CN101593249B

Movatterモバイル変換

Info

Publication number: CN101593249B
Application number: CN 200810067552
Authority: CN
Inventors: 张增现
Original assignee: Huawei Symantec Technologies Co Ltd
Current assignee: Huawei Digital Technologies Chengdu Co Ltd
Priority date: 2008-05-30
Filing date: 2008-05-30
Publication date: 2011-08-03
Anticipated expiration: 2028-05-30
Also published as: WO2009143742A1; CN101593249A

Abstract

The embodiment of the invention provides a suspicious file analyzing method which comprises the following steps: obtaining one or more suspicious files according to a prestored configuration file, wherein the configuration file is information relevant to the suspicious file; selecting one of the suspicious files, transmitting the selected suspicious file to a virtual machine and running the selected suspicious file; recoding the behavior characteristics of the suspicious file in the virtual machine during running and storing the behavior characteristics into a log; and analyzing the suspicious file according to the recorded log and outputting an analyzing result. The embodiment of the invention also provides a suspicious file analyzing system. The embodiment of the invention automatically transmits one or more suspicious files to the virtual machine, automatically outputs the analyzing result by monitoring and analyzing the behavior characteristics of the suspicious file in the virtual machine during running and can automatically analyze the suspicious file and output the analyzing result, improve the analyzing efficiency and save the time and the manpower cost.

Description

A kind of apocrypha analytical approach and system

Technical field

The present invention relates to the computer security technique field, relate in particular to a kind of apocrypha analytical approach and system.

Background technology

Virtual machine (Virtual Machine) is a computing machine of fabricating out, realizes by the various computer functions of analogue simulation on real computing machine.Can on a computer (host), simulate one or more virtual computing machines (virtual machine) by software virtual machine, and every virtual machine can move independent operating system and not disturb mutually, promptly the computing machine that virtual machine is exactly a platform independent has independently operating system.Virtual machine uses CPU, part disk space and the internal memory of real system, and virtual machine carries out work just as real computing machine fully, for example can installing operating system, set up applications, accesses network resource etc.

Because the virtual machine biggest advantage is exactly convenient, fast, saving resource, so become the indispensable instrument of a lot of individuals or enterprise, especially information security industry, because the singularity of information security industry job specification, especially study or test the department of rogue program, when each rogue program of research, all need the operating system of one " totally ", because meeting phase mutual interference between the rogue program, may cause the operating system disorder, thereby the The Study of Interference personnel are to the judgement of its behavior.In order to obtain result accurately, the researchist must adopt the operating system of " totally ".If the researchist selects true host computer system to study rogue program, (refitting) system of recovery needs the long period, thereby the plenty of time can be wasted, software company must save this time, current popular in addition Malware big city can normally move in virtual machine, with operation result in true host operating system without any difference, can not influence researchist's judgment, so software information security firm has mostly selected virtual machine environment for use to the analysis of most of Malware (Malware) and test processes the time.

In realizing process of the present invention, the inventor finds that there are the following problems at least in the prior art: need manual operation when using virtual machine, as to single object storage (Single Instance Storage, SIS) establishment, recover, deletion action and to the startup of VirtualMachine system, suspend, restart, operations such as shutdown all need artificial participation, analysis project teacher of software information security firm and Test Engineer just must reach the work purpose by the manual operation virtual machine when Malware is analyzed and tested, therefore, software information security firm is in this link cost lot of manpower and material resources.

Summary of the invention

In view of above content, be necessary to provide a kind of apocrypha analytical approach and system, can finish analysis automatically to apocrypha, improve the efficient of analyzing and testing apocrypha.

Embodiment of the present invention provides a kind of apocrypha analytical approach, comprising:

Read configuration file, described configuration file is the information relevant with apocrypha;

Obtain one or more apocryphas according to described configuration file;

Choosing wherein, an apocrypha is sent to virtual machine and moves the described apocrypha of choosing;

Behavioural characteristic when writing down described apocrypha and moving in described virtual machine also saves as daily record;

According to the described apocrypha of the log analysis of described record and export analysis result;

Judge whether other apocryphas in addition, be, then recover described virtual machine to original state if be judged as.

Embodiment of the present invention also provides a kind of apocrypha analytic system, comprising:

Profile module is used to store described configuration file,, described configuration file is the information relevant with apocrypha;

The file acquisition module is used for obtaining one or more apocryphas from described profile module, and described configuration file is the information relevant with apocrypha;

The virtual machine module is used to move the apocrypha of described transmission, and the behavioural characteristic when writing down described apocrypha and moving in described virtual machine also saves as daily record;

Analysis module is used for according to the described apocrypha of the log analysis of described record and exports analysis result;

Judge module, be used to judge whether described file acquisition module also has other apocryphas that do not transmit, if be judged as be, then notify described virtual machine module that described virtual machine is returned to original state, and notify described file acquisition module to transmit next apocrypha to described virtual machine.

The embodiment of the invention is sent to described virtual machine automatically with described one or more apocryphas, by monitoring and analyzing the behavioural characteristic of apocrypha when virtual machine moves and export analysis result automatically, can analyze apocrypha automatically and export analysis result, improve analysis efficiency, saved time and human cost.

Description of drawings

In order to be illustrated more clearly in the embodiment of the invention or technical scheme of the prior art, to do one to the accompanying drawing of required use in embodiment or the description of the Prior Art below introduces simply, apparently, accompanying drawing in describing below only is some embodiments of the present invention, for those of ordinary skills, under the prerequisite of not paying creative work, can also obtain other accompanying drawing according to these accompanying drawings.

Fig. 1 is the schematic flow sheet of embodiment of the invention apocrypha analytical approach;

Fig. 2 is the structural representation of the embodiment of the invention one apocrypha analytic system;

Fig. 3 is the structural representation of the embodiment of the invention two apocrypha analytic systems.

Embodiment

In order to make purpose of the present invention, technical scheme and advantage clearer,, the present invention is further elaborated below in conjunction with drawings and the embodiments.Should be appreciated that embodiment described herein only in order to explanation the present invention, and be not used in qualification the present invention.

Please refer to Fig. 1, be the schematic flow sheet of embodiment of the invention apocrypha analytical approach, its step specifically comprises:

Step 10: read configuration file; Described configuration file is the information relevant with apocrypha of storage in advance, such as the path of apocrypha, be used for the custom rule information such as (step or the strategies that comprise the apocrypha analysis) that apocrypha is analyzed.Described configuration file can be made amendment according to actual needs, and the step that path position changes, apocrypha is analyzed of the apocrypha of placing such as reality or strategy need to adjust etc.

Step 12: obtain one or more apocryphas according to described configuration file, concrete, after reading described configuration file, according to the relevant information in the described configuration file, as the path of apocrypha, obtain one or more apocryphas from the path of apocrypha.During specific implementation, one or more apocryphas to be analyzed can be placed in advance the path position place of apocrypha in the described configuration file.

Step 14: choose an apocrypha and be sent to virtual machine and move the described apocrypha of choosing, but described virtual machine is processor, the internal memory of a simulated real system,, and the part of the hard disk of real system is modeled to the analogue means of own hard disk, the embodiment of the invention describes with the virtual machine instance of original state; Concrete, from the one or more apocryphas that obtain, choose an apocrypha by traversal or mode at random, be sent in the virtual machine that is in original state the described apocrypha of choosing and operation.The virtual machine that is in original state represents that promptly described virtual machine just has been created or initialization, is not infected by any rogue program, can create the virtual machine image of an original state during specific implementation.The virtual machine of described original state can be moved in advance, promptly move described apocrypha after sending etc. described apocrypha, after also can waiting described apocrypha to send, the virtual machine that starts described original state brings into operation, then move described apocrypha, the custom rule decision that the concrete steps order is analyzed by the apocrypha in the described configuration file by virtual machine.

Step 16: the behavioural characteristic when writing down described apocrypha and moving in described virtual machine also saves as daily record; Concrete, the postrun behavioural characteristic of present rogue program mainly contains: revise registration table (purpose allow own start self-starting next time), find it oneself is not just oneself to be copied to system directory at system directory (also can delete oneself then, prevent that the user from suspecting), also comprise by hanging system's hook, utilize malicious act features such as system vulnerability, long-range injection to obtain user's keyboard operation, to collect user profile.Behavioural characteristic when the described apocrypha of described virtual machine module monitors moves in virtual machine, and described behavioural characteristic is recorded as daily record, be kept in the logger module.

Step 18: according to the described apocrypha of the log analysis of described record and export analysis result; Concrete, can analyze according to custom rule, such as the behavioural characteristic in the daily record of described record is given a mark, as rogue program with oneself copying system directory to, revised certain specific registration table, having discharged other file (derivant) and all give a mark, according to the comparative result output analysis result of score value and pre-set threshold to system directory etc.In the present embodiment, then be judged to be rogue program, promptly export the analysis result that described apocrypha is the rogue program file when score value reaches the threshold value that sets in advance; If mark be zero or mark low then to export described apocrypha respectively be non-rogue program file or the analysis result that needs the slip-stick artist further to confirm; In addition, also the rogue program behavioural characteristic of storing in the daily record of described record and the rogue program database module can be compared, according to comparative result output analysis result.In the present embodiment, if the behavioural characteristic in the daily record of described record all conforms to the rogue program behavioural characteristic of storing in the described rogue program database module, then export the analysis result that described apocrypha is the rogue program file, as if not meeting or partly meeting, then exporting described apocrypha respectively is non-rogue program file or the analysis result that needs the further affirmation of slip-stick artist, concrete analysis rule can be self-defined according to user's needs, also can be determined by the custom rule that the apocrypha in the described configuration file is analyzed.

Step 20: judge whether other apocryphas in addition, concrete, behind the analysis result of the described apocrypha of step 18 output, judge whether other apocryphas that do not transmit in addition, be that then execution instep 22 if be judged as; If be judged as not, then finish the apocrypha analysis.

Step 22: recover described virtual machine to original state; Concrete, by the mode of recovering virtual machine image described virtual machine being returned to original state, execution in step S14 is to carry out the analysis of another apocrypha.

The embodiment of the invention is sent to described virtual machine automatically with described one or more apocryphas, by monitoring and analyzing the behavioural characteristic of apocrypha when virtual machine moves and export analysis result automatically, but the analysis apocrypha of automatic batch, improve analysis efficiency, saved time and human cost.

Please refer to Fig. 2, be the structural representation of the embodiment of the invention one apocrypha analytic system, described apocrypha analytic system comprisesprofile module 50,file acquisition module 52,virtual machine module 60,analysis module 54,virus database module 56 andjudge module 58.

Describedprofile module 50 is used for store configuration files, and described configuration file is the information relevant with apocrypha, as the path of apocrypha, be used for the custom rule information such as (comprising step or strategy that apocrypha is analyzed) that apocrypha is analyzed.

Describedfile acquisition module 52, be used for reading described configuration file from describedprofile module 50, obtain one or more apocryphas according to described configuration file, choose an apocrypha and be sent to the virtual machine in the describedvirtual machine module 60 and move the described apocrypha of choosing.Concrete, describedfile acquisition module 52 obtains prepositioned apocrypha according to the path of the apocrypha in the described configuration file, from the one or more apocryphas that obtain, choose an apocrypha by traversal or at random mode, the described apocrypha of choosing is sent in the describedvirtual machine module 60 one is in the virtual machine of original state and operation.

Describedvirtual machine module 60 is used to move the apocrypha of described transmission, and the behavioural characteristic when writing down described apocrypha and moving in described virtual machine also saves as daily record.The postrun behavioural characteristic of present rogue program mainly contains: revise registration table (purpose allow own start self-starting next time), find it oneself is not just oneself to be copied to system directory at system directory (also can delete oneself then, prevent that the user from suspecting), also comprise by hanging system's hook, utilize system vulnerability, long-range injection etc. to obtain user's keyboard operation, to collect user profile.Behavioural characteristic when the described apocrypha of described virtual machine module monitors moves in virtual machine, and described behavioural characteristic saved as daily record.

Describedvirus database module 56, behavioural characteristic when being used to store existing rogue program operation, as revise registration table, with self copy system directory to, hang system's hook, discharged drive or other file (derivant) to system directory, interception API (SSDT chain), ATTACH file (network, keyboard drive) etc.

Describedanalysis module 54 is used for according to the described apocrypha of the log analysis of described record and exports analysis result; Concrete, can analyze according to custom rule, such as the behavioural characteristic in the daily record of described record is given a mark, as rogue program with oneself copy system directory to, revised certain specific registration table, discharged drive or other file (derivant) to system directory, tackle API (SSDT chain), ATTACH file (network, keyboard drive) etc. and all give a mark, then be judged to be rogue program when score value reaches the threshold value that sets in advance, promptly export the analysis result that described apocrypha is the rogue program file; If mark be zero or mark low then to export described apocrypha respectively be non-rogue program file or the analysis result that needs the slip-stick artist further to confirm; In addition, also the rogue program behavioural characteristic of storage in the daily record of described record and the describedvirus database module 56 can be compared, if the behavioural characteristic of the log record of described record all conforms to the rogue program behavioural characteristic of storing in the described rogue program database module, then export the analysis result that described apocrypha is the rogue program file, as if not meeting or partly meeting, then exporting described apocrypha respectively is non-rogue program file or the analysis result that needs the further affirmation of slip-stick artist, concrete analysis rule can be self-defined according to user's needs, also can be determined by the custom rule that the apocrypha in the described configuration file is analyzed.

Describedjudge module 58, be used to judge whether to also have other apocryphas, concrete, behind the analysis result of the described apocrypha of describedanalysis module 54 outputs, describedjudge module 58 judges whether describedfile acquisition module 52 also has other apocryphas that do not transmit, if be judged as be, then notify describedvirtual machine module 60 that described virtual machine is returned to original state, and notify describedfile acquisition module 52 to transmit next apocrypha to described virtual machine; If be judged as not, then finish the apocrypha analysis.Describedjudge module 58 is provided with separately in the present embodiment, also can integrate with describedfile acquisition module 52 in specific implementation.

Configuration file described in the embodiment of the invention can be stored in describedfile acquisition module 52 in advance, does not promptly need to be provided with in addition describedprofile module 50.

The embodiment of the invention is sent to describedvirtual machine module 60 by describedfile acquisition module 52 automatically with described one or more apocryphas, by monitoring and analyzing the behavioural characteristic of apocrypha when virtual machine moves and export analysis result automatically by describedanalysis module 54, improve analysis efficiency, saved time and human cost.

Please refer to Fig. 3, be the structural representation of the embodiment of the invention two apocrypha analytic systems, describedvirtual machine module 60 that the difference of itself and the embodiment of the invention one has been concrete refinement.Describedvirtual machine module 60 comprises thatvirtual machine 62,monitor module 64,logger module 66 and virtual machine recovermodule 68.

Describedvirtual machine 62 after being used to receive the apocrypha of describedfile acquisition module 52 transmission, moves described apocrypha.Concrete, but describedvirtual machine 62 is processor, the internal memory of a simulated real system,, and the part of the hard disk of real system is modeled to the analogue means of own hard disk, can make described apocrypha operation time image the same when real system moves.

Describedmonitor module 64 is used for monitoring the behavioural characteristic of described apocrypha whenvirtual machine 62 operations;

Describedlogger module 66, be used for writing down apocrypha that describedmonitor module 64 monitors when described virtual machine operation behavioural characteristic and save as daily record.

Described virtual machine recoversmodule 68, is used for after describedjudge module 58 judges that describedfile acquisition module 52 also has the apocrypha that does not transmit describedvirtual machine 62 being returned to original state.

In specific implementation, describedvirtual machine module 60 has other module combinations forms, as can with as described inmonitor module 64 and as described in the function oflogger module 66 gather together, realize monitoring and writing down the function of behavioural characteristic with a module, the embodiment of the invention just is used for illustrating, with explanation the present invention, and be not used in qualification the present invention.

One of ordinary skill in the art will appreciate that all or part of step that realizes in the foregoing description method is to instruct relevant hardware to finish by program, described program can be stored in the computer read/write memory medium, and described storage medium is ROM/RAM, magnetic disc, CD etc.

The above; only for the preferable embodiment of the present invention, but protection scope of the present invention is not limited thereto, and anyly is familiar with those skilled in the art in the technical scope that the present invention discloses; the variation that can expect easily or replacement all should be encompassed within protection scope of the present invention.Therefore, protection scope of the present invention should be as the criterion with the protection domain of claim.

Claims

1. apocrypha analytical approach comprises:

Obtain one or more apocryphas according to described configuration file;

2. the method for claim 1, it is characterized in that: described configuration file comprises the path of described apocrypha, obtains one or more apocryphas according to the configuration file of storing in advance and is specially: obtain prepositioned one or more apocrypha from the path of described apocrypha.

3. the method for claim 1, it is characterized in that: described step is recovered described virtual machine after original state, execution in step: choosing wherein, an apocrypha is sent to virtual machine and moves the described apocrypha of choosing.

4. the method for claim 1, it is characterized in that: described step is according to the described apocrypha of the log analysis of described record and export analysis result and comprise: the behavioural characteristic in the daily record of described record is given a mark, according to the comparative result output analysis result of score value and pre-set threshold.

5. method as claimed in claim 4 is characterized in that: then be judged to be rogue program when score value reaches the threshold value that sets in advance, promptly export the analysis result that described apocrypha is the rogue program file; If mark be zero or mark low then to export described apocrypha respectively be non-rogue program file or the analysis result that needs the slip-stick artist further to confirm.

6. the method for claim 1, it is characterized in that: described step is according to the described apocrypha of the log analysis of described record and export analysis result and comprise: the rogue program behavioural characteristic of storing in the daily record of described record and the rogue program database module is compared, according to comparative result output analysis result.

7. method as claimed in claim 6, it is characterized in that: if the behavioural characteristic in the daily record of described record all conforms to the rogue program behavioural characteristic of storing in the described rogue program database module, then export the analysis result that described apocrypha is the rogue program file, as if not meeting or partly meet, then exporting described apocrypha respectively is non-rogue program file or the analysis result that needs the further affirmation of slip-stick artist.

8. apocrypha analytic system comprises:

The file acquisition module is used for obtaining one or more apocryphas from described profile module;

9. system as claimed in claim 8 is characterized in that: also comprise profile module, be used to store described configuration file, described file acquisition module reads described configuration file from described profile module.

10. system as claimed in claim 8 is characterized in that: described virtual machine module comprises:

Virtual machine is used to receive the described apocrypha of operation behind the apocrypha that described file acquisition module transmits;

Monitor module is used for monitoring the behavioural characteristic of described apocrypha when described virtual machine moves;

Logger module, be used for writing down apocrypha that described monitor module monitors when described virtual machine operation behavioural characteristic and save as daily record;

Virtual machine recovers module, is used for after described judge module judges that described file acquisition module also has the apocrypha that does not transmit described virtual machine being returned to original state.

11. system as claimed in claim 8 is characterized in that: described analysis module is given a mark to the behavioural characteristic in the daily record of described record, according to the comparative result output analysis result of score value and pre-set threshold.

12. system as claimed in claim 8, it is characterized in that: also comprise the virus database module, behavioural characteristic when being used to store existing rogue program operation, described analysis module compares the rogue program behavioural characteristic of storing in the daily record of described record and the described virus database module, according to comparative result output analysis result.