Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

Dynamic malicious software detection method based on virtual machine and sensitive Native application programming interface (API) calling perception

A malware and dynamic detection technology, applied in computer security devices, instruments, electronic digital data processing, etc., can solve the problems of low false alarm rate and false alarm rate, static detection method is difficult to detect malware, and the accuracy rate is reduced. , to achieve the effect of high detection accuracy

Inactive Publication Date: 2011-04-27
SICHUAN UNIV
View PDF6 Cites 70 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

[0005] First, the static detection method has fast detection speed, low false alarm rate and false alarm rate, but is easily affected by evasion techniques such as polymorphism, deformation, confusion, and packing.
The binary code and disassembled code of the packed malware have changed a lot, and the features used to detect it have also changed, which makes the detection accuracy drop. If the malware is detected after unpacking , the detection time of each file will be lengthened, and under the influence of anti-packing technology, general-purpose unpacking software cannot automatically unpack all malicious software.
Malware that uses polymorphism and deformation technology dynamically and randomly changes the binary code every time it spreads, and has no fixed characteristics. Static detection methods are difficult to detect this kind of malware
[0006] Second, the heuristic detection method based on code emulation is not affected by evasion techniques such as polymorphism, deformation, obfuscation, and packing. It was a relatively effective malware detection method in the early days, but with the evolution of malware technology , many malware already have anti-virtualization, anti-debugging, and anti-tracking capabilities. If the malware detects that it is running in an emulation environment, it will hide its malicious behavior, which makes the accuracy of heuristic detection based on code emulation not high. and take longer
[0007] Third, the heuristic-based method utilizes some rules and patterns. As malware developers become familiar with these rules and patterns, newly emerging malware will have some countermeasures, making the heuristic method unable to detect these malware

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Dynamic malicious software detection method based on virtual machine and sensitive Native application programming interface (API) calling perception
  • Dynamic malicious software detection method based on virtual machine and sensitive Native application programming interface (API) calling perception
  • Dynamic malicious software detection method based on virtual machine and sensitive Native application programming interface (API) calling perception

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0032] Detection model and basic idea:

[0033] The idea on which the present invention is based is that malicious software must have some special functions, which makes the behavior of malicious software different from ordinary programs. Therefore, the behavior of the monitoring program can be used as a feasible method to judge whether the program is malicious software. Malware differs from normal programs mainly in that it performs some special actions to spread and damage the system. Whether it is binary executable virus, script virus or macro virus, they are all programs, which need to call various functions provided by the operating system to achieve the purpose of propagating itself and destroying the system. Various malicious behaviors of malware are manifested as various API calls in the implementation code. If the API calls corresponding to these behaviors can be detected, the corresponding dynamic behaviors have been detected. Therefore, it is an effective method t...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention discloses a dynamic malicious software detection method based on a virtual machine and sensitive Native application programming interface (API) calling perception. The method consists of three parts, namely a Xen secondary development-based analysis and detection environment, a monitoring control program, and a training learning and detection program of a malicious software classifier. A detection model is divided into a training stage and a detection stage, wherein the training stage comprises the following steps of: executing a sample set file in a clean analysis environment for fixed length time, acquiring Native API calling frequencies of process behavior, privilege behavior, memory behavior, registry behavior, file behavior and network behavior of the sample set file, and training the classifier by using the data; and the detection stage comprises the following steps of: executing files to be checked, counting the Native API calling frequencies of six sensitive behaviors in the fixed length time, and classifying the detected files by using the trained classifier to obtain classification results which are malicious software or normal files. The method is still effective for the malicious software with anti-virtual, anti-debugging and anti-tracking capabilities.

Description

technical field [0001] The invention relates to a malicious software detection method in information security, which can detect known and unknown malicious software after being trained by a limited training set. Background technique [0002] According to the monitoring data of Kingsoft Internet Security Global Anti-Virus Monitoring Center, as of June 30, 2008, in the first half of 2008, Kingsoft Antivirus intercepted 1,242,244 new viruses and Trojan horses, an increase of 338% compared with the total number of viruses and Trojan horses in 2007. . The number of computer malicious software has increased sharply, its transmission channels are diversified, and its ability to resist anti-virus software is strong. Computer malicious software has become the biggest security threat to the Internet and the majority of computer users. [0003] Traditional malware detection is mainly based on signature scanning detection technology. It uses characteristic byte sequences (such as stri...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
IPC IPC(8): G06F21/00G06F21/53
Inventor 王俊峰白金荣黄敏桓唐剑佘春东
Owner SICHUAN UNIV
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic, Popular Technical Reports.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap|About US| Contact US: help@patsnap.com