Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

Method and system for judging homology of massive malicious samples

A determination method and homology technology, applied in the field of information security, can solve problems such as unreasonable, long work cycle, long analysis cycle, etc., to achieve the effect of improving accuracy, reducing calculation amount, and improving accuracy

Inactive Publication Date: 2016-10-05
WUHAN ANTIY MOBILE SECURITY
View PDF4 Cites 11 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

However, the early detection methods were based on a large number of manual analysis, with low analysis efficiency and long work cycle; then, based on linguistics and computer reverse engineering technologies, the Charles River Analysis Company of the United States developed a malicious code analysis system, which traces code evolution. Discover the homology between malicious code samples, but this method is based on the intelligence analysis platform Palantir, which cannot meet the general application conditions
In 2012, Guan Qiang and Liu Xing respectively proposed homology automatic determination technology based on the static characteristics of malicious code, but their methods did not take into account the processing of packed malicious samples
In 2013, Mandiant Corporation of the United States proposed the method of using malicious code characteristics to track the source of the attack to analyze homology, but this analysis requires long-term tracking of the target first, and the analysis period is long
In 2015, Kang Fei proposed to analyze the homology of malicious code based on the similarity of behavior characteristics, but it did not consider the context of behavior characteristics. It is obviously unreasonable to regard the same behavior in different environments as having the same characteristics and purpose.
[0004] 1. The earlier homology analysis methods were all based on the in-depth manual analysis of the captured samples, so it required a lot of manpower and time;
[0005] 2. Packed samples are not considered, and the technology lacks versatility;
[0006] 3. Among the current methods, there is no technology suitable for homology determination of massive malicious code samples

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Method and system for judging homology of massive malicious samples
  • Method and system for judging homology of massive malicious samples

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0049] The present invention provides a method for judging homology of massive malicious samples and system embodiments, in order to enable those skilled in the art to better understand the technical solutions in the embodiments of the present invention, and to make the above-mentioned purposes, features and The advantages can be more obvious and easy to understand, and the technical solution in the present invention will be further described in detail below in conjunction with the accompanying drawings:

[0050] The present invention firstly provides an embodiment of a method for judging the homology of a large number of malicious samples, such as figure 1 shown, including:

[0051] S101 decompiles the malicious sample to obtain the smali file and extracts the class name and method name;

[0052] S102 calculates the simhash fingerprint of each malicious sample using the combination of class name and method name as a feature dimension; wherein, each malicious sample contains ...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention discloses a method and system for judging homology of massive malicious samples. The method comprises the following steps: decompiling the malicious samples to obtain smali files and extracting class names and method names; calculating simhash fingerprints of the malicious samples by taking a combination of the class names and the method names as a characteristic dimensionality; calculating Hamming distances between the simhash fingerprints of the malicious samples on the basis of a MapReduce mode; and determining the malicious samples, the Hamming distances of which are less than or equal to a preset threshold value, as homological samples, wherein the class names are names of abstract objects in program codes and the method names are function names contained in the abstract objects in the program codes. According to the method and system disclosed in the invention, homology analysis can be carried out on massive samples, so that the processing time is shortened, and the correctness of homology judgement is improved.

Description

technical field [0001] The invention relates to the technical field of information security, in particular to a method and system for judging homology of massive malicious samples. Background technique [0002] As early as 2011, Kaspersky pointed out in its analysis report that based on the fact that the two attack viruses of Stuxnet and Poison Zone contained part of the same code, it was inferred that they came from the same author, and since then, the homology detection of malicious code has been opened. Prologue with Judgment. However, the early detection methods were based on a large number of manual analysis, with low analysis efficiency and long work cycle; then, based on linguistics and computer reverse engineering technologies, the Charles River Analysis Company of the United States developed a malicious code analysis system, which traces code evolution. Discover the homology between malicious code samples, but this method is based on the intelligence analysis platf...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
IPC IPC(8): G06F21/56
CPCG06F21/563
Inventor 何源浩孙岩潘宣辰
Owner WUHAN ANTIY MOBILE SECURITY
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic, Popular Technical Reports.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap|About US| Contact US: help@patsnap.com