CN1625121A - Hierarchical cooperated network virus and malice code recognition method - Google Patents

Hierarchical cooperated network virus and malice code recognition method Download PDF

Info

Publication number
CN1625121A
CN1625121A CN 200310106551 CN200310106551A CN1625121A CN 1625121 A CN1625121 A CN 1625121A CN 200310106551 CN200310106551 CN 200310106551 CN 200310106551 A CN200310106551 A CN 200310106551A CN 1625121 A CN1625121 A CN 1625121A
Authority
CN
China
Prior art keywords
api
sequence
detector
write
script
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN 200310106551
Other languages
Chinese (zh)
Other versions
CN1300982C (en
Inventor
王煦法
曹先彬
罗文坚
马建辉
张四海
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
University of Science and Technology of China USTC
Original Assignee
University of Science and Technology of China USTC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by University of Science and Technology of China USTC filed Critical University of Science and Technology of China USTC
Priority to CNB2003101065518A priority Critical patent/CN1300982C/en
Publication of CN1625121A publication Critical patent/CN1625121A/en
Application granted granted Critical
Publication of CN1300982C publication Critical patent/CN1300982C/en
Anticipated expiration legal-status Critical
Expired - Fee Related legal-status Critical Current

Links

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Storage Device Security (AREA)

Abstract

A layered coordinate network virus and vicious code recognizing method. The characteristics are: use strong self-protection mechanism of biological immunity for reference, correspond the network virus and vicious code recognizing method to the multi-level protective mechanism of biological immunity system, judge the dangerous degree of the stand-by detected script through statistically analyzing the word frequency of the key words, based on the point view of 'self-collection' of register form operation analyze and judge the exceptional behavior of the register form written in the form route, and recognize non-self the executing sequence of the programming interface of the applied program, at last send all the exceptional behavior information to the network control station through the network. It well solves the problem of the identification of the unknown network virus and vicious code, and has good capacity of identification, realizes the monitoring and management of the network virus and vicious code of single system and the whole sub-network.

Description

A kind of internet worm of layered cooperative and malicious code recognition methods
Technical field:
The invention belongs to the computer network security technology field, particularly relate to the recognition technology of internet worm and malicious code.
Background technology:
According to Institute of Electrical and Electric Engineers " potentiality " magazine (the IEEE POTENTIALS that publishes in the U.S., October calendar year 2001 fourth phase 16-19 page or leaf) introduce, existing computer anti-virus recognition technology roughly can be divided into following several: (1) is primarily aimed at known viruse based on the scanning of condition code.(2) virtual machine technique, its basic thought are suspicious program to be placed to carry out under the virtual machine environment be used to judge whether be virus, but still face the effect of virtual machine and the problems such as self-security that how to guarantee virtual machine at present.(3) heuristic, its basic thought are to attempt to detect family viral and detect unknown virus by extensive condition code.This method usually depends on condition code technology and virtual machine technique, and the recognition effect to unknown virus also haves much room for improvement at present.(4) behavioural analysis method promptly utilizes the peculiar behavior that monitors virus to detect the method for virus.This method requires at first to summarize the general behavior pattern of virus, designs the finite state machine pattern of the corresponding behavior then, and state transition is corresponding to the behavior of program, and receive status is for detecting virus.The problem of this method is to the new virus that emerges in an endless stream, and is difficult to summarize a general behavior pattern.(5) verification and method.This method generates a check information and preservation in the initial condition of machine, (verification failure) reports to the police when check information generation ANOMALOUS VARIATIONS then, the subject matter of this method is that to implement expense too big, also faces problems such as the installation of new application program and edition upgrading simultaneously.Generally speaking, in existing computer anti-virus technology, the condition code scanning technique is mainly used in the identification known viruse, and all the other various recognition technologies that propose at unknown virus all also have shortcoming and limitation separately.
Because internet worm and malicious code are just to come into vogue in recent years and bringing the network safety event of serious harm, a kind of methods of computer virus infection that prevent that Chinese patent application numbers 96114050 proposes can only be taken precautions against the early stage computer virus of part, the present this anti-virus cards market of thoroughly having faded out; Chinese patent application number 96109573 firewall systems that propose are that connection or information into and out of internal network are carried out safety inspection, do not have the ability of recognition network virus and malicious code substantially.Therefore, these technology are not suitable for the identification of internet worm and malicious code.
Summary of the invention:
Deficiency at existing network virus and malicious code recognition technology, the present invention proposes a kind of internet worm and malicious code recognition methods of layered cooperative, to solve the abnormal behaviour identification problem of unknown network virus and malicious code, realize monitoring to virus of the unknown network in individual system and the whole subnet and malicious code abnormal behaviour.
The internet worm of layered cooperative of the present invention and malicious code recognition methods, comprise: from script file, isolate keyword, obtain by the method for injecting dynamic link library (Dynamic Linked Library: be called for short DLL) that application programming interface (Application Programming Interface: be called for short API) is carried out sequence and registration table writes the list item path, registration table is write the list item path and the API sequence is kept in hard disk or the internal memory; It is characterized in that:
To the keyword word frequency statistics analysis of script and make unusual judgement;
Registration table is write the list item path to carry out oneself's identification and makes unusual judgement;
The API sequence is carried out nonego identification and made unusual judgement;
Abnormal behaviour information is sent to net control station;
The script file that described script file is meant the script file write with the Javascript language, write with the VBScript language and embedded Javascript or the script file of VBScript code;
Described injection DLL acquisition API execution sequence and registration table write the list item path and are meant, by DLL is injected in the target program (being program to be monitored) as remote thread, adopt the API of the method intercepting target program of replacing Import Address Table (Import Address Table:IAT) to carry out sequence then, and write the list item path from the parameter acquisition registration table of registration table api function;
Described to script the keyword statistical analysis and make unusual judgement and be meant and from script file, isolate 29 keyword copyfile, Createobject, Delete, FolderDelete, RegWrite, Virus, .Write, GetSpecialFolder, keys, opentextfile, readall, .save, startup, execute, .add, buildpath, copyfolder, createfolder, createtextfile, deletefile, fileexists, folderexists, getfile, getfolder, getparentfolder, format, .run, do copy, document.write, and carry out following steps:
(1) 29 keywords are divided into three groups, first group for creating object keyword: Createobject; Second group is no risky operation keyword itself: Virus .Write, GetSpecialFolder, keys, opentextfile, readall, startup, execute .add, buildpath, fileexists, folderexists, getfile, getfolder, getparentfolder .run, document.write; The 3rd group is to have the keyword that possibility is destroyed operation: copyfile, Delete, FolderDelete, RegWrite .save, copyfolder, createfolder, createtextfile, deletefile, format, do copy;
(2) the desired value f of the word frequency that these 29 keywords occur in the normal script of statistics i, the desired value f of the word frequency that these 29 keywords occur in the unusual script is added up in 1≤i≤29 i', 1≤i≤29, it is poor to calculate the normalization word frequency of 29 keywords in normal and unusual script e i = ( f i - f i ′ ) / Σ i = 1 29 ( f i - f i ′ ) , 1 ≤ i ≤ 29 ;
(3) the statistics word frequency m that keyword occurs in current script to be detected i, the risk factor Risk of script to be detected is calculated in 1≤i≤29,
Risk = G Σ i = 1 29 P ( i ) F ( i )
Wherein P (i), F (i) and G are respectively:
(4) risk factor threshold value TH is defined as:
TH = Σ i = 0 29 P ( i ) / 29
When risk factor Risk surpasses threshold value TH, send early warning information to net control station;
Describedly registration table is write the list item path carry out oneself identification and make unusual judgement and take following steps:
(1) the normal registration table of target program (program to be monitored) writes the list item path under the collection normal condition, and deposits in the database, and each normal registration table writes the list item path and is called " oneself ", and its set is called " oneself's collection ";
(2) read current registration table and write the list item path, compare, if not in " oneself's collection ", then send abnormal behaviour information to net control station with original in the database " oneself " operation;
Described the API sequence carried out nonego identification and made unusual judgement and take following steps:
(1) API selection operation:
(a) the API sequence of target program under the intercepting normal condition, and be W with the sliding step 0Mode it is cut into length is L 0Trail S 0
(b) the API sequence of target program under the intercepting operation with virus state, and be W with the sliding step 0Mode it is cut into length is L 0Trail R 0
(c) compare trail S 0And R 0In different sequences, extract the api function that constitutes these sequences, with these api functions as api function collection to be monitored;
(2) according to selected api function, the API sequence of target program under the intercepting normal condition, and be that W is cut into the string that length is L with it with the sliding step, generate oneself's collection S;
(3) the current API that obtains target program carries out sequence, and is that W is cut into the string that length is L with it with the sliding step, reads N API sequence at every turn and carries out following testing process:
(a) produce initial detector collection D 0: produce pre-detector at random according to the api function of selecting, filter oneself's (promptly deleting), and then obtain the initial detector collection with the API sequence of oneself's coupling; The matching strategy here is the part matching strategy, and promptly two sequences match and if only if these two character strings are in r position consistency continuously;
(b) more current AP carries out arbitrary detector that sequence and detector are concentrated: if find to mate then this sequence of mark and total matching number added 1, when the total matching number of API sequence to be detected that obtains in real time reaches threshold value G nThe time, send out abnormal behaviour information to net control station;
(c) if evolutionary generation t surpasses threshold value G eOr all the API sequences are labeled, continue to read next group API sequence and detect; Otherwise, for unmatched API sequence, then according to the variation of affinity degree, gene library evolution, three subset D producing at random A, D G, D RWith memory collection D MCommon composition detector collection D of future generation t=D A+ D G+ D R+ D M, and D A, D G, D RSubclass satisfies D A 1 ≈ D G 2 ≈ D M 1 ;
Produce the detector subset D by the variation of affinity degree A, affinity degree variation is meant that the matching degree of arbitrary detector of concentrating when API sequence and detector is above affinity degree threshold value G fThe time, produce N by variation c(N c〉=1) individual filial generation individuality;
Produce the detector subset D by gene library evolution G, gene library evolution is meant the selection probability that improves the API that forms valid detector, i.e. P Api=P Api+ Δ P; And when reality generates detector, select probability to generate pre-detector by the roulette wheel method according to API, filter the oneself at last and generate the detector subset D G
By producing the detector subset D at random R
The existing detector that can mate unusual sequence is formed memory collection D M
Described net control station is meant to be used for receiving script, registration table is write the network program that list item path and API sequence are carried out the abnormal information that analyzing and processing obtained.
Compared with prior art, the invention has the advantages that:
1,29 selected keyword word frequency obtain the normalization word frequency in normal script and the unusual script by adding up in the present invention, and provide the risk factor that risk factor and risk factor threshold value calculation method are judged script to be detected based on this, solved the identification problem of malicious script.
2, the angle that the present invention is based on registry operations " oneself's collection " comes the discriminatory analysis registration table to write the abnormal behaviour in list item path, is applicable to all types of target program.
3, the present invention will comprise gene library evolution, produce at random, four learning and Memory modules of the variation of affinity degree and memory collection and the abnormality detection that API carries out sequence combine, make that the API sequence is carried out the abnormality detection effect of nonego identification is better, and be applicable to all types of target program.
4, the present invention uses for reference the powerful self-protective mechanism of biological immune; to carry out the keyword statistical analysis to script first, registration table is write the list item path carry out oneself identification, API is carried out sequence carry out nonego and discern the abnormal behaviour of uniting to target program these three aspects and monitor, make to the recognition effect of unknown network virus and malicious code better.
5, adopt registration table that the present invention can automatic full and accurate ground logging program to write the list item path and API carries out sequence, viral and malicious code provides the firsthand information for further phase-split network.
In sum; the present invention uses for reference the powerful self-protective mechanism of biological immune; the multilayer protection mechanism of internet worm and malicious code recognition technology and Immune System is mapped; respectively from script is carried out the keyword statistical analysis; registration table is write the list item path carry out oneself's identification; API execution sequence is carried out nonego discern the abnormal behaviour identification problem that these three aspects have solved unknown network virus and malicious code preferably; and then solved the problem that prior art is difficult to discern to virus mutation and unknown virus; not only realized monitoring, and made that the keeper can be by security situation in real time monitoring and the management of net control station to whole subnet internet worm in the individual system and malicious code abnormal behaviour.
Description of drawings:
Fig. 1 is that the present invention carries out the internet worm of layered cooperative and the workflow diagram of malicious code identification.
Embodiment:
Below in conjunction with accompanying drawing and example the inventive method is done further concrete description.
Embodiment 1:
1, utilizes several universal miniature personal computers, be linked to be a network environment by switch
Concrete employing is three Pentium IV microcomputers in the present embodiment, with a Dell notebook, and enterprise servers, add a Great Wall 24 port one 0M/100M self adaptation Ethernet switch GES-1125 switches, three Pentium IV of several microcomputers microcomputer, a Dell notebook and enterprise servers are linked to be a network by switch.
Fig. 1 has provided present embodiment and has carried out the internet worm of layered cooperative and the workflow of malicious code identification.The direction of arrow has indicated workflow to order, and the arrow afterbody is next step input, and the arrow end is next step operation of carrying out.Wherein a Pentium sequence microcomputer is used for operational network control desk 1, remaining two Pentium IV microcomputer, Dell notebook and enterprise servers all are used for carrying out script are carried out keyword word frequency statistics analysis 2, registration table is write the list item path carry out oneself identification 3 and API is carried out sequence carry out nonego and discern 4, and the analysis result of these three aspects is all sent to net control station 1.
2, to the keyword statistical analysis of script and make malicious code and judge unusually
As script is carried out the keyword word frequency statistics analyze 2 among Fig. 1, specifically take following operating procedure:
(1) collects a large amount of normal foot presents and malicious script file, suggestion normal foot presents and malicious script file all are no less than 50, isolate 29 keyword copyfile from script file, Createobject, Delete, FolderDelete, RegWrite, Virus, .Write, GetSpecialFolder, keys, opentextfile, readall, .save, startup, execute, .add, buildpath, copyfolder, createfolder, createtextfile, deletefile, fileexists, folderexists, getfile, getfolder, getparentfolder, format, .run, do copy, document.write:
(2) 29 keywords are divided into three groups, first group for creating object keyword: Createobject, second group is no risky operation keyword: Virus itself, .Write, GetSpecialFolder, keys, opentextfile, readall, startup, execute, .add, buildpath, fileexists, folderexists, getfile, getfolder, getparentfolder, .run, document.write, the 3rd group is to have the keyword that possibility is destroyed operation: copyfile, Delete, FolderDelete, RegWrite, .save, copyfolder, createfolder, createtextfile, deletefile, format, do copy;
(3) as the normal script keyword word frequency statistics A1 among Fig. 1: the desired value f that adds up the word frequency that these 29 keywords occur in the normal script i(1≤i≤29);
(4) as the unusual script keyword word frequency statistics A2 among Fig. 1: the desired value f of the word frequency that these 29 keywords occur in the statistics malicious script i' (1≤i≤29);
(5) as the calculating normalization word frequency A3 among Fig. 1: it is poor to calculate the normalization word frequency of 29 keywords in normal and unusual script e i = ( f i - f i ′ ) / Σ i = 1 29 ( f i - f i ′ ) ( 1 ≤ i ≤ 29 ) ;
(6) as the script A4 to be detected of the analysis among Fig. 1: from hard disk, read the script file of appointment or from the temporary file catalogue of browser (as IExplore.exe), read the script file that browser is being visited, the statistics word frequency m that these 29 keywords occur in this script i
(7) calculate A5 as the risk factor among Fig. 1: calculate the risk factor Risk of script to be detected,
Risk = G Σ i = 0 29 P ( i ) F ( i )
Wherein P (i), F (i) and G are respectively:
Figure A20031010655100113
(8) calculate the risk factor threshold value, the computational methods of risk factor threshold value TH are:
TH = Σ i = 0 29 P ( i ) / 29
(9) as the transmission early warning information A6 among Fig. 1: when risk factor Risk surpasses threshold value TH, early warning information is sent to net control station 1 (Socket according to Windows operating system works out corresponding transmitting/receiving program) by network.
3,, registration table is write the list item path carries out oneself and discern and make unusual judgement and can take following implementation step as registration table is write the list item path carry out oneself identification 3 among Fig. 1:
(1) write list item path B1 as the intercepting registration table among Fig. 1: the DLL that injects intercepting registration table api function is to target program, as IExplore.exe and Outlook.exe, obtain registration table api function implementation status and parameter, and write the list item path from the parameter acquisition registration table of registration table api function.Inject the method for DLL and can use the remote thread method for implanting, the remote thread function can be referring to the CreateRemoteThread among the MSDN, (ImportAddress Table: the API that method Import Address Table) can intercept target program carries out sequence injecting DLL employing substitute I AT, attention will be to GetProcAddress and LoadLibraryA, LoadLibraryExA, LoadLibraryW, LoadLibraryExW does special processing, specifically can publish referring to Microsoft, " Windows kernel programming " (Programming Applications for Windows) of cut in the Jeffree (Jeffrey Ritcher) work;
(2) as the oneself of the collection among Fig. 1 B2: operational objective program under normal condition, as not containing the webpage of malicious code with IExplore.exe visit or collecting the mail that do not contain internet worm and malicious code etc. with Outlook.exe, the normal registration table of collecting target program (is IExplore.exe or Outlook.exe at this) under the normal condition writes the list item path, and deposit in the database, each normal registration table writes the list item path and is called " oneself ", and its set is called " oneself's collection ";
(3) write list item path B3 as the current registration table to be detected of the collection among Fig. 1: in the target program running, the registration table that obtains target program by the DLL that injects in real time writes the list item path, as the operation of the registry writes of IExplore.exe or Outlook.exe, and registration table is write the list item path be kept in the shared drive; Meanwhile, the registration table detection module reads current registration table and writes the list item path from shared drive, compares with original in the database " oneself " operation, discerns B4 as the oneself among Fig. 1; If in " oneself's collection ", then do not send abnormal behaviour information to net control station, as the transmission abnormal behaviour information B5 among Fig. 1.
4,, the API sequence is carried out nonego identification and made unusual judgement and can take following implementation step as API is carried out sequence carry out nonego identification 4 among Fig. 1.
Need to prove: if do not consider speed, can not move (1) step and (2) step, directly use all api functions; Perhaps do not move for (1) step, directly in all api functions, choose.
(1) at first whole api functions are renumberd, and the api function general collection used of definite target program, as the API set C1 of the use among Fig. 1:
(a) because all api function is too much, about 3000, api function can be divided into 20 groups, every group about 150, and at the corresponding DLL that injects of each group api function generation;
(b) these DLL are injected target program respectively,,, and from the file of record, obtain the api function tabulation that target program uses normal and be with operational objective program under the malicious situation as IExplore.exe or Outlook.exe;
(2) API selection operation, choose C2 as the API among Fig. 1:
(a) the API sequence of target program under the intercepting normal condition, and be W with the sliding step 0Mode it is cut into length is L 0Trail S 0, W wherein 0Value can be for 1 to L 0Between arbitrary integer, suggestion is got
Figure A20031010655100121
L 0Value can be for greater than 8 integer, suggestion gets 8,16,32 or 64;
(b) the API sequence of target program under the intercepting operation with virus state, and be W with the sliding step 0Mode it is cut into length is L 0Trail R 0
(c) compare trail S 0And R 0In different sequences, extract the api function that constitutes these sequences, with these api functions as api function collection to be monitored;
(3) renumber C3 as the API among Fig. 1: selected api function is renumberd, so that expression API sequence;
(4) as the oneself of the collection among Fig. 1 C4: according to selected api function, intercept the API sequence of target program under the normal condition, and it is cut into the string that length is L, generate oneself's collection S, wherein W with sliding step W 0Value can be for 1 to L 0Between arbitrary integer, suggestion is got L 0Value can be for greater than 8 integer, suggestion gets 8,16,32 or 64;
(5) the current API that obtains target program carries out sequence, reads N API sequence at every turn and carries out following testing process, and as IExplore.exe or Outlook.exe, suggestion N value is 128, carries out sequence C 5 as the current API that obtains target program among Fig. 1:
(a), produce initial detector collection D as the start detection among Fig. 1 and judge whether termination condition satisfies C7 0: produce pre-detector at random according to the api function of selecting, filter oneself's (promptly deleting), and then obtain the initial detector collection with the API sequence of oneself's coupling; The matching strategy here is the part matching strategy, and promptly two sequences match and if only if these two character strings are in r position consistency continuously;
(b) as the coupling C6 among Fig. 1, more current API carries out arbitrary detector that sequence and detector are concentrated: if find to mate then this sequence of mark and total matching number added 1, when the total matching number of API sequence to be detected that obtains in real time reaches threshold value G nThe time, send out abnormal behaviour information to net control station, as the transmission abnormal behaviour information C8 among Fig. 1;
(c) as the start detection among Fig. 1 and judge whether termination condition satisfies C7, if evolutionary generation t surpasses threshold value G eOr all the API sequence is labeled, continues next group API sequence is detected;
(d) for unmatched API sequence, then according to the variation of affinity degree, gene library evolution, three subset D producing at random A, D G, D RWith memory collection D MCommon composition detector collection D of future generation t=D A+ D G+ D R+ D M, and D A, D G, D RSubclass satisfies D A 1 ≈ D G 2 ≈ D M 1 ;
(e) as the variation of the affinity degree among Fig. 1 C9, detector subset D AProduced by affinity degree variation, the variation of affinity degree is meant that the matching degree of arbitrary detector of concentrating when API sequence and detector is above affinity degree threshold value G fThe time, produce N by variation c(N c〉=1) individual filial generation individuality;
A kind of advise the concrete variation method that adopts can for: surpass the affinity threshold value that makes a variation if current API carries out sequence and arbitrary detector match bit array, generate several a of [1, L] at random, morphed in this detector a position, obtain a filial generation detector; So circulation is 4 times, and each detector that need make a variation is generated 4 filial generation detectors.
(f) as the gene library evolution C10 among Fig. 1: the detector subset D GProduced by gene library evolution, gene library evolution is meant the selection probability that improves the API that forms valid detector, makes that this API has higher selection probability, i.e. P when generating pre-detector by the roulette wheel method Api=P Api+ Δ P.The selection probability that it is pointed out that all API is consistent when beginning, has identical selected probability P ApiAnd for avoiding local optimum, the step-length of gene library evolution is very little each time, and promptly API selects the incremental change Δ P of probability very little, and for all API, Δ P is identical here;
API selects the code of probability lift portion to be abbreviated as in the gene library evolution:
For (each gene Gene of valid detector)
Begin
Selection probability P [Gene]=P[Gene of this gene Gene]+Δ P.
End
Wherein Δ P is less usually counting.If for any Gene, initial p [Gene] is 100, and Δ P can be made as 0.1 or 0.01.
(g) as the C11 of generation at random among Fig. 1, detector subset D RBy producing at random, produce detector at random and be meant to concentrate for detector and keep a certain proportion of detector to come from the mode that produces at random that this is in order to keep the diversity of detector at each;
(h) as the memory collection C12 among Fig. 1: memory collection D MBe made up of the detector that can mate unusual sequence, it both can generate by off-line before beginning detects in real time, and the detector that also can detect unusual sequence in the actual monitoring process joins memory and concentrates;
5, net control station 1 is the program with network data newspaper receiving function, can write with visual programming tools, writes as VC++ or Delphi, has visualization interface and also can report and the storehouse that reads and writes data by receiving network data; Database can use Microsoft SQL Server database.The keeper can obtain by net control station and script, registration table are write list item path and API sequence carry out the abnormal behaviour information that analyzing and processing obtains.
6, according to the method described above, comprise script is carried out keyword word frequency statistics analysis 2, registration table is write the list item path carries out oneself identification 3 and API is carried out sequence carry out nonego identification 4, listed the testing result at 75 kinds of Email viruses, Email worm-type virus and malicious code below, the result shows that the present invention has good effect to internet worm and malicious code.
Sequence number Title Kind Whether report virus to be
????1 ????Bloodhound.vbs.worm ??Email,worm
????2 The Bloodhound.vbs.worm mutation ??Email,worm Be
????3 ????vbs.mesut ??email Be
????4 ????Jesus ??Email,worm Be
????5 ????Vbs.jadra ??email Be
????6 ????Vbs.infi ??email Be
????7 ????Vbs.hatred.b ??email Be
????8 ????Vbs.godog ??email Be
????9 ????Vbs.hard ??Email,worm Be
????10 ????Vbs.gascript ??Email,Trojan Be
????11 ????I-Worm.CIAN ??email Be
????12 ????Vbs.vbswg.qen ??Email,worm Be
????13 ????I-Worm.doublet ??Email,worm Be
????14 ????White?house ??Email,worm Be
????15 ????I-Worm.chu ??email Be
????16 ????Loveletter ??Email,worm Be
????17 ????freelink ??Email,worm Be
????18 ????Mbop.d ??Email,worm Be
????19 ????Kounikewa ??Email,worm Be
????20 ????json888 Malicious code Be
????21 ????gator[1] Malicious code Be
????22 ????overkill2 Malicious code Be
????23 ????redlof Malicious code Be
????24 ????script.unrealer Malicious code Be
????25 ????vbs.both Malicious code Be
????26 ????VBS.kremp Malicious code Be
????27 ????script.exploit Malicious code Not
????28 ????script.happytime Malicious code Be
????29 ????vbs.godog Malicious code Be
????30 ????I-worm.doublet Malicious code Be
????31 ????I-worm.chu Malicious code Be
????32 ????vbs.baby Malicious code Be
????33 ????vbs.gascript Malicious code Be
????34 ????vbs.jesus Malicious code Be
????35 ????vbs.mbop.d Malicious code Be
????36 ????vbs.fasan Malicious code Be
????37 ????vbs.hard.vbs Malicious code Be
????38 ????vbs.infi Malicious code Be
????39 ????vbs.jadra Malicious code Be
????40 ????LOVE-LETTER-FOR-YOU Malicious code Be
????41 ????vbs.mesut Malicious code Be
????42 ????JS.Exception.Exploit1 Malicious code Be
????43 ????JS.Exception.Exploit2 Malicious code Be
????44 Self-editing Writefile Malicious code Be
????45 The Writefile mutation Malicious code Be
????46 ????IRC.salim Malicious code Be
????47 ????Vbs.vbswg.qen Malicious code Be
????48 ????Bloodhound.vbs.3 Malicious code Be
????49 Bloodhound.vbs.3 mutation 1 Malicious code Be
????50 Bloodhound.vbs.3 mutation 2 Malicious code Be
????51 Bloodhound.vbs.3 mutation 3 Malicious code Be
????52 Bloodhound.vbs.3 mutation 4 Malicious code Be
????53 Bloodhound.vbs.3 mutation 5 Malicious code Be
????54 Bloodhound.vbs.3 mutation 6 Malicious code Be
????55 Bloodhound.vbs.3 mutation 7 Malicious code Be
????56 Bloodhound.vbs.3 mutation 8 Malicious code Be
????57 Bloodhound.vbs.3 mutation 9 Malicious code Be
????58 ????Vbs.bound Malicious code Be
????59 ????Vbs.charl Malicious code Be
????60 ????VBS.Phram.D(vbs.cheese) Malicious code Be
????61 ????Vbs.entice Malicious code Be
????62 ????Vbs.ave.a Malicious code Be
????63 ????Vbs.exposed Malicious code Be
????64 ????Vbs.annod(vbs.jadra) Malicious code Be
????65 ????Vbs.nomekop Malicious code Be
????66 ????Html.reality(vbs.reality) Malicious code Be
????67 ????Bloodhound.vbs.3 Malicious code Be
????68 Bloodhound.vbs.3 mutation 1 Malicious code Be
????69 Bloodhound.vbs.3 mutation 2 Malicious code Be
????70 Bloodhound.vbs.3 mutation 3 Malicious code Be
????71 Bloodhound.vbs.3 mutation 4 Malicious code Be
????72 Bloodhound.vbs.3 mutation 5 Malicious code Be
????73 Bloodhound.vbs.3 mutation 6 Malicious code Be
????74 Bloodhound.vbs.3 mutation 7 Malicious code Be
????75 Bloodhound.vbs.3 mutation 8 Malicious code Be

Claims (1)

1, a kind of internet worm of layered cooperative and malicious code recognition methods comprise:
From script file, isolate keyword, obtain by the method for injecting dynamic link library (being called for short DLL) that application programming interface (being called for short API) is carried out sequence and registration table writes the list item path, registration table is write the list item path and the API sequence is kept in hard disk or the internal memory; It is characterized in that:
To the keyword word frequency statistics analysis of script and make unusual judgement;
Registration table is write the list item path to carry out oneself's identification and makes unusual judgement;
The API sequence is carried out nonego identification and made unusual judgement;
Abnormal behaviour information is sent to net control station;
The script file that described script file is meant the script file write with the Javascript language, write with the VBScript language and embedded Javascript or the script file of VBScript code;
Described injection DLL acquisition API execution sequence and registration table write the list item path and are meant, by DLL is injected in the target program as remote thread, the API execution sequence of the method intercepting target program of Import Address Table (being called for short IAT) is replaced in employing then, and writes the list item path from the parameter acquisition registration table of registration table api function;
Described to script the keyword statistical analysis and make unusual judgement and be meant and from script file, isolate 29 keyword copyfile, Createobject, Delete, FolderDelete, RegWrite, Virus, .Write, GetSpecialFolder, keys, opentextfile, readall, .save, startup, execute, .add, buildpath, copyfolder, createfolder, createtextfile, deletefile, fileexists, folderexists, getfile, getfolder, getparentfolder, format, .run, do copy, document.write, and carry out following steps:
(1) 29 keywords are divided into three groups, first group for creating object keyword: Createobject; Second group is no risky operation keyword itself: Virus .Write, GetSpecialFolder, keys, opentextfile, readall, startup, execute .add, buildpath, fileexists, folderexists, getfile, getfolder, getparentfolder .run, document.write; The 3rd group is to have the keyword that possibility is destroyed operation: copyfile, Delete, FolderDelete, RegWrite .save, copyfolder, createfolder, createtextfile, deletefile, format, do copy;
(2) the desired value f of the word frequency that these 29 keywords occur in the normal script of statistics i, the desired value f of the word frequency that these 29 keywords occur in the unusual script is added up in 1≤i≤29 i', 1≤i≤29, it is poor to calculate the normalization word frequency of 29 keywords in normal and unusual script e i = ( f i - f i ′ ) / Σ i = 1 29 ( f i - f i ′ ) , 1≤i≤29:
(3) the statistics word frequency m that keyword occurs in current script to be detected i, the risk factor Risk of script to be detected is calculated in 1≤i≤29,
Risk = G Σ i = 1 29 P ( i ) F ( i )
Wherein P (i), F (i) and G are respectively:
Figure A2003101065510003C2
(4) risk factor threshold value TH is defined as:
TH = Σ i = 0 29 P ( i ) / 29
When risk factor Risk surpasses threshold value TH, send early warning information to net control station;
Describedly registration table is write the list item path carry out oneself identification and make unusual judgement and take following steps:
(1) the normal registration table of target program writes the list item path under the collection normal condition, and deposits in the database, and each normal registration table writes the list item path and is called " oneself ", and its set is called " oneself's collection ";
(2) read current registration table and write the list item path, compare, if not in " oneself's collection ", then send abnormal behaviour information to net control station with original in the database " oneself " operation;
Described the API sequence carried out nonego identification and made unusual judgement and take following steps:
(1) API selection operation:
(a) the API sequence of target program under the intercepting normal condition, and be W with the sliding step 0Mode it is cut into length is L 0Trail S 0
(b) the API sequence of target program under the intercepting operation with virus state, and be W with the sliding step 0Mode it is cut into length is L 0Trail R 0
(c) compare trail S 0And R 0In different sequences, extract the api function that constitutes these sequences, with these api functions as api function collection to be monitored;
(2) according to selected api function, the API sequence of target program under the intercepting normal condition, and be that W is cut into the string that length is L with it with the sliding step, generate oneself's collection S;
(3) the current API that obtains target program carries out sequence, and is that W is cut into the string that length is L with it with the sliding step, reads N API sequence at every turn and carries out following testing process:
(a) produce initial detector collection D 0: produce pre-detector at random according to selected api function, filter the oneself, and then obtain the initial detector collection; The matching strategy here is the part matching strategy, and promptly two sequences match and if only if these two character strings are in r position consistency continuously;
(b) more current AP carries out arbitrary detector that sequence and detector are concentrated: if find to mate then this sequence of mark and total matching number added 1, when the total matching number of API sequence to be detected that obtains in real time reaches threshold value G nThe time, send out abnormal behaviour information to net control station;
(c) if evolutionary generation t surpasses threshold value G eOr all the API sequences are labeled, continue to read next group API sequence and detect; Otherwise, for unmatched API sequence, then according to the variation of affinity degree, gene library evolution, three subset D producing at random A, D G, D RWith memory collection D MCommon composition detector collection D of future generation i=D A+ D G+ D R+ D M, and D A, D G, D RSubclass satisfies D A 1 ≈ D G 2 ≈ D M 1 ;
Produce the detector subset D by the variation of affinity degree A, affinity degree variation is meant that the matching degree of arbitrary detector of concentrating when API sequence and detector is above affinity degree threshold value G fThe time, produce N by variation c(N c〉=1) individual filial generation individuality;
Produce the detector subset D by gene library evolution G, gene library evolution is meant the selection probability that improves the API that forms valid detector, i.e. P Api=P Api+ Δ P; And when reality generates detector, select probability to generate pre-detector by the roulette wheel method according to API, filter the oneself at last and generate the detector subset D G
By producing the detector subset D at random R
The existing detector that can mate unusual sequence is formed memory collection D M
Described net control station is meant to be used for receiving script, registration table is write the network program that list item path and API sequence are carried out the abnormal information that analyzing and processing obtained.
CNB2003101065518A 2003-12-05 2003-12-05 Hierarchical cooperated network virus and malice code recognition method Expired - Fee Related CN1300982C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2003101065518A CN1300982C (en) 2003-12-05 2003-12-05 Hierarchical cooperated network virus and malice code recognition method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2003101065518A CN1300982C (en) 2003-12-05 2003-12-05 Hierarchical cooperated network virus and malice code recognition method

Publications (2)

Publication Number Publication Date
CN1625121A true CN1625121A (en) 2005-06-08
CN1300982C CN1300982C (en) 2007-02-14

Family

ID=34757609

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2003101065518A Expired - Fee Related CN1300982C (en) 2003-12-05 2003-12-05 Hierarchical cooperated network virus and malice code recognition method

Country Status (1)

Country Link
CN (1) CN1300982C (en)

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100437614C (en) * 2005-11-16 2008-11-26 白杰 Method for identifying unknown virus programe and clearing method thereof
CN100450012C (en) * 2005-07-15 2009-01-07 复旦大学 Invasion detecting system and method based on mobile agency
CN101350052B (en) * 2007-10-15 2010-11-03 北京瑞星信息技术有限公司 Method and apparatus for discovering malignancy of computer program
CN101359351B (en) * 2008-09-25 2010-11-10 中国人民解放军信息工程大学 Multilayer semantic annotation and detection method against malignancy
CN101213555B (en) * 2005-06-30 2011-03-30 普瑞维克斯有限公司 Methods and apparatus for dealing with malware
CN101547126B (en) * 2008-03-27 2011-10-12 北京启明星辰信息技术股份有限公司 Network virus detecting method based on network data streams and device thereof
WO2011137803A1 (en) * 2011-05-20 2011-11-10 华为技术有限公司 Method and device for selecting open application programming interface
CN102256242A (en) * 2011-04-14 2011-11-23 中兴通讯股份有限公司 System and method for processing service application
CN102622536A (en) * 2011-01-26 2012-08-01 中国科学院软件研究所 Method for catching malicious codes
CN101576947B (en) * 2009-06-05 2012-08-08 成都市华为赛门铁克科技有限公司 Method, device and system for file protection treatment
CN101901221B (en) * 2009-05-27 2012-08-29 北京启明星辰信息技术股份有限公司 Method and device for detecting cross site scripting
CN101416441B (en) * 2006-03-31 2012-10-10 英特尔公司 Hierarchical trust based posture reporting and policy enforcement
CN102722672A (en) * 2012-06-04 2012-10-10 奇智软件(北京)有限公司 Method and device for detecting authenticity of operating environment
US9154492B2 (en) 2013-09-27 2015-10-06 The University Of North Carolina At Charlotte Moving target defense against cross-site scripting
CN101414340B (en) * 2007-10-15 2015-12-02 北京瑞星信息技术有限公司 A kind of method preventing remote thread from starting
CN106126980A (en) * 2016-08-03 2016-11-16 北京英贝思科技有限公司 A kind of code protection method and system
CN108197470A (en) * 2008-10-20 2018-06-22 王英 Fast signature scan
CN108243056A (en) * 2016-12-27 2018-07-03 大唐移动通信设备有限公司 A kind of method and device for obtaining exception information
CN108985064A (en) * 2018-07-16 2018-12-11 中国人民解放军战略支援部队信息工程大学 A kind of method and device identifying malice document

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6859212B2 (en) * 1998-12-08 2005-02-22 Yodlee.Com, Inc. Interactive transaction center interface
US7092861B1 (en) * 2000-11-02 2006-08-15 Koninklijke Philips Electronics N.V. Visual anti-virus in a network control environment

Cited By (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101213555B (en) * 2005-06-30 2011-03-30 普瑞维克斯有限公司 Methods and apparatus for dealing with malware
CN100450012C (en) * 2005-07-15 2009-01-07 复旦大学 Invasion detecting system and method based on mobile agency
CN100437614C (en) * 2005-11-16 2008-11-26 白杰 Method for identifying unknown virus programe and clearing method thereof
CN101416441B (en) * 2006-03-31 2012-10-10 英特尔公司 Hierarchical trust based posture reporting and policy enforcement
CN101350052B (en) * 2007-10-15 2010-11-03 北京瑞星信息技术有限公司 Method and apparatus for discovering malignancy of computer program
CN101414340B (en) * 2007-10-15 2015-12-02 北京瑞星信息技术有限公司 A kind of method preventing remote thread from starting
CN101547126B (en) * 2008-03-27 2011-10-12 北京启明星辰信息技术股份有限公司 Network virus detecting method based on network data streams and device thereof
CN101359351B (en) * 2008-09-25 2010-11-10 中国人民解放军信息工程大学 Multilayer semantic annotation and detection method against malignancy
CN108197470A (en) * 2008-10-20 2018-06-22 王英 Fast signature scan
CN101901221B (en) * 2009-05-27 2012-08-29 北京启明星辰信息技术股份有限公司 Method and device for detecting cross site scripting
CN101576947B (en) * 2009-06-05 2012-08-08 成都市华为赛门铁克科技有限公司 Method, device and system for file protection treatment
CN102622536A (en) * 2011-01-26 2012-08-01 中国科学院软件研究所 Method for catching malicious codes
CN102622536B (en) * 2011-01-26 2014-09-03 中国科学院软件研究所 Method for catching malicious codes
CN102256242A (en) * 2011-04-14 2011-11-23 中兴通讯股份有限公司 System and method for processing service application
US8839276B2 (en) 2011-05-20 2014-09-16 Huawei Technologies Co., Ltd. Open application programming interface selection method and device
WO2011137803A1 (en) * 2011-05-20 2011-11-10 华为技术有限公司 Method and device for selecting open application programming interface
CN102722672A (en) * 2012-06-04 2012-10-10 奇智软件(北京)有限公司 Method and device for detecting authenticity of operating environment
CN102722672B (en) * 2012-06-04 2015-10-14 北京奇虎科技有限公司 A kind of method and device detecting running environment authenticity
US9521133B2 (en) 2013-09-27 2016-12-13 The University Of North Carolina At Charlotte Moving target defense against cross-site scripting
US9154492B2 (en) 2013-09-27 2015-10-06 The University Of North Carolina At Charlotte Moving target defense against cross-site scripting
CN106126980A (en) * 2016-08-03 2016-11-16 北京英贝思科技有限公司 A kind of code protection method and system
CN108243056A (en) * 2016-12-27 2018-07-03 大唐移动通信设备有限公司 A kind of method and device for obtaining exception information
CN108243056B (en) * 2016-12-27 2020-11-20 大唐移动通信设备有限公司 Method and device for acquiring abnormal information
CN108985064A (en) * 2018-07-16 2018-12-11 中国人民解放军战略支援部队信息工程大学 A kind of method and device identifying malice document
CN108985064B (en) * 2018-07-16 2023-10-20 中国人民解放军战略支援部队信息工程大学 Method and device for identifying malicious document

Also Published As

Publication number Publication date
CN1300982C (en) 2007-02-14

Similar Documents

Publication Publication Date Title
CN1300982C (en) Hierarchical cooperated network virus and malice code recognition method
US8955133B2 (en) Applying antimalware logic without revealing the antimalware logic to adversaries
Rieck et al. Learning and classification of malware behavior
Cesare et al. Malwise—an effective and efficient classification system for packed and polymorphic malware
CN101512522B (en) System and method for analyzing web content
Crussell et al. Andarwin: Scalable detection of semantically similar android applications
US9715588B2 (en) Method of detecting a malware based on a white list
Alrizah et al. Errors, misunderstandings, and attacks: Analyzing the crowdsourcing process of ad-blocking systems
DE60303753T2 (en) Selective recognition of malicious computer code
US7860870B2 (en) Detection of abnormal user click activity in a search results page
CN102664878B (en) Method and equipment for detection of counterfeit domain names
Stokes et al. WebCop: Locating Neighborhoods of Malware on the Web.
KR101260028B1 (en) Automatic management system for group and mutant information of malicious code
CN103150509B (en) A kind of virus detection system based on virtual execution
US20080091708A1 (en) Enhanced Detection of Search Engine Spam
Naseer et al. Malware detection: issues and challenges
Schlumberger et al. Jarhead analysis and detection of malicious java applets
CN1304914C (en) System and method for digital watermarking of data repository
Provos et al. Search worms
Pan et al. Webshell detection based on executable data characteristics of php code
Martins et al. Generating quality threat intelligence leveraging OSINT and a cyber threat unified taxonomy
Sun et al. AFLTurbo: Speed up path discovery for greybox fuzzing
Bai et al. Dynamic k-gram based software birthmark
Small et al. To Catch a Predator: A Natural Language Approach for Eliciting Malicious Payloads.
Wang et al. Two-stage checkpoint based security monitoring and fault recovery architecture for embedded processor

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C19 Lapse of patent right due to non-payment of the annual fee
CF01 Termination of patent right due to non-payment of annual fee