WO2020019505A1 - Malicious software detection method and related device - Google Patents


Info

Publication number: WO2020019505A1
Application number: PCT/CN2018/108474
Authority: WO (WIPO, PCT)
Prior art keywords: software, execution, sandbox, target, under test
Other languages: French (fr), Chinese (zh)
Inventor: 郑彪
Original assignee: 平安科技(深圳)有限公司 (Ping An Technology (Shenzhen) Co., Ltd.)
Application filed by 平安科技(深圳)有限公司; publication of WO2020019505A1.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Definitions

  • The present application relates to the field of computer technology, and in particular to a malware detection method and related equipment.
  • Malware detection on the market is mainly divided into static and dynamic detection. Static detection requires collecting the characteristic information of known malware in advance, so it is not effective against newly released malware or variants of existing malware. Dynamic detection mainly runs a sample in a sandbox environment and collects the behavioural characteristics of the software to judge whether it will cause harm. At present, however, most malware can detect a sandbox environment, and because a sandbox differs greatly from a real production environment, the malware simply does not trigger its malicious behaviour; the ability of such detection to capture malware behaviour is therefore too weak and not fine-grained.
  • The embodiments of the present application provide a malware detection method and related equipment that can analyse the malicious behaviour of malware, which helps improve the granularity of malware detection.
  • In a first aspect, an embodiment of the present application provides a malware detection method, which includes:
  • if malicious behaviour exists in the software under test, determining that the software under test is malware and outputting the malicious behaviour corresponding to the software under test.
  • In a second aspect, an embodiment of the present application provides a malware detection apparatus, which includes units for executing the method of the first aspect.
  • In a third aspect, an embodiment of the present application provides a server. The server includes a processor, a network interface and a memory, connected to each other. The network interface is controlled by the processor and is used for receiving and sending messages. The memory is configured to store a computer program that supports the server in executing the foregoing method; the computer program includes program instructions, and the processor is configured to call those program instructions to execute the method of the first aspect.
  • In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium. The storage medium stores a computer program that includes program instructions which, when executed by a processor, cause the processor to execute the method of the first aspect.
  • When the server detects that the software under test has malicious behaviour, it can determine that the software under test is malware and output the malicious behaviour corresponding to it, which helps improve the granularity of malware detection.
  • FIG. 1 is a schematic diagram of the execution tree of the program corresponding to a software under test according to an embodiment of the present application.
  • FIG. 2 is a schematic flowchart of a malware detection method according to an embodiment of the present application.
  • FIG. 3 is a schematic flowchart of another malware detection method according to an embodiment of the present application.
  • FIG. 4 is a schematic block diagram of a malware detection apparatus according to an embodiment of the present application.
  • FIG. 5 is a schematic block diagram of a server according to an embodiment of the present application.
  • As noted above, malware detection on the market is divided into static and dynamic detection. Static detection depends on characteristic information of known malware collected in advance and is not effective against newly released malware or variants of existing malware. Dynamic detection runs the sample in a sandbox environment and collects its behavioural characteristics to judge whether it will cause harm; but most malware today can detect a sandbox environment, which differs greatly from a real production environment, and simply does not trigger its malicious behaviour. In addition, dynamic detection often focuses on only a few system APIs, so its ability to detect malicious behaviour is too weak and its granularity insufficient.
  • To address this, this application proposes a malware detection method. The server obtains the first configuration information of each of one or more sandboxes and the second configuration information of the software under test, and uses them to determine the target sandbox that matches the software under test among the one or more sandboxes. It then calls the target sandbox to perform symbolic execution analysis on the software under test, obtaining the equivalent execution path corresponding to each function of the software under test; calls the target sandbox to execute the target equivalent execution path, recording the execution trajectory and the system resources invoked while that path runs; and determines from the execution trajectory and the invoked system resources whether the software under test has malicious behaviour. If malicious behaviour exists, the software under test is determined to be malware and the malicious behaviour corresponding to it is output. The method thus not only decides whether the software under test is malware, but also outputs the malicious behaviour it exhibits, which is conducive to improving the granularity of malware detection.
  • The malware described in this application covers not only viruses, worms and Trojan horses that perform malicious tasks on computer systems, but also malicious web pages and malicious plug-ins, which are not complete software programs. Malicious web pages and plug-ins must be attached to some framework software (a malicious web page runs in a browser; a malicious plug-in has its own host software), and security analysis of this plug-in class is also included in the category of malware analysis.
  • For example, a Word document containing a macro virus can be taken as the input for analysis and detection, and the Office Word used to open the document is then treated as a component of the sandbox environment. Similarly, when a malicious web page is to be detected, the web page is the input and a common browser (Chrome, Edge, IE or Firefox) is treated as part of the sandbox environment; the remainder of the detection scheme is unchanged.
  • The sandbox described in this application is equivalent to a sandbox virtual machine in information security, that is, an execution environment that monitors and restricts the behaviour of software under a given security policy.
  • The system resources described in this application are resources that are not provided by the software under test itself but are required to execute the target equivalent execution path corresponding to the software under test. System resources can include graphics card drivers, wallet key parsing, network communications, CPU usage information, file system reads and writes, and so on. If the software under test is a reverse-connection (rebound) trojan, for example, the system resources include file system reads and writes, network ports opened, network packets sent and received, registry modifications used to hide its own process, and so on. System resources also include the target system interfaces of the target sandbox called during execution of the target equivalent execution path corresponding to the software under test.
  • The symbolic execution analysis described in this application (hereinafter, symbolic execution) is an important formal method and an analysis technique studied by the academic community. Its key idea is to replace the program input with symbolic values, so that the output computed by the program becomes a function of the symbolic input; this is the symbolisation process.
  • All execution paths of the program corresponding to the software under test can be expressed as a tree, the execution tree. Each branch of the tree represents the true or false direction taken at a branch statement, so an execution path of the program is usually a sequence of true and false outcomes. Obtaining the equivalent execution paths of all functions of the software under test by symbolic execution analysis is therefore the process of symbolic execution traversing the program's execution tree.
  • the example code of the program corresponding to the software under test is:
  • The execution tree corresponding to the above example is shown in FIG. 1. As FIG. 1 shows, the testme() function has three execution paths; the rounded rectangles hold the three sets of inputs corresponding to the three equivalent execution paths, and these three input sets between them traverse the whole program. The input set composed of all such input values is what this application calls the equivalent execution path of all functions of the software under test.
  • FIG. 2 is a schematic flowchart of a malware detection method according to an embodiment of the present application. The method is applied to a server in which one or more sandboxes are deployed in advance. As shown in the figure, the malware detection method may include:
  • Step 201: the server obtains the first configuration information of each of the one or more sandboxes and the second configuration information of the software under test, and according to the first configuration information of each sandbox and the second configuration information determines, among the one or more sandboxes, the target sandbox that matches the software under test.
  • The first configuration information may include the operating system version, kernel information and link libraries of each of the one or more sandboxes. The second configuration information may include verification information of the software under test (such as its MD5 value), the operating system versions on which the software under test can run, the link libraries it depends on, and so on; the first and second configuration information are thus related to each other. There may be one or more items of first configuration information: each sandbox may have different first configuration information, or several sandboxes may share the same first configuration information. The operating system version may include the operating system type, such as Windows or Linux, and may also include a version number, such as Windows 7 or Windows 10.
  • When the server detects the input of software under test, it obtains the second configuration information of that software and the first configuration information of each of the one or more sandboxes, and compares the second configuration information with the first configuration information of each sandbox in turn. If the first configuration information of any sandbox matches the second configuration information, that sandbox is determined to be the target sandbox.
  • For example, suppose the server has two sandboxes deployed in advance and the first configuration information is the operating system version of each sandbox: the first sandbox runs Windows and the second runs Linux. If the second configuration information is the operating system version required by the software under test, and that version is Linux, the server matches Linux against the operating system version of the second sandbox and determines the second sandbox to be the target sandbox.
  • Step 202: the server calls the target sandbox to perform symbolic execution analysis on the software under test, obtaining the equivalent execution path corresponding to each function of the software under test. Specifically, the server inputs the software under test into the target sandbox and calls the target sandbox to perform symbolic analysis on it; during the analysis the execution tree of the program corresponding to the software under test is traversed, yielding an input set for all functions of the software under test. Each array of input values in the input set corresponds to one equivalent execution path, and the input set as a whole is the equivalent execution path of all functions of the software under test.
  • Step 203: the server calls the target sandbox to execute the target equivalent execution path, and records the execution trajectory corresponding to that path and the system resources it calls. The target equivalent execution path is one or more of the equivalent execution paths corresponding to the functions of the software under test.
  • Step 204: the server determines, according to the execution trajectory and the system resources invoked, whether the software under test has malicious behaviour.
  • Step 205: if it does, the server determines that the software under test is malware and outputs the malicious behaviour corresponding to the software under test.
  • Optionally, the server may select one or more of the equivalent execution paths of all functions as target equivalent execution paths according to the historical execution frequency of each malware execution path in a preset sample library, choosing those whose historical execution frequency is greater than or equal to a preset execution frequency threshold. For example, if the execution frequency threshold is 60 and the historical execution frequencies of execution paths s1 and s2 in the preset sample library are 70 and 80 respectively, then after obtaining the equivalent execution paths of each function of the software under test, the server determines s1 and s2 among those paths to be target equivalent execution paths.
  • The server then calls the target sandbox to execute the target equivalent execution path and records the execution trajectory and the system resources called while it runs. There may be one or more target equivalent execution paths: if there are n of them, the server calls the target sandbox to execute all n and records the execution trajectory and called system resources of each, so the n target equivalent execution paths correspond to n execution trajectories and n sets of called system resources.
  • The system resources referred to here are as defined above: resources not provided by the software under test itself that are required to execute the target equivalent execution path (graphics card drivers, network communications, CPU usage information, file system reads and writes, registry modifications, network ports and packets, and so on), together with the system interfaces of the target sandbox called during execution of that path.
  • A sample library containing multiple malware samples (the preset sample library) may be established in advance; it stores each malware sample together with its malicious behaviours, which include the malicious execution trajectory of the malware and the system resources called while it ran. For example, if a malware sample performs a heap spray, it needs to call a virtual function through a forged virtual function table, and a stack-variable overflow occurs when the table is forged; the act of calling the virtual function through the forged table is the malicious execution trajectory of the heap spray.
  • The server compares the execution trajectory recorded while executing each target equivalent execution path with the malicious execution trajectory of each malware sample in the preset sample library. If the similarity between the recorded trajectory and the malicious execution trajectory of one or more samples (hereinafter, the target malware) is higher than a preset trajectory similarity threshold, the server further compares the system resources called while executing the target equivalent execution path with the system resources called while each target malware ran. If the similarity between those resources and the resources called by any target malware is higher than a preset resource similarity threshold, it is determined that the software under test has malicious behaviour, the malicious behaviour consisting of the execution trajectory of the target equivalent execution path and the system resources it called. When the server determines that the software under test has malicious behaviour, it determines that the software under test is malware and outputs the malicious behaviour, so that the user can see the malicious behaviour of the software under test directly, which helps improve the granularity of malware detection.
  • In summary, the server calls the target sandbox to perform symbolic execution analysis on the software under test to obtain the equivalent execution path of each function, calls the target sandbox to execute the target equivalent execution path while recording its execution trajectory and the system resources called, and then determines from the trajectory and the resources whether the software under test has malicious behaviour. If it does, the server determines that the software under test is malware and outputs the malicious behaviour, which improves the granularity of malware detection.
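  • The two-stage comparison described above (trajectory similarity first, then resource similarity), as an added example that is not code from this patent. Trajectory similarity is taken here as the normalised longest-common-subsequence length of the recorded call sequence, resource similarity as the Jaccard index of the resource sets; the patent does not fix either measure, and the thresholds, the sample library entries and the recorded trajectory are all constructed.

```python
"""
Added example, not code from the patent: the two-stage comparison of a recorded
execution trajectory and its called system resources against a preset sample
library. Trajectory similarity is normalised longest-common-subsequence length
over the recorded call sequence; resource similarity is the Jaccard index of
the resource sets. Threshold values and all sample data are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Sequence


@dataclass(frozen=True)
class MaliciousBehaviour:
    """One entry of the preset sample library: a known malware's malicious
    execution trajectory and the system resources it called while running."""
    name: str
    trace: Sequence[str]
    resources: FrozenSet[str]


@dataclass(frozen=True)
class Verdict:
    malicious: bool
    matched: Optional[str]      # name of the target malware, if any
    trace_score: float
    resource_score: float


def lcs_len(a: Sequence[str], b: Sequence[str]) -> int:
    """Length of the longest common subsequence of two call sequences."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def trace_similarity(a: Sequence[str], b: Sequence[str]) -> float:
    """LCS length normalised by the longer sequence, in [0, 1]."""
    if not a and not b:
        return 1.0
    return lcs_len(a, b) / max(len(a), len(b))


def resource_similarity(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """Jaccard index of two resource sets, in [0, 1]."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


# Constructed sample library; resource labels are hypothetical.
SAMPLE_LIBRARY = (
    MaliciousBehaviour(
        "reverse-connection trojan",
        ("socket", "connect", "CreateProcess", "WriteFile", "RegSetValue"),
        frozenset({"net:connect", "net:send", "fs:write", "reg:write:Run"}),
    ),
    MaliciousBehaviour(
        "mail worm",
        ("FindFirstFile", "CopyFile", "MAPISendMail", "socket", "send"),
        frozenset({"fs:read", "fs:write", "mail:send", "net:send"}),
    ),
)


def classify(trace: Sequence[str], resources: Iterable[str],
             library: Sequence[MaliciousBehaviour] = SAMPLE_LIBRARY,
             trace_threshold: float = 0.6,
             resource_threshold: float = 0.5) -> Verdict:
    """Stage 1: keep samples whose malicious trajectory is more similar than
    trace_threshold. Stage 2: of those, require resource similarity above
    resource_threshold. Report the best-scoring target malware."""
    used = frozenset(resources)
    best: Optional[Verdict] = None
    for sample in library:
        ts = trace_similarity(trace, sample.trace)
        if ts <= trace_threshold:
            continue
        rs = resource_similarity(used, sample.resources)
        if rs <= resource_threshold:
            continue
        if best is None or (ts, rs) > (best.trace_score, best.resource_score):
            best = Verdict(True, sample.name, ts, rs)
    return best or Verdict(False, None, 0.0, 0.0)


if __name__ == "__main__":
    # Constructed trajectory recorded from one target equivalent execution path.
    recorded = ("socket", "connect", "CreateProcess", "WriteFile",
                "RegSetValue", "ExitProcess")
    print(classify(recorded, {"net:connect", "net:send", "fs:write", "reg:write:Run"}))
```

  • The second stage is what keeps a trajectory that merely resembles a known sample from being reported: a path whose call sequence matches the trojan entry exactly but which touches none of its resources is rejected, which is the case a practitioner should test first when tuning the two thresholds.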
  • FIG. 3 is a schematic flowchart of another malware detection method according to an embodiment of the present application. The method is applied to a server in which one or more sandboxes are deployed in advance. As shown in the figure, the malware detection method may include:
  • Step 301: the server performs assembly-instruction-level translation and fragmentation processing on the system interfaces callable by the one or more sandboxes, obtaining the target system interfaces after translation and fragmentation.
  • Step 302: the server stores the target system interfaces, associated with the system interfaces of each sandbox, in a system interface library of the sandbox.
  • Specifically, the server may group the system interfaces callable by each sandbox, slice the assembly instructions corresponding to each group of system interfaces according to a preset rule, and insert corresponding non-functional assembly instructions between the slices (non-functional instructions are used for analysis records or for restricting behaviour), thereby realising assembly-instruction-level translation and fragmentation of each sandbox's callable system interfaces. The system interface obtained from each sandbox's translation and fragmentation processing (i.e. the target system interface) is associated with the system interface the sandbox can call and stored in the sandbox's system interface library.
  • The preset rule may be to slice using jump instructions as the marker. Slicing at jump instructions keeps the storage region operated on by each code fragment contiguous. Jumps deserve particular attention because malicious behaviour generally occurs after a jump, so slicing there allows the execution of each slice to be analysed and recorded, achieving fine-grained segmentation of assembly instructions oriented to security analysis, which helps improve the granularity of malware detection.
  • The system interfaces above need not be limited to operating system interfaces. For large open-source software (such as the browsers Chrome and Firefox, LibreOffice, and so on), the software's own interfaces can also be translated at assembly level and built into the system interface library, particularly the interfaces that malicious behaviour typically involves, so that they are recorded for later analysis. For example, translating at the cross-domain API inside the browser makes the cross-domain behaviour of the software under test observable, and hence the phishing behaviour of some malicious plug-ins. In this way more behaviour trajectories of the software under test can be captured, so the decision whether it is malware rests on more malicious behaviours, improving the accuracy of detection.
  • When modifying each sandbox, the direction of the transformation can also be adjusted according to the specific behaviour to be detected. For a worm, for instance, what matters is how it spreads infection, so the resource interfaces related to file access, reading and writing, and the mail-related interfaces, are given assembly-instruction-level translation and fragmentation; the information these interfaces record can then describe the specific path by which the software under test spreads infection. For monitoring theft of user passwords typed on the keyboard, the focus is on the transmission of input signals over the system bus, so the relevant system bus interfaces are translated and fragmented at assembly level.
  • Step 303: the server obtains the first configuration information of each of the one or more sandboxes and the second configuration information of the software under test, and according to them determines, among the one or more sandboxes, the target sandbox that matches the software under test.
  • Step 304: the server calls the target sandbox to perform symbolic execution analysis on the software under test, obtaining the equivalent execution path corresponding to each function of the software under test.
  • When calling the target sandbox to perform symbolic execution analysis on the software under test, the server can detect whether the current execution path of the function being analysed has reached a call to any system interface in the target sandbox's system interface library. If it has, the current execution path of the function is ended and an equivalent execution path corresponding to that path is generated.
  • Using execution up to a system interface as the constraint works because any software under test must complete certain functions, and as soon as it schedules resources outside itself it must call a system interface. When an execution path needs to call an external resource, stopping the path at that point does not affect its integrity. This constraint avoids infinite loops, prevents path explosion and reduces overhead.
  • Step 305: the server calls the target sandbox to execute the target equivalent execution path, and records the execution trajectory corresponding to that path and the system resources it calls. The target equivalent execution path is one or more of the equivalent execution paths corresponding to the functions of the software under test.
  • Specifically, the server may feed the array of input values corresponding to the target equivalent execution path into the sample program in the target sandbox, obtain the execution flow of the target equivalent execution path (the execution flow is a series of assembly instructions), slice that execution flow at the jump instructions preset in the target sandbox to obtain one or more execution flow fragments, and then perform the respective preset operation on each fragment, which further improves the granularity of malware detection. Different preset operations can be configured according to the function of each execution flow fragment: if the fragment's function is to access a resource interface, the preset operation may be an access operation; if its function is to modify the registry, the preset operation may be a modification operation. This application does not specifically limit this.
  • After slicing the execution flow at the jump instructions preset by the current system of the target sandbox and obtaining one or more execution flow fragments, the server may further introduce binary instrumentation into each execution flow fragment and call the instrumentation to record the execution trajectory produced by performing the respective preset operation on each fragment, together with the system resources each preset operation calls, further improving the granularity of malware detection.
  • A specific jump instruction may be used to determine the position of the instrumentation. Taking the most common unconditional jump, the assembly instruction jmp, as an example: its operand is related to a memory address, so modifying the operand makes the program corresponding to the software under test jump to the specified address and execute a prepared code segment in memory. In jmp 200H, for instance, "200H" is the operand.
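  • The jump-marked slicing, the insertion of non-functional recording instructions between slices, and the labelling of each fragment by the resource it reaches, as an added example that is not code from this patent. The disassembly listing, the probe mnemonic and the interface-to-resource table are constructed; calls and returns are treated as jumps here so that every system interface call closes a slice, which is a choice of this example rather than something the patent specifies.

```python
"""
Added example, not code from the patent: slice a disassembly listing at jump
instructions and insert non-functional probe pseudo-instructions between the
slices, then label each slice by the system resources it reaches through its
calls. The listing, the resource table and the probe mnemonic are constructed
for illustration; calls and returns are treated as jumps here so that every
interface call closes a slice.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Instr:
    addr: int
    mnemonic: str
    operands: str

    def is_jump(self) -> bool:
        # jmp, jcc, jcxz ... plus call/ret, which also transfer control.
        return self.mnemonic.startswith("j") or self.mnemonic in ("call", "ret")

    def text(self) -> str:
        return f"{self.addr:#010x}  {self.mnemonic} {self.operands}".rstrip()


# Constructed listing of one target equivalent execution path.
LISTING = """
0x401000  push ebp
0x401001  mov ebp, esp
0x401003  push 0
0x401005  push 0x80000000
0x40100a  call CreateFileA
0x40100f  test eax, eax
0x401011  jz 0x401030
0x401013  push eax
0x401014  call RegSetValueExA
0x401019  jmp 0x401040
0x401030  xor eax, eax
0x401032  leave
0x401033  ret
0x401040  push 0x200
0x401045  call connect
0x40104a  leave
0x40104b  ret
"""

# Hypothetical mapping from interface name to the system resource it touches.
RESOURCE_OF: Dict[str, str] = {
    "CreateFileA": "fs:access",
    "RegSetValueExA": "reg:modify",
    "connect": "net:connect",
}


def parse_listing(text: str) -> List[Instr]:
    instrs = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if not parts:
            continue
        addr, mnemonic = int(parts[0], 16), parts[1].lower()
        instrs.append(Instr(addr, mnemonic, parts[2] if len(parts) > 2 else ""))
    return instrs


def slice_at_jumps(instrs: List[Instr]) -> List[List[Instr]]:
    """Each slice runs up to and including the next control transfer, so the
    memory it operates on is a straight-line region."""
    slices, current = [], []
    for ins in instrs:
        current.append(ins)
        if ins.is_jump():
            slices.append(current)
            current = []
    if current:
        slices.append(current)
    return slices


def instrument(slices: List[List[Instr]]) -> List[str]:
    """Emit the listing with a non-functional probe after each slice; the
    probe is what a real build would turn into a recording stub."""
    out = []
    for i, sl in enumerate(slices, 1):
        out.extend(ins.text() for ins in sl)
        out.append(f"probe_record {i} ; added: records slice {i}, ending with {sl[-1].mnemonic}")
    return out


def fragment_resources(sl: List[Instr]) -> Set[str]:
    """System resources a slice reaches through its calls (unknown targets
    are reported as-is so nothing is silently dropped)."""
    found = set()
    for ins in sl:
        if ins.mnemonic == "call":
            found.add(RESOURCE_OF.get(ins.operands, f"call:{ins.operands}"))
    return found


if __name__ == "__main__":
    sl = slice_at_jumps(parse_listing(LISTING))
    print("\n".join(instrument(sl)))
    print([sorted(fragment_resources(s)) for s in sl])
```

  • The probe is deliberately a pseudo-instruction: a real recording stub inserted at that position must preserve the flags and the stack that the following slice expects (the jz above depends on the flags set by test), so the "non-functional" instructions the patent mentions have to save and restore that state before they can be considered non-functional.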
  • Step 306: the server determines, according to the execution trajectory and the system resources invoked, whether the software under test has malicious behaviour.
  • Step 307: if it does, the server determines that the software under test is malware and outputs the malicious behaviour corresponding to the software under test.
  • For specific implementations of steps 306 and 307, reference may be made to the descriptions of steps 204 and 205 in the foregoing embodiment; details are not repeated here.
  • When the server analyses the execution trajectory and the called system resources, it can exploit the strictly causal, step-by-step structure of most malware attack methods. If the execution trajectory of the software under test, compared with that of a sample malware in the preset sample library, differs only in some steps, the server determines the cause from the result of the sample's malicious behaviour: if the results are the same but the causes differ, a new malicious behaviour has been found, that is, the software under test can be judged to be a new type of malware exhibiting a new malicious behaviour. The attack methods and behaviours of the software under test can also be compared, or its affinity to known samples analysed, to detect whether it is a variant of known malware.
  • Further, a new detection rule corresponding to the new malicious behaviour may be generated and stored in the server in association with the new malicious behaviour, for subsequent distribution. This enables cloud detection and removal of new variants or new malware, so as to detect zero-day vulnerabilities.
  • Optionally, the server may also obtain the sample software feature value of a sample and compare it with the malware feature values of the malware in a preset software library. If the sample software feature value matches a malware feature value, the server determines that the sample is malware and checks whether the current detection mode is the preset detection mode; if it is, the server takes the sample as the software under test and triggers the step of obtaining the first configuration information of each of the one or more sandboxes and the second configuration information of the software under test.
  • When comparing, the server may determine that the sample software feature value matches the feature value of a given malware if the feature similarity between the two is greater than or equal to a preset feature similarity threshold, and that it does not match when the feature similarity with every malware feature value is below that threshold. If the sample software feature value matches no malware feature value, the server determines that the sample is not malware by this static check, still takes it as the software under test, and triggers the step of obtaining the first configuration information of each sandbox and the second configuration information of the software under test.
  • The preset detection mode may be set in advance by the user according to their own detection needs.
  • The preset detection mode can be, for example, an expert detection mode.
  • The expert detection mode not only detects that the software under test is malware but also identifies the malicious behaviours of that malware.
  • When the server determines that the sample software is malware and the current detection mode is not the preset detection mode, it can end detection directly and output an alarm message so that back-end operations and maintenance personnel can take follow-up action. Alternatively, the server may delete the software under test directly.
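The feature-matching triage described in the steps above, as an added example that is not part of the patent's own code. Feature values are modelled as sets of imported API names and feature similarity as the Jaccard index; the library entries, the 0.8 threshold, the sample feature values and the verdict names are all assumptions of this example. It also shows why a similarity threshold rather than an exact hash match is used: a variant that only adds one import still matches its family, while a variant that also swaps an import falls below the threshold and reaches the sandbox through the no-match path.

```python
"""Added example (not the patent's own code): feature-value matching against a
preset software library with a similarity threshold, followed by the
detection-mode gating described in the steps above.  Feature values are sets of
imported API names and similarity is the Jaccard index; library entries,
threshold and samples are constructed assumptions."""
from enum import Enum

SIMILARITY_THRESHOLD = 0.8  # assumed value of the preset feature similarity threshold


class Mode(Enum):
    DEFAULT = "default"
    EXPERT = "expert"          # the expert detection mode of the description


class Verdict(Enum):
    ALERT = "alert"                      # known malware, not expert mode: stop and alarm
    SANDBOX_KNOWN = "sandbox_known"      # known malware, expert mode: continue to sandbox analysis
    SANDBOX_UNKNOWN = "sandbox_unknown"  # no match: not known malware, still sent to the sandbox


# Constructed preset software library: family name -> feature value (imported APIs).
MALWARE_LIBRARY = {
    "miner_a": frozenset({"cuDeviceGet", "socket", "connect", "CreateFileA",
                          "ReadFile", "CryptImportKey"}),
    "revshell_b": frozenset({"WSAStartup", "socket", "connect", "CreateProcessA",
                             "RegSetValueExA", "CreatePipe"}),
}


def jaccard(a, b):
    """Feature similarity of two feature sets, in [0, 1]."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def best_match(feature_value, library=MALWARE_LIBRARY, threshold=SIMILARITY_THRESHOLD):
    """(family, similarity) of the most similar library entry if its similarity is
    at or above the threshold; None when every entry is below it (no match)."""
    sim, name = max((jaccard(feature_value, fv), name) for name, fv in library.items())
    return (name, sim) if sim >= threshold else None


def triage(feature_value, mode):
    """The decision the server takes before sandbox analysis."""
    match = best_match(feature_value)
    if match is None:
        return Verdict.SANDBOX_UNKNOWN, None
    if mode is Mode.EXPERT:
        return Verdict.SANDBOX_KNOWN, match
    return Verdict.ALERT, match


# Constructed samples.
VARIANT_ADDS_IMPORT = MALWARE_LIBRARY["miner_a"] | {"GetTickCount"}
VARIANT_SWAPS_IMPORT = (VARIANT_ADDS_IMPORT - {"CryptImportKey"}) | {"CryptAcquireContextA"}
BENIGN_COPY_TOOL = frozenset({"CreateFileA", "ReadFile", "WriteFile", "CloseHandle"})

if __name__ == "__main__":
    for label, fv in [("adds import", VARIANT_ADDS_IMPORT),
                      ("swaps import", VARIANT_SWAPS_IMPORT),
                      ("benign", BENIGN_COPY_TOOL)]:
        for mode in Mode:
            print(label, mode.value, triage(fv, mode))
```

The threshold is the knob a practitioner tunes: too low and a benign file-copy tool that shares a few file APIs with a miner gets flagged; too high and trivially repacked variants slip past into the unknown path. Either way the sample still reaches the sandbox stage, which is why the dynamic analysis in the following steps is the decisive check.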
  • The server may perform assembly-instruction-level translation and fragmentation processing on the system interfaces callable by each of the one or more sandboxes to obtain the target system interfaces after translation and fragmentation, and
  • store the target system interfaces and the corresponding system interfaces of each sandbox, associated with each other, in the system interface library of that sandbox.
  • In the embodiment of the present application, the target sandbox is called to perform symbolic execution analysis on the software under test to obtain the equivalent execution path corresponding to each function of the software under test;
  • the target sandbox is called to execute the target equivalent execution path, and
  • the execution trajectory and the called system resources of the software under test are recorded;
  • when the software under test exhibits malicious behaviour, it is determined to be malware, and
  • the malicious behaviour corresponding to the software under test is output, which helps to improve the granularity of malware detection.
  • An embodiment of the present application further provides a malware detection device, which is configured on a server in which one or more sandboxes are deployed in advance.
  • the apparatus includes a module for performing the method described in FIG. 2 or FIG. 3.
  • FIG. 4 it is a schematic block diagram of a malware detection apparatus according to an embodiment of the present application.
  • the malware detection apparatus of this embodiment includes:
  • an obtaining module 40 configured to obtain first configuration information of each sandbox in the one or more sandboxes and second configuration information of the software under test;
  • a determining module 41 configured to determine, among the one or more sandboxes, a target sandbox matching the software under test according to the first configuration information of each sandbox and the second configuration information obtained by the obtaining module;
  • a calling module 42 configured to call the target sandbox to perform symbolic execution analysis on the software under test to obtain an equivalent execution path corresponding to each function of the software under test;
  • the calling module 42 is further configured to call the target sandbox to execute a target equivalent execution path, and record the execution trajectory corresponding to the software under test executing the target equivalent execution path and the system resources called, where
  • the target equivalent execution path is one or more of the equivalent execution paths corresponding to the respective functions of the software under test;
  • the determining module 41 is further configured to determine whether the software under test exhibits malicious behaviour according to the execution trajectory and the called system resources and, when it is determined that the software under test exhibits the malicious behaviour, to determine that
  • the software under test is malware;
  • an output module 43 configured to output the malicious behaviour corresponding to the software under test when the determining module determines that the software under test is malware.
  • the apparatus further includes:
  • a processing module 44 configured to perform assembly-instruction-level translation and fragmentation processing on the system interfaces callable by each sandbox in the one or more sandboxes to obtain the target system interfaces after translation and fragmentation;
  • a storage module 45 configured to store the target system interfaces and the corresponding system interfaces of each sandbox, associated with each other, in the system interface library of that sandbox.
  • the calling module 42 is specifically configured, when performing symbolic execution analysis on the software under test, to detect whether the current execution path of a function obtained by the symbolic analysis reaches a call to any system interface in the system interface library of the target sandbox; if the current execution path of the function reaches such a system interface call, the current execution path of the function is terminated and the equivalent execution path corresponding to it is generated.
  • the calling module 42 is specifically configured to input the input value array corresponding to the target equivalent execution path into a sample program of the target sandbox to obtain the execution stream of the target equivalent execution path; to slice the execution stream according to a preset jump instruction of the target sandbox to obtain one or more execution stream fragments; and to perform the respective corresponding preset operations on the one or more execution stream fragments obtained by the slicing.
  • the apparatus further includes an instrumentation module 46 configured to introduce binary instrumentation into each of the one or more execution stream fragments;
  • the calling module 42 is further specifically configured to call the binary instrumentation to record the execution trajectory corresponding to the preset operations performed on the one or more execution stream fragments, and
  • the system resources called by those preset operations.
  • the obtaining module 40 is further configured to obtain a sample software feature value of a sample software and compare it with the malware feature values of the malware in a preset software library;
  • the determining module 41 is further configured, if it is determined that the sample software feature value matches a malware feature value, to determine that the sample software is malware and then detect whether the current detection mode is the preset detection mode; if the current mode is the preset detection mode, the sample software is taken as the software under test and the step of obtaining the first configuration information of each sandbox in the one or more sandboxes and the second configuration information of the software under test is triggered;
  • the determining module 41 is further configured to determine that the sample software is not known malware if it is determined that the sample software feature value does not match the malware feature values, to take the sample software as the software under test, and to trigger the step of obtaining the first configuration information of each sandbox in the one or more sandboxes and the second configuration information of the software under test.
  • the determining module 41 is further configured to determine, according to the historical execution frequency of each malware execution path in the preset sample library, one or more of the equivalent execution paths corresponding to the respective functions as the target equivalent execution path, where
  • the historical execution frequency of the target equivalent execution path is greater than or equal to a preset execution frequency threshold.
  • FIG. 5 is a schematic block diagram of a server provided by an embodiment of the present application, and the server is pre-deployed with one or more sandboxes.
  • the server includes a processor 501, a memory 502, and a network interface 503.
  • the processor 501, the memory 502, and the network interface 503 may be connected through a bus or other manners.
  • connection through a bus is taken as an example.
  • the network interface 503 is controlled by the processor to send and receive messages, the memory 502 is used to store a computer program, the computer program includes program instructions, and the processor 501 is used to execute the program instructions stored in the memory 502.
  • the processor 501 is configured to call the program instructions to execute: acquiring first configuration information of each sandbox in the one or more sandboxes and second configuration information of the software under test, and determining, among the one or more sandboxes and according to the first configuration information of each sandbox and the second configuration information, a target sandbox matching the software under test; calling the target sandbox to perform
  • symbolic execution analysis on the software under test to obtain the equivalent execution path corresponding to each function of the software under test; calling the target sandbox to execute a target equivalent execution path, and recording the execution trajectory corresponding to the software under test executing the target equivalent execution
  • path and the system resources called, where the target equivalent execution path is one or more of the equivalent execution paths corresponding to the respective functions of the software under test; determining, according to the execution trajectory and the called system resources, whether the software under test exhibits malicious behaviour; and, when it does, determining that the software under test is malware and outputting the malicious behaviour corresponding to the software under test.
  • the processor 501 may be a central processing unit (CPU); it may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like.
  • a general-purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
  • the memory 502 may include a read-only memory and a random access memory, and provide instructions and data to the processor 501. A part of the memory 502 may further include a non-volatile random access memory. For example, the memory 502 may also store information of a device type.
  • the processor 501, the memory 502 and the network interface 503 described in this embodiment of the present application may carry out the implementation described in the method embodiments shown in FIG. 2 or FIG. 3, and may also carry out the implementation of the malware detection apparatus described in the embodiments of the present application; details are not repeated here.
  • a computer-readable storage medium stores a computer program, where the computer program includes program instructions which, when executed by a processor, implement: obtaining the first configuration information of each sandbox in the one or more sandboxes and the second configuration information of the software under test, and, according to the first configuration information of each sandbox and the second configuration information,
  • determining a target sandbox matching the software under test among the one or more sandboxes; calling the target sandbox to perform symbolic execution analysis on the software under test to obtain the equivalent execution path corresponding to each function of the software under test;
  • calling the target sandbox to execute a target equivalent execution path, and recording the execution trajectory corresponding to the software under test executing the target equivalent execution path and the system resources called, where the target equivalent execution
  • path is one or more of the equivalent execution paths corresponding to each function of the software under test; determining, according to the execution trajectory and the called system resources, whether
  • the software under test exhibits malicious behaviour; and, when the software under test exhibits the malicious behaviour, determining that it is malware and outputting the malicious behaviour corresponding to the software under test.
  • the computer-readable storage medium may be an internal storage unit of the server of any of the foregoing embodiments, such as a hard disk or memory of the server.
  • the computer-readable storage medium may also be an external storage device of the server, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash card provided on the server.
  • the computer-readable storage medium may further include both an internal storage unit of the server and an external storage device.
  • the computer-readable storage medium is used to store the computer program and the other programs and data required by the server.
  • the computer-readable storage medium may also be used to temporarily store data that has been or will be output.
  • the program may be stored in a computer-readable storage medium, and
  • when the program is executed, it may include the processes of the method embodiments described above.
  • the storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a random access memory (RAM).

Abstract

Embodiments of the present application disclose a malicious software detection method and a related device. The method comprises: acquiring first configuration information of each sandbox of one or more sandboxes and second configuration information of software under test, and determining, according to the first configuration information of each sandbox and the second configuration information, a target sandbox among the one or more sandboxes that matches the software; calling the target sandbox to perform symbolic execution analysis on the software, so as to acquire an equivalent execution path corresponding to each function of the software; calling the target sandbox to execute a target equivalent execution path, and recording the execution trajectory and the called system resources corresponding to the software executing the target equivalent execution path; determining, according to the execution trajectory and the called system resources, whether the software has a malicious behavior; and, if the software has a malicious behavior, determining that the software is malicious software and outputting the malicious behavior corresponding to the software. The present application improves the granularity of malicious software detection.

Description

Malware detection method and related equipment
This application claims priority from the Chinese patent application filed with the Chinese Patent Office on July 27, 2018, application number 201810851519.9, entitled "A Malware Detection Method and Related Equipment", the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of computer technology, and in particular to a malware detection method and related equipment.
Background
With the rapid development of computer technology and the wide deployment of websites, mobile terminals and the app services running on them, the security of server systems has received growing attention, and new malware appears continually. Malware detection products currently on the market fall into two categories, static and dynamic. Static detection requires collecting feature information about known malware in advance, so it performs poorly against newly emerged malware and variants of existing malware. Dynamic detection mainly runs the sample in a sandbox environment and collects the software's behavioural characteristics to judge whether it would cause harm; however, most current malware can detect a sandbox environment, and the considerable difference between a sandbox and a real production environment means the malware does not trigger its malicious behaviour, so the ability to detect malware behaviour is too weak and insufficiently fine-grained.
Summary of the invention
Embodiments of the present application provide a malware detection method and related equipment that can identify the malicious behaviour present in malware, which helps to improve the granularity of malware detection.
In a first aspect, an embodiment of the present application provides a malware detection method, which includes:
acquiring first configuration information of each sandbox among the one or more sandboxes and second configuration information of the software under test, and determining, among the one or more sandboxes and according to the first configuration information of each sandbox and the second configuration information, a target sandbox that matches the software under test;
calling the target sandbox to perform symbolic execution analysis on the software under test, so as to obtain the equivalent execution path corresponding to each function of the software under test;
calling the target sandbox to execute a target equivalent execution path, and recording the execution trajectory and the called system resources corresponding to the software under test executing the target equivalent execution path, where the target equivalent execution path is one or more of the equivalent execution paths corresponding to the respective functions of the software under test;
determining, according to the execution trajectory and the called system resources, whether the software under test exhibits malicious behaviour;
when the software under test exhibits the malicious behaviour, determining that the software under test is malware, and outputting the malicious behaviour corresponding to the software under test.
In a second aspect, an embodiment of the present application provides a malware detection apparatus, which includes units for performing the method of the first aspect.
In a third aspect, an embodiment of the present application provides a server. The server includes a processor, a network interface and a memory, which are connected to one another. The network interface is controlled by the processor to send and receive messages; the memory stores a computer program that enables the server to perform the above method, the computer program including program instructions; and the processor is configured to call the program instructions to perform the method of the first aspect.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium storing a computer program. The computer program includes program instructions which, when executed by a processor, cause the processor to perform the method of the first aspect.
With the present application, when the server detects that the software under test exhibits malicious behaviour, it can determine that the software under test is malware and output the malicious behaviour corresponding to it, which helps to improve the granularity of malware detection.
Brief description of the drawings
FIG. 1 is a schematic diagram of the execution tree of a program corresponding to software under test, according to an embodiment of the present application;
FIG. 2 is a schematic flowchart of a malware detection method according to an embodiment of the present application;
FIG. 3 is a schematic flowchart of another malware detection method according to an embodiment of the present application;
FIG. 4 is a schematic block diagram of a malware detection apparatus according to an embodiment of the present application;
FIG. 5 is a schematic block diagram of a server according to an embodiment of the present application.
Detailed description
The technical solutions in the embodiments of the present application are described below clearly and completely with reference to the drawings of those embodiments. Evidently, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the present application without creative effort fall within the protection scope of the present application.
Malware detection products currently on the market fall into two categories, static and dynamic. Static detection requires collecting feature information about known malware in advance, so it performs poorly against newly emerged malware and variants of existing malware. Dynamic detection mainly runs the sample in a sandbox environment and collects the software's behavioural characteristics to judge whether it would cause harm; however, most current malware can detect a sandbox environment, and the considerable difference between a sandbox and a real production environment means the malware does not trigger its malicious behaviour. Moreover, dynamic detection usually watches only a very small number of system APIs, so its ability to detect malware behaviour is too weak and insufficiently fine-grained.
To solve the above problems, the present application proposes a malware detection method that acquires the first configuration information of each of one or more sandboxes and the second configuration information of the software under test, determines among the one or more sandboxes, according to the first and second configuration information, a target sandbox that matches the software under test, calls the target sandbox to perform symbolic execution analysis on the software under test to obtain the equivalent execution path corresponding to each of its functions, calls the target sandbox to execute a target equivalent execution path while recording the execution trajectory and the system resources called, and then determines from the execution trajectory and the called system resources whether the software under test exhibits malicious behaviour. When it does, the software under test is determined to be malware and its corresponding malicious behaviour is output. This not only determines whether the software under test is malware but, when it is, also outputs the malicious behaviour concerned, which helps to improve the granularity of malware detection.
The malware described in the present application covers not only programs such as viruses, worms and trojans that perform malicious tasks on a computer system, but also malicious web pages and malicious plug-ins, which are not complete software programs in themselves. Malicious web pages and plug-ins merely need to attach to certain framework software (a malicious web page runs in a browser, and a malicious plug-in likewise has its corresponding host framework), and the security analysis of such plug-in-type objects is included within the scope of malware analysis. For example, a Word document containing a macro virus can be regarded as the input to analysis and detection, while the Office Word used to open the document is regarded as part of the sandbox environment configuration; similarly, to detect a malicious web page, the page is regarded as the input and a general-purpose browser such as Chrome, Edge, IE or Firefox is regarded as part of the sandbox environment, with the rest of the detection scheme unchanged.
The sandbox described in the present application is equivalent to a sandbox virtual machine in information security, where the term refers specifically to an execution environment that monitors and restricts software behaviour under a defined security policy.
The system resources described in the present application may include the resources, not provided by the software under test itself, that are needed to execute the target equivalent execution path of the software under test. For example, if the software under test is a cryptocurrency miner, the system resources may include the graphics card driver, wallet key parsing, network communication, CPU usage information, file system read and write access, and so on. If the software under test is a reverse shell, the system resources include file system read and write access, opened network ports, network packets sent and received, registry keys modified to hide its own process, and so on. The system resources also include the target system interfaces of the target sandbox that are called while the target equivalent execution path of the software under test is executed.
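The fragmentation, instrumentation and resource-based decision described in the apparatus above (slicing the execution stream at a preset jump instruction, having the binary instrumentation record which system interfaces each fragment calls, and judging behaviour from the system resources used), as an added example rather than the patent's own code. The two malicious traces and the benign one, the sandbox's system interface library, the resource classes and the behaviour rules are all constructed for illustration; the rules encode the mining and reverse-shell resource sets given just above as ordered sequences, so the causal order of the calls, not merely their presence, decides the verdict.

```python
"""Added example (not the patent's own code): slice a recorded execution stream
at a preset jump instruction, let a stand-in for binary instrumentation record
the system interfaces each fragment calls, and judge malicious behaviour from
the ordered system resources used.  The interface library, resource classes,
behaviour rules and traces are all constructed for illustration."""
import re

# Assumed preset jump instructions that close a fragment: the j* family and ret.
JUMP_RE = re.compile(r"^(j[a-z]+|ret)$")

# Constructed system interface library of the target sandbox: interface -> resource class.
SYSTEM_INTERFACES = {
    "CreateFileA": "filesystem", "ReadFile": "filesystem", "WriteFile": "filesystem",
    "CryptImportKey": "wallet_key",
    "cuDeviceGet": "gpu_driver",
    "WSAStartup": "network", "socket": "network", "connect": "network",
    "CreateProcessA": "process",
    "RegSetValueExA": "registry_hide",
}

# Behaviour rules as ordered resource sequences, after the description's examples:
# a miner parses a wallet key, drives the GPU and talks to the network; a reverse
# shell opens the network, spawns a process and hides itself through the registry.
BEHAVIOUR_RULES = {
    "cryptocurrency mining": ["wallet_key", "gpu_driver", "network"],
    "reverse shell": ["network", "process", "registry_hide"],
}


def parse_stream(text):
    """'addr mnemonic [operands]' lines -> list of (addr, mnemonic, operands)."""
    insns = []
    for line in text.strip().splitlines():
        parts = line.split(maxsplit=2)
        insns.append((parts[0], parts[1].lower(), parts[2] if len(parts) > 2 else ""))
    return insns


def slice_stream(insns, jump_re=JUMP_RE):
    """Cut the execution stream after every jump instruction -> list of fragments."""
    fragments, current = [], []
    for insn in insns:
        current.append(insn)
        if jump_re.match(insn[1]):
            fragments.append(current)
            current = []
    if current:
        fragments.append(current)
    return fragments


def instrument(fragments, library=SYSTEM_INTERFACES):
    """Stand-in for the binary instrumentation: per fragment, record the system
    interfaces called and their resource classes.  The list is the execution trajectory."""
    trajectory = []
    for idx, frag in enumerate(fragments):
        calls = [ops for _, mn, ops in frag if mn == "call" and ops in library]
        trajectory.append({"fragment": idx, "start": frag[0][0], "calls": calls,
                           "resources": [library[c] for c in calls]})
    return trajectory


def is_subsequence(pattern, seq):
    """True if every element of pattern occurs in seq, in the same order."""
    it = iter(seq)
    return all(any(item == want for item in it) for want in pattern)


def detect(trajectory, rules=BEHAVIOUR_RULES):
    """Behaviours whose resource sequence appears, in order, in the trajectory."""
    resources = [r for step in trajectory for r in step["resources"]]
    return [name for name, pattern in rules.items() if is_subsequence(pattern, resources)]


def analyse(stream_text):
    fragments = slice_stream(parse_stream(stream_text))
    trajectory = instrument(fragments)
    return {"fragments": len(fragments), "trajectory": trajectory,
            "behaviours": detect(trajectory)}


# Constructed execution streams (addresses and instructions are invented).
MINER_STREAM = """
0x401000 push ebp
0x401001 mov ebp, esp
0x401003 call CreateFileA
0x401008 test eax, eax
0x40100a jz 0x401040
0x40100c call ReadFile
0x401011 call CryptImportKey
0x401016 jmp 0x401030
0x401030 call cuDeviceGet
0x401035 call socket
0x40103a call connect
0x40103f ret
"""

REVSHELL_STREAM = """
0x402000 call WSAStartup
0x402005 call socket
0x40200a call connect
0x40200f test eax, eax
0x402011 jnz 0x402020
0x402020 call CreateProcessA
0x402025 call RegSetValueExA
0x40202a ret
"""

COPY_TOOL_STREAM = """
0x403000 call CreateFileA
0x403005 call ReadFile
0x40300a call WriteFile
0x40300f ret
"""

if __name__ == "__main__":
    for name, stream in [("miner", MINER_STREAM), ("revshell", REVSHELL_STREAM),
                         ("copy tool", COPY_TOOL_STREAM)]:
        r = analyse(stream)
        print(name, r["fragments"], "fragments ->", r["behaviours"] or "no malicious behaviour")
```

Because the rule is an ordered subsequence over the whole trajectory, the file-copy tool that touches the same file system interfaces as the miner is not flagged, and a sample that merely imports socket functions without ever reaching a process spawn never matches the reverse-shell rule. The fragment index kept with each step is what lets the output point at the exact slice that produced the malicious behaviour, which is the fine-grained result the method is after.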
The symbolic execution analysis (hereinafter symbolic execution) described in the present application is an important formal method and an analysis technique studied in academia. The key idea of symbolic execution is to treat the inputs as symbolic values, so that the output the program computes is a function of the symbolic inputs; this is the symbolization process. In the embodiments of the present application, all execution paths of the program corresponding to the software under test can be represented as a tree, the execution tree, in which each fork corresponds to the true and false branches of a branch statement, so an execution path of the program is usually a sequence of true and false decisions. The equivalent execution paths of all functions of the software under test obtained by symbolic execution analysis are, in effect, the result of symbolic execution traversing the program's execution tree.
For example, the program corresponding to the software under test may have the following example code:
#include <stdlib.h>          /* abort(): the reachable error state the analysis should find */
#define ERROR abort()

int twice(int v) {
    return 2 * v;
}

void testme(int x, int y) {
    int z = twice(y);
    if (z == x) {             /* first branch: path condition 2*y == x */
        if (x > y + 10) {     /* second branch: path condition x > y + 10 */
            ERROR;
        }
    }
}
The execution tree corresponding to the example above is shown in FIG. 1. As FIG. 1 shows, the testme() function has three execution paths; the rounded rectangles are the three sets of inputs corresponding to the three equivalent execution paths, and these three input sets are enough to traverse the whole program. The three input value arrays are (x=0; y=1), (x=2; y=1) and (x=30; y=15). The purpose of symbolic execution is to generate such an input set, in which each input value array (such as x=0; y=1) corresponds to one equivalent execution path. The input set made up of all the input value arrays is the set of equivalent execution paths of all functions of the software under test described in the present application.
Referring to FIG. 2, FIG. 2 is a schematic flowchart of a malware detection method provided by an embodiment of the present application. The method is applied to a server on which one or more sandboxes are deployed in advance. As shown in the figure, the malware detection method may include:
201. The server obtains first configuration information of each of the one or more sandboxes and second configuration information of the software under test, and determines, among the one or more sandboxes, a target sandbox matching the software under test according to the first configuration information of each sandbox and the second configuration information.
The first configuration information may include the operating system version, kernel information, linked libraries, and so on of each of the one or more sandboxes; the second configuration information may include verification information of the software under test itself (such as an MD5 value), the operating system version on which the software under test can run, the linked libraries the sample software depends on at run time, and so on. The first configuration information and the second configuration information are correlated with each other. There may be one or more items of first configuration information; specifically, each sandbox may correspond to its own first configuration information, or multiple sandboxes may share the same first configuration information. The operating system version may include an operating system type, such as Windows or Linux, and may also include an operating system version number, such as Windows 2007 or Windows 2010.
In one embodiment, when the server detects that software under test has been input, it may obtain the second configuration information of the software under test and the first configuration information of each of the one or more sandboxes, and compare the second configuration information with the first configuration information corresponding to each sandbox. If the first configuration information of any sandbox is determined to match the second configuration information, that sandbox is determined to be the target sandbox.
For example, the server has two sandboxes deployed in advance and the first configuration information is the operating system version of each sandbox, where the operating system version of the first sandbox is Windows and that of the second sandbox is Linux; the second configuration information is the operating system version of the software under test, which is Linux. In this case, after obtaining the operating system version of each sandbox and that of the software under test, the server can determine that the operating system version of the software under test, Linux, matches the operating system version of the second sandbox, Linux, and can therefore determine the second sandbox to be the target sandbox.
202. The server invokes the target sandbox to perform symbolic execution analysis on the software under test, so as to obtain the equivalent execution paths corresponding to the respective functions of the software under test.
In one embodiment, after determining the target sandbox matching the software under test, the server may input the software under test into the target sandbox and invoke the target sandbox to perform symbolic execution analysis on it. During the symbolic execution analysis, the execution tree of the program corresponding to the software under test is traversed to obtain the input set of all functions of the software under test. Each input value array in this input set corresponds to one equivalent execution path, and the input set constitutes the equivalent execution paths of all functions of the software under test.
203. The server invokes the target sandbox to execute a target equivalent execution path, and records the execution trace produced when the software under test executes the target equivalent execution path together with the system resources invoked. The target equivalent execution path is one or more of the equivalent execution paths corresponding to the respective functions of the software under test.
204. The server determines, according to the execution trace and the invoked system resources, whether the software under test exhibits malicious behavior.
205. When the software under test exhibits malicious behavior, the server determines that the software under test is malware and outputs the malicious behavior corresponding to the software under test.
In one embodiment, after obtaining the equivalent execution paths corresponding to the respective functions of the software under test, the server may further determine one or more of the equivalent execution paths of all functions to be target equivalent execution paths according to the historical execution frequency of each malware execution path in a preset sample library, where the historical execution frequency of a target equivalent execution path is greater than or equal to a preset execution frequency threshold.
For example, the execution frequency threshold is 60, and the historical execution frequencies of execution path s1 and execution path s2 in the preset sample library are 70 and 80 respectively. In this case, after obtaining the equivalent execution paths corresponding to the respective functions of the software under test, the server can, according to the historical execution frequency of each malware execution path in the preset sample library, determine execution path s1 and execution path s2 among the equivalent execution paths of all functions to be the target equivalent execution paths.
Further, after determining the target equivalent execution paths, the server may invoke the target sandbox to execute them and record the execution trace produced when the software under test executes each target equivalent execution path together with the system resources invoked. There may be one or more target equivalent execution paths; when there are n target equivalent execution paths (n being a positive integer), the server needs to invoke the target sandbox to execute all n of them and, correspondingly, to record the execution trace and invoked system resources for each of the n target equivalent execution paths, that is, the n target equivalent execution paths correspond to n records of execution traces and invoked system resources.
The system resources referred to above are the resources that are needed while executing the target equivalent execution path corresponding to the software under test but are not provided by the software under test itself. For example, if the software under test is a cryptocurrency miner, the system resources may include the graphics card driver, wallet key parsing, network communication, CPU usage information, file system access for reading and writing, and so on. If the software under test is a reverse shell, the system resources include file system access for reading and writing, opened network ports, network packets sent and received, registry entries modified to hide its own process, and so on. The system resources also include the system interfaces called while executing the target equivalent execution path corresponding to the software under test.
In one embodiment, a sample library containing multiple malware samples (namely the preset sample library) may be established in advance. The preset sample library stores various malware and the malicious behavior corresponding to each, the malicious behavior including the malicious execution trace of the malware and the system resources invoked while the malware runs. For example, if a malware sample performs a heap spray, it needs to call a virtual function through a forged virtual function table, and forging the virtual function table involves a stack variable overflow. The act of calling a virtual function through a forged virtual function table is then the malicious execution trace of that malware performing the heap spray.
In this case, the server compares the execution trace recorded while executing each target equivalent execution path with the malicious execution trace of each malware in the preset sample library. If the similarity between the recorded execution trace and the malicious execution trace of any one or more malware samples (hereinafter, target malware) is determined to be higher than a preset trace similarity threshold, the server may further compare the system resources invoked during the target equivalent execution path with the system resources invoked while each target malware in the preset sample library runs. If the similarity between the system resources invoked during the target equivalent execution path and those invoked while any target malware runs is higher than a preset resource similarity threshold, it is determined that the software under test exhibits malicious behavior, and that malicious behavior includes the execution trace corresponding to the target equivalent execution path and the system resources invoked. Further, upon determining that the software under test exhibits this malicious behavior, the server may determine that the software under test is malware and output the malicious behavior, so that the user can view the malicious behavior of the software under test directly, which helps improve the granularity of malware detection.
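The two-stage comparison just described, as an added example that is not part of the application: the recorded execution trace is first compared against every malicious execution trace in the preset sample library to select the target malware, and only then are the invoked system resources compared against those target malware, each stage gated by its own threshold. The sample library, the traces, the resource names and the two similarity measures (longest common subsequence for ordered traces, Jaccard index for resource sets) are all constructed for this example; the application does not specify them.

```python
"""Added example: step 308, trace similarity first, resource similarity second,
against a constructed preset sample library."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Set


@dataclass
class MalwareSample:
    name: str
    trace: List[str]      # malicious execution trace: ordered operations
    resources: Set[str]   # system resources invoked while the sample runs


# Constructed preset sample library (names and contents are illustrative only).
SAMPLE_LIBRARY = [
    MalwareSample("heap_spray",
                  ["HeapAlloc", "HeapAlloc", "HeapAlloc", "forge_vtable", "call_virtual"],
                  {"heap", "stack"}),
    MalwareSample("miner",
                  ["LoadLibrary", "parse_wallet_key", "connect", "send", "cpu_query"],
                  {"gpu_driver", "wallet_key", "network", "cpu_usage", "filesystem"}),
    MalwareSample("reverse_shell",
                  ["socket", "connect", "CreateProcess", "RegSetValue"],
                  {"filesystem", "network_port", "network", "registry"}),
]


def lcs_length(a: Sequence[str], b: Sequence[str]) -> int:
    """Longest common subsequence, so the order of trace steps matters."""
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            cur[j] = prev[j - 1] + 1 if a[i - 1] == b[j - 1] else max(prev[j], cur[j - 1])
        prev = cur
    return prev[len(b)]


def trace_similarity(a: Sequence[str], b: Sequence[str]) -> float:
    """Assumption: LCS length normalised by the longer trace, in [0, 1]."""
    if not a and not b:
        return 1.0
    return lcs_length(a, b) / max(len(a), len(b))


def resource_similarity(a: Set[str], b: Set[str]) -> float:
    """Assumption: Jaccard index of the two resource sets, in [0, 1]."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


@dataclass
class Verdict:
    malicious: bool
    target_malware: List[str]   # samples whose trace passed the first stage
    behavior: Optional[dict]    # malicious behavior to output: trace + resources


def classify(recorded_trace: Sequence[str], invoked_resources: Set[str],
             library: List[MalwareSample],
             trace_threshold: float = 0.8,
             resource_threshold: float = 0.6) -> Verdict:
    # Stage 1: the trace similarity threshold selects the target malware.
    targets = [s for s in library
               if trace_similarity(recorded_trace, s.trace) > trace_threshold]
    if not targets:
        return Verdict(False, [], None)
    # Stage 2: resources are compared only against the target malware.
    for s in targets:
        if resource_similarity(invoked_resources, s.resources) > resource_threshold:
            return Verdict(True, [t.name for t in targets],
                           {"matched": s.name,
                            "trace": list(recorded_trace),
                            "resources": sorted(invoked_resources)})
    return Verdict(False, [t.name for t in targets], None)


# Constructed record from one target equivalent execution path: one extra
# allocation compared with the heap_spray sample, plus one extra resource.
TRACE_A = ["HeapAlloc", "HeapAlloc", "HeapAlloc", "HeapAlloc", "forge_vtable", "call_virtual"]
RESOURCES_A = {"heap", "stack", "cpu_usage"}

if __name__ == "__main__":
    print(classify(TRACE_A, RESOURCES_A, SAMPLE_LIBRARY))
```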
In the embodiments of the present application, the server may invoke the target sandbox to perform symbolic execution analysis on the software under test to obtain the equivalent execution paths corresponding to its respective functions, invoke the target sandbox to execute a target equivalent execution path and record the execution trace and the system resources invoked when the software under test executes it, and then determine, according to the execution trace and the invoked system resources, whether the software under test exhibits malicious behavior. When it does, the server determines that the software under test is malware and outputs the corresponding malicious behavior, which helps improve the granularity of malware detection.
Referring to FIG. 3, FIG. 3 is a schematic flowchart of another malware detection method provided by an embodiment of the present application. The method is applied to a server on which one or more sandboxes are deployed in advance. As shown in the figure, the malware detection method may include:
301. The server performs assembly-instruction-level translation and slicing on the system interfaces callable by each of the one or more sandboxes, obtaining translated and sliced target system interfaces.
302. The server stores, in the system interface library of each sandbox, the target system interfaces corresponding to that sandbox in association with the original system interfaces.
In one embodiment, the server may group the system interfaces callable by each sandbox, slice the assembly instructions corresponding to each group of system interfaces according to a preset rule, and insert corresponding non-functional assembly instructions between slices (these non-functional assembly instructions serve analysis and recording or restriction purposes), thereby achieving assembly-instruction-level translation and slicing of the system interfaces callable by each sandbox. Further, the translated and sliced system interfaces of each sandbox (namely the target system interfaces) are stored in that sandbox's system interface library in association with the system interfaces the sandbox can call. The preset rule may be to slice using jump instructions as markers; slicing at jump instructions guarantees the continuity of the memory region operated on by each code fragment. Since jumps require heightened attention and malicious behavior generally appears after a jump, the execution of each slice can be analyzed and recorded, achieving a fine-grained partitioning of the assembly instructions oriented to security analysis, which helps improve the granularity of malware detection.
The system interfaces above may include not only operating system interfaces; for large open-source software (such as the browsers Chrome and Firefox, LibreOffice, and so on), assembly-instruction-level translation of the software's interfaces can also be built and stored in the system interface library, recording in particular the interfaces that malicious behavior often involves, for subsequent analysis. For example, translation at the cross-origin APIs inside a browser makes it possible to observe the cross-origin behavior of the software under test and thereby the phishing behavior of some malicious plugins. In this way, more behavior traces of the software under test can be detected, that is, whether the software under test is malware is judged on the basis of more malicious behaviors, which improves the accuracy of malware detection.
In one embodiment, when each sandbox is adapted, the focus of the adaptation may also be adjusted according to the specific behavior to be detected. For worms, for instance, the main concern is how they spread infection, so assembly-instruction-level translation and slicing can concentrate on the resource interfaces related to access and read/write operations and on the interfaces used to send mail; the information recorded by these interfaces can depict the specific infection propagation path of the software under test. For password stealers that monitor keyboard input, the focus is placed on the transfer of input signals on the system bus, and the relevant interfaces of the system bus are translated and sliced at the assembly instruction level.
303. The server obtains first configuration information of each of the one or more sandboxes and second configuration information of the software under test, and determines, among the one or more sandboxes, a target sandbox matching the software under test according to the first configuration information of each sandbox and the second configuration information.
304. The server invokes the target sandbox to perform symbolic execution analysis on the software under test, so as to obtain the equivalent execution paths corresponding to the respective functions of the software under test.
In one embodiment, when invoking the target sandbox to perform symbolic execution analysis on the software under test, the server may detect whether the current execution path of a function obtained by the symbolic analysis has reached a call to any system interface in the target sandbox's system interface library. If the current execution path of the function reaches any such system interface, the current execution path of the function is terminated and the equivalent execution path corresponding to it is generated. Using arrival at any system interface as the constraint is justified because any software under test that is to accomplish some function must call a system interface as soon as it involves scheduling of resources external to the software; terminating the current execution path at the point where it needs to call an external resource therefore does not affect the completeness of the path. Adopting this constraint avoids infinite loops, guards against path explosion, and reduces overhead.
305. The server invokes the target sandbox to execute a target equivalent execution path, and records the execution trace produced when the software under test executes the target equivalent execution path together with the system resources invoked. The target equivalent execution path is one or more of the equivalent execution paths corresponding to the respective functions of the software under test.
In one embodiment, the server may input the input value array corresponding to the target equivalent execution path into the sample program in the target sandbox to obtain the execution flow of the target equivalent execution path, slice the execution flow according to the jump instructions preset in the target sandbox to obtain one or more execution flow fragments, and then perform on each of the one or more execution flow fragments its corresponding preset operation, which can further improve the granularity of malware detection. The execution flow is a sequence of assembly instructions.
Different preset operations may be configured according to the function of each execution flow fragment. For example, if the function corresponding to an execution flow fragment is accessing a resource interface, the preset operation may be an access operation; if the function corresponding to an execution flow fragment is modifying a registry entry, the preset operation may be a modification operation. This application places no specific limitation on this.
In one embodiment, after slicing the execution flow according to the jump instructions preset in the current system of the target sandbox to obtain one or more execution flow fragments, the server may further introduce binary instrumentation into each of the one or more execution flow fragments, and invoke the binary instrumentation to record the execution trace after performing on the one or more execution flow fragments their respective preset operations, as well as the system resources invoked in performing those preset operations, further improving the granularity of malware detection.
In one embodiment, when binary instrumentation is introduced into each of the one or more execution flow fragments, the exact position at which the instrumentation is inserted can be determined in combination with the specific jump instruction. By way of example, taking the most common unconditional jump instruction in assembly, jmp, there are four forms of jmp in total. Intra-segment jumps such as jmp 200H and jmp cx need not be instrumented, since the risk of an intra-segment jump is low; attention can instead be focused on the more dangerous inter-segment jumps (such as jmp 100H 200H and JMP DWORD PTR), and binary instrumentation is performed after the inter-segment jump instruction.
When performing binary instrumentation, the operand may also be modified so that the program corresponding to the software under test jumps to a memory code segment prepared in advance, executes the function the developer wants it to execute, and then jumps back to the original segment address. The operand above is associated with a memory address; that is, modifying the operand causes the program corresponding to the software under test to jump to a specified address and execute the prepared memory code segment. For example, "200H" in jmp 200H is the operand.
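The slicing and instrumentation of an execution flow described in the preceding paragraphs, as an added example that is not part of the application: a constructed sequence of assembly instructions is cut after every jump instruction, each jmp is classified as intra-segment or inter-segment following the forms named in the text, and for each inter-segment jump the operand is rewritten to point at a prepared trampoline that runs a recording stub and then jumps on to the original target. The instruction stream, the classification rules (16-bit style operands, with dword ptr treated as a far pointer) and the stub name record_slice are assumptions of this example.

```python
"""Added example: slice an execution flow at jump instructions and rewrite the
operands of inter-segment jumps to a recording trampoline."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Slice:
    instructions: List[str]   # the fragment, ending with its jump (if any)
    boundary: str = ""        # the jump instruction that closed the fragment
    instrument: bool = False  # True when the closing jump is inter-segment


def jump_kind(instr: str) -> str:
    """Classify an instruction as 'none', 'intra' (within the segment) or
    'inter' (across segments), following the jmp forms named in the text.
    Assumption: 16-bit style operands; 'dword ptr' is taken as a far pointer."""
    m = re.match(r"\s*(j\w+)\s+(.*)$", instr, re.I)
    if not m:
        return "none"
    mnemonic, operand = m.group(1).lower(), m.group(2).strip().lower()
    if mnemonic != "jmp":
        return "intra"            # conditional jumps stay within the segment
    if "dword ptr" in operand or operand.startswith("far"):
        return "inter"            # JMP DWORD PTR / jmp far ptr
    if len(re.split(r"[\s:]+", operand)) >= 2:
        return "inter"            # 'jmp 100H 200H': segment and offset
    return "intra"                # 'jmp 200H' or 'jmp cx'


def slice_flow(flow: List[str]) -> List[Slice]:
    """Cut the execution flow after every jump instruction."""
    slices, current = [], []
    for instr in flow:
        current.append(instr)
        kind = jump_kind(instr)
        if kind != "none":
            slices.append(Slice(current, instr.strip(), kind == "inter"))
            current = []
    if current:
        slices.append(Slice(current))
    return slices


def instrument(flow: List[str],
               stub: str = "call record_slice") -> Tuple[List[str], List[str]]:
    """Return (rewritten flow, trampolines). Each inter-segment jump has its
    operand rewritten to a prepared code segment that runs the recording stub
    and then performs the original jump, as the text describes for operand
    modification. The flow keeps its length; the trampolines live elsewhere."""
    rewritten, trampolines = [], []
    for n, s in enumerate(slice_flow(flow)):
        body = list(s.instructions)
        if s.instrument:
            mnemonic, operand = body[-1].split(None, 1)
            label = f"trampoline_{n}"
            body[-1] = f"{mnemonic} {label}"
            trampolines += [f"{label}:", f"    {stub}", f"    {mnemonic} {operand}"]
        rewritten.extend(body)
    return rewritten, trampolines


# Constructed execution flow (a sequence of assembly instructions).
FLOW = [
    "mov ax, 1",
    "cmp ax, bx",
    "je 200H",             # conditional: intra-segment
    "mov cx, 300H",
    "jmp cx",              # register indirect: intra-segment
    "push ax",
    "jmp 100H 200H",       # segment and offset: inter-segment
    "xor ax, ax",
    "jmp dword ptr [bx]",  # far pointer: inter-segment
    "ret",
]

if __name__ == "__main__":
    for s in slice_flow(FLOW):
        print(("instrument " if s.instrument else "           "), s.instructions)
    code, tramps = instrument(FLOW)
    print("\n".join(code + [""] + tramps))
```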
306. The server determines, according to the execution trace and the invoked system resources, whether the software under test exhibits malicious behavior.
307. When the software under test exhibits malicious behavior, the server determines that the software under test is malware and outputs the malicious behavior corresponding to the software under test.
For the specific implementation of steps 306 and 307, reference may be made to the description of steps 204 and 205 in the foregoing embodiment, which is not repeated here.
In one embodiment, when the server analyzes the execution trace and the invoked system resources, it relies on the fact that the attack techniques of malware in general follow certain patterns with a strict causal progression. If analysis of the execution trace of the software under test reveals that, compared with a sample malware in the preset sample library, the execution trace differs only in certain steps, and, by comparison with the result produced by the sample malware's malicious behavior, the result is found to be the same but the cause different, it can be judged that a new malicious behavior has been identified; that is, the software under test can be judged to be a new kind of malware exhibiting a new malicious behavior.
When determining whether the software under test is new malware, the attack techniques and attack behaviors of the software under test may also be compared, or the lineage of the software under test analyzed, to detect whether it is a variant of known malware.
In one embodiment, after it is determined that the software under test exhibits a new malicious behavior, a new detection rule corresponding to the new malicious behavior may be generated, and the new malicious behavior and the new detection rule stored in the server in association with each other, so that they can subsequently be distributed to other detection systems to achieve cloud-based detection and removal of new variants or new malware, thereby achieving detection of zero-day vulnerabilities.
In one embodiment, before obtaining the first configuration information of each of the one or more sandboxes and the second configuration information of the software under test, the server may also obtain a sample software feature value of the sample software and compare it with the malware feature values of the malware in a preset software library. If the sample software feature value matches a malware feature value, the server determines that the sample software is malware and checks whether the current detection mode is a preset detection mode; if so, the server determines the sample software to be the software under test and triggers the step of obtaining the first configuration information of each of the one or more sandboxes and the second configuration information of the software under test. When comparing the sample software feature value with the malware feature values of the malware in the preset software library, the server may determine that the sample software feature value matches a given malware feature value when the feature similarity between the two is greater than or equal to a preset feature similarity threshold.
In one embodiment, if the server determines that the sample software feature value does not match any malware feature value, it determines that the sample software is not malware, determines the sample software to be the software under test, and triggers the step of obtaining the first configuration information of each of the one or more sandboxes and the second configuration information of the software under test. When comparing the sample software feature value with the malware feature values of the malware in the preset software library, the server may determine that the sample software feature value does not match the malware feature values when the feature similarity between the sample software feature value and every malware feature value is lower than the preset feature similarity threshold.
The preset detection mode may be set in advance by the user according to the user's own detection needs. The preset detection mode may, for example, be an expert detection mode, which can detect not only that the software under test is malware but also the malicious behavior that the malware exhibits.
In one embodiment, when the server determines that the sample software is malware and the current detection mode is not the preset detection mode, it may end the current detection directly and output an alarm so that back-end operations personnel can carry out follow-up actions. Alternatively, the server may delete the software under test directly.
In the embodiments of the present application, the server may perform assembly-instruction-level translation and slicing on the system interfaces callable by each of the one or more sandboxes to obtain translated and sliced target system interfaces, and store the target system interfaces corresponding to each sandbox in that sandbox's system interface library in association with the original system interfaces. Further, the server invokes the target sandbox to perform symbolic execution analysis on the software under test to obtain the equivalent execution paths corresponding to its respective functions, invokes the target sandbox to execute a target equivalent execution path and records the corresponding execution trace and invoked system resources, determines according to the execution trace and the invoked system resources whether the software under test exhibits malicious behavior, and, when it does, determines that the software under test is malware and outputs the corresponding malicious behavior, which helps improve the granularity of malware detection.
An embodiment of this application further provides a malware detection apparatus, which is configured on a server on which one or more sandboxes are deployed in advance. The apparatus includes modules for performing the method described in FIG. 2 or FIG. 3. Specifically, FIG. 4 is a schematic block diagram of a malware detection apparatus provided by an embodiment of this application. The malware detection apparatus of this embodiment includes:
an obtaining module 40, configured to obtain first configuration information of each of the one or more sandboxes and second configuration information of the software under test;
a determining module 41, configured to determine, from the one or more sandboxes, the target sandbox that matches the software under test according to the first configuration information of each sandbox and the second configuration information obtained by the obtaining module;
an invoking module 42, configured to invoke the target sandbox to perform symbolic execution analysis on the software under test to obtain the equivalent execution path corresponding to each function of the software under test;
the invoking module 42 being further configured to invoke the target sandbox to execute a target equivalent execution path and to record the execution trace and the system resources invoked while the software under test executes the target equivalent execution path, where the target equivalent execution path is one or more of the equivalent execution paths corresponding to the functions of the software under test;
the determining module 41 being further configured to determine, according to the execution trace and the invoked system resources, whether the software under test exhibits malicious behavior, and, when it does, to determine that the software under test is malware;
an output module 43, configured to output the malicious behavior of the software under test when the determining module determines that the software under test is malware.
In one embodiment, the apparatus further includes:
a processing module 44, configured to perform assembly-instruction-level translation and fragmentation of the system interfaces callable by each of the one or more sandboxes to obtain the translated and fragmented target system interfaces;
a storage module 45, configured to store each sandbox's target system interfaces in association with the corresponding system interfaces in that sandbox's system interface library.
In one embodiment, the invoking module 42 is specifically configured, while invoking the target sandbox to perform symbolic execution analysis on the software under test, to detect whether the current execution path of a function obtained by the symbolic analysis reaches a call to any system interface in the target sandbox's system interface library; if it does, the current execution path of that function is terminated and the equivalent execution path corresponding to it is generated.
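To make the path-termination rule above concrete, here is an added Python example, not code from the patent or its assignee: a toy symbolic executor over a small register IR. Execution forks at every branch on a still-symbolic input byte, infeasible branches are pruned by a brute-force byte solver (inputs are treated as independent, an assumption that keeps the solver trivial), and a path is closed the moment it calls an API found in the sandbox's system interface library, emitting an "equivalent execution path" as the executed program counters plus one concrete input array that reproduces them. The IR, the program and the library contents are constructed for illustration; the patent does not specify any of them.

```python
"""Toy symbolic executor for a tiny register IR. A path forks at each branch
on a still-symbolic input byte and is closed as soon as it calls an API that
is present in the sandbox's system interface library, yielding an
"equivalent execution path": the executed program counters plus one concrete
input array that drives execution down exactly that path."""
from dataclasses import dataclass
import operator

OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
       "<=": operator.le, ">": operator.gt, ">=": operator.ge}


@dataclass(frozen=True)
class EquivalentPath:
    trace: tuple            # program counters executed, in order
    system_interface: str   # library call that terminated the path
    inputs: tuple           # concrete input bytes reproducing the path


def solve(constraints, n_inputs):
    """Brute-force each input byte separately (assumption: constraints never
    relate two inputs). Returns the smallest satisfying array, or None when
    the constraint set is contradictory, i.e. the path is infeasible."""
    values = []
    for idx in range(n_inputs):
        cs = [(op, c, taken) for (i, op, c, taken) in constraints if i == idx]
        for v in range(256):
            if all(OPS[op](v, c) == taken for op, c, taken in cs):
                values.append(v)
                break
        else:
            return None
    return tuple(values)


def symbolic_execute(program, library, n_inputs, max_steps=64):
    """Depth-first exploration of (pc, registers, constraints, trace).
    A register holds an int or ("in", idx) for a symbolic input byte."""
    results, work = [], [(0, {}, (), ())]
    while work:
        pc, regs, cons, trace = work.pop()
        while pc < len(program) and len(trace) < max_steps:
            ins = program[pc]
            trace = trace + (pc,)
            kind = ins[0]
            if kind == "input":
                regs = {**regs, ins[1]: ("in", ins[2])}
                pc += 1
            elif kind == "const":
                regs = {**regs, ins[1]: ins[2]}
                pc += 1
            elif kind == "jump":
                pc = ins[1]
            elif kind == "call":
                if ins[1] in library:
                    # reached a system interface: close the path here
                    results.append(EquivalentPath(trace, ins[1], solve(cons, n_inputs)))
                    break
                pc += 1             # internal call, keep exploring
            elif kind == "ret":
                break               # path ended without touching the library
            elif kind == "cmp_jump":
                _, reg, op, const, target = ins
                val = regs[reg]
                if isinstance(val, int):    # concrete: no fork needed
                    pc = target if OPS[op](val, const) else pc + 1
                    continue
                taken = cons + ((val[1], op, const, True),)
                fall = cons + ((val[1], op, const, False),)
                if solve(taken, n_inputs) is not None:
                    work.append((target, regs, taken, trace))
                if solve(fall, n_inputs) is None:
                    break                   # fall-through is contradictory
                cons, pc = fall, pc + 1
            else:
                raise ValueError(f"unknown instruction {ins!r}")
    return results


# Constructed sample: behaviour depends on two input bytes; API names are
# hypothetical entries of the sandbox's system interface library.
SYSTEM_INTERFACE_LIBRARY = {"CreateRemoteThread", "RegSetValueExW", "ExitProcess"}
SAMPLE_PROGRAM = [
    ("input", "r0", 0),                  # 0: r0 = input[0]
    ("input", "r1", 1),                  # 1: r1 = input[1]
    ("cmp_jump", "r0", "!=", 0x4D, 6),   # 2: if r0 != 'M' goto 6
    ("cmp_jump", "r1", "!=", 0x5A, 6),   # 3: if r1 != 'Z' goto 6
    ("call", "CreateRemoteThread"),      # 4: 'MZ' seen: inject
    ("ret",),                            # 5
    ("cmp_jump", "r0", ">", 0x80, 9),    # 6: if r0 > 0x80 goto 9
    ("call", "ExitProcess"),             # 7
    ("ret",),                            # 8
    ("call", "RegSetValueExW"),          # 9
    ("ret",),                            # 10
]


def analyse_sample():
    return symbolic_execute(SAMPLE_PROGRAM, SYSTEM_INTERFACE_LIBRARY, n_inputs=2)


if __name__ == "__main__":
    for p in analyse_sample():
        print(p.system_interface, list(p.trace), [hex(b) for b in p.inputs])
```

Four equivalent paths come out of the sample: one per reachable library call, with ExitProcess reached by two different traces; the branch at pc 6 that would need r0 == 0x4D and r0 > 0x80 at the same time is pruned rather than explored.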
In one embodiment, the invoking module 42 is specifically configured to feed the input value array corresponding to the target equivalent execution path into the sample program in the target sandbox to obtain the execution flow of the target equivalent execution path; slice the execution flow at the jump instructions preset in the target sandbox to obtain one or more execution flow fragments; and perform the corresponding preset operation on each of the execution flow fragments obtained by slicing.
In one embodiment, the apparatus further includes an instrumentation module 46, configured to introduce binary instrumentation into each of the one or more execution flow fragments;
where the invoking module 42 is further specifically configured to invoke the binary instrumentation to record the execution trace produced by performing the corresponding preset operation on each of the one or more execution flow fragments, together with the system resources invoked while performing that preset operation.
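As an added example, not part of the patent, of the slicing and recording described in the embodiments above and of the behavior decision made by module 41: a constructed instruction trace, annotated with the API calls an instrumentation hook would have logged, is cut into fragments at jump-class instructions, and each recorded system resource is attributed to the fragment in which it occurred. Two behavior rules then run over the recorded resources, one matching a single call by its argument (an autostart Run key) and one matching an ordered API sequence that spans several fragments. The mnemonic set, the trace, the API names and the rules are assumptions made for this example; the patent leaves the "preset operations" and the decision criteria unspecified.

```python
"""Constructed execution trace sliced into fragments at jump-class
instructions, with the API calls an instrumentation hook logged attributed
to the fragment they fired in, followed by behavior rules over the recorded
system resources."""
from dataclasses import dataclass, field

# Assumption: these are the "preset jump instructions" that close a fragment.
JUMP_MNEMONICS = {"jmp", "je", "jne", "jz", "jnz", "ja", "jb", "call", "ret"}


@dataclass
class Fragment:
    index: int
    start: int                  # address of the first instruction
    end: int                    # address of the instruction that closed it
    instructions: int = 0
    resources: list = field(default_factory=list)   # (api, args) in call order


def slice_trace(trace, jump_mnemonics=JUMP_MNEMONICS):
    """trace: records (addr, mnemonic, operand, resource); resource is None or
    the (api, args) pair the instrumentation hook recorded at that instruction."""
    fragments, current = [], None
    for addr, mnem, _operand, resource in trace:
        if current is None:
            current = Fragment(index=len(fragments), start=addr, end=addr)
        current.instructions += 1
        current.end = addr
        if resource is not None:
            current.resources.append(resource)
        if mnem in jump_mnemonics:
            fragments.append(current)
            current = None
    if current is not None:         # trailing straight-line code
        fragments.append(current)
    return fragments


def detect_malicious_behavior(fragments):
    """Returns [(behavior, fragment indices that evidence it)]."""
    calls = [(api, args, frag.index) for frag in fragments
             for api, args in frag.resources]
    findings = []

    # Rule 1: one call whose argument names an autostart Run key.
    for api, args, idx in calls:
        if api == "RegSetValueExW" and "\\CurrentVersion\\Run" in args.get("key", ""):
            findings.append(("autostart persistence", [idx]))

    # Rule 2: an ordered API sequence, possibly spread over several fragments.
    wanted = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]
    matched, pos = [], 0
    for api, _args, idx in calls:
        if pos < len(wanted) and api == wanted[pos]:
            matched.append(idx)
            pos += 1
    if pos == len(wanted):
        findings.append(("remote thread injection", matched))
    return findings


# Constructed trace: (address, mnemonic, operand, hook record or None).
SAMPLE_TRACE = [
    (0x401000, "push", "ebp", None),
    (0x401001, "mov", "ebp, esp", None),
    (0x401003, "call", "OpenProcess",
     ("OpenProcess", {"pid": 1234, "access": "PROCESS_ALL_ACCESS"})),
    (0x401008, "test", "eax, eax", None),
    (0x40100A, "jz", "0x401040", None),
    (0x40100C, "call", "VirtualAllocEx",
     ("VirtualAllocEx", {"size": 4096, "protect": "PAGE_EXECUTE_READWRITE"})),
    (0x401011, "call", "WriteProcessMemory", ("WriteProcessMemory", {"size": 4096})),
    (0x401016, "call", "CreateRemoteThread", ("CreateRemoteThread", {"start": "0x00A40000"})),
    (0x40101B, "call", "RegSetValueExW",
     ("RegSetValueExW", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                         "value": "updater"})),
    (0x401020, "xor", "eax, eax", None),
    (0x401022, "ret", "", None),
]


def analyse_trace(trace=SAMPLE_TRACE):
    fragments = slice_trace(trace)
    return fragments, detect_malicious_behavior(fragments)


if __name__ == "__main__":
    frags, found = analyse_trace()
    for f in frags:
        print(f"fragment {f.index}: {f.start:#x}-{f.end:#x} ({f.instructions} insns) {f.resources}")
    print(found)
```

Because resources are keyed to fragments, a finding can point back to the exact slices of the trace that produced it, which is what makes the output useful to an analyst rather than a bare verdict.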
In one embodiment, the obtaining module 40 is further configured to obtain the sample software feature value of the sample software and compare it with the malware feature values of the malware in a preset software library;
the determining module 41 is further configured to determine that the sample software is malware if the sample software feature value matches a malware feature value, and then to detect whether the current detection mode is the preset detection mode; if it is, the sample software is determined to be the software under test and the step of obtaining the first configuration information of each of the one or more sandboxes and the second configuration information of the software under test is triggered;
the determining module 41 is further configured to determine that the sample software is not malware if the sample software feature value does not match any malware feature value, determine the sample software to be the software under test, and trigger the step of obtaining the first configuration information of each of the one or more sandboxes and the second configuration information of the software under test.
In one embodiment, the determining module 41 is further configured to determine one or more of the equivalent execution paths corresponding to the functions as target equivalent execution paths according to the historical execution frequency of each malware execution path in a preset sample library, where the historical execution frequency of a target equivalent execution path is greater than or equal to a preset execution frequency threshold.
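Pulling the triage and selection steps from the embodiments above into one runnable flow, as an added Python example that is not the patent's code: the sample software feature value is taken to be a SHA-256 digest (an assumption; the patent only says "feature value"), the preset detection mode is a "deep" mode in which already-known malware is still sent to the sandbox rather than only alerted on, the sandbox match requires every key of the software's configuration to equal the sandbox's, and the target equivalent execution paths are those whose API sequence occurs in the malware path library with a relative frequency at or above the threshold. The hashes, sandbox configurations and path libraries are constructed for illustration.

```python
"""Front half of the detection pipeline: digest-based triage against a preset
malware library honouring the detection mode, selection of the sandbox whose
configuration matches the sample, and choice of target equivalent paths by
their historical frequency in a library of malware execution paths."""
import hashlib
from collections import Counter

# Assumption: the "preset detection mode" in which known malware is still analysed.
DEEP_MODE = "deep"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(sample: bytes, malware_hashes: set, mode: str):
    """("analyse", known) when the sample should go on to the sandbox;
    ("alert", True) when it is known malware and the mode says stop here."""
    known = sha256_hex(sample) in malware_hashes
    if known and mode != DEEP_MODE:
        return ("alert", True)
    return ("analyse", known)


def select_sandbox(sandboxes: dict, software_config: dict):
    """First configuration info (per sandbox) against second configuration
    info (the sample): every key the sample states must match."""
    for name, cfg in sandboxes.items():
        if all(cfg.get(k) == v for k, v in software_config.items()):
            return name
    return None


def select_target_paths(equivalent_paths, malware_path_library, threshold):
    """Keep the paths whose API sequence makes up at least `threshold` of the
    historical malware execution paths."""
    total = len(malware_path_library)
    if total == 0:
        return []
    freq = Counter(tuple(p) for p in malware_path_library)
    return [p for p in equivalent_paths if freq[tuple(p)] / total >= threshold]


# Constructed data: the sample is deliberately already present in the library.
SAMPLE = b"MZ\x90\x00constructed-sample-bytes"
MALWARE_HASHES = {sha256_hex(SAMPLE)}
SANDBOXES = {
    "win7-x86": {"os": "windows", "arch": "x86", "version": "6.1"},
    "win10-x64": {"os": "windows", "arch": "x86_64", "version": "10.0"},
    "ubuntu-x64": {"os": "linux", "arch": "x86_64"},
}
INJECTION = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]
EQUIVALENT_PATHS = [INJECTION, ["RegSetValueExW"], ["ExitProcess"]]
MALWARE_PATH_LIBRARY = [INJECTION, INJECTION, ["RegSetValueExW"], ["ExitProcess"],
                        ["CreateFileW", "WriteFile"]]


def run_pipeline(sample=SAMPLE, mode=DEEP_MODE, software_config=None, threshold=0.3):
    software_config = software_config or {"os": "windows", "arch": "x86_64"}
    decision, known = triage(sample, MALWARE_HASHES, mode)
    if decision == "alert":
        return {"decision": "alert", "known_malware": known}
    sandbox = select_sandbox(SANDBOXES, software_config)
    if sandbox is None:
        return {"decision": "no_matching_sandbox", "known_malware": known}
    targets = select_target_paths(EQUIVALENT_PATHS, MALWARE_PATH_LIBRARY, threshold)
    return {"decision": "analyse", "known_malware": known,
            "sandbox": sandbox, "target_paths": targets}


if __name__ == "__main__":
    print(run_pipeline())
    print(run_pipeline(mode="fast"))
```

With the default threshold only the injection sequence (2 of 5 library paths) is selected for execution; lowering the threshold to 0.2 admits the two single-call paths as well, which is the knob that trades analysis time against coverage.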
It should be noted that the functions of the functional modules of the malware detection apparatus described in the embodiments of this application can be implemented according to the method in the method embodiments described in FIG. 2 or FIG. 3; for the specific implementation, refer to the related description of the method embodiments of FIG. 2 or FIG. 3, which is not repeated here.
Refer to FIG. 5, a schematic block diagram of a server provided by an embodiment of this application; one or more sandboxes are deployed on the server in advance. As shown in FIG. 5, the server includes a processor 501, a memory 502 and a network interface 503. The processor 501, memory 502 and network interface 503 may be connected by a bus or in other ways; FIG. 5 of this embodiment takes a bus connection as an example. The network interface 503 is controlled by the processor to send and receive messages, the memory 502 stores a computer program that includes program instructions, and the processor 501 executes the program instructions stored in the memory 502. The processor 501 is configured to invoke the program instructions to: obtain first configuration information of each of the one or more sandboxes and second configuration information of the software under test, and determine, from the one or more sandboxes, the target sandbox matching the software under test according to the first configuration information of each sandbox and the second configuration information; invoke the target sandbox to perform symbolic execution analysis on the software under test to obtain the equivalent execution path corresponding to each function of the software under test; invoke the target sandbox to execute a target equivalent execution path and record the execution trace and the system resources invoked while the software under test executes the target equivalent execution path, where the target equivalent execution path is one or more of the equivalent execution paths corresponding to the functions of the software under test; determine, according to the execution trace and the invoked system resources, whether the software under test exhibits malicious behavior; and, when it does, determine that the software under test is malware and output the malicious behavior of the software under test.
It should be understood that in the embodiments of this application the processor 501 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor or any conventional processor.
The memory 502 may include read-only memory and random access memory and provides instructions and data to the processor 501. Part of the memory 502 may also include non-volatile random access memory. For example, the memory 502 may also store device type information.
In a specific implementation, the processor 501, memory 502 and network interface 503 described in the embodiments of this application can carry out the implementations described in the method embodiments of FIG. 2 or FIG. 3 provided by this application, and can also carry out the implementation of the malware detection apparatus described in the embodiments of this application, which is not repeated here.
Another embodiment of this application provides a computer-readable storage medium storing a computer program that includes program instructions which, when executed by a processor, carry out: obtaining first configuration information of each of the one or more sandboxes and second configuration information of the software under test, and determining, from the one or more sandboxes, the target sandbox matching the software under test according to the first configuration information of each sandbox and the second configuration information; invoking the target sandbox to perform symbolic execution analysis on the software under test to obtain the equivalent execution path corresponding to each function of the software under test; invoking the target sandbox to execute a target equivalent execution path and recording the execution trace and the system resources invoked while the software under test executes the target equivalent execution path, where the target equivalent execution path is one or more of the equivalent execution paths corresponding to the functions of the software under test; determining, according to the execution trace and the invoked system resources, whether the software under test exhibits malicious behavior; and, when it does, determining that the software under test is malware and outputting the malicious behavior of the software under test.
The computer-readable storage medium may be an internal storage unit of the server of any of the foregoing embodiments, such as the server's hard disk or memory. It may also be an external storage device of the server, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash card fitted to the server. Further, it may include both an internal storage unit of the server and an external storage device. The computer-readable storage medium stores the computer program and the other programs and data the server requires, and may also be used to temporarily store data that has been or is to be output.
A person of ordinary skill in the art can understand that all or part of the processes of the methods in the above embodiments can be carried out by a computer program instructing the relevant hardware; the program can be stored in a computer-readable storage medium and, when executed, may include the processes of the method embodiments described above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
What is disclosed above is only a part of the embodiments of this application and of course does not limit the scope of rights of this application. A person of ordinary skill in the art can understand all or part of the processes for implementing the above embodiments, and equivalent changes made according to the claims of this application still fall within the scope of the invention.

Claims (20)

  1. A malware detection method, applied to a server on which one or more sandboxes are deployed in advance, characterized in that it comprises:
    obtaining first configuration information of each of the one or more sandboxes and second configuration information of software under test, and determining, from the one or more sandboxes, a target sandbox matching the software under test according to the first configuration information of each sandbox and the second configuration information;
    invoking the target sandbox to perform symbolic execution analysis on the software under test to obtain an equivalent execution path corresponding to each function of the software under test;
    invoking the target sandbox to execute a target equivalent execution path, and recording the execution trace and the invoked system resources corresponding to the software under test executing the target equivalent execution path, the target equivalent execution path being one or more of the equivalent execution paths corresponding to the functions of the software under test;
    determining, according to the execution trace and the invoked system resources, whether the software under test exhibits malicious behavior;
    when the software under test exhibits the malicious behavior, determining that the software under test is malware and outputting the malicious behavior corresponding to the software under test.
  2. The method according to claim 1, characterized in that, before the obtaining first configuration information of each of the one or more sandboxes and second configuration information of software under test, the method further comprises:
    performing assembly-instruction-level translation and fragmentation of the system interfaces callable by each of the one or more sandboxes to obtain translated and fragmented target system interfaces;
    storing the target system interfaces corresponding to each sandbox in association with the system interfaces in the system interface library of that sandbox.
  3. The method according to claim 1 or 2, characterized in that the invoking the target sandbox to perform symbolic execution analysis on the software under test to obtain the equivalent execution paths of the functions of the software under test comprises:
    while invoking the target sandbox to perform symbolic execution analysis on the software under test, detecting whether the current execution path of a function obtained by the symbolic analysis reaches a call to any of the system interfaces in the system interface library of the target sandbox;
    if the current execution path of the function obtained by the symbolic analysis reaches the any system interface, terminating the current execution path of the function and generating the equivalent execution path corresponding to the current execution path of the function.
  4. The method according to any one of claims 1 to 3, characterized in that the invoking the target sandbox to dynamically execute the target equivalent execution path comprises:
    inputting the input value array corresponding to the target equivalent execution path into a sample program of the target sandbox to obtain the execution flow of the target equivalent execution path;
    slicing the execution flow according to jump instructions preset in the target sandbox to obtain one or more execution flow fragments;
    performing the respective corresponding preset operations on the one or more execution flow fragments obtained by the slicing.
  5. The method according to claim 4, characterized in that, after the slicing the execution flow according to the jump instructions preset by the current system of the target sandbox to obtain one or more execution flow fragments, the method further comprises:
    introducing binary instrumentation into each of the one or more execution flow fragments;
    wherein the recording the execution trace and the invoked system resources corresponding to the software under test executing the equivalent execution path comprises:
    invoking the binary instrumentation to record the execution traces corresponding to performing the respective corresponding preset operations on the one or more execution flow fragments, and the system resources invoked in performing the respective corresponding preset operations.
  6. The method according to any one of claims 1 to 5, characterized in that, before the obtaining first configuration information of each of the one or more sandboxes and second configuration information of software under test, the method further comprises:
    obtaining a sample software feature value of the sample software, and comparing the sample software feature value with malware feature values of malware in a preset software library;
    if the sample software feature value matches a malware feature value, determining that the sample software is malware; detecting whether the current detection mode is a preset detection mode, and, if the current detection mode is the preset detection mode, determining the sample software to be the software under test and triggering the step of obtaining first configuration information of each of the one or more sandboxes and second configuration information of software under test;
    if the sample software feature value does not match the malware feature values, determining that the sample software is not malware, determining the sample software to be the software under test, and triggering the step of obtaining first configuration information of each of the one or more sandboxes and second configuration information of software under test.
  7. The method according to any one of claims 1 to 6, characterized in that, after the obtaining the equivalent execution path corresponding to each function of the software under test, the method further comprises:
    determining, according to the historical execution frequency of each malware execution path in a preset sample library, one or more of the equivalent execution paths corresponding to the functions as target equivalent execution paths, the historical execution frequency of the target equivalent execution paths being greater than or equal to a preset execution frequency threshold.
  8. 一种恶意软件检测装置,所述装置配置于预先部署有一个或者多个沙盒的服务器,其特征在于,包括:A malware detection device configured on a server with one or more sandboxes pre-deployed, and characterized in that it includes:
    获取模块,用于获取所述一个或者多个沙盒中每个沙盒的第一配置信息和待测软件的第二配置信息;An acquisition module, configured to acquire first configuration information of each sandbox in the one or more sandboxes and second configuration information of software to be tested;
    确定模块,用于根据所述获取模块获取到的所述每个沙盒的第一配置信息和所述第二配置信息在所述一个或者多个沙盒中确定出与所述待测软件匹配的目标沙盒;A determining module, configured to determine that the one or more sandboxes match the software under test according to the first configuration information and the second configuration information of each sandbox obtained by the obtaining module Target sandbox
    调用模块,用于调用所述目标沙盒对所述待测软件进行符号执行分析,以得到所述待测软件各功能各自对应的等价执行路径;An invoking module for invoking the target sandbox to perform symbolic execution analysis on the software under test to obtain an equivalent execution path corresponding to each function of the software under test;
    所述调用模块,还用于调用所述目标沙盒执行目标等价执行路径,并记录所述待测软件执行所述目标等价执行路径对应的执行轨迹以及调用的系统资源,所述目标等价执行路径为所述待测软件各功能各自对应的等价执行路径中的一个或者多个;The calling module is further configured to call the target sandbox to execute the target equivalent execution path, and record the execution trajectory corresponding to the target equivalent execution path executed by the software under test and the system resources to be called, the target, etc. The price execution path is one or more of the equivalent execution paths corresponding to the respective functions of the software under test;
    所述确定模块,还用于根据所述执行轨迹和所述调用的系统资源确定所述待测软件是否存在恶意行为,当确定出待测软件存在所述恶意行为,则确定所述待测软件为恶意软件;The determining module is further configured to determine whether the software under test has malicious behavior according to the execution trace and the invoked system resources, and when it is determined that the software under test has the malicious behavior, determine the software under test Is malware
    输出模块,用于当所述确定模块确定出所述待测软件为所述恶意软件时,输出所述待测软件对应的所述恶意行为。An output module is configured to output the malicious behavior corresponding to the software to be tested when the determining module determines that the software to be tested is the malware.
  9. 根据权利要求8所述的装置,其特征在于,所述装置还包括:The apparatus according to claim 8, further comprising:
    处理模快,用于对所述一个或者多个沙盒中每个沙盒可调用的系统接口进行汇编指令级别的转译和分片处理,得到转译和分片处理后的目标系统接口;The processing module is fast and is used to perform assembly instruction level translation and fragmentation processing on the system interfaces that can be called by each sandbox in the one or more sandboxes to obtain the target system interface after the translation and fragmentation processing;
    存储模块,用于将所述每个沙盒对应的所述目标系统接口和所述系统接口关联存储至该沙盒的系统接口库中。A storage module, configured to associate the target system interface and the system interface corresponding to each sandbox to a system interface library of the sandbox;
  10. 根据权利要求8或9所述的装置,其特征在于,所述调用模块,具体用于在调用所述目标沙盒对所述待测软件进行符号执行分析时,检测执行所述符号分析得到的功能的当前执行路径是否执行至调用所述目标沙盒的系统接口库中的任一所述系统接口;若执行所述符号分析得到的功能的当前执行路径执行至所述任一系统接口,则结束所述功能的当前执行路径,并生成所述功能的当前执行路径对应的等价执行路径。The device according to claim 8 or 9, wherein the invoking module is specifically configured to detect, when the target sandbox is invoked to perform symbolic analysis on the software under test, the symbol analysis result obtained by performing the symbolic analysis. Whether the current execution path of the function is executed to any of the system interfaces in the system interface library that invokes the target sandbox; if the current execution path of the function obtained by performing the symbol analysis is executed to any of the system interfaces, End the current execution path of the function and generate an equivalent execution path corresponding to the current execution path of the function.
  11. 根据权利要求8-10任一项所述的装置,其特征在于,所述调用模块,具体用于将所述目标等价执行路径对应的输入值数组输入所述目标沙盒的样本程序中,得到所述目标等价执行路径的执行流;根据所述目标沙盒中预设的跳转指令对所述执行流进行切片处理, 得到一个或者多个执行流片段;对切片处理后得到的所述一个或者多个执行流片段执行各自对应的预设操作。The apparatus according to any one of claims 8 to 10, wherein the calling module is specifically configured to input an input value array corresponding to the target equivalent execution path into a sample program of the target sandbox, Obtaining the execution flow of the target equivalent execution path; slicing the execution flow according to a preset jump instruction in the target sandbox to obtain one or more execution flow fragments; The one or more execution stream segments perform respective preset operations.
  12. 根据权利要求11所述的装置,其特征在于,所述装置还包括:插桩模块,用于分别在所述一个或者多个执行流片段中的各个执行流片段中引入二进制插桩;其中,所述调用模块,还具体用于调用所述二进制插桩记录对所述一个或者多个执行流片段执行各自对应的所述预设操作对应的执行轨迹,以及执行各自对应的所述预设操作所调用的系统资源。The device according to claim 11, further comprising: an instrumentation module, configured to introduce binary instrumentation into each of the one or more execution flow fragments; wherein, The calling module is further specifically configured to call the binary instrumentation record to execute an execution track corresponding to the preset operation corresponding to the one or more execution stream fragments, and to execute the corresponding corresponding preset operation. System resources called.
  13. 根据权利要求8-12任一项所述的装置,其特征在于,所述获取模块,还用于获取所述样本软件的样本软件特征值,并将所述样本软件特征值与预设软件库中恶意软件的恶意软件特征值进行比较;The device according to any one of claims 8 to 12, wherein the obtaining module is further configured to obtain a sample software feature value of the sample software, and compare the sample software feature value with a preset software library. To compare malware characteristic values in malware;
    确定模块,还用于若确定出所述样本软件特征值与所述恶意软件特征值匹配,则确定所述样本软件为恶意软件,则检测当前检测模式是否为预设检测模式,若当前检测模式为所述预设检测模式,则将所述样本软件确定为待测软件,并触发所述获取所述一个或者多个沙盒中每个沙盒的第一配置信息和待测软件的第二配置信息的步骤;The determining module is further configured to, if it is determined that the sample software characteristic value matches the malware characteristic value, determine that the sample software is malware, and then detect whether the current detection mode is a preset detection mode, and if the current detection mode is For the preset detection mode, the sample software is determined as the software to be tested, and the acquiring of the first configuration information of each sandbox in the one or more sandboxes and the second of the software to be tested is triggered. Steps to configure information;
    确定模块,还用于若确定出所述样本软件特征值与所述恶意软件特征值不匹配,则确定所述样本软件为非恶意软件;将所述样本软件确定为待测软件,并触发所述获取所述一个或者多个沙盒中每个沙盒的第一配置信息和待测软件的第二配置信息的步骤。The determining module is further configured to determine that the sample software is non-malware software if it is determined that the sample software characteristic value does not match the malware software characteristic value; determine the sample software as the software to be tested, and trigger the The steps of obtaining the first configuration information of each sandbox in the one or more sandboxes and the second configuration information of the software to be tested are described.
  14. The apparatus according to any one of claims 8 to 13, wherein the determining module is further configured to determine, according to the historical execution frequency of each malware execution path in a preset sample library, one or more of the equivalent execution paths corresponding to the respective functions as target equivalent execution paths, the historical execution frequency of a target equivalent execution path being greater than or equal to a preset execution frequency threshold.
  15. A server on which one or more sandboxes are pre-deployed, comprising a processor and a memory connected to each other, wherein the memory is configured to store a computer program comprising program instructions, and the processor is configured to invoke the program instructions to perform: obtaining first configuration information of each of the one or more sandboxes and second configuration information of software under test, and determining, among the one or more sandboxes, a target sandbox matching the software under test according to the first configuration information of each sandbox and the second configuration information; invoking the target sandbox to perform symbolic execution analysis on the software under test to obtain the equivalent execution paths corresponding to each function of the software under test; invoking the target sandbox to execute a target equivalent execution path, and recording the execution trace of the software under test executing the target equivalent execution path and the system resources invoked, the target equivalent execution path being one or more of the equivalent execution paths corresponding to the respective functions of the software under test; determining, according to the execution trace and the invoked system resources, whether the software under test exhibits malicious behaviour; and when the software under test exhibits the malicious behaviour, determining that the software under test is malware and outputting the malicious behaviour corresponding to the software under test.
  16. The server according to claim 15, wherein the processor is further configured to perform assembly-instruction-level translation and fragmentation on the system interfaces callable by each of the one or more sandboxes to obtain translated and fragmented target system interfaces, and to store the target system interfaces corresponding to each sandbox in association with the system interfaces in the system interface library of that sandbox.
  17. The server according to claim 15 or 16, wherein the processor is further configured to, while invoking the target sandbox to perform symbolic execution analysis on the software under test, detect whether the current execution path of a function obtained by the symbolic analysis has executed to a call of any of the system interfaces in the system interface library of the target sandbox; and if the current execution path of the function obtained by the symbolic analysis has executed to any of the system interfaces, terminate the current execution path of the function and generate the equivalent execution path corresponding to the current execution path of the function.
  18. The server according to any one of claims 15 to 17, wherein the processor is further configured to input the input value array corresponding to the target equivalent execution path into the sample program in the target sandbox to obtain the execution flow of the target equivalent execution path; slice the execution flow according to jump instructions preset in the target sandbox to obtain one or more execution flow fragments; and perform the respective corresponding preset operations on the one or more execution flow fragments obtained by slicing.
  19. The server according to claim 18, wherein the processor is further configured to introduce binary instrumentation into each of the one or more execution flow fragments, and to invoke the binary instrumentation to record the execution trace of performing the respective corresponding preset operation on the one or more execution flow fragments and the system resources invoked in performing the respective corresponding preset operation.
  20. A computer-readable storage medium storing a computer program, the computer program comprising program instructions which, when executed by a processor, cause the processor to perform the method according to any one of claims 1 to 7.
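The following Python model is an added illustration and is not code from the patent or from the applicant; it shows the later stages of the claimed pipeline (the frequency-based path selection of claim 14, the jump-instruction slicing of claim 18, the per-fragment trace and resource recording of claim 19, and the behaviour determination of claim 15) on a constructed x86 instruction trace. Real binary instrumentation is replaced by a plain walk over the recorded instructions; the instruction list, the set of "preset jump instructions", the system interface library and the behaviour rules are all assumptions chosen for the example, since the claims name none of them. Note that the claims deliberately send a sample to the sandbox even when its feature value matches nothing in the malware library: a missing hash match is not evidence of benignity, which is why the dynamic stage below is the one that produces the verdict.

```python
"""Toy model of trace slicing, resource recording and behaviour scoring.

Added example; the patent describes the stages abstractly and fixes none of
the concrete values used here.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Mapping


@dataclass(frozen=True)
class Insn:
    """One instruction from a recorded execution flow (constructed format)."""
    addr: int
    mnemonic: str
    operand: str = ""


# Assumed "preset jump instructions" (claim 18). `call` is deliberately not a
# slice point so that a system-interface call stays inside its fragment.
JUMP_MNEMONICS = frozenset({"jmp", "je", "jne", "jz", "jnz", "ja", "jb", "ret"})

# Assumed stand-in for the sandbox's system interface library (claims 16/17),
# mapping each callable interface to a resource category.
SYSTEM_INTERFACES: Mapping[str, str] = {
    "CreateFileW": "file",
    "WriteFile": "file",
    "RegSetValueExW": "registry",
    "connect": "network",
    "send": "network",
    "CreateRemoteThread": "process",
}

# Constructed behaviour rules: a behaviour fires when every listed resource
# category was invoked somewhere along the executed path.
BEHAVIOUR_RULES: Mapping[str, frozenset] = {
    "persistence_via_registry": frozenset({"registry"}),
    "drop_and_exfiltrate": frozenset({"file", "network"}),
    "remote_thread_injection": frozenset({"process"}),
}


def select_target_paths(paths: Iterable[str], history: Mapping[str, int],
                        threshold: int) -> list[str]:
    """Claim 14: keep the equivalent paths whose historical execution
    frequency in the sample library is at least the threshold."""
    return [p for p in paths if history.get(p, 0) >= threshold]


def slice_execution_flow(trace: Iterable[Insn],
                         jumps: frozenset = JUMP_MNEMONICS) -> list[tuple[Insn, ...]]:
    """Claim 18: cut the linear trace at each jump; the jump closes its fragment."""
    fragments: list[tuple[Insn, ...]] = []
    current: list[Insn] = []
    for insn in trace:
        current.append(insn)
        if insn.mnemonic in jumps:
            fragments.append(tuple(current))
            current = []
    if current:                      # trailing fragment without a final jump
        fragments.append(tuple(current))
    return fragments


def instrument_fragments(fragments, interfaces: Mapping[str, str] = SYSTEM_INTERFACES):
    """Claim 19 stand-in: per fragment, record the executed addresses (the
    trajectory) and every call into the system interface library (resources)."""
    trajectory = [(idx, tuple(i.addr for i in frag)) for idx, frag in enumerate(fragments)]
    resources = [
        (idx, insn.operand, interfaces[insn.operand])
        for idx, frag in enumerate(fragments)
        for insn in frag
        if insn.mnemonic == "call" and insn.operand in interfaces
    ]
    return trajectory, resources


def detect_malicious_behaviour(resources, rules=BEHAVIOUR_RULES) -> list[str]:
    """Claim 15: derive behaviours from the categories of invoked resources."""
    seen = {category for _, _, category in resources}
    return sorted(name for name, needed in rules.items() if needed <= seen)


def analyse(trace: Iterable[Insn]) -> dict:
    """Run slicing, recording and the verdict; output behaviours when malicious."""
    fragments = slice_execution_flow(trace)
    trajectory, resources = instrument_fragments(fragments)
    behaviours = detect_malicious_behaviour(resources)
    return {
        "fragments": len(fragments),
        "trajectory": trajectory,
        "resources": resources,
        "behaviours": behaviours,
        "is_malware": bool(behaviours),
    }


# Constructed trace of one target equivalent path: open a file, write it,
# set a registry value, then connect out and send.
SAMPLE_TRACE = [
    Insn(0x401000, "push", "ebp"),
    Insn(0x401001, "mov", "ebp, esp"),
    Insn(0x401003, "call", "CreateFileW"),
    Insn(0x401008, "test", "eax, eax"),
    Insn(0x40100A, "jz", "0x401030"),
    Insn(0x40100C, "call", "WriteFile"),
    Insn(0x401011, "call", "RegSetValueExW"),
    Insn(0x401016, "jmp", "0x401040"),
    Insn(0x401040, "call", "connect"),
    Insn(0x401045, "call", "send"),
    Insn(0x40104A, "ret"),
]

if __name__ == "__main__":
    report = analyse(SAMPLE_TRACE)
    print(report["fragments"], report["behaviours"], report["is_malware"])
```

Cutting the trace at jumps rather than at calls keeps each system-interface call attached to the basic block that decided to make it, which is what lets the per-fragment trajectory explain *why* a resource was touched rather than only *that* it was; a truncated prefix of the same trace that never reaches the network calls yields no behaviour and a non-malware verdict, matching the claim's condition that the verdict depends on behaviours actually observed.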
PCT/CN2018/108474 2018-07-27 2018-09-28 Malicious software detection method and related device WO2020019505A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810851519.9A CN109101815B (en) 2018-07-27 2018-07-27 Malicious software detection method and related equipment
CN201810851519.9 2018-07-27

Publications (1)

Publication Number Publication Date
WO2020019505A1 true WO2020019505A1 (en) 2020-01-30

Family

ID=64848078

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/108474 WO2020019505A1 (en) 2018-07-27 2018-09-28 Malicious software detection method and related device

Country Status (2)

Country Link
CN (1) CN109101815B (en)
WO (1) WO2020019505A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110287700B (en) * 2019-05-14 2021-06-29 北京邮电大学 iOS application security analysis method and device
CN110245494A (en) * 2019-06-18 2019-09-17 平安科技(深圳)有限公司 Malware detection method, electronic device and computer-readable storage medium
CN111475808B (en) * 2020-04-08 2022-07-08 苏州浪潮智能科技有限公司 Software security analysis method, system, equipment and computer storage medium
CN111797393B (en) * 2020-06-23 2023-05-23 安天科技集团股份有限公司 Method and device for detecting malicious mining behavior based on GPU
CN116861418B (en) * 2023-09-05 2023-12-22 北京华云安信息技术有限公司 Penetration test method, device, equipment and storage medium for 32-bit Windows sandbox
CN117521087B (en) * 2024-01-04 2024-03-15 江苏通付盾科技有限公司 Equipment risk behavior detection method, system and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103646213A (en) * 2013-09-26 2014-03-19 北京神州绿盟信息安全科技股份有限公司 Method and device for classifying malicious software
CN106055479A (en) * 2016-06-01 2016-10-26 中国科学院信息工程研究所 Android application software test method based on compulsory execution
CN106570394A (en) * 2016-11-10 2017-04-19 厦门安胜网络科技有限公司 Method for detecting rogue programs
CN107832105A (en) * 2017-11-24 2018-03-23 南昌黑鲨科技有限公司 Application program launching method, launcher and computer-readable storage medium

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102034050A (en) * 2011-01-25 2011-04-27 四川大学 Dynamic malware detection method based on a virtual machine and awareness of sensitive native API calls
US9613209B2 (en) * 2011-12-22 2017-04-04 Microsoft Technology Licensing, Llc. Augmenting system restore with malware detection
CN102945347B (en) * 2012-09-29 2016-02-24 中兴通讯股份有限公司 Method, system and device for detecting Android malware

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115080061A (en) * 2022-06-28 2022-09-20 中国电信股份有限公司 Deserialization attack detection method, apparatus, electronic device and medium
CN115080061B (en) * 2022-06-28 2023-09-29 中国电信股份有限公司 Deserialization attack detection method and apparatus, electronic device and medium

Also Published As

Publication number Publication date
CN109101815B (en) 2023-04-07
CN109101815A (en) 2018-12-28

Similar Documents

Publication Publication Date Title
WO2020019505A1 (en) Malicious software detection method and related device
US10887328B1 (en) System and method for detecting interpreter-based exploit attacks
US20210209225A1 (en) Methods and apparatus for control and detection of malicious content using a sandbox environment
US10055585B2 (en) Hardware and software execution profiling
Yin et al. Panorama: capturing system-wide information flow for malware detection and analysis
Bläsing et al. An android application sandbox system for suspicious software detection
US9594904B1 (en) Detecting malware based on reflection
US8296848B1 (en) Control flow redirection and analysis for detecting vulnerability exploitation
US20200193031A1 (en) System and Method for an Automated Analysis of Operating System Samples, Crashes and Vulnerability Reproduction
US11409862B2 (en) Intrusion detection and prevention for unknown software vulnerabilities using live patching
US20200012793A1 (en) System and Method for An Automated Analysis of Operating System Samples
US9507933B2 (en) Program execution apparatus and program analysis apparatus
US9519789B2 (en) Identifying security vulnerabilities related to inter-process communications
US20220138314A1 (en) Automated generation of a sandbox configuration for malware detection
Tromer et al. Droiddisintegrator: Intra-application information flow control in android apps
US20180341770A1 (en) Anomaly detection method and anomaly detection apparatus
US20230376587A1 (en) Online command injection attacks identification
US20230141948A1 (en) Analysis and Testing of Embedded Code
US11283836B2 (en) Automatic decoy derivation through patch transformation
Maasmi Data Collection Probe with Applications State Identifier for ML Based Exfiltration Detection
CN116821904A (en) Mobile malicious program monitoring system based on big data
CN114510713A (en) Method and device for detecting malicious software, electronic equipment and storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18927285

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 11/05/2021)

122 Ep: pct application non-entry in european phase

Ref document number: 18927285

Country of ref document: EP

Kind code of ref document: A1