Flash malicious file detection method and flash malicious file detection device

A malicious file detection method, applied in the field of data security, which addresses the low efficiency and low precision of flash file detection and achieves accurate identification and detection of malicious flash files with improved accuracy and efficiency.

Active Publication Date: 2012-07-18
BEIJING QIHOO TECH CO LTD


Problems solved by technology

[0004] The technical problem to be solved by this application is to provide a flash malicious file detection method and device that overcome the low efficiency and low precision of flash file detection.



Examples


Embodiment 1

[0051] Refer to figure 1, which shows the first embodiment of the flash malicious file detection method of the present application, comprising the following steps:

[0052] Step 101, analyze the flash file, and extract the bytecode of the virtual machine therein.

[0053] The flash file is composed of tags: a frame in the flash consists of tags containing graphic data, tags containing audio data, and tags containing ActionScript code. ActionScript is a programming language for the Adobe Flash Player runtime environment that follows the fourth edition of ECMAScript; it implements interactivity, data processing and other functions in flash content and applications. Adobe Flash Player has a built-in AVM virtual machine, which converts the ActionScript bytecode (ActionScript Byte Code) in the flash file into the corresponding instructions for each platform before running it.

[0054] When parsing the fla...

example 1

[0069] Example 1: Assume that pre-analysis shows that the int-type characteristic bytecode "0x90909090" basically does not occur in normal flash files, but that, because of special code-writing requirements, this characteristic bytecode occurs a very large number of times in malicious flash files. Then "0x90909090" can be used as a parameter, a threshold set for its number of occurrences, and the following judgment function written:

[0070]

[0071] This section of source code counts the number of occurrences of int-type parameters equal to 0x90909090 in the virtual machine bytecode of the flash file to be detected. When such parameters occur more times than the threshold value, a virtual machine bytecode feature is matched and the flash file to be detected is considered a malicious file.

example 2

[0072] Example 2: The key strings in a malicious flash file are often encrypted with XOR (exclusive OR), so the encryption method can be incorporated into the judgment function to realize the judgment. The specific judgment function written is as follows:

[0073]

[0074]

[0075] This piece of source code converts a string that executes a malicious command into 256 XOR (exclusive OR) encrypted strings, which can match the encrypted malicious commands that often appear in malicious flash files: as long as the malicious command matches any one of the 256 strings, the flash file can be judged to be a malicious file, which improves the accuracy of the detection result. There is no misjudgment depending on whether or not encryption was used. At the same time, a single judgment function suffices, without adding multiple functions for multiple judgments, which saves detection time and space.
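The two judgment functions of Example 1 and Example 2, as an added illustration that is not the patent's own source code: the bytecode is modelled as a constructed list of (opcode, int operand) tuples rather than the real ABC format, the opcode name "pushint", the threshold of 3, the placeholder command and the XOR key 0x5A are all assumptions made for the example.

```python
from typing import Iterable, List, Optional, Tuple

# Simplified model of an AVM instruction: (opcode name, int operand or None).
# Constructed stand-in for the extracted bytecode, not the real ABC format.
Instruction = Tuple[str, Optional[int]]

SUSPICIOUS_INT = 0x90909090  # characteristic int parameter from Example 1
INT_THRESHOLD = 3            # occurrence threshold, chosen for this example

def count_int_parameter(bytecode: Iterable[Instruction], value: int) -> int:
    """Count instructions that push an int parameter equal to `value`."""
    return sum(1 for opcode, operand in bytecode
               if opcode == "pushint" and operand == value)

def matches_int_feature(bytecode: Iterable[Instruction],
                        value: int = SUSPICIOUS_INT,
                        threshold: int = INT_THRESHOLD) -> bool:
    """Example 1: the feature matches when the count exceeds the threshold."""
    return count_int_parameter(bytecode, value) > threshold

def xor_variants(command: bytes) -> List[bytes]:
    """Example 2: the command encrypted with every single-byte XOR key.
    Key 0 yields the plaintext, so unencrypted commands are covered too."""
    return [bytes(b ^ key for b in command) for key in range(256)]

def find_xor_command(data: bytes, command: bytes) -> Optional[int]:
    """Return the XOR key under which `command` occurs in `data`, else None."""
    for key, variant in enumerate(xor_variants(command)):
        if variant in data:
            return key
    return None

def is_malicious(bytecode: List[Instruction], strings: bytes,
                 command: bytes) -> bool:
    """A single judgment combining both features: either one flags the file."""
    return (matches_int_feature(bytecode)
            or find_xor_command(strings, command) is not None)

# Constructed sample input: four suspicious pushint instructions, and a string
# pool holding a placeholder command XOR-encrypted with key 0x5A.
SAMPLE_BYTECODE: List[Instruction] = [
    ("getlocal0", None), ("pushint", 0x90909090), ("pushint", 0x90909090),
    ("pushint", 42), ("pushint", 0x90909090), ("pushint", 0x90909090),
]
SAMPLE_COMMAND = b"PLACEHOLDER-COMMAND"
SAMPLE_STRINGS = b"\x00hello\x00" + bytes(b ^ 0x5A for b in SAMPLE_COMMAND) + b"\x00"

if __name__ == "__main__":
    print(is_malicious(SAMPLE_BYTECODE, SAMPLE_STRINGS, SAMPLE_COMMAND))  # True
```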

[0076] Refer to figure 2, showing Embodiment 1 of an apparat...


Abstract

The invention provides a flash malicious file detection method, which includes the steps of: analyzing a flash file and extracting the virtual machine bytecode from it; matching the virtual machine bytecode against characteristic bytecodes; counting the occurrences of the virtual machine bytecode if it matches a characteristic bytecode; and determining the flash file to be a malicious file if the count exceeds a threshold value. The invention further provides a flash malicious file detection device for implementing the method. With this flash malicious file detection method and device, high detection efficiency and high detection precision are achieved.

Description

Technical field

[0001] The present application relates to the technical field of data security, in particular to a method and device for detecting flash malicious files.

Background technique

[0002] Adobe Flash Player can play various image files such as short multimedia animations, interactive animations and flying signs, and is widely used in browsers on operating systems and some mobile devices. Therefore Adobe Flash Player is also exploited by some malicious program publishers, who add malicious files to flash files by exploiting its own vulnerabilities. When users play these flash files, they automatically download executable malicious files, which then actively connect to the Internet to download other malicious programs such as viruses and Trojan horses, eventually causing the computer system to be completely controlled and seriously threatening the system and information security of computer users.

[0003] At present, a common antivirus method for flash files...

Claims


Application Information

Patent Type & Authority Applications(China)
IPC IPC(8): G06F21/00G06F21/56
Inventor 宋申雷张聪
Owner BEIJING QIHOO TECH CO LTD