Method for identifying suspicious attack codes based on sandbox dynamic behaviors

A sandbox-based behavioral detection technology, applied in the fields of instruments, digital data processing and platform integrity maintenance, addresses the inability of existing methods to detect unknown virus intrusions, improving detection sensitivity and reducing the harm a suspicious program can do to the system.

Active Publication Date: 2019-08-16
ZHEJIANG UNIV OF TECH

AI Technical Summary

Problems solved by technology

[0004] The feature-based static detection method has been researched in depth in the field of malicious code detection. Most anti-virus software us




Embodiment Construction

[0020] The present invention is further illustrated with reference to the accompanying drawing:

[0021] A method for identifying suspicious attack code based on sandbox dynamic behavior, comprising the following steps:

[0022] 1) Establish a sandbox. The sandbox comprises a sandbox system, a behavior acquisition system, a behavior analysis system, and a system interface.

[0023] 2) Construct the attack tree model: analyze a large number of malicious code behaviors and build the feature library of the attack tree model from the API sequences most commonly used by malicious code.

[0024] 3) Determine whether the PE file of the suspicious program has been packed, deformed, etc. If so, it is introduced into the sandbox; if not, the PE file is analyzed statically to extract its API call sequence.

[0025] 4) Introduce code exhibiting packing or deformation (suspicious attack behavior) into the sandbox, simulate the execution of the application and s...



Abstract

The invention discloses a method for identifying suspicious attack codes based on sandbox dynamic behaviors. The method comprises the following steps: establishing a sandbox system; constructing an attack tree model from the API call sequences of common malicious programs; judging whether the PE file of the suspicious program is packed, deformed or otherwise transformed; introducing a suspicious program that shows packing or deformation behavior into the sandbox and analyzing its API call sequence; and calculating the danger index of the suspicious code in the attack tree, raising an alarm if the danger index reaches a specified threshold. The advantages of the method are that the program is introduced into the sandbox, where the API behavior sequence of the unknown program is obtained, so the possible harm of the unknown program to the system is reduced; an attack tree model is built, and whether the program is malicious code is judged by calculating the program's static danger index, which improves the sensitivity of unknown program detection.
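The attack-tree matching described in steps 2) to 5) of the embodiment and in the abstract, as an added illustration that is not the patent's own code: a feature library of weighted API sequences is stored as a tree, an observed API call sequence (from the sandbox, or from static analysis of an unpacked PE file) is walked through it, and the danger index is compared with a threshold. The pattern names, API names, weights, sample trace, the 0.7 threshold and the choice to sum the weights of completed attack paths are all constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    """Attack-tree node; a non-empty label marks the end of a known malicious API sequence."""
    children: dict = field(default_factory=dict)
    label: str = ""
    weight: float = 0.0

def build_attack_tree(patterns):
    """Step 2): the feature library is a tree whose root-to-leaf paths are API sequences."""
    root = Node()
    for label, apis, weight in patterns:
        node = root
        for api in apis:
            node = node.children.setdefault(api, Node())
        node.label, node.weight = label, weight
    return root

def danger_index(root, trace):
    """Step 5): walk the observed API call sequence through the tree. Malicious sequences
    are usually interleaved with unrelated calls, so every partially matched path stays
    active; the index is the sum of the weights of completed paths, capped at 1.0."""
    active = {id(root): root}
    matched = {}
    for api in trace:
        for node in list(active.values()):  # snapshot: one step per path per API call
            child = node.children.get(api)
            if child is not None:
                active[id(child)] = child
                if child.label:
                    matched[child.label] = child.weight
    return round(min(1.0, sum(matched.values())), 6), sorted(matched)

def classify(root, trace, threshold=0.7):
    """Raise an alarm when the danger index reaches the specified threshold (constructed value)."""
    index, matched = danger_index(root, trace)
    return index >= threshold, index, matched

# Constructed feature library: API sequences commonly seen in malicious code, with danger weights.
PATTERNS = [
    ("process_injection", ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"], 0.6),
    ("run_key_persistence", ["RegOpenKeyEx", "RegSetValueEx"], 0.3),
    ("download_and_execute", ["InternetOpenUrl", "InternetReadFile", "WriteFile", "CreateProcess"], 0.5),
]
TREE = build_attack_tree(PATTERNS)
# Constructed sandbox traces: injection interleaved with benign calls, then persistence; and a benign run.
SUSPICIOUS_TRACE = ["GetTickCount", "OpenProcess", "Sleep", "VirtualAllocEx", "GetTickCount",
                    "WriteProcessMemory", "CreateRemoteThread", "RegOpenKeyEx", "RegSetValueEx"]
BENIGN_TRACE = ["CreateFile", "ReadFile", "CloseHandle"]
```

`classify(TREE, SUSPICIOUS_TRACE)` reports an alarm with index 0.9 and both matched paths, while the benign trace and an incomplete injection sequence score 0.0; in practice the weights and threshold are tuned on the corpus used to build the feature library.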

Description

Technical field

[0001] The invention relates to the technical field of computer network security, in particular to a method for identifying suspicious attack codes based on sandbox dynamic behavior.

[0002] Technical background

[0003] Malicious code is a class of malicious programs, mainly including computer viruses, Trojan horses, network worms, email viruses, backdoor programs and malicious website scripts. After years of evolution, the destructiveness and infectivity of malicious attack code have increased greatly. The "2017 Android Malware Special Report" released by the 360 Internet Security Center shows that in the four years from 2014 to 2017 the number of Android malware infections in China exceeded 200 million people, and the damage was very extensive. In addition, 7.573 million new Android malware samples appeared in 2017, and the number of vulnerabilities increased by 61% year on year. Malicious codes have entered a period of high ...


Application Information

IPC(8): G06F21/56
CPC: G06F21/563
Inventor: 赵澄倪闻清陈君新
Owner: ZHEJIANG UNIV OF TECH