Detection method and system for cross comparison of malicious code of interior and exterior view based on virtual machine

Abstract

The invention provides a detection method and system for cross comparison of malicious codes of an interior and exterior view based on a virtual machine.The method comprises the following steps that: a virtual machine controller starts a virtual machine detector, sends malicious codes of an analysis catalogue to the virtual machine detector and controls the virtual machine detector; the virtual machine detector monitors the memory change of the virtual machine while running the malicious codes, records the running trace, forms an original report, and then sends the report to a comprehensive analyzer after the original report generation is finished; and the comprehensive analyzer comprehensively analyzes the relation of behavior event attribute elements and behavior text relation of the malicious sequence behavior recorded by the reports to analyze the malicious behaviors of changing the malicious codes. The method and system can acquire operation behaviors of a virtual machine system by adopting a real-time multi-view dynamic behavior monitoring mode.

Description

technical field [0001] The invention relates to virtual machine technology, in particular to a method for detecting malicious code behavior based on cross-comparison of internal and external views of a virtual machine. Background technique [0002] Malicious code analysis and detection methods, for now, are mainly divided into two methods: static analysis and detection and dynamic analysis and detection. The static analysis detection method refers to the use of analysis tools to analyze the static characteristics and functional modules of malicious codes without running malicious codes, and find the characteristic strings of malicious codes, characteristic code segments of malicious codes, including communication characteristics, etc. [0003] Static analysis has certain limitations: (1) Static analysis mainly analyzes the structural information of the target file, but cannot fully obtain functional semantic information, such as those semantic information that includes multi...

AI Technical Summary

Problems solved by technology

[0003] Static analysis has certain limitations: (1) Static analysis mainly analyzes the structural information of the target file, but cannot fully obtain functional semantic information, such as those semantic information that includes multiple components working together. Runtime analysis can well capture the runtime (2) For code or data obfuscation methods, such as encryption, packing, polymorphism, etc., static analysis is often powerless, and runtime analysis can avoid dealing with these complicated obfuscation methods, because during dynamic execution, Taking encryption as an example, the process itself will decrypt the instruction execution

[0006] The dynamic tracking method is a technology to analyze the function of the malicious code by tracking the system functions and instruction characteristics used in the execution of the malicious code. At present, most of the mainstream security defense technol

Images