CN115605866A - Suspicious software detection method, device and computer readable medium - Google Patents


Info

Publication number: CN115605866A
Authority: CN (China)
Prior art keywords: file, information, determining, executable file, time
Legal status: Pending
Application number: CN202080100927.6A
Other languages: Chinese (zh)
Inventors: 高永吉, 李锐, 王哲, 万朔, 闫韬, 马工速
Current assignee: Siemens AG
Original assignee: Siemens AG
Priority date: 2020-06-05
Filing date: 2020-06-05
Publication date: 2023-01-13

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements


Abstract

Embodiments of the invention relate to the technical field of security, and in particular to a suspicious software detection method, a suspicious software detection apparatus and a computer readable medium, which are used to achieve quick and effective detection of suspicious software. A suspicious software detection method (200) comprises: determining (S201) at least one file (40) that has changed in a device (30); searching (S202) for an executable file (41) among the at least one file (40); and for each executable file (41) found, performing the following operations: determining (S203) first information (51) comprising information of an operation that caused the change to the executable file (41); determining (S204) second information (52) indicating properties of the executable file (41); and determining (S205), based on the first information (51) and the second information (52), the degree of suspicion of the executable file (41).

Description

Suspicious software detection method, device and computer readable medium
Technical Field
Embodiments of the invention relate to the technical field of security, and in particular to a suspicious software detection method, a suspicious software detection apparatus and a computer readable medium.
Background
One task of security analysis is to detect suspicious software installed on a device. An attacker may maliciously install such software to tamper with sensitive data, modify configuration files, and so on, so such suspicious software must be detected effectively.
However, as computer technology develops, the storage capacity of devices keeps growing, and searching a storage medium for suspicious software is like looking for a needle in a haystack; an effective method for detecting suspicious software is therefore urgently needed.
At present, suspicious software is detected mainly with whitelists and blacklists. Software whitelisting allows only certain software and applications to run in order to maintain security; the whitelist is a collection of trusted software, so software not on the whitelist is considered untrusted, or at least suspicious. Software blacklisting prohibits only certain software and applications from running in order to maintain security; the blacklist is a collection of untrusted software, including highly suspicious software and malware. Both approaches detect suspicious software through signatures, so a huge signature database must be maintained, and most of the information in that database is redundant for the detection of any one particular device.
Disclosure of Invention
Consider that most of the data on a device is clean. If the clean data can be filtered out as far as possible, the detection range is narrowed and the volume of data to inspect is reduced, so suspicious software can be detected quickly and effectively. Embodiments of the invention therefore provide a suspicious software detection method, a suspicious software detection apparatus and a computer readable medium. With the scheme provided by the embodiments, the detection range for suspicious software is effectively reduced and detection efficiency is higher.
In a first aspect, a suspicious software detection method is provided. The method may comprise the following steps:
-determining at least one file that has changed in a device;
-finding an executable file among said at least one file;
-for each executable file found, performing the following operations: determining first information, the first information comprising information of an operation that changed the executable file; determining second information, the second information indicating attributes of the executable file; and determining the degree of suspicion of the executable file according to the first information and the second information.
In a second aspect, a suspicious software detection apparatus is provided, which may include:
-a lookup module configured to determine at least one file that has changed in a device, and to look up an executable file among the at least one file;
-a detection module configured to perform, for each executable file found, the following operations: determining first information, the first information comprising information of an operation that changed the executable file; determining second information, the second information indicating attributes of the executable file; and determining the degree of suspicion of the executable file according to the first information and the second information.
In a third aspect, a suspicious software detection apparatus is provided, including: at least one memory configured to store computer readable code; at least one processor configured to invoke the computer readable code to perform the steps provided by the first aspect.
In a fourth aspect, a computer readable medium having computer readable instructions stored thereon, which, when executed by a processor, cause the processor to perform the steps provided by the first aspect.
The file change information on the device to be detected is obtained, executable files are searched for among the changed files, and suspicious software is detected among those executable files. The detection range for suspicious software is thereby effectively reduced and detection efficiency is improved.
For any of the above aspects, optionally, third information recording the file state in the device at each time point within a time period may be obtained, and the at least one file that changed in the device during the time period may be determined by comparing the third information of the respective time points. Existing third information can thus be used to determine the changed files conveniently and quickly, effectively narrowing the detection scope for suspicious software. For example, the changed files may be determined by comparing VSS snapshot files taken at different points in time. VSS snapshot files are designed for data recovery; using snapshots from different time points to obtain file change information is a convenient and efficient way to narrow the detection range for suspicious software.
Further, the third information of the respective time points may be compared to determine the information of the operations that changed each found executable file within the time period. This operation information may be used to determine the degree of suspicion of the executable file.
For any of the above aspects, optionally, whether each of the at least one file is an executable file is determined according to the meta information of the file.
For any of the above aspects, optionally, the first information includes at least one of the following information:
-operation information for creating a file;
-operation information for modifying a file;
-operation information for deleting a file.
For any of the above aspects, optionally, the second information includes at least one of the following information:
-a file name;
-a file storage path;
-file creation time;
-a file type;
-a digital signature.
Drawings
Fig. 1 is a schematic structural diagram of a suspicious software detecting apparatus according to an embodiment of the present invention.
Fig. 2 is a flowchart of a suspicious software detection method according to an embodiment of the present invention.
FIG. 3 is a flowchart illustrating the determination of the suspicion level of a file according to file operations, according to an embodiment of the present invention.
FIG. 4 is a flowchart illustrating the determination of the suspicion level of a file according to file attributes, according to an embodiment of the present invention.
List of reference numbers:
Figure PCTCN2020094742-APPB-000001 (list supplied as an image; not reproduced)
Detailed Description
The subject matter described herein will now be discussed with reference to example embodiments. It should be understood that these embodiments are discussed only to enable those skilled in the art to better understand and thereby implement the subject matter described herein, and are not intended to limit the scope, applicability or examples set forth in the claims. Changes may be made in the function and arrangement of the elements discussed without departing from the scope of the embodiments of the invention. Various examples may omit, substitute or add procedures or components as needed. For example, the described methods may be performed in an order different from that described, and various steps may be added, omitted or combined. In addition, features described with respect to some examples may also be combined in other examples.
As used herein, the term "include" and its variants are open-ended, meaning "including but not limited to". The term "based on" means "based at least in part on". The terms "one embodiment" and "an embodiment" mean "at least one embodiment". The term "another embodiment" means "at least one other embodiment". The terms "first", "second" and the like may refer to different or the same objects. Other definitions, whether explicit or implicit, may be included below. Unless the context clearly dictates otherwise, the definition of a term is consistent throughout the specification.
The following describes embodiments of the present invention in detail with reference to the accompanying drawings.
In the embodiments of the present invention, the apparatus that implements suspicious software detection is referred to as the suspicious software detection apparatus 10. The suspicious software detection apparatus 10 can obtain information about file changes on the device 30 to be detected, search for executable files among the changed files, and detect suspicious software among those executable files. Obtaining the file change information narrows the detection range for suspicious software and greatly improves detection efficiency. The device 30 to be detected may be any computer device, or any device with a computer architecture, including a computer, a notebook computer, a tablet computer, an industrial personal computer, a server, an embedded device and the like. The method can be used to detect suspicious software on a wide range of devices, such as industrial control devices and household devices.
The suspicious software detection apparatus 10 may be implemented as a network of computer processors that executes the suspicious software detection method 200 of the embodiments of the present invention. The suspicious software detection apparatus 10 may also be a single computer, as shown in fig. 1, which obtains the information 53 about the file state on the device 30 to be detected through a communication module 103. The suspicious software detection apparatus 10 may further include at least one memory 101 comprising a computer-readable medium, such as random access memory (RAM). The apparatus 10 further comprises at least one processor 102 coupled to the at least one memory 101. Computer-executable instructions are stored in the at least one memory 101 and, when executed by the at least one processor 102, may cause the at least one processor 102 to perform the steps described herein. The at least one processor 102 may include a microprocessor, an application-specific integrated circuit (ASIC), a digital signal processor (DSP), a central processing unit (CPU), a graphics processing unit (GPU), a state machine, and so on. Examples of computer readable media include, but are not limited to, floppy diskettes, CD-ROMs, magnetic disks, memory chips, ROMs, RAMs, ASICs, configured processors, all optical media, all magnetic tape or other magnetic media, or any other medium from which a computer processor can read instructions. In addition, various other forms of computer-readable media may transmit or carry instructions to a computer, including a router, a private or public network, or another wired or wireless transmission device or channel. The instructions may comprise code in any computer programming language, including C, C++, C#, Visual Basic, Java and JavaScript.
The at least one memory 101 shown in fig. 1 may contain a suspicious software detection program 20 which, when executed by the at least one processor 102, causes the at least one processor 102 to perform the method 200 for suspicious software detection described in the embodiments of the present invention. The suspicious software detection program 20 may include:
-a lookup module 201 configured to determine at least one file 40 that has changed in the device 30, and to look up executable files 41 among the at least one file 40;
-a detection module 202 configured to perform, for each executable file 41 found, the following operations:
-determining first information 51, the first information comprising information of the operation that caused the executable file 41 to change;
-determining second information 52, the second information indicating attributes of the executable file 41;
-determining the degree of suspicion of the executable file 41 based on the first information 51 and the second information 52.
Optionally, the lookup module 201, when determining the at least one file 40 that has changed in the device 30, is configured to:
-obtain third information 53 recording the file state in the device 30 at various points in time during a period of time;
-compare the third information 53 of the respective points in time to determine the at least one file 40 that has changed in the device 30 during the time period.
Here, the first information 51 (information of the operation that changed the executable file 41), the second information 52 (information indicating attributes of the executable file 41) and the third information 53 (information recording the file state in the device 30) may be stored in the at least one memory 101.
For example, the first information 51 may include at least one of the following:
-operation information 511 for creating a file;
-operation information 512 for modifying a file;
-operation information 513 for deleting a file.
The second information 52 may include at least one of the following:
-a file name 521;
-a file storage path 522;
-a file processing time 523;
-a file type 524;
-a digital signature 525.
It should be mentioned that embodiments of the invention may include devices with architectures different from that shown in fig. 2. The above architecture is merely exemplary and is provided to illustrate the method 200 of the embodiments of the present invention. For example, the suspicious software detection apparatus 10 may be implemented as a piece of software comprising the suspicious software detection program 20, deployed on the device 30 to be detected in order to detect suspicious software on the device 30.
In addition, the modules may also be regarded as functional modules implemented in hardware that carry out the functions involved in the suspicious software detection method; for example, the control logic of the processes involved in the method is burned in advance into a chip such as a field-programmable gate array (FPGA) or a complex programmable logic device (CPLD), and the functions of the modules are executed by that chip or device. The specific implementation may be determined by engineering practice.
As shown in fig. 2, an exemplary method 200 according to an embodiment of the present invention includes the following steps:
-S201: determining at least one file 40 that has changed in a device 30;
-S202: searching for executable files 41 among the at least one file 40, and for each executable file 41 found, performing the following operations:
-S203: determining first information 51, the first information including information of the operation that caused the executable file 41 to change;
-S204: determining second information 52, the second information indicating attributes of the executable file 41;
-S205: determining the degree of suspicion of the executable file 41 based on the first information 51 and the second information 52.
Optionally, in step S201, the suspicious software detection apparatus 10 may obtain third information 53 recording the file state in the device 30 at each time point within a time period, and determine the at least one file 40 that changed in the device 30 during the time period by comparing the third information 53 of the respective time points; in step S203, the third information 53 of the respective time points may be compared to determine the information of the operations that changed each found executable file 41 within the time period.
Taking as an example a device 30 to be detected that runs the Volume Snapshot Service (VSS), in step S201 the VSS snapshot files for each time point within a period of time may be obtained. The VSS snapshot files are sorted by time, and adjacent snapshot files are then compared pairwise to identify the changed files 40 and the information of the operations that changed them, where the operations include creation, deletion and modification.
In step S202, whether a changed file 40 is an executable file may be determined according to its meta information, such as the file format. For example, in the Windows operating system different types of file have different formats, so the type of a file can be determined by analysing its format. Executable files may include scripts, binary executable files and the like. This further narrows the detection scope for suspicious software.
In step S205, the degree of suspicion of the executable file 41 may be determined according to the determined first information 51 and second information 52. For example, the degree of suspicion of an executable file 41 may be measured by a score: the lower the score, the higher the degree of suspicion. One possible implementation is to score according to the first information 51 to obtain a first score value 71, and to score according to the second information 52 to obtain a second score value 72. An overall score value (for example the sum, or a weighted sum, of the two score values) is then calculated from the first score value 71 and the second score value 72, and the degree of suspicion of the executable file 41 is determined from the overall score value.
Next, referring to fig. 3, the sub-step S2051 of determining the first score value 71 from the first information 51 is described. Sub-step S2051 may further comprise:
-S20511: the content of the first information 51 is determined; if the first information 51 includes operation information 511 for creating a file, sub-step S20512 is performed; if it includes operation information 512 for modifying a file, sub-step S20513 is performed; and if it includes operation information 513 for deleting a file, sub-step S20514 is performed.
-S20512: the first score value 71 is decreased by 2;
-S20513: the first score value 71 is decreased by 1;
-S20514: the first score value 71 is decreased by 1.
The above process of determining the first score value 71 from the first information 51 is only an example, and there are many possible ways to determine it. As can be seen from the above, the operation of creating a file makes the executable file 41 highly suspicious, the operations of modifying and deleting a file make it somewhat less suspicious, and a file that has not changed is not considered at all. Any implementation of this judgement rule therefore achieves the purpose of determining the degree of suspicion of an executable file according to the type of file operation.
Next, referring to fig. 4, the sub-step S2052 of determining the second score value 72 from the second information 52 is described. Sub-step S2052 may further comprise:
-S20521: the file name 521 of the executable file 41 is compared with the system file names 521'; if the file name judgement condition 61 is satisfied (for example, the similarity between the two is greater than a preset threshold, meaning that the names are similar), sub-step S20522 is performed; otherwise sub-step S20522 is skipped and sub-step S20523 is performed directly.
-S20522: the second score value 72 is decreased by 3, after which sub-step S20523 is performed.
-S20523: the file storage path 522 of the executable file 41 is compared with the specified directories 522', which may include, but are not limited to, a system directory, a user profile directory, a temporary (temp) directory and the like; if the file storage path judgement condition 62 is satisfied (for example, the directories are the same), sub-step S20524 is performed; otherwise sub-step S20524 is skipped and sub-step S20525 is performed directly.
-S20524: the second score value 72 is decreased by 1, after which sub-step S20525 is performed.
-S20525: the file processing time 523 of the executable file 41 is compared with the creation time value range 523'; if the file processing time judgement condition 63 is satisfied, sub-step S20526 is performed; otherwise sub-step S20526 is skipped and sub-step S20527 is performed directly. For example, the times associated with a file include the file creation time, the file modification time, the file access time and the MFT record change time; the condition is satisfied if the file creation time is later than all the other file times, or if all the file times are 0.
-S20526: the second score value 72 is decreased by 2, after which sub-step S20527 is performed.
-S20527: the file type 524 of the executable file 41 is compared with the specified file types 524'; if the file type judgement condition 64 is satisfied (for example, the file is a system file, a hidden file, a read-only file or an archive file), sub-step S20528 is performed; otherwise sub-step S20528 is skipped and sub-step S20529 is performed directly.
-S20528: for the system, hidden, read-only and archive file types, the second score value 72 is decreased by 1 for each of these types the executable file 41 belongs to; for example, if the executable file 41 belongs to three of the four types, the second score value 72 is decreased by 3.
-S20529: it is determined whether the digital signature 525 of the executable file 41 satisfies the digital signature judgement condition 65 (for example, the digital signature is valid); if so, sub-step S20530 is performed; otherwise sub-step S20530 is skipped and the final second score value 72 is obtained directly.
-S20530: the second score value 72 is increased by 50.
The above process of determining the second score value 72 from the second information 52 is only an example, and there are many possible ways to determine it. As can be seen from the above, if the file name of a changed executable file 41 is similar to a system file name, the file is stored under a specified directory 522', its file creation time meets the preset condition and its file type is a specified file type 524', the degree of suspicion is greater, whereas if the digital signature is valid the degree of suspicion is greatly reduced. Any implementation of this judgement rule therefore achieves the purpose of determining the degree of suspicion of an executable file according to the attributes of the file.
The following example is given. Taking an scvhost.exe file and an application.exe file as examples, the first score value 71 and the second score value 72 are determined using the above procedure and the overall score value is determined from them, giving the degree of suspicion of each executable file 41. The total score values for the two files are -8 and 50 respectively, indicating that scvhost.exe is the more suspicious of the two.
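The scoring rules of sub-steps S2051 and S2052 and the overall score of S205, as an added Python example that is not part of the patent. The system file names 521', the specified directories 522', the 0.8 similarity threshold and both sample files are constructed; scvhost.exe is given attributes that reproduce the -8 quoted above, and the overall score is the plain sum of the two score values.

```python
"""Sub-steps S2051 and S2052: scoring one changed executable file 41.

A lower total means more suspicious. Reference data (system file names,
specified directories, the similarity threshold) and the sample files are
constructed for this example; the overall score is the plain sum of the
first and second score values.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import FrozenSet, List, Tuple

# First information 51: penalty per kind of operation (S20512 to S20514).
OPERATION_PENALTY = {"create": -2, "modify": -1, "delete": -1}

# Assumed reference data for the second-information checks.
SYSTEM_FILE_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe")      # 521'
SPECIFIED_DIRECTORIES = (r"c:\windows\system32", r"c:\users", r"c:\windows\temp")  # 522'
SPECIFIED_FILE_TYPES = frozenset({"system", "hidden", "readonly", "archive"})      # 524'
NAME_SIMILARITY_THRESHOLD = 0.8  # preset threshold of condition 61 (assumed)


@dataclass
class ExecutableFile:
    name: str                    # 521
    directory: str               # 522
    operations: List[str]        # first information 51
    created: int                 # 523: NTFS timestamps as epoch seconds
    modified: int
    accessed: int
    mft_changed: int
    file_types: FrozenSet[str] = frozenset()   # 524
    signature_valid: bool = False              # 525


def first_score(operations: List[str]) -> int:
    """S2051: each kind of operation present in the first information is penalised once."""
    return sum(OPERATION_PENALTY[op] for op in set(operations))


def name_resembles_system_file(name: str) -> bool:
    """Condition 61: similarity to a system file name above the threshold
    (an identical name also satisfies it, as the rule is written)."""
    return any(SequenceMatcher(None, name.lower(), system).ratio() > NAME_SIMILARITY_THRESHOLD
               for system in SYSTEM_FILE_NAMES)


def in_specified_directory(directory: str) -> bool:
    """Condition 62: the file lives in, or below, one of the specified directories."""
    d = directory.lower().rstrip("\\")
    return any(d == spec or d.startswith(spec + "\\") for spec in SPECIFIED_DIRECTORIES)


def timestamps_anomalous(f: ExecutableFile) -> bool:
    """Condition 63: creation time later than every other time, or all times zero."""
    others = (f.modified, f.accessed, f.mft_changed)
    return f.created > max(others) or (f.created == 0 and not any(others))


def second_score(f: ExecutableFile) -> int:
    """S2052: walk the checks of fig. 4 and accumulate the second score value 72."""
    score = 0
    if name_resembles_system_file(f.name):
        score -= 3                                      # S20522
    if in_specified_directory(f.directory):
        score -= 1                                      # S20524
    if timestamps_anomalous(f):
        score -= 2                                      # S20526
    score -= len(f.file_types & SPECIFIED_FILE_TYPES)   # S20528: 1 per matching type
    if f.signature_valid:
        score += 50                                     # S20530
    return score


def total_score(f: ExecutableFile) -> Tuple[int, int, int]:
    """S205: (first score 71, second score 72, overall score as their plain sum)."""
    first, second = first_score(f.operations), second_score(f)
    return first, second, first + second


def rank_by_suspicion(files: List[ExecutableFile]) -> List[Tuple[str, int]]:
    """Most suspicious (lowest overall score) first."""
    return sorted(((f.name, total_score(f)[2]) for f in files), key=lambda item: item[1])


# Constructed sample files. scvhost.exe is given the attributes that make its
# total land at the -8 the description quotes; application.exe is a signed,
# modified vendor binary outside the specified directories.
SAMPLE_FILES = [
    ExecutableFile("scvhost.exe", r"C:\Windows\System32", ["create"],
                   created=1_700_000_900, modified=1_700_000_000,
                   accessed=1_700_000_100, mft_changed=1_700_000_200),
    ExecutableFile("application.exe", r"D:\Apps\Vendor", ["modify"],
                   created=1_700_000_000, modified=1_700_000_500,
                   accessed=1_700_000_600, mft_changed=1_700_000_500,
                   file_types=frozenset({"archive"}), signature_valid=True),
]

if __name__ == "__main__":
    for f in SAMPLE_FILES:
        print(f.name, total_score(f))
```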
Table 1 shows the determination of the second score value 72, and Table 2 shows the determination of the first score value 71 and the total score value.
TABLE 1: Figure PCTCN2020094742-APPB-000002 (table supplied as an image; not reproduced)
TABLE 2: Figure PCTCN2020094742-APPB-000003 (table supplied as an image; not reproduced)
In addition, an embodiment of the present invention further provides a computer-readable medium having computer-readable instructions stored thereon which, when executed by a processor, cause the processor to execute the above-mentioned suspicious software detection method. Examples of the computer-readable medium include floppy disks, hard disks, magneto-optical disks, optical disks (e.g., CD-ROMs, CD-Rs, CD-RWs, DVD-ROMs, DVD-RAMs, DVD-RWs, DVD+RWs), magnetic tapes, non-volatile memory cards and ROMs. Alternatively, the computer-readable instructions may be downloaded from a server computer or from a cloud over a communications network.
In summary, embodiments of the present invention provide a suspicious software detection method, a suspicious software detection apparatus and a computer-readable medium. The traditional approach uses whitelists and blacklists, which require huge and comprehensive data to be maintained, whereas the scheme of the embodiments needs no database to be maintained in advance. Moreover, most of the data in whitelists and blacklists is redundant for the detection of any particular device or system, whereas in the scheme of the embodiments the detection result is based on the files in the device itself, so the result is more accurate and applies to a wide range of devices and systems. Furthermore, the signature database of a whitelist or blacklist approach must be updated frequently, whereas the scheme of the embodiments detects suspicious software merely by detecting file changes in the device, with no database to update. Finally, whitelists and blacklists are built from known suspicious software and cannot detect unknown suspicious software.
It should be noted that not all steps and modules in the above flows and system structure diagrams are necessary; some steps or modules may be omitted according to actual needs. The execution order of the steps is not fixed and may be adjusted as required. The system structure described in the above embodiments may be a physical structure or a logical structure; that is, some modules may be implemented by the same physical entity, some modules may be implemented by several physical entities, or some components in several independent devices may be implemented together.

Claims (10)

  1. A suspicious software detection method (200), comprising:
    -determining (S201) at least one file (40) in a device (30) that has changed;
    -looking up (S202) an executable file (41) from said at least one file (40);
    -for each executable file (41) found, performing the following operations:
    -determining (S203) first information (51) comprising information of an operation that causes a change to the executable file (41);
    -determining (S204) second information (52) indicating properties of the executable file (41);
    -determining (S205) the degree of suspicion of the executable file (41) based on said first information (51) and said second information (52).
  2. The method according to claim 1, wherein determining (S201) at least one file (40) that has changed in a device (30) comprises:
    -obtaining third information (53) for recording the status of files in the device (30) at various points in time during a period of time;
    -comparing said third information (53) at respective points in time to determine said at least one file (40) that changed in said device (30) during said period of time.
  3. The method according to claim 2, wherein said determining (S203) the first information (51) comprises:
    -comparing said third information (53) at various points in time to determine information of the operations that changed each executable file (41) found during said period of time.
  4. The method according to claim 1, wherein finding (S202) an executable file (41) from the at least one file (40) comprises:
    -determining whether each of said at least one file (40) is an executable file based on meta information of the file.
  5. The method according to claim 1, wherein the first information (51) comprises at least one of:
    -operation information (511) of creating a file;
    -operation information (512) for modifying a file;
    -operation information (513) to delete the file.
  6. The method of claim 1, wherein the second information (52) comprises at least one of:
    -a file name (521);
    -a file storage path (522);
    -a file creation time (523);
    -a file type (524);
    -a digital signature (525).
  7. A suspicious software detection apparatus (10) comprising:
    -a search module (201) configured to determine at least one file (40) in which a change has occurred in a device (30), and to search for executable files (41) from said at least one file (40);
    -a detection module (202) configured to perform, for each found executable file (41), the following operations:
    -determining first information (51) comprising information of an operation that causes a change of the executable file (41);
    -determining second information (52) indicative of properties of the executable file (41);
    -determining the degree of suspiciousness of the executable file (41) on the basis of said first information (51) and said second information (52).
  8. The apparatus of claim 7, wherein the search module (201), in determining the at least one file (40) that has changed in a device (30), is configured to:
    -obtaining third information (53) for recording the status of files in the device (30) at various points in time during a period of time;
    -comparing said third information (53) at respective points in time to determine said at least one file (40) that changed in said device (30) during said period of time.
  9. A suspicious software detection apparatus (10) comprising:
    at least one memory (101) configured to store computer readable code;
    at least one processor (102) configured to invoke the computer readable code to perform the method of any of claims 1-6.
  10. A computer readable medium having computer readable instructions stored thereon, which, when executed by a processor, cause the processor to perform the method of any one of claims 1 to 6.
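Claims 1 to 6 describe one pipeline: record the state of the files on a device at several points in time (the third information), compare those records to find files that changed, keep only the executables, derive the operation that changed each one (create, modify or delete, the first information) and its attributes (name, path, creation time, type, signature, the second information), then rate each executable. The following is an added example written for this page, not code from the patent or from Siemens, showing that pipeline end to end in Python. The executable detection by header bytes and mode bits, the scoring weights, the temporary-directory and double-extension heuristics, and the `is_signed` hook are all assumptions of this example (the patent claims a signature attribute but prescribes no check); the two snapshots are constructed in memory so the block runs offline, and `take_snapshot` shows how the same records would be taken from a real directory tree.

```python
"""Snapshot-diff detection of suspicious executables (added example, not the
patent's own code). Weights and path/name heuristics are assumptions."""
from __future__ import annotations

import os
import re
import stat
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FileState:
    """One record of the 'third information': a file's state at one point in time.
    `head` keeps the first four bytes so the executable check works on the record
    alone; `signed` is None when no signature verifier was wired in (assumption:
    a deployment would plug Authenticode / package-manager / IMA checks into
    the `is_signed` hook of take_snapshot)."""
    size: int
    mtime: float
    ctime: float
    mode: int
    head: bytes
    signed: Optional[bool] = None


Snapshot = Dict[str, FileState]

# Headers that mark an executable regardless of name or mode bits (ELF, PE,
# script shebang, Mach-O, fat Mach-O). Assumed list for this example.
EXEC_MAGIC = (b"\x7fELF", b"MZ", b"#!", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")
EXEC_EXTENSIONS = (".exe", ".dll", ".sys", ".scr", ".com", ".so", ".bin", ".sh")
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")          # assumed heuristic
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpg|png|txt)\.(exe|scr|com|bat)$", re.I)


def take_snapshot(root: str, is_signed: Callable[[str], Optional[bool]] = lambda p: None) -> Snapshot:
    """Record every regular file under `root` at this point in time."""
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue                      # skip symlinks, sockets, devices
                with open(path, "rb") as fh:
                    head = fh.read(4)
            except OSError:
                continue                          # unreadable, or gone since os.walk
            birth = getattr(st, "st_birthtime", st.st_ctime)   # creation time where available
            snap[path] = FileState(st.st_size, st.st_mtime, birth, st.st_mode, head, is_signed(path))
    return snap


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, str]:
    """Compare two points in time; returns path -> 'create' | 'modify' | 'delete'."""
    ops: Dict[str, str] = {}
    for path in before.keys() | after.keys():
        if path not in before:
            ops[path] = "create"
        elif path not in after:
            ops[path] = "delete"
        elif before[path] != after[path]:        # any recorded attribute differs
            ops[path] = "modify"
    return ops


def is_executable(path: str, state: FileState) -> bool:
    """Executable decision from meta information only: header, mode bits, extension."""
    if state.head.startswith(EXEC_MAGIC) or state.mode & 0o111:
        return True
    return path.lower().endswith(EXEC_EXTENSIONS)


def score_executable(path: str, op: str, state: FileState, period_start: float) -> Tuple[int, List[str]]:
    """Combine the operation (first information) with the file attributes
    (second information) into a suspiciousness score. Weights are assumed."""
    score, reasons = 0, []
    score += 2 if op in ("create", "modify") else 1
    reasons.append(f"executable {op}d" if op != "modify" else "executable modified in place")
    if state.signed is False:
        score += 2; reasons.append("no valid digital signature")
    if op != "delete" and state.ctime >= period_start:
        score += 1; reasons.append("created within the observation period")
    if path.startswith(SUSPICIOUS_DIRS):
        score += 2; reasons.append("stored in a temporary / world-writable directory")
    name = os.path.basename(path)
    if name.startswith("."):
        score += 1; reasons.append("hidden file name")
    if DOUBLE_EXT.search(name):
        score += 2; reasons.append("document extension disguising an executable")
    ext = os.path.splitext(name)[1].lower()
    if ext and ext not in EXEC_EXTENSIONS and state.head.startswith(EXEC_MAGIC):
        score += 1; reasons.append("extension does not match executable header")
    return score, reasons


def detect(before: Snapshot, after: Snapshot, period_start: float) -> Dict[str, Tuple[str, int, List[str]]]:
    """Claim 1 end to end: changed files -> executables -> (operation, score, reasons)."""
    results = {}
    for path, op in diff_snapshots(before, after).items():
        state = before[path] if op == "delete" else after[path]   # deleted files only exist in `before`
        if is_executable(path, state):
            results[path] = (op,) + score_executable(path, op, state, period_start)
    return results


# Constructed sample records (not real file-system data) for two points in time.
T0, ELF, PE = 1000.0, b"\x7fELF", b"MZ\x90\x00"
SNAPSHOT_T0: Snapshot = {
    "/usr/bin/ls": FileState(142000, 500.0, 500.0, 0o100755, ELF, signed=True),
    "/opt/app/agent": FileState(80000, 600.0, 600.0, 0o100755, ELF, signed=True),
    "/home/u/notes.txt": FileState(12, 700.0, 700.0, 0o100644, b"meet", None),
}
SNAPSHOT_T1: Snapshot = {
    "/usr/bin/ls": SNAPSHOT_T0["/usr/bin/ls"],                                  # unchanged
    "/home/u/notes.txt": FileState(40, 1500.0, 700.0, 0o100644, b"meet", None),  # edited, not executable
    "/tmp/.x": FileState(51200, 1800.0, 1800.0, 0o100755, ELF, signed=False),   # dropped hidden ELF
    "/home/u/invoice.pdf.exe": FileState(300000, 1900.0, 1900.0, 0o100644, PE, signed=False),
}                                                                               # /opt/app/agent deleted

if __name__ == "__main__":
    for path, (op, score, why) in sorted(detect(SNAPSHOT_T0, SNAPSHOT_T1, T0).items(), key=lambda kv: -kv[1][1]):
        print(f"{score:2d} {op:6s} {path}  [{'; '.join(why)}]")
```

Two points worth keeping when turning this into a real collector: a file deleted between snapshots has no "after" record, so its attributes must come from the earlier snapshot, and a modification that only touches the executable bit or the header still shows up because the whole `FileState` is compared rather than just size and mtime. Anything that changed but is not an executable (the edited `notes.txt` above) is dropped before scoring, which is the filtering step claim 1 places between finding changed files and determining the first and second information.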
CN202080100927.6A 2020-06-05 2020-06-05 Suspicious software detection method, device and computer readable medium Pending CN115605866A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/094742 WO2021243716A1 (en) 2020-06-05 2020-06-05 Suspicious software detection method and apparatus, and computer readable medium

Publications (1)

Publication Number Publication Date
CN115605866A (en) 2023-01-13

Family

ID=78830071

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202080100927.6A Pending CN115605866A (en) 2020-06-05 2020-06-05 Suspicious software detection method, device and computer readable medium

Country Status (2)

Country Link
CN (1) CN115605866A (en)
WO (1) WO2021243716A1 (en)

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8302193B1 (en) * 2008-05-30 2012-10-30 Symantec Corporation Methods and systems for scanning files for malware
CN102768717B (en) * 2012-06-29 2015-01-21 腾讯科技(深圳)有限公司 Malicious file detection method and malicious file detection device
CN103714269A (en) * 2013-12-02 2014-04-09 百度国际科技(深圳)有限公司 Virus identification method and device
CN105488390B (en) * 2014-12-13 2018-05-25 哈尔滨安天科技股份有限公司 Method and system for finding suspicious files under Linux

Also Published As

Publication number Publication date
WO2021243716A1 (en) 2021-12-09

Similar Documents

Publication Publication Date Title
US20210256127A1 (en) System and method for automated machine-learning, zero-day malware detection
EP3316166B1 (en) File-modifying malware detection
US9998484B1 (en) Classifying potentially malicious and benign software modules through similarity analysis
US9300682B2 (en) Composite analysis of executable content across enterprise network
US9621571B2 (en) Apparatus and method for searching for similar malicious code based on malicious code feature information
US8479296B2 (en) System and method for detecting unknown malware
Trinius et al. Visual analysis of malware behavior using treemaps and thread graphs
CN107992751B (en) Real-time threat detection method based on branch behavior model
EP3346664B1 (en) Binary search of byte sequences using inverted indices
KR101733000B1 (en) Method and Apparatus for Collecting Cyber Incident Information
US20120159628A1 (en) Malware detection apparatus, malware detection method and computer program product thereof
CN111988341B (en) Data processing method, device, computer system and storage medium
CN102930207A (en) API log monitoring method and device
CN114386032A (en) Firmware detection system and method for power Internet of things equipment
Park et al. Antibot: Clustering common semantic patterns for bot detection
EP3705974B1 (en) Classification device, classification method, and classification program
CN113890762B (en) Method and system for detecting web crawler behaviors based on flow data
KR102318991B1 (en) Method and device for detecting malware based on similarity
CN113177204B (en) Container mirror image security detection method, terminal device and storage medium
KR20160133927A (en) Apparatus and method for detecting rooting from terminal based on android system
KR101907681B1 (en) Method, apparatus, and system for automatically generating rule for detecting virus code, and computer readable recording medium for reciring the same
US11822666B2 (en) Malware detection
CN111191235B (en) Suspicious file analysis method, suspicious file analysis device and computer readable storage medium
CN115605866A (en) Suspicious software detection method, device and computer readable medium
US20230098919A1 (en) Malware attributes database and clustering

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination