Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

Detection method and system for cross comparison of malicious code of interior and exterior view based on virtual machine

A malicious code and detection method technology, which is applied in the field of malicious code behavior detection based on the cross-comparison of inside and outside views of a virtual machine, can solve the problems of complex logical relationship of malicious code, low detection accuracy, and inability to fully obtain functional semantic information, etc., to achieve The effect of improving detection accuracy

Active Publication Date: 2012-10-24
NO 30 INST OF CHINA ELECTRONIC TECH GRP CORP
View PDF2 Cites 38 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

[0003] Static analysis has certain limitations: (1) Static analysis mainly analyzes the structural information of the target file, but cannot fully obtain functional semantic information, such as those semantic information that includes multiple components working together. Runtime analysis can well capture the runtime (2) For code or data obfuscation methods, such as encryption, packing, polymorphism, etc., static analysis is often powerless, and runtime analysis can avoid dealing with these complicated obfuscation methods, because during dynamic execution, Taking encryption as an example, the process itself will decrypt the instruction execution
[0006] The dynamic tracking method is a technology to analyze the function of the malicious code by tracking the system functions and instruction characteristics used in the execution of the malicious code. At present, most of the mainstream security defense technologies mainly use the dynamic tracking method to realize the detection of malware, that is, The well-known active defense technology and the malware analysis technology for virtual machines were first studied abroad. At present, domestic research on this has gradually begun to rise. Most of the applications are based on the detection of malicious code in the virtual machine environment. Run, and then dynamically monitor and track the path of its code execution to determine whether it meets the conditions of its malware, that is, the commonly used dynamic tracking method to detect, cannot effectively detect kernel-level Rootkit malicious code, and the detection accuracy is not high
In addition, the design of malicious codes nowadays tends to be component-based, and the behavioral characteristics of malicious codes present complex logical relationships, and a single detection method also has certain limitations.

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Detection method and system for cross comparison of malicious code of interior and exterior view based on virtual machine
  • Detection method and system for cross comparison of malicious code of interior and exterior view based on virtual machine
  • Detection method and system for cross comparison of malicious code of interior and exterior view based on virtual machine

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0047] Below, refer to the attached Figure 1~6 Describe in detail the malicious code behavior detection method based on the cross-comparison of the inside and outside views of the virtual machine of the present invention.

[0048] The technical solution of the present invention is: combining the existing malicious code detection technology and virtual machine technology, by using the dynamic tracking detection method inside the virtual machine, detecting the execution flow of malicious software, and recording the execution path, and then from the outside of the virtual machine , analyze the raw memory data of the virtual machine through the host system, extract all information about malware in the memory, and record the execution information. Then feed back the information collected from the internal and external environment to the detection and analysis engine to analyze the logical relationship of the behavioral data, and determine whether it is malicious code by comparing ...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention provides a detection method and system for cross comparison of malicious codes of an interior and exterior view based on a virtual machine.The method comprises the following steps that: a virtual machine controller starts a virtual machine detector, sends malicious codes of an analysis catalogue to the virtual machine detector and controls the virtual machine detector; the virtual machine detector monitors the memory change of the virtual machine while running the malicious codes, records the running trace, forms an original report, and then sends the report to a comprehensive analyzer after the original report generation is finished; and the comprehensive analyzer comprehensively analyzes the relation of behavior event attribute elements and behavior text relation of the malicious sequence behavior recorded by the reports to analyze the malicious behaviors of changing the malicious codes. The method and system can acquire operation behaviors of a virtual machine system by adopting a real-time multi-view dynamic behavior monitoring mode.

Description

technical field [0001] The invention relates to virtual machine technology, in particular to a method for detecting malicious code behavior based on cross-comparison of internal and external views of a virtual machine. Background technique [0002] Malicious code analysis and detection methods, for now, are mainly divided into two methods: static analysis and detection and dynamic analysis and detection. The static analysis detection method refers to the use of analysis tools to analyze the static characteristics and functional modules of malicious codes without running malicious codes, and find the characteristic strings of malicious codes, characteristic code segments of malicious codes, including communication characteristics, etc. [0003] Static analysis has certain limitations: (1) Static analysis mainly analyzes the structural information of the target file, but cannot fully obtain functional semantic information, such as those semantic information that includes multi...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
IPC IPC(8): G06F21/00G06F9/455
Inventor 张文政周安明祝世雄刘嘉勇董新锋赵伟
Owner NO 30 INST OF CHINA ELECTRONIC TECH GRP CORP
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic, Popular Technical Reports.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap|About US| Contact US: help@patsnap.com