Method and device for detecting malicious flash files

A malicious-file detection technology, applied to computer security devices, instruments, and electronic digital data processing, that addresses the low coverage, high maintenance cost, and lack of real-time detection of existing approaches to malicious flash files.

Inactive Publication Date: 2012-07-25
BEIJING BAIDU NETCOM SCI & TECH CO LTD
Cites: 4, Cited by: 20

Problems solved by technology

[0005] 1) A virus analyst must analyze each file to determine whether it is malicious, which means that a huge virus database is maintained manually, at relatively high maintenance cost.
[0006] 2) The detection rate of malicious flash files depends on the collection coverage o


Examples


Embodiment 1

[0069] Figure 1 is the flow chart of the method for detecting malicious flash files using dynamic detection technology provided by Embodiment 1 of the present invention. As shown in Figure 1, the method specifically includes the following steps:

[0070] Step 101: through function hooks, collect the operation information of the flash file to be detected that generates shellcode.

[0071] Before this step there is a preparation stage: create a new browser (IE) control process and install function hooks inside the flash analysis engine so that the processing of certain functions of the flash analysis engine is taken over. Shellcode is code or filling data that exploits a specific vulnerability; generally it is sent as data to the server to cause an overflow. Here, functions that may generate shellcode operations are hooked, including at least one of the following: functions that generate memory read operations, such as the Date function and the Number function, ...

Embodiment 2

[0093] Figure 2 is the flow chart of the method combining static detection technology and dynamic detection technology provided by Embodiment 2 of the present invention. As shown in Figure 2, the method may include the following steps:

[0094] Step 201: Obtain the flash file to be detected, and match the flash file to be detected with the existing virus database. If they match, directly determine that the flash file to be detected is a malicious flash file, otherwise continue to step 202.

[0095] The existing virus database in the present invention may be a virus database established in an existing manner, or may be a virus database updated by using a malicious flash file detected in Embodiment 1 or Embodiment 2 of the present invention.

[0096] When matching the flash file to be detected against the existing virus database, a hash calculation can be used, for example calculating the MD5 hash value of the flash file to be detected and then using the calculated MD5 hash v...

Embodiment 3

[0116] Figure 3 is a schematic structural diagram of the dynamic detection module provided by Embodiment 3 of the present invention. As shown in Figure 3, the dynamic detection module 300 may include: an operation information collection unit 301, an information judgment unit 302, a legality detection unit 303 and an injection characteristic detection unit 304.

[0117] The operation information collection unit 301 collects, through the function hooks, the operation information of the flash file to be detected that generates shellcode. The operations that generate shellcode may include at least one of the following functions: functions that generate memory read operations, such as the Date function and the Number function, and functions that generate memory write operations, such as the ByteArray function and the String function.

[0118] The information judgment unit 302 is used to judge the collected operation information that generates shellcode: if it is the function operation info...
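The two-stage pipeline described in Embodiments 1 through 3 (MD5 lookup against the virus database, then routing each hooked operation to a parameter-legality check or an injected-memory check), as an added simulation that is not code from the patent or from its applicant. The hooked operations are constructed records rather than output of a real flash analysis engine, and the two heuristics (an implausibly large Date/Number argument; a large written buffer built from very few distinct byte values) are assumptions standing in for the checks the patent leaves unspecified:

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Function families the patent names as hook targets ([0117]).
MEMORY_READ_FUNCS = {"Date", "Number"}
MEMORY_WRITE_FUNCS = {"ByteArray", "String"}

# Illustrative thresholds (assumptions, not values from the patent).
MAX_PLAUSIBLE_ARG = 2 ** 41   # a Date/Number argument beyond this is treated as illegal
MIN_FILLER_LEN = 4096         # written buffers at least this long are examined
MAX_DISTINCT_BYTES = 4        # ...and flagged if built from this few byte values


@dataclass
class HookedOperation:
    """One record the function hook would emit (constructed for this example)."""
    func: str
    args: list = field(default_factory=list)
    written: bytes = b""      # payload for memory-write functions


@dataclass
class Verdict:
    malicious: bool
    stage: str
    reason: str


def static_match(flash_bytes: bytes, virus_db: Set[str]) -> bool:
    """Step 201: compare the file's MD5 with the known-malicious database."""
    return hashlib.md5(flash_bytes).hexdigest() in virus_db


def read_params_illegal(op: HookedOperation) -> Optional[str]:
    """Unit 303: legality check on a memory-read function's call parameters.
    Assumed heuristic: a numeric argument outside what Date/Number plausibly
    receives is treated as illegal."""
    for a in op.args:
        if isinstance(a, (int, float)) and not (0 <= a <= MAX_PLAUSIBLE_ARG):
            return f"{op.func} called with implausible argument {a!r}"
    return None


def write_looks_injected(op: HookedOperation) -> Optional[str]:
    """Unit 304: injection check on the memory a write function filled.
    Assumed heuristic: a large buffer made of very few distinct byte values
    is filler rather than ordinary data."""
    data = op.written
    distinct = len(set(data))
    if len(data) >= MIN_FILLER_LEN and distinct <= MAX_DISTINCT_BYTES:
        return f"{op.func} wrote {len(data)} bytes using only {distinct} distinct values"
    return None


def dynamic_detect(ops: List[HookedOperation]) -> Verdict:
    """Units 301-304: route each hooked operation by category and apply its check."""
    for op in ops:
        if op.func in MEMORY_READ_FUNCS:
            reason = read_params_illegal(op)
            if reason:
                return Verdict(True, "dynamic/read", reason)
        elif op.func in MEMORY_WRITE_FUNCS:
            reason = write_looks_injected(op)
            if reason:
                return Verdict(True, "dynamic/write", reason)
    return Verdict(False, "dynamic", "no illegal read parameters or injected writes")


def detect(flash_bytes: bytes, ops: List[HookedOperation], virus_db: Set[str]) -> Verdict:
    """Embodiment 2: static match first, then dynamic detection; a dynamic hit
    is fed back into the database, as [0095] allows."""
    if static_match(flash_bytes, virus_db):
        return Verdict(True, "static", "MD5 matched virus database")
    verdict = dynamic_detect(ops)
    if verdict.malicious:
        virus_db.add(hashlib.md5(flash_bytes).hexdigest())
    return verdict


# Constructed sample traces standing in for real hook output.
BENIGN_OPS = [
    HookedOperation("Date", args=[1_340_000_000_000]),
    HookedOperation("String", written=b"hello, world"),
]
FILLER_OPS = [
    HookedOperation("Number", args=[42]),
    HookedOperation("ByteArray", written=bytes([0x41, 0x41]) * 8192),
]

if __name__ == "__main__":
    db: Set[str] = set()
    print(detect(b"benign.swf", BENIGN_OPS, db))
    print(detect(b"suspect.swf", FILLER_OPS, db))
    print(detect(b"suspect.swf", [], db))   # second sighting is caught by the static stage
```

The feedback step in `detect` is what lets the static stage grow without analyst involvement: once the dynamic checks flag a file, its hash joins the database and the same file is matched on the next encounter without rerunning the hooked engine.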

Abstract

The invention provides a method and a device for detecting malicious flash files. The method for detecting malicious flash files includes: collecting, through function hooks, the operation information of flash files to be detected that generates shellcode; executing different detection operations according to whether the function operation information generates a memory read operation or a memory write operation; performing legality detection on the call parameters of function operations that generate memory read operations, and performing injection attack detection on the effective memory space of functions that generate memory write operations; and determining accordingly whether the flash files to be detected are malicious. With this dynamic detection, malicious flash files can be detected automatically without manual involvement or maintenance of a virus database, so maintenance cost is greatly reduced and coverage is increased. Further, whether any flash file to be detected is malicious can be determined without depending on a pre-collected virus database, which solves the problem of detection lag.

Description

【Technical field】 [0001] The invention relates to the technical field of computer security, in particular to a method and device for detecting malicious flash files. 【Background technique】 [0002] With the continuous development of computer technology, computer networks have become the main tool by which people obtain information, and the demand for computer security technology has grown accordingly. Computer viruses, Trojan horses, spyware and malicious code have been the main security threats faced by computer networks in recent years. Among them, Trojan planting ("hanging horses") through malicious flash files has recently become a popular technique, that is, spreading Trojans through flash files. [0003] The existing way to detect malicious flash files is static detection based on static features. Antivirus software vendors monitor abnormal code execution in the browser through the client in advance, collect the relevant suspicious flash files, and analyze an...


Application Information

IPC(8): G06F21/00, G06F21/56
Inventor 黄正
Owner BEIJING BAIDU NETCOM SCI & TECH CO LTD