TWI640891B - Method and apparatus for detecting malware - Google Patents

Method and apparatus for detecting malware

Publication number: TWI640891B
Authority: TW (Taiwan)
Application number: TW106145575A
Other versions: TW201928746A
Original language: Chinese (zh)
Inventors: 施汎勳, 張光宏, 詹偉銘
Original assignee: 中華電信股份有限公司 (Chunghwa Telecom Co., Ltd.)
Classification areas: Data Exchanges In Wide-Area Networks; Debugging And Monitoring
Abstract

The present invention discloses a method and apparatus for detecting malware. The apparatus continuously collects host file-activity traces or network traffic and analyses the stored data for suspicious behaviour. When a malicious attack is detected, the affected data and the point in time of the attack can be identified precisely. Suspicious files can then be recovered from the network traffic or the host activity records, analysed, and classified as malware or not. If the analysis finds malware, intelligence about it is turned into detection rules and fed back into the suspicious-behaviour detection and malware detection modules. In this way the invention recovers long-dormant malware that anti-virus software missed at the time of infection and that has since been erased, and helps to reconstruct the attack as it actually happened.

Description

Method and apparatus for detecting malware

The present invention relates to a method and apparatus for detecting malware.

With the rapid growth of the Internet, modern life has become inseparable from it, and the spread of mobile networks lets people reach it anywhere, at any time, from a smartphone or tablet. In recent years more and more malware has been packaged inside data streams and enters computer hosts along with them, with many harmful effects on the host. In response, more and more anti-virus products have appeared on the market to detect or remove malware on hosts.

However, anti-virus software often cannot detect every kind of malware at the moment of infection, and attackers also erase the traces of their malware in various ways. In addition, running malware detection on every data stream usually consumes a great deal of time and computing power.

The invention provides an apparatus for detecting malware that comprises a storage unit and a processor. The storage unit stores a plurality of modules; the processor is coupled to the storage unit and accesses and executes those modules. The modules include a suspicious-behaviour analysis module and a malware analysis module. The suspicious-behaviour analysis module comprises a preservation module, which records a data stream and builds an index of it; a suspicious-behaviour detection module, which detects suspicious behaviour present in the data stream according to suspicious-behaviour detection rules and records the point in time of that behaviour; and a file extraction module, which extracts a suspicious file sample from the data stream based on that point in time and the index. The malware analysis module determines whether the suspicious file sample is malware.

The invention also provides a method for detecting malware, comprising: recording a data stream and building an index of it; detecting suspicious behaviour present in the data stream according to suspicious-behaviour detection rules and recording the point in time of that behaviour; extracting a suspicious file sample from the data stream based on that point in time and the index; and determining whether the suspicious file sample is malware.

Based on the above, the invention screens out suspicious file samples with suspicious-behaviour detection rules and runs malware analysis only on those samples, which reduces the time and computing power spent on malware analysis and lightens the load on the system. In addition, the invention can recover files that may have been involved in an attack from the endpoint traces and derive new suspicious-behaviour or malware detection rules from them, so that the next similar attack is detected.

To make the above features and advantages of the invention clearer, embodiments are described in detail below with reference to the accompanying drawings.

The invention discloses a method and apparatus for detecting malware. Anti-virus software usually cannot detect long-dormant malware at the moment of infection, and by the time its detection rules are updated the malware has usually evaded detection by deleting itself. The invention uses network-traffic capture and host file-activity capture to archive the data and build an index over it. When suspicious attack activity is detected in the monitored environment, the file extraction module recovers files for a specific time and data range, so that incident responders can retrieve the malicious sample and reconstruct the full picture of the attack. The invention can also run automated malware analysis on the recovered file to confirm that it is malware, feed the key data contained in the sample back into the malware intelligence database, and add or update malware detection rules.

FIG. 1 shows an apparatus 10 for detecting malware according to an embodiment of the invention. The apparatus 10 includes, but is not limited to, a processor 20 and a storage unit 30. The storage unit 30 may be any type of fixed or removable random access memory (RAM), read-only memory (ROM), flash memory, hard disk drive, solid-state drive, similar component, or a combination of these, and stores the main modules: a suspicious-behaviour analysis module 310, a malware analysis module 320, a preservation database 330, a suspicious-behaviour detection rule database 340, a suspicious sample database 350 and a malware intelligence database 360.

The processor 20 is coupled to the storage unit 30 and may be a central processing unit (CPU) or another programmable general-purpose or special-purpose microprocessor, digital signal processor (DSP), programmable controller, application-specific integrated circuit (ASIC), similar component, or a combination of these. In this embodiment the processor 20 performs all functions of the malware detection apparatus 10 and can access and execute the modules stored in the storage unit 30.

The suspicious-behaviour analysis module 310 determines whether a data stream contains suspicious behaviour and extracts the suspicious file sample from the point in time at which that behaviour occurred, for subsequent malware analysis. It comprises three sub-modules: a preservation module 311, a suspicious-behaviour detection module 312 and a file extraction module 313.

The preservation module 311 records the data stream and builds an index. When the data stream is host file activity, the preservation module 311 collects file-activity traces on the host system through a monitoring program. These traces include, but are not limited to, file change history, application programming interface (API) calls made by host programs, API calls made by running processes, and autostart settings/registry keys, as listed in Table 1.

Table 1. Host activity trace collection
Collection target | Collected content
File removal API call | File path and file contents
File execution API call | Executable path and file contents
Autostart setting/registry key modification | File path and file contents
PowerShell execution call | PowerShell script path and contents
Files matching custom file-path detection rules | File path and file contents
Files matching custom YARA rule signatures | File path and file contents
Files matching custom hash values | File path and file contents

When the data stream is network traffic, the preservation module 311 captures it through port mirroring and stores it in PCAP format. It can also parse and record the TCP/IP-layer protocols and common application-layer protocols such as TELNET, FTP, HTTP, POP3, SMTP and DNS. The preservation module 311 indexes the collected data by its content, by date and time, and by the unique ID (UID) of the host in the monitored environment, and stores it in the preservation database 330.

The suspicious-behaviour detection module 312 compares the data stream (the host activity traces or network traffic described above) against the suspicious-behaviour detection rules in the rule database 340 to detect suspicious behaviour or attack events in it, and records the point in time at which each occurs. For network traffic, the data the rules compare may include, but are not limited to, IP addresses, ports, protocol headers (HTTP, SMTP, POP3, FTP, DNS and so on) and packet-content signatures. For host file activity, the rules may compare, but are not limited to, file-creation API calls, process-launch API calls, changes to scheduled-task startup and autostart settings/registry keys. When suspicious behaviour is found, the detection module 312 records the host name of the monitored host or the IP address in the corresponding network traffic, together with the date and time of the event.

The file extraction module 313 extracts suspicious file samples from the data stream based on the date and time of the suspicious event and the index. It takes the host name/IP address and the event time reported by the detection module 312, recovers the corresponding files from the preservation database 330, and stores the extracted samples in a compressed archive format. For example, the file extraction module 313 may name and index each recovered sample by its SHA-256 hash and store it in the suspicious sample database 350, after which the malware analysis module 320 runs automated malware analysis on it. Because extraction is confined to the flagged host and time rather than the whole archive, the apparatus 10 reduces the computing resources and time that file extraction consumes.
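The following is an added example, not code from the patent, showing how the preservation module 311 and file extraction module 313 described above fit together: events are indexed by host UID and timestamp, a (host, time) pair from the detection stage pulls back only the file contents preserved in that window, and each recovered file is archived compressed under its SHA-256 digest as the text suggests. The class and function names, the in-memory stores standing in for databases 330 and 350, the five-minute window and the sample events are all assumptions made for the demonstration.

```python
"""Added example: stand-ins for the preservation module (311), the suspicious
sample database (350) and the file extraction module (313). Every name, the
in-memory storage and the demo events are assumptions, not the patent's code."""
import bisect
import hashlib
import zlib
from datetime import datetime, timedelta

DEFAULT_WINDOW = timedelta(minutes=5)   # assumed extraction window around the flagged time


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class PreservationStore:
    """Records host file-activity / network artefacts, indexed by host UID and time."""

    def __init__(self):
        self._events = []   # every recorded event, in arrival order
        self._index = {}    # host_uid -> sorted list of (timestamp, position in _events)

    def record(self, host_uid, ts, source, path, content=b""):
        """Store one event; `source` is a free-form label such as "file_exec_api"."""
        pos = len(self._events)
        self._events.append({"host": host_uid, "ts": ts, "source": source,
                             "path": path, "content": content})
        bisect.insort(self._index.setdefault(host_uid, []), (ts, pos))
        return pos

    def lookup(self, host_uid, ts, window):
        """Events of host_uid with ts - window <= timestamp <= ts + window, via the index."""
        entries = self._index.get(host_uid, [])
        lo = bisect.bisect_left(entries, (ts - window, -1))
        hi = bisect.bisect_right(entries, (ts + window, len(self._events)))
        return [self._events[pos] for _, pos in entries[lo:hi]]


class SampleStore:
    """Suspicious sample database: compressed blobs keyed by SHA-256 hex digest."""

    def __init__(self):
        self._blobs = {}

    def put(self, content):
        digest = sha256_hex(content)
        self._blobs.setdefault(digest, zlib.compress(content))
        return digest

    def get(self, digest):
        return zlib.decompress(self._blobs[digest])

    def __len__(self):
        return len(self._blobs)


def extract_samples(store, samples, host_uid, ts, window=DEFAULT_WINDOW):
    """File extraction: take the (host, time) the detection stage flagged, pull the
    file contents preserved in that window, archive them and return their digests."""
    digests = [samples.put(ev["content"])
               for ev in store.lookup(host_uid, ts, window) if ev["content"]]
    return list(dict.fromkeys(digests))     # dedupe, keep first-seen order


def build_demo_store():
    """Constructed events (not real data): a benign note, a dropper that is
    executed and then removed on HOST-A, and unrelated traffic on HOST-B."""
    store = PreservationStore()
    t0 = datetime(2024, 1, 15, 10, 0, 0)
    dropper = b"MZ\x90\x00fake-dropper-body"
    store.record("HOST-A", t0 - timedelta(hours=1), "file_write",
                 r"C:\Users\u\notes.txt", b"meeting notes")
    store.record("HOST-A", t0, "file_exec_api", r"C:\Windows\Temp\upd.exe", dropper)
    store.record("HOST-A", t0 + timedelta(seconds=30), "file_remove_api",
                 r"C:\Windows\Temp\upd.exe", dropper)
    store.record("HOST-B", t0, "http_download", "/payload.bin", b"other-host-content")
    return store, t0


if __name__ == "__main__":
    store, t0 = build_demo_store()
    samples = SampleStore()
    for digest in extract_samples(store, samples, "HOST-A", t0):
        print(digest, len(samples.get(digest)), "bytes recovered")
```

The point of the index is that a removed file is still recoverable: the dropper was deleted thirty seconds after it ran, but the preserved copy of its contents at both events collapses to a single archived sample named by its hash, and nothing outside the flagged host and window is touched.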

The malware analysis module 320 analyses whether a suspicious file sample is malware on the basis of malware detection rules. It comprises four sub-modules: a reputation rating module 321, a static analysis module 322, a dynamic analysis module 323 and an intelligence feedback module 324. The reputation rating, static analysis and dynamic analysis modules each decide whether the sample is malware using a different kind of malware detection rule.

The reputation rating module 321 is the first module the malware analysis module 320 runs. It queries an intelligence system with the SHA-256 hash of the suspicious file sample; the intelligence system may be an external malware database or the malware intelligence database 360. If the sample already has a malware record, that record is read and the sample is classified as malware without further analysis (that is, neither the static analysis module 322 nor the dynamic analysis module 323 is run). If the reputation rating module 321 does not find the sample to be malware, the static analysis module 322 analyses it further.

The static analysis module 322 matches static signatures, including YARA rules, the executable's mutex information, its program database (PDB) information and its signature contents, to decide whether the sample is malware. Static analysis runs faster than the dynamic analysis module 323 and has a lower false-positive rate but a higher false-negative rate. If a static signature matches, the sample is classified as malware immediately and no further analysis is run (the dynamic analysis module 323 is skipped).

The dynamic analysis module 323 records the suspicious behaviour of the sample through sandbox analysis and analyses it dynamically. This takes more time, but it records every action of the sample in detail for use in later signature detection rules. The items recorded by the dynamic analysis module 323 are listed in Table 2.

Table 2. Items recorded by dynamic malware analysis
Type | Recorded item | Example of recorded content
File creation | Type of file created | (no example given)
File creation | Path of file created | C:\windows\system32\a.exe
File creation | Malware analysis result for the created file | malice score: 0.7
Network connection | Destination IP and service port | 168.95.1.1:53
Network connection | ICMP protocol content | 8.8.8.8
Network connection | HTTP protocol content | http://www.cht.com.tw
Network connection | DNS protocol content | www.google.com
Network connection | SMTP protocol content | HELO MAIL FROM annie@company.com; RCPT TO bob@company.com
Key API call | Network API | getaddrinfo
Key API call | File-system API | FindFirstFile
Key API call | Registry API | RegOpenKeyEx
Key API call | Process API | CreateProcess
Key API call | System service API | OpenService

After the sample has passed through these three modules, the malware analysis module 320 assigns it a malice score (for example, between 0.0 and 1.0). If the score is above the threshold, the sample is judged to be malware and marked as such. The intelligence feedback module 324 then extracts the key information of the malware, including but not limited to connection relay (command-and-control) servers, specific directories or file paths and registry key changes, automatically generates the corresponding suspicious-behaviour detection rules and/or malware detection rules, and feeds them back into the suspicious-behaviour detection rule database 340 and/or the malware intelligence database 360. The suspicious-behaviour analysis module 310 can then restart its analysis with the updated rules to find other suspicious files or malware that had not been discovered.

FIG. 2 is a flowchart of the main flow of a method 200 for detecting malware according to an embodiment of the invention; it can be carried out by the apparatus 10.

In step S210, the preservation module 311 records the data stream and builds an index of it. For example, the preservation module 311 may collect the TCP/IP-layer network packets of the monitored host and the file-activity traces on its system.

In step S220, the suspicious-behaviour detection module 312 detects suspicious behaviour in the data stream according to the suspicious-behaviour detection rules and records the point in time at which it occurred. For host file activity, for example, the module 312 can detect suspicious file creation, deletion and execution on the system from the host activity trace data; the compared attributes include, but are not limited to, file type, file hash, origin of the file, the parent process that executed the file and system registry keys. For network traffic, the module 312 matches against blacklisted IP addresses, high-risk protocols, suspicious file downloads or transfers, and the like. If the risk score of the suspicious behaviour found exceeds the risk score threshold set by the system, the method proceeds to step S230; otherwise it ends.
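The rule matching of step S220 (and of the detection module 312 described earlier), as an added example that is not part of the patent: constructed network-flow and host-event records for three hosts are scored against small rule sets, network traffic first and host file activity only if the network check did not already cross the threshold, which is the order of steps S310 and S320 in FIG. 3. The rule contents, the 0 to 100 point scale, the threshold of 60, the blacklist and the telemetry are assumptions for the demonstration.

```python
"""Added example: suspicious-behaviour detection (module 312 / step S220) over
constructed telemetry. Rules, point scale, threshold and data are assumptions."""
from datetime import datetime

BLACKLIST_IPS = {"203.0.113.7"}   # constructed; 203.0.113.0/24 is documentation address space
RISK_THRESHOLD = 60               # integer points on an assumed 0-100 scale

NETWORK_RULES = [  # (rule name, points, predicate over one network-flow record)
    ("destination on IP blacklist", 50,
     lambda f: f["dst_ip"] in BLACKLIST_IPS),
    ("high-risk cleartext protocol", 30,
     lambda f: f["proto"] in {"telnet", "ftp"}),
    ("executable fetched over HTTP", 40,
     lambda f: f["proto"] == "http"
     and f.get("uri", "").lower().endswith((".exe", ".dll", ".ps1"))),
]

HOST_RULES = [  # (rule name, points, predicate over one host file-activity record)
    ("autostart registry key modified", 50,
     lambda e: e["api"] == "RegSetValueEx"
     and "\\currentversion\\run" in e.get("key", "").lower()),
    ("executable written under Windows temp", 30,
     lambda e: e["api"] == "CreateFile"
     and e["path"].lower().startswith("c:\\windows\\temp\\")
     and e["path"].lower().endswith(".exe")),
    ("office application spawned a shell", 60,
     lambda e: e["api"] == "CreateProcess"
     and e.get("parent", "").lower() in {"winword.exe", "excel.exe"}
     and e["path"].lower().endswith(("cmd.exe", "powershell.exe"))),
]


def score_events(events, rules):
    """Apply every rule to every event. Returns (points capped at 100,
    matched rule names, time of the earliest matching event)."""
    total, names, first_ts = 0, [], None
    for ev in events:
        for name, points, pred in rules:
            if pred(ev):
                total += points
                names.append(name)
                if first_ts is None or ev["ts"] < first_ts:
                    first_ts = ev["ts"]
    return min(total, 100), names, first_ts


def check_host(host_id, net_flows, host_events, threshold=RISK_THRESHOLD):
    """Steps S310/S320: check network traffic first; look at host file activity
    only if the network score stayed below the threshold. Returns the
    (host, time) record the extraction module needs, or None."""
    for stage, events, rules in (("network", net_flows, NETWORK_RULES),
                                 ("host", host_events, HOST_RULES)):
        score, names, ts = score_events(events, rules)
        if score >= threshold:
            return {"host": host_id, "stage": stage, "score": score,
                    "rules": names, "ts": ts}
    return None


def demo_telemetry():
    """Constructed records for three hosts (not real data)."""
    t = datetime(2024, 1, 15, 10, 0, 0)
    flows = {
        "HOST-A": [{"ts": t, "proto": "telnet", "dst_ip": "203.0.113.7", "dst_port": 23}],
        "HOST-B": [{"ts": t, "proto": "http", "dst_ip": "198.51.100.5", "uri": "/index.html"}],
        "HOST-C": [{"ts": t, "proto": "https", "dst_ip": "198.51.100.9"}],
    }
    host_events = {
        "HOST-A": [],
        "HOST-B": [{"ts": t, "api": "CreateProcess", "parent": "WINWORD.EXE",
                    "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}],
        "HOST-C": [{"ts": t, "api": "CreateFile", "path": r"C:\Users\u\report.docx"}],
    }
    return flows, host_events


def run_detection(threshold=RISK_THRESHOLD):
    """Run the check for every host in the demo telemetry; None means nothing flagged."""
    flows, host_events = demo_telemetry()
    return {h: check_host(h, flows[h], host_events[h], threshold) for h in flows}


if __name__ == "__main__":
    for host, hit in run_detection().items():
        print(host, "->", hit or "no suspicious behaviour")
```

HOST-A is flagged from traffic alone (blacklisted destination plus Telnet), so its host traces are never examined; HOST-B passes the network check and is caught only by the host rule for an Office process launching PowerShell; HOST-C matches nothing and is not handed to extraction. Raising the threshold changes which stage, if any, produces the (host, time) record.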

In step S230, the file extraction module 313 extracts the suspicious file sample from the data stream based on the point in time of the suspicious behaviour and the index. For example, the file extraction module 313 obtains from step S220 the host name, IP address and date/time at which the suspicious behaviour occurred and uses them as index keys for the search within the suspicious-behaviour analysis module 310. It recovers the suspicious file sample with file restoration techniques and then dispatches the sample to the malware analysis module 320 for automated analysis.

In step S240, the malware analysis module 320 analyses the suspicious file sample for malware; the analysis method is described with FIG. 4 below. Once the analysis is complete, the malware analysis module 320 assigns the sample a malice score (for example, between 0.0 and 10.0). If the score is above the threshold, the sample is judged to be malware and the method proceeds to step S250; otherwise the sample is filed and the flow ends.

In step S250, the intelligence feedback module 324 gathers the information of the suspicious file sample that was judged to be malware, turns that information into detection rules (for example, suspicious-behaviour detection rules or malware detection rules), feeds the rules back to the suspicious-behaviour analysis module 310 and searches again, restarting a new round of the analysis flow to find other suspicious files or malware that had not been discovered. The malware information extracted by the intelligence feedback module 324 is listed in Table 3.

Table 3. Malware information extracted
Type | Malware content information
Static file content | Distinctive strings
Static file content | SHA-256 hash
Static file content | Fuzzy hash
Static file content | Executable mutex string
Static file content | Executable PDB information
Network connection behaviour | Destination IP address
Network connection behaviour | HTTP URL
Network connection behaviour | DNS query domain
Operating-system behaviour | Autostart setting/registry key
Operating-system behaviour | Name of system file written
Operating-system behaviour | Name of scheduled task written
Operating-system behaviour | Name of child process created
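The intelligence feedback of step S250, as an added example that is not the patent's code: the Table 3 items are pulled from a sample's bytes and its sandbox report, turned into a malware detection rule with the fields of the rule-format table at the end of the description and into suspicious-behaviour rules, and the new behaviour rules are re-applied to preserved events from other hosts so that a second compromised machine surfaces. The regular expressions, the report layout, the rule field names and the constructed sample and events are assumptions; the fuzzy hash of Table 3 is omitted because it needs a library such as ssdeep that is not in the standard library.

```python
"""Added example: intelligence feedback (module 324 / step S250). Regular
expressions, report layout, rule fields and all data are assumptions."""
import hashlib
import re
from datetime import datetime

URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
PDB_RE = re.compile(rb"[A-Za-z]:\\[^\x00]{1,200}?\.pdb")
MUTEX_RE = re.compile(rb"(?:Global|Local)\\[A-Za-z0-9_-]{4,64}")


def extract_intel(sample, report):
    """Collect the Table 3 items: static strings from the sample bytes, network
    and OS behaviour from the sandbox report (fuzzy hash omitted: needs ssdeep)."""
    def found(regex):
        return sorted({m.decode("ascii", "replace") for m in regex.findall(sample)})
    return {
        "sha256": hashlib.sha256(sample).hexdigest(),
        "mutexes": found(MUTEX_RE),
        "pdb_paths": found(PDB_RE),
        "urls": found(URL_RE),
        "ips": sorted({c.split(":")[0] for c in report["connections"]
                       if c.split(":")[0].replace(".", "").isdigit()}),
        "domains": sorted(set(report["dns_queries"])),
        "autostart_keys": [k for k in report["registry_writes"]
                           if "\\currentversion\\run" in k.lower()],
        "dropped_files": sorted(report["files_written"]),
        "scheduled_tasks": sorted(report["scheduled_tasks"]),
        "child_processes": sorted(report["child_processes"]),
    }


def make_rules(intel, family, score=0.6):
    """Build one malware detection rule (fields of the rule-format table, for
    database 360) and suspicious-behaviour rules (for database 340)."""
    malware_rule = {
        "name": f"{family} indicators ({intel['sha256'][:12]})",
        "description": "Generated from a confirmed sample: mutex "
                       + ", ".join(intel["mutexes"] or ["-"]) + "; C2 "
                       + ", ".join(intel["ips"] + intel["domains"] or ["-"]),
        "score": score, "category": "trojan", "family": family,
        "references": [], "author": "intel-feedback-module",
        "enabled": True, "alert": True,
        "indicators": {k: intel[k] for k in ("sha256", "mutexes", "pdb_paths", "urls")},
    }
    behaviour_rules = (
        [{"type": "network", "field": "dst_ip", "value": v} for v in intel["ips"]]
        + [{"type": "network", "field": "dns_query", "value": v} for v in intel["domains"]]
        + [{"type": "host", "field": "registry_key", "value": v} for v in intel["autostart_keys"]]
        + [{"type": "host", "field": "file_path", "value": v} for v in intel["dropped_files"]]
    )
    return malware_rule, behaviour_rules


def rescan(events, behaviour_rules):
    """Re-run the suspicious-behaviour check over preserved events with the new
    rules, so other hosts hit by the same campaign are found (the restart in S250)."""
    return [(ev["host"], ev["ts"], rule["field"], rule["value"])
            for ev in events for rule in behaviour_rules
            if ev["type"] == rule["type"]
            and ev.get(rule["field"], "").lower() == rule["value"].lower()]


# Constructed sample bytes, sandbox report and preserved events (not real data).
DEMO_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16
               + b"Global\\Win7z3Mutex\x00"
               + b"C:\\dev\\dropper\\Release\\dropper.pdb\x00"
               + b"http://203.0.113.7/gate.php\x00")
DEMO_REPORT = {
    "connections": ["203.0.113.7:80"],
    "dns_queries": ["update.example.net"],
    "registry_writes": ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"],
    "files_written": ["C:\\Windows\\Temp\\upd.exe"],
    "scheduled_tasks": ["\\Microsoft\\Windows\\UpdateCheck"],
    "child_processes": ["cmd.exe"],
}
_T = datetime(2024, 1, 16, 9, 30, 0)
DEMO_OTHER_EVENTS = [
    {"type": "network", "host": "HOST-C", "ts": _T, "dst_ip": "203.0.113.7"},
    {"type": "host", "host": "HOST-D", "ts": _T,
     "registry_key": "hkcu\\software\\microsoft\\windows\\currentversion\\run\\upd"},
    {"type": "network", "host": "HOST-E", "ts": _T, "dst_ip": "198.51.100.5"},
]


def demo():
    intel = extract_intel(DEMO_SAMPLE, DEMO_REPORT)
    malware_rule, behaviour_rules = make_rules(intel, "cryptolocker")
    return intel, malware_rule, rescan(DEMO_OTHER_EVENTS, behaviour_rules)


if __name__ == "__main__":
    intel, malware_rule, hits = demo()
    print(malware_rule["name"], "|", malware_rule["description"])
    for host, ts, field, value in hits:
        print(host, ts.isoformat(), field, value)
```

The rescan is where the loop closes: the rules derived from the sample on one host flag a beacon to the same address from HOST-C and the same Run-key value on HOST-D, each of which becomes a new (host, time) input for the extraction stage.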

FIG. 3 is a flowchart giving further detail of the suspicious-behaviour analysis of step S220; it can be carried out by the apparatus 10. Step S220 can be run as a periodic scheduled check (for example, with a default frequency of once per day) to monitor whether suspicious behaviour is present in the environment.

In step S310, the suspicious-behaviour detection module 312 matches the network traffic against the suspicious-behaviour rules. If the traffic of a host matches a suspicious-behaviour detection rule, the host's IP address and the date/time of the suspicious behaviour are recorded and passed to step S330; otherwise the flow proceeds to step S320 to check whether there is suspicious file behaviour on the host.

In step S320, the suspicious-behaviour detection module 312 matches the host file activity against the suspicious-behaviour rules. If a suspicious-behaviour detection rule matches, the matching host name and the date/time of the suspicious behaviour are recorded and passed to step S330; otherwise the flow ends.

In step S330, the file extraction module 313 uses the host's IP address, host name and date/time as parameters to recover the suspicious file sample from the data stream, and sends the sample to the malware analysis module 320 for automated analysis.

FIG. 4 is a flowchart giving further detail of the malware analysis of step S240; it can be carried out by the apparatus 10.

In step S410, the reputation rating module 321 computes the SHA-256 hash of the suspicious file sample and queries an intelligence system with it; the intelligence system may be an external malware database or the malware intelligence database 360. If the database already holds information on the sample, it can be marked as malware directly without further analysis. If the sample is unknown, the flow proceeds to step S420.

In step S420, the static analysis module 322 matches static content such as YARA rules, the executable's mutex, its PDB information and its signature contents. Static signature matching is considerably faster than the dynamic analysis of step S430. If a static signature matches, the sample is classified as malware directly; otherwise the flow proceeds to step S430.

In step S430, the dynamic analysis module 323 performs dynamic analysis in a sandbox. During analysis every action of the suspicious file sample in the monitored sandbox environment is recorded; the behaviour record is shown in Table 4.

Table 4. Dynamic malware analysis behaviour record
Type | Recorded item | Example of recorded content
File creation | Type of file created | (no example given)
File creation | Path of file created | C:\windows\system32\a.exe
File creation | Malware analysis result for the created file | malice score: 6.2
Network connection | Destination IP and service port | 168.95.1.1:53
Network connection | ICMP protocol content | 8.8.8.8
Network connection | HTTP protocol content | http://www.cht.com.tw
Network connection | DNS protocol content | www.google.com
Network connection | SMTP protocol content | HELO MAIL FROM annie@company.com; RCPT TO bob@company.com
Key API call | Network API | getaddrinfo
Key API call | File-system API | FindFirstFile
Key API call | Registry API | RegOpenKeyEx
Key API call | Process API | CreateProcess
Key API call | System service API | OpenService

In step S440, the malware analysis module 320 scores the maliciousness level. Specifically, each behaviour detection rule carries a score value (for example, between 0.0 and 1.0); the rule format is shown in Table 5 below. A suspicious file sample scores when its behaviour matches a detection rule. If the sample matches several rules at once, the total score is the sum of the individual scores. When the total exceeds a predefined threshold (for example, 0.6 by default), the suspicious file is marked as malware. If the total is below the threshold, the suspicious file showed no clear malware characteristics in any of the above modules, so it is marked as a normal program.

Table 5. Malware detection rule format

| Field | Description | Example of actual content |
|---|---|---|
| Name | Name of the signature | Ransomware-like suspicious file behaviour |
| Description | Detailed description of the malware | After execution, the analysed suspicious file opened, modified and saved-as a large number of files, in the manner of ransomware. |
| Maliciousness | Maliciousness (0.0 to 1.0) | 0.6 |
| Category | Category of the malware | Ransomware |
| Family | Family the malware belongs to | CryptoLocker virus |
| References | External links with supporting information | https://zh.wikipedia.org/wiki/CryptoLocker |
| Author | Author of the signature | None |
| Enabled | True: the signature is active; false: the signature is inactive | True |
| Alert | True: the signature is shown in the report; false: the signature is not shown in the report | True |

In step S450, the malware analysis module 320 marks the suspicious file sample as malware, using its SHA-256 hash as the primary index.

In step S460, the malware analysis module 320 marks the suspicious file sample as a normal program, using its SHA-256 hash as the primary index.
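As an added illustration of steps S410 to S460 (this is not code from the patent or its applicant), the following Python sketch chains the three stages the text describes: a SHA-256 reputation lookup, a byte-pattern static check that stands in for the YARA/mutex/PDB matching, and cumulative scoring of a Table 4 style behaviour record against rules in the Table 5 format, with the 0.6 threshold from the text. The verdict is keyed by the sample's SHA-256 as in S450/S460. All digests, signatures, rule values and behaviour records are constructed for the example; `analyze_sample` and the other names are the example's own.

```python
"""Added example: reputation lookup, static match, then cumulative behaviour scoring."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed reputation feed (stand-in for malware intelligence database 360).
# The only digest in it is that of KNOWN_BAD_BYTES, a constructed sample, not a real IoC.
KNOWN_BAD_BYTES = b"MZ\x90\x00constructed-known-sample"
KNOWN_MALWARE_SHA256: Dict[str, str] = {
    hashlib.sha256(KNOWN_BAD_BYTES).hexdigest(): "Constructed.Family.A",
}

# Constructed static signatures playing the role of YARA / mutex / PDB-path checks.
STATIC_SIGNATURES: Dict[str, bytes] = {
    "mutex_constructed": b"Global\\ConstructedMutex",
    "pdb_constructed": b"C:\\build\\dropper\\Release\\dropper.pdb",
}


@dataclass
class DetectionRule:
    """One behaviour rule in the Table 5 format (reference and author omitted)."""
    name: str
    description: str
    severity: float                      # maliciousness, 0.0 to 1.0
    category: str
    family: str
    matches: Callable[[dict], bool]      # predicate over a Table 4 style record
    enabled: bool = True
    alert: bool = True


@dataclass
class Verdict:
    sha256: str
    label: str                           # "malicious" or "normal"
    stage: str                           # step that decided: reputation / static / dynamic
    score: float
    matched: List[str] = field(default_factory=list)


# Constructed rules; the first mirrors the Table 5 sample (severity 0.6).
RULES: List[DetectionRule] = [
    DetectionRule("ransomware-like file activity",
                  "mass open/modify/save-as of files after execution",
                  0.6, "ransomware", "constructed",
                  lambda b: len(b.get("files_modified", [])) >= 20),
    DetectionRule("run-key persistence",
                  "writes a value under a CurrentVersion\\Run key",
                  0.3, "persistence", "constructed",
                  lambda b: any("\\currentversion\\run" in k.lower()
                                for k in b.get("registry_writes", []))),
    DetectionRule("contacts blacklisted host",
                  "connects to an address on a constructed blacklist",
                  0.5, "c2", "constructed",
                  lambda b: any(c.rsplit(":", 1)[0] == "203.0.113.7"
                                for c in b.get("connections", []))),
    DetectionRule("disabled rule", "never counted because enabled is false",
                  1.0, "test", "constructed", lambda b: True, enabled=False),
]


def static_match(data: bytes) -> Optional[str]:
    """S420: cheap byte-pattern check standing in for YARA/mutex/PDB matching."""
    for name, pattern in STATIC_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def score_behavior(behavior: dict, rules: List[DetectionRule]):
    """S440: sum the severity of every enabled rule the behaviour record matches."""
    total, hits = 0.0, []
    for rule in rules:
        if rule.enabled and rule.matches(behavior):
            total += rule.severity
            hits.append(rule.name)
    return round(total, 4), hits


def analyze_sample(data: bytes, behavior: dict,
                   rules: List[DetectionRule] = RULES, threshold: float = 0.6) -> Verdict:
    """Run S410 -> S420 -> S430/S440 and label the sample by its SHA-256 (S450/S460)."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_MALWARE_SHA256:                        # S410: known sample
        return Verdict(digest, "malicious", "reputation", 1.0,
                       [KNOWN_MALWARE_SHA256[digest]])
    hit = static_match(data)                                  # S420: static features
    if hit:
        return Verdict(digest, "malicious", "static", 1.0, [hit])
    score, hits = score_behavior(behavior, rules)             # S430/S440: sandbox record
    label = "malicious" if score > threshold else "normal"    # strictly above threshold
    return Verdict(digest, label, "dynamic", score, hits)


if __name__ == "__main__":
    # Constructed sandbox record for an unknown sample with no static hit.
    record = {"files_modified": [f"doc{i}.docx" for i in range(25)],
              "registry_writes": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"]}
    verdicts: Dict[str, Verdict] = {}
    for data, beh in [(KNOWN_BAD_BYTES, {}), (b"MZ\x00unknown-bytes", record)]:
        v = analyze_sample(data, beh)
        verdicts[v.sha256] = v                                # SHA-256 is the index
        print(v.sha256[:16], v.label, v.stage, v.score, v.matched)
```

Note that a single match of the 0.6 ransomware rule only equals the 0.6 default threshold, so on its own it yields "normal"; a second matching rule is needed to push the total above the threshold, which is the cumulative behaviour the text describes.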

Figure 5 is an example of the malware detection apparatus 10 of the invention applied to an actual system.

Step 1: system setup. The monitoring program 60 runs on a company's servers and hosts and sends the hosts' activity traces back to suspicious behaviour analysis module A. The router mirrors network traffic to suspicious behaviour analysis module B, which analyses the traffic; once the configuration has been verified, traffic monitoring begins. Both module A and module B can be implemented by the suspicious behaviour analysis module 310 of the invention.

Step 2: activity trace storage. Server traffic and file activity traces are stored together and indexed by date and by system IP address/hostname so that they can be retrieved later.

Step 3: suspicious behaviour analysis. The default analysis period is once per day. Suspicious behaviour analysis modules A and B automatically analyse the host traces or network traffic for suspicious behaviour. When the risk score of a suspicious behaviour exceeds the threshold, suspicious sample extraction is performed; otherwise the process ends.

Step 4: suspicious sample extraction. The malware detection apparatus 10 looks up the traffic and host activity trace store by the date and time at which the suspicious behaviour occurred and by the related host IP and hostname, restores the suspicious file using file restoration techniques, and analyses it automatically.

Step 5: suspicious sample analysis. The suspicious file undergoes static analysis, dynamic analysis and reputation/intelligence scoring, and the administrator is told after analysis whether it is malware; the administrator can use this report for follow-up or security incident investigation. If no malicious program is found, the process ends.

Step 6: sample intelligence feedback. Key information is extracted from the behaviour of the discovered malware, such as the command-and-control relay it connects to, the specific directories it writes or files it creates during execution, and the registry keys it writes, and this information is turned into suspicious behaviour detection rules and malware detection rules.

Step 7: threat intelligence generation. The suspicious behaviour detection rules and malware detection rules are imported into the suspicious behaviour analysis module and the malware analysis module respectively, and the stored traffic is searched for other malware implanted in the past, so as to find other compromised hosts and improve the administrator's visibility into the internal information systems.
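The store, index, flag, restore and feedback loop of steps 2 to 7, as an added Python example that is not the patent's or applicant's own code: activity records are indexed by (date, host IP, hostname), suspicious-behaviour rules with risk weights flag a host and date, files created on that host are restored from the stored records and keyed by SHA-256, and a fact from the sample's analysis (here a constructed command-and-control address) becomes a new rule that is re-run over all saved records to find hosts the first pass missed. The rule categories used (parent process of the created file, blacklisted IP) are two of those listed in claims 5 and 10. Every record, address, weight and function name is constructed for the example.

```python
"""Added example: index activity records, flag hosts, restore samples, feed rules back."""
import hashlib
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Constructed activity records, as a host monitor and a traffic tap would deliver them.
# "content" is the stored copy of a created file, which is what step 4 restores.
RECORDS: List[dict] = [
    {"ts": "2017-12-20T09:12:03", "ip": "10.0.0.5", "host": "fileserver-01",
     "event": "file_create", "path": "C:\\Users\\Public\\invoice.exe",
     "parent": "outlook.exe", "content": b"MZ\x90\x00constructed-dropper"},
    {"ts": "2017-12-20T09:12:09", "ip": "10.0.0.5", "host": "fileserver-01",
     "event": "net_connect", "dst": "203.0.113.7:443"},
    {"ts": "2017-12-20T10:00:00", "ip": "10.0.0.9", "host": "hr-pc-03",
     "event": "net_connect", "dst": "203.0.113.7:443"},
    {"ts": "2017-12-20T11:30:00", "ip": "10.0.0.12", "host": "dev-pc-07",
     "event": "file_create", "path": "C:\\Users\\dev\\notes.txt",
     "parent": "notepad.exe", "content": b"meeting notes"},
]

IndexKey = Tuple[str, str, str]                    # (date, host IP, hostname)
Rule = Tuple[str, float, Callable[[dict], bool]]   # (name, risk weight, predicate)


def build_index(records: Iterable[dict]) -> Dict[IndexKey, List[dict]]:
    """Step 2: key every stored record by date and host IP/hostname."""
    index: Dict[IndexKey, List[dict]] = defaultdict(list)
    for r in records:
        index[(r["ts"][:10], r["ip"], r["host"])].append(r)
    return index


def suspicious_rules(blacklist_ips: Set[str]) -> List[Rule]:
    """Step 3 rules (constructed weights): parent-process and blacklisted-IP categories."""
    return [
        ("executable created by mail client", 0.7,
         lambda r: r["event"] == "file_create"
         and r["path"].lower().endswith(".exe")
         and r.get("parent", "").lower() == "outlook.exe"),
        ("connection to blacklisted IP", 0.7,
         lambda r: r["event"] == "net_connect"
         and r["dst"].rsplit(":", 1)[0] in blacklist_ips),
    ]


def find_suspicious(index: Dict[IndexKey, List[dict]], rules: List[Rule],
                    threshold: float = 0.6) -> Dict[IndexKey, Tuple[float, str]]:
    """Step 3: per host/date, add the weight of every rule hit and keep totals over
    the threshold. Returns {key: (risk score, timestamp of the earliest hit)}."""
    findings: Dict[IndexKey, Tuple[float, str]] = {}
    for key, recs in index.items():
        score, first_ts = 0.0, None
        for r in recs:
            for _name, weight, pred in rules:
                if pred(r):
                    score += weight
                    first_ts = r["ts"] if first_ts is None else min(first_ts, r["ts"])
        if score > threshold:
            findings[key] = (round(score, 4), first_ts)
    return findings


def extract_samples(index: Dict[IndexKey, List[dict]], key: IndexKey) -> Dict[str, str]:
    """Step 4: restore files created on the flagged host/date, keyed by SHA-256."""
    return {hashlib.sha256(r["content"]).hexdigest(): r["path"]
            for r in index[key] if r["event"] == "file_create"}


def rules_from_analysis(blacklist_ips: Set[str], analysis: dict) -> List[Rule]:
    """Step 6: turn key facts from the sample's analysis into suspicious-behaviour rules.
    Only C2 addresses are used here; created paths or registry keys would be added alike."""
    return suspicious_rules(blacklist_ips | set(analysis.get("c2_ips", [])))


def newly_flagged(before: Dict[IndexKey, Tuple[float, str]],
                  after: Dict[IndexKey, Tuple[float, str]]) -> List[IndexKey]:
    """Step 7: hosts the re-scan with the new rules flags that the first pass did not."""
    return sorted(k for k in after if k not in before)


if __name__ == "__main__":
    idx = build_index(RECORDS)
    first = find_suspicious(idx, suspicious_rules(set()))
    for key, (score, ts) in first.items():
        print("suspicious:", key, "score", score, "first hit", ts)
        print("restored samples:", extract_samples(idx, key))
    analysis = {"c2_ips": ["203.0.113.7"]}      # constructed result of the step 5 analysis
    second = find_suspicious(idx, rules_from_analysis(set(), analysis))
    print("also compromised:", newly_flagged(first, second))
```

In the constructed data only the file server is flagged on the first pass; once the address the restored sample contacted is fed back as a blacklist rule, the re-scan of the same stored records also surfaces the HR workstation that talked to it, which is the step 7 effect of finding previously implanted hosts from saved traffic.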

In summary, the invention uses suspicious behaviour detection rules to filter out suspicious file samples and performs malware analysis only on those samples. This reduces the time and computing power spent on malware analysis and lightens the load on the system. In addition, the invention can restore possibly attacked files from endpoint traces and, based on those files, define new suspicious behaviour or malware detection rules with which to detect the next similar attack.

Features and effects of the invention:

Compared with the cited prior art and other conventional techniques, the malware detection method provided by the embodiments of the invention has the following advantages:

1. Through the sample backtracking mechanism of the invention, malware samples that the attacker has already wiped can be restored, which is of great help in security incident investigation.
2. Through the suspicious behaviour detection mechanism of the invention, a small number of compromised hosts and attack times can be filtered out of a large volume of records, and files are restored only from that raw data rather than from every stored record. This greatly reduces the consumption of computing resources and storage space.
3. The malware analysis method proposed by the invention combines external reputation intelligence, static feature detection and dynamic behaviour analysis, so malware can still be detected correctly when it is polymorphic, packed or obfuscated.
4. The system of the invention converts key information from malware samples into detection rules and feeds them back into the suspicious behaviour detection rule database and the malware signature database, helping users produce localised security threat intelligence.

Although the invention has been disclosed above by way of embodiments, they are not intended to limit it; anyone with ordinary skill in the art may make minor changes and refinements without departing from the spirit and scope of the invention, and the scope of protection of the invention is therefore defined by the appended claims.

Reference numerals:

10: apparatus
20: processor
200: method
30: storage unit
310: suspicious behaviour analysis module
311: storage module
312: suspicious behaviour detection module
313: file extraction module
320, A, B: malware analysis module
321: reputation rating module
322: static analysis module
323: dynamic analysis module
324: intelligence feedback module
330: storage database
340: suspicious behaviour detection rule database
350: suspicious sample database
360: malware intelligence database
60: host monitoring program
S210, S220, S230, S240, S250, S310, S320, S330, S410, S420, S430, S440, S450, S460: steps

Figure 1 is a malware detection apparatus according to an embodiment of the invention.
Figure 2 is a flowchart of the main flow of a malware detection method according to an embodiment of the invention.
Figure 3 is a flowchart further illustrating the suspicious behaviour analysis of step S220 according to an embodiment of the invention.
Figure 4 is a flowchart further illustrating the malware analysis of step S240 according to an embodiment of the invention.
Figure 5 is an example of the malware detection apparatus of the invention applied to an actual system.

Claims (10)

1. An apparatus for detecting malware, comprising: a storage unit storing a plurality of modules; and a processor coupled to the storage unit, which accesses and executes the modules stored in the storage unit, the modules comprising: a suspicious behaviour analysis module, comprising: a storage module that records a data stream and builds an index of the data stream; a suspicious behaviour detection module that detects, according to suspicious behaviour detection rules, suspicious behaviour present in the data stream and records the time point of the suspicious behaviour; and a file extraction module that, based on the time point and the index, extracts a suspicious file sample from the data stream, wherein the index comprises the date, Internet Protocol address and hostname corresponding to the suspicious behaviour; and a malware analysis module that determines whether the suspicious file sample is malware.

2. The apparatus of claim 1, wherein the malware analysis module analyses, based on malware detection rules, whether the suspicious file sample is malware, and the malware analysis module comprises: a reputation rating module that queries whether the suspicious file sample is known malware and, if so, determines that the suspicious file sample is malware; a static analysis module that determines whether the suspicious file sample is malware using at least one of YARA signature rules, executable mutex information, executable program database (PDB) information and executable signature content; and a dynamic analysis module that determines whether the suspicious file sample is malware using sandbox analysis.

3. The apparatus of claim 2, wherein the malware analysis module performs: scoring the maliciousness level of the suspicious file sample analysed by the malware detection rules, and determining that the suspicious file sample is malware if its maliciousness level exceeds a threshold.

4. The apparatus of claim 3, wherein the malware analysis module further comprises: an intelligence feedback module that reports information on the suspicious file sample determined to be malware, and generates a suspicious behaviour detection rule related to the suspicious file sample, or generates a malware detection rule related to the suspicious file sample.

5. The apparatus of claim 1, wherein the suspicious behaviour detection rules are associated with at least one of file type, file hash value, file creation source, parent process that executed the file, system registry key, blacklisted IP address, high-risk communication protocol, suspicious file download and suspicious file transfer.

6. A method for detecting malware, comprising: recording a data stream and building an index of the data stream; detecting, according to suspicious behaviour detection rules, suspicious behaviour present in the data stream and recording the time point of the suspicious behaviour; extracting, based on the time point and the index, a suspicious file sample from the data stream, wherein the index comprises the date, Internet Protocol address and hostname corresponding to the suspicious behaviour; and determining whether the suspicious file sample is malware.

7. The method of claim 6, further comprising analysing, based on malware detection rules, whether the suspicious file sample is malware, which comprises: querying whether the suspicious file sample is known malware and, if so, determining that the suspicious file sample is malware; determining whether the suspicious file sample is malware using at least one of YARA signature rules, executable mutex information, executable program database (PDB) information and executable signature content; and determining whether the suspicious file sample is malware using sandbox analysis.

8. The method of claim 7, further comprising: scoring the maliciousness level of the suspicious file sample analysed by the malware detection rules, and determining that the suspicious file sample is malware if its maliciousness level exceeds a threshold.

9. The method of claim 8, further comprising: reporting information on the suspicious file sample determined to be malware, and generating a suspicious behaviour detection rule related to the suspicious file sample, or generating a malware detection rule related to the suspicious file sample.

10. The method of claim 6, wherein the suspicious behaviour detection rules are associated with at least one of file type, file hash value, file creation source, parent process that executed the file, system registry key, blacklisted IP address, high-risk communication protocol, suspicious file download and suspicious file transfer.
TW106145575A 2017-12-25 2017-12-25 Method and apparatus for detecting malware TWI640891B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW106145575A TWI640891B (en) 2017-12-25 2017-12-25 Method and apparatus for detecting malware


Publications (2)

Publication Number Publication Date
TWI640891B true TWI640891B (en) 2018-11-11
TW201928746A TW201928746A (en) 2019-07-16

Family

ID=65034143


Country Status (1)

Country Link
TW (1) TWI640891B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI712912B (en) * 2019-09-27 2020-12-11 財團法人資訊工業策進會 Intrusion detection device and intrusion detection method
TWI740627B (en) * 2019-08-29 2021-09-21 新加坡商豐立有限公司 Methods and systems using an ai co-processor to detect anomalies caused by malware in storage devices

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TW201120635A (en) * 2009-12-02 2011-06-16 Inst Information Industry Monitor method, monitor apparatus and computer program product thereof for monitoring a data of a hardware
TW201224836A (en) * 2010-12-15 2012-06-16 Inst Information Industry Malware detection apparatus, malware detection method and computer program product thereof
TW201705035A (en) * 2015-07-23 2017-02-01 Chunghwa Telecom Co Ltd Method and system for rapidly screening information security risk hosts rapidly screening hosts with high hacking risks through various hacking indexes analyzed by a hacking risk analysis module
CN107247902A (en) * 2017-05-10 2017-10-13 深信服科技股份有限公司 Malware categorizing system and method



Also Published As

Publication number Publication date
TW201928746A (en) 2019-07-16
