Detection method and system for cross comparison of malicious code of interior and exterior view based on virtual machine

A malicious code detection technique, applied in the field of malicious code behavior detection based on cross-comparison of the inside and outside views of a virtual machine. It addresses the complex logical relationships of malicious code, low detection accuracy, and the inability to fully obtain functional semantic information, and achieves the effect of improving detection accuracy.

CN102750475A | Active | Publication Date: 2012-10-24 | NO 30 INST OF CHINA ELECTRONIC TECH GRP CORP

Embodiment Construction

[0047] The malicious code behavior detection method of the present invention, based on cross-comparison of the inside and outside views of a virtual machine, is described in detail below with reference to Figures 1 to 6.

[0048] The technical solution of the present invention combines existing malicious code detection technology with virtual machine technology. A dynamic tracking detection method inside the virtual machine detects the execution flow of the malicious software and records its execution path. Then, from outside the virtual machine, the host system analyzes the raw memory data of the virtual machine, extracts all information about the malware in memory, and records the execution information. The information collected from the internal and external environments is then fed back to the detection and analysis engine, which analyzes the logical relationships in the behavioral data and determines whether the code is malicious by comparing ...
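A sketch of the inside/outside cross-comparison that paragraph [0048] describes, added here as an example and not taken from the patent. The record layouts, the function names and the decision rule are assumptions, since the patent's own comparison criterion is cut off on this page; the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TraceEvent:      # internal view: one event from the in-guest tracker (assumed layout)
    seq: int
    action: str        # "create" or "exit"
    kind: str          # "process", "module" or "socket"
    key: str           # constructed identifier, e.g. "pid:412"

@dataclass(frozen=True)
class MemObject:       # external view: object the host recovered from raw guest memory
    kind: str
    key: str

def live_set(trace):
    """Replay the in-guest trace to the objects it claims are still alive."""
    alive = set()
    for ev in sorted(trace, key=lambda e: e.seq):
        item = (ev.kind, ev.key)
        if ev.action == "create":
            alive.add(item)
        elif ev.action == "exit":
            alive.discard(item)   # exited objects must not count as discrepancies
    return alive

def cross_compare(trace, snapshot):
    """Return the disagreements between the two views, sorted for stable output."""
    inside = live_set(trace)
    outside = {(o.kind, o.key) for o in snapshot}
    hidden = [("hidden_from_guest", k, v) for k, v in sorted(outside - inside)]
    missing = [("missing_from_memory", k, v) for k, v in sorted(inside - outside)]
    return hidden + missing

def verdict(findings):
    """Assumed rule: anything concealed from the in-guest view marks the sample."""
    concealed = any(f[0] == "hidden_from_guest" for f in findings)
    return "suspicious" if concealed else "consistent"

# Constructed sample data, not from the patent.
TRACE = [
    TraceEvent(1, "create", "process", "pid:412"),
    TraceEvent(2, "create", "module", "pid:412/helper.dll"),
    TraceEvent(3, "create", "process", "pid:520"),
    TraceEvent(4, "exit", "process", "pid:520"),
    TraceEvent(5, "create", "process", "pid:600"),
]
SNAPSHOT = [
    MemObject("process", "pid:412"),
    MemObject("module", "pid:412/helper.dll"),
    MemObject("process", "pid:733"),   # present in memory, never seen from inside
]

if __name__ == "__main__":
    for finding in cross_compare(TRACE, SNAPSHOT):
        print(finding)
    print(verdict(cross_compare(TRACE, SNAPSHOT)))
```

An object reported inside but absent from the memory snapshot (`missing_from_memory`) can also be a timing artifact between the trace and the snapshot, so this sketch reports it without letting it drive the verdict.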

Abstract

The invention provides a detection method and system for cross comparison of malicious codes of an interior and exterior view based on a virtual machine. The method comprises the following steps: a virtual machine controller starts a virtual machine detector, sends the malicious codes of an analysis catalogue to the virtual machine detector, and controls the virtual machine detector; the virtual machine detector monitors the memory changes of the virtual machine while running the malicious codes, records the running trace, forms an original report, and sends the report to a comprehensive analyzer once the original report has been generated; and the comprehensive analyzer comprehensively analyzes the relations among behavior event attribute elements and the behavior text relations of the malicious sequence behavior recorded in the reports to analyze the malicious behaviors of changing the malicious codes. The method and system can acquire the operation behaviors of a virtual machine system by adopting a real-time multi-view dynamic behavior monitoring mode.

Description

Technical Field

[0001] The invention relates to virtual machine technology, and in particular to a method for detecting malicious code behavior based on cross-comparison of the internal and external views of a virtual machine.

Background Art

[0002] Malicious code analysis and detection methods currently fall into two main categories: static analysis and detection, and dynamic analysis and detection. Static analysis and detection uses analysis tools to examine the static characteristics and functional modules of malicious code without running it, and to find its characteristic strings and characteristic code segments, including communication characteristics, etc.

[0003] Static analysis has certain limitations: (1) Static analysis mainly analyzes the structural information of the target file, but cannot fully obtain functional semantic information, such as semantic information that includes multi...

Application Information

Patent Timeline: 24 Oct 2012, Publication of CN102750475A
IPC: G06F21/00; G06F9/455
Inventors: 张文政; 周安明