
A method for homology analysis of malicious code based on cross-process behavior monitoring

This technology, applied in the field of homology analysis of malicious code based on cross-process behavior monitoring, addresses the problems of decreased detection accuracy, low code coverage and undetectable behavior, and achieves the effect of reducing the number of logs.

Active Publication Date: 2021-09-28
HENAN GONGXING INFORMATION TECH

AI Technical Summary

Problems solved by technology

However, all of them have certain shortcomings. Faced with the continual appearance of new malicious programs, static detection methods match against the features of known malicious programs, have a high false positive rate, and cannot detect applications that download malicious code at runtime.
Dynamic detection, on the other hand, requires executing the malicious program; it has low code coverage and no guarantee that malicious behaviors will be triggered. For malicious applications whose behavior is triggered only under certain conditions, the behavior trace cannot be accurately extracted, which reduces detection accuracy.


Embodiment Construction

[0029] By adopting the technical solution proposed by the present invention, an efficient, low-memory method for homology analysis of malicious code based on cross-process behavior monitoring can be realized. The present invention proposes a method for homology analysis of malicious code based on cross-process behavior monitoring, described in detail with reference to Figures 1-4.

[0030] As shown in Figure 1, a target process relationship tree is created. The tree includes the target process, the child processes of the target process and its grandchild processes, together with the association relationships among them, and the target, child and grandchild processes are monitored through the relationship tree. Figure 1 is a tree structure composed of the target process and the child and grandchild processes it created during the execution of an attack code. Wherein, the process relationship tree further includes an association relationship of the processes that execute code behav...


Abstract

The present invention proposes a method for homology analysis of malicious code based on cross-process behavior monitoring: taint propagation rules are defined, cross-process related log records are saved, the log records are filtered, extracted, compared and analyzed, and taint-related operations are judged. The present invention can not only record events directly and indirectly related to a given file through the creation of different processes or the insertion of remote threads; it can also record program behaviors that are executed indirectly by exploiting vulnerabilities, such as hijacking and execution via a DLL. At the same time, the number of recorded logs can be greatly reduced.
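To make the mechanism of paragraph [0030] and the abstract concrete, the following is an added example (not code from the patent or its applicant) of how a monitor could replay a process-event stream, build the target's process relationship tree, propagate taint across the three cross-process relations the abstract names (child creation, remote-thread insertion, and loading of a DLL written by a tainted process), and keep only the log records that touch a tainted process. The event stream, process ids, image names and file paths are all constructed for the example; the taint rules are this example's own reading of the abstract, not the patent's actual rule set.

```python
from collections import defaultdict

# Constructed sample event stream (not from the patent). pid 101 is the
# monitored target; 102/103 are its child and grandchild; 200 receives a
# remote thread from the target; 300 later loads a DLL the target wrote.
EVENTS = [
    {"type": "process_create", "pid": 1,   "ppid": 0,   "image": "explorer.exe"},
    {"type": "process_create", "pid": 200, "ppid": 1,   "image": "svchost.exe"},
    {"type": "process_create", "pid": 400, "ppid": 1,   "image": "notepad.exe"},
    {"type": "process_create", "pid": 101, "ppid": 1,   "image": "sample.exe"},
    {"type": "process_create", "pid": 102, "ppid": 101, "image": "cmd.exe"},
    {"type": "process_create", "pid": 103, "ppid": 102, "image": "powershell.exe"},
    {"type": "remote_thread",  "pid": 101, "target_pid": 200},
    {"type": "file_write",     "pid": 101, "path": r"C:\app\version.dll"},
    {"type": "process_create", "pid": 300, "ppid": 1,   "image": "app.exe"},
    {"type": "image_load",     "pid": 300, "path": r"C:\app\version.dll"},
    {"type": "file_write",     "pid": 103, "path": r"C:\Users\u\out.txt"},
    {"type": "network_connect", "pid": 200, "dest": "198.51.100.7:443"},
    {"type": "file_write",     "pid": 400, "path": r"C:\other.txt"},
    {"type": "network_connect", "pid": 1,   "dest": "192.0.2.10:80"},
]


def analyze(events, target_pid):
    """Replay the event stream once and return (tainted pids, tree edges, kept events).

    Taint rules (this example's assumptions):
      1. a process created by a tainted process is tainted (child/grandchild);
      2. a process that receives a remote thread from a tainted process is tainted;
      3. a file written by a tainted process is tainted, and a process that
         loads such a file as an image (DLL hijacking) is tainted.
    """
    tainted = {target_pid}
    file_writer = {}            # tainted file path -> pid that wrote it
    edges = defaultdict(list)   # tainted parent pid -> [(related pid, relation)]
    kept = []
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "process_create" and ev["ppid"] in tainted:
            tainted.add(pid)
            edges[ev["ppid"]].append((pid, "child"))
        elif kind == "remote_thread" and pid in tainted:
            tainted.add(ev["target_pid"])
            edges[pid].append((ev["target_pid"], "remote_thread"))
        elif kind == "file_write" and pid in tainted:
            file_writer[ev["path"]] = pid
        elif kind == "image_load" and ev["path"] in file_writer:
            tainted.add(pid)
            edges[file_writer[ev["path"]]].append((pid, "dll_load"))
        # Log filtering: keep only records involving a tainted process.
        if pid in tainted or ev.get("target_pid") in tainted:
            kept.append(ev)
    return tainted, edges, kept


def render_tree(edges, root, relation="target", depth=0):
    """Indented text rendering of the relationship tree rooted at `root`."""
    lines = ["  " * depth + f"{root} ({relation})"]
    for child, child_relation in edges.get(root, []):
        lines.extend(render_tree(edges, child, child_relation, depth + 1))
    return lines


if __name__ == "__main__":
    tainted, edges, kept = analyze(EVENTS, 101)
    print("\n".join(render_tree(edges, 101)))
    print(f"tainted pids: {sorted(tainted)}")
    print(f"kept {len(kept)} of {len(EVENTS)} log records")
```

Replaying the constructed stream taints five processes (the target, its child and grandchild, the remote-thread victim and the DLL-loading process) and retains 8 of the 14 records; the untainted activity of explorer.exe and notepad.exe is dropped, which is the log-reduction effect the abstract describes. A real monitor would feed the same logic from kernel process, thread and image-load callbacks rather than from a fixed list.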

Description

Technical field

[0001] The invention relates to the technical field of computer applications, in particular to a method for homology analysis of malicious code based on cross-process behavior monitoring.

[0002] Technical background

[0003] The ever-increasing amount of malicious code poses a huge threat to the security of users' devices, privacy and property. A large number of researchers have begun to focus on technologies such as malicious code detection and have achieved certain results. Malicious code detection methods can be divided into two categories: static detection and dynamic detection. Static detection mostly uses reverse engineering techniques such as decompilation to extract static features of an application, such as signatures, functions, view structures, static data flow and control flow, combined with certain rule-matching algorithms to detect malicious code; dynamic detection uses the program's runtime behavior characteristics as the d...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): G06F21/56
CPC: G06F21/563, G06F21/566
Inventor: 侯毅潘晓东罗朋卫
Owner: HENAN GONGXING INFORMATION TECH