Mining method and system for malicious code hiding behaviors

A malicious-code behavior analysis technology, applied in the field of network security, that addresses the lack of effective, active methods for discovering the hidden behavior of malicious code, the inability to analyze such code effectively, and the inability to analyze the paths of hidden malicious behavior, thereby improving the capability to analyze and mine hidden behavior.

Active Publication Date: 2014-05-21
INST OF INFORMATION ENG CHINESE ACAD OF SCI

AI Technical Summary

Problems solved by technology

The main problems with current methods for analyzing malicious code hiding behavior are: dynamic analysis only observes the behavior of the malicious code during a limited execution window, so delayed hidden behavior is easily missed; the dynamic analysis process can only examine the behavior currently being executed, so hidden malicious behavior paths that appear only under certain conditions cannot be analyzed effectively, nor can malicious code that probes its operating environment and conditions in order to hide its malicious behavior; and most dynamic analysis is passive tracking, lacking an effective, active method for exploring the hidden behavior of malicious code.


Embodiment Construction

[0035] The present invention will be further described below through specific embodiments and accompanying drawings.

[0036] As shown in Figure 1, the malicious code hiding behavior mining method of the present invention comprises the following steps:

[0037] 1. Monitor and record the instruction information and function information produced during the dynamic execution of the malicious code.

[0038] The invention uses a hardware emulator to run the malicious code under analysis dynamically in a virtual operating system, and monitors and records the instructions and function information executed by the malicious code in the emulator. Instruction monitoring disassembles the instructions one by one in the emulator's intermediate translation module and records the corresponding instruction information. Function information monitoring calculates the corresponding function call address by identifying the system data structures in the virtu...


Abstract

The invention relates to a mining method and system for malicious code hiding behaviors. The method comprises the following steps: the malicious code is run in a virtual environment; the instruction information and function information executed by the malicious code are examined to judge whether they contain instructions and functions related to hiding behavior routes; if execution information related to time-delay hiding is detected, the corresponding delay behavior is ended so that the malicious code continues to execute its subsequent instructions and functions; if execution information related to conditional-judgment hiding is detected, the execution information is classified according to the conditional judgment, and the possible execution routes of the malicious code are mined by satisfying the execution conditions of the different routes; finally, the various behavior route information obtained from the analyzed execution of the malicious code is used to generate a malicious code behavior route tree. Malicious code hiding behaviors that evade analysis by means of time-delay hiding and conditional-judgment hiding can thus be mined effectively, the various hidden behavior routes that may exist are found, and the capacity for analyzing and mining malicious code hiding behaviors is improved.
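A toy illustration of the two mining steps the abstract describes (ending delay behaviors and forking conditional judgments into their possible routes, then collecting the result as a behavior route tree), written as an added example and not code from the patent; the instruction format, the sample program, and the condition and behavior names are constructed for the demonstration.

```python
from dataclasses import dataclass, field
# Constructed toy program (hypothetical format, not the patent's): ("call", name) is an
# observable behaviour, ("sleep", ms) a time-delay hiding primitive, ("jcond", cond, target)
# a conditional-judgment hiding branch taken when cond holds, ("halt",) the end of execution.
SAMPLE_PROGRAM = [
    ("call", "init"),                    # 0
    ("sleep", 600000),                   # 1  wait 10 min so a short dynamic run sees nothing
    ("jcond", "is_debugger", 6),         # 2  stay benign when an analysis environment is detected
    ("jcond", "date_after_2014_06", 8),  # 3  act only after a trigger date
    ("call", "benign_cleanup"),          # 4
    ("halt",),                           # 5
    ("call", "exit_quietly"),            # 6
    ("halt",),                           # 7
    ("call", "drop_payload"),            # 8
    ("call", "connect_c2"),              # 9
    ("halt",),                           # 10
]
@dataclass
class RouteNode:
    label: str
    children: list = field(default_factory=list)
def mine_routes(program, pc=0, assumptions=None, budget=200):
    """Route tree from pc: end delays at once, fork each new conditional both ways,
    keep a condition already decided on this route consistent; budget bounds loops."""
    assumptions = dict(assumptions or {})
    root = cur = RouteNode("start" if pc == 0 else f"pc={pc}")
    while budget > 0:
        budget -= 1
        op = program[pc]
        if op[0] == "call":
            cur.children.append(RouteNode(op[1])); cur = cur.children[-1]; pc += 1
        elif op[0] == "sleep":  # end the delay behaviour instead of waiting it out
            cur.children.append(RouteNode(f"delay-skipped({op[1]}ms)")); cur = cur.children[-1]; pc += 1
        elif op[0] == "halt":
            cur.children.append(RouteNode("halt")); return root
        elif op[0] == "jcond":
            cond, target = op[1], op[2]
            if cond in assumptions:  # already decided on this route: just follow it
                pc = target if assumptions[cond] else pc + 1
                continue
            for value, nxt in ((True, target), (False, pc + 1)):
                branch = mine_routes(program, nxt, {**assumptions, cond: value}, budget)
                branch.label = f"{cond}={value}"
                cur.children.append(branch)
            return root
    cur.children.append(RouteNode("budget-exhausted")); return root  # loop bound reached

def routes(node, prefix=()):
    path = prefix + (node.label,)  # flatten the tree into every root-to-leaf behaviour route
    return [path] if not node.children else [p for c in node.children for p in routes(c, path)]
```

A plain dynamic run of this program would stop at the ten-minute sleep and, under a debugger, only ever reach `exit_quietly`; the mined tree exposes all three routes, including the one gated on the trigger date.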

Description

Technical field

[0001] The invention belongs to the technical field of network security, and in particular relates to a method and system for mining malicious code hiding behaviors.

Background technique

[0002] With the continuous advance of informatization and the continuous development of technology, malicious code technology, one of its major threats, is also constantly improving. In order to evade analysis and detection, the hiding ability, mutation ability and survivability of malicious code are constantly increasing. Malicious code hides some of its harmful behaviors through various technical means, so that ordinary analysis and detection tools cannot detect its malicious behaviors in time, allowing it to cause damage when it chooses to and threatening the security of the Internet and computer systems.

[0003] At present, the means by which malicious code hides itself mainly include: (1) hiding its traces in the system, such as process information and so on. (2) It conta...


Application Information

Patent Timeline
Patent Type & Authority: Applications (China)
IPC(8): G06F21/56
CPC: G06F21/566
Inventors: 王蕊, 林子敏, 张道娟
Owner INST OF INFORMATION ENG CHINESE ACAD OF SCI