Malicious software detection method and system based on memory analysis

A malicious software and memory analysis technology, applied in the field of computer security, can solve problems such as virtual machine unavailability and detection tools being detected or destroyed, and achieves high versatility and portability, high security, and a reduced performance load.

Pending Publication Date: 2020-02-25
INST OF ELECTRONICS & INFORMATION ENG OF UESTC IN GUANGDONG +1

AI Technical Summary

Problems solved by technology

[0004] However, the applicant found that, whether static code analysis or dynamic tracking analysis is used, traditional malware detection methods have certain limitations in the cloud environment; static code analysis presupposes the existence of a binary executable file, but some malware files use the method of deleting or hidi



Examples


Embodiment 1

[0032] As shown in figure 1, a malware detection method based on memory analysis includes:

[0033] Step 1: Obtain the memory image of the virtual machine, analyze the kernel data structure in the memory image, and analyze the malware through the kernel data structure;

[0034] Among them, the process of obtaining the memory image of the virtual machine includes: the host submits a malware sample to the Cuckoo sandbox; the Cuckoo sandbox restores the VirtualBox virtual machine to a running state from a pre-generated snapshot of normal memory; the Cuckoo sandbox uploads the malware sample into the VirtualBox virtual machine, runs it there, and generates memory images inside the VirtualBox virtual machine, thereby automatically obtaining a large number of memory images taken while the malware runs and realizing the collection of training samples for the convolutional neural network model.

[0035] Step 2: Obtain the executable code of the malware, export...

Embodiment 2

[0054] A malware detection system based on memory analysis, including:

[0055] The acquisition module is used to obtain the memory image of the virtual machine, parse the kernel data structure in the memory image, obtain the process name information and the process memory mapping space information residing in the memory image, match the process name information against the malware sample name to obtain the malware's process, analyze the memory mapping space information of that process to obtain the executable code of the malware, export the executable code of the malware in the form of a binary file, and convert the binary file into a grayscale image;

[0056] The training module is used to receive the grayscale image, and transmit the grayscale image to the convolutional neural network for model training. After the available convolutional neural network model is generated, the convolutional neural network model can be transmitted to the monitoring module, so that the m...



Abstract

The invention belongs to the technical field of computer security, and particularly relates to a malicious software detection method based on memory analysis. The method comprises the steps of obtaining a memory image of a virtual machine, analyzing a kernel data structure in the memory image, analyzing malicious software through the kernel data structure, obtaining the executable code of the malicious software, exporting the executable code of the malicious software as a binary file, and converting the binary file into a grayscale image. The malicious software detection security is high, the method and system are suitable for detecting various types of malicious software and for operating on different operating system versions, and the detection universality and portability are greatly improved. In addition, the invention further provides a malicious software detection system based on memory analysis.
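The binary-to-grayscale conversion named in the abstract and in the acquisition module of Embodiment 2 is the step that turns exported code into CNN input. The block below is an added example written for this page, not code from the patent or its applicant: it lays each byte out as one pixel intensity, pads the last row, resamples to a fixed size, and serialises the result as a PGM file. The width table is an assumption borrowed from common malware-visualisation practice; the patent text does not say how image width is chosen, and the sample bytes are constructed, not a real executable.

```python
# Added example: converting exported executable code into a grayscale image,
# the preprocessing step the patent feeds to its convolutional neural network.
# Standard library only, so it runs offline. The width table is an assumption
# taken from common malware-visualisation practice, not from the patent.
import math
from typing import List, Optional

Image = List[List[int]]  # rows of pixel intensities, each in 0..255

# (upper size bound in bytes, image width). Assumed, not specified by the patent.
_WIDTH_TABLE = [
    (10 * 1024, 32),
    (30 * 1024, 64),
    (60 * 1024, 128),
    (100 * 1024, 256),
    (200 * 1024, 384),
    (500 * 1024, 512),
    (1000 * 1024, 768),
]
_MAX_WIDTH = 1024


def choose_width(size: int) -> int:
    """Pick an image width from the size of the exported code."""
    for bound, width in _WIDTH_TABLE:
        if size < bound:
            return width
    return _MAX_WIDTH


def bytes_to_grayscale(code: bytes, width: Optional[int] = None) -> Image:
    """Lay the bytes out row by row; each byte value is one pixel intensity.

    The last row is zero-padded so the image is rectangular.
    """
    if not code:
        raise ValueError("no executable code to convert")
    if width is None:
        width = choose_width(len(code))
    rows = math.ceil(len(code) / width)
    padded = code + b"\x00" * (rows * width - len(code))
    return [list(padded[r * width:(r + 1) * width]) for r in range(rows)]


def resize_nearest(img: Image, out_h: int, out_w: int) -> Image:
    """Nearest-neighbour resampling to the fixed input size a CNN expects."""
    in_h, in_w = len(img), len(img[0])
    return [
        [img[y * in_h // out_h][x * in_w // out_w] for x in range(out_w)]
        for y in range(out_h)
    ]


def to_pgm(img: Image) -> bytes:
    """Serialise as binary PGM (P5), which most image viewers can open."""
    h, w = len(img), len(img[0])
    header = f"P5\n{w} {h}\n255\n".encode("ascii")
    return header + b"".join(bytes(row) for row in img)


if __name__ == "__main__":
    # Constructed sample: a fake 'MZ' header followed by a repeating byte
    # pattern. It stands in for the code the acquisition module exports and
    # is not a real executable.
    sample = b"MZ\x90\x00" + bytes(range(256)) * 40
    img = bytes_to_grayscale(sample)
    print(f"{len(sample)} bytes -> {len(img[0])}x{len(img)} image")
    small = resize_nearest(img, 64, 64)
    with open("sample.pgm", "wb") as fh:
        fh.write(to_pgm(small))
```

Because the width depends only on the code size, two dumps of the same binary produce the same image, which is what makes the grayscale representation usable as a stable training sample; the zero padding at the end of the last row is visible as a dark tail and should not be mistaken for content.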

Description

Technical field

[0001] The invention belongs to the technical field of computer security, and in particular relates to a malicious software detection method and detection system based on memory analysis.

Background technique

[0002] In cloud computing, malware has always been one of the threats to the cloud computing security environment. Malware running in virtual machines or containers can steal important information from cloud tenants; and, through malware and system backdoors, attackers can gain operating system privileges to remotely control virtual machines and further attack other uninfected virtual machines or containers. Therefore, for cloud service providers and cloud tenants, malware detection is an integral part of cloud computing security.

[0003] At present, malware detection methods can be roughly divided into two categories: static code analysis and dynamic tracking analysis. Static code analysis often implements malware detection by analyzing binary file...


Application Information

IPC(8): G06F21/56, G06F21/53
CPC: G06F21/562, G06F21/53
Inventor 叶麟詹东阳余翔湛张宇刘立坤于海宁方滨兴蒋振韬郭新凯
Owner INST OF ELECTRONICS & INFORMATION ENG OF UESTC IN GUANGDONG