CN116595523A - Multi-engine file detection method, system, equipment and medium based on dynamic arrangement - Google Patents

Multi-engine file detection method, system, equipment and medium based on dynamic arrangement Download PDF

Info

Publication number
CN116595523A
Authority
CN
China
Prior art keywords
file
detection
engine
sample
analysis
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310485093.0A
Other languages
Chinese (zh)
Inventor
郭昌盛
李响
王磊
徐若愚
姜昱西
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jiangmin Xinke Technology Co ltd
Original Assignee
Beijing Jiangmin Xinke Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/25Fusion techniques
    • G06F18/254Fusion techniques of classification results, e.g. of results related to same input data
    • G06F18/256Fusion techniques of classification results, e.g. of results related to same input data of results relating to different input data, e.g. multimodal recognition
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention discloses a multi-engine file detection method, system, device and medium based on dynamic arrangement (dynamic orchestration). The method comprises: receiving a sample file; pre-analysing the sample file to obtain a pre-analysis result; judging, based on the pre-analysis result, whether the basic information of the sample file meets a preset detection condition; when it does, dynamically orchestrating the sample file into the analysis queue of the corresponding detection engine according to the pre-analysis result; each detection engine independently detecting the sample file from its analysis queue to obtain an analysis report; and performing a comprehensive judgement based on the analysis reports of all detection engines, generating a comprehensive judgement result and a file detection report. The scheme addresses the limited capability of a single type of file detection engine and the false positives and false negatives of a purely static file detection engine.

Description

Multi-engine file detection method, system, equipment and medium based on dynamic arrangement
Technical Field
The present invention relates to the field of malicious code detection, and in particular to a method, system, apparatus and medium for multi-engine file detection based on dynamic arrangement (orchestration).
Background
With the development of network security technology, the techniques that malicious and suspicious files use to evade detection keep evolving: modern malicious files employ packing, disguise and similar means, which makes suspicious files harder to analyse and detect. Detection engines have accordingly moved from traditional comparison against static signature libraries towards dynamic analysis based on file behaviour, detecting suspicious files by combining file behaviour monitoring, threat intelligence data, machine-learning detection and other techniques. Suspicious file detection techniques fall into two main kinds: static analysis and dynamic analysis.
Static analysis mainly analyses the binary content of a suspicious file, extracts feature codes (signatures) to build a signature library, and has the detection engine compare the features of a sample file against that library to decide whether the sample is malicious.
Dynamic analysis executes the sample file in a protected virtual environment and monitors its behaviour during execution through monitoring points in kernel mode and user mode, such as the file system, processes, the registry and network access. Its advantage is that it is not affected by polymorphism, modification or packing; its disadvantage is that it cannot achieve multi-path coverage for condition-triggered suspicious files, i.e. samples whose malicious path only runs when a particular condition is met.
At present there are many malicious code detection products on the domestic market and every vendor has its own suspicious file detection engine, but because vendors differ in technical implementation, sample capture channels, sample analysis capability, detection algorithms and so on, their detection capabilities differ: each is good at some kinds of suspicious file, and false positives and false negatives occur. How to realise suspicious file detection that fuses multiple engines, so as to raise the overall detection level, has therefore become an urgent problem.
Disclosure of Invention
In view of this, embodiments of the present disclosure provide a method for detecting multiple engine files based on dynamic arrangement, which at least partially solves the problems existing in the prior art.
In a first aspect, an embodiment of the present disclosure provides a method for detecting a multi-engine file based on dynamic arrangement, the method including the steps of:
receiving a sample file;
pre-analysing the sample file to obtain a pre-analysis result, the pre-analysis result comprising basic information and authenticity information of the sample file; the basic information comprises the type of the sample file, an operating system environment that satisfies its execution, a hardware environment for executing it, a software environment for executing it and the size of the resources required to execute it; the authenticity information comprises a digital fingerprint (a hash of the file) and a digital signature;
judging, based on the pre-analysis result, whether the basic information of the sample file meets a preset detection condition, and when it does, dynamically orchestrating the sample file into the analysis queue of the corresponding detection engine according to the pre-analysis result;
each detection engine independently detecting the sample file from its analysis queue to obtain an analysis report; the detection engines comprise a static detection engine, a dynamic detection engine and an AI engine;
performing a comprehensive judgement based on the analysis reports of all detection engines, generating a comprehensive judgement result, and generating a file detection report.
According to a specific implementation of an embodiment of the disclosure, the method further includes determining, based on the comprehensive judgement result, whether a detection engine needs to update itself.
According to a specific implementation manner of the embodiment of the present disclosure, dynamically orchestrating the sample file into the corresponding detection engine analysis queue includes the following steps:
selecting a detection engine based on the type of the sample file;
and distributing the sample file to a corresponding detection engine analysis queue.
According to a specific implementation manner of the embodiment of the disclosure, the detection engine independently detecting the sample file from its analysis queue includes:
detecting specific behaviours at each stage of the shellcode execution life cycle using hooks, instruction-stream analysis and emulated execution, and judging whether the sample file contains exploit code; when exploit code is present in the sample file, analysing it and producing a threat score.
According to a specific implementation manner of the embodiment of the disclosure, the detection engine independently detecting the sample file from its analysis queue includes: independently detecting the sample file according to detection rules;
the detection rules include: virus feature detection rules, file type detection rules, threat intelligence detection rules, behaviour detection rules and signature detection rules, wherein:
the virus feature detection rule judges whether a file contains a virus by identifying virus feature codes (signatures) in the file;
the file type detection rule determines the type and format of a file by examining its header, extension or other metadata, and performs a risk assessment according to that type and format;
the threat intelligence detection rule uses threat intelligence obtained from public or private sources to identify whether a file is associated with a known threat; the threat intelligence comprises blacklists and malicious software samples;
the behaviour detection rule determines whether a file has potentially threatening behaviour by observing its behaviour in the system; threatening behaviour includes creating a new process and modifying a system file;
the signature detection rule determines whether a file comes from a trusted publisher or trusted source by checking its digital signature.
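The five rule kinds above, applied to one sample record, as an added example written for this page (it is not the patent holder's engine). The record layout, rule data, weights and the clamp to a 0..100 threat index are assumptions; the behaviour rule consumes a constructed list of sandbox events, and the signature rule only compares recorded signer metadata against a trusted-publisher list, it does not verify a signature cryptographically. One check a practitioner will want is in the file type rule: the extension's claimed type is compared with the type derived from the header, since a mismatch (a PE named "report.pdf") is itself a risk signal.

```python
"""Rule-based independent detection of a single sample record (added example, assumptions noted)."""
import hashlib

# Constructed virus feature codes (byte patterns) with a label each.
VIRUS_FEATURES = {
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE": "EICAR test string",
    b"cmd.exe /c ": "embedded command-shell invocation",
}
# Constructed threat intelligence: the SHA-256 of a made-up blob stands in for a blacklist entry.
KNOWN_BAD = b"constructed known-bad blob for the example"
BLACKLIST = {hashlib.sha256(KNOWN_BAD).hexdigest()}
TRUSTED_PUBLISHERS = {"Example Trusted Publisher Ltd"}           # assumed trusted source list
EXT_TO_TYPE = {".exe": "pe", ".dll": "pe", ".pdf": "document",
               ".docx": "document", ".py": "script", ".txt": "text"}
SYSTEM_DIRS = ("c:\\windows\\", "/usr/bin/", "/etc/")             # writes here count as system file changes
WEIGHTS = {"virus_feature": 40, "type_mismatch": 20, "threat_intel": 50,   # assumed weights
           "process_create": 15, "system_file_modify": 25,
           "unsigned": 5, "untrusted_signer": 10, "trusted_signer": -20}


def rule_virus_feature(rec):
    return [("virus_feature", label) for pat, label in VIRUS_FEATURES.items() if pat in rec["data"]]


def rule_file_type(rec):
    ext = "." + rec["name"].rsplit(".", 1)[-1].lower() if "." in rec["name"] else ""
    claimed = EXT_TO_TYPE.get(ext)
    if claimed and claimed != rec["detected_type"]:
        return [("type_mismatch", f"extension says {claimed}, header says {rec['detected_type']}")]
    return []


def rule_threat_intel(rec):
    digest = hashlib.sha256(rec["data"]).hexdigest()
    return [("threat_intel", f"hash {digest[:12]}... on blacklist")] if digest in BLACKLIST else []


def rule_behavior(rec):
    out = []
    for ev in rec.get("events", []):
        if ev["event"] == "process_create":
            out.append(("process_create", ev["target"]))
        elif ev["event"] == "file_write" and ev["path"].lower().startswith(SYSTEM_DIRS):
            out.append(("system_file_modify", ev["path"]))
    return out


def rule_signature(rec):
    signer = rec.get("signer")
    if signer is None:
        return [("unsigned", "no digital signature")]
    if signer in TRUSTED_PUBLISHERS:
        return [("trusted_signer", signer)]
    return [("untrusted_signer", signer)]


def detect(rec):
    """Run every rule and fold the findings into a threat index score clamped to [0, 100]."""
    findings = []
    for rule in (rule_virus_feature, rule_file_type, rule_threat_intel, rule_behavior, rule_signature):
        findings.extend(rule(rec))
    raw = sum(WEIGHTS[kind] for kind, _ in findings)
    return {"findings": findings, "score": max(0, min(100, raw))}


# Constructed sample records; the events lists stand in for sandbox behaviour-monitoring output.
MALICIOUS = {
    "name": "report.pdf", "detected_type": "pe", "signer": None,
    "data": b"MZ...payload... cmd.exe /c whoami ...",
    "events": [{"event": "process_create", "target": "cmd.exe"},
               {"event": "file_write", "path": "C:\\Windows\\System32\\drivers\\etc\\hosts"}],
}
BENIGN = {"name": "notes.txt", "detected_type": "text", "signer": "Example Trusted Publisher Ltd",
          "data": b"meeting notes", "events": []}
INTEL_HIT = {"name": "dropper.bin", "detected_type": "unknown", "signer": None,
             "data": KNOWN_BAD, "events": []}

if __name__ == "__main__":
    for rec in (MALICIOUS, BENIGN, INTEL_HIT):
        print(rec["name"], detect(rec))
```

The score returned by `detect` is the per-engine threat index that the comprehensive judgement later fuses; a trusted signer only lowers the score, it never overrides behavioural findings.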
According to a specific implementation manner of the embodiment of the present disclosure, performing the comprehensive judgement based on the analysis reports of the detection engines includes:
comprehensively analysing the results of each detection engine by combining the analysis reports with historical data, and iteratively updating the detection factors of the detection engines;
obtaining, from the current multi-engine detection result, a comprehensive grade score $FRLS_N$ of the sample file for each engine $N$, calculated as
$$FRLS_N = FRL_N \cdot S_N$$
where $S_N$ is the threat index score reported by the $N$-th engine and $FRL_N$ is the detection factor of the $N$-th engine;
calculating the mean $\overline{FRLS}$ of the per-engine scores $FRLS_N$ and, from it, the final comprehensive grade score $FRLS$ of the sample file:
$$FRLS = \frac{1}{n} \sum_{N=1}^{n} \left| FRLS_N - \overline{FRLS} \right|, \qquad \overline{FRLS} = \frac{1}{n} \sum_{N=1}^{n} FRLS_N$$
where $n$ is the number of detection engines;
setting, and updating over successive rounds, the dynamic orchestration strategy of the sample file based on the $FRLS$ scoring result and the basic information of the sample file; the basic information of the sample file comprises the type of the sample file, an operating system environment that satisfies its execution, a hardware environment for executing it, a software environment for executing it and the size of the resources required to execute it.
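The scoring step carried through in code, as an added example for this page (not the patent holder's implementation). The engine names, the per-engine scores and initial factors, the factor-update rule and the decision thresholds are assumptions. One point worth seeing in numbers: taken as written, $FRLS$ is the mean absolute deviation of the weighted scores around their mean, so it measures how far the engines disagree rather than how malicious the sample is; the example therefore returns the mean and $FRLS$ side by side and uses the latter to flag a sample for another orchestration round.

```python
"""Multi-engine score fusion with the FRLS formulas of this section (added example)."""

# Constructed reports for one sample: threat index score S_N (0..100) and current factor FRL_N per engine.
REPORTS = {
    "pe_static":  {"score": 80.0, "factor": 1.0},
    "pe_dynamic": {"score": 90.0, "factor": 1.2},
    "pe_ai":      {"score": 30.0, "factor": 0.8},
}


def weighted_scores(reports):
    """FRLS_N = FRL_N * S_N for every engine N."""
    return {name: r["factor"] * r["score"] for name, r in reports.items()}


def fuse(reports):
    """Return (mean of FRLS_N, FRLS). FRLS is the mean absolute deviation of the
    weighted scores around their mean, exactly as the formula reads: a disagreement measure."""
    ws = weighted_scores(reports)
    n = len(ws)
    avg = sum(ws.values()) / n
    frls = sum(abs(v - avg) for v in ws.values()) / n
    return avg, frls


def update_factors(reports, avg, lr=0.1, floor=0.2, cap=2.0):
    """Assumed iteration rule (the text only says factors are iterated with history):
    an engine whose weighted score sits far from the consensus loses some weight,
    one that sits close gains some; factors stay within [floor, cap]."""
    ws = weighted_scores(reports)
    scale = max(avg, 1.0)
    updated = {}
    for name, r in reports.items():
        rel_dev = abs(ws[name] - avg) / scale
        factor = r["factor"] * (1.0 + lr * (0.5 - rel_dev))
        updated[name] = min(cap, max(floor, factor))
    return updated


def verdict(reports, malicious_at=60.0, disagreement_at=30.0):
    """Assumed decision: the mean decides the label, and a large FRLS marks the engines
    as disagreeing, which is the case where a fresh orchestration round is worth scheduling."""
    avg, frls = fuse(reports)
    return {
        "mean": avg,
        "frls": frls,
        "label": "malicious" if avg >= malicious_at else "clean",
        "engines_disagree": frls > disagreement_at,
        "next_factors": update_factors(reports, avg),
    }


if __name__ == "__main__":
    print(verdict(REPORTS))
```

With the constructed reports the weighted scores are 80, 108 and 24, the mean is about 70.7 and $FRLS$ about 31.1: the sample is labelled malicious, the AI engine's factor is reduced for the next round and the static engine's is raised slightly.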
According to a specific implementation of an embodiment of the disclosure, the detection engines include a file static detection engine, a file dynamic detection engine and an AI engine, wherein:
the static detection engine comprises a script static detection engine, a document static detection engine and a PE file static detection engine;
the AI detection engine comprises a script AI detection engine, a document AI detection engine and a PE file AI detection engine;
the dynamic detection engine comprises a script dynamic detection engine, a document dynamic detection engine and a PE file dynamic detection engine.
In a second aspect, embodiments of the present disclosure provide a multi-engine file detection system based on dynamic orchestration, the system comprising:
a receiving module configured to receive a sample file;
a pre-analysis module configured to pre-analyse the sample file to obtain a pre-analysis result; the pre-analysis result comprises basic information and authenticity information of the sample file; the basic information comprises the type of the sample file, an operating system environment that satisfies its execution, a hardware environment for executing it, a software environment for executing it and the size of the resources required to execute it; the authenticity information comprises a digital fingerprint and a digital signature;
a dynamic orchestration module configured to judge, based on the pre-analysis result, whether the basic information of the sample file meets a preset detection condition, and when it does, to dynamically orchestrate the sample file into the analysis queue of the corresponding detection engine according to the pre-analysis result;
a detection analysis module configured to have each detection engine independently detect the sample file from its analysis queue to obtain an analysis report, the detection engines comprising a static detection engine, a dynamic detection engine and an AI engine; and
to perform a comprehensive judgement based on the analysis reports of all detection engines, generate a comprehensive judgement result, and generate a file detection report.
In a third aspect, embodiments of the present disclosure further provide an electronic device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor, wherein
the memory stores instructions executable by the at least one processor which, when executed by the at least one processor, cause it to perform the multi-engine file detection method based on dynamic orchestration according to the first aspect or any implementation of the first aspect.
In a fourth aspect, embodiments of the present disclosure further provide a non-transitory computer-readable storage medium storing computer instructions which, when executed by at least one processor, cause the at least one processor to perform the multi-engine file detection method based on dynamic orchestration according to the first aspect or any implementation of the first aspect.
In a fifth aspect, embodiments of the present disclosure further provide a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, cause the computer to perform the multi-engine file detection method based on dynamic orchestration according to the first aspect or any implementation of the first aspect.
The multi-engine file detection method based on dynamic orchestration in the embodiments of the disclosure can effectively address the problems that engines from different vendors, relying on different features, give different detection results for different types of suspicious sample file, that detection suffers from false positives and false negatives, and that the result of a single engine is insufficiently reliable. By linking multiple engines and grading suspicious sample files with a comprehensive score, the method and device reduce false positives and false negatives and improve the reliability of detection results.
Existing multi-engine file detection solutions only combine several static engines and take the result of those engines. The method addresses the problems that such a traditional detection mode cannot detect the dynamic behaviour of a file and cannot perform threat analysis on that behaviour.
Drawings
The foregoing is merely an overview of the present invention, and the present invention is further described in detail below with reference to the accompanying drawings and detailed description.
FIG. 1 is a schematic flow chart of a method for detecting multi-engine files based on dynamic arrangement according to an embodiment of the disclosure;
FIG. 2 is a flow chart of a method for detecting multi-engine files based on dynamic arrangement according to an embodiment of the present disclosure;
FIG. 3 is a schematic diagram of the working principle of dynamic orchestration provided in an embodiment of the disclosure;
FIG. 4 is a schematic diagram of the working principle of multi-engine fusion suspicious file detection according to an embodiment of the present disclosure;
FIG. 5 is a schematic diagram of a multi-engine file detection system based on dynamic arrangement according to an embodiment of the present disclosure; and
FIG. 6 is a schematic diagram of an electronic device according to an embodiment of the disclosure.
Detailed Description
Embodiments of the present disclosure are described in detail below with reference to the accompanying drawings.
Other advantages and effects of the present disclosure will become readily apparent to those skilled in the art from the following disclosure, which describes embodiments of the present disclosure by way of specific examples. It will be apparent that the described embodiments are merely some, but not all embodiments of the present disclosure. The disclosure may be embodied or practiced in other different specific embodiments, and details within the subject specification may be modified or changed from various points of view and applications without departing from the spirit of the disclosure. It should be noted that the following embodiments and features in the embodiments may be combined with each other without conflict. All other embodiments, which can be made by one of ordinary skill in the art without inventive effort, based on the embodiments in this disclosure are intended to be within the scope of this disclosure.
It is noted that various aspects of the embodiments are described below within the scope of the following claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the present disclosure, one skilled in the art will appreciate that one aspect described herein may be implemented independently of any other aspect, and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein. In addition, such apparatus may be implemented and/or such methods practiced using other structure and/or functionality in addition to one or more of the aspects set forth herein.
In addition, in the following description, specific details are provided in order to provide a thorough understanding of the examples. However, it will be understood by those skilled in the art that the aspects may be practiced without these specific details.
With the development of information technology, techniques for detecting malicious code files keep improving, and security is critical for computer software systems. More and more institutions have their own virus detection engines.
However, detecting suspicious files becomes ever more difficult because malicious files evade detection through packing, disguise and similar means. Some newly appearing malicious files, disguised as normal files, are missed by a traditional single engine; existing schemes cannot solve this, and the result can be hidden risks such as the leakage of important information on the network.
The invention provides a method and device for multi-engine fusion detection of suspicious files that supports dynamic orchestration and dynamic detection. Its principle is that an intelligent scheduling model applies a dynamic orchestration mode combining multi-engine static detection and dynamic detection: static feature codes are extracted from the file and compared against the feature libraries of multiple engines, the file's runtime behaviour information is extracted dynamically, and the file is then identified as suspicious or not. The key point is to address the growing difficulty of file analysis and detection as malicious code evolves to evade analysis through modification, packing and similar means, and to improve the accuracy of file detection results. The advantages are that several mature file detection engines are integrated in a scientific and reasonable way, the capabilities and strengths of multiple detection engines are fused, and static, dynamic and AI engines are combined, so that suspicious files are automatically analysed and judged across multiple engines and the overall detection and discrimination capability is improved.
Suspicious file: a file of unknown security status that may pose a threat to computer network security.
Engine: a virus detection engine.
Dynamic detection: detection by dynamic behaviour analysis of a file.
FIG. 1 is a schematic diagram of the flow of a multi-engine file detection method based on dynamic arrangement according to an embodiment of the disclosure.
FIG. 2 is a flow chart of the multi-engine file detection method based on dynamic orchestration, corresponding to FIG. 1.
As shown in fig. 1, at step S110, a sample file is received.
The process then proceeds to step S120.
At step S120, the sample file is pre-analysed to obtain a pre-analysis result. The pre-analysis result comprises basic information and authenticity information of the sample file; the basic information comprises the type of the sample file, an operating system environment that satisfies its execution, a hardware environment for executing it, a software environment for executing it and the size of the resources required to execute it; the authenticity information comprises a digital fingerprint and a digital signature.
More specifically, after a sample file is received it is pre-analysed to obtain the operating system environment in which the file runs, the hardware environment for executing it, the software environment for executing it, the resources required to execute it, and so on. If the analysed file is, for example, a Python file whose runtime environment is Ubuntu, an Ubuntu operating system environment with a Python runtime is created dynamically. The basic information and authenticity information of the sample file, such as file type, file size, the operating system the file belongs to, its digital fingerprint and its digital signature, are analysed to judge whether the file meets the basic requirements of the detection policy: whether the file type and format match the policy, whether the file size matches the policy, whether the file execution environment matches the policy, and so on. The unique digital fingerprint is generated by applying a file hash algorithm to all data in the sample file. When the analysis satisfies the policy, the file is distributed to the analysis queues of several detection engines according to the parsed basic information; when it does not, the file is distributed to a default general environment (a common Windows sandbox or Linux sandbox).
Next, the process goes to step S130.
At step S130, it is judged, based on the pre-analysis result, whether the basic information of the sample file meets a preset detection condition; when it does, the sample file is dynamically orchestrated into the analysis queue of the corresponding detection engine according to the pre-analysis result.
In an embodiment of the present invention, dynamically orchestrating the sample file into the corresponding detection engine analysis queue includes the following steps:
selecting a detection engine based on the type of the sample file;
distributing the sample file to the analysis queue of the corresponding detection engine.
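Steps S120 and S130 carried through in code, as an added example written for this page (not the patent holder's implementation). Type detection by magic number and script hints, the preset policy values (accepted types, maximum size, default sandboxes), the queue naming `<type>_static`, `<type>_dynamic`, `<type>_ai`, and the choice of a Windows sandbox for unrecognised files are all assumptions; digital signature checking is left out. The sample bytes are constructed stubs, not real executables.

```python
"""Pre-analysis of a sample and its dynamic orchestration into engine queues (added example)."""
import hashlib
import re

# Magic-number table: (prefix, file type as the page groups them, OS family needed to run/open it).
MAGIC = [
    (b"MZ", "pe", "windows"),
    (b"\x7fELF", "elf", "linux"),
    (b"%PDF-", "document", "windows"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "document", "windows"),   # OLE2 container (legacy Office)
    (b"PK\x03\x04", "document", "windows"),                          # ZIP container, assumed OOXML here
]
# Cheap content-semantic hints for scripts (assumed heuristics, checked on the first 4 KiB).
PY_HINTS = re.compile(rb"^#!.*\bpython|^\s*(import|from)\s+\w+|^\s*def\s+\w+\(", re.M)
SH_HINTS = re.compile(rb"^#!.*\b(ba|z|da)?sh\b", re.M)

# Preset detection policy (assumed): types the engine set covers, largest accepted sample, fallbacks.
POLICY = {
    "types": {"pe", "document", "script"},
    "max_size": 50 * 1024 * 1024,
    "default_sandbox": {"windows": "windows_sandbox", "linux": "linux_sandbox"},
}


def pre_analyze(name, data):
    """Step S120: basic information plus the digital fingerprint (SHA-256 over all file data)."""
    ftype, os_family, runtime = "unknown", "windows", None   # unrecognised files default to Windows (assumed)
    for prefix, t, fam in MAGIC:
        if data.startswith(prefix):
            ftype, os_family = t, fam
            break
    if ftype == "unknown":
        head = data[:4096]
        if PY_HINTS.search(head):
            ftype, os_family, runtime = "script", "linux", "python3"
        elif SH_HINTS.search(head):
            ftype, os_family, runtime = "script", "linux", "bash"
    return {
        "name": name,
        "type": ftype,
        "os": os_family,
        "runtime": runtime,
        "size": len(data),
        "fingerprint": hashlib.sha256(data).hexdigest(),
    }


def orchestrate(info, policy=POLICY):
    """Step S130: apply the preset detection condition; route to the type's engine queues
    and an environment spec, or to the default sandbox when the condition is not met."""
    meets = info["type"] in policy["types"] and info["size"] <= policy["max_size"]
    env = {"os": info["os"], "runtime": info["runtime"]}
    if not meets:
        return {"queues": [policy["default_sandbox"][info["os"]]], "env": env, "policy_ok": False}
    queues = [f"{info['type']}_{kind}" for kind in ("static", "dynamic", "ai")]
    return {"queues": queues, "env": env, "policy_ok": True}


# Constructed samples (stubs, not real programs): a PE header, a Python script, an ELF header.
SAMPLE_PE = b"MZ" + b"\x90" * 62
SAMPLE_PY = b"#!/usr/bin/env python3\nimport os\nos.system('id')\n"
SAMPLE_ELF = b"\x7fELF\x02\x01\x01" + b"\x00" * 57

if __name__ == "__main__":
    for name, data in (("a.exe", SAMPLE_PE), ("b.py", SAMPLE_PY), ("c.bin", SAMPLE_ELF)):
        info = pre_analyze(name, data)
        print(name, info["type"], orchestrate(info))
```

The ELF stub shows the fallback path: its type is recognised but not covered by the engine set, so it goes to the Linux sandbox rather than being dropped; an oversized PE takes the Windows sandbox path for the same reason.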
In an embodiment of the present invention, the detection engine independently detecting the sample file from its analysis queue includes: detecting specific behaviours at each stage of the shellcode execution life cycle using hooks, instruction-stream analysis and emulated execution, and judging whether the sample file contains exploit code; when it does, the relevant detection module analyses the malicious code to understand its purpose and impact, and at the same time determines the source of the attack and performs threat scoring in combination with threat intelligence.
In an embodiment of the present invention, the detection engines include a file static detection engine, a file dynamic detection engine and an AI engine, wherein:
the static detection engine comprises a script static detection engine, a document static detection engine and a PE file static detection engine;
the AI detection engine comprises a script AI detection engine, a document AI detection engine and a PE file AI detection engine;
the dynamic detection engine comprises a script dynamic detection engine, a document dynamic detection engine and a PE file dynamic detection engine.
More specifically, the working principle of dynamic orchestration is shown in FIG. 3 and comprises the following steps:
Step 1: file type filtering.
The file is first passed through a file format decoder and shellcode static features, and its type is judged in combination with content semantic identification, giving a file type result.
Step 2: environment matching and dynamic orchestration of the environment.
Matching is performed according to the filtering result of the sample file: a comprehensive assessment is made from the file type, the operating system it belongs to, the server's current resources, the dynamic orchestration strategy and similar information; the assessment result, i.e. the server state information, is combined with the pre-analysis result; and the file static detection engine, file dynamic detection engine, AI engine and file execution environment requirements are dynamically orchestrated according to that combination, so that a detection environment is created.
The server's current resources mean the currently idle servers and the current CPU, memory, disk and similar resources of each server. Dynamic orchestration means dynamically selecting servers and detection environments among the server nodes within a topology scope according to preconditions such as the file's runtime environment and the detection environment, and organising the detection environments in a specific sequence so that servers and detection environments cooperate to achieve the expected goal or result. In computing, orchestration generally refers to automating the deployment and management of distributed applications.
In an embodiment of the present invention, the dynamic orchestration environment is created using resource-topology-aware resource allocation. A topology scope is a network composed of a set of network devices and their links, organised together into a logical network; in an enterprise network, for example, each branch office may be defined as a topology scope, and the devices and links within the branch office form that scope's network. Resources are the hardware and software resources available in a server system, including processors, memory, storage, network bandwidth and so on; server resources are the basis on which servers provide services and are one of the key factors in server performance.
When the environment is dynamically orchestrated, it is first judged by matching an environment resource policy whether the server resources meet the execution requirement, and by a resource water-level algorithm whether the environment can be started on a node server; at the same time the dynamic orchestration method is invoked through the topology application domain to obtain resources, giving an environment matching result. After resources are obtained, the required system environment, runtime environment, detection engine environment and specific detection module environment are dynamically selected and created according to the environment matching result. The specific detection module performs behaviour monitoring by injection into the environment, observing the behaviour of the file in the system, such as whether a new process is created or a system file modified, to determine whether the file has potentially threatening behaviour. For example, if the file type is a Python script and the execution environment is Ubuntu, an Ubuntu operating system and the required Python environment are selected, and resources are pulled dynamically to create the detection environment.
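The environment resource policy and resource water-level check of step 2, as an added example written for this page (not the patent holder's scheduler). The node inventory, the water-level thresholds, the "lowest peak utilisation after placement" tie-break and the request layout are assumptions; the example only shows placement, not the creation of the image or the injection of the detection module.

```python
"""Water-level based placement of a detection environment on a node within a topology scope (added example)."""

# Constructed node inventory. Each resource is (capacity, currently used); scope is the branch office.
NODES = [
    {"name": "node-a", "scope": "branch-1", "cpu": (16, 14.5), "mem_gb": (64, 60), "disk_gb": (1000, 400),
     "images": {"ubuntu", "windows10"}, "runtimes": {"python3"}},
    {"name": "node-b", "scope": "branch-1", "cpu": (16, 4), "mem_gb": (64, 20), "disk_gb": (1000, 200),
     "images": {"ubuntu"}, "runtimes": {"python3", "bash"}},
    {"name": "node-c", "scope": "branch-2", "cpu": (32, 8), "mem_gb": (128, 30), "disk_gb": (2000, 100),
     "images": {"ubuntu", "windows10"}, "runtimes": {"python3", "office"}},
]
# Water levels (assumed): the utilisation a node may reach after the new environment is placed.
WATER_LEVEL = {"cpu": 0.80, "mem_gb": 0.85, "disk_gb": 0.90}


def utilisation_after(node, req):
    """Projected utilisation per resource if req were placed on node."""
    return {res: (node[res][1] + req[res]) / node[res][0] for res in WATER_LEVEL}


def fits(node, req):
    """Environment resource policy (scope, image, runtime) plus the resource water-level check."""
    if req.get("scope") and node["scope"] != req["scope"]:
        return False
    if req["image"] not in node["images"]:
        return False
    if req.get("runtime") and req["runtime"] not in node["runtimes"]:
        return False
    return all(u <= WATER_LEVEL[res] for res, u in utilisation_after(node, req).items())


def select_node(nodes, req):
    """Pick the fitting node with the lowest peak utilisation after placement, or None."""
    candidates = [n for n in nodes if fits(n, req)]
    if not candidates:
        return None
    return min(candidates, key=lambda n: max(utilisation_after(n, req).values()))


def plan_environment(nodes, req):
    """The placement the orchestrator would create, or a refusal the caller can queue and retry."""
    node = select_node(nodes, req)
    if node is None:
        return {"placed": False, "reason": "no node below water level with the required image/runtime"}
    return {"placed": True, "node": node["name"], "image": req["image"], "runtime": req.get("runtime"),
            "utilisation": utilisation_after(node, req)}


# Constructed requests derived from pre-analysis: a Python script needing Ubuntu in branch-1,
# and a PE sample needing Windows 10 in the same branch.
REQ_PY = {"scope": "branch-1", "image": "ubuntu", "runtime": "python3", "cpu": 2, "mem_gb": 4, "disk_gb": 20}
REQ_WIN = {"scope": "branch-1", "image": "windows10", "runtime": None, "cpu": 4, "mem_gb": 8, "disk_gb": 40}

if __name__ == "__main__":
    print(plan_environment(NODES, REQ_PY))
    print(plan_environment(NODES, REQ_WIN))
    print(plan_environment(NODES, dict(REQ_WIN, scope=None)))
```

With this inventory node-a carries the Windows image the PE sample needs but is already above the CPU water level, so the request is refused within branch-1 and only succeeds on node-c once the scope restriction is dropped; that is the case the water-level check exists to catch.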
Step 3: Inject the detection module.
After the detection environment has been created dynamically, the specific detection module is executed in that environment; the module is injected into the running process and the sample file is examined through its behavioural characteristics.
Step 4: The target application opens the sample file.
In the detection environment, the sample file is opened and run with the matched target environment application (the server system environment created by dynamic orchestration) or with an execution command. For example, when the matched file type is a Python script, the script is run in the detection environment from the Python command line.
Step 5: Exploit detection.
APT attacks mostly exploit unknown vulnerabilities in the system, so detecting attacks that exploit unknown vulnerabilities is the key to detecting APT attacks. Most traditional security measures use signature-based mechanisms that detect and block known threats only. The detection technique described here was proposed to address that limitation: it aims to detect and uncover suspicious threats in mainstream client applications (IE, Office, Adobe Reader) and can detect exploitation of both known vulnerabilities and unknown 0-day vulnerabilities in those applications. The technique targets the exploitation itself, using hooking, instruction-stream analysis and emulated execution to detect the characteristic behaviour of each stage of the shellcode execution life cycle. It judges whether the sample file carries exploit code; when it does, the associated detection module analyses the malicious code to establish its purpose and impact, attributes the attack source and assigns a threat score in combination with threat intelligence.
Step 6: Return the detection result.
The detection result obtained through steps 1 to 5 is returned.
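The orchestration procedure of steps 1 to 6 (environment resource policy, resource water-level check, environment selection and queuing on each engine) can be put together as follows. This is an added example written for this page, not code from the patent or its assignee; the node inventory, the 85% water-level mark, the engine names and the run commands are assumptions.

```python
"""Dynamic orchestration of a pre-analysed sample: environment resource policy,
resource water-level check, environment selection and dispatch to per-engine
analysis queues. Added example; node inventory, water-level threshold, engine
names and run commands are assumptions, not values from the patent."""
from collections import defaultdict
from dataclasses import dataclass

WATER_LEVEL = 0.85  # assumed high-water mark: never fill a node past 85% CPU or memory


@dataclass
class PreAnalysis:
    """Basic information produced by the pre-analysis step (S120)."""
    sha256: str          # digital fingerprint
    file_type: str       # "python-script", "office-doc" or "pe"
    os_env: str          # operating system the sample needs, e.g. "ubuntu"
    software_env: tuple  # software the sample needs, e.g. ("python3",)
    cpu: float           # vCPUs required to run the sample
    mem_mb: int          # memory required to run the sample


@dataclass
class Node:
    """A node server in the topology scope with its images and current usage."""
    name: str
    os_images: set
    software: set
    cpu_total: float
    mem_total: int
    cpu_used: float = 0.0
    mem_used: int = 0


# Engines orchestrated per file type (static, dynamic and AI engine per script/document/PE).
ENGINES_BY_TYPE = {
    "python-script": ("script-static", "script-dynamic", "script-ai"),
    "office-doc": ("document-static", "document-dynamic", "document-ai"),
    "pe": ("pe-static", "pe-dynamic", "pe-ai"),
}

# Execution command used by the "target application opens the sample" step (assumed).
RUN_COMMAND = {
    "python-script": "python3 {path}",
    "office-doc": "soffice --headless {path}",
    "pe": "{path}",
}


def meets_detection_condition(req: PreAnalysis) -> bool:
    """Preset detection condition: a known file type with sane resource needs."""
    return req.file_type in ENGINES_BY_TYPE and req.cpu > 0 and req.mem_mb > 0


def water_level_ok(node: Node, req: PreAnalysis) -> bool:
    """Resource water-level algorithm: admit only if CPU and memory stay under the mark."""
    cpu_after = (node.cpu_used + req.cpu) / node.cpu_total
    mem_after = (node.mem_used + req.mem_mb) / node.mem_total
    return cpu_after <= WATER_LEVEL and mem_after <= WATER_LEVEL


def match_environment(req: PreAnalysis, nodes):
    """Environment resource policy: first node with the OS image, the software and headroom."""
    for node in nodes:
        if (req.os_env in node.os_images
                and set(req.software_env) <= node.software
                and water_level_ok(node, req)):
            return node
    return None


def orchestrate(req: PreAnalysis, nodes, queues):
    """Reserve resources on the matched node and enqueue the sample on each engine queue.
    Returns the orchestration decision, or None when the sample cannot be scheduled."""
    if not meets_detection_condition(req):
        return None
    node = match_environment(req, nodes)
    if node is None:
        return None
    node.cpu_used += req.cpu
    node.mem_used += req.mem_mb
    engines = ENGINES_BY_TYPE[req.file_type]
    for engine in engines:
        queues[engine].append(req.sha256)
    return {
        "node": node.name,
        "os_env": req.os_env,
        "command": RUN_COMMAND[req.file_type].format(path=f"/samples/{req.sha256}"),
        "engines": engines,
    }


def new_queues():
    """One analysis queue per engine, created on first use."""
    return defaultdict(list)


def demo_nodes():
    """Constructed inventory: n1 is nearly full, n2 has headroom and a Windows image."""
    return [
        Node("n1", {"ubuntu"}, {"python3"}, cpu_total=8, mem_total=16384, cpu_used=7, mem_used=2048),
        Node("n2", {"ubuntu", "windows"}, {"python3", "office"}, cpu_total=16, mem_total=32768),
    ]


if __name__ == "__main__":
    queues, nodes = new_queues(), demo_nodes()
    script = PreAnalysis("a" * 64, "python-script", "ubuntu", ("python3",), cpu=1, mem_mb=1024)
    print(orchestrate(script, nodes, queues))  # lands on n2: n1 would exceed the water level
    print(dict(queues))
```

Reservations are released when an engine finishes with the sample (not shown); without that release the water-level check would eventually refuse every sample, which is the failure mode a real scheduler has to handle.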
Next, the process goes to step S140.
At step S140, the detection engine performs independent detection on the sample file according to the analysis queue, so as to obtain an analysis report result.
More specifically, each detection engine receives a detection task, detects the sample file independently, obtains a sample threat level and score when detection completes, and then returns an analysis report result.
In the embodiment of the present invention, the detection engine independently detects the sample file according to the analysis queue to obtain an analysis report result, including:
each detection engine reads the sample file from the analysis queue, detects and analyses it independently to obtain a sample analysis result, and generates an analysis report result.
Next, the process goes to step S150.
At step S150, comprehensive evaluation is performed based on the analysis report results of the respective detection engines, a comprehensive evaluation result is generated, and a file detection report is generated.
More specifically, a comprehensive judgment is made from the analysis results of all engines, a comprehensive threat index score is obtained, a comprehensive judgment result is generated and a sample detection report is produced.
In the embodiment of the present invention, the performing the comprehensive evaluation based on the analysis report results of each detection engine includes:
comprehensively analysing the results of each detection engine by combining the analysis report results with historical data, and iterating the detection factors of the detection engines. A detection factor is a particular attribute or feature used to detect malware or other security threats; it may take many forms, such as file attributes, behavioural characteristics or network traffic, and a detection engine decides whether a file or process is malicious on the basis of such factors. Detection factors originate in the analysis of security threats: by studying the code, behaviour and propagation patterns of malware, security specialists identify common features that can be used to recognise it. The detection factors are the core of the detection engine and determine whether it can accurately identify and block security threats. An engine uses several detection factors to judge whether a file or process is malicious, and because the factors corroborate one another, detection accuracy and reliability improve. In this way suspicious behaviour in the system is analysed and identified quickly and accurately, helping users protect the system from damage by security threats.
obtaining a comprehensive grade score FRLSN for each detection engine N on the sample file from the current multi-engine detection result; the comprehensive grade score FRLSN is calculated as:
FRLSN=FRLN*SN
wherein SN is the threat index score reported by the Nth engine and FRLN is the detection factor of the Nth engine;
calculating the average FRLSN' of the comprehensive grade scores FRLSN and, from it, the final comprehensive grade score FRLS of the sample file; as written, FRLS is the mean absolute deviation of the per-engine scores about that average, so it measures how far the engines disagree:
FRLS=(∑|FRLSN-FRLSN'|)/n
wherein n is the number of detection engines and FRLSN' is the average of the comprehensive grade scores;
setting the dynamic orchestration strategy of the sample file based on the FRLS scoring results accumulated over multiple rounds together with the basic information of the sample file; the basic information of the sample file comprises the type of the sample file, the operating system environment the sample file requires to run, the hardware environment in which it executes, the software environment in which it executes and the resources required to execute it.
In an embodiment of the present invention, the method further includes: and intelligently judging whether the engine needs to be self-updated according to the comprehensive judgment result.
More specifically, as shown in fig. 4, the working principle of multi-engine fusion detection of suspicious files comprises the following steps:
Step 1: Intelligent file identification and scheduling
After receiving the file to be detected, the intelligent file identification and scheduling module first preprocesses it and extracts its basic information: digital fingerprint, digital signature, sample file type, the operating system environment the sample requires to run, the hardware environment and software environment in which it executes, and the resources it needs.
Step 2: Dynamically create the detection environment
The sample analysis information is matched against the file type, the operating system the file belongs to, the server resources and the dynamic orchestration strategy; on the basis of that comprehensive evaluation a file static detection engine, a file dynamic detection engine and an AI engine are orchestrated dynamically and the detection environment is created.
Step 3: Distribution for detection
The file is distributed to the dynamic engine, the static engine and the AI engine in the detection environment according to the detection rules, and enters the detection queue.
In an embodiment of the present invention, the detection engine independently detecting the sample file according to the analysis queue includes: detecting the sample file independently according to detection rules;
the detection rules include: virus feature detection rules, file type detection rules, threat intelligence detection rules, behaviour detection rules and signature detection rules; wherein:
the virus feature detection rule judges whether the file contains a virus by recognising virus feature codes (signatures) in the file;
the file type detection rule determines the type and format of the file from its header, extension or other metadata and performs a risk assessment according to that type and format; because the extension is attacker-controlled, a header that disagrees with the extension is itself a risk indicator;
the threat intelligence detection rule uses threat intelligence obtained from public or private sources, such as blacklists and malware samples, to identify whether the file is related to a known threat;
the behaviour detection rule determines whether the file has potentially threatening behaviour by observing what it does in the system, such as whether it creates a new process or modifies system files;
the signature detection rule determines whether the file comes from a trusted publisher or a trusted source by checking its digital signature.
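The five rule families listed above (the same list appears in claim 5) applied to one constructed sample, as an added example that is not part of the patent: the feature codes, the hash blacklist, the trusted-publisher list, the sample bytes, the behaviour events and the score weights are all constructed for illustration, and the type-mismatch check is the practitioner's caveat that a file's extension and its header can disagree.

```python
"""The five detection rule families applied to one sample: virus feature codes,
file type (header vs. extension), threat intelligence (hash blacklist), behaviour
events and digital signature. Added example; feature codes, blacklist, trusted
publishers, sample bytes, events and weights are constructed, not from the patent."""
import hashlib

# File type detection rule: magic bytes first, then the type the extension claims.
MAGIC = ((b"MZ", "pe"), (b"%PDF", "pdf"), (b"PK\x03\x04", "ooxml-or-zip"),
         (b"\x7fELF", "elf"), (b"#!", "script"))
EXT_TYPE = {".exe": "pe", ".dll": "pe", ".pdf": "pdf", ".docx": "ooxml-or-zip",
            ".py": "script", ".sh": "script"}

# Virus feature detection rule: constructed "feature codes" standing in for real signatures.
FEATURE_CODES = {
    "Test.Marker": b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
    "Constructed.Dropper": b"\x90\x90\xeb\xfe",
}
RISKY_TYPES = {"pe", "elf", "script"}  # executable content carries a base risk (assumed policy)


def fingerprint(data: bytes) -> str:
    """Digital fingerprint used as the key into threat intelligence."""
    return hashlib.sha256(data).hexdigest()


def header_type(data: bytes) -> str:
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def file_type_rule(name: str, data: bytes):
    """Returns (type from header, True when the extension claims a different type)."""
    ftype = header_type(data)
    ext = name[name.rfind("."):].lower() if "." in name else ""
    claimed = EXT_TYPE.get(ext)
    return ftype, claimed is not None and claimed != ftype


def virus_feature_rule(data: bytes):
    return [name for name, code in FEATURE_CODES.items() if code in data]


def threat_intel_rule(sha256: str, blacklist) -> bool:
    return sha256 in blacklist


def behavior_rule(events):
    """Events from the injected behaviour monitor; keep the kinds the patent names."""
    return [e for e in events if e["type"] in ("process_create", "system_file_modify")]


def signature_rule(meta: dict, trusted_publishers) -> bool:
    """Trusted only when the signature verified AND the publisher is on the trust list."""
    return bool(meta.get("signature_valid")) and meta.get("publisher") in trusted_publishers


def evaluate(name, data, meta, events, blacklist, trusted_publishers):
    """Apply every rule and fold the findings into a 0..100 threat index score (weights assumed)."""
    ftype, mismatch = file_type_rule(name, data)
    sha256 = fingerprint(data)
    f = {"sha256": sha256, "type": ftype, "type_mismatch": mismatch,
         "features": virus_feature_rule(data),
         "known_threat": threat_intel_rule(sha256, blacklist),
         "behaviors": behavior_rule(events),
         "trusted_signature": signature_rule(meta, trusted_publishers)}
    score = (10 if ftype in RISKY_TYPES else 0) + (20 if mismatch else 0)
    score += (40 if f["features"] else 0) + (50 if f["known_threat"] else 0)
    score += 15 * len(f["behaviors"])
    if f["trusted_signature"]:
        score -= 30  # a verified trusted signature lowers, but never erases, other evidence
    f["score"] = max(0, min(100, score))
    return f


# Constructed sample: a PE header renamed to look like a PDF, carrying a test marker.
SAMPLE_NAME = "invoice.pdf"
SAMPLE_DATA = b"MZ" + b"\x00" * 62 + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"
SAMPLE_META = {"signature_valid": False, "publisher": None}
SAMPLE_EVENTS = [  # constructed monitor output
    {"type": "process_create", "image": "cmd.exe"},
    {"type": "registry_read", "key": "HKLM\\Software"},
    {"type": "system_file_modify", "path": "C:\\Windows\\System32\\drivers\\etc\\hosts"},
]
BLACKLIST = {fingerprint(SAMPLE_DATA)}  # pretend threat intel already knows this hash
TRUSTED_PUBLISHERS = {"Example Software Ltd"}


def run_sample():
    return evaluate(SAMPLE_NAME, SAMPLE_DATA, SAMPLE_META, SAMPLE_EVENTS,
                    BLACKLIST, TRUSTED_PUBLISHERS)


if __name__ == "__main__":
    print(run_sample())  # type "pe" under a .pdf name, marker hit, known hash, 2 behaviours
```

The signature rule only reduces the score: a valid signature from a trusted publisher says who built the file, not that it is harmless, so it must not short-circuit the other rules.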
Step 4: dynamic orchestration environment
Dynamically arranging and creating a multi-engine detection environment, reading sample files to be detected from respective task queues by each detection analysis engine, performing independent detection analysis on the sample files to obtain sample analysis results, and generating a sample analysis result report;
step 5: comprehensive analysis
And comprehensively analyzing the results of each detection engine by comprehensively evaluating the detection results and historical data of the platform database, iterating the detection factors of the detection engines, and realizing the self-evolution optimization capability of multi-engine detection.
Further, a comprehensive grade score FRLSN of the suspicious file is obtained for each engine from the current multi-engine detection result; FRLSN for a given detection engine is the product of that engine's detection factor and its comprehensive threat index score:
FRLSN=FRLN*SN
wherein SN is the threat index score of the Nth engine and FRLN is the detection factor of the Nth engine;
Further, the average FRLSN' of the several suspicious-file comprehensive grade scores FRLSN is computed, and the final file comprehensive grade score FRLS is obtained as the mean absolute deviation of those scores about it:
FRLS=(∑|FRLSN-FRLSN'|)/n
wherein n is the number of detection engines and FRLSN' is the average of the comprehensive grade scores.
Furthermore, a sample dynamic orchestration strategy is set by combining multiple FRLS scoring results, the sample file type, its runtime requirements, the detection means of each detection analysis engine and the runtime environments it supports; this strategy serves as the basis for automatic scheduling in multi-engine detection and analysis.
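The scoring of the comprehensive analysis step above (the same FRLSN, FRLSN' and FRLS formulas also appear under step S150 and in claim 6), carried through in code together with one way of iterating the detection factors from historical outcomes. This is an added example, not the patent's code; the initial factors, the factor-update rule, the verdict threshold and the engine scores are assumptions. Note that FRLS as written is the mean absolute deviation of the per-engine scores about their average, so it measures how much the engines disagree, while the average FRLSN' carries the consensus threat level.

```python
"""Comprehensive evaluation across engines: FRLSN = FRLN * SN per engine, the
average FRLSN', FRLS = (sum |FRLSN - FRLSN'|) / n as the patent writes it, and an
iteration of the per-engine detection factors FRLN from historical outcomes.
Added example; the factor-update rule, initial factors, verdict threshold and
sample results are assumptions, not taken from the patent."""
from dataclasses import dataclass


@dataclass
class EngineResult:
    engine: str      # e.g. "pe-static", "pe-dynamic", "pe-ai"
    score: float     # SN: threat index score reported by engine N, 0..100
    malicious: bool  # the engine's own verdict


def composite_scores(results, factors):
    """FRLSN = FRLN * SN for every engine N that reported."""
    return {r.engine: factors[r.engine] * r.score for r in results}


def final_score(frlsn):
    """Returns (FRLS, FRLSN'). FRLS is the mean absolute deviation of the FRLSN about
    their average FRLSN' (the patent's formula): high FRLS means the engines disagree
    and the sample deserves re-orchestration; low FRLS means they agree, and FRLSN'
    says whether they agree on malicious or on clean."""
    n = len(frlsn)
    if n == 0:
        raise ValueError("no engine results")
    avg = sum(frlsn.values()) / n
    return sum(abs(v - avg) for v in frlsn.values()) / n, avg


def comprehensive_verdict(frlsn, factors, threshold=50.0):
    """Assumed judgment rule: factor-weighted mean threat score against a threshold."""
    weight = sum(factors[e] for e in frlsn)
    weighted = sum(frlsn.values()) / weight if weight else 0.0
    return weighted >= threshold, weighted


def iterate_factors(factors, history, step=0.1, lo=0.1, hi=2.0):
    """Assumed detection-factor iteration: nudge each engine's FRLN up when its past
    verdicts matched the confirmed outcome and down when they did not, clamped to
    [lo, hi]. history holds (engine, verdict_was_malicious, truth_was_malicious)."""
    stats = {}
    for engine, verdict, truth in history:
        hits, total = stats.get(engine, (0, 0))
        stats[engine] = (hits + (verdict == truth), total + 1)
    updated = dict(factors)  # never mutate the caller's table
    for engine, (hits, total) in stats.items():
        if engine in updated and total:
            accuracy = hits / total
            updated[engine] = min(hi, max(lo, updated[engine] + step * (2 * accuracy - 1)))
    return updated


def demo_results():
    """Constructed detection results for one PE sample from three engines."""
    return [
        EngineResult("pe-static", 80.0, True),
        EngineResult("pe-dynamic", 60.0, True),
        EngineResult("pe-ai", 100.0, True),
    ]


DEFAULT_FACTORS = {"pe-static": 1.0, "pe-dynamic": 1.0, "pe-ai": 1.0}  # assumed start


if __name__ == "__main__":
    frlsn = composite_scores(demo_results(), DEFAULT_FACTORS)
    frls, avg = final_score(frlsn)
    print(frlsn, round(frls, 3), avg, comprehensive_verdict(frlsn, DEFAULT_FACTORS))
    # Later the dynamic engine's call turns out wrong; its factor drops, the others rise.
    history = [("pe-static", True, True), ("pe-dynamic", True, False), ("pe-ai", True, True)]
    print(iterate_factors(DEFAULT_FACTORS, history))
```

With the three constructed scores the average FRLSN' is 80 and FRLS is 40/3, i.e. the engines sit about 13 points apart on average; an FRLS near zero with a low FRLSN' is the "all engines agree it is clean" case, and a large FRLS is the signal to re-orchestrate the sample onto additional engines or a different environment.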
The dynamic-orchestration-based multi-engine file detection method provided by the invention addresses the limited capability and the false-positive and false-negative problems of a single type of malicious code detection engine by means of dynamically orchestrated dynamic and static detection. It integrates various mature suspicious-file detection engines in a scientific and reasonable way, combines their capabilities and advantages, realises automatic analysis and judgment across multiple engines, and rapidly produces a suspicious-file detection report.
The invention adopts an open architecture independent of any specific product: detection and analysis engines are described abstractly in multiple dimensions through a structured description language, so that various malicious code detection and analysis engines can be integrated, managed, scheduled and their results fused automatically, improving overall malicious code detection capability with good extensibility. The invention uses a multi-engine dynamic credibility scoring mechanism in which the detection factor of each engine is iterated from every detection result, so that each engine's detection credibility is evaluated dynamically and objectively. The invention takes full account of the different influence each detection engine has on the result for different suspicious sample files, realising a more accurate and scientific judgment and effectively avoiding the false positives and false negatives of a single engine or detection means.
According to the invention, after the file type is judged preliminarily, multiple engines and detection environments are orchestrated dynamically. Large-scale dynamic orchestration ensures that every file sample to be detected has an environment suitable for opening and running it, and optimisation techniques reduce the memory and CPU consumed while the sample is opened and run by the dynamic engines. The dynamically orchestrated fusion detection mode can also bind a detection engine to a physical core of the processor; pinning the process to a core reduces the overhead of migrating the process between cores, reduces resource contention among concurrent detection threads and improves resource utilisation.
FIG. 5 illustrates a dynamic orchestration-based multi-engine file detection system 300 provided by the present invention, including a receiving module 510, a pre-analysis module 520, a dynamic orchestration module 530, and a detection analysis module 540.
The receiving module 510 is configured to receive a sample file;
the pre-analysis module 520 is configured to perform pre-analysis on the sample file to obtain a pre-analysis result; the pre-analysis results comprise: basic information and file authority of a sample file; the basic information of the sample file comprises the type of the sample file, an operating system environment meeting the operation of the sample file, a hardware environment for executing the sample file, a software environment for executing the sample file and a resource size required by executing the sample file; the file authority comprises a digital fingerprint and a digital signature;
the dynamic orchestration module 530 is configured to judge, based on the pre-analysis result, whether the basic information of the sample file meets a preset detection condition, and, when it does, to orchestrate the sample file dynamically into the analysis queue of the corresponding detection engine according to the pre-analysis result;
the detection analysis module 540 is used for independently detecting the sample file according to the analysis queue by a detection engine to obtain an analysis report result; the detection engine comprises a static detection engine, a dynamic detection engine and an AI engine; and performing comprehensive judgment based on the analysis report results of the detection engines, generating comprehensive judgment results, and generating a file detection report.
Referring to fig. 6, an embodiment of the present disclosure also provides an electronic device 60, comprising:
at least one processor; the method comprises the steps of,
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the dynamic orchestration-based multi-engine file detection method of the previous method embodiments.
The disclosed embodiments also provide a non-transitory computer readable storage medium storing computer instructions for causing the computer to perform the dynamic orchestration-based multi-engine file detection method in the foregoing method embodiments.
The disclosed embodiments also provide a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, cause the computer to perform the dynamic orchestration-based multi-engine file detection method in the foregoing method embodiments.
Referring now to fig. 6, a schematic diagram of an electronic device 60 suitable for use in implementing embodiments of the present disclosure is shown. The electronic devices in the embodiments of the present disclosure may include, but are not limited to, mobile terminals such as mobile phones, notebook computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players), in-vehicle terminals (e.g., in-vehicle navigation terminals), and the like, and stationary terminals such as digital TVs, desktop computers, and the like. The electronic device shown in fig. 6 is merely an example and should not be construed to limit the functionality and scope of use of the disclosed embodiments.
As shown in fig. 6, the electronic device 60 may include a processing means (e.g., a central processing unit, a graphics processor, etc.) 601, which may perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 602 or a program loaded from a storage means 608 into a Random Access Memory (RAM) 603. In the RAM603, various programs and data necessary for the operation of the electronic device 60 are also stored. The processing device 601, the ROM602, and the RAM603 are connected to each other through a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
In general, the following devices may be connected to the I/O interface 605: input devices 606 including, for example, a touch screen, touchpad, keyboard, mouse, image sensor, microphone, accelerometer, gyroscope, etc.; an output device 607 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage 608 including, for example, magnetic tape, hard disk, etc.; and a communication device 609. The communication means 609 may allow the electronic device 60 to communicate with other devices wirelessly or by wire to exchange data. While an electronic device 60 having various means is shown, it is to be understood that not all of the illustrated means are required to be implemented or provided. More or fewer devices may be implemented or provided instead.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network via communication means 609, or from storage means 608, or from ROM 602. The above-described functions defined in the methods of the embodiments of the present disclosure are performed when the computer program is executed by the processing device 601.
It should be noted that the computer readable medium described in the present disclosure may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present disclosure, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. 
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, fiber optic cables, RF (radio frequency), and the like, or any suitable combination of the foregoing.
The computer readable medium may be contained in the electronic device; or may exist alone without being incorporated into the electronic device.
The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: acquiring at least two internet protocol addresses; sending a node evaluation request comprising the at least two internet protocol addresses to node evaluation equipment, wherein the node evaluation equipment selects an internet protocol address from the at least two internet protocol addresses and returns the internet protocol address; receiving an Internet protocol address returned by the node evaluation equipment; wherein the acquired internet protocol address indicates an edge node in the content distribution network.
Alternatively, the computer-readable medium carries one or more programs that, when executed by the electronic device, cause the electronic device to: receiving a node evaluation request comprising at least two internet protocol addresses; selecting an internet protocol address from the at least two internet protocol addresses; returning the selected internet protocol address; wherein the received internet protocol address indicates an edge node in the content distribution network.
Computer program code for carrying out operations of the present disclosure may be written in one or more programming languages, including an object oriented programming language such as Java, smalltalk, C ++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units involved in the embodiments of the present disclosure may be implemented by means of software, or may be implemented by means of hardware. The name of the unit does not in any way constitute a limitation of the unit itself, for example the first acquisition unit may also be described as "unit acquiring at least two internet protocol addresses".
It should be understood that portions of the present disclosure may be implemented in hardware, software, firmware, or a combination thereof.
The foregoing is merely specific embodiments of the disclosure, but the protection scope of the disclosure is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the disclosure are intended to be covered by the protection scope of the disclosure. Therefore, the protection scope of the present disclosure shall be subject to the protection scope of the claims.

Claims (10)

1. A multi-engine file detection method based on dynamic orchestration, the method comprising the steps of:
receiving a sample file;
pre-analyzing the sample file to obtain a pre-analysis result; the pre-analysis results comprise: basic information and file authority of a sample file; the basic information of the sample file comprises the type of the sample file, an operating system environment meeting the operation of the sample file, a hardware environment for executing the sample file, a software environment for executing the sample file and a resource size required by executing the sample file; the file authority comprises a digital fingerprint and a digital signature;
Judging whether the basic information of the sample file accords with a preset detection condition or not based on the pre-analysis result; when the basic information of the sample file accords with a preset detection condition, dynamically arranging the sample file to a corresponding detection engine analysis queue according to the pre-analysis result;
the detection engine carries out independent detection on the sample file according to the analysis queue to obtain an analysis report result; the detection engine comprises a static detection engine, a dynamic detection engine and an AI engine;
and carrying out comprehensive judgment based on the analysis report results of each detection engine, generating comprehensive judgment results, and generating a file detection report.
2. The dynamic orchestration-based multi-engine file detection method according to claim 1, wherein the method further comprises: and intelligently judging whether the engine needs to be self-updated according to the comprehensive judgment result.
3. The dynamic orchestration-based multi-engine file detection method according to claim 1, wherein the dynamic orchestration of the sample files into corresponding detection engine analysis queues comprises the steps of:
selecting a detection engine based on the type of the sample file;
And distributing the sample file to a corresponding detection engine analysis queue.
4. The dynamic orchestration-based multi-engine file detection method according to claim 3, wherein the detection engine independently detects the sample files according to the analysis queue, comprising:
detecting specific behaviours of each stage of the shellcode execution life cycle using hooking, instruction-stream analysis and emulated execution, and judging whether exploit code exists in the sample file; and when exploit code exists in the sample file, analysing the exploit code and scoring the threat.
5. The dynamic orchestration-based multi-engine file detection method according to claim 4, wherein the detection engine independently detects the sample files according to the analysis queue, comprising: independently detecting the sample file according to a detection rule;
the detection rules include: virus feature detection rules, file type detection rules, threat intelligence detection rules, behaviour detection rules and signature detection rules; wherein:
the virus characteristic detection rule judges whether the file contains viruses or not by identifying virus characteristic codes in the file;
The file type detection rule determines the type and format of the file by detecting the file header and the extension name, and carries out risk assessment according to the type and format;
the threat intelligence detection rules identify whether a document is associated with a known threat using threat intelligence obtained from public or private sources; the threat intelligence comprises a blacklist and a malicious software sample;
the behavior detection rule determines whether the file has potential threat behaviors by detecting the behaviors of the file in the system; the threat behavior includes creating a new process and modifying a system file;
the signature detection rules determine whether the file is from a trusted publisher or a trusted source by checking the digital signature of the file.
6. The multi-engine file detection method based on dynamic orchestration according to claim 1, wherein performing the comprehensive judgment based on the analysis report results of each detection engine comprises the steps of:
comprehensively analyzing the results of each detection engine by combining the analysis report results and the historical data, and iterating the detection factors of the detection engines;
obtaining comprehensive grade scores FRLSN of all sample files according to the current multi-engine detection result; the calculation formula of the comprehensive grade score FRLSN is as follows:
FRLSN=FRLN*SN
Wherein SN is threat index score of the Nth engine, and FRLN is the Nth engine detection factor;
calculating an average value FRLSN' of the comprehensive grade scores FRLSN to obtain a final comprehensive grade score FRLS of the sample file, wherein the calculation formula is as follows:
FRLS=(∑|FRLSN-FRLSN'|)/n
wherein n is the number of detection engines; FRLSN' is the average of the composite grade scores;
setting a dynamic arrangement strategy of the sample file based on the FRLS scoring result and the basic information of the sample file for a plurality of times; the basic information of the sample file comprises the type of the sample file, an operating system environment meeting the operation of the sample file, a hardware environment for executing the sample file, a software environment for executing the sample file and a resource size required by executing the sample file.
7. The dynamic orchestration-based multi-engine file detection method according to claim 1, wherein the respective detection engines comprise: a file static detection engine, a file dynamic detection engine and an AI engine; wherein:
the static detection engine comprises a script static detection engine, a document static detection engine and a PE file static detection engine;
the AI detection engine comprises a script AI detection engine, a document AI detection engine and a PE file AI detection engine;
The dynamic detection engine comprises a script dynamic detection engine, a document dynamic detection engine and a PE file dynamic detection engine.
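As an added worked example (not code from the patent or its assignee), the scoring formulas of claim 6 and the engine taxonomy and queue routing of claims 7 and 8 in Python; the engine factor values, the sample scores, the queue names and the `type` field are constructed assumptions.

```python
# Detection factor FRL_N per engine family (claim 6: iterated from the analysis
# reports plus historical data). These values are constructed for illustration.
ENGINE_FACTORS = {"static": 1.0, "dynamic": 0.8, "ai": 0.7}

# Claim 7's taxonomy: each engine family has one sub-engine per file type.
FILE_TYPES = ("script", "document", "pe")
ENGINE_FAMILIES = ("static", "ai", "dynamic")


def composite_scores(threat_scores, factors=ENGINE_FACTORS):
    """FRLS_N = FRL_N * S_N, where S_N is the threat index score engine N reported."""
    return {name: factors[name] * s_n for name, s_n in threat_scores.items()}


def final_score(threat_scores, factors=ENGINE_FACTORS):
    """FRLS = (sum |FRLS_N - FRLS_N'|) / n, with FRLS_N' the mean of the FRLS_N
    and n the number of engines, exactly as claim 6 writes it. Note what that
    formula measures: when every engine's FRLS_N is identical the result is 0,
    whatever the individual threat scores were."""
    per_engine = composite_scores(threat_scores, factors)
    n = len(per_engine)
    if n == 0:
        raise ValueError("no detection engine reported on this sample")
    avg = sum(per_engine.values()) / n          # FRLS_N'
    return sum(abs(v - avg) for v in per_engine.values()) / n


def route_to_queues(pre_analysis):
    """Claim 8's orchestration step: a sample whose basic information meets the
    preset detection condition (assumed here to be a supported file type) is
    queued for the matching sub-engine of every family; otherwise nothing is queued."""
    sample_type = pre_analysis.get("type")      # 'type' key is an assumption
    if sample_type not in FILE_TYPES:
        return []
    return [f"{sample_type}_{family}_engine" for family in ENGINE_FAMILIES]


if __name__ == "__main__":
    # Constructed sample: a PE file on which the three engine families disagree.
    pre = {"type": "pe", "fingerprint": "<constructed placeholder>"}
    print(route_to_queues(pre))
    scores = {"static": 10, "dynamic": 50, "ai": 100}
    print(composite_scores(scores))             # {'static': 10.0, 'dynamic': 40.0, 'ai': 70.0}
    print(final_score(scores))                  # 20.0
```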
8. A multi-engine file detection system based on dynamic orchestration, the system comprising:
a receiving module configured to receive a sample file;
the pre-analysis module is configured to perform pre-analysis processing on the sample file to obtain a pre-analysis result; the pre-analysis results comprise: basic information and file authority of a sample file; the basic information of the sample file comprises a digital fingerprint, a digital signature, the type of the sample file, an operating system environment meeting the operation of the sample file, a hardware environment for executing the sample file, a software environment for executing the sample file and a resource size required by executing the sample file; the file authority comprises a digital fingerprint and a digital signature;
the dynamic arrangement module is configured to judge whether the basic information of the sample file accords with a preset detection condition or not based on the pre-analysis result; when the basic information of the sample file accords with a preset detection condition, dynamically arranging the sample file to a corresponding detection engine analysis queue according to the pre-analysis result;
the detection analysis module is configured to have each detection engine independently detect the sample file according to its analysis queue to obtain an analysis report result; the detection engines comprise a static detection engine, a dynamic detection engine and an AI engine; and
carrying out comprehensive judgment based on the analysis report results of each detection engine, generating a comprehensive judgment result, and generating a file detection report.
9. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor, which when executed by the at least one processor, cause the at least one processor to perform the dynamic orchestration-based multi-engine file detection method according to any one of claims 1 to 7.
10. A non-transitory computer-readable storage medium storing computer instructions that, when executed by at least one processor, cause the at least one processor to perform the dynamic orchestration-based multi-engine file detection method according to any one of claims 1 to 7.
CN202310485093.0A 2023-04-28 2023-04-28 Multi-engine file detection method, system, equipment and medium based on dynamic arrangement Pending CN116595523A (en)


Publications (1)

Publication Number Publication Date
CN116595523A true CN116595523A (en) 2023-08-15

Family

ID=87603674

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116992447A (en) * 2023-09-21 2023-11-03 北京安天网络安全技术有限公司 Malicious file detection method, electronic equipment and storage medium
CN116992447B (en) * 2023-09-21 2023-12-15 北京安天网络安全技术有限公司 Malicious file detection method, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination