CN110879889A - Method and system for detecting malicious software of Windows platform - Google Patents

Method and system for detecting malicious software of Windows platform

Info

Publication number: CN110879889A
Application number: CN201911182844.1A
Authority: CN (China)
Prior art keywords: application program, malicious software, malware, unique identifier, windows platform
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventors: 刘思思, 叶明�
Current assignee: HONGXU INFORMATION TECHNOLOGY Co Ltd WUHAN (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: HONGXU INFORMATION TECHNOLOGY Co Ltd WUHAN

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

An embodiment of the invention provides a method and system for detecting malware on the Windows platform. The method comprises: extracting a unique identifier of the application program to be detected and matching it against a pre-established library of malware unique identifiers; if the match fails, monitoring abnormal traffic and the various sensitive behaviors of the application program while it runs; and computing the weighted value of the abnormal traffic and the weighted values of the sensitive behaviors to obtain a feature value for the application program, which is judged to be malware if the feature value exceeds a preset threshold. Compared with traditional detection, the method has a narrower detection scope and relatively simple detection rules, so it consumes fewer system resources, and the detection means can be adjusted without modifying the system architecture, so that new attacks can still be detected.

Description

Method and system for detecting malicious software of Windows platform
Technical Field
The invention relates to the technical field of computer security, in particular to a method and a system for detecting malicious software of a Windows platform.
Background
Security incidents caused by Windows malware occur frequently. In the face of such network security threats, the detection of Windows malware faces severe challenges, and at the same time there is an urgent need for methods that improve the analysis and forensic capability against Windows malware, so that countermeasures against attackers can be strengthened.
Disclosure of Invention
Embodiments of the present invention provide a method and system for detecting malware on the Windows platform that overcome, or at least partially solve, the above problems.
In a first aspect, an embodiment of the present invention provides a method for detecting malware on the Windows platform, comprising:
extracting a unique identifier of the application program to be detected and matching it against a pre-established library of malware unique identifiers;
if the match fails, monitoring abnormal traffic and the various sensitive behaviors of the application program while it runs;
and computing the weighted value of the abnormal traffic and the weighted values of the sensitive behaviors to obtain a feature value for the application program; if the feature value exceeds a preset threshold, the application program is judged to be malware.
Further, matching the unique identifier against the pre-established library of malware unique identifiers also includes:
if the match succeeds, the application program to be detected is judged to be malware.
Further, the method for detecting malware on the Windows platform also includes:
if the application program has been judged to be malware, determining its type;
if it is an application program of the first type, locating in its source code the code segment that causes the abnormal traffic and sensitive behavior, performing breakpoint debugging on that code segment, and taking the code segment together with the debugging result as the forensic result.
Further, the method for detecting malware on the Windows platform also includes:
if it is an application program of the second type, first running the application program, searching for abnormal data in its runtime environment, state and prompt information, then debugging selected parts of the code in a targeted manner according to what was found, so as to obtain the code segment that causes the abnormal traffic and sensitive behavior; the abnormal data and that code segment are taken together as the forensic result.
Further, monitoring the traffic of the application program while it runs specifically comprises:
obtaining a group of callback functions by obtaining the pointer to the structure that describes the NDIS miniport driver in the Windows system;
and monitoring, through those callback functions, the total traffic of the Windows system and the traffic of each application program.
Further, monitoring the sensitive behaviors of the application program while it runs specifically comprises:
monitoring whether the application program repeatedly acquires and modifies user privacy data and/or remotely operates on files within a certain period of time.
Further, judging the application program to be malware also includes:
adding the unique identifier of the application program to the library of malware unique identifiers.
In a second aspect, an embodiment of the present invention provides a system for detecting malware on the Windows platform, comprising:
a file information acquisition module for extracting the unique identifier of the application program to be detected;
a security policy module for matching the unique identifier against a pre-established library of malware unique identifiers;
an abnormal traffic detection module for monitoring abnormal traffic of the application program while it runs when the match fails;
a sensitive behavior detection module for monitoring sensitive behaviors of the application program while it runs when the match fails;
the security policy module being further configured to compute the weighted value of the abnormal traffic and the weighted values of the sensitive behaviors, obtain a feature value for the application program, and judge the application program to be malware if the feature value exceeds a preset threshold.
In a third aspect, an embodiment of the present invention provides an electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the method of the first aspect when it executes the program.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the method of the first aspect.
The method and system for detecting malware on the Windows platform provided by the embodiments of the invention have the following advantages:
① Timeliness: compared with traditional detection, the method has a narrower detection scope and relatively simple detection rules, so the overhead on system resources is reduced;
② Extensibility: the detection means can be adjusted without modifying the system architecture, so that new attacks can still be detected.
Drawings
To illustrate the embodiments of the present invention more clearly, the drawings used in their description are briefly introduced below. The drawings show only some embodiments of the invention; those skilled in the art can derive other drawings from them without creative effort.
FIG. 1 is a flowchart of a method for detecting malware on the Windows platform according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of malware detection on the Windows platform according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a malware detection system for the Windows platform according to another embodiment of the present invention;
FIG. 4 is a schematic physical structure diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments clearer, the technical solutions of the embodiments are described below completely with reference to the drawings. The described embodiments are some, not all, of the embodiments of the invention; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the scope of protection of the invention.
Fig. 1 is a flowchart of a method for detecting malware on the Windows platform according to an embodiment of the present invention. As shown in Fig. 1, the method includes:
S101, extracting the unique identifier of the application program to be detected and matching it against a pre-established library of malware unique identifiers.
In this embodiment the unique identifier of an application program is obtained by collecting the program's file type, file description, file attributes and digital signature information and computing a combined value over them.
The embodiment maintains a blacklist, i.e. a library of unique identifiers of known malware. It first extracts the unique identifier of the application program to be detected and matches it against this library; if the match succeeds, the program can be directly determined to be malware.
S102, if the match fails, monitoring abnormal traffic and the various sensitive behaviors of the application program while it runs.
If the match fails, the embodiment further monitors the abnormal traffic and the various sensitive behaviors of the application program while it runs. This is based on how such malware operates: it usually runs silently on the target computer, sends status information to a remote server once it has started successfully, then receives instructions from the remote server and performs a series of malicious actions, such as viewing, modifying, renaming, deleting and downloading files on the target computer, stealing user accounts, passwords, key file contents and WeChat and QQ chat records, and finally uploading this data to the remote server over the network in order to steal the user's privacy. Transmitting the user's data makes the uplink traffic rise sharply, so a traffic indicator is one basis for distinguishing normal software from privacy-stealing malware. In this embodiment the abnormal traffic condition is that the uplink traffic is far greater than the downlink traffic.
The embodiment defines reading user privacy data, remotely operating on user files and similar actions as sensitive behaviors. Normal software also performs such actions, but the kinds of behavior and their correlation in time differ greatly from malware: stealing user privacy or remotely operating on files is not completed in a single exchange with the remote server, and an attacker, to get the most out of the compromise, repeats these actions at intervals, so the repetition of sensitive behaviors over time is another basis for distinguishing malware.
S103, computing the weighted values of the abnormal traffic and of the various sensitive behaviors to obtain a feature value for the application program; if the feature value exceeds a preset threshold, the application program is judged to be malware.
In this embodiment a weight is assigned to the abnormal traffic and to each kind of sensitive behavior; the weights may be equal or different. For example, each indicator is marked 1 when the corresponding abnormal traffic or sensitive behavior occurs and 0 otherwise. If the weight of abnormal traffic is 0.5, the weight of type-A sensitive behavior is 0.3, the weight of type-B sensitive behavior is 0.8 and the weight of type-C sensitive behavior is 0.5, and only the three sensitive behaviors are observed (the abnormal-traffic indicator is 0, so its weight of 0.5 does not contribute), the feature value of the application program is 1 × 0.3 + 1 × 0.8 + 1 × 0.5 = 1.6. With a preset threshold of 1, the application program is judged to be malware.
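The three steps S101 to S103 as one runnable decision routine, written here as an added example in Python; it is not code from the patent or from the assignee. Everything the patent leaves unspecified is an assumption and is marked as such in the comments: SHA-256 over the four file fields as the combined calculation of the identifier, an uplink/downlink byte ratio of 10 as "far greater", "repeatedly within a certain period of time" as at least three events of one category inside a 10-minute window, and the weights 0.5/0.3/0.8/0.5 with threshold 1 taken from the text's own example. The file records and the event log are constructed, not real samples.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class FileInfo:
    """The four fields the patent says feed the unique identifier."""
    file_type: str      # e.g. "PE32+ executable (GUI) x86-64"
    description: str    # FileDescription from the version resource
    attributes: str     # e.g. "archive,hidden"
    signature: str      # signer certificate thumbprint, "" if unsigned


def unique_identifier(info: FileInfo) -> str:
    # Assumption: SHA-256 over the fields. The 0x1F separator cannot appear in
    # the fields, so ("ab", "c") and ("a", "bc") get different identifiers.
    material = "\x1f".join((info.file_type, info.description,
                            info.attributes, info.signature))
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def abnormal_traffic(up_bytes: int, down_bytes: int, ratio: float = 10.0) -> bool:
    # Patent criterion: uplink far greater than downlink; the ratio is assumed.
    return up_bytes > ratio * max(down_bytes, 1)


def repeated_behaviors(events: Iterable[Tuple[float, str]],
                       window_s: float = 600.0, min_count: int = 3) -> Dict[str, bool]:
    # events: (timestamp in seconds, behavior category). A category is flagged
    # when at least min_count of its events fall inside one sliding window.
    by_cat: Dict[str, List[float]] = {}
    for ts, cat in events:
        by_cat.setdefault(cat, []).append(ts)
    flags: Dict[str, bool] = {}
    for cat, times in by_cat.items():
        times.sort()
        start, hit = 0, False
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1
            if end - start + 1 >= min_count:
                hit = True
                break
        flags[cat] = hit
    return flags


# Weights and threshold taken from the worked example in S103.
WEIGHTS = {"traffic": 0.5, "A": 0.3, "B": 0.8, "C": 0.5}
THRESHOLD = 1.0


def feature_value(traffic_flag: bool, behavior_flags: Dict[str, bool],
                  weights: Dict[str, float] = WEIGHTS) -> float:
    # Weighted sum of 0/1 indicators: an indicator contributes its weight only
    # when the corresponding abnormal traffic or behavior was observed.
    total = weights["traffic"] if traffic_flag else 0.0
    for cat, weight in weights.items():
        if cat != "traffic" and behavior_flags.get(cat, False):
            total += weight
    return total


class Detector:
    def __init__(self, blacklist: Iterable[str] = ()):
        self.blacklist = set(blacklist)   # the malware unique-identifier library

    def classify(self, info: FileInfo, up_bytes: int, down_bytes: int,
                 events: Iterable[Tuple[float, str]]) -> Tuple[str, float]:
        uid = unique_identifier(info)
        if uid in self.blacklist:                      # S101: known sample
            return "known_malware", float("inf")
        score = feature_value(abnormal_traffic(up_bytes, down_bytes),  # S102
                              repeated_behaviors(events))
        if score > THRESHOLD:                          # S103
            self.blacklist.add(uid)   # feed the verdict back into the library
            return "malware", score
        return "benign", score


# Constructed inputs, not real samples.
KNOWN_BAD = FileInfo("PE32 executable (GUI) x86", "svchost", "archive", "")
SAMPLE = FileInfo("PE32+ executable (GUI) x86-64", "Update Helper", "archive,hidden", "")
CLEAN = FileInfo("PE32+ executable (GUI) x86-64", "Notepad", "archive", "a1b2c3")
# Three A, B and C events within three minutes: the repetition the patent describes.
EVENTS = [(float(t), cat) for t in (0, 120, 240) for cat in ("A", "B", "C")]


def demo() -> List[Tuple[str, float]]:
    d = Detector([unique_identifier(KNOWN_BAD)])
    return [d.classify(KNOWN_BAD, 0, 0, []),                # hits the blacklist
            d.classify(SAMPLE, 1_000, 50_000, EVENTS),      # 0.3 + 0.8 + 0.5 = 1.6 > 1
            d.classify(SAMPLE, 0, 0, []),                    # now blacklisted too
            d.classify(CLEAN, 100, 100_000, [(0.0, "A")])]   # one event: score 0.0


if __name__ == "__main__":
    for verdict, score in demo():
        print(verdict, score)
```

The separator in `unique_identifier` matters more than the hash choice: concatenating the fields without one lets two different programs collide on the identifier, which would let a benign file inherit a blacklist verdict. The sliding window in `repeated_behaviors` is what turns "repeatedly within a certain time" into something measurable; three events spread over an hour do not count.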
The advantages and positive effects of this embodiment are the timeliness and extensibility already stated above: the narrower detection scope and simpler detection rules reduce the overhead on system resources, and the detection means can be adjusted to new attacks without modifying the system architecture.
On the basis of the foregoing embodiments, as an optional embodiment, matching the unique identifier against the pre-established library of malware unique identifiers also includes: if the match succeeds, the application program to be detected is judged to be malware.
On the basis of the foregoing embodiments, as an optional embodiment, the method for detecting malware on the Windows platform also includes:
if the application program has been judged to be malware, determining its type;
if it is an application program of the first type, locating in its source code the code segment that causes the abnormal traffic and sensitive behavior, performing breakpoint debugging on that code segment, and taking the code segment together with the debugging result as the forensic result.
Once the application program has been found to be malware, the embodiment also performs forensics on it, and the first step of forensics is to determine the program's type. The embodiment divides application programs into simply encrypted or obfuscated programs (the first type) and packed or strongly encrypted and obfuscated programs (the second type). For the first type a static-then-dynamic forensic approach is used: the code blocks that invoke the privileged services behind the sensitive behaviors are found by analysing the source code, and the malicious behavior is confirmed by targeted breakpoint debugging and testing. For the second type a dynamic-then-static approach is used: a point of entry is found by observing the environment, state and prompt information of the malware while it runs, and static analysis then proceeds from there to confirm the malicious behavior.
Specifically, if the application program is of the first type, the code segment that causes the abnormal traffic and sensitive behavior is located in its source code, breakpoint debugging is performed on that code segment, and the code segment and the debugging result are taken as the forensic result.
If the application program is of the second type, it is run first; abnormal data is searched for in its runtime environment, state and prompt information; selected parts of the code are then debugged in a targeted manner on the basis of what was found, yielding the code segment that causes the abnormal traffic and sensitive behavior; and the abnormal data together with that code segment form the forensic result.
The embodiment collects evidence of the malware's malicious behavior by reading the program's source code. Static analysis does not require executing the malware and allows fine-grained analysis of the code, but for the same reason, once the key data is hidden deeply enough, the amount of code to examine grows sharply and the technique becomes hard to apply; dynamic analysis, on the other hand, captures only the coarse runtime characteristics of the program and cannot precisely locate malicious behavior. The invention combines the two: static analysis supplies clues for dynamic analysis, and dynamic analysis performs breakpoint debugging or log printing at those clues, so that the infection process and malicious behavior of the malware can be located efficiently.
On the basis of the foregoing embodiments, as an optional embodiment, monitoring the traffic of the application program while it runs specifically comprises:
obtaining a group of callback functions by obtaining the pointer to the structure that describes the NDIS miniport driver in the Windows system;
and monitoring, through those callback functions, the total traffic of the Windows system and the traffic of each application program. The patent names neither the structure nor the callbacks. A practitioner should note that reading a miniport's handler table directly depends on undocumented NDIS internals that change between Windows releases; the supported ways to see the same frames are an NDIS lightweight filter driver or a Windows Filtering Platform callout. Neither NDIS nor a raw frame carries a process identity, so attributing traffic to an application additionally requires the WFP ALE layers or an equivalent socket-to-process mapping.
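The per-application and system-wide accounting that the NDIS callbacks are meant to feed, as an added example in Python run over a constructed packet trace instead of inside a driver; it is not the patent's or the assignee's code. Assumptions, all marked in the comments: each record already carries the owning process id (at the NDIS layer a frame has no process context, so a real implementation resolves it through WFP ALE or a socket table); 60-second buckets; "rises sharply" means a bucket whose uplink bytes exceed five times the mean uplink of the preceding bucket slots; and "far greater than downlink" means ten times. The trace itself is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since capture start
    pid: int         # owning process; assumed already resolved (see lead-in)
    outbound: bool   # True = uplink (host to network)
    size: int        # bytes on the wire


@dataclass
class Counters:
    up: int = 0
    down: int = 0
    up_per_bucket: Dict[int, int] = field(default_factory=dict)  # bucket index -> uplink bytes


def account(packets: Iterable[Packet],
            bucket_s: float = 60.0) -> Tuple[Counters, Dict[int, Counters]]:
    """Totals for the whole system and per process, with uplink split into time buckets."""
    total = Counters()
    per_pid: Dict[int, Counters] = defaultdict(Counters)
    for p in packets:
        for c in (total, per_pid[p.pid]):
            if p.outbound:
                c.up += p.size
                b = int(p.ts // bucket_s)
                c.up_per_bucket[b] = c.up_per_bucket.get(b, 0) + p.size
            else:
                c.down += p.size
    return total, dict(per_pid)


def uplink_surge(c: Counters, factor: float = 5.0) -> bool:
    """True if some bucket's uplink exceeds factor times the mean uplink of all
    earlier bucket slots (empty slots count as zero). Assumed definition."""
    if not c.up_per_bucket:
        return False
    buckets = sorted(c.up_per_bucket)
    first, seen = buckets[0], 0
    for b in buckets:
        if b > first:
            mean = seen / (b - first)
            if c.up_per_bucket[b] > factor * max(mean, 1.0):
                return True
        seen += c.up_per_bucket[b]
    return False


def exfil_candidates(per_pid: Dict[int, Counters], ratio: float = 10.0,
                     factor: float = 5.0) -> List[int]:
    """Processes whose uplink is far greater than their downlink or rose sharply."""
    return sorted(pid for pid, c in per_pid.items()
                  if c.up > ratio * max(c.down, 1) or uplink_surge(c, factor))


# Constructed trace (not a real capture): pid 4242 beacons quietly for three
# minutes, then pushes 3 MB out while receiving almost nothing; pid 1337
# behaves like a download-heavy client with small request traffic.
TRACE: List[Packet] = []
for minute in range(3):
    TRACE += [Packet(minute * 60 + 5, 4242, True, 300),
              Packet(minute * 60 + 6, 4242, False, 200)]
    TRACE += [Packet(minute * 60 + s, 1337, False, 15_000) for s in range(0, 60, 5)]
    TRACE += [Packet(minute * 60 + s, 1337, True, 400) for s in range(0, 60, 10)]
TRACE += [Packet(180 + s, 4242, True, 60_000) for s in range(50)]


if __name__ == "__main__":
    total, per_pid = account(TRACE)
    print("system up/down:", total.up, total.down)
    for pid, c in sorted(per_pid.items()):
        print(pid, "up/down:", c.up, c.down, "surge:", uplink_surge(c))
    print("exfiltration candidates:", exfil_candidates(per_pid))
```

The two checks in `exfil_candidates` catch different things: the ratio flags a process whose whole lifetime is upload-dominated, while `uplink_surge` flags the moment a previously quiet process starts pushing data, which is the pattern the patent describes (silent run, beacon, then bulk upload). The download-heavy process 1337 trips neither, which is the false-positive case a browser or updater would otherwise produce.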
On the basis of the foregoing embodiments, as an optional embodiment, monitoring the sensitive behaviors of the application program while it runs specifically comprises:
monitoring whether the application program repeatedly acquires and modifies user privacy data and/or remotely operates on files within a certain period of time.
On the basis of the foregoing embodiments, as an optional embodiment, judging the application program to be malware also includes:
adding the unique identifier of the application program to the library of malware unique identifiers.
Fig. 2 is a schematic structural diagram of malware detection on the Windows platform according to an embodiment of the present invention. As shown in Fig. 2, it comprises a file information acquisition module 201, a security policy module 202, an abnormal traffic detection module 203 and a sensitive behavior detection module 204, where:
the file information acquisition module 201 extracts the unique identifier of the application program to be detected;
the security policy module 202 matches the unique identifier against a pre-established library of malware unique identifiers;
the abnormal traffic detection module 203 monitors the abnormal traffic of the application program while it runs when the match fails;
the sensitive behavior detection module 204 monitors the sensitive behaviors of the application program while it runs when the match fails;
the security policy module 202 also computes the weighted value of the abnormal traffic and the weighted values of the sensitive behaviors, obtains a feature value for the application program, and judges the application program to be malware if the feature value exceeds a preset threshold.
The malware detection system for the Windows platform of this embodiment executes the flow of the method embodiments described above; refer to those embodiments for the details, which are not repeated here. The system has the same advantages and positive effects as the method: reduced resource overhead from the narrower detection scope and simpler detection rules, and extensibility to new attacks without modifying the system architecture.
Fig. 3 is a schematic structural diagram of a malware detection system for the Windows platform according to another embodiment of the present invention. As shown in Fig. 3, it comprises a malware detection apparatus 100, a malware forensics apparatus 200 and a forensic report generation apparatus 300. Specifically, the malware detection apparatus 100 comprises a file information acquisition module 101, an abnormal traffic detection module 102, a sensitive behavior detection module 103 and a security policy module 104, and the malware forensics apparatus 200 comprises a static reverse forensics module 201 and a dynamic debugging forensics module 202.
The malware detection apparatus 100 interacts with the malware forensics apparatus 200 to implement, respectively, malware detection and malware forensics on the Windows platform;
the malware forensics apparatus 200 interacts with the forensic report generation apparatus 300 to locate and analyse the malware's malicious behavior and to record the live data in detail, so that the network event can be reproduced if forensics is required later;
the file information acquisition module 101, the abnormal traffic detection module 102 and the sensitive behavior detection module 103 interact with the security policy module 104: the data collected by the three detection methods is sent to the security policy module 104 for analysis, which finally determines whether the application program is malware;
the static reverse forensics module 201 interacts with the dynamic debugging forensics module 202: the dynamic debugging forensics module 202 debugs the program code specifically at the clues provided by the static reverse forensics module 201, so that malicious behavior is located more efficiently.
The workflow of the malware detection apparatus 100 is as follows:
A. The file information acquisition module handles detection of known malware. It analyses malware samples, extracts a signature that uniquely identifies each sample program and builds a signature library for malware detection. During an investigation, a target file that contains a signature from the library is judged to be malware. The security policy module maintains the malware blacklist on this basis: the signatures of known malware programs are stored in the blacklist, and the malware library is extended and refined as detections accumulate day by day. The system matches application program files through this blacklist mechanism, and a successful match means the file is considered malware.
B. The abnormal traffic detection module is designed around the way privacy-stealing malware operates. Such malware mostly runs silently on the target computer; after it has attached successfully it sends status information to a remote server, then receives the server's instructions and performs a series of malicious actions, such as reading user credentials, key files and WeChat and QQ chat records, and finally transmits this data to the remote server over the network in order to steal the user's privacy. Transmitting the user's data makes the uplink traffic rise sharply, so the traffic indicator is one basis for distinguishing normal software from malware.
C. Reading and modifying user privacy data and tampering with user files are defined as sensitive behaviors. Normal software also performs such actions, but the kinds of behavior and their correlation in time differ greatly from malware: stealing user privacy or consuming user resources is not transmitted to the remote server in one go, and an attacker, to obtain the greatest benefit, repeats the sensitive behaviors at intervals, so their repetition in time is one basis for distinguishing malware.
Sensitive behaviors are collected on the basis of the UAC mechanism of the Windows platform. Its main function is that when the user performs an operation that affects system security, such as installing or uninstalling a program, adding or deleting a user account, or adding to or modifying the registry, UAC is triggered automatically and the operation is executed only after the user confirms it. Taking the acquisition of the user's account and password as an example: when malware wants to steal the account and password the user is logged in with, it must request elevated privileges from the system service. It first sends a request to access the user's account and password to a system process; the system process checks whether the application program holds the corresponding privilege and, if the request is legitimate, responds to it and returns the result of the operation to the requesting application. The sensitive behavior detection module records the program's sensitive behaviors and their timing pattern and sends them to the security policy module for further analysis. A caveat for practitioners: UAC prompts only on elevation and Microsoft does not treat it as a security boundary, so sensitive actions that need no elevation, such as reading files or application data the current user can already access, never pass through it and must be observed by other means, for example file-system minifilter and registry callbacks or ETW providers.
D. All information collected by the three means is sent to the security policy module, which evaluates all the data together to make the final malware determination.
The security policy module builds and maintains the malware blacklist for identifying known malware. It first constructs a model of normal user behavior, then compares the actually monitored behavior against it, and computes the program's weighted value from the basic information supplied by the abnormal traffic detection module and the sensitive behavior detection module; once the weighted value exceeds the defined threshold, the application program is regarded as suspected malware and handed to the malware forensics module for further analysis. In general, normal application programs do not modify or transmit the user's credentials and chat records, whereas malware does so with very high frequency while running, so such operations carry a high weight; residing in memory, by contrast, is done by normal application programs as well as malware, so it carries a low weight. The security policy module must be highly sensitive to the user's normal state in order to reduce the likelihood of false alarms.
The workflow of the malware forensics device 200 includes the following steps:
A. The static reverse forensics module obtains evidence of the malware's malicious behavior by reading the application's source code. Static analysis does not need to execute the malware program, so on the one hand it can analyze the code at fine granularity; on the other hand, because of this very characteristic, once key data are hidden too deeply the amount of code to examine rises sharply and the technique becomes difficult to apply. The dynamic analysis method, in turn, can only roughly capture the dynamic characteristics of program execution and cannot precisely locate malicious behavior. In the combined static and dynamic analysis method, static analysis provides clues for dynamic analysis, and dynamic analysis performs breakpoint debugging or log printing targeted at those clues, so the infection process and malicious behavior of the malware can be located efficiently;
Each application installed on the Windows platform can be decompiled to generate corresponding assembly code, which is then analyzed. The OEP (original entry point) is the entrance for analysis and forensics: by examining the program's syntax, structure, processes, interfaces and so on, the program's data types, structure and framework are recovered and reconstructed; by understanding and locating the syntax and semantics, the services related to permissions are located; fine-grained analysis is performed on the source code; and finally the acquired key code block of the malware's malicious behavior is sent to the dynamic debugging forensics module;
B. On the basis of the clues provided by static analysis, the invention uses dynamic breakpoint debugging to obtain evidence of the malware's malicious behavior. Dynamic debugging runs the application directly in order to track the software's execution flow and obtain intermediate results of program execution. It is usually implemented by injecting log printing or breakpoints: log-call code is added to the disassembled program, the program is repackaged into an EXE and run, and the results can be printed and output through the log commands, so that the infection and attack process of the malware can be understood.
The workflow of the forensic result generation apparatus 300 includes the following steps:
a. receiving and recording the code segment of the malware's malicious behavior sent by the static reverse forensics module;
b. receiving and recording the breakpoint debugging code for the malware's malicious behavior, together with its running result, sent by the dynamic debugging forensics module;
c. generating malware forensics results that record live data in enough detail to recreate particular network events at a later time, when forensics is needed.
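The following is an added illustration of the three-stage workflow described for the forensics device 200 (static clue, then dynamic breakpoint, then forensic record for device 300); it is not code from the patent. The patent works on decompiled Windows EXE assembly, whereas this example uses a constructed Python "application" as a stand-in so the workflow can be run end to end offline: the static pass uses `ast` to locate call sites of assumed sensitive callees (`collect_contacts`, `upload`), the dynamic pass uses `sys.settrace` as the debugger to break on those callees and capture their arguments and return values, and the result generator records both with an integrity hash. The callee names, the sample program, and the 203.0.113.10 address (documentation range; nothing is sent) are all constructed.

```python
"""Static clue -> dynamic breakpoint -> forensic record, on a constructed sample."""
import ast
import hashlib
import json
import sys

# Constructed stand-in for the decompiled application. The callee names are
# assumed; a real static pass would look for the Win32 APIs that touch
# contacts, messages or the network instead. Nothing is actually transmitted.
SAMPLE_SOURCE = '''
def collect_contacts():
    return ["alice:555-0100", "bob:555-0199"]

def upload(host, payload):
    return len(payload)

def main():
    contacts = collect_contacts()
    sent = upload("203.0.113.10", ",".join(contacts))
    return sent
'''

# Assumed "services related to permissions": callees the static pass treats as clues.
SENSITIVE_CALLEES = {"collect_contacts", "upload"}
SAMPLE_FILENAME = "<constructed-sample>"


def static_clues(source: str) -> list[dict]:
    """Static reverse pass (step A): locate every call site of a sensitive callee.

    Each clue carries the line number and the exact code segment, which is what
    the static module hands on to the dynamic debugging module.
    """
    clues = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in SENSITIVE_CALLEES):
            clues.append({
                "line": node.lineno,
                "callee": node.func.id,
                "code": ast.get_source_segment(source, node),
            })
    return sorted(clues, key=lambda c: c["line"])


def dynamic_breakpoints(source: str, clues: list[dict]) -> list[dict]:
    """Dynamic pass (step B): run the program with a breakpoint on each clued callee.

    sys.settrace plays the role of the debugger: on entry to a clued function the
    arguments are captured, on its return the intermediate result is captured.
    """
    namespace: dict = {}
    exec(compile(source, SAMPLE_FILENAME, "exec"), namespace)
    targets = {c["callee"] for c in clues}
    records: list[dict] = []

    def on_call(frame, event, arg):
        code = frame.f_code
        if event != "call" or code.co_filename != SAMPLE_FILENAME or code.co_name not in targets:
            return on_call  # no breakpoint in this frame
        entry = {"callee": code.co_name, "args": dict(frame.f_locals)}

        def on_return(frame, event, arg):
            if event == "return":
                entry["result"] = arg
                records.append(entry)
            return on_return
        return on_return

    sys.settrace(on_call)
    try:
        namespace["main"]()
    finally:
        sys.settrace(None)
    return records


def forensic_result(source: str) -> dict:
    """Forensic result generation (steps a-c): record the static code segments and
    the dynamic breakpoint records, plus a SHA-256 over both so the record can be
    checked for integrity when it is consulted later."""
    clues = static_clues(source)
    records = dynamic_breakpoints(source, clues)
    evidence = {"static_code_segments": clues, "dynamic_breakpoint_records": records}
    digest = hashlib.sha256(json.dumps(evidence, sort_keys=True, default=repr).encode()).hexdigest()
    return {"evidence": evidence, "integrity_sha256": digest}


if __name__ == "__main__":
    print(json.dumps(forensic_result(SAMPLE_SOURCE), indent=2, default=repr))
```

The point the example makes is the division of labour the description argues for: the static pass alone finds where the sensitive calls are but cannot say what data flowed through them, while the dynamic pass alone would have to trace every frame; breaking only on the statically clued callees yields the arguments and intermediate results with little overhead.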
Fig. 4 is a schematic diagram of the physical structure of an electronic device according to an embodiment of the present invention. As shown in fig. 4, the electronic device may include a processor 410, a communication interface 420, a memory 430 and a communication bus 440, where the processor 410, the communication interface 420 and the memory 430 communicate with each other via the communication bus 440. The processor 410 may call a computer program stored in the memory 430 and executable on the processor 410 to perform the malware detection method for the Windows platform provided by the above embodiments; for example, the method includes: extracting a unique identifier of an application program to be detected, and matching the unique identifier against a pre-established unique identifier library of malware; if the matching fails, monitoring the abnormal traffic condition and the various sensitive behaviors while the application program runs; and calculating the weighted value of the abnormal traffic and the weighted values of the various sensitive behaviors to obtain the feature value of the application program, and determining that the application program is malware if the feature value is greater than a preset threshold.
In addition, the logic instructions in the memory 430 may be implemented in the form of software functional units and stored in a computer-readable storage medium when sold or used as independent products. On this understanding, the technical solutions of the embodiments of the present invention, in essence or in the part that contributes to the prior art, may be embodied in a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
An embodiment of the present invention further provides a non-transitory computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program performs the method for detecting malware on a Windows platform provided in the foregoing embodiments. For example, the method includes: extracting a unique identifier of an application program to be detected, and matching the unique identifier against a pre-established unique identifier library of malware; if the matching fails, monitoring the abnormal traffic condition and the various sensitive behaviors while the application program runs; and calculating the weighted value of the abnormal traffic and the weighted values of the various sensitive behaviors to obtain the feature value of the application program, and determining that the application program is malware if the feature value is greater than a preset threshold.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A method for detecting malware on a Windows platform, characterized in that it comprises the following steps:
extracting a unique identifier of an application program to be detected, and matching the unique identifier against a pre-established unique identifier library of malware;
if the matching fails, monitoring the abnormal traffic condition and the various sensitive behaviors while the application program runs;
and calculating the weighted value of the abnormal traffic and the weighted values of the various sensitive behaviors to obtain the feature value of the application program, and determining that the application program is malware if the feature value is greater than a preset threshold.
2. The method for detecting malware on a Windows platform according to claim 1, wherein matching the unique identifier against the pre-established unique identifier library of malware further comprises:
if the matching succeeds, determining that the application program to be detected is malware.
3. The method for detecting malware on a Windows platform according to claim 1 or 2, further comprising:
if the application program is determined to be malware, judging the type of the application program;
if the application program is of the first type, finding the code segments causing the abnormal traffic and the sensitive behavior in the source code of the application program, performing breakpoint debugging on those code segments, and taking the code segments and the debugging result as the forensics result.
4. The method for detecting malware on a Windows platform according to claim 3, further comprising:
if the application program is of the second type, first running the application program, searching for abnormal data in the environment, state and prompt information of the running application program, debugging part of the code in a targeted manner according to that forensics result to obtain the code segments causing the abnormal traffic and the sensitive behavior, and taking the abnormal data and those code segments as the forensics result.
5. The method for detecting malware on a Windows platform according to claim 1, wherein monitoring the traffic condition of the application program during running specifically comprises:
obtaining a group of callback functions by obtaining a pointer to the structure describing the NDIS miniport driver in the Windows system;
and monitoring the total traffic of the Windows system and the traffic of each application program through the callback functions.
6. The method for detecting malware on a Windows platform according to claim 1, wherein monitoring the sensitive behavior of the application program during running specifically comprises:
monitoring whether the application program repeatedly acquires and modifies user privacy data and/or remotely operates files within a certain period of time.
7. The method for detecting malware on a Windows platform according to claim 1, wherein after determining that the application program is malware, the method further comprises:
adding the unique identifier of the application program to the unique identifier library of malware.
8. A system for detecting malware on a Windows platform, comprising:
a file information acquisition module, configured to extract the unique identifier of the application program to be detected;
a security policy module, configured to match the unique identifier against a pre-established unique identifier library of malware;
an abnormal traffic detection module, configured to monitor the abnormal traffic condition while the application program runs when the matching fails;
a sensitive behavior detection module, configured to monitor the sensitive behavior of the application program during running when the matching fails;
the security policy module being further configured to calculate the weighted value of the abnormal traffic and the weighted values of the various sensitive behaviors to obtain the feature value of the application program, and to determine that the application program is malware if the feature value is greater than a preset threshold.
9. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein when executing the program the processor implements the steps of the method for detecting malware on a Windows platform according to any one of claims 1 to 7.
10. A non-transitory computer-readable storage medium storing computer instructions for causing a computer to execute the method for detecting malware on a Windows platform according to any one of claims 1 to 7.
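The decision logic of the security policy module described above (blacklist lookup, weighted scoring against a threshold, with call-record and SMS operations weighted high and memory residence low) is the same logic claimed in claims 1, 2, 6 and 7. The following added example, which is not the patent's own code, runs that pipeline on constructed input: it assumes SHA-256 of the file image as the "unique identifier", illustrative weights and threshold (the patent gives no numbers), a traffic baseline for the abnormal-traffic indicator, and a sliding time window in which a sensitive behavior must repeat before it counts (claim 6). The file images, behavior timeline and byte counts are constructed.

```python
"""Blacklist lookup plus weighted behaviour scoring, as in claims 1, 2, 6 and 7."""
import hashlib
from collections import deque

# Assumed weights. The description says modifying or transmitting call records
# and short messages is weighted high and residing in memory low; the numbers
# themselves are illustrative, not from the patent.
BEHAVIOUR_WEIGHTS = {
    "modify_call_records": 0.40,
    "transmit_sms": 0.40,
    "remote_file_operation": 0.30,
    "resident_memory": 0.05,
}
TRAFFIC_WEIGHT = 0.30  # assumed weight of the abnormal-traffic indicator
THRESHOLD = 0.50       # assumed preset threshold on the feature value


def unique_identifier(image: bytes) -> str:
    """Claim 1's unique identifier of the file; SHA-256 is an assumption."""
    return hashlib.sha256(image).hexdigest()


def traffic_ratio(app_bytes: int, baseline_bytes: int) -> float:
    """Abnormal-traffic indicator in [0, 1]: how far the application's traffic
    exceeds the baseline learned for normal behaviour (the baseline is assumed)."""
    if baseline_bytes <= 0:
        return 1.0 if app_bytes > 0 else 0.0
    return max(0.0, min(1.0, (app_bytes - baseline_bytes) / baseline_bytes))


class BehaviourWindow:
    """Claim 6: a sensitive behaviour counts only when it repeats within a time
    window, so a one-off legitimate access does not raise the score."""

    def __init__(self, window_seconds: float, repeat_limit: int):
        self.window = window_seconds
        self.limit = repeat_limit
        self._events: dict[tuple[str, str], deque] = {}

    def record(self, app_id: str, behaviour: str, ts: float) -> bool:
        """Record one occurrence; True once it has repeated `limit` times in the window."""
        q = self._events.setdefault((app_id, behaviour), deque())
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop occurrences older than the window
            q.popleft()
        return len(q) >= self.limit


def feature_value(ratio: float, flagged: set[str]) -> float:
    """Weighted abnormal traffic plus the weight of each flagged behaviour."""
    score = TRAFFIC_WEIGHT * ratio + sum(BEHAVIOUR_WEIGHTS.get(b, 0.0) for b in flagged)
    return round(score, 4)


class Detector:
    def __init__(self, known_malware: set[str], threshold: float = THRESHOLD):
        self.library = set(known_malware)   # pre-established identifier library
        self.threshold = threshold

    def classify(self, image: bytes, ratio: float, flagged: set[str]):
        """Returns (verdict, identifier, feature value or None)."""
        uid = unique_identifier(image)
        if uid in self.library:              # claim 2: match succeeds
            return "known_malware", uid, None
        fv = feature_value(ratio, flagged)   # claim 1: match failed, score behaviour
        if fv > self.threshold:
            self.library.add(uid)            # claim 7: feed the library
            return "malware", uid, fv
        return "benign", uid, fv


def run_demo() -> dict:
    """Constructed scenario: three fake file images and a short behaviour timeline."""
    image_a = b"MZ-constructed-sample-A"   # already in the library
    image_b = b"MZ-constructed-sample-B"   # repeats SMS and call-record operations
    image_c = b"MZ-constructed-sample-C"   # only stays resident in memory
    det = Detector({unique_identifier(image_a)})

    window = BehaviourWindow(window_seconds=60, repeat_limit=3)
    timeline = [  # (app, behaviour, seconds) - constructed
        ("B", "transmit_sms", 0), ("B", "transmit_sms", 10), ("B", "transmit_sms", 20),
        ("B", "modify_call_records", 5), ("B", "modify_call_records", 15),
        ("B", "modify_call_records", 25),
        ("C", "resident_memory", 0), ("C", "resident_memory", 20), ("C", "resident_memory", 40),
    ]
    flagged: dict[str, set[str]] = {"B": set(), "C": set()}
    for app, behaviour, ts in timeline:
        if window.record(app, behaviour, ts):
            flagged[app].add(behaviour)

    return {
        "A": det.classify(image_a, 0.0, set())[0],
        "B": det.classify(image_b, traffic_ratio(150, 100), flagged["B"]),
        "C": det.classify(image_c, traffic_ratio(80, 100), flagged["C"]),
        "B_again": det.classify(image_b, 0.0, set())[0],   # now matched by identifier
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(name, verdict)
```

Sample B scores 0.15 for traffic plus 0.40 for each of the two repeated operations and is classified as malware, after which its identifier matches on the next lookup; sample C's memory residence alone scores 0.05 and stays benign, which is the low-weight behaviour the description singles out as shared with normal programs.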
CN201911182844.1A 2019-11-27 2019-11-27 Method and system for detecting malicious software of Windows platform Pending CN110879889A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911182844.1A CN110879889A (en) 2019-11-27 2019-11-27 Method and system for detecting malicious software of Windows platform

Publications (1)

Publication Number Publication Date
CN110879889A true CN110879889A (en) 2020-03-13

Family

ID=69730685

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911182844.1A Pending CN110879889A (en) 2019-11-27 2019-11-27 Method and system for detecting malicious software of Windows platform

Country Status (1)

Country Link
CN (1) CN110879889A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104392177A (en) * 2014-12-16 2015-03-04 武汉虹旭信息技术有限责任公司 Android platform based virus forensics system and method
CN105975856A (en) * 2015-09-25 2016-09-28 武汉安天信息技术有限责任公司 Method and system for dynamic virus detection of mobile terminal
CN105992212A (en) * 2015-02-13 2016-10-05 卓望数码技术(深圳)有限公司 Method of detecting mobile phone malicious charge
CN107944260A (en) * 2017-12-04 2018-04-20 郑州云海信息技术有限公司 A kind of Behavior blocking device and method of Malware

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111797401A (en) * 2020-07-08 2020-10-20 深信服科技股份有限公司 Attack detection parameter acquisition method, device, equipment and readable storage medium
CN111797401B (en) * 2020-07-08 2023-12-29 深信服科技股份有限公司 Attack detection parameter acquisition method, device, equipment and readable storage medium
CN112463606A (en) * 2020-11-26 2021-03-09 深信服科技股份有限公司 Software detection method, device, equipment and readable storage medium
CN112463606B (en) * 2020-11-26 2023-11-03 深信服科技股份有限公司 Software detection method, device, equipment and readable storage medium
CN113010892A (en) * 2021-03-26 2021-06-22 支付宝(杭州)信息技术有限公司 Method and device for detecting malicious behavior of small program
CN113010892B (en) * 2021-03-26 2022-09-20 支付宝(杭州)信息技术有限公司 Method and device for detecting malicious behavior of small program
CN114297647A (en) * 2021-12-24 2022-04-08 海光信息技术股份有限公司 Program security detection method and related device
CN114297647B (en) * 2021-12-24 2022-10-04 海光信息技术股份有限公司 Program security detection method and related device
JP7291919B1 (en) 2021-12-28 2023-06-16 株式会社Ffriセキュリティ Computer program reliability determination system, computer program reliability determination method, and computer program reliability determination program
CN114721703A (en) * 2022-05-26 2022-07-08 青服(深圳)技术研究有限公司 Software maintenance method and system based on big data
CN114721703B (en) * 2022-05-26 2024-02-23 青服(深圳)技术研究有限公司 Software maintenance method and system based on big data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200313