JP6842367B2 - System and method for detecting malicious code in files - Google Patents


Info

Publication number
JP6842367B2
Authority
JP
Japan
Prior art keywords
processor
execution
log
computing device
emulator
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
JP2017098800A
Other languages
English (en)
Japanese (ja)
Other versions
JP2018041438A5 (en)
JP2018041438A (ja)
Inventor
ワイ. ゴロフキン マキシム
ブイ. モナスティルスキ アレクセイ
ブイ. ピンティスキー ウラディスラフ
エー. パヴリュシュチク ミハイル
ブイ. ブツゾフ ヴィタリ
ブイ. カラソフスキー ドミトリー
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Kaspersky Lab AO
Original Assignee
Kaspersky Lab AO
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Kaspersky Lab AO
Publication of JP2018041438A
Publication of JP2018041438A5
Application granted
Publication of JP6842367B2
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Debugging And Monitoring (AREA)
JP2017098800A (priority date 2016-09-08, filing date 2017-05-18): System and method for detecting malicious code in files, Active, JP6842367B2 (ja)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
RU2016136224A RU2637997C1 (ru) 2016-09-08 2016-09-08 System and method for detecting malicious code in a file
RU2016136224 2016-09-08
US15/431,162 2017-02-13
US15/431,162 US10460099B2 (en) 2016-09-08 2017-02-13 System and method of detecting malicious code in files

Publications (3)

Publication Number Publication Date
JP2018041438A JP2018041438A (ja) 2018-03-15
JP2018041438A5 JP2018041438A5 (en) 2020-12-17
JP6842367B2 JP6842367B2 (ja) 2021-03-17

Family

ID=60581263

Family Applications (1)

Application Number Title Priority Date Filing Date
JP2017098800A Active JP6842367B2 (ja) 2016-09-08 2017-05-18 System and method for detecting malicious code in files

Country Status (4)

Country Link
US (1) US10460099B2 (en)
JP (1) JP6842367B2 (en)
CN (1) CN107808094B (en)
RU (1) RU2637997C1 (en)

Families Citing this family (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR3070076B1 (fr) * 2017-08-09 2019-08-09 Idemia Identity And Security Method for protecting an electronic device against fault injection attacks
US10810099B2 (en) 2017-09-11 2020-10-20 International Business Machines Corporation Cognitive in-memory API logging
KR101976992B1 (ko) * 2017-11-16 2019-05-10 숭실대학교산학협력단 Apparatus and method for automatically recognizing analysis-evasion techniques using signature extraction
US11250123B2 (en) * 2018-02-28 2022-02-15 Red Hat, Inc. Labeled security for control flow inside executable program code
US10922409B2 (en) * 2018-04-10 2021-02-16 Microsoft Technology Licensing, Llc Deep reinforcement learning technologies for detecting malware
US11017078B2 (en) 2018-04-24 2021-05-25 Microsoft Technology Licensing, Llc Environmentally-trained time dilation
US10965444B2 (en) * 2018-04-24 2021-03-30 Microsoft Technology Licensing, Llc Mitigating timing attacks via dynamically triggered time dilation
CN110717180B (zh) * 2018-07-13 2021-09-28 北京安天网络安全技术有限公司 Malicious document detection method, system and storage medium based on self-locating behavior
CN109492391B (zh) * 2018-11-05 2023-02-28 腾讯科技(深圳)有限公司 Application program defense method, device and readable medium
EP3674940B1 (en) * 2018-12-28 2024-05-29 AO Kaspersky Lab System and method of forming a log when executing a file with vulnerabilities in a virtual machine
RU2724790C1 (ru) * 2018-12-28 2020-06-25 Акционерное общество "Лаборатория Касперского" System and method of forming a log when executing a file with vulnerabilities in a virtual machine
WO2020180298A1 (en) * 2019-03-05 2020-09-10 Intel Corporation Deterministic trusted executed container through managed runtime language metadata
CN113268726B (zh) * 2020-02-17 2023-10-20 华为技术有限公司 Method for monitoring program code execution behavior, and computer device
US11775640B1 (en) * 2020-03-30 2023-10-03 Amazon Technologies, Inc. Resource utilization-based malicious task detection in an on-demand code execution system
CN111506437A (zh) * 2020-03-31 2020-08-07 北京安码科技有限公司 Cyber range application invocation method, system, electronic device and storage medium based on the Windows native call interface
EP3926470B1 (en) * 2020-06-19 2023-08-16 AO Kaspersky Lab Emulator and emulation method
US11636203B2 (en) 2020-06-22 2023-04-25 Bank Of America Corporation System for isolated access and analysis of suspicious code in a disposable computing environment
US11797669B2 (en) 2020-06-22 2023-10-24 Bank Of America Corporation System for isolated access and analysis of suspicious code in a computing environment
US11880461B2 (en) 2020-06-22 2024-01-23 Bank Of America Corporation Application interface based system for isolated access and analysis of suspicious code in a computing environment
US11269991B2 (en) 2020-06-22 2022-03-08 Bank Of America Corporation System for identifying suspicious code in an isolated computing environment based on code characteristics
US11574056B2 (en) 2020-06-26 2023-02-07 Bank Of America Corporation System for identifying suspicious code embedded in a file in an isolated computing environment
CN113918941A (zh) * 2020-07-07 2022-01-11 华为技术有限公司 Abnormal behavior detection method, apparatus, computing device and storage medium
RU2757807C1 (ru) * 2020-08-24 2021-10-21 Акционерное общество "Лаборатория Касперского" System and method for detecting malicious code in an executable file
US20230244787A1 (en) * 2022-01-28 2023-08-03 Palo Alto Networks, Inc. System and method for detecting exploit including shellcode
US12242609B2 (en) * 2022-03-29 2025-03-04 Acronis International Gmbh Exact restoration of a computing system to the state prior to infection
US12373327B2 (en) * 2022-04-28 2025-07-29 Twilio Inc. Data logging for API usage analytics
US12333008B2 (en) * 2022-08-31 2025-06-17 Crowdstrike, Inc. Emulation-based malware detection
CN119106417B (zh) * 2024-11-11 2025-03-11 开元华创科技(集团)有限公司 Security detection method, system and storage medium for application programs

Family Cites Families (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7568233B1 (en) * 2005-04-01 2009-07-28 Symantec Corporation Detecting malicious software through process dump scanning
US7779472B1 (en) 2005-10-11 2010-08-17 Trend Micro, Inc. Application behavior based malware detection
US7664626B1 (en) * 2006-03-24 2010-02-16 Symantec Corporation Ambiguous-state support in virtual machine emulators
US7814544B1 (en) * 2006-06-22 2010-10-12 Symantec Corporation API-profile guided unpacking
US20100031353A1 (en) * 2008-02-04 2010-02-04 Microsoft Corporation Malware Detection Using Code Analysis and Behavior Monitoring
US20160012223A1 (en) * 2010-10-19 2016-01-14 Cyveillance, Inc. Social engineering protection appliance
US20100169972A1 (en) * 2008-12-31 2010-07-01 Microsoft Corporation Shared repository of malware data
US20110041179A1 (en) * 2009-08-11 2011-02-17 F-Secure Oyj Malware detection
US9213838B2 (en) * 2011-05-13 2015-12-15 Mcafee Ireland Holdings Limited Systems and methods of processing data associated with detection and/or handling of malware
AU2011293160B2 (en) * 2010-08-26 2015-04-09 Verisign, Inc. Method and system for automatic detection and analysis of malware
RU2011138462A (ru) * 2011-09-20 2013-04-10 Закрытое акционерное общество "Лаборатория Касперского" Use of user decisions for detecting unknown computer threats
RU2472215C1 (ru) * 2011-12-28 2013-01-10 Закрытое акционерное общество "Лаборатория Касперского" Method for detecting unknown programs using emulation of the loading process
RU2491615C1 (ru) * 2012-02-24 2013-08-27 Закрытое акционерное общество "Лаборатория Касперского" System and method for generating records for software detection
US9092625B1 (en) * 2012-07-03 2015-07-28 Bromium, Inc. Micro-virtual machine forensics and detection
US9355247B1 (en) * 2013-03-13 2016-05-31 Fireeye, Inc. File extraction from memory dump for malicious content analysis
US9471783B2 (en) * 2013-03-15 2016-10-18 Mcafee, Inc. Generic unpacking of applications for malware detection
KR101477050B1 (ko) * 2014-05-28 2015-01-08 충남대학교산학협력단 Method for extracting the executable code of an application using a memory dump technique
CN104021346B (zh) * 2014-06-06 2017-02-22 东南大学 Android malware detection method based on program flow graphs
CN107004088B (zh) 2014-12-09 2020-03-31 日本电信电话株式会社 Determination device, determination method and recording medium
US10341355B1 (en) * 2015-06-23 2019-07-02 Amazon Technologies, Inc. Confidential malicious behavior analysis for virtual computing resources
CN105760787B (zh) * 2015-06-30 2019-05-31 卡巴斯基实验室股份制公司 System and method for detecting malicious code in random access memory

Also Published As

Publication number Publication date
US10460099B2 (en) 2019-10-29
CN107808094A (zh) 2018-03-16
RU2637997C1 (ru) 2017-12-08
CN107808094B (zh) 2021-06-04
JP2018041438A (ja) 2018-03-15
US20180068115A1 (en) 2018-03-08

Similar Documents

Publication Publication Date Title
JP6842367B2 (ja) System and method for detecting malicious code in files
JP2018041438A5 (en)
US7603713B1 (en) Method for accelerating hardware emulator used for malware detection and analysis
US10242186B2 (en) System and method for detecting malicious code in address space of a process
RU2514141C1 (ru) Method for emulating system function calls to bypass anti-emulation countermeasures
CN102799817B (zh) System and method for malware protection using virtualization technology
US9852295B2 (en) Computer security systems and methods using asynchronous introspection exceptions
KR102206115B1 (ko) Behavioral malware detection using an interpreter virtual machine
RU2665911C2 (ru) System and method for analyzing a file for maliciousness in a virtual machine
EP3048551B1 (en) Systems and methods for active operating system kernel protection
RU2628921C1 (ru) System and method for performing an antivirus scan of a file on a virtual machine
US9740864B2 (en) System and method for emulation of files using multiple images of the emulator state
US11048795B2 (en) System and method for analyzing a log in a virtual machine based on a template
US9202053B1 (en) MBR infection detection using emulation
RU2649794C1 (ru) System and method for forming a log in a virtual machine for conducting an antivirus scan of a file
RU2592383C1 (ru) Method for generating an antivirus record upon detection of malicious code in random access memory
EP3293660A1 (en) System and method of detecting malicious code in files
EP2720170B1 (en) Automated protection against computer exploits
EP2866167A1 (en) System and method for preserving and subsequently restoring emulator state
HK1246905B (zh) Behavioral malware detection using an interpreter virtual machine

Legal Events

Code Title (Free format text; Effective date)
A621 Written request for application examination (JAPANESE INTERMEDIATE CODE: A621; effective date 20170721)
A131 Notification of reasons for refusal (JAPANESE INTERMEDIATE CODE: A131; effective date 20180904)
A521 Request for written amendment filed (JAPANESE INTERMEDIATE CODE: A523; effective date 20181203)
A02 Decision of refusal (JAPANESE INTERMEDIATE CODE: A02; effective date 20190604)
A521 Request for written amendment filed (JAPANESE INTERMEDIATE CODE: A523; effective date 20191004)
C60 Trial request (containing other claim documents, opposition documents) (JAPANESE INTERMEDIATE CODE: C60; effective date 20191004)
A911 Transfer to examiner for re-examination before appeal (zenchi) (JAPANESE INTERMEDIATE CODE: A911; effective date 20191015)
C21 Notice of transfer of a case for reconsideration by examiners before appeal proceedings (JAPANESE INTERMEDIATE CODE: C21; effective date 20191023)
A912 Re-examination (zenchi) completed and case transferred to appeal board (JAPANESE INTERMEDIATE CODE: A912; effective date 20191213)
C211 Notice of termination of reconsideration by examiners before appeal proceedings (JAPANESE INTERMEDIATE CODE: C211; effective date 20191217)
C22 Notice of designation (change) of administrative judge (JAPANESE INTERMEDIATE CODE: C22; effective date 20200623)
C13 Notice of reasons for refusal (JAPANESE INTERMEDIATE CODE: C13; effective date 20200804)
A601 Written request for extension of time (JAPANESE INTERMEDIATE CODE: A601; effective date 20201102)
A524 Written submission of copy of amendment under Article 19 PCT (JAPANESE INTERMEDIATE CODE: A524; effective date 20201104)
C23 Notice of termination of proceedings (JAPANESE INTERMEDIATE CODE: C23; effective date 20201222)
C03 Trial/appeal decision taken (JAPANESE INTERMEDIATE CODE: C03; effective date 20210209)
C30A Notification sent (JAPANESE INTERMEDIATE CODE: C3012; effective date 20210209)
A61 First payment of annual fees (during grant procedure) (JAPANESE INTERMEDIATE CODE: A61; effective date 20210219)
R150 Certificate of patent or registration of utility model (Ref document number: 6842367; Country of ref document: JP; JAPANESE INTERMEDIATE CODE: R150)
R250 Receipt of annual fees (JAPANESE INTERMEDIATE CODE: R250)
R250 Receipt of annual fees (JAPANESE INTERMEDIATE CODE: R250)