Malicious program detection method based on function characteristics

A malicious program detection technique in the field of identifying and detecting malicious programs. It addresses the failure of API-based detection mechanisms (which can be defeated by DLL replacement and hooking) and the wrong detection results and false negatives that follow from that failure.

Publication date: 2014-07-09 (status: inactive)
NANJING UNIV
Cites: 4 | Cited by: 17

Problems solved by technology

Therefore, the API-based detection mechanism is no longer effective, producing wrong detection results and false negatives: the replaced or hooked code is what actually executes, but the API-level view the detector relies on no longer reflects it.



Embodiment Construction

[0020] The present invention is described in detail below with reference to the accompanying drawings.

[0021] Figure 1 shows the overall flow and working principle of the method. The malicious program sample set is a collection of malicious program samples gathered for training, already named and classified according to a standard scheme. A program under inspection is an unknown application whose nature is still to be determined. Training proceeds as follows: select samples from the malicious program sample set, manually pick out their performance functions (the functions closely related to malicious behavior), extract function features from those functions, and add the features to the feature library; when training ends, the malicious program feature library is established. Detection proceeds as follows: extract all functions of the program under inspection; after preprocessing, deobfuscation, conditional-statement and loop-statement processing, and nested-call processing, their function feature set is obtained. Compare the function features of...



Abstract

The invention provides a malicious program detection method based on function characteristics. The method comprises: (1) selection of the performance functions of malicious programs: selecting malicious program samples, disassembling them, analyzing them manually, and designating the functions closely related to malicious behavior as performance functions; (2) extraction of function characteristics: processing the function bodies of those functions, removing interference instructions, identifying conditional judgment statements and loop statements, and converting all statements into an equivalent canonical form that serves as the function characteristic; (3) establishment of a malicious program characteristic library: collecting the function characteristics of the performance functions of every sample in the malicious program sample library into a characteristic library that serves as the malicious program model; and (4) detection of malicious programs: computing the function characteristic set of all functions of a program to be detected, checking it against the characteristic library, and judging the program malicious if its characteristic set is consistent with a characteristic model in the library.
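The two passages above (the embodiment in [0021] and steps (2) to (4) of the abstract) describe the pipeline without giving concrete normalization rules. The following Python is an added illustration, not the patent's or the inventors' code: it runs a toy version of the pipeline on constructed x86-like listings. The statement format, the interference-instruction rules (nop, self-moves, adjacent push/pop of the same register), the folding of top-tested and bottom-tested loops into one LOOP(cond | body) form, the operand abstraction and the hash-based library are all this example's assumptions. The point it makes is the one the patent argues: a variant with renamed registers, changed constants, inserted junk and a restructured loop yields the same function feature as the training sample, while a benign function with the same loop shape does not.

```python
# Added example, not the patent's or the inventors' code: a toy version of steps
# (2)-(4) on a made-up x86-like listing format; the junk rules, loop folding and
# feature hash are this example's own assumptions.
import hashlib
import re

REG = re.compile(r"^(e?[abcd][xlh]|e?[sd]i|e?[sb]p)$")
IMM = re.compile(r"^(0x[0-9a-f]+|\d+)$")
CJMP = {"je", "jne", "jz", "jnz", "jl", "jle", "jg", "jge", "jb", "jbe", "ja", "jae"}
JUMPS = CJMP | {"jmp"}

# Constructed listings: ';' separates statements, 'name:' labels the statement after it.
# Performance function: XOR-decrypt a 64-byte buffer in a top-tested loop.
SAMPLE_XOR_LOOP = ("decrypt: xor ecx,ecx; loop_top: cmp ecx,0x40; jge done; mov al,[esi+ecx]; "
                   "xor al,0x5A; mov [esi+ecx],al; inc ecx; jmp loop_top; done: ret")
# Same behaviour: registers renamed, key/length changed, junk inserted, loop bottom-tested.
VARIANT_XOR_LOOP = ("sub_401000: nop; xor edx,edx; push ebx; pop ebx; top: mov bl,[edi+edx]; "
                    "xor bl,0x7F; mov [edi+edx],bl; inc edx; nop; cmp edx,0x80; jl top; ret")
# Benign: same loop shape, plain copy without the XOR.
BENIGN_COPY_LOOP = ("copy: xor ecx,ecx; top: cmp ecx,0x40; jge done; mov al,[esi+ecx]; "
                    "mov [edi+ecx],al; inc ecx; jmp top; done: ret")


def parse(listing):
    """Split a listing into (label or None, mnemonic, [operands]) tuples."""
    out = []
    for stmt in filter(None, (s.strip() for s in listing.split(";"))):
        label = None
        if ":" in stmt:
            label, stmt = [p.strip() for p in stmt.split(":", 1)]
        mnem, _, rest = stmt.partition(" ")
        ops = [o.strip().lower() for o in rest.split(",") if o.strip()]
        out.append((label or None, mnem.lower(), ops))
    return out


def remove_interference(instrs):
    """Drop state-preserving junk: nop, mov/xchg r,r and an adjacent push X / pop X
    pair.  A label carried by dropped code moves to the next kept instruction."""
    out, carry, i = [], None, 0
    while i < len(instrs):
        label, mnem, ops = instrs[i]
        label = label or carry
        if mnem == "push" and i + 1 < len(instrs) and instrs[i + 1][1:] == ("pop", ops):
            carry, i = label or instrs[i + 1][0], i + 2
        elif mnem == "nop" or (mnem in ("mov", "xchg") and len(ops) == 2 and ops[0] == ops[1]):
            carry, i = label, i + 1
        else:
            out.append((label, mnem, ops))
            carry, i = None, i + 1
    return out


def abstract(op):
    """Operand class: M(emory), R(egister), I(mmediate) or L(abel)."""
    if op.startswith("["):
        return "M"
    if REG.match(op):
        return "R"
    return "I" if IMM.match(op) else "L"


def render(instr):
    return instr[1] + (" " + ",".join(map(abstract, instr[2])) if instr[2] else "")


def function_feature(listing):
    """Normalized token sequence of one function: junk removed, operands abstracted,
    each loop folded to LOOP(cond | body) whether its cmp/jcc test is at the top (exit
    branch plus jmp back) or the bottom (conditional back edge), and a plain forward
    cmp/jcc folded to IF(cond).  Nested loops are flattened, not recursed."""
    instrs = remove_interference(parse(listing))
    label_at = {lab: k for k, (lab, _, _) in enumerate(instrs) if lab}
    feat, i = [], 0
    while i < len(instrs):
        back = next((j for j in range(i + 1, len(instrs))
                     if instrs[j][1] in JUMPS and label_at.get(instrs[j][2][0]) == i), None)
        if back is not None:  # instrs[i..back] is a loop closed by the jump at `back`
            cond, body, k = [], [], i
            while k <= back:
                if instrs[k][1] == "cmp" and k < back and instrs[k + 1][1] in CJMP:
                    cond.append(render(instrs[k]))
                    k += 2
                else:
                    if instrs[k][1] not in JUMPS:
                        body.append(render(instrs[k]))
                    k += 1
            feat.append("LOOP(%s | %s)" % (" ".join(cond), " ".join(body)))
            i = back + 1
        elif instrs[i][1] == "cmp" and i + 1 < len(instrs) and instrs[i + 1][1] in CJMP:
            feat.append("IF(%s)" % render(instrs[i]))
            i += 2
        elif instrs[i][1] in JUMPS:
            i += 1
        else:
            feat.append(render(instrs[i]))
            i += 1
    return feat


def feature_hash(tokens):
    return hashlib.sha256("\n".join(tokens).encode()).hexdigest()[:16]


def build_library(samples):
    """Step (3): map the feature hash of every performance function to its family."""
    return {feature_hash(function_feature(f)): fam for fam, funcs in samples.items() for f in funcs}


def detect(program_functions, library):
    """Step (4): family of the first function whose feature is in the library, else None."""
    for f in program_functions:
        hit = library.get(feature_hash(function_feature(f)))
        if hit:
            return hit
    return None


if __name__ == "__main__":
    lib = build_library({"xor-decrypter": [SAMPLE_XOR_LOOP]})
    print(function_feature(VARIANT_XOR_LOOP))
    print("variant program:", detect([BENIGN_COPY_LOOP, VARIANT_XOR_LOOP], lib))
    print("benign program :", detect([BENIGN_COPY_LOOP], lib))
```

Run stand-alone, the script reports that the variant program matches the "xor-decrypter" family while the benign program does not. The exact-match lookup is the weakest part of this sketch: a real implementation of step (4) would need a similarity measure rather than a hash equality, and a real deobfuscation pass would have to handle far more than the three junk patterns shown here.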

Description

Technical field

[0001] The invention relates to the identification and detection of malicious programs, in particular to a method for detecting malicious programs based on function semantic features.

Background art

[0002] At present, most malicious program detection adopts behavior-based methods, which identify malicious behavior from the data-flow and control-flow relationships among API calls. However, the Windows DLL loading mechanism allows dynamic libraries to be replaced easily; insufficient integrity verification of DLL files and the emergence of hooking techniques make DLL tampering straightforward. Moreover, a malicious program running in the operating system kernel can alter the contents of functions at will, including the implementation of system calls. Even when the calling conventions are left unchanged, the code the program actually executes has changed. Therefore, the API-based detection mechanism is no longer effective, resulting in false d...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/56
CPC: G06F21/562
Inventors: 曾庆凯, 董殿靖
Owner: NANJING UNIV