the virus detection result of the sample to be detected according to the matching feature record.
The virus detection device for a sample provided in this embodiment can accurately determine the virus detection result of the sample to be detected through the anti-virus database, without needing a configuration file, and can effectively reduce the response time of sample virus detection.
In one embodiment, the record search module 903 comprises: a key value acquisition submodule, for obtaining the registry key value of the sample to be detected; and a record search submodule, for searching the anti-virus database for the matching feature record by the multi-pattern matching algorithm if the registry key value is nonzero; wherein the feature record is stored in the anti-virus database in standard JSON format.
In one embodiment, the record search module 903 further comprises: a detection stopping submodule, for stopping the virus detection of the sample to be detected if the registry key value is zero.
In one embodiment, the result determining module 904 comprises: a characteristic data determining submodule, for determining the characteristic data in the matching feature record; a sample judging submodule, for judging according to the characteristic data whether the sample to be detected is a virus sample; and a detection result determining submodule, for obtaining the virus detection result according to the judgement result.
In one embodiment, if the registry key value is nonzero, the virus detection device for a sample further comprises: a sample size determining module, for determining a first maximum sample size according to the registry key value if the sample to be detected is determined, according to the virus detection result, to be a virus sample; and a first virus scanning and removal module, for controlling the anti-virus engine to execute the preset virus scanning and removal routine on the sample to be detected if the sample size of the sample to be detected is less than or equal to the first maximum sample size.
In one embodiment, the virus detection device for a sample further comprises: a type identifier acquisition module, for obtaining the target type identifier of the sample to be detected; a type judging module, for determining from the target type identifier whether the sample to be detected is of a recognisable type; a comparison execution module, for executing, if it is not, the step of comparing the sample to be detected with the class record table in the anti-virus database; and a second virus scanning and removal module, for searching, if it is, the anti-virus database for the target existing class record corresponding to the target type identifier and performing the virus scanning and removal operation according to that target existing class record.
In one embodiment, the second virus scanning and removal module comprises: a sample size determining submodule, for determining the sample size of the sample to be detected; a sample size adjusting submodule, for adjusting, according to the sample size, the second maximum sample size corresponding to the target sample in the target existing class record; and a scanning and removal routine execution submodule, for controlling the anti-virus engine, according to the adjusted second maximum sample size, to execute the preset virus scanning and removal routine on the sample to be detected.
In one embodiment, the virus detection device for a sample provided by the present application can be implemented in the form of a computer program, and the computer program can run on a computer device as shown in Fig. 1. The memory of the computer device can store the program modules that make up the virus detection device for a sample, for example the sample acquisition module, type identification module, record search module and result determining module shown in Fig. 9. The computer program constituted by these program modules causes the processor to execute the steps of the sample virus detection method of each embodiment of the present application described in this specification. For example, the computer device shown in Fig. 1 can execute S201 through the sample acquisition module 901 of the virus detection device shown in Fig. 9, execute S202 through the type identification module 902, execute S203 through the record search module 903 and execute S204 through the result determining module 904.
In one embodiment, a computer device is provided, comprising a memory and a processor. The memory stores a computer program which, when executed by the processor, causes the processor to execute the steps of the above sample virus detection method. The steps of the sample virus detection method here can be the steps of the sample virus detection method of each of the above embodiments.
In one embodiment, a computer readable storage medium is provided, storing a computer program which, when executed by a processor, causes the processor to execute the steps of the above sample virus detection method. The steps of the sample virus detection method here can be the steps of the sample virus detection method of each of the above embodiments.
Those of ordinary skill in the art will appreciate that all or part of the processes in the methods of the above embodiments can be completed by instructing the relevant hardware through a computer program. The program can be stored in a non-volatile computer readable storage medium and, when executed, may include the processes of the embodiments of the above methods. Any reference to memory, storage, a database or another medium used in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM).
The technical features of the above embodiments can be combined arbitrarily. For brevity of description not all possible combinations of the technical features of the above embodiments are described, but as long as there is no contradiction in the combination of these technical features, it should be considered to be within the scope of this specification.
The above embodiments express only several implementations of the present application and are described specifically and in detail, but they cannot therefore be understood as limiting the scope of the patent of the present application. It should be pointed out that those of ordinary skill in the art can make various modifications and improvements without departing from the concept of the present application, and these all belong to the scope of protection of the present application. Therefore, the scope of protection of the patent of the present application shall be subject to the appended claims.
Claims (10)
1. A virus detection method for a sample, comprising the following steps:
obtaining a sample to be detected;
comparing the sample to be detected with a class record table in an anti-virus database, and obtaining a type identification result according to the comparison result;
if the type identification result indicates that the sample to be detected is of a recognizable type, searching the anti-virus database for a matching feature record by means of a multi-pattern matching algorithm;
determining the virus detection result of the sample to be detected according to the matching feature record.
2. The method according to claim 1, wherein the step of searching the anti-virus database for a matching feature record by means of a multi-pattern matching algorithm comprises:
obtaining the registry key value of the sample to be detected;
if the registry key value is non-zero, searching the anti-virus database for a matching feature record by means of the multi-pattern matching algorithm; wherein the feature record is stored in the anti-virus database in the JSON standard format.
3. The method according to claim 2, further comprising, after the step of obtaining the registry key value of the sample to be detected:
if the registry key value is zero, stopping the virus detection of the sample to be detected.
4. The method according to claim 2, wherein the step of determining the virus detection result of the sample to be detected according to the matching feature record comprises:
determining the characteristic data in the matching feature record;
judging whether the sample to be detected is a virus sample according to the characteristic data;
obtaining the virus detection result according to the judgment result.
5. The method according to claim 4, further comprising, if the registry key value is non-zero, after the step of determining the virus detection result of the sample to be detected according to the matching feature record:
if the virus detection result indicates that the sample to be detected is a virus sample, determining a first maximum sample size according to the registry key value;
if the sample size of the sample to be detected is less than or equal to the first maximum sample size, controlling the anti-virus engine to execute a preset virus scanning and removal routine on the sample to be detected.
6. The method according to any one of claims 1 to 5, further comprising, after the step of obtaining the sample to be detected:
obtaining the target type identifier of the sample to be detected;
determining whether the sample to be detected is of a recognizable type according to the target type identifier;
if not, executing the step of comparing the sample to be detected with the class record table in the anti-virus database;
if so, searching the anti-virus database for the target class record corresponding to the target type identifier, and performing the virus scanning and removal operation according to the target class record.
7. The method according to claim 6, wherein the step of performing the virus scanning and removal operation according to the target class record comprises:
determining the sample size of the sample to be detected;
adjusting, according to the sample size, the second maximum sample size of the target sample corresponding to the target class record;
controlling the anti-virus engine to execute the preset virus scanning and removal routine on the sample to be detected according to the adjusted second maximum sample size.
8. A virus detection device for a sample, comprising:
a sample acquisition module for obtaining a sample to be detected;
a type identification module for comparing the sample to be detected with a class record table in an anti-virus database and obtaining a type identification result according to the comparison result;
a record search module for searching the anti-virus database for a matching feature record by means of a multi-pattern matching algorithm if the type identification result indicates that the sample to be detected is of a recognizable type;
a result determination module for determining the virus detection result of the sample to be detected according to the matching feature record.
9. A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor, when executing the computer program, implements the steps of the method according to any one of claims 1 to 7.
10. A computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 7.
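The pipeline of claims 1 to 5, as an added worked example (not code from the patent or its applicant): a class record table identifies the sample type from leading bytes, JSON feature records for that type are compiled into an Aho-Corasick automaton (one multi-pattern matching algorithm; the patent does not name which one it uses), a zero registry key value stops detection, and a non-zero value is read as the first maximum sample size that gates the hand-off to the engine. The class record table, the feature records, the sample bytes and the reading of the registry key value as a byte limit are all constructed assumptions for the example.

```python
"""Added example of the claimed detection flow. All names, records and samples are
constructed for illustration; the patent does not specify these formats."""
import json
from collections import deque

# Constructed class record table (claim 1): leading bytes -> type identifier.
CLASS_RECORD_TABLE = {b"MZ": "pe", b"\x7fELF": "elf", b"%PDF": "pdf"}

# Constructed feature records stored as JSON (claim 2). "family" is the
# characteristic data that claim 4 uses to judge whether the sample is a virus.
FEATURE_RECORDS_JSON = """
[
  {"id": "rec-001", "type": "pe",  "pattern": "BAD-MARKER-1", "family": "Constructed.A"},
  {"id": "rec-002", "type": "pe",  "pattern": "MARKER",       "family": "Constructed.B"},
  {"id": "rec-003", "type": "elf", "pattern": "ELF-BAD-MARK", "family": "Constructed.C"}
]
"""

# Constructed PE-like sample containing one of the markers (38 bytes long).
SAMPLE_PE = b"MZ" + b"\x90" * 16 + b"BAD-MARKER-1" + b"\x00" * 8


class MultiPatternMatcher:
    """Aho-Corasick automaton: all patterns are found in a single pass over the data."""

    def __init__(self, patterns):
        self.goto, self.fail, self.out = [{}], [0], [[]]
        for idx, pat in enumerate(patterns):          # build the trie
            state = 0
            for b in pat:
                if b not in self.goto[state]:
                    self.goto[state][b] = len(self.goto)
                    self.goto.append({}); self.fail.append(0); self.out.append([])
                state = self.goto[state][b]
            self.out[state].append(idx)
        queue = deque(self.goto[0].values())          # depth-1 states fail to root
        while queue:                                  # BFS to fill failure links
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, data):
        """Return the set of pattern indices that occur anywhere in data."""
        found, state = set(), 0
        for b in data:
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            found.update(self.out[state])
        return found


def identify_type(sample):
    """Claim 1: compare the sample with the class record table; None = not recognizable."""
    for magic, type_id in CLASS_RECORD_TABLE.items():
        if sample.startswith(magic):
            return type_id
    return None


def load_feature_records(json_text):
    records = json.loads(json_text)
    for rec in records:
        rec["pattern_bytes"] = rec["pattern"].encode()
    return records


def detect(sample, registry_key_value, records=None):
    """Run claims 1-5 on one sample; returns type, matched record ids, verdict and
    whether the engine scan would be triggered. The registry key value is assumed
    here to encode the first maximum sample size in bytes (claim 5)."""
    records = load_feature_records(FEATURE_RECORDS_JSON) if records is None else records
    result = {"type": identify_type(sample), "matches": [], "verdict": "unknown", "engine_scan": False}
    if result["type"] is None:
        return result                                 # not recognizable: no pattern stage
    if registry_key_value == 0:
        result["verdict"] = "stopped"                 # claim 3
        return result
    relevant = [r for r in records if r["type"] == result["type"]]
    hits = MultiPatternMatcher([r["pattern_bytes"] for r in relevant]).search(sample)
    result["matches"] = [relevant[i]["id"] for i in sorted(hits)]
    result["verdict"] = "virus" if hits else "clean"  # claim 4: family data -> judgment
    if hits and len(sample) <= registry_key_value:    # claim 5: size gate before engine scan
        result["engine_scan"] = True
    return result


if __name__ == "__main__":
    print(detect(SAMPLE_PE, 4096))
```

Filtering the feature records by the identified type before building the automaton is what makes the type identification step worth doing: the multi-pattern stage only ever scans with signatures that can apply to the sample's format, and a sample whose type the table does not recognize never reaches it.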
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910740513.9A CN110457905A (en) | 2019-08-12 | 2019-08-12 | Method for detecting virus, device, computer equipment and the storage medium of sample |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910740513.9A CN110457905A (en) | 2019-08-12 | 2019-08-12 | Method for detecting virus, device, computer equipment and the storage medium of sample |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110457905A true CN110457905A (en) | 2019-11-15 |
Family
ID=68485937
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910740513.9A Pending CN110457905A (en) | 2019-08-12 | 2019-08-12 | Method for detecting virus, device, computer equipment and the storage medium of sample |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110457905A (en) |
2019
- 2019-08-12 CN CN201910740513.9A patent/CN110457905A/en active Pending
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110881049A (en) * | 2019-12-16 | 2020-03-13 | 淮安信息职业技术学院 | Computer network safety intelligent control system |
CN110881049B (en) * | 2019-12-16 | 2022-02-15 | 淮安信息职业技术学院 | Computer network safety intelligent control system |
CN115208690A (en) * | 2022-08-09 | 2022-10-18 | 中国光大银行股份有限公司 | Screening processing system based on data classification and classification |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Han et al. | MalDAE: Detecting and explaining malware based on correlation and fusion of static and dynamic characteristics | |
US10891378B2 (en) | Automated malware signature generation | |
US9665713B2 (en) | System and method for automated machine-learning, zero-day malware detection | |
WO2019109743A1 (en) | Url attack detection method and apparatus, and electronic device | |
CN107391671B (en) | A kind of document leakage detection method and system | |
CN101777062B (en) | Context-aware real-time computer-protection systems and methods | |
TWI720932B (en) | System and method for detecting data anomalies by analysing morphologies of known and/or unknown cybersecurity threats | |
CN101751535B (en) | Data loss protection through application data access classification | |
US11256803B2 (en) | Malware detection: selection apparatus, selection method, and selection program | |
US10380349B2 (en) | Security analysis using relational abstraction of data structures | |
CN108985057B (en) | Webshell detection method and related equipment | |
CN112866023B (en) | Network detection method, model training method, device, equipment and storage medium | |
US11182481B1 (en) | Evaluation of files for cyber threats using a machine learning model | |
Awad et al. | Modeling malware as a language | |
CN110457905A (en) | Method for detecting virus, device, computer equipment and the storage medium of sample | |
CN109388551A (en) | There are the method for loophole probability, leak detection method, relevant apparatus for prediction code | |
EP3425549A1 (en) | System and method of determining text containing confidential data | |
CN107491691A (en) | A kind of long-range forensic tools Safety Analysis System based on machine learning | |
US20240241954A1 (en) | Method of detecting android malware based on heterogeneous graph and apparatus thereof | |
KR20190020998A (en) | Apparatus, method and system for detecting malicious code | |
Rowe | Identifying forensically uninteresting files using a large corpus | |
CN115809466B (en) | Security requirement generation method and device based on STRIDE model, electronic equipment and medium | |
CN113810338B (en) | Abnormal service address detection method and device, and computer readable storage medium | |
Rowe | Identifying forensically uninteresting files in a large corpus | |
Ramesh et al. | Integrated malware analysis using markov based model in machine learning |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||