CN114676429A - Method and device for detecting unknown risk of startup item - Google Patents


Info

Publication number: CN114676429A
Authority: CN (China)
Prior art keywords: file, process file, suspicious, information, recovery
Legal status: Withdrawn
Application number: CN202210269094.7A
Other languages: Chinese (zh)
Inventor: 张永印
Current assignee: Shandong Dingxia Intelligent Technology Co ltd
Original assignee: Shandong Dingxia Intelligent Technology Co ltd
Application filed by: Shandong Dingxia Intelligent Technology Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F 21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F 21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention is suitable for the field of computers and provides a method and a device for detecting unknown risks of startup items. The method comprises the following steps: acquiring startup information associated with startup items, wherein the startup information at least covers registry and system service items; cleaning the current unnecessary processes and acquiring recovery information of the cleaned registry and system service items, wherein the recovery information at least comprises a recovery type and a recovery time; judging, based on the recovery information and the server process startup log, whether the startup information contains suspicious process files; when the startup information is judged to contain a suspicious process file, setting the suspicious process file to not start automatically and monitoring its subsequent startup behavior; and marking the suspicious process file, processing the registry and system service items containing it, running them virtually, and obtaining a virtual operation result. The beneficial effect is that malicious files are judged step by step, so that judgment accuracy can be effectively improved.

Description

Method and device for detecting unknown risk of startup item
Technical Field
The invention belongs to the technical field of computers, and particularly relates to a method and a device for detecting unknown risks of startup items.
Background
With the development of science and technology, a large number of application programs meeting different user requirements have emerged. Many of them are configured to start automatically when the operating system boots so that they can respond quickly to user operations, but some malicious code, once it has invaded the operating system, is also started along with it, which greatly threatens the user's operating system.
Malicious code mainly refers to programs with undesirable intentions, such as endangering information security; it generally resides in the victim's computer system to destroy or steal information. Its main categories include computer viruses, worms and trojan horses. Malicious code is a type of program file that is written by a person rather than generated by the computer environment or system itself, and it is destructive or threatening to the system, latent, infectious and dependent.
In the prior art, malicious code is generally detected and removed only after the operating system has already failed, and once the malicious code is seriously destructive, this brings great loss to users.
Disclosure of Invention
An embodiment of the present invention provides a method and an apparatus for detecting an unknown risk of a startup item, which are used to solve the problems in the background art.
The embodiment of the invention is realized as follows. In one aspect, a method for detecting unknown risks of startup items comprises the following steps:
acquiring startup information associated with startup items, wherein the startup information at least covers registry and system service items;
cleaning a current unnecessary process, and acquiring recovery information of a registry and a system service item after cleaning, wherein the recovery information at least comprises a recovery type and recovery time;
judging whether the starting information contains suspicious process files or not based on the recovery information and the server process starting log;
when the starting information is judged to contain the suspicious process file, the suspicious process file is set to be non-automatically started, and the subsequent starting behavior of the suspicious process file is monitored;
marking the suspicious process file, performing virtual operation after processing the registry containing the suspicious process file and the system service item, and acquiring a virtual operation result;
and comparing the subsequent starting behavior of the suspicious process file with the obtained virtual operation result, analyzing the suspicious process file based on the comparison result, and determining the malicious file contained in the suspicious process file.
As a further scheme of the present invention, the cleaning of the current unnecessary process and the obtaining of the recovery information of the cleaned registry and system service items, where the recovery information at least includes a recovery type and a recovery time specifically includes:
Acquiring necessary process file information, wherein the necessary process file information at least comprises necessary process file contents and corresponding necessary process file types;
closing the file association process of the unnecessary process, and recording the first read-write time after the file of the unnecessary process is automatically started and the read-write time when the file is closed;
recording the process files of the registry and system service items and the items independently newly added within a preset time period;
and comparing the process file corresponding to the independently newly added item with the unnecessary process file, wherein the same file contained in the comparison result is the file corresponding to the recovery information.
As a further aspect of the present invention, before the determining whether the startup information includes a suspicious process file based on the recovery information and the server process startup log, the method further includes:
acquiring a server process log;
judging whether a newly added process file exists or not based on the server process log, and if so, extracting the write-in time of the newly added process file in the server process log;
the modification time of the necessary process file is extracted.
As a still further aspect of the present invention, the determining, based on the recovery information and the server process start log, whether the start information includes a suspicious process file includes:
Judging whether the write-in time of the newly added process file and the modification time of the necessary process file are respectively associated with the recovery time of the file corresponding to the recovery information;
if so, determining the file corresponding to the corresponding recovery information as a suspicious process file;
if the judgment result is negative, determining the newly added process file exceeding the process occupation threshold value as the suspicious process file.
As a further aspect of the present invention, the determining whether the write time of the newly added process file, the modification time of the necessary process file, and the recovery time of the file corresponding to the recovery information are associated specifically includes:
comparing the write-in time of the newly added process file, the modification time of the necessary process file and the recovery time of the file corresponding to the recovery information in pairs;
setting a reference operation time difference value and a judgment independent variable of the process file, wherein the judgment independent variable is a newly added process file or a necessary process file;
if the difference between the writing or modifying time of the judgment independent variable and the recovery time of the file corresponding to the recovery information does not exceed the reference operation time difference value, judging that an association possibly exists between the judgment independent variable and the recovery information, and otherwise judging that no association exists between them;
and judging whether the same type of feature codes exist between the judgment independent variable possibly associated with the recovery information and the corresponding file of the recovery information, if so, judging that association exists between the judgment independent variable and the corresponding file of the recovery information, and otherwise, judging that association does not exist between the judgment independent variable and the corresponding file of the recovery information.
As a further scheme of the present invention, the marking of the suspicious process file, performing virtual operation after processing the registry and the system service items containing the suspicious process file, and obtaining the virtual operation result specifically includes:
carrying out distinguishing marking on suspicious process files one by one;
backing up the registry and the system service items containing the suspicious process files into a plurality of groups, and shelling the groups in the backup result to different degrees and different types;
and performing virtual operation on the results of the shelling processing of different degrees and different types one by one.
As a further scheme of the present invention, the comparing the subsequent starting behavior of the suspicious process file with the obtained virtual operation result, and analyzing the suspicious process file based on the comparison result to determine the malicious file contained in the suspicious process file specifically includes:
counting associated behavior characteristic values in subsequent starting behaviors of the suspicious process file, wherein the associated behavior characteristic values at least comprise the times of associated malicious domain names;
obtaining operation behavior characteristic values corresponding to shelling processing of different degrees and different types in a virtual operation result, wherein the operation behavior characteristic values at least comprise anti-virtual operation times and anti-virtual operation time;
and calculating the malicious degree value corresponding to the suspicious process file according to the associated behavior characteristic value and the running behavior characteristic value, combined with their respective preset single weighting ratios.
As a further aspect of the present invention, in another aspect, an apparatus for detecting unknown risks of startup items comprises:
the acquisition module is used for acquiring the starting information associated with the starting item, and the starting information at least covers the registry and the system service item;
a cleaning module, used for cleaning a current unnecessary process and acquiring recovery information of the cleaned registry and system service items, wherein the recovery information at least comprises a recovery type and a recovery time;
the suspicious process file judging module is used for judging whether the starting information contains the suspicious process file or not based on the recovery information and the server process starting log;
the setting monitoring module is used for setting the suspicious process file into non-automatic starting and monitoring the subsequent starting behavior of the suspicious process file when the starting information is judged to contain the suspicious process file;
the virtual operation module is used for marking the suspicious process files, performing virtual operation after processing the registry containing the suspicious process files and the system service items, and acquiring a virtual operation result;
and the comparison and analysis module is used for comparing the subsequent starting behavior of the suspicious process file with the obtained virtual operation result, analyzing the suspicious process file based on the comparison result and determining the malicious file contained in the suspicious process file.
In the method and the device for detecting unknown risks of startup items provided by the embodiment of the invention, the startup information covers at least the registry and the system service items, so that startup risks caused by malicious code that is started from the registry or registered as a system service can be detected effectively, which improves detection capability and accuracy. The current unnecessary processes are cleaned and the recovery information of the cleaned registry and system service items is acquired; whether the startup information contains suspicious process files is judged based on the recovery information and a server process startup log, which preliminarily yields the files corresponding to the recovery information, namely the initial suspicious range of the malicious files. The subsequent startup behavior of the suspicious process files is then compared with the acquired virtual operation results, the suspicious process files are analyzed based on the comparison results, and the malicious files they contain are determined. The determination range of the malicious files is thereby narrowed further; the files are processed progressively, layer by layer, and both the subsequent startup behavior of the suspicious process file and the obtained virtual operation result are taken into account, which improves the accuracy of judging malicious files.
Drawings
Fig. 1 is a main flow diagram of a method for detecting an unknown risk of a startup item.
FIG. 2 is a flow chart of cleaning up a current unnecessary process, obtaining recovery information of a cleaned registry and system service items.
FIG. 3 is a flow diagram of determining whether a suspicious process file is included in the startup information based on the recovery information and the server process startup log.
FIG. 4 is a flowchart illustrating the steps of determining whether the write time of the newly added process file and the modification time of the necessary process file are associated with the recovery time of the file corresponding to the recovery information.
Fig. 5 is a main structural diagram of a device for detecting unknown risks of startup items.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Specific implementations of the present invention are described in detail below with reference to specific embodiments.
The method and the device for detecting the unknown risk of the startup item solve the technical problem described in the background art.
As shown in fig. 1, the main flow of a method for detecting an unknown risk of a startup item according to an embodiment of the present invention includes:
step S10: acquiring startup information associated with startup items, wherein the startup information at least covers registry and system service items;
step S11: cleaning a current unnecessary process, and acquiring recovery information of a cleaned registry and system service items, wherein the recovery information at least comprises a recovery type and recovery time;
step S12: judging whether the starting information contains suspicious process files or not based on recovery information and a server process starting log;
step S13: when the starting information is judged to contain the suspicious process file, the suspicious process file is set to be non-automatically started, and the subsequent starting behavior of the suspicious process file is monitored;
step S14: marking the suspicious process file, performing virtual operation after processing the registry containing the suspicious process file and the system service item, and acquiring a virtual operation result; and
step S15: comparing the subsequent starting behavior of the suspicious process file with the obtained virtual operation result, analyzing the suspicious process file based on the comparison result, and determining the malicious file contained in the suspicious process file.
In this embodiment, when the method is applied, the start information covers at least the registry and the system service items, so the method can effectively detect start risks caused by malicious code that is started from the registry or registered as a system service; this improves detection coverage and prevents omissions. The current unnecessary processes are cleaned to obtain the recovery information of the cleaned registry and system service items; whether suspicious process files are contained in the start information is judged based on the recovery information and a server process start log, which preliminarily obtains the files corresponding to the recovery information, namely the initial suspicious range of the malicious files. The subsequent start behavior of the suspicious process files is then compared with the obtained virtual operation result, the suspicious process files are analyzed based on the comparison result, and the malicious files they contain are determined. The determination range of the malicious files is thereby narrowed further; the files are processed progressively, layer by layer, and both the subsequent start behavior of the suspicious process file and the obtained virtual operation result are taken into account, which improves the accuracy of judging malicious files.
As shown in fig. 2, as a preferred embodiment of the present invention, the cleaning a current unnecessary process, and acquiring recovery information of a cleaned registry and system service items, where the recovery information at least includes a recovery type and a recovery time specifically includes:
Step S101: acquiring necessary process file information, wherein the necessary process file information at least comprises necessary process file contents and corresponding necessary process file types;
step S102: closing the file association process of the unnecessary process, and recording the first read-write time after the file of the unnecessary process is automatically started and the read-write time when the file is closed;
step S103: recording the process files of the registry and system service items and the items independently newly added within a preset time period;
step S104: and comparing the process file corresponding to the independently newly added item with the unnecessary process file, wherein the same file contained in the comparison result is the file corresponding to the recovery information.
In this embodiment, when the method is applied, the current unnecessary processes are cleaned and the recovery information of the cleaned registry and system service items is obtained. The registry startup items mainly comprise the Run keys, a Run once key, a Run services key, a Run once key, a load key, a Winlogon key and the like. Based on the dependency and latency of malicious code, the files corresponding to the recovery information, namely the initial suspicious range of the malicious files, are obtained preliminarily.
As a preferred embodiment of the present invention, before determining whether the startup information includes a suspicious process file based on the recovery information and the server process startup log, the method further includes:
Step S201: acquiring a server process log;
step S202: judging whether a newly added process file exists on the basis of the server process log, and if so, extracting the write-in time of the newly added process file in the server process log;
step S203: the modification time of the necessary process file is extracted.
When the method is applied, the write-in time of the newly added process file and the modification time of the necessary process file are extracted from the server process log, which lays the foundation for subsequently judging whether the startup information contains a suspicious process file.
As shown in fig. 3, as a preferred embodiment of the present invention, the determining, based on the recovery information and the server process start log, whether the start information includes a suspicious process file includes:
step S121: judging whether the write-in time of the newly added process file and the modification time of the necessary process file are respectively associated with the recovery time of the file corresponding to the recovery information;
step S122: if the judgment result is yes, determining the file corresponding to the corresponding recovery information as a suspicious process file;
step S123: and if the judgment result is negative, determining the newly added process file exceeding the process occupation threshold value as the suspicious process file.
In a case of this embodiment, the determining whether there is a correlation between the writing time of the newly added process file, the modification time of the necessary process file, and the recovery time of the file corresponding to the recovery information specifically includes:
as shown in fig. 4, step S1211: comparing the writing time of the newly added process file, the modification time of the necessary process file and the recovery time of the file corresponding to the recovery information in pairs;
step S1212: setting a reference operation time difference value and a judgment independent variable of the process file, wherein the judgment independent variable is a newly added process file or a necessary process file;
step S1213: if the difference between the writing or modifying time of the judgment independent variable and the recovery time of the file corresponding to the recovery information does not exceed the reference operation time difference value, judging that an association possibly exists between the judgment independent variable and the recovery information, and otherwise judging that no association exists between them;
step S1214: and judging whether the same type of feature codes exist between the judgment independent variable possibly associated with the recovery information and the corresponding file of the recovery information, if so, judging that the association exists between the judgment independent variable and the corresponding file of the recovery information, and otherwise, judging that the association does not exist between the judgment independent variable and the corresponding file of the recovery information.
When the method is applied, the accuracy of judging the association between the judgment independent variable and the file corresponding to the recovery information can be improved by first comparing the difference between the modification time of the independent variable and the recovery time of the file corresponding to the recovery information against the reference operation time difference value, and then judging whether feature codes of the same type exist.
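The following Python is an added worked example, not code from the patent or its assignee. It runs steps S101 to S104, S201 to S203, S121 to S123 and S1211 to S1214 over constructed data: it first derives the recovery information from startup items that reappeared on their own after cleaning, then applies the two association tests (write/modify time within the reference operation time difference of the recovery time, and the same feature code type) and the process occupation fallback of step S123. The record layouts, the "feature type" strings standing in for feature codes, the ten-minute reference operation time difference, the 0.5 occupation threshold and every file name and timestamp are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example (not the patent's code). All data below is constructed.


@dataclass(frozen=True)
class StartupItem:
    name: str            # process file behind the registry/service startup item
    kind: str            # recovery type: "registry" or "service"
    seen_at: datetime    # recovery time: when the item reappeared after cleaning
    feature_type: str    # constructed stand-in for the file's "feature code type"


@dataclass(frozen=True)
class LogRecord:
    name: str            # process file named in the server process log
    event: str           # "new" (write-in of a newly added file) or "modified" (necessary file)
    at: datetime         # write-in or modification time taken from the log
    feature_type: str    # constructed "feature code type" of that file
    occupation: float    # constructed process occupation share, 0..1


def recovery_info(cleaned_unnecessary: set[str], readded: list[StartupItem]) -> dict[str, StartupItem]:
    """S104: an item that was re-added on its own within the preset period and
    matches a cleaned unnecessary process file is a file of the recovery information."""
    return {it.name: it for it in readded if it.name in cleaned_unnecessary}


def associated(record: LogRecord, rec: StartupItem, ref_delta: timedelta) -> bool:
    """S1213 + S1214: the judgment independent variable (a new or necessary process
    file) is associated with a recovery file only if its write/modify time lies
    within the reference operation time difference of the recovery time AND both
    files carry the same feature code type."""
    within_window = abs(record.at - rec.seen_at) <= ref_delta
    return within_window and record.feature_type == rec.feature_type


def suspicious_files(recovery: dict[str, StartupItem], log: list[LogRecord],
                     ref_delta: timedelta, occupation_threshold: float) -> set[str]:
    """S121-S123: every log record is tested against every recovery file."""
    suspicious: set[str] = set()
    for record in log:
        linked = [r.name for r in recovery.values() if associated(record, r, ref_delta)]
        if linked:
            suspicious.update(linked)                      # S122: recovery file is suspicious
        elif record.event == "new" and record.occupation > occupation_threshold:
            suspicious.add(record.name)                    # S123: heavy new file is suspicious
    return suspicious


def run_example() -> set[str]:
    t0 = datetime(2024, 1, 1, 10, 0)                       # constructed recovery time
    cleaned = {"updater.exe", "helper.exe"}                # unnecessary processes that were cleaned
    readded = [
        StartupItem("updater.exe", "registry", t0, "packer-A"),
        StartupItem("tray.exe", "service", t0 + timedelta(minutes=5), "signed"),  # never cleaned
    ]
    recovery = recovery_info(cleaned, readded)             # only updater.exe qualifies
    log = [
        LogRecord("svc_x.exe", "new", t0 + timedelta(minutes=2), "packer-A", 0.02),     # associated
        LogRecord("explorer.exe", "modified", t0 + timedelta(minutes=1), "signed", 0.01),  # type mismatch
        LogRecord("miner.exe", "new", t0 + timedelta(hours=3), "packer-B", 0.85),        # late, but heavy
    ]
    return suspicious_files(recovery, log, timedelta(minutes=10), occupation_threshold=0.5)


if __name__ == "__main__":
    print(sorted(run_example()))   # ['miner.exe', 'updater.exe']
```

The two tests deliberately reinforce each other: a file that merely reappears near the recovery time is not enough, and a file that shares a feature code type but was written hours later is not enough either; only a record that passes both tests marks the recovery file as suspicious, while the occupation threshold catches a newly added file that the time window missed.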
As shown in fig. 5, as a preferred embodiment of the present invention, the marking a suspicious process file, performing virtual operation after processing a registry and a system service item including the suspicious process file, and acquiring a virtual operation result specifically includes:
step S141: carrying out distinguishing marking on suspicious process files one by one;
step S142: backing up the registry and the system service items containing the suspicious process files into a plurality of groups, and shelling the groups in the backup result to different degrees and different types;
step S143: and performing virtual operation on the results of the shelling processing of different degrees and different types one by one.
In this embodiment, when the method is applied, the registry and system service items containing the suspicious process files are backed up into a plurality of groups, and shelling processing of different degrees and different types is applied to the groups in the backup result, so that the exposure of the suspicious process files during virtual operation is maximized. This provides a basis for the subsequent detection of the anti-virtual-operation count and anti-virtual-operation time, allows the method to act on different types of malicious code, and widens its range of application.
As a preferred embodiment of the present invention, the comparing the subsequent starting behavior of the suspicious process file with the obtained virtual operation result, and analyzing the suspicious process file based on the comparison result to determine the malicious file contained in the suspicious process file specifically includes:
Step S151: counting associated behavior characteristic values in subsequent starting behaviors of the suspicious process file, wherein the associated behavior characteristic values at least comprise the times of associated malicious domain names;
step S152: obtaining operation behavior characteristic values corresponding to shelling processing of different degrees and different types in a virtual operation result, wherein the operation behavior characteristic values at least comprise anti-virtual operation times and anti-virtual operation time;
step S153: and calculating the corresponding malicious degree value of the suspicious process file according to the associated behavior characteristic value and the running behavior characteristic value by combining with respective preset single-term weighting ratios.
When the method is applied, the weights corresponding to the number of associated malicious domain names, the anti-virtual-operation count and the anti-virtual-operation time can be set from practical experience, for example weighting ratios of 0.4, 0.3 and 0.3 respectively. The product of each characteristic value and its weighting ratio is calculated, and the sum of the products gives the malicious degree value corresponding to the suspicious process file; when this exceeds the preset malicious degree value, the corresponding suspicious process file is determined to be a malicious file. Both the subsequent starting behavior of the suspicious process file and the obtained virtual operation result are taken into account, which improves the accuracy of judging malicious files.
As another preferred embodiment of the present invention, as shown in fig. 5, in another aspect, a device for detecting unknown risks of startup items comprises:
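As an added worked example, not the patent's code, the Python below computes the malicious degree value of steps S151 to S153 with the 0.4 / 0.3 / 0.3 weighting ratios quoted above. The layout of a virtual operation result, the choice to take the largest anti-virtual-operation values across the differently shelled variants, the threshold of 4.0 and the sample numbers are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example (not the patent's code). Data layout, aggregation and threshold are assumed.


@dataclass(frozen=True)
class RunResult:
    shelling: str           # which shelling variant of the backed-up group was run virtually
    anti_vm_count: int      # anti-virtual-operation attempts observed in that run
    anti_vm_seconds: float  # time the sample spent in anti-virtual-operation behavior


# Preset single weighting ratios from the text: 0.4 / 0.3 / 0.3
WEIGHTS = {"malicious_domains": 0.4, "anti_vm_count": 0.3, "anti_vm_seconds": 0.3}


def run_behaviour_values(runs: list[RunResult]) -> tuple[int, float]:
    """Assumption: take the maximum over the shelling variants, i.e. the run in
    which the sample exposed the most evasion behavior (S152)."""
    count = max((r.anti_vm_count for r in runs), default=0)
    seconds = max((r.anti_vm_seconds for r in runs), default=0.0)
    return count, seconds


def malicious_degree(malicious_domain_hits: int, runs: list[RunResult],
                     weights: dict[str, float] = WEIGHTS) -> float:
    """S153: sum of each characteristic value times its preset weighting ratio."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weighting ratios must sum to 1")
    count, seconds = run_behaviour_values(runs)
    return (malicious_domain_hits * weights["malicious_domains"]
            + count * weights["anti_vm_count"]
            + seconds * weights["anti_vm_seconds"])


def verdict(score: float, threshold: float) -> str:
    """A file whose degree value exceeds the preset malicious degree value is malicious;
    otherwise it stays merely suspicious and keeps being monitored."""
    return "malicious" if score > threshold else "suspicious"


def run_example() -> tuple[float, str, float, str]:
    runs = [                                   # constructed virtual-operation results
        RunResult("none", 0, 0.0),             # still shelled: sample did nothing observable
        RunResult("partial", 2, 4.0),
        RunResult("full", 5, 9.5),             # fully exposed: most evasion observed
    ]
    threshold = 4.0                            # assumed preset malicious degree value
    s1 = malicious_degree(3, runs)             # 3 contacts with associated malicious domains
    s2 = malicious_degree(0, [RunResult("none", 0, 0.0)])
    return s1, verdict(s1, threshold), s2, verdict(s2, threshold)


if __name__ == "__main__":
    print(run_example())   # (5.55, 'malicious', 0.0, 'suspicious')
```

Note that the three characteristic values live on different scales (a count, a count and a duration), so in practice each would be normalized before weighting; the example keeps the raw values so the arithmetic matches the text.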
an obtaining module 100, configured to obtain start information associated with a start item, where the start information at least covers registry and system service items;
a cleaning module 200, configured to clean a current unnecessary process, and obtain recovery information of the cleaned registry and system service items, where the recovery information at least includes a recovery type and recovery time;
a suspicious process file determining module 300, configured to determine, based on recovery information and a server process start log, whether the start information includes a suspicious process file;
the setting monitoring module 400 is configured to set the suspicious process file to be non-automatically started and monitor a subsequent starting behavior of the suspicious process file when it is determined that the start information includes the suspicious process file; and
the virtual operation module 500 is configured to mark a suspicious process file, perform virtual operation after processing a registry and system service items including the suspicious process file, and obtain a virtual operation result;
and the comparison and analysis module 600 is configured to compare the subsequent starting behavior of the suspicious process file with the obtained virtual operation result, analyze the suspicious process file based on the comparison result, and determine a malicious file included in the suspicious process file.
The embodiment of the invention provides a method for detecting unknown risks of startup items, and a device based on that method. The start information at least covers the registry and system service items, so startup risks caused by malicious code that registers itself in the registry or as a system service can be detected effectively, improving detection capability and accuracy. The current unnecessary processes are cleaned and the recovery information of the cleaned registry and system service items is obtained; whether the start information includes suspicious process files is judged from the recovery information and the server process startup log, so that the files corresponding to the recovery information, that is, the initial suspicious range of malicious files, are obtained first. The subsequent starting behavior of the suspicious process files is then compared with the obtained virtual operation result, the suspicious process files are analyzed based on the comparison result, and the malicious files they contain are determined. The range of malicious files is thereby narrowed layer by layer, both the subsequent starting behavior of the suspicious process file and the obtained virtual operation result are taken into account, and the judgment accuracy of the malicious file is improved.
Besides the modules described above, the system on which the method runs may include more or fewer components than those described, combine some components, or use different components, for example input/output devices, network access devices, buses, processors, memories, and the like.
The processor may be a Central Processing Unit (CPU), another general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, and so on. The general purpose processor may be a microprocessor or any conventional processor; it is the control center of the system and is connected to its various parts through various interfaces and lines.
It should be understood that, although the steps in the flowcharts of the embodiments of the present invention are shown in the sequence indicated by the arrows, they are not necessarily executed in that sequence. Unless explicitly stated otherwise, the steps are not strictly limited to the order shown and described and may be performed in other orders. Moreover, at least some of the steps in the various embodiments may include multiple sub-steps or stages that are not necessarily performed at the same time but may be performed at different times, and the sub-steps or stages need not be performed sequentially: they may be performed alternately with other steps or with at least some of the sub-steps or stages of other steps.
All possible combinations of the technical features of the above embodiments may not be described for the sake of brevity, but should be considered as within the scope of the present disclosure as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments describe only several embodiments of the present invention; although the description is specific and detailed, it is not to be understood as limiting the scope of the present invention. It should be noted that various changes and modifications can be made by those skilled in the art without departing from the spirit of the invention, and these changes and modifications are all within the scope of the invention. Therefore, the protection scope of the present patent should be subject to the appended claims.
The above description is intended to be illustrative of the preferred embodiment of the present invention and should not be taken as limiting the invention, but rather, the intention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.

Claims (8)

1. A method for detecting an unknown risk of a startup item, the method comprising:
acquiring starting information associated with a starting item, wherein the starting information at least covers a registry and a system service item;
cleaning a current unnecessary process, and acquiring recovery information of a registry and a system service item after cleaning, wherein the recovery information at least comprises a recovery type and recovery time;
judging whether the starting information contains suspicious process files or not based on the recovery information and the server process starting log;
when the starting information is judged to contain the suspicious process file, the suspicious process file is set to be non-automatically started, and the subsequent starting behavior of the suspicious process file is monitored;
marking the suspicious process file, performing virtual operation after processing the registry containing the suspicious process file and the system service item, and acquiring a virtual operation result;
and comparing the subsequent starting behavior of the suspicious process file with the obtained virtual operation result, analyzing the suspicious process file based on the comparison result, and determining the malicious file contained in the suspicious process file.
2. The method according to claim 1, wherein the cleaning of the current unnecessary process and the obtaining of the recovery information of the cleaned registry and system service items, the recovery information at least including a recovery type and a recovery time specifically include:
acquiring necessary process file information, wherein the necessary process file information at least comprises necessary process file contents and corresponding necessary process file types;
closing the file association process of the unnecessary process, and recording the first read-write time after the file of the unnecessary process is self-started and the read-write time when the file is closed;
recording process files of the registry and system service items that are independently newly added within a preset time period;
and comparing the process file corresponding to the independently newly added item with the unnecessary process file, wherein the same file contained in the comparison result is the file corresponding to the recovery information.
3. The method according to claim 2, wherein before determining whether the startup information includes the suspicious process file based on the recovery information and the server process startup log, the method further comprises:
acquiring a server process log;
judging whether a newly added process file exists or not based on the server process log, and if so, extracting the write-in time of the newly added process file in the server process log;
extracting the modification time of the necessary process file.
4. The method according to claim 3, wherein the determining whether the startup information includes a suspicious process file based on the recovery information and the server process startup log comprises:
judging whether the write-in time of the newly added process file and the modification time of the necessary process file are respectively associated with the recovery time of the file corresponding to the recovery information;
if so, determining the file corresponding to the corresponding recovery information as a suspicious process file;
and if the judgment result is negative, determining the newly added process file exceeding the process occupation threshold value as the suspicious process file.
5. The method for detecting unknown risk of startup item according to claim 4, wherein said judging whether the writing time of the newly added process file and the modification time of the necessary process file are respectively associated with the recovery time of the file corresponding to the recovery information includes:
comparing the writing time of the newly added process file, the modification time of the necessary process file and the recovery time of the file corresponding to the recovery information in pairs;
setting a reference operation time difference value and a judgment independent variable of the process file, wherein the judgment independent variable is a newly added process file or a necessary process file;
if the writing or modifying time of the independent variable and the recovery time of the file corresponding to the recovery information are judged to be not more than the difference value of the reference operation time, judging that association possibly exists between the independent variable and the recovery information, and otherwise, judging that association does not exist between the independent variable and the recovery information;
and judging whether the same type of feature codes exist between the judgment independent variable possibly associated with the recovery information and the corresponding file of the recovery information, if so, judging that the association exists between the judgment independent variable and the corresponding file of the recovery information, and otherwise, judging that the association does not exist between the judgment independent variable and the corresponding file of the recovery information.
6. The method for detecting unknown risks of startup items according to claim 1, wherein the marking of the suspicious process files, the virtual operation of the registry and the system service items including the suspicious process files after the processing, and the obtaining of the virtual operation results specifically comprises:
carrying out distinguishing marking on suspicious process files one by one;
backing up the registry and the system service items containing the suspicious process files into a plurality of groups, and unshelling the groups in the backup result to different degrees and different types;
and carrying out virtual operation on the results of shelling processing in different degrees and different types one by one.
7. The method for detecting unknown risk of startup item according to claim 1, wherein the step of comparing the subsequent startup behavior of the suspicious process file with the obtained virtual operation result, and analyzing the suspicious process file based on the comparison result to determine the malicious file contained in the suspicious process file specifically includes:
counting associated behavior characteristic values in subsequent starting behaviors of the suspicious process file, wherein the associated behavior characteristic values at least comprise the times of associated malicious domain names;
obtaining operation behavior characteristic values corresponding to shelling processing of different degrees and different types in a virtual operation result, wherein the operation behavior characteristic values at least comprise anti-virtual operation times and anti-virtual operation time;
and calculating the corresponding malicious degree value of the suspicious process file according to the associated behavior characteristic value and the running behavior characteristic value by combining with respective preset single-term weighting ratios.
8. A device for detecting an unknown risk of a startup item, the device comprising:
the acquisition module is used for acquiring the starting information associated with the starting item, and the starting information at least covers the registry and the system service item;
the cleaning module is used for cleaning a current unnecessary process and acquiring recovery information of a registry and a system service item after cleaning, and the recovery information at least comprises a recovery type and recovery time;
the suspicious process file judging module is used for judging whether the starting information contains the suspicious process file or not based on the recovery information and the server process starting log;
the setting monitoring module is used for setting the suspicious process file into non-automatic starting and monitoring the subsequent starting behavior of the suspicious process file when the starting information is judged to contain the suspicious process file;
the virtual operation module is used for marking the suspicious process files, performing virtual operation after processing the registry containing the suspicious process files and the system service items, and acquiring a virtual operation result;
and the comparison and analysis module is used for comparing the subsequent starting behavior of the suspicious process file with the obtained virtual operation result, analyzing the suspicious process file based on the comparison result and determining the malicious file contained in the suspicious process file.
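The suspicious-file identification of claims 4 and 5 (time-window association, confirmation by shared feature-code type, and the process-occupation fallback), as an added Python example that is not part of the patent. The five-minute reference difference, the 0.25 occupation threshold, the opaque feature-code labels and the sample records are assumptions; the reading that the fallback applies to recovery records nothing is associated with is also this example's interpretation of claim 4.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Set

# Assumed presets: the "reference operation time difference" of claim 5 and the
# "process occupation threshold" of claim 4 are both left open by the page.
REFERENCE_DIFF = timedelta(minutes=5)
OCCUPATION_THRESHOLD = 0.25


@dataclass
class RecoveryRecord:
    """A file that came back into the registry/system service items after cleaning (claim 2)."""
    path: str
    recovery_type: str        # constructed label, e.g. "registry-run-key" or "system-service"
    recovery_time: datetime
    feature_codes: Set[str]   # feature-code types carried by the file (opaque labels here)


@dataclass
class Candidate:
    """Claim 5's 'judgment independent variable': a new file (write-in time) or a necessary file (modification time)."""
    path: str
    kind: str                 # "new" or "necessary"
    event_time: datetime      # write-in time or modification time
    feature_codes: Set[str]
    occupation: float = 0.0   # process occupation share, used only by the claim 4 fallback


def possibly_associated(c: Candidate, r: RecoveryRecord, ref_diff=REFERENCE_DIFF) -> bool:
    """Claim 5, time step: the gap between the two times must not exceed the reference difference."""
    return abs(c.event_time - r.recovery_time) <= ref_diff


def associated(c: Candidate, r: RecoveryRecord, ref_diff=REFERENCE_DIFF) -> bool:
    """Claim 5, feature-code step: a possible association is confirmed only when the files
    share at least one feature-code type; a time match alone is not enough."""
    return possibly_associated(c, r, ref_diff) and bool(c.feature_codes & r.feature_codes)


def suspicious_files(candidates, records, ref_diff=REFERENCE_DIFF, occ_threshold=OCCUPATION_THRESHOLD) -> List[str]:
    """Claim 4: an associated recovery record marks its own file as suspicious; if some record
    has no associated candidate, newly added files above the occupation threshold are added too."""
    suspicious: List[str] = []
    fallback_needed = False
    for r in records:
        if any(associated(c, r, ref_diff) for c in candidates):
            suspicious.append(r.path)
        else:
            fallback_needed = True
    if fallback_needed:
        for c in candidates:
            if c.kind == "new" and c.occupation > occ_threshold and c.path not in suspicious:
                suspicious.append(c.path)
    return suspicious


def sample_data():
    """Constructed sample: two recovery records and three candidates."""
    t0 = datetime(2022, 3, 18, 10, 0, 0)
    records = [
        RecoveryRecord("C:/ProgramData/svc_helper.exe", "system-service", t0, {"A", "B"}),
        RecoveryRecord("C:/Users/Public/updater.dll", "registry-run-key", t0 + timedelta(hours=2), {"C"}),
    ]
    candidates = [
        Candidate("C:/Temp/tool_a.exe", "new", t0 + timedelta(minutes=2), {"B"}, occupation=0.10),
        Candidate("C:/Windows/explorer.exe", "necessary", t0 + timedelta(hours=2, minutes=3), {"D"}),
        Candidate("C:/Temp/tool_b.exe", "new", t0 + timedelta(hours=5), {"E"}, occupation=0.60),
    ]
    return records, candidates
```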

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210269094.7A CN114676429A (en) 2022-03-18 2022-03-18 Method and device for detecting unknown risk of startup item


Publications (1)

Publication Number Publication Date
CN114676429A true CN114676429A (en) 2022-06-28

Family

ID=82074767


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20220628