Malicious program behavior feature library construction method and device

A technology for constructing a malicious program behavior feature library, applied to computer security devices, instruments, electronic digital data processing, etc. It addresses two problems of prior feature-matching approaches: new malicious programs (and variants of old ones) cannot be detected, and building the feature library by manual analysis is inefficient.

Active Publication Date: 2017-01-11
科来网络技术股份有限公司

AI Technical Summary

Problems solved by technology

Feature-string matching runs fast and has a low false-alarm rate, but its feature words must be continuously updated and expanded.
At the same time, new malicious programs cannot be detected, and variants of old malicious programs can evade matching-based detection by reordering instruction sequences and similar techniques.
As the mutation ability of malicious programs grows day by day and new malicious programs are generated ever faster, constructing the malicious program behavior feature library by manual analysis is very inefficient.



Examples


Embodiment 1

[0051] Embodiment 1: For example, three samples are collected; samples A and B are malicious files and sample C is a normal file. The sample set is run in a sandbox to obtain the behavior operation list of each sample, as follows:

[0052] Sample A behavior operation list 1:

[0053]

[0054] Sample B behavior operation list 2:

[0055]

[0056] Sample C behavior operation list 3:

[0057]

[0058] Merge similar operation behaviors to obtain list 4 of all operation behaviors, as follows:

[0059]

[0060] Count the total number of occurrences of all behavior operations: m = 5.

[0061] Calculate the maliciousness value of each behavior operation:

[0062]

[0063] Sort by maliciousness value to obtain the following list of malicious behavior features:

[0064]


Abstract

The invention relates to the field of computer security, and in particular to a method and device for constructing a malicious program behavior feature library. To address the problems of the prior art, behaviors are extracted automatically by machine and the feature library is constructed automatically from the ranking of those behaviors by maliciousness value, which greatly improves the efficiency of behavior extraction for malicious programs and reduces manual involvement. The method proceeds as follows: the behavior operations of the n sample files in a sample set are acquired; similar behavior operations across all sample files are merged; the maliciousness value of each behavior is calculated as tf * idf * vf, where tf is the occurrence frequency of the behavior, idf is its inverse sample frequency (the inverse document frequency of tf-idf, with sample files as the documents), and vf is its malicious frequency; the behaviors are sorted by maliciousness value; the malicious behavior features are determined; and the malicious program behavior feature library is constructed.
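As an added worked example, not the patent's own code or data, the following Python carries the procedure of the abstract and of Embodiment 1 through on a constructed set of three sandbox behavior lists (two malicious samples, one benign). The page does not give the exact formulas for tf, idf and vf or the rule for merging similar operations, so this example assumes tf = count / m (m being the total number of behavior occurrences over all samples, as counted in Embodiment 1), idf = ln(n / number of samples exhibiting the behavior), vf = the fraction of the samples exhibiting the behavior that are malicious, and merges operations by their API name, discarding arguments. The sample names, behavior strings and resulting values are all constructed.

```python
import math
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sandbox output (stand-ins for the patent's lists 1-3, which are not
# reproduced on the page): for each sample, whether it is malicious and the raw
# behavior operations observed when it ran in the sandbox.
SAMPLES: Dict[str, Tuple[bool, List[str]]] = {
    "A": (True, [
        r"RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
        r"CreateProcess C:\Windows\System32\cmd.exe /c vssadmin delete shadows /all",
        "Connect 198.51.100.7:4444",
        r"WriteFile C:\Users\victim\Documents\report.docx.locked",
        r"WriteFile C:\Users\victim\Documents\budget.xlsx.locked",
    ]),
    "B": (True, [
        r"RegSetValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svc",
        "Connect 203.0.113.9:443",
        r"WriteFile C:\ProgramData\svc.exe",
        r"CreateRemoteThread C:\Windows\explorer.exe",
    ]),
    "C": (False, [
        r"WriteFile C:\Users\victim\AppData\Local\Temp\cache.tmp",
        "Connect 192.0.2.10:443",
        r"CreateProcess C:\Windows\System32\notepad.exe",
    ]),
}


def merge_key(operation: str) -> str:
    """Merge similar operations (assumed rule): keep the API/operation name and
    drop its arguments, so 'WriteFile <path1>' and 'WriteFile <path2>' merge."""
    return operation.split(None, 1)[0]


def maliciousness(samples: Dict[str, Tuple[bool, List[str]]]) -> Tuple[int, Dict[str, float]]:
    """Return (m, scores): m is the total number of behavior occurrences over all
    samples; scores maps each merged behavior to tf * idf * vf (assumed definitions)."""
    n = len(samples)
    counts: Counter = Counter()       # occurrences of each merged behavior, all samples
    sample_freq: Counter = Counter()  # number of samples exhibiting the behavior
    mal_freq: Counter = Counter()     # number of malicious samples exhibiting it
    for is_malicious, operations in samples.values():
        keys = [merge_key(op) for op in operations]
        counts.update(keys)
        for key in set(keys):
            sample_freq[key] += 1
            if is_malicious:
                mal_freq[key] += 1
    m = sum(counts.values())
    scores: Dict[str, float] = {}
    for key, count in counts.items():
        tf = count / m                           # frequency over the whole sample set
        idf = math.log(n / sample_freq[key])     # 0 for a behavior seen in every sample
        vf = mal_freq[key] / sample_freq[key]    # share of exhibiting samples that are malicious
        scores[key] = tf * idf * vf
    return m, scores


def build_library(samples: Dict[str, Tuple[bool, List[str]]]) -> List[Tuple[str, float]]:
    """Sort behaviors by maliciousness value (descending, name breaks ties) and keep
    those with a positive value as the malicious behavior feature library."""
    _, scores = maliciousness(samples)
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(key, score) for key, score in ranked if score > 0]


if __name__ == "__main__":
    m, scores = maliciousness(SAMPLES)
    print(f"m = {m}")
    for key, score in sorted(scores.items(), key=lambda kv: (-kv[1], kv[0])):
        print(f"{key:20s} {score:.4f}")
    print("library:", [key for key, _ in build_library(SAMPLES)])
```

With these assumptions the constructed set has m = 12; `CreateRemoteThread` (seen only in a malicious sample) ranks first, `RegSetValue` (both malicious samples, never the benign one) second, `CreateProcess` (one malicious, one benign sample) third, while `Connect` and `WriteFile` fall to zero because every sample performs them and idf vanishes. That is the point of the idf factor: generic operations are filtered regardless of how often they occur. The merge rule here is deliberately coarse; a library built for real use would merge at a finer granularity (for instance distinguishing writes to Run keys from other registry writes), since a variant that only changes its arguments is exactly what the page says manual feature strings fail to catch.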

Description

Technical field [0001] The invention relates to the field of computer security, in particular to a method and device for constructing a malicious program behavior feature library. Background art [0002] With the widespread use of personal computers and mobile phones, information security has increasingly become an important research direction in modern society. Malicious program detection has developed from simple detection of static feature values to detection of the dynamic behavior of malicious programs. Dynamic detection mainly extracts the behavior of a program and compares it with a database of known malicious behavior signatures. At present, constructing the malicious behavior signature database relies mainly on manual analysis of malicious programs, mostly using feature-string or feature-keyword matching: key feature words are extracted to form a feature library, and the program under inspection is scanned ...


Application Information

Patent type and authority: Applications (China)
IPC (8): G06F21/56
CPC: G06F21/566; G06F2221/033
Inventors: 罗鹰, 赵劲松, 林康
Owner: 科来网络技术股份有限公司