
WO2016127037A1 - Method and device for identifying computer virus variants - Google Patents

Method and device for identifying computer virus variants

Info

Publication number
WO2016127037A1
Authority
WO
WIPO (PCT)
Prior art keywords
virus
api call
api
matching
call sequence
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/US2016/016741
Other languages
English (en)
Inventor
Yuehua GUO
Honggang TANG
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from CN201510065074.8A
Application filed by Alibaba Group Holding Ltd
Publication of WO2016127037A1
Anticipated expiration
Current legal status: Ceased

Links

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Definitions

  • Embodiments relate to the field of Internet technology and, more particularly, to identifying virus variants.
  • Antivirus software on the Android platform usually uses the technique of identifying condition codes (virus signatures) to detect and remove viruses.
  • Those who develop and spread viruses keep devising techniques to make viruses undetectable. For example, they use mechanisms such as ProGuard, which obfuscates the identifying features of a virus program, such as its class names, function names, and constant strings, so that current antivirus software becomes incapable of detecting and removing the virus and its variants.
  • Embodiments according to the disclosure provide the identifying of computer virus variants to improve the accuracy of detecting and removing viruses.
  • the present disclosure overcomes the deficiencies explained above by providing techniques for identifying virus variants by a dynamic detecting mechanism, which improves the accuracy of detecting virus variants, as well as enlarges the applicable range of the techniques for detecting and removing viruses. Regardless of whether or not the identity of the virus sample to be tested has been masked by technical means, virus variants may be accurately detected.
  • the dynamic detection mechanism vastly increases the application scope of virus identification and removal technology and greatly improves the virus recall ratio.
  • An embodiment of the present disclosure includes a process to identify virus variants, where the process runs or operates a virus sample to be tested and records an application program interface (API) call sequence produced during the running of the virus sample. Also, a plurality of characteristic API call sequences that respectively correspond to a plurality of virus families are obtained, where each characteristic API call sequence represents the behavior that characterizes the corresponding virus family. The API call sequence produced by running the virus sample to be tested is matched with the plurality of characteristic API call sequences to obtain matching results. Based on the matching results, it is determined whether the virus sample is a type of virus variant by the extent of a match between the API call sequence of the virus sample and at least one of the plurality of characteristic API call sequences that respectively correspond to the plurality of virus families.
  • An embodiment of the present disclosure includes an apparatus for identifying virus variants, where the apparatus includes an execution unit, a matching unit, and a recognition unit.
  • the execution unit runs or operates the virus sample to be tested and records an API call sequence produced during the running of the virus sample.
  • the matching unit obtains a plurality of characteristic API call sequences that respectively correspond to a plurality of virus families, where each characteristic API call sequence represents the behavior that characterizes the corresponding virus family.
  • the matching unit matches the API call sequence of the virus sample with the plurality of characteristic API call sequences to obtain a matching result.
  • the recognition unit determines whether the virus sample is a virus variant by the extent of a match between the API call sequence of the virus sample and at least one of the plurality of characteristic API call sequences that respectively correspond to the plurality of virus families.
  • The present disclosure takes the plurality of characteristic API call sequences that respectively correspond to the plurality of virus families as references to monitor the API calls during the running of the virus sample to be tested. As long as there is a match to some extent between the API call sequence of the virus sample and at least one of the plurality of characteristic API call sequences, the virus sample to be tested may be, or may possibly be, considered a virus variant.
  • This dynamic detecting mechanism provides accurate detection of virus variants and expands the applicable range of identification and detection techniques, which improves the recall ratio of viruses and decreases the rate of false positives (benign samples wrongly removed).
  • The detectable viruses referred to in the present disclosure include, but are not limited to, malware, worms, Trojans, or botnets.
  • the applicable scope of the present disclosure includes, but is not limited to, virus variant techniques aimed at modifying a condition code of a virus.
  • FIG. 1 illustrates a flowchart of a method of identifying virus variants in accordance with an embodiment of the present disclosure.
  • FIG. 2 illustrates a block diagram of an apparatus for identifying virus variants in accordance with an embodiment of the present disclosure.
  • FIG. 3 illustrates a computer system in accordance with one embodiment of the present disclosure.
  • The present disclosure provides a method that identifies virus variants using simulation techniques. This method expands the applicable range for detecting and removing viruses, improves the detection rate, and decreases the false-positive rate.
  • a feature library of characteristic API call sequences for a plurality of virus families is established to provide information of characteristic API call sequences for identifying virus variants in subsequent stages, where each characteristic API call sequence represents the behavior that characterizes the corresponding virus family.
  • An Android simulation environment is called to pile (i.e., instrument) and mark the key APIs in a system.
  • APIs are a set of defined functions designed to provide access to a set of routines based on certain software or hardware, with no need to access the source code for an application program. APIs also assist in understanding the details of how components interact in a program.
  • Piling is performed to record key information about every key API at its call site, such as the calling party of the API, the API name, the API class name, etc. Since a virus or a virus variant usually calls a few key APIs during operation to carry out its malicious actions, the APIs that have an important impact may be marked as key APIs based on past development experience so that they can be used when
  • an Android simulator is created to pile and mark the APIs called by the system in the framework or the native layer of the Android system.
  • The Android simulator can also record call data such as the user ID of the calling program.
  • A feature library of characteristic API call sequences is established by recording the API types and API call orders called during the running of virus samples of the plurality of virus families, to generate a characteristic API call sequence for each one of the virus families. It is appreciated that, in practice, the malicious behaviors of a given virus family during operation are similar, which means that the API-calling behavior is similar across the same virus family.
  • a virus family is composed of a series of viruses that share the same source. Therefore, based on a virus sample of a virus family, the same characteristic API call sequence that viruses in the same virus family call can be identified and extracted to generate a feature library of characteristic API call sequences that respectively correspond to the plurality of virus families.
  • the API call sequence a virus family shares will be referred to as the characteristic API call sequence of that virus family.
  • The Android simulator may be modified to avoid waiting for the occurrence of a physical triggering event that activates the viruses in the virus family. Instead, the system periodically sends different kinds of simulated self-activated events that are used to trigger the running of the virus sample of the virus family. For example, if the physical triggering event that the virus family "A" depends on is "system activation," then during the running process of the system, instead of restarting the system during its operation, the simulated self-activation will be programmed periodically to activate "system activation" to indicate to the virus sample of the virus family "A" that its triggering condition has been met and its operation may be initiated.
  • The user's operating environment, such as a mobile phone operating environment or a personal computer operating environment, may be simulated using the "Monkey" and "UI Automator" modules. "Monkey" is a tool to test an Android application package on the Android system automatically. "UI Automator" is a framework that is used on the Android system to conduct automated tests. Users may use the logic of the "UI Automator" framework to write a test case for a certain Android application package. For example, assume that there are virus variants a1, a2, and a3 in virus family A: the virus variant a1 has called API1, API2, API3, and API4 during operation; the virus variant a2 has called API1, API3, API5, and API6; and the virus variant a3 has called API2, API3, API6, and API7.
  • The call rates of these three APIs exceed a preset threshold, where the preset threshold is assumed to be 50%. Then, the final choice of the characteristic API call sequence of virus family A may be determined as API1, API2, and API3.
  • the call order of the APIs may or may not be recorded depending on the application environment.
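The feature-library construction described in the preceding items, worked through as an added example that is not code from the patent: characteristic_sequence (a hypothetical name) counts, for each API, how many of a family's variants call it, keeps the APIs whose call rate exceeds the threshold, and orders them by their earliest position across the traces so that the call order is retained; key_call_sequence then restricts that result to the APIs the piling stage marked as key APIs. The input is the a1, a2, a3 traces from the family-A example above, embedded as constructed data; the strict "exceeds" comparison and the set of key APIs are assumptions. Note that with the 50% threshold the rule as stated also selects API6, which two of the three variants call, in addition to the API1, API2, and API3 that the text lists.

```python
# Added example (not the patent's code): building a family's characteristic
# API call sequence from the traces of its known variants, then selecting the
# key-API subsequence.  Function names and the strict "exceeds" test are
# assumptions made here.
from typing import Dict, List, Set


def call_rates(traces: Dict[str, List[str]]) -> Dict[str, float]:
    """Fraction of variants in the family that call each API (each variant
    counts once per API, however often it repeats the call)."""
    counts: Dict[str, int] = {}
    for trace in traces.values():
        for api in set(trace):
            counts[api] = counts.get(api, 0) + 1
    n = len(traces)
    return {api: c / n for api, c in counts.items()}


def characteristic_sequence(traces: Dict[str, List[str]],
                            threshold: float = 0.5) -> List[str]:
    """APIs whose call rate exceeds `threshold`, ordered by the earliest
    position at which any variant called them (keeps a call order)."""
    if not traces:
        return []
    first_pos: Dict[str, int] = {}
    for trace in traces.values():
        for idx, api in enumerate(trace):
            if api not in first_pos or idx < first_pos[api]:
                first_pos[api] = idx
    kept = [api for api, rate in call_rates(traces).items() if rate > threshold]
    # tie-break on the name so the result is deterministic
    return sorted(kept, key=lambda api: (first_pos[api], api))


def key_call_sequence(characteristic: List[str], key_apis: Set[str]) -> List[str]:
    """Key API call sequence: the characteristic sequence restricted to the
    APIs that were piled and marked as key APIs, order preserved."""
    return [api for api in characteristic if api in key_apis]


# Constructed input: the traces of variants a1, a2 and a3 from the family-A
# example in the text.
FAMILY_A_TRACES: Dict[str, List[str]] = {
    "a1": ["API1", "API2", "API3", "API4"],
    "a2": ["API1", "API3", "API5", "API6"],
    "a3": ["API2", "API3", "API6", "API7"],
}
# Constructed (assumed): the APIs the piling stage marked as key APIs.
KEY_APIS: Set[str] = {"API3", "API6"}

if __name__ == "__main__":
    seq = characteristic_sequence(FAMILY_A_TRACES, threshold=0.5)
    print("characteristic:", seq)                        # ['API1', 'API2', 'API3', 'API6']
    print("key sequence:  ", key_call_sequence(seq, KEY_APIS))  # ['API3', 'API6']
```

Raising the threshold to 70% leaves only API3, which every variant calls; the threshold therefore trades recall for specificity, which is why the text leaves it as a preset value rather than fixing it.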
  • FIG. 1 illustrates a method 1000 of identifying virus variants in accordance with an embodiment of the present disclosure.
  • Step 100: a virus sample to be tested starts to run.
  • Step 110: the API call sequence produced by the virus sample during its running is recorded.
  • an API call sequence is generated in accordance with the API type and call order called during the operation of the virus sample to be tested.
  • the framework logic of the Android simulator may be modified in order to avoid the wait time for the occurrence of a certain physical triggering event that activates the virus sample during the operation of the virus sample. Instead, the system sends different kinds of simulated self-activated events periodically to automatically trigger the activation of viruses in the virus families to be tested.
  • If the physical triggering event that the viruses in the virus families to be tested rely on for activation is "a user sends a text message," then during the operation of the system, instead of actually sending text messages at regular intervals, the system periodically simulates a self-activating event "sending text message." This indicates to the virus sample to be tested that the requirements to trigger its activation have been met, and the operation of the virus sample may be initiated.
  • The user operating environment, such as a mobile phone environment or a personal computer environment, may be simulated by using the "Monkey" and "UI Automator" modules.
  • Step 120: a characteristic API call sequence is obtained for each one of the virus families.
  • the feature library includes a plurality of characteristic API call sequences that respectively correspond to a plurality of virus families, where each characteristic API call sequence represents the behavior that characterizes the corresponding virus family.
  • Step 130: in a first matching procedure, the API call sequence produced by the virus sample to be tested during its operation is matched with the characteristic API call sequences of the virus families.
  • Step 140: the matching result is obtained.
  • The generated characteristic API call sequences that respectively correspond to each one of the virus families may be obtained from the feature library of characteristic API call sequences that was generated in the preprocessing stage. Then, the API call sequence of the virus sample may be matched with each one of the characteristic API call sequences of the virus families. Since matching the API call sequence of the virus sample to be tested may require a large amount of resources in some applications, a string matching algorithm may be adopted to improve the efficiency of matching the API call sequence of the virus sample with the characteristic API call sequences of the virus families.
  • the string matching algorithm may be used to determine whether there is at least one API timing sequence in the API call sequence path of the virus sample that matches to an extent at least one of the characteristic API call sequences of the virus families. Depending on the extent of the match, the virus sample to be tested may be or possibly be considered to be a virus variant of the virus families.
  • A string matching algorithm is an exemplary matching algorithm used in the present disclosure. For example, assume a call path of a function carries a series of virus features "P: p1p2p3p4" and a call path "T: t1t2t3t4t5t6t7t8t9" is obtained after running a virus sample. To compare these two call paths using the string matching algorithm, it may be determined whether the "p1p2p3p4" call path occurs within the call path T.
  • Examples of classic algorithms in the family of string matching algorithms include the Knuth-Morris-Pratt algorithm and the Boyer-Moore algorithm.
  • the operations that can be conducted include, but are not limited to the following operations: determining a first API type and API call order called when operating the characteristic API call sequence "1" of the virus family and determining a second API type and API call order called when operating the API call sequence of the virus sample to be tested.
  • the matching rate between the first and second API types and API call orders may be calculated using an algorithm including, but not limited to, a string matching algorithm. If the matching rate reaches a first set limit (e.g., 80%) for at least one of the characteristic API call sequences of virus families, it may be determined that the matching is complete and successful.
  • A key API call sequence "1" that corresponds to the characteristic API call sequence "1" of the virus family may be selected from the feature library of characteristic API call sequences configured in the preprocessing stage.
  • the key API call sequence "1" includes the key APIs that are appointed and selected from the characteristic API call sequence, which are also interpreted as the piled and marked APIs in the preprocessing stage.
  • the key API is appointed in advance and is able to influence the safe operation of the system.
  • the next step is to determine a third API type and API call order when operating the key API call sequence "1" and to calculate the matching rate between the second and third API types and API call orders. If the matching rate between the second and third API types and API call orders reaches a second set limit, it may be determined that the matching is complete and successful.
  • the API call sequence of the virus sample to be tested may also be matched with the key API call sequences of one or more of the characteristic API call sequences of the virus families. Alternatively, the matching result may be presented to a client or a user that sent the virus sample. Based on a feedback from the client or the user, it may be determined whether the matching is complete and successful.
  • A supplemental matching may be performed.
  • In the supplemental matching, the API call sequence of the virus sample is matched with the key API call sequences of each one of the virus families.
  • This supplemental matching may also be referred to as approximate string matching or fuzzy string searching.
  • When the matching rate between the API call sequence of the virus sample and the characteristic API call sequence of one of the virus families reaches a limit, a more accurate result may be obtained by returning the virus sample to the sender (e.g., an administrator) with a notice that the virus sample may be a new type of virus variant and that confirmation is requested.
  • whether or not the virus sample is a new type of virus variant may be recorded in accordance with the instructions from the administrator.
  • Step 150: it is determined whether the matching between the API call sequence of the virus sample and the characteristic API call sequences of the virus families is complete and successful.
  • Step 160: it is determined that the matching is complete and successful.
  • the virus sample to be tested may be determined to be a virus variant depending on the extent of a match between the API call sequence of the virus sample and at least one of the plurality of characteristic API call sequences of the virus families.
  • The API call sequence of this virus sample may be recorded and included in the feature library of characteristic API call sequences. A key API call sequence for the virus sample (or new virus variant) is also selected from its API call sequence and recorded in the feature library. In this way, the feature library of characteristic API call sequences keeps updating according to the results of the continuous matching processes, ensuring that its data stays up to date and effective.
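The matching procedure of steps 130 through 160, together with the string-matching example (P inside T), the first and second set limits, the key-API supplemental matching and the confirmation request, as one added example that is not the patent's code. Sequences are lists of API-name tokens; kmp_find is a Knuth-Morris-Pratt search over such lists (one of the two classic algorithms the text names), and classify walks the tiers in order. The 80% first set limit is the value the text gives; the 70% second set limit, the function names, the feature-library entry, the sample traces and the definition of "matching rate" (the share of the reference sequence that the sample calls in the same relative order, computed as a longest common subsequence) are assumptions made here.

```python
# Added example (not the patent's code): the tiered matching of steps 130-160
# for one virus family.  Sequences are lists of API-name tokens.  The first set
# limit (80%) is the value the text gives; the second set limit, the function
# names and the definition of "matching rate" are assumptions made here.
from typing import Dict, List

FIRST_LIMIT = 0.8    # first set limit, from the text
SECOND_LIMIT = 0.7   # second set limit: assumed, the text gives no value


def kmp_find(pattern: List[str], text: List[str]) -> int:
    """Knuth-Morris-Pratt search over token lists: index of the first
    occurrence of `pattern` in `text`, or -1 if it does not occur."""
    if not pattern:
        return 0
    # fail[i] = length of the longest proper prefix of pattern[:i+1]
    # that is also a suffix of it
    fail = [0] * len(pattern)
    k = 0
    for i in range(1, len(pattern)):
        while k and pattern[i] != pattern[k]:
            k = fail[k - 1]
        if pattern[i] == pattern[k]:
            k += 1
        fail[i] = k
    k = 0
    for i, tok in enumerate(text):
        while k and tok != pattern[k]:
            k = fail[k - 1]
        if tok == pattern[k]:
            k += 1
            if k == len(pattern):
                return i - k + 1
    return -1


def matching_rate(pattern: List[str], text: List[str]) -> float:
    """Assumed definition of the matching rate: the share of the reference
    sequence that the sample calls in the same relative order, i.e. the
    longest common subsequence divided by the reference length."""
    if not pattern:
        return 0.0
    prev = [0] * (len(text) + 1)
    for p in pattern:
        cur = [0] * (len(text) + 1)
        for j, t in enumerate(text, start=1):
            cur[j] = prev[j - 1] + 1 if p == t else max(prev[j], cur[j - 1])
        prev = cur
    return prev[-1] / len(pattern)


def classify(sample: List[str], family: Dict[str, List[str]]) -> Dict[str, str]:
    """Run the matching procedure for one family entry of the feature library
    and return the verdict together with the stage that decided it."""
    chara, key = family["characteristic"], family["key"]
    # exact string matching, as in the P-in-T example: the whole
    # characteristic sequence occurs contiguously in the sample's call path
    if kmp_find(chara, sample) >= 0:
        return {"verdict": "variant", "stage": "exact"}
    # first matching procedure: matching rate against the characteristic sequence
    if matching_rate(chara, sample) >= FIRST_LIMIT:
        return {"verdict": "variant", "stage": "first-limit"}
    # supplemental (approximate) matching against the key API call sequence
    if matching_rate(key, sample) >= SECOND_LIMIT:
        return {"verdict": "variant", "stage": "second-limit"}
    # below both limits: return the sample to the sender for confirmation
    return {"verdict": "unconfirmed", "stage": "request-confirmation"}


# Constructed feature-library entry and sample traces (not from the text).
FAMILY_A = {"characteristic": ["API1", "API2", "API3"], "key": ["API2", "API3"]}
TRACE_EXACT = ["API9", "API1", "API2", "API3", "API8"]      # contains P contiguously
TRACE_INTERLEAVED = ["API1", "API2", "API9", "API3"]       # all of P, in order, not contiguous
TRACE_PARTIAL = ["API1", "API3", "API5"]                   # 2 of 3 in order
TRACE_KEY_ONLY = ["API2", "API3", "API6"]                  # only the key APIs
TRACE_UNRELATED = ["API5", "API7"]

if __name__ == "__main__":
    for name, trace in [("exact", TRACE_EXACT), ("interleaved", TRACE_INTERLEAVED),
                        ("partial", TRACE_PARTIAL), ("key-only", TRACE_KEY_ONLY),
                        ("unrelated", TRACE_UNRELATED)]:
        print(name, classify(trace, FAMILY_A))
```

The interleaved trace shows why the rate-based tier exists: an exact substring search misses a variant that inserts an unrelated call between two characteristic ones, while the rate still reaches 100%. The unconfirmed verdict is the point at which the text hands the sample back to the administrator; a detection pipeline would log it rather than silently discard it.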
  • FIG. 2 illustrates an apparatus 2000 for identifying virus variants in accordance with an embodiment.
  • the apparatus 2000 includes an execution unit 20, a matching unit 21 coupled to the execution unit 20, and a recognition unit 22 coupled to the matching unit 21.
  • The execution unit 20, the matching unit 21, and the recognition unit 22 are computer-executable instructions stored in the memory of a computer (e.g., 3000 in FIG. 3), where the computer-executable instructions are executed by a processor and/or a GPU (graphics processor unit).
  • the execution unit 20 runs a virus sample to be tested and records an API call sequence produced during the running of the virus sample.
  • the matching unit 21 obtains a characteristic API call sequence of each one of the virus families and matches the API call sequence produced by the virus sample during running with each one of the characteristic API call sequences of each one of the virus families to obtain a matching result.
  • characteristic API call sequences that respectively correspond to the plurality of virus families are obtained, where each characteristic API call sequence represents the behavior that characterizes the corresponding virus family.
  • The recognition unit 22 determines, based on the analysis of the matching result, whether the virus sample to be tested is a virus variant by the extent of a match between the API call sequence of the virus sample to be tested and any one of the characteristic API call sequences of any one of the virus families.
  • the execution unit 20 may further run a set of virus samples of the virus families and record API types and API call orders called during the running of the set of virus samples to generate the characteristic API call sequences for each one of the virus families in order to establish a feature library of characteristic API call sequences.
  • the execution unit 20 may also simulate a physical triggering event that activates the running of a virus according to a set interval during the process of running the virus sample to be tested and the running of the set of virus samples.
  • the matching unit 21 may further determine a first API type and API call order called when running any of the characteristic API call sequences of any of the virus families. Also, the matching unit 21 may further determine a second API type and API call order called for the sample virus based on the API call sequence. Then, the matching rate between the first and the second API types and API call orders may be calculated by the matching unit 21.
  • the recognition unit 22 may further determine whether the API call sequence of the virus sample to be tested matches any of the characteristic API call sequences of any of the virus families by the matching rate meeting a first set limit.
  • the matching unit 21 may further obtain a key API call sequence of any of the virus families and determine a third API type and API call order called based on the key API call sequence during running of the virus family when a notice is received from the recognition unit 22 carrying a message indicating that the matching rate of the first and second API types and API call orders does not meet the first set limit.
  • the key API call sequence includes the appointed key API selected from the characteristic API call sequences of any of the virus families.
  • the key API is preset and is able to influence the safe operation of the system. Then, a second matching rate between the second and third API types and API call orders may be calculated by the matching unit 21.
  • the recognition unit 22 may further determine whether the API call sequence of the virus sample matches the key API call sequence by determining whether the second matching rate meets a second set limit. The matching is between the second and the third API types and API call orders. Also, the recognition unit 22 may present the matching result to a client or a user that sent the virus sample and may determine whether the API call sequence of the virus sample matches the key API call sequence based on a feedback from the client or the user (or the sender). The calculation may be conducted using a string matching algorithm in an embodiment.
  • FIG. 3 shows a computer system 3000 in accordance with one embodiment of the present disclosure.
  • Computer system 3000 depicts the components of a basic computer system in accordance with embodiments of the present disclosure providing the execution platform for certain hardware-based and software-based functionality.
  • computer system 3000 comprises at least one CPU 101, a system memory 115, and at least one graphics processor unit (GPU) 180.
  • the CPU 101 can be coupled to the system memory 115 via a bridge component/memory controller (not shown) or can be directly coupled to the system memory 115 via a memory controller (not shown) internal to the CPU 101.
  • the GPU 180 is coupled to a display 112.
  • One or more additional GPUs can optionally be coupled to system 3000 to further increase its computational power.
  • System 3000 can be implemented as, for example, a desktop computer system or server computer system, having a powerful general-purpose CPU 101 coupled to a dedicated graphics rendering GPU 180. In such an embodiment, components can be included that add peripheral buses, specialized graphics memory, IO devices, and the like. Similarly, system 3000 can be implemented as a handheld device (e.g., cellphone, etc.) or a set-top video game console device.
  • the GPU 180 can be implemented as a discrete component, a discrete graphics card designed to couple to the computer system 3000 via a connector (e.g., AGP slot, PCI-Express slot, etc.), a discrete integrated circuit die (e.g., mounted directly on a motherboard), or as an integrated GPU included within the integrated circuit die of a computer system chipset component (not shown). Additionally, a local graphics memory 114 can be included for the GPU 180 for high bandwidth graphics data storage.
  • The call states of the characteristic API call sequences of the virus families are set as references to monitor the call states of the API call sequence produced during the running of the virus sample to be tested. Regardless of whether the identity of the virus sample has been concealed by certain techniques or not, as long as the call state of the API call sequence produced during the running of the virus sample matches to an extent the call state of any of the characteristic API call sequences of any of the virus families, the virus sample may be, or may possibly be, considered a virus variant of the virus family corresponding to the characteristic API call sequence it matches. Thus, the detection of a virus variant is more accurate. By using a dynamic detecting mechanism, the applicable range of the identification and detection techniques is expanded and the recall ratio is improved.
  • The detectable viruses include, but are not limited to, malware, worms, Trojans, or botnets.
  • The applicable scope of the present disclosure includes, but is not limited to, virus variant techniques such as modifying condition codes.
  • the present disclosure may be provided in the forms of methods, systems, or computer program products. Therefore, the present disclosure may be embodied as an entirely hardware embodiment, entirely software embodiment, or a combination of a hardware and software embodiment. Moreover, the present disclosure may be used in the forms of computer programmable products that adopt one or multiple computer usable storage mediums including, but not limited to, magnetic storage disks, CD-ROMs, or optical storage containing computer usable program codes.
  • the present disclosure is presented based on flow diagrams and/or block diagrams of methods, devices or systems, and computer program products of the embodiments of the present disclosure. It should be understood that each one of the steps and/or blocks in the flow diagrams and/or block diagrams as well as the combinations between each one of the steps/blocks in the flow and/or block diagrams may be embodied by computer program instructions.
  • the computer program instructions may be provided for by general purpose computers, dedicated computers, embedded matching units, or other matching units of programmable data processing devices to generate a device that embodies, by computers or matching units of other programmable data processing devices executing instructions, appointed functions in one or multiple steps in the flow diagrams and/or one or multiple blocks in the block diagrams.
  • These computer instructions may also be stored in computer readable storage mediums that guide computers or other matching units of programmable data processing devices and work in a specified manner to have the instructions that are stored in the computer readable storage mediums produce results.
  • the devices implement functions in one or multiple steps in the flow diagrams and/or one or multiple blocks in the block diagrams.
  • These computer program instructions may also be loaded to computers or other programmable data processing devices to produce computer embodied processing by executing a series of operations on computers or other programmable data processing devices to provide, on computers or other programmable data processing devices, steps to embody appointed functions that can be embodied in one or multiple steps in the flow diagrams and/or one or multiple blocks in the block diagrams.
  • the terms “comprising,” “including,” or any other variation is intended to cover a non-exclusive inclusion such that a process, method, article, or device that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or device. Absent further limitation, elements recited by the phrase “comprising a” do not exclude a process, method, article, or device that comprises such elements from including other same elements.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention relates to a method and an apparatus for identifying computer virus variants, which are intended to make the identification and removal of viruses more accurate, and which may relate to the field of Internet technology. The method includes running a virus sample to be tested and recording an API call sequence produced during the running of the virus sample. The method further includes obtaining a characteristic API call sequence for each virus family of a plurality of virus families, matching the API call sequence produced during the running of the virus sample to be tested with the characteristic API call sequences of the virus families, and obtaining a matching result. The method also includes determining that the virus sample to be tested is a virus variant by the extent of a match between the API call sequence produced by the virus sample and any characteristic API call sequence of any one of the virus families.
PCT/US2016/016741 2015-02-06 2016-02-05 Method and device for identifying computer virus variants Ceased WO2016127037A1 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201510065074.8 2015-02-06
CN201510065074.8A CN105989283B (zh) 2015-02-06 2015-02-06 Method and device for identifying virus variants
US15/016,048 US10460106B2 (en) 2015-02-06 2016-02-04 Method and device for identifying computer virus variants
US15/016,048 2016-02-04

Publications (1)

Publication Number Publication Date
WO2016127037A1 (fr) 2016-08-11

Family

ID=56564734

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2016/016741 Ceased WO2016127037A1 (fr) 2015-02-06 2016-02-05 Method and device for identifying computer virus variants

Country Status (1)

Country Link
WO (1) WO2016127037A1 (fr)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108021802A (zh) * 2017-10-24 2018-05-11 Nubia Technology Co., Ltd. System resource access control method, terminal, and computer-readable storage medium
CN111310179A (zh) * 2020-01-22 2020-06-19 Tencent Technology (Shenzhen) Co., Ltd. Method, apparatus and computer device for analyzing computer virus variants
CN113836534A (zh) * 2021-09-28 2021-12-24 Sangfor Technologies Inc. Virus family identification method, system, device, and computer storage medium
CN113836534B (zh) * 2021-09-28 2024-04-12 Sangfor Technologies Inc. Virus family identification method, system, device, and computer storage medium

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100115620A1 (en) * 2008-10-30 2010-05-06 Secure Computing Corporation Structural recognition of malicious code patterns
CN102930210A (zh) * 2012-10-14 2013-02-13 Jiangsu Jinling Science and Technology Group Co. System and method for automated analysis, detection and classification of malicious program behavior
US20140283066A1 (en) * 2013-03-15 2014-09-18 John D. Teddy Server-assisted anti-malware client


Similar Documents

Publication Publication Date Title
US11126717B2 (en) Techniques for identifying computer virus variant
CN109586282B (zh) Power grid unknown threat detection system and method
US9135443B2 (en) Identifying malicious threads
WO2020019484A1 (fr) Simulator recognition method, recognition device and computer-readable medium
WO2017049800A1 (fr) Method and apparatus for detecting loophole code in an application
CN102222199A (zh) Application program identity recognition method and system
CN104361285B (zh) Security detection method and device for mobile device applications
TW201220118A (en) A method and a system for automatically analyzing and classifying a malicious program
CN110929264A (zh) Vulnerability detection method, apparatus, electronic device and readable storage medium
WO2020019485A1 (fr) Simulator identification method, identification device and computer-readable medium
CN107103237A (zh) Malicious file detection method and device
US11809556B2 (en) System and method for detecting a malicious file
CN108898014B (zh) Virus scanning and removal method, server and electronic device
CN106951782A (zh) Malicious code detection method for Android applications
CN107330326A (zh) Malicious Trojan detection and handling method and device
CN108090352B (zh) Detection system and detection method
WO2016127037A1 (fr) Method and device for identifying computer virus variants
CN109145589B (zh) Application acquisition method and device
CN110414233A (zh) Malicious code detection method and device
CN119357976B (zh) Vulnerability assessment method, apparatus, electronic device and storage medium
CN118509220B (zh) Honeypot-based zero-day vulnerability attack capture method and electronic device
CN105447348B (zh) Display window hiding method, device and user terminal
CN104008336B (zh) ShellCode detection method and device
CN108563950B (zh) SVM-based Android malware detection method
JP2016122262A (ja) Identification device, identification method and identification program

Legal Events

Date Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application
    Ref document number: 16747323; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: PCT application non-entry in European phase
    Ref document number: 16747323; Country of ref document: EP; Kind code of ref document: A1