CN101593249A - A kind of apocrypha analytical approach and system - Google Patents
A kind of apocrypha analytical approach and systemDownload PDFInfo
- Publication number
- CN101593249A CN101593249ACN 200810067552CN200810067552ACN101593249ACN 101593249 ACN101593249 ACN 101593249ACN 200810067552CN200810067552CN 200810067552CN 200810067552 ACN200810067552 ACN 200810067552ACN 101593249 ACN101593249 ACN 101593249A
- Authority
- CN
- China
- Prior art keywords
- apocrypha
- virtual machine
- module
- analysis result
- rogue program
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/51—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
- Debugging And Monitoring (AREA)
Abstract
Description
Technical field
The present invention relates to the computer security technique field, relate in particular to a kind of apocrypha analytical approach and system.
Background technology
Virtual machine (Virtual Machine) is a computing machine of fabricating out, realizes by the various computer functions of analogue simulation on real computing machine.Can on a computer (host), simulate one or more virtual computing machines (virtual machine) by software virtual machine, and every virtual machine can move independent operating system and not disturb mutually, promptly the computing machine that virtual machine is exactly a platform independent has independently operating system.Virtual machine uses CPU, part disk space and the internal memory of real system, and virtual machine carries out work just as real computing machine fully, for example can installing operating system, set up applications, accesses network resource etc.
Because the virtual machine biggest advantage is exactly convenient, fast, saving resource, so become the indispensable instrument of a lot of individuals or enterprise, especially information security industry, because the singularity of information security industry job specification, especially study or test the department of rogue program, when each rogue program of research, all need the operating system of one " totally ", because meeting phase mutual interference between the rogue program, may cause the operating system disorder, thereby the The Study of Interference personnel are to the judgement of its behavior.In order to obtain result accurately, the researchist must adopt the operating system of " totally ".If the researchist selects true host computer system to study rogue program, (refitting) system of recovery needs the long period, thereby the plenty of time can be wasted, software company must save this time, current popular in addition Malware big city can normally move in virtual machine, with operation result in true host operating system without any difference, can not influence researchist's judgment, so software information security firm has mostly selected virtual machine environment for use to the analysis of most of Malware (Malware) and test processes the time.
In realizing process of the present invention, the inventor finds that there are the following problems at least in the prior art: need manual operation when using virtual machine, as to single object storage (Single Instance Storage, SIS) establishment, recover, deletion action and to the startup of VirtualMachine system, suspend, restart, operations such as shutdown all need artificial participation, analysis project teacher of software information security firm and Test Engineer just must reach the work purpose by the manual operation virtual machine when Malware is analyzed and tested, therefore, software information security firm is in this link cost lot of manpower and material resources.
Summary of the invention
In view of above content, be necessary to provide a kind of apocrypha analytical approach and system, can finish analysis automatically to apocrypha, improve the efficient of analyzing and testing apocrypha.
Embodiment of the present invention provides a kind of apocrypha analytical approach, comprising:
Configuration file according to storage in advance obtains one or more apocryphas, and described configuration file is the information relevant with apocrypha;
Choosing wherein, an apocrypha is sent to virtual machine and moves the described apocrypha of choosing;
Behavioural characteristic when writing down described apocrypha and moving in described virtual machine also saves as daily record;
According to the described apocrypha of the log analysis of described record and export analysis result.
Embodiment of the present invention also provides a kind of apocrypha analytic system, comprising:
The file acquisition module is used for obtaining one or more apocryphas according to the configuration file of storage in advance, and described configuration file is the information relevant with apocrypha;
The virtual machine module is used to move the apocrypha of described transmission, and the behavioural characteristic when writing down described apocrypha and moving in described virtual machine also saves as daily record;
Analysis module is used for according to the described apocrypha of the log analysis of described record and exports analysis result.
The embodiment of the invention is sent to described virtual machine automatically with described one or more apocryphas, by monitoring and analyzing the behavioural characteristic of apocrypha when virtual machine moves and export analysis result automatically, can analyze apocrypha automatically and export analysis result, improve analysis efficiency, saved time and human cost.
Description of drawings
In order to be illustrated more clearly in the embodiment of the invention or technical scheme of the prior art, to do one to the accompanying drawing of required use in embodiment or the description of the Prior Art below introduces simply, apparently, accompanying drawing in describing below only is some embodiments of the present invention, for those of ordinary skills, under the prerequisite of not paying creative work, can also obtain other accompanying drawing according to these accompanying drawings.
Fig. 1 is the schematic flow sheet of embodiment of the invention apocrypha analytical approach;
Fig. 2 is the structural representation of the embodiment of the invention one apocrypha analytic system;
Fig. 3 is the structural representation of the embodiment of the invention two apocrypha analytic systems.
Embodiment
In order to make purpose of the present invention, technical scheme and advantage clearer,, the present invention is further elaborated below in conjunction with drawings and the embodiments.Should be appreciated that embodiment described herein only in order to explanation the present invention, and be not used in qualification the present invention.
Please refer to Fig. 1, be the schematic flow sheet of embodiment of the invention apocrypha analytical approach, its step specifically comprises:
Step S10: read configuration file; Described configuration file is the information relevant with apocrypha of storage in advance, such as the path of apocrypha, be used for the custom rule information such as (step or the strategies that comprise the apocrypha analysis) that apocrypha is analyzed.Described configuration file can be made amendment according to actual needs, and the step that path position changes, apocrypha is analyzed of the apocrypha of placing such as reality or strategy need to adjust etc.
Step S12: obtain one or more apocryphas according to described configuration file, concrete, after reading described configuration file, according to the relevant information in the described configuration file, as the path of apocrypha, obtain one or more apocryphas from the path of apocrypha.During specific implementation, one or more apocryphas to be analyzed can be placed in advance the path position place of apocrypha in the described configuration file.
Step S14: choose an apocrypha and be sent to virtual machine and move the described apocrypha of choosing, but described virtual machine is processor, the internal memory of a simulated real system,, and the part of the hard disk of real system is modeled to the analogue means of own hard disk, the embodiment of the invention describes with the virtual machine instance of original state; Concrete, from the one or more apocryphas that obtain, choose an apocrypha by traversal or mode at random, be sent in the virtual machine that is in original state the described apocrypha of choosing and operation.The virtual machine that is in original state represents that promptly described virtual machine just has been created or initialization, is not infected by any rogue program, can create the virtual machine image of an original state during specific implementation.The virtual machine of described original state can be moved in advance, promptly move described apocrypha after sending etc. described apocrypha, after also can waiting described apocrypha to send, the virtual machine that starts described original state brings into operation, then move described apocrypha, the custom rule decision that the concrete steps order is analyzed by the apocrypha in the described configuration file by virtual machine.
Step S16: the behavioural characteristic when writing down described apocrypha and moving in described virtual machine also saves as daily record; Concrete, the postrun behavioural characteristic of present rogue program mainly contains: revise registration table (purpose allow own start self-starting next time), find it oneself is not just oneself to be copied to system directory at system directory (also can delete oneself then, prevent that the user from suspecting), also comprise by hanging system's hook, utilize malicious act features such as system vulnerability, long-range injection to obtain user's keyboard operation, to collect user profile.Behavioural characteristic when the described apocrypha of described virtual machine module monitors moves in virtual machine, and described behavioural characteristic is recorded as daily record, be kept in the logger module.
Step S18: according to the described apocrypha of the log analysis of described record and export analysis result; Concrete, can analyze according to custom rule, such as the behavioural characteristic in the daily record of described record is given a mark, as rogue program with oneself copying system directory to, revised certain specific registration table, having discharged other file (derivant) and all give a mark, according to the comparative result output analysis result of score value and pre-set threshold to system directory etc.In the present embodiment, then be judged to be rogue program, promptly export the analysis result that described apocrypha is the rogue program file when score value reaches the threshold value that sets in advance; If mark be zero or mark low then to export described apocrypha respectively be non-rogue program file or the analysis result that needs the slip-stick artist further to confirm; In addition, also the rogue program behavioural characteristic of storing in the daily record of described record and the rogue program database module can be compared, according to comparative result output analysis result.In the present embodiment, if the behavioural characteristic in the daily record of described record all conforms to the rogue program behavioural characteristic of storing in the described rogue program database module, then export the analysis result that described apocrypha is the rogue program file, as if not meeting or partly meeting, then exporting described apocrypha respectively is non-rogue program file or the analysis result that needs the further affirmation of slip-stick artist, concrete analysis rule can be self-defined according to user's needs, also can be determined by the custom rule that the apocrypha in the described configuration file is analyzed.
Step S20: judge whether in addition other apocryphas, concrete, export the analysis result of described apocrypha at step S18 after, judge whether other apocryphas that do not transmit in addition, if be judged as be, then execution in step S22; If be judged as not, then finish the apocrypha analysis.
Step S22: recover described virtual machine to original state; Concrete, by the mode of recovering virtual machine image described virtual machine being returned to original state, execution in step S14 is to carry out the analysis of another apocrypha.
The embodiment of the invention is sent to described virtual machine automatically with described one or more apocryphas, by monitoring and analyzing the behavioural characteristic of apocrypha when virtual machine moves and export analysis result automatically, but the analysis apocrypha of automatic batch, improve analysis efficiency, saved time and human cost.
Please refer to Fig. 2, be the structural representation of the embodiment of the invention one apocrypha analytic system, described apocrypha analytic system comprisesprofile module 50,file acquisition module 52,virtual machine module 60,analysis module 54, rogueprogram database module 56 andjudge module 58.
Describedprofile module 50 is used for store configuration files, and described configuration file is the information relevant with apocrypha, as the path of apocrypha, be used for the custom rule information such as (comprising step or strategy that apocrypha is analyzed) that apocrypha is analyzed.
Describedfile acquisition module 52, be used for reading described configuration file from describedprofile module 50, obtain one or more apocryphas according to described configuration file, choose an apocrypha and be sent to the virtual machine in the describedvirtual machine module 60 and move the described apocrypha of choosing.Concrete, describedfile acquisition module 52 obtains prepositioned apocrypha according to the path of the apocrypha in the described configuration file, from the one or more apocryphas that obtain, choose an apocrypha by traversal or at random mode, the described apocrypha of choosing is sent in the describedvirtual machine module 60 one is in the virtual machine of original state and operation.
Describedvirtual machine module 60 is used to move the apocrypha of described transmission, and the behavioural characteristic when writing down described apocrypha and moving in described virtual machine also saves as daily record.The postrun behavioural characteristic of present rogue program mainly contains: revise registration table (purpose allow own start self-starting next time), find it oneself is not just oneself to be copied to system directory at system directory (also can delete oneself then, prevent that the user from suspecting), also comprise by hanging system's hook, utilize system vulnerability, long-range injection etc. to obtain user's keyboard operation, to collect user profile.Behavioural characteristic when the described apocrypha of described virtual machine module monitors moves in virtual machine, and described behavioural characteristic saved as daily record.
Described rogueprogram database module 56, behavioural characteristic when being used to store existing rogue program operation, as revise registration table, with self copy system directory to, hang system's hook, discharged drive or other file (derivant) to system directory, interception API (SSDT chain), ATTACH file (network, keyboard drive) etc.
Describedanalysis module 54 is used for according to the described apocrypha of the log analysis of described record and exports analysis result; Concrete, can analyze according to custom rule, such as the behavioural characteristic in the daily record of described record is given a mark, as rogue program with oneself copy system directory to, revised certain specific registration table, discharged drive or other file (derivant) to system directory, tackle API (SSDT chain), ATTACH file (network, keyboard drive) etc. and all give a mark, then be judged to be rogue program when score value reaches the threshold value that sets in advance, promptly export the analysis result that described apocrypha is the rogue program file; If mark be zero or mark low then to export described apocrypha respectively be non-rogue program file or the analysis result that needs the slip-stick artist further to confirm; In addition, also the rogue program behavioural characteristic of storage in the daily record of described record and the described rogueprogram database module 56 can be compared, if the behavioural characteristic of the log record of described record all conforms to the rogue program behavioural characteristic of storing in the described rogue program database module, then export the analysis result that described apocrypha is the rogue program file, as if not meeting or partly meeting, then exporting described apocrypha respectively is non-rogue program file or the analysis result that needs the further affirmation of slip-stick artist, concrete analysis rule can be self-defined according to user's needs, also can be determined by the custom rule that the apocrypha in the described configuration file is analyzed.
Describedjudge module 58, be used to judge whether to also have other apocryphas, concrete, behind the analysis result of the described apocrypha of describedanalysis module 54 outputs, describedjudge module 58 judges whether describedfile acquisition module 52 also has other apocryphas that do not transmit, if be judged as be, then notify describedvirtual machine module 60 that described virtual machine is returned to original state, and notify describedfile acquisition module 52 to transmit next apocrypha to described virtual machine; If be judged as not, then finish the apocrypha analysis.Describedjudge module 58 is provided with separately in the present embodiment, also can integrate with describedfile acquisition module 52 in specific implementation.
Configuration file described in the embodiment of the invention can be stored in describedfile acquisition module 52 in advance, does not promptly need to be provided with in addition describedprofile module 50.
The embodiment of the invention is sent to describedvirtual machine module 60 by describedfile acquisition module 52 automatically with described one or more apocryphas, by monitoring and analyzing the behavioural characteristic of apocrypha when virtual machine moves and export analysis result automatically by describedanalysis module 54, improve analysis efficiency, saved time and human cost.
Please refer to Fig. 3, be the structural representation of the embodiment of the invention two apocrypha analytic systems, describedvirtual machine module 60 that the difference of itself and the embodiment of the invention one has been concrete refinement.Describedvirtual machine module 60 comprises that virtual machine 62, monitor module 64, logger module 66 and virtual machine recover module 68.
Described virtual machine 62 after being used to receive the apocrypha of describedfile acquisition module 52 transmission, moves described apocrypha.Concrete, but described virtual machine 62 is processor, the internal memory of a simulated real system,, and the part of the hard disk of real system is modeled to the analogue means of own hard disk, can make described apocrypha operation time image the same when real system moves.
Described monitor module 64 is used for monitoring the behavioural characteristic of described apocrypha when virtual machine 62 operations;
Described logger module 66, be used for writing down apocrypha that described monitor module 64 monitors when described virtual machine operation behavioural characteristic and save as daily record.
Described virtual machine recovers module 68, is used for after describedjudge module 58 judges that describedfile acquisition module 52 also has the apocrypha that does not transmit described virtual machine 62 being returned to original state.
In specific implementation, describedvirtual machine module 60 has other module combinations forms, as can with as described in monitor module 64 and as described in the function of logger module 66 gather together, realize monitoring and writing down the function of behavioural characteristic with a module, the embodiment of the invention just is used for illustrating, with explanation the present invention, and be not used in qualification the present invention.
One of ordinary skill in the art will appreciate that all or part of step that realizes in the foregoing description method is to instruct relevant hardware to finish by program, described program can be stored in the computer read/write memory medium, and described storage medium is ROM/RAM, magnetic disc, CD etc.
The above; only for the preferable embodiment of the present invention, but protection scope of the present invention is not limited thereto, and anyly is familiar with those skilled in the art in the technical scope that the present invention discloses; the variation that can expect easily or replacement all should be encompassed within protection scope of the present invention.Therefore, protection scope of the present invention should be as the criterion with the protection domain of claim.
Claims (15)
1, a kind of apocrypha analytical approach comprises:
Configuration file according to storage in advance obtains one or more apocryphas, and described configuration file is the information relevant with apocrypha;
Choosing wherein, an apocrypha is sent to virtual machine and moves the described apocrypha of choosing;
Behavioural characteristic when writing down described apocrypha and moving in described virtual machine also saves as daily record;
According to the described apocrypha of the log analysis of described record and export analysis result.
2, the method for claim 1, it is characterized in that: described configuration file comprises the path of described apocrypha, obtains one or more apocryphas according to the configuration file of storing in advance and is specially: obtain prepositioned one or more apocrypha from the path of described apocrypha.
3, the method for claim 1, it is characterized in that: described step is according to the described apocrypha of the log analysis of described record and after exporting analysis result, also comprise step: judge whether other apocryphas in addition, be, then recover described virtual machine to original state if be judged as.
4, method as claimed in claim 3 is characterized in that: described step is recovered described virtual machine after original state, execution in step: choosing wherein, an apocrypha is sent to virtual machine and moves the described apocrypha of choosing.
5, the method for claim 1, it is characterized in that: described step is according to the described apocrypha of the log analysis of described record and export analysis result and comprise: the behavioural characteristic in the daily record of described record is given a mark, according to the comparative result output analysis result of score value and pre-set threshold.
6, method as claimed in claim 5 is characterized in that: then be judged to be rogue program when score value reaches the threshold value that sets in advance, promptly export the analysis result that described apocrypha is the rogue program file; If mark be zero or mark low then to export described apocrypha respectively be non-rogue program file or the analysis result that needs the slip-stick artist further to confirm.
7, the method for claim 1, it is characterized in that: described step is according to the described apocrypha of the log analysis of described record and export analysis result and comprise: the rogue program behavioural characteristic of storing in the daily record of described record and the rogue program database module is compared, according to comparative result output analysis result.
8, method as claimed in claim 7, it is characterized in that: if the behavioural characteristic in the daily record of described record all conforms to the rogue program behavioural characteristic of storing in the described rogue program database module, then export the analysis result that described apocrypha is the rogue program file, as if not meeting or partly meet, then exporting described apocrypha respectively is non-rogue program file or the analysis result that needs the further affirmation of slip-stick artist.
9, a kind of apocrypha analytic system comprises:
The file acquisition module is used for obtaining one or more apocryphas according to the configuration file of storage in advance, and described configuration file is the information relevant with apocrypha;
The virtual machine module is used to move the apocrypha of described transmission, and the behavioural characteristic when writing down described apocrypha and moving in described virtual machine also saves as daily record;
Analysis module is used for according to the described apocrypha of the log analysis of described record and exports analysis result.
10, system as claimed in claim 9 is characterized in that: also comprise profile module, be used to store described configuration file, described file acquisition module reads described configuration file from described profile module.
11, system as claimed in claim 9 is characterized in that: described virtual machine module comprises:
Virtual machine is used to receive the described apocrypha of operation behind the apocrypha that described file acquisition module transmits;
Monitor module is used for monitoring the behavioural characteristic of described apocrypha when described virtual machine moves;
Logger module, be used for writing down apocrypha that described monitor module monitors when described virtual machine operation behavioural characteristic and save as daily record.
12, system as claimed in claim 11, it is characterized in that: also comprise judge module, be used to judge whether described file acquisition module also has other apocryphas that do not transmit, if be judged as be, then notify described virtual machine module that described virtual machine is returned to original state, and notify described file acquisition module to transmit next apocrypha to described virtual machine.
13, system as claimed in claim 12, it is characterized in that: described virtual machine module comprises that also virtual machine recovers module, be used for after described judge module judges that described file acquisition module also has the apocrypha that does not transmit, described virtual machine being returned to original state.
14, system as claimed in claim 9 is characterized in that: described analysis module is given a mark to the behavioural characteristic in the daily record of described record, according to the comparative result output analysis result of score value and pre-set threshold.
15, system as claimed in claim 9, it is characterized in that: also comprise the rogue program database module, behavioural characteristic when being used to store existing rogue program operation, described analysis module compares the rogue program behavioural characteristic of storing in the daily record of described record and the described rogue program database module, according to comparative result output analysis result.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200810067552CN101593249B (en) | 2008-05-30 | 2008-05-30 | Suspicious file analyzing method and suspicious file analyzing system |
| PCT/CN2009/071759WO2009143742A1 (en) | 2008-05-30 | 2009-05-12 | Analysis method and system for suspicious file |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200810067552CN101593249B (en) | 2008-05-30 | 2008-05-30 | Suspicious file analyzing method and suspicious file analyzing system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101593249Atrue CN101593249A (en) | 2009-12-02 |
| CN101593249B CN101593249B (en) | 2011-08-03 |
Family
ID=41376597
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 200810067552Expired - Fee RelatedCN101593249B (en) | 2008-05-30 | 2008-05-30 | Suspicious file analyzing method and suspicious file analyzing system |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN101593249B (en) |
| WO (1) | WO2009143742A1 (en) |
Cited By (16)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102754073A (en)* | 2010-02-05 | 2012-10-24 | 微软公司 | Extension point declarative registration for virtualization |
| CN102957667A (en)* | 2011-08-23 | 2013-03-06 | 潘燕辉 | Method for intelligently replacing files on basis of cloud computation |
| CN103106364A (en)* | 2011-11-15 | 2013-05-15 | 株式会社日立制作所 | Program analyzing system and method |
| CN103150506A (en)* | 2013-02-17 | 2013-06-12 | 北京奇虎科技有限公司 | Method and device for detecting rogue program |
| CN103839003A (en)* | 2012-11-22 | 2014-06-04 | 腾讯科技(深圳)有限公司 | Malicious file detection method and device |
| CN103902886A (en)* | 2014-03-04 | 2014-07-02 | 珠海市君天电子科技有限公司 | Method and device for detecting third-party application |
| CN103905417A (en)* | 2013-11-12 | 2014-07-02 | 国家计算机网络与信息安全管理中心 | Device and method for authentication of network device files |
| CN104504331A (en)* | 2014-12-19 | 2015-04-08 | 北京奇虎科技有限公司 | Virtualization security detection method and system |
| CN105809035A (en)* | 2016-03-07 | 2016-07-27 | 南京邮电大学 | Android application real-time behavior based malicious software detection method and system |
| CN106228067A (en)* | 2016-07-15 | 2016-12-14 | 江苏博智软件科技有限公司 | Malicious code dynamic testing method and device |
| CN106572122A (en)* | 2016-12-09 | 2017-04-19 | 哈尔滨安天科技股份有限公司 | Host security evaluation method and system based on network behavior feature correlation analysis |
| CN107004089A (en)* | 2014-08-11 | 2017-08-01 | 森蒂内尔实验室以色列有限公司 | Malware detection method and its system |
| CN108038375A (en)* | 2017-12-21 | 2018-05-15 | 北京星河星云信息技术有限公司 | A kind of malicious file detection method and device |
| CN109960928A (en)* | 2017-12-22 | 2019-07-02 | 北京安天网络安全技术有限公司 | The processing method and processing system of apocrypha |
| CN110837639A (en)* | 2019-11-08 | 2020-02-25 | 浙江军盾信息科技有限公司 | Active defense method and system for unknown threat |
| CN114244599A (en)* | 2021-12-15 | 2022-03-25 | 杭州默安科技有限公司 | A way to interfere with malicious programs |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105978911B (en)* | 2016-07-15 | 2019-05-21 | 江苏博智软件科技有限公司 | Malicious code detecting method and device based on virtual execution technology |
| CN110889113A (en)* | 2019-10-30 | 2020-03-17 | 泰康保险集团股份有限公司 | Log analysis method, server, electronic device and storage medium |
| CN111092895B (en)* | 2019-12-23 | 2022-09-23 | 和元达信息科技有限公司 | Internet sensitive data safety protection system and method |
| CN114547603B (en)* | 2020-11-25 | 2025-07-15 | 腾讯科技(深圳)有限公司 | Supply chain attack detection method, device and related equipment |
Family Cites Families (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1707383A (en)* | 2004-06-10 | 2005-12-14 | 陈朝晖 | Method for analysing and blocking computer virus through process and system trace |
| US7908653B2 (en)* | 2004-06-29 | 2011-03-15 | Intel Corporation | Method of improving computer security through sandboxing |
| CN100547513C (en)* | 2005-02-07 | 2009-10-07 | 福建东方微点信息安全有限责任公司 | Computer Protection Method Based on Program Behavior Analysis |
| CN100374972C (en)* | 2005-08-03 | 2008-03-12 | 珠海金山软件股份有限公司 | A system and method for detecting and defending computer malicious programs |
| CN100595778C (en)* | 2007-07-16 | 2010-03-24 | 珠海金山软件股份有限公司 | Method and device for identifying virus files |
| CN101154258A (en)* | 2007-08-14 | 2008-04-02 | 电子科技大学 | Malicious program dynamic behavior automatic analysis system and method |
- 2008
- 2008-05-30CNCN 200810067552patent/CN101593249B/ennot_activeExpired - Fee Related
- 2009
- 2009-05-12WOPCT/CN2009/071759patent/WO2009143742A1/enactiveApplication Filing
Cited By (23)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102754073A (en)* | 2010-02-05 | 2012-10-24 | 微软公司 | Extension point declarative registration for virtualization |
| US10331466B2 (en) | 2010-02-05 | 2019-06-25 | Microsoft Technology Licensing, Llc | Extension point declarative registration for virtualization |
| US9262187B2 (en) | 2010-02-05 | 2016-02-16 | Microsoft Technology Licensing, Llc | Extension point declarative registration for virtualization |
| CN102957667A (en)* | 2011-08-23 | 2013-03-06 | 潘燕辉 | Method for intelligently replacing files on basis of cloud computation |
| CN103106364A (en)* | 2011-11-15 | 2013-05-15 | 株式会社日立制作所 | Program analyzing system and method |
| CN103839003B (en)* | 2012-11-22 | 2018-01-30 | 腾讯科技(深圳)有限公司 | Malicious file detection method and device |
| CN103839003A (en)* | 2012-11-22 | 2014-06-04 | 腾讯科技(深圳)有限公司 | Malicious file detection method and device |
| CN103150506A (en)* | 2013-02-17 | 2013-06-12 | 北京奇虎科技有限公司 | Method and device for detecting rogue program |
| CN103150506B (en)* | 2013-02-17 | 2016-03-30 | 北京奇虎科技有限公司 | The method and apparatus that a kind of rogue program detects |
| CN103905417A (en)* | 2013-11-12 | 2014-07-02 | 国家计算机网络与信息安全管理中心 | Device and method for authentication of network device files |
| CN103902886A (en)* | 2014-03-04 | 2014-07-02 | 珠海市君天电子科技有限公司 | Method and device for detecting third-party application |
| CN107004089A (en)* | 2014-08-11 | 2017-08-01 | 森蒂内尔实验室以色列有限公司 | Malware detection method and its system |
| CN104504331B (en)* | 2014-12-19 | 2017-12-08 | 北京奇安信科技有限公司 | Virtualize safety detection method and system |
| CN104504331A (en)* | 2014-12-19 | 2015-04-08 | 北京奇虎科技有限公司 | Virtualization security detection method and system |
| CN105809035A (en)* | 2016-03-07 | 2016-07-27 | 南京邮电大学 | Android application real-time behavior based malicious software detection method and system |
| CN105809035B (en)* | 2016-03-07 | 2018-11-09 | 南京邮电大学 | The malware detection method and system of real-time behavior is applied based on Android |
| CN106228067A (en)* | 2016-07-15 | 2016-12-14 | 江苏博智软件科技有限公司 | Malicious code dynamic testing method and device |
| CN106572122A (en)* | 2016-12-09 | 2017-04-19 | 哈尔滨安天科技股份有限公司 | Host security evaluation method and system based on network behavior feature correlation analysis |
| CN108038375A (en)* | 2017-12-21 | 2018-05-15 | 北京星河星云信息技术有限公司 | A kind of malicious file detection method and device |
| CN109960928A (en)* | 2017-12-22 | 2019-07-02 | 北京安天网络安全技术有限公司 | The processing method and processing system of apocrypha |
| CN110837639A (en)* | 2019-11-08 | 2020-02-25 | 浙江军盾信息科技有限公司 | Active defense method and system for unknown threat |
| CN114244599A (en)* | 2021-12-15 | 2022-03-25 | 杭州默安科技有限公司 | A way to interfere with malicious programs |
| CN114244599B (en)* | 2021-12-15 | 2023-11-24 | 杭州默安科技有限公司 | A way to interfere with malicious programs |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101593249B (en) | 2011-08-03 |
| WO2009143742A1 (en) | 2009-12-03 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101593249B (en) | Suspicious file analyzing method and suspicious file analyzing system | |
| CN104200161B (en) | Method for achieving intelligent sandbox file detection and intelligent sandbox detection system based on method | |
| CN103970585B (en) | Create the method and device of virtual machine | |
| CN104685476B (en) | For restoring the method, system and product of virtual machine | |
| CN102480494B (en) | File updating method, device and system | |
| CN102611745B (en) | On-line file moving method, device and system | |
| US20070250302A1 (en) | Simulated storage area network | |
| JP2021018799A (en) | System and method of inspecting plural archive slices for malware | |
| US20140222761A1 (en) | Terminal Backup and Recovery Method | |
| CN104268473A (en) | Method and device for detecting application programs | |
| CN106445643A (en) | Method and device for cloning and updating virtual machine | |
| CN105868056A (en) | Method, device and safety virtual machine for acquiring deleted files in Windows virtual machines | |
| CN104346194A (en) | Method, device and electronic equipment for starting file loading | |
| CN113515457B (en) | Internet of things equipment firmware security detection method and device | |
| CN115576600A (en) | Code change-based difference processing method and device, terminal and storage medium | |
| CN103400602B (en) | A kind of bad track of hard disk self-repairing method and equipment | |
| CN104346570A (en) | Trojan horse decision system based on dynamic code sequence tracking analysis | |
| CN103279334A (en) | Android software rapid dynamic detection device and method | |
| US9946853B1 (en) | Techniques for application code obfuscation | |
| CN107220146A (en) | A kind of file scan restoration methods and device | |
| CN115565609B (en) | Automatic analysis method for DNA sequencing data | |
| US9088604B1 (en) | Systems and methods for treating locally created files as trustworthy | |
| CN103699838A (en) | Identification method and equipment of viruses | |
| CN106126487A (en) | A kind of journal file method for splitting and device | |
| JP2002312210A5 (en) |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C56 | Change in the name or address of the patentee | Owner name:HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD. Free format text:FORMER NAME: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD. | |
| CP01 | Change in the name or title of a patent holder | Address after:611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River Patentee after:HUAWEI DIGITAL TECHNOLOGIES (CHENG DU) Co.,Ltd. Address before:611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River Patentee before:CHENGDU HUAWEI SYMANTEC TECHNOLOGIES Co.,Ltd. | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date:20110803 | |
| CF01 | Termination of patent right due to non-payment of annual fee |