CN110659490B - Malicious sample processing method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN110659490B
Authority: CN (China)
Prior art keywords: character string, messy code, library, sensitive, sensitive character
Legal status: Active
Application number: CN201910896781.XA
Other languages: Chinese (zh)
Other versions: CN110659490A (en)
Inventors: 肖新光, 吕经祥, 童志明, 何公道
Current Assignee: Antiy Technology Group Co Ltd
Original Assignee: Antiy Technology Group Co Ltd
Application filed by Antiy Technology Group Co Ltd
Priority to CN201910896781.XA
Publication of CN110659490A
Application granted
Publication of CN110659490B

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562: Static detection
    • G06F21/563: Static detection by source code analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention provides a method and a device for processing a malicious sample, electronic equipment and a storage medium. The method comprises: obtaining messy code character strings in the malicious sample; judging whether a messy code character string is an encrypted form of a sensitive character string in a preset sensitive character string library; and, if it is, outputting that sensitive character string as vector information of the malicious sample. This solves the problem that no manufacturer collects and processes the messy code character string information in samples: the messy code character strings in the sample are put to use, the encrypted, meaningless continuous visible character strings in the sample are restored and output in vector form, more sample vector information can be output, other variants of the same virus can be discovered, and more information is provided for subsequent judgment.

Description

Malicious sample processing method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of anti-malicious code technologies, and in particular, to a method and an apparatus for processing a malicious sample, an electronic device, and a storage medium.
Background
Traditional vector extraction obtains the various pieces of valuable information in a sample. A vector-level threat intelligence engine extracts the vector-level threat intelligence in the sample. The extracted content includes, but is not limited to, APT-organization-specific strings (mutexes, PDB paths, special component names, etc.), IPs and domain names, statically and dynamically derived behavioral information, file structure information, etc.
In the field of malware analysis, authors of malicious code encrypt the character strings they use so that a malicious sample is not detected through the plaintext character strings it contains. In the daily analysis of malicious samples, meaningless continuous displayable messy code character strings are often encountered, and further analysis finds that the sample restores these messy code character strings, through simple operations, into the character strings it needs in order to carry out its malicious behavior (for example, o1Syphilis N is restored into Syphilis No 1).
The messy code character strings in a sample that appear meaningless are therefore not meaningless, and some of them can be restored into obviously malicious character strings through simple operations. When the vector information of a sample is extracted, the messy code character strings should therefore not be discarded; after being processed and restored to plaintext character strings, they should be output together with the other vector information.
At present, for reasons of computation, time and technology, no manufacturer collects and processes the messy code character string information in samples: the volume of this data is too large and the efficiency of existing data processing technology is too low. With the future development of software, hardware and 5G technology, however, collecting and processing this data is becoming urgent.
Disclosure of Invention
First, terms appearing in the present invention are explained as follows:
Encryption: the original information data is changed by a special algorithm, so that even if an unauthorized user obtains the encrypted information, the content of the information cannot be known because the unauthorized user does not know the decryption method.
Vector: the various pieces of information in the sample.
Shift method: each plaintext character is shifted by a specific number of positions in a fixed direction, for example, shifting "I love you" right by 4 positions gives "M pszi csy".
Substitution (replacement) method: a plaintext and ciphertext mapping table is defined, in which each plaintext character corresponds to a ciphertext character.
Offset method (also rendered in this text as the parameter method, the difference-between-parameter method or the staggered method): the characters of the string are moved as a whole, wrapping around, for example, moving "I love you" right by 1 position gives "uI love yo".
Exclusive or method: XOR is also called half addition, which is equivalent to binary addition without carry. If 1 represents true and 0 represents false in binary, the rules of exclusive or are: 0 ⊕ 0 = 0, 1 ⊕ 0 = 1, 0 ⊕ 1 = 1, 1 ⊕ 1 = 0 (the result is 0 when the operands are the same and 1 when they differ). These rules are the same as addition except that there is no carry, so exclusive or is often regarded as carry-less addition.
Messy code character string: a meaningless continuous displayable string, such as "M pszi csy" or "uI love yo".
The embodiment of the invention provides a method and a device for processing a malicious sample, electronic equipment and a storage medium, which are used for solving the problem that messy code character string information in the sample is not collected and processed in the prior art.
Based on the above problem, an embodiment of the present invention provides a method for processing a malicious sample, where the method includes:
acquiring messy code character strings in the malicious sample;
judging whether the messy code character string is an encrypted sensitive character string in a preset sensitive character string library or not;
and if the messy code character string is the encrypted sensitive character string in a preset sensitive character string library, outputting the sensitive character string as the vector information of the malicious sample.
Optionally, the determining whether the scrambled character string is an encrypted sensitive character string in a preset sensitive character string library includes:
decrypting the messy code character string according to a preset decryption module library to obtain a decrypted messy code character string;
traversing the sensitive character strings in the preset sensitive character string library, and comparing the decrypted messy code character strings with each sensitive character string;
and judging whether a sensitive character string identical to the decrypted messy code character string exists in the preset sensitive character string library, if so, judging that the messy code character string is the encrypted sensitive character string in the preset sensitive character string library.
Optionally, the preset decryption module library includes one or more of a shift method, a substitution method, a parameter method, and an exclusive or method.
Optionally, the method further comprises: and if the messy code character string is not the encrypted sensitive character string in the preset sensitive character string library, skipping the messy code character string and judging the next messy code character string.
According to another aspect of the present invention, there is provided an apparatus for processing a malicious sample, the apparatus comprising:
the acquisition module is used for acquiring messy code character strings in the malicious sample;
the judging module is used for judging whether the messy code character string is an encrypted sensitive character string in a preset sensitive character string library or not;
and the output module is used for outputting the sensitive character string as the vector information of the malicious sample if the messy code character string is the encrypted sensitive character string in a preset sensitive character string library.
Optionally, the determining module is specifically configured to:
decrypting the messy code character string according to a preset decryption module library to obtain a decrypted messy code character string;
traversing the sensitive character strings in the preset sensitive character string library, and comparing the decrypted messy code character strings with each sensitive character string;
and judging whether a sensitive character string identical to the decrypted messy code character string exists in the preset sensitive character string library, if so, judging that the messy code character string is an encrypted sensitive character string in the preset sensitive character string library.
Optionally, the preset decryption module library includes one or more of a shift method, a substitution method, a parameter method, and an exclusive or method.
Optionally, the determining module is further configured to: and if the messy code character string is not the encrypted sensitive character string in the preset sensitive character string library, skipping the messy code character string and judging the next messy code character string.
According to still another aspect of the present invention, there is provided an electronic apparatus including: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space enclosed by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor reads the executable program codes stored in the memory to run programs corresponding to the executable program codes, and is used for executing the malicious sample processing method.
According to yet another aspect of the present invention, there is provided a computer readable storage medium storing one or more programs, the one or more programs being executable by one or more processors to implement the above-described method for processing a malicious sample.
The method comprises: obtaining messy code character strings in a malicious sample; judging whether a messy code character string is an encrypted form of a sensitive character string in a preset sensitive character string library; and, if it is, outputting that sensitive character string as vector information of the malicious sample. This solves the problem that no manufacturer collects and processes the messy code character string information in samples: the messy code character strings in the sample are put to use, the encrypted, meaningless continuous displayable character strings in the sample are restored and output in vector form, and more information is provided for subsequent judgment.
Drawings
Fig. 1 is a flowchart of a malicious sample processing method according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a malicious sample processing apparatus according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
Specific embodiments of a method, an apparatus, an electronic device, and a storage medium for processing a malicious sample according to embodiments of the present invention are described below with reference to the accompanying drawings.
Fig. 1 is a flowchart of a malicious sample processing method according to an embodiment of the present invention, and as shown in fig. 1, the method includes the following steps:
step S11: obtaining messy code character strings in the malicious sample;
step S12: judging whether the messy code character string is an encrypted sensitive character string in a preset sensitive character string library or not;
step S13: and if the messy code character string is the encrypted sensitive character string in the preset sensitive character string library, outputting the sensitive character string as vector information of the malicious sample.
The purpose of the invention is: in the process of extracting vector information from the malicious sample, the messy code character strings are utilized and attempted to be restored. And if the restoration is successful, outputting the restored character string in a vector form. Through the operation flow, the problem that no manufacturer collects the garbled character string information in the sample is solved, the garbled character string in the sample can be utilized, the encrypted meaningless continuous displayable character string in the sample is restored and output in a vector form, and more information is provided for subsequent judgment.
In some embodiments of the present invention, step S12 specifically includes:
decrypting the messy code character string according to the preset decryption module library to obtain a decrypted messy code character string;
traversing the sensitive character strings in a preset sensitive character string library, and comparing the decrypted messy code character strings with each sensitive character string;
and judging whether a sensitive character string which is the same as the decrypted messy code character string exists in the preset sensitive character string library, if so, judging that the messy code character string is the encrypted sensitive character string in the preset sensitive character string library.
In some embodiments of the present invention, the predetermined decryption module library includes one or more of a shift method, a substitution method, a parameter method, and an exclusive or method.
In some embodiments of the present invention, step S13 further includes: and if the messy code character string is not the encrypted sensitive character string in the preset sensitive character string library, skipping the messy code character string and judging the next messy code character string.
Specifically, the processing method of the malicious sample provided by the invention operates as follows:
Step 1: First, malicious character strings are collected and sorted from daily analysis, and a data set storing them is established, namely the preset sensitive character string library.
Step 2: From the decryption operations collected and sorted in daily analysis, a set of different decryption modules is established, namely the preset decryption module library, which comprises one or more of a shift method, a substitution method, a parameter (offset) method and an exclusive or method.
Step 3: When the vector information of a sample is scanned, the vector information of the messy code character strings in the sample is obtained.
Step 4: Using the preset sensitive character string library and the preset decryption module library, the messy code character strings are analyzed in turn, starting with the first. Specifically:
decrypting and restoring the messy code character string by using a decryption module in the preset decryption module library;
acquiring the sensitive character strings with the same length as the messy code character string from the preset sensitive character string library;
comparing the decrypted messy code character string with each sensitive character string of the same length and judging whether a sensitive character string identical to the decrypted messy code character string exists; if so, the messy code character string is judged to be an encrypted sensitive character string in the preset sensitive character string library, and the decryption is judged successful.
The decryption of the messy code character string philis No1Sy by the offset (staggered) method decryption module is explained as follows:
from the sensitive character string library, the sensitive character strings with the same length as philis No1Sy are obtained (here, the set of sensitive character strings of length 12; assume the first of them is Syphilis No1, the signature character string of the virus Trojan/Win32.Philis.A);
the offset method decryption module decrypts the messy code character string: moving philis No1Sy by one position gives the character string yphilis No1S;
this is judged to differ from the sensitive character string Syphilis No1;
and so on: moving by one position again gives the character string Syphilis No1;
this is judged to be identical to the sensitive character string Syphilis No1, and the decryption is judged successful.
If, with the offset method, the preset sensitive character string library has been traversed and no sensitive character string identical to the decrypted and restored messy code character string is found, the other decryption modules in the preset decryption module library, such as the shift method, the substitution method and the exclusive or method, are used for decryption and comparison. If all decryption modules of the preset decryption module library have been traversed and the preset sensitive character string library still contains no sensitive character string identical to the decrypted and restored messy code character string, the messy code character string is skipped, and the next messy code character string is decrypted and compared.
Step 5: After decryption succeeds, the sensitive character string that is identical to the decrypted and restored messy code character string is also output as a vector of the sample.
Step 6: The next messy code character string is processed in the same way, and so on.
In summary, when sample vector information is extracted, a garbled character string in a sample is analyzed. And traversing the garbled character string vector information in the sample. And traversing the sensitive character strings, and trying to restore the messy code character strings through a decryption module by combining each sensitive character string. And if the decryption is successful, the garbled character string is obtained by encrypting the sensitive character string, and the sensitive character string is also output to the vector information of the sample.
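The six-step procedure above, including the philis No1Sy walk-through, as an added Python example (not code from the patent). The function and module names and the Atbash table are assumptions made for illustration; "offset" is the page's parameter/staggered method, and the sample strings are the page's own examples.

```python
from collections import defaultdict
import string

# Step 1: sensitive-string library. Both entries are strings used as examples
# on the page; a real library holds many analyst-collected strings.
SENSITIVE_STRINGS = ["Syphilis No1", "I love you"]

# Hypothetical ciphertext -> plaintext table for the substitution module
# (Atbash, chosen only because it is a well-known fixed mapping table).
_AZ = string.ascii_lowercase
SUBSTITUTION_TABLES = {
    "atbash": str.maketrans(_AZ + _AZ.upper(), _AZ[::-1] + _AZ[::-1].upper()),
}


def rotations(s):
    """Offset method: s rotated right by k positions, for k = 1 .. len(s)-1."""
    for k in range(1, len(s)):
        yield k, s[-k:] + s[:-k]


def shifts(s):
    """Shift method: undo a right shift of k letters (k = 1..25); non-letters are kept."""
    for k in range(1, 26):
        out = []
        for ch in s:
            if ch.isascii() and ch.isalpha():
                base = ord("A") if ch.isupper() else ord("a")
                ch = chr((ord(ch) - base - k) % 26 + base)
            out.append(ch)
        yield k, "".join(out)


def substitutions(s):
    """Substitution method: apply every known mapping table."""
    for name, table in SUBSTITUTION_TABLES.items():
        yield name, s.translate(table)


def xors(s):
    """Exclusive or method: single-byte key, 1..255."""
    for key in range(1, 256):
        yield key, "".join(chr(ord(ch) ^ key) for ch in s)


# Step 2: decryption module library, tried in this order.
DECRYPTION_MODULES = [("offset", rotations), ("shift", shifts),
                      ("substitution", substitutions), ("xor", xors)]


def build_index(strings):
    """Group the sensitive strings by length so only same-length ones are compared."""
    by_len = defaultdict(set)
    for s in strings:
        by_len[len(s)].add(s)
    return by_len


def restore(garbled, index):
    """Step 4: return (module, parameter, sensitive string), or None if nothing matches."""
    candidates = index.get(len(garbled))
    if not candidates:
        return None  # every module here preserves length, so no match is possible
    for name, module in DECRYPTION_MODULES:
        for param, plain in module(garbled):
            if plain in candidates:
                return name, param, plain
    return None


def extract_vectors(garbled_strings, sensitive=SENSITIVE_STRINGS):
    """Steps 3-6: restore each garbled string; unmatched strings are skipped."""
    index = build_index(sensitive)
    hits = []
    for g in garbled_strings:
        found = restore(g, index)
        if found:
            hits.append((g, *found))
    return hits


if __name__ == "__main__":
    # Garbled strings taken from the page, plus one constructed non-match.
    for hit in extract_vectors(["philis No1Sy", "M pszi csy", "uI love yo", "qwertyuiop12"]):
        print(hit)
```

Each reported hit records which module and parameter restored the string, which gives an analyst the obfuscation scheme as well as the plaintext. Very short library entries are more likely to match by coincidence under this many trial parameters, so a minimum entry length is a reasonable addition.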
Fig. 2 is a schematic diagram of a malicious sample processing apparatus according to an embodiment of the present invention, as shown in fig. 2, the apparatus includes:
an obtaining module 201, configured to obtain a messy code character string in a malicious sample;
the judging module 202 is configured to judge whether the messy code character string is an encrypted sensitive character string in a preset sensitive character string library;
and the output module 203 is configured to output the sensitive character string as vector information of a malicious sample if the messy code character string is an encrypted sensitive character string in a preset sensitive character string library.
In some embodiments of the present invention, the determining module 202 is specifically configured to:
decrypting the messy code character string according to a preset decryption module library to obtain a decrypted messy code character string;
traversing the sensitive character strings in a preset sensitive character string library, and comparing the decrypted messy code character strings with each sensitive character string;
and judging whether a sensitive character string identical to the decrypted messy code character string exists in the preset sensitive character string library, if so, judging that the messy code character string is the encrypted sensitive character string in the preset sensitive character string library.
In some embodiments of the present invention, the predetermined decryption module library includes one or more of a shift method, a substitution method, a parameter method and an exclusive or method.
In some embodiments of the invention, the determining module 202 is further configured to: and if the messy code character string is not the encrypted sensitive character string in the preset sensitive character string library, skipping the messy code character string and judging the next messy code character string.
An embodiment of the present invention further provides an electronic device, fig. 3 is a schematic structural diagram of an embodiment of the electronic device of the present invention, and a flow of the embodiment shown in fig. 1-2 of the present invention can be implemented, as shown in fig. 3, where the electronic device may include: the device comprises a shell 31, a processor 32, a memory 33, a circuit board 34 and a power circuit 35, wherein the circuit board 34 is arranged inside a space enclosed by the shell 31, and the processor 32 and the memory 33 are arranged on the circuit board 34; a power supply circuit 35 for supplying power to each circuit or device of the electronic apparatus; the memory 33 is used for storing executable program codes; the processor 32 executes a program corresponding to the executable program code by reading the executable program code stored in the memory 33, for executing the program starting method according to any of the foregoing embodiments.
For the specific execution process of the above steps by the processor 32 and the steps further executed by the processor 32 by running the executable program code, reference may be made to the description of the embodiment shown in fig. 1-2 of the present invention, which is not described herein again.
The electronic device exists in a variety of forms including, but not limited to:
(1) A mobile communication device: such devices are characterized by mobile communications capabilities and are primarily targeted at providing voice, data communications. Such terminals include: smart phones (e.g., iphones), multimedia phones, functional phones, and low-end phones, among others.
(2) Ultra mobile personal computer device: the equipment belongs to the category of personal computers, has calculation and processing functions and generally has the characteristic of mobile internet access. Such terminals include: PDA, MID, and UMPC devices, etc., such as ipads.
(3) A portable entertainment device: such devices can display and play multimedia content. This kind of equipment includes: audio, video players (e.g., ipods), handheld game consoles, electronic books, and smart toys and portable car navigation devices.
(4) A server: the device for providing the computing service comprises a processor, a hard disk, a memory, a system bus and the like, and the server is similar to a general computer architecture, but has higher requirements on processing capacity, stability, reliability, safety, expandability, manageability and the like because of the need of providing high-reliability service.
(5) And other electronic equipment with data interaction function.
Embodiments of the present invention also provide a computer-readable storage medium storing one or more programs, which are executable by one or more processors to implement the aforementioned program startup method.
It should be noted that, in this document, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments.
In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
For convenience of description, the above devices are described separately in terms of functional division into various units/modules. Of course, the functionality of the units/modules may be implemented in one or more software and/or hardware implementations of the invention.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The method comprises: obtaining messy code character strings in a malicious sample; judging whether a messy code character string is an encrypted form of a sensitive character string in a preset sensitive character string library; and, if it is, outputting that sensitive character string as vector information of the malicious sample. This solves the problem that no manufacturer collects and processes the messy code character string information in samples: the messy code character strings in the sample are put to use, the encrypted, meaningless continuous displayable character strings in the sample are restored and output in vector form, more sample vector information can be output, other variants of the same virus can be discovered, and more information is provided for subsequent judgment. The method can be updated by updating the sensitive character string library and the decryption module library, which makes it easy to extend.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are also within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A method for processing a malicious sample, the method comprising:
obtaining messy code character strings in the malicious sample;
judging whether the messy code character string is an encrypted sensitive character string in a preset sensitive character string library or not;
and if the messy code character string is an encrypted sensitive character string in a preset sensitive character string library, outputting the sensitive character string as vector information of the malicious sample.
2. The method for processing the malicious sample according to claim 1, wherein the determining whether the garbled character string is an encrypted sensitive character string in a preset sensitive character string library includes:
decrypting the messy code character string according to a preset decryption module library to obtain a decrypted messy code character string;
traversing the sensitive character strings in the preset sensitive character string library, and comparing the decrypted messy code character strings with each sensitive character string;
and judging whether a sensitive character string identical to the decrypted messy code character string exists in the preset sensitive character string library, if so, judging that the messy code character string is an encrypted sensitive character string in the preset sensitive character string library.
3. The method for processing the malicious sample according to claim 2, wherein the preset decryption module library comprises one or more of a shift method, a substitution method, a parameter method and an exclusive or method.
4. The method of processing a malicious sample according to claim 1, further comprising: and if the messy code character string is not the encrypted sensitive character string in the preset sensitive character string library, skipping the messy code character string and judging the next messy code character string.
5. An apparatus for processing a malicious sample, the apparatus comprising:
the acquisition module is used for acquiring messy code character strings in the malicious sample;
the judging module is used for judging whether the messy code character string is an encrypted sensitive character string in a preset sensitive character string library or not;
and the output module is used for outputting the sensitive character string as the vector information of the malicious sample if the messy code character string is the encrypted sensitive character string in a preset sensitive character string library.
6. The apparatus for processing malicious samples according to claim 5, wherein the determining module is specifically configured to:
decrypting the messy code character string according to a preset decryption module library to obtain a decrypted messy code character string;
traversing the sensitive character strings in the preset sensitive character string library, and comparing the decrypted messy code character strings with each sensitive character string;
and judging whether a sensitive character string identical to the decrypted messy code character string exists in the preset sensitive character string library, if so, judging that the messy code character string is the encrypted sensitive character string in the preset sensitive character string library.
7. The apparatus for processing malicious samples according to claim 6, wherein the preset decryption module library comprises one or more of a shift method, a substitution method, a parameter method and an exclusive-OR method.
8. The apparatus for processing malicious samples according to claim 5, wherein the determining module is further configured to: if the messy code character string is not an encrypted sensitive character string in the preset sensitive character string library, skip the messy code character string and judge the next messy code character string.
9. An electronic device, characterized in that the electronic device comprises: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space enclosed by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, and is used for executing the malicious sample processing method of any one of the preceding claims 1 to 4.
10. A computer readable storage medium, characterized in that the computer readable storage medium stores one or more programs which are executable by one or more processors to implement the method of processing a malicious sample as claimed in any one of the preceding claims 1 to 4.
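The matching procedure of claims 1 to 4, written out as an added Python example that is not part of the patent text or the applicant's code. The sensitive-string library, the sample strings and the alphabet-reversal substitution table are constructed assumptions; the "parameter method" of claim 3 is left out because the claims do not define it.

```python
import string

# Constructed stand-in for the preset sensitive character string library.
SENSITIVE_LIBRARY = {b"CreateRemoteThread", b"VirtualAllocEx", b"cmd.exe"}

def shift_module(data):
    """Byte-wise shift: try every non-zero key, yield (label, candidate)."""
    for key in range(1, 256):
        yield f"shift-{key}", bytes((b - key) % 256 for b in data)

def xor_module(data):
    """Single-byte exclusive-OR: try every non-zero key."""
    for key in range(1, 256):
        yield f"xor-{key:#04x}", bytes(b ^ key for b in data)

# Assumed substitution table: alphabet reversal (its own inverse).
_ATBASH = bytes.maketrans(
    (string.ascii_lowercase + string.ascii_uppercase).encode(),
    (string.ascii_lowercase[::-1] + string.ascii_uppercase[::-1]).encode())

def substitution_module(data):
    """Fixed-table substitution; other bytes pass through unchanged."""
    yield "substitution-atbash", data.translate(_ATBASH)

DECRYPTION_LIBRARY = [shift_module, substitution_module, xor_module]

def match_sensitive(garbled):
    """Claim 2: decrypt with each module, compare with every library entry."""
    for module in DECRYPTION_LIBRARY:
        for label, candidate in module(garbled):
            if candidate in SENSITIVE_LIBRARY:
                return label, candidate
    return None

def extract_vector_info(garbled_strings):
    """Claims 1 and 4: output matches, skip strings that match nothing."""
    hits = []
    for garbled in garbled_strings:
        hit = match_sensitive(garbled)
        if hit is None:
            continue  # claim 4: move on to the next messy code string
        hits.append((garbled, *hit))
    return hits

# Constructed messy code strings: three encoded entries and one non-match.
SAMPLE_STRINGS = [
    bytes(b ^ 0x5A for b in b"CreateRemoteThread"),
    bytes((b + 3) % 256 for b in b"cmd.exe"),
    b"VirtualAllocEx".translate(_ATBASH),
    b"\x01\x02\x03\x04",
]
```

Each hit carries the original bytes, the module and key that decoded them, and the recovered sensitive string, which is the information the output step of claim 1 reports.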
CN201910896781.XA 2019-09-20 2019-09-20 Malicious sample processing method and device, electronic equipment and storage medium Active CN110659490B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910896781.XA CN110659490B (en) 2019-09-20 2019-09-20 Malicious sample processing method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910896781.XA CN110659490B (en) 2019-09-20 2019-09-20 Malicious sample processing method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN110659490A CN110659490A (en) 2020-01-07
CN110659490B true CN110659490B (en) 2023-02-24

Family

ID=69038327

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910896781.XA Active CN110659490B (en) 2019-09-20 2019-09-20 Malicious sample processing method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN110659490B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113434860A (en) * 2021-07-22 2021-09-24 安天科技集团股份有限公司 Virus detection method and device, computing equipment and storage medium

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103150293A (en) * 2011-12-06 2013-06-12 富泰华工业(深圳)有限公司 Electronic device with messy code recovery function and messy code recovery method
CN104424165A (en) * 2013-09-06 2015-03-18 北大方正集团有限公司 Messy code detection method and system for text documents
CN105354496A (en) * 2015-10-10 2016-02-24 邱寅峰 Detection method and system of malicious program automatically generated on Android platform
CN105488399A (en) * 2014-12-08 2016-04-13 哈尔滨安天科技股份有限公司 Script virus detection method and system based on program keyword calling sequence
CN105975858A (en) * 2015-12-08 2016-09-28 武汉安天信息技术有限责任公司 Method and system for malicious code detection based on virtual technology in Android system
CN106487771A (en) * 2015-09-01 2017-03-08 阿里巴巴集团控股有限公司 The acquisition methods of intrusion behavior and device
US9646158B1 (en) * 2015-06-22 2017-05-09 Symantec Corporation Systems and methods for detecting malicious files
CN110020430A (en) * 2019-03-01 2019-07-16 新华三信息安全技术有限公司 A kind of fallacious message recognition methods, device, equipment and storage medium
CN110059455A (en) * 2019-04-09 2019-07-26 北京迈格威科技有限公司 Code encryption method, apparatus, electronic equipment and computer readable storage medium
CN110147671A (en) * 2019-05-29 2019-08-20 北京奇安信科技有限公司 Text string extracting method and device in a kind of program

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101122650B1 (en) * 2010-04-28 2012-03-09 한국전자통신연구원 Apparatus, system and method for detecting malicious code injected with fraud into normal process
WO2018184102A1 (en) * 2017-04-03 2018-10-11 Royal Bank Of Canada Systems and methods for malicious code detection
CN107995198A (en) * 2017-12-05 2018-05-04 北京知道创宇信息技术有限公司 Information processing method, device, electronic equipment and storage medium
US10642970B2 (en) * 2017-12-12 2020-05-05 John Almeida Virus immune computer system and method
CN108304721A (en) * 2018-03-21 2018-07-20 河北师范大学 A kind of malicious code detection system
CN109992969B (en) * 2019-03-25 2023-03-21 腾讯科技(深圳)有限公司 Malicious file detection method and device and detection platform

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103150293A (en) * 2011-12-06 2013-06-12 富泰华工业(深圳)有限公司 Electronic device with messy code recovery function and messy code recovery method
CN104424165A (en) * 2013-09-06 2015-03-18 北大方正集团有限公司 Messy code detection method and system for text documents
CN105488399A (en) * 2014-12-08 2016-04-13 哈尔滨安天科技股份有限公司 Script virus detection method and system based on program keyword calling sequence
US9646158B1 (en) * 2015-06-22 2017-05-09 Symantec Corporation Systems and methods for detecting malicious files
CN106487771A (en) * 2015-09-01 2017-03-08 阿里巴巴集团控股有限公司 The acquisition methods of intrusion behavior and device
CN105354496A (en) * 2015-10-10 2016-02-24 邱寅峰 Detection method and system of malicious program automatically generated on Android platform
CN105975858A (en) * 2015-12-08 2016-09-28 武汉安天信息技术有限责任公司 Method and system for malicious code detection based on virtual technology in Android system
CN106855926A (en) * 2015-12-08 2017-06-16 武汉安天信息技术有限责任公司 Malicious code detecting method, system and a kind of mobile terminal under Android system
CN110020430A (en) * 2019-03-01 2019-07-16 新华三信息安全技术有限公司 A kind of fallacious message recognition methods, device, equipment and storage medium
CN110059455A (en) * 2019-04-09 2019-07-26 北京迈格威科技有限公司 Code encryption method, apparatus, electronic equipment and computer readable storage medium
CN110147671A (en) * 2019-05-29 2019-08-20 北京奇安信科技有限公司 Text string extracting method and device in a kind of program

Also Published As

Publication number Publication date
CN110659490A (en) 2020-01-07

Similar Documents

Publication Publication Date Title
Barmpatsalou et al. A critical review of 7 years of Mobile Device Forensics
CN111030986B (en) Attack organization traceability analysis method and device and storage medium
US10586026B2 (en) Simple obfuscation of text data in binary files
CN113141335B (en) Network attack detection method and device
US10255431B2 (en) System and method of detecting unwanted software
Nguyen et al. Detecting repackaged android applications using perceptual hashing
Thomas et al. Memory foreshadow: memory forensics of hardware cryptocurrency wallets–a tool and visualization framework
CN112256275B (en) Code confusion method, device, electronic equipment and medium
CN110659490B (en) Malicious sample processing method and device, electronic equipment and storage medium
CN111753312B (en) Data processing method, device, equipment and system
CN107070845B (en) System and method for detecting phishing scripts
CN109145589B (en) Application program acquisition method and device
CN108804917B (en) File detection method and device, electronic equipment and storage medium
CN111027065B (en) Leucavirus identification method and device, electronic equipment and storage medium
CN112395603B (en) Vulnerability attack identification method and device based on instruction execution sequence characteristics and computer equipment
CN115552401A (en) Fast application detection method, device, equipment and storage medium
CN110611675A (en) Vector magnitude detection rule generation method and device, electronic equipment and storage medium
CN109313688A (en) Key generates source determining device, key generates source and determines that method and key generate source and determine program
CN111027063A (en) Method, device, electronic equipment and storage medium for preventing terminal from infecting worm
CN114338102B (en) Security detection method, security detection device, electronic equipment and storage medium
Bokolo et al. Hybrid analysis based cross inspection framework for android malware detection
Fasano et al. Spyware Detection using Temporal Logic.
CN113779576A (en) Identification method and device for executable file infected virus and electronic equipment
CN108875363B (en) Method and device for accelerating virtual execution, electronic equipment and storage medium
CN108881151B (en) Joint-point-free determination method and device and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 150028 building 7, innovation and entrepreneurship square, science and technology innovation city, Harbin high tech Industrial Development Zone, Harbin, Heilongjiang Province (No. 838, Shikun Road)

Applicant after: Antan Technology Group Co.,Ltd.

Address before: 150028 building 7, innovation and entrepreneurship square, science and technology innovation city, Harbin high tech Industrial Development Zone, Harbin, Heilongjiang Province (No. 838, Shikun Road)

Applicant before: Harbin Antian Science and Technology Group Co.,Ltd.

GR01 Patent grant