
Escape behavior detection method based on multiple environments

A detection method based on multiple environments, applied in the field of information security, addresses the difficulty of rapidly restoring physical-machine analysis systems and of improving analysis efficiency, and achieves the effects of a low detection rate, high detection efficiency and high reliability.

Active Publication Date: 2020-07-28
CENT SOUTH UNIV

AI Technical Summary

Problems solved by technology

However, because it relies on physical machines, this method makes rapid system recovery difficult. At the same time, it is hard to improve analysis efficiency by starting multiple analysis systems to process a large number of samples.



Examples


Embodiment 1

[0097] This embodiment gives a concrete example of the evasion behavior detection process, which mainly includes:

[0098] S1: Extract the program to be analyzed, 01c0cec525d49d24bb314e5a94f17f0e.exe, where 01c0cec525d49d24bb314e5a94f17f0e is the MD5 value of the program; this sample exhibits virtual-machine evasion behavior;

[0099] S2: Analyze the program from S1 in the multi-environment virtualization sandbox. The sandbox consists of three virtual machine environments built on VMware, VirtualBox and KVM, each running WIN7 as the guest operating system. Obtain the analysis reports of the sample from S1 in the three environments and extract the API call information from the three reports. Comparing the types and numbers of APIs shows that this sample generates more API calls in the VirtualBox environment; the additional API calls are listed in Table 2.

[0100] Table 2 Different API calls

[0101] ...


Abstract

The invention discloses an escape behavior detection method based on multiple environments. The method comprises the steps of obtaining a to-be-analyzed program; analyzing the to-be-analyzed program with a multi-environment virtualization sandbox; extracting the API call sequence of each sample from the behavior analysis report of each sandbox; converting the API call sequence into an API character sequence; performing comparison detection on the API character sequences of the same sample in different sandboxes based on the Smith-Waterman algorithm; extracting the difference subsequence from the comparison detection result; and calculating the Levenshtein distance of the difference subsequence and comparing the API character sequences of the same sample in multiple environments in pairs, so as to judge whether the to-be-analyzed program has escape detection behavior. The method is high in reliability, good in practicability and high in detection efficiency.
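The pipeline the abstract describes, and the cross-environment API comparison of step S2 in Embodiment 1, as an added example that is not the patent's own code: API-call traces from three sandboxes are mapped to character strings, each pair is locally aligned with Smith-Waterman, whatever lies outside the aligned common block is taken as the difference subsequence, and its Levenshtein distance is checked against a threshold. The traces, the alignment scores (match +2, mismatch and gap -1) and the threshold of 2 are assumptions; the patent does not state them.

```python
from itertools import combinations
# Constructed (hypothetical) traces for one sample: the prologue is identical in
# every sandbox, but the payload only runs where the sample sees no virtualization.
PROLOGUE = ["GetSystemInfo", "RegOpenKeyExW"]
TRACES = {"vmware": PROLOGUE + ["ExitProcess"],
          "virtualbox": PROLOGUE + ["CreateFileW", "WriteFile", "CreateProcessW", "ExitProcess"],
          "kvm": PROLOGUE + ["ExitProcess"]}

def to_chars(seq, table):  # one character per distinct API name, assigned on first sight
    return "".join(table.setdefault(api, chr(65 + len(table))) for api in seq)

def smith_waterman(a, b, match=2, mismatch=-1, gap=-1):
    """Local alignment; returns (score, (a_start, a_end), (b_start, b_end))."""
    H = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    best, end = 0, (0, 0)
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            diag = H[i-1][j-1] + (match if a[i-1] == b[j-1] else mismatch)
            H[i][j] = max(0, diag, H[i-1][j] + gap, H[i][j-1] + gap)
            if H[i][j] > best:
                best, end = H[i][j], (i, j)
    i, j = end  # trace back to the start of the best-scoring local block
    while i > 0 and j > 0 and H[i][j] > 0:
        if H[i][j] == H[i-1][j-1] + (match if a[i-1] == b[j-1] else mismatch):
            i, j = i - 1, j - 1
        elif H[i][j] == H[i-1][j] + gap:
            i -= 1
        else:
            j -= 1
    return best, (i, end[0]), (j, end[1])

def levenshtein(a, b):  # edit distance between two strings (the difference subsequences)
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j-1] + 1, prev[j-1] + (ca != cb)))
        prev = cur
    return prev[-1]

def detect_escape(traces, threshold=2):
    """Pairwise-compare one sample's traces; returns ({(env1, env2): distance}, verdict)."""
    table, dist = {}, {}
    chars = {env: to_chars(seq, table) for env, seq in traces.items()}
    for e1, e2 in combinations(chars, 2):
        a, b = chars[e1], chars[e2]
        _, (i0, i1), (j0, j1) = smith_waterman(a, b)
        dist[(e1, e2)] = levenshtein(a[:i0] + a[i1:], b[:j0] + b[j1:])  # outside the common block
    return dist, any(d >= threshold for d in dist.values())
```

On the constructed traces the VMware and KVM runs differ by nothing, while each of them differs from the VirtualBox run by three API calls, which exceeds the threshold and flags the sample.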

Description

Technical field

[0001] The invention belongs to the technical field of information security, and in particular relates to a multi-environment-based evasion behavior detection method.

Background technique

[0002] With the development of the economy and technology and the advent of the intelligent age, the importance of data security has received more and more attention.

[0003] In modern malicious code detection, dynamic behavior detection is a relatively common method: whether malicious behavior is present is determined by observing the execution of the code in a sandbox. In order to prolong the life cycle of malicious programs, malicious code authors add environment detection code to their programs and stop executing malicious behavior when the detected operating environment is a sandbox, thus avoiding malicious behavior detection. This evasion of detection leads to wrong judgments by dynamic malicious code analysis tools, and t...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/53, G06F21/56
CPC: G06F21/53, G06F21/566, Y02A10/40
Inventors: 王伟平, 肖林, 宋虹, 王建新
Owner: CENT SOUTH UNIV