CN105791323B - The defence method and equipment of unknown malware - Google Patents
- Publication number: CN105791323B (application number CN201610301012.7A)
- Authority: CN (China)
- Prior art keywords: malware, warning message, library, reputation library, reputation
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1441—Countermeasures against malicious traffic (H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00—Network architectures or network communication protocols for network security > H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic)
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements (G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55—Detecting local intrusion or implementing counter-measures)
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities (under G06F21/56)
- G06F21/568—Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files (under G06F21/56)
Abstract
The present invention provides a defence method and equipment for unknown malware, belonging to the field of network security. The method includes: using virtual identification technology to obtain malware in the vulnerability exploitation stage and generating a first warning message; adding the first warning message to the records of a reputation library; based on the records stored in the reputation library, intercepting the malware's download behaviour and its communication with the controlled server, and generating a second warning message; and, according to the first and second warning messages, cleaning up the malware already present. By using virtual identification technology together with a reputation library, the presence of malware can be confirmed at the moment a vulnerability is exploited, and the subsequent activity of the malware can be tracked. Compared with the prior art, malware that uses novel attack patterns can be identified, the detection lag inherent in signature-based schemes is avoided, the defence capability against malware is improved, and the losses caused by malware are reduced.
Description
Technical field
The invention belongs to the field of network security and in particular relates to a defence method and equipment for unknown malware.
Background technique
With the rapid development of science and technology, the internet has reached every trade and profession and provides all kinds of convenience for people's lives in every respect.

However, a small number of people with a relatively high technical level produce and use a variety of malicious software in order to obtain other people's important and private information for profit, including viruses and attack tools such as worms, Trojans and distributed denial of service (DDoS). With the progress of technology, such viruses and attack tools have already evolved: novel attack patterns such as zero-day threats, metamorphic and advanced evasion techniques, multi-stage attacks and polymorphic APT attacks have appeared, and because they use newer attack means, traditional security mechanisms have no effective way to detect and defend against them, which causes huge losses.

In the prior art, viruses and malicious attacks are usually handled with the traditional approach of signature detection, which cannot effectively defend against non-traditional types of virus or malicious attack patterns.
Summary of the invention
In order to overcome the shortcomings and defects of the prior art, the present invention provides a defence method and equipment for unknown malware that can defend against non-traditional attack patterns.
To achieve the above technical purpose, on the one hand, the present invention provides a defence method for unknown malware, the defence method comprising:
in a threat analysis detection device, obtaining malware in the vulnerability exploitation stage by virtual identification technology, generating a first warning message that includes the source address and the address of the controlled server, and adding the warning message to the records of a reputation library;
in an intrusion prevention device, through linkage with traditional intrusion prevention equipment and based on the records stored in the reputation library, intercepting the malware's download behaviour and its communication with the controlled server, generating a second warning message, and tracking the subsequent activity of the malware;
according to the first warning message and the second warning message, cleaning up the malware already present;
wherein the virtual identification technology is a technique that tracks the behaviour of target software in a virtual environment, identifies whether that behaviour contains malicious destructive actions, and thereby determines whether the target software is malware.
Optionally, obtaining malware in the vulnerability exploitation stage by virtual identification technology comprises:
monitoring network protocols, the network protocols including the File Transfer Protocol, the Simple Mail Transfer Protocol, Network File Server, the User Datagram Protocol and the Hypertext Transfer Protocol;
determining a suspicious file in the network protocol and, by calling the file parsing module corresponding to the suspicious file, restoring the suspicious file from traffic form to file form;
running the suspicious file in a virtual machine environment and obtaining the memory-instruction calls made after it runs and the way it handles operating system protection mechanisms;
if the calls exceed the call range of a normal file and/or the file bypasses an operating system protection mechanism, determining that the suspicious file is malware.
Optionally, the reputation library comprises:
a cloud reputation library and a local reputation library;
the records of warning messages are stored in the cloud reputation library, and the local reputation library periodically updates its records from the cloud reputation library;
the warning messages obtained from the local network are stored in the local reputation library, the warning messages including the source address of the malware and the address of the controlled server.
Optionally, the second warning message includes the download path of the malware and the port used to communicate with the controlled server.
Optionally, the defence method further comprises:
according to the first warning message and the second warning message, performing reverse analysis on the malware and determining the attack process of the malware.
On the other hand, the present invention also provides defensive equipment for unknown malware, the defensive equipment comprising:
a processing module, for obtaining, in a threat analysis detection device, malware in the vulnerability exploitation stage by virtual identification technology, generating a first warning message that includes the source address and the address of the controlled server, and adding the warning message to the records of a reputation library;
a blocking module, for, in an intrusion prevention device, through linkage with traditional intrusion prevention equipment and based on the records stored in the reputation library, intercepting the malware's download behaviour and its communication with the controlled server, generating a second warning message, and tracking the subsequent activity of the malware;
a cleaning module, for cleaning up the malware already present according to the first warning message and the second warning message;
wherein the virtual identification technology is a technique that tracks the behaviour of target software in a virtual environment, identifies whether that behaviour contains malicious destructive actions, and thereby determines whether the target software is malware.
Optionally, the processing module comprises:
a monitoring submodule, for monitoring network protocols, the network protocols including the File Transfer Protocol, the Simple Mail Transfer Protocol, Network File Server, the User Datagram Protocol and the Hypertext Transfer Protocol;
a transform submodule, for determining a suspicious file in the network protocol and, by calling the file parsing module corresponding to the suspicious file, restoring the suspicious file from traffic form to file form;
a run submodule, for running the suspicious file in a virtual machine environment and obtaining the memory-instruction calls made after it runs and the way it handles operating system protection mechanisms;
a decision submodule, for determining that the suspicious file is malware if the calls exceed the call range of a normal file and/or the file bypasses an operating system protection mechanism.
Optionally, the reputation library includes a cloud reputation library and a local reputation library;
the records of warning messages are stored in the cloud reputation library, and the local reputation library periodically updates its records from the cloud reputation library;
the warning messages obtained from the local network are stored in the local reputation library, the warning messages including the source address of the malware and the address of the controlled server.
Optionally, the second warning message includes the download path of the malware and the port used to communicate with the controlled server.
Optionally, the defensive equipment further comprises:
an analysis module, for performing reverse analysis on the malware according to the first warning message and the second warning message and determining the attack process of the malware.
The technical solution provided by the invention has the following benefits:
by using virtual identification technology together with a reputation library, the presence of malware can be confirmed at the moment a vulnerability is exploited, and the subsequent activity of the malware can be tracked. Compared with the prior art, malware that uses novel attack patterns can be identified, the detection lag inherent in signature-based schemes is avoided, and the defence capability against malware is improved.
Detailed description of the invention
In order to illustrate the technical solution of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of the defence method for unknown malware provided by the invention;
Fig. 2 is a partial flow diagram of the defence method for unknown malware provided by the invention;
Fig. 3 is another flow diagram of the defence method for unknown malware provided by the invention;
Fig. 4 is a structural diagram of the defensive equipment for unknown malware provided by the invention;
Fig. 5 is a partial structural diagram of the defensive equipment for unknown malware provided by the invention;
Fig. 6 is another structural diagram of the defensive equipment for unknown malware provided by the invention.
Specific embodiment
To make the structure and advantages of the invention clearer, the structure of the invention is further described below with reference to the drawings.
Embodiment one
The present invention provides a defence method for unknown malware which, as shown in Figure 1, comprises:
11. In a threat analysis detection device, obtain malware in the vulnerability exploitation stage by virtual identification technology, generate a first warning message that includes the source address and the address of the controlled server, and add the warning message to the records of the reputation library.
The reason a threat analysis detection device is used in step 11 is that traditional threat detection technology usually relies on signature-based detection: when a new threat appears, the security vendor needs a period of time to discover the virus before it can provide a signature for it, and only then can anti-virus tools detect and remove that virus. With the development of technology, however, attack patterns such as "zero-day attacks" have already caused great harm before the security vendor discovers the virus or attack, and attackers use polymorphic and metamorphic techniques carefully, so that the security vendor cannot discover the attack through sample collection. Therefore the detection device used in this application is based on virtual identification technology, abandons the traditional signature mechanism, and can discover the presence of malware through behaviour detection against the vulnerability before the malware causes damage.
Based on the threat analysis detection device and virtual identification technology, the presence of malware can be discovered at the stage in which it exploits a vulnerability, and at the same time a first warning message is sent based on the obtained source address and controlled-server address corresponding to that malware, so that the subsequent detection and removal process can be carried out.
The virtual identification technology used in the threat analysis detection device is a technique that tracks the behaviour of target software in a virtual environment, identifies whether that behaviour contains malicious destructive actions, and thereby determines whether the target software is malware. It differs from the sandbox testing mechanism used in the prior art; the specific technical details are described below.
12. In an intrusion prevention device, through linkage with traditional intrusion prevention equipment and based on the records stored in the reputation library, intercept the malware's download behaviour and its communication with the controlled server, generate a second warning message, and track the subsequent activity of the malware.
The intrusion prevention device used in step 12 sits between the firewall and the network's equipment and performs security protection by inspecting data packets (checking the packets bound for the network, determining their real purpose, and then deciding whether to let them into the intranet). In step 12 the intrusion prevention device first obtains from the reputation library the record corresponding to the malware behaviour to be intercepted, and then comprehensively intercepts both the malware's downloading of virus files and its remote communication with the controlled server, preventing the malware from downloading more virus files from the internet or sending the local private information it has obtained to the built-in controlled server. While intercepting, the intrusion prevention device generates the second warning message.
Since it is uncertain whether the discovered malware will carry out other behaviours, the malware's subsequent activity also needs to be tracked to prevent subsequent data theft or persistent penetration activity.
13. According to the first warning message and the second warning message, clean up the malware already present.
After the first warning message and the second warning message have been obtained, the malware confirmed to be present is cleaned up according to the details in the two warning messages, preventing the malware from carrying out further destruction.
Here the virtual identification technology is a technique that tracks the behaviour of target software in a virtual environment, identifies whether that behaviour contains malicious destructive actions, and thereby determines whether the target software is malware.
Optionally, as shown in Figure 2, obtaining malware in the vulnerability exploitation stage by virtual identification technology in step 11 comprises:
101. Monitor network protocols, the network protocols including the File Transfer Protocol, the Simple Mail Transfer Protocol, Network File Server, the User Datagram Protocol and the Hypertext Transfer Protocol.
Here the File Transfer Protocol (FTP) allows a user to copy files from a remote host onto their own computer. The Simple Mail Transfer Protocol (SMTP) is used to transmit email. Network File Server (NFS) lets multiple computers access each other's directories transparently. The User Datagram Protocol (UDP), like TCP, sits at the transport layer and is used together with the IP protocol; it saves packet header overhead when transmitting data but cannot provide retransmission of packets, so it is suited to transmitting shorter files. The Hypertext Transfer Protocol (HTTP), being simple and fast, is suited to distributed hypermedia information systems. The protocols listed above are the basic protocols of the internet, and no matter what attack pattern an attacker uses, these protocols essentially cannot be bypassed; monitoring them therefore expands the detection range for malware.
102. Determine a suspicious file in the network protocol and, by calling the file parsing module corresponding to the suspicious file, restore the suspicious file from traffic form to file form.
103. Run the suspicious file in a virtual environment and obtain the memory-instruction calls made after it runs and the way it handles operating system protection mechanisms.
104. If the calls exceed the call range of a normal file and/or the file bypasses an operating system protection mechanism, determine that the suspicious file is malware.
To aid understanding, steps 102 to 104 are described here using a common PDF file as the example.
First, after step 101 has been carried out, a file with the suffix .pdf is detected in the SMTP traffic; the file parsing module is called to restore this file from the detected traffic into file form.
Second, the file is opened with different PDF reader tools in different operating systems under multiple virtual machine environments. The combination of multiple different environments, systems and tools is needed because it is not even possible to confirm which combination of environment, system or tool the vulnerability used by this file targets.
Third, after the file is triggered, whether a vulnerability is being exploited is confirmed by detecting changes at the memory instruction level; if exploitation of a vulnerability is confirmed, the file can be determined to be advanced malware. At the same time, if the file's memory calls exceed the call range of a normal file, for example calling the memory space delimited by the system kernel process or requesting more than half of the system's memory space, the file can be judged to be malware, or advanced malware using a novel attack pattern. If, after the file is detected to have been triggered, it bypasses the operating system's protection mechanisms (such as Data Execution Prevention, DEP, and Address Space Layout Randomization, ASLR), the file can likewise be determined to be advanced malware.
In step 11, malware is detected using virtual-machine-based virtual identification technology that observes the real behaviour of the software; the traditional signature scheme is abandoned and malware can be discovered in the vulnerability exploitation stage. Because a reference to memory calls is added to the decision process, malware that uses evasion techniques against traditional approaches such as sandboxes is prevented from escaping; and the subsequent attack process is tracked, so that a complete record of the malware's behaviour is obtained and information such as its degree of harm and way of spreading can be grasped in more detail.
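As an added example that is not the patent's own code, steps 101 to 104 and the PDF walk-through above written out in Python: a MIME parser restores a .pdf attachment from a constructed SMTP message, and a decision function applies the stated criteria (exploitation seen at the memory-instruction level, calls beyond a normal file's range, DEP/ASLR bypass) to observations from several constructed (OS, reader) environments. The observation fields, environment labels and the kernel address boundary are assumptions; how a virtual machine produces those observations is outside the example.

```python
from dataclasses import dataclass, field
from email import message_from_bytes, policy
from typing import List, Optional

# Constructed (hypothetical) lower bound of the kernel-delimited address range
# used by the "exceeds the call range of a normal file" rule below.
KERNEL_RESERVED_START = 0xFFFF800000000000

def restore_files_from_smtp(raw_message: bytes, suffixes=(".pdf",)):
    """Steps 101-102: SMTP traffic carries a MIME message; the parsing module
    for the suspicious file (here the MIME parser) restores every attachment
    whose name ends in a watched suffix from traffic form to file form."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    restored = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(suffixes):
            restored.append((name, part.get_payload(decode=True)))
    return restored

@dataclass
class Observation:
    """What one (OS, reader) virtual environment reported after opening the file.
    Field names are assumptions made for this example."""
    environment: str
    exploit_triggered: bool            # change seen at the memory-instruction level
    requested_bytes: int               # memory requested by the reader process
    system_memory_bytes: int
    touched_addresses: List[int] = field(default_factory=list)
    dep_bypassed: bool = False
    aslr_bypassed: bool = False

@dataclass
class Verdict:
    is_malware: bool
    reasons: List[str]
    environment: Optional[str]         # first environment in which the file misbehaved

def exceeds_normal_call_range(obs: Observation) -> List[str]:
    """The two 'beyond a normal file' criteria named in the walk-through."""
    reasons = []
    if any(a >= KERNEL_RESERVED_START for a in obs.touched_addresses):
        reasons.append("calls into kernel-delimited memory space")
    if 2 * obs.requested_bytes > obs.system_memory_bytes:
        reasons.append("requests more than half of system memory")
    return reasons

def bypasses_protection(obs: Observation) -> List[str]:
    reasons = []
    if obs.dep_bypassed:
        reasons.append("bypasses DEP")
    if obs.aslr_bypassed:
        reasons.append("bypasses ASLR")
    return reasons

def judge_file(observations: List[Observation]) -> Verdict:
    """Steps 103-104 over all environments: the targeted (OS, reader) combination
    is unknown in advance, so every environment is tried and a single
    misbehaving run is enough to determine the file to be malware."""
    for obs in observations:
        reasons = []
        if obs.exploit_triggered:
            reasons.append("vulnerability exploited (memory-instruction-level change)")
        reasons += exceeds_normal_call_range(obs)
        reasons += bypasses_protection(obs)
        if reasons:
            return Verdict(True, reasons, obs.environment)
    return Verdict(False, [], None)

# Constructed SMTP message carrying a one-line PDF attachment (base64 of "%PDF-1.4\n").
SAMPLE_SMTP = b"\r\n".join([
    b"From: sender@example.invalid",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="b1"',
    b"",
    b"--b1",
    b"Content-Type: text/plain",
    b"",
    b"see attached",
    b"--b1",
    b'Content-Type: application/pdf; name="invoice.pdf"',
    b'Content-Disposition: attachment; filename="invoice.pdf"',
    b"Content-Transfer-Encoding: base64",
    b"",
    b"JVBERi0xLjQK",
    b"--b1--",
    b"",
])

# Constructed observations: two clean environments, then one in which the
# file triggers an exploit that disables DEP.
SAMPLE_OBSERVATIONS = [
    Observation("win7/readerA", False, 64 << 20, 4 << 30),
    Observation("win10/readerB", False, 80 << 20, 8 << 30),
    Observation("win7/readerB", True, 96 << 20, 4 << 30, dep_bypassed=True),
]
```

Calling `restore_files_from_smtp(SAMPLE_SMTP)` yields the single restored attachment, and `judge_file(SAMPLE_OBSERVATIONS)` names the third environment and both reasons.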
Optionally, the reputation library comprises:
a cloud reputation library and a local reputation library;
the records of warning messages are stored in the cloud reputation library, and the local reputation library periodically updates its records from the cloud reputation library;
the warning messages obtained from the local network are stored in the local reputation library, the warning messages including the source address of the malware and the address of the controlled server.
In implementation, since the main stage of an attack in reality takes less and less time, often completing within a few hours or even a few seconds, it is unlikely that a purely human response can act within such a short time; an automated means based on a reputation system is needed to control the development of the threat and directly block the related traffic.
As the concrete embodiment of the reputation system, the reputation library is divided into two parts, a cloud reputation library and a local reputation library. The local reputation library collects the warning messages of the threat detection devices deployed in the local network, extracts the source address of the malware, the address of the controlled server and the software signature, and thereby forms an integrated security intelligence data repository. The cloud reputation library can merge the records of all local reputation libraries connected to it and, through multi-party cooperation, form more comprehensive and complete intelligence data, which is then pushed to all connected local reputation libraries, so that the intrusion prevention device can carry out automated defence based on the pushed, updated signature identification.
Optionally, the second warning message includes the download path of the malware and the port used to communicate with the controlled server.
In implementation, once triggered, malware actively connects to the network to download the latest virus base or to send the important information it has obtained to the controlled server at a preset location; at this point the IPS intercepts and records the download path of the virus base or the communication port with the controlled server, which facilitates later analysis of the malware's attack pattern.
Optionally, as shown in Figure 3, the defence method further comprises:
14. According to the first warning message and the second warning message, perform reverse analysis on the malware and determine the attack process of the malware.
In implementation, based on the first and second warning messages, besides directly cleaning up the malware, the malware's attack process and attack pattern can also be recorded and analysed to determine the complete record of the malware's behaviour, which facilitates a more comprehensive grasp of the malware's harm, way of spreading and so on.
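The reputation library, the IPS interception that produces the second warning message, and the joining of both warning messages for cleanup and attack-process analysis (steps 12 to 14), as an added Python example that is not part of the patent: record fields, event shapes, the malware_id label and all addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class FirstWarning:
    """Step 11 output. malware_id is a constructed label (say, a hash of the
    restored file); the patent names only the addresses and the signature."""
    malware_id: str
    source_address: str        # address the malware was obtained from
    controlled_server: str     # the controlled (C2) server it reports to
    signature: str = ""        # software signature extracted by the local library

@dataclass(frozen=True)
class SecondWarning:
    """Step 12 output: one intercepted download path or one intercepted C2 port."""
    malware_id: str
    download_path: Optional[str] = None
    communication_port: Optional[int] = None

class ReputationLibrary:
    """One library. The cloud instance merges the local ones, and each local
    instance periodically refreshes from the cloud with the same merge."""
    def __init__(self) -> None:
        self.records: Dict[str, FirstWarning] = {}
    def add(self, warning: FirstWarning) -> None:
        self.records[warning.malware_id] = warning
    def merge_from(self, other: "ReputationLibrary") -> int:
        """Import records not yet present; returns how many were new."""
        before = len(self.records)
        for key, warning in other.records.items():
            self.records.setdefault(key, warning)
        return len(self.records) - before
    def lookup_address(self, address: str) -> Optional[FirstWarning]:
        for warning in self.records.values():
            if address in (warning.source_address, warning.controlled_server):
                return warning
        return None

@dataclass(frozen=True)
class FlowEvent:
    """Constructed shape of one connection seen by the IPS."""
    kind: str                  # "download" (fetching files) or "c2" (reporting out)
    remote_address: str
    remote_port: int
    path: Optional[str] = None

class IntrusionPrevention:
    """Step 12: intercept flows whose remote side is recorded in the library
    and raise a second warning for each interception."""
    def __init__(self, library: ReputationLibrary) -> None:
        self.library = library
        self.second_warnings: List[SecondWarning] = []
    def inspect(self, event: FlowEvent) -> bool:
        hit = self.library.lookup_address(event.remote_address)
        if hit is None:
            return False               # not in the library: let the flow pass
        if event.kind == "download":
            warning = SecondWarning(hit.malware_id, download_path=event.path)
        else:
            warning = SecondWarning(hit.malware_id, communication_port=event.remote_port)
        self.second_warnings.append(warning)
        return True

def attack_process(first: List[FirstWarning], second: List[SecondWarning]) -> Dict[str, dict]:
    """Steps 13-14: join both warning kinds per malware into the record used
    for cleanup and for reconstructing the attack process."""
    joined: Dict[str, dict] = {}
    for fw in first:
        joined[fw.malware_id] = {"source": fw.source_address, "c2": fw.controlled_server,
                                 "downloads": [], "ports": []}
    for sw in second:
        rec = joined.setdefault(sw.malware_id, {"source": None, "c2": None,
                                                "downloads": [], "ports": []})
        if sw.download_path is not None:
            rec["downloads"].append(sw.download_path)
        if sw.communication_port is not None:
            rec["ports"].append(sw.communication_port)
    return joined

def run_scenario() -> Dict[str, dict]:
    """Constructed scenario: site A's detector raises a first warning, the cloud
    merges it, site B refreshes from the cloud, and site B's IPS then blocks the
    same malware's download and C2 traffic. Addresses are documentation ranges."""
    first = FirstWarning("m1", "203.0.113.10", "198.51.100.7", signature="constructed-sig")
    site_a, cloud, site_b = ReputationLibrary(), ReputationLibrary(), ReputationLibrary()
    site_a.add(first)
    cloud.merge_from(site_a)
    site_b.merge_from(cloud)
    ips = IntrusionPrevention(site_b)
    ips.inspect(FlowEvent("download", "203.0.113.10", 80, path="/update/vb.bin"))
    ips.inspect(FlowEvent("c2", "198.51.100.7", 4444))
    ips.inspect(FlowEvent("c2", "192.0.2.5", 443))   # unknown server: passes
    return attack_process([first], ips.second_warnings)
```

`run_scenario()` returns one joined record for `m1` listing the blocked download path and the blocked C2 port, which is the material steps 13 and 14 act on.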
The embodiment of the invention provides a defence method for unknown malware, which includes: using virtual identification technology to obtain malware in the vulnerability exploitation stage and generating a first warning message; adding the warning message to the records of the reputation library; based on the records stored in the reputation library, intercepting the malware's download behaviour and its communication with the controlled server, and generating a second warning message; and cleaning up the malware already present according to the first and second warning messages. By using virtual identification technology together with a reputation library, the presence of malware can be confirmed at the moment a vulnerability is exploited, and the subsequent activity of the malware can be tracked. Compared with the prior art, malware that uses novel attack patterns can be identified, the detection lag inherent in signature-based schemes is avoided, the defence capability against malware is improved, and the losses caused by malware are reduced.
Embodiment two
The present invention also provides defensive equipment 2 for unknown malware which, as shown in Figure 4, comprises:
a processing module 21, for obtaining, in a threat analysis detection device, malware in the vulnerability exploitation stage by virtual identification technology, generating a first warning message that includes the source address and the address of the controlled server, and adding the warning message to the records of the reputation library;
a blocking module 22, for, in an intrusion prevention device, through linkage with traditional intrusion prevention equipment and based on the records stored in the reputation library, intercepting the malware's download behaviour and its communication with the controlled server, generating a second warning message, and tracking the subsequent activity of the malware;
a cleaning module 23, for cleaning up the malware already present according to the first warning message and the second warning message;
wherein the virtual identification technology is a technique that tracks the behaviour of target software in a virtual environment, identifies whether that behaviour contains malicious destructive actions, and thereby determines whether the target software is malware.
In implementation, the present invention also provides defensive equipment for unknown malware comprising three components in total: the processing module 21, the blocking module 22 and the cleaning module 23, which respectively carry out the three steps 11, 12 and 13 of Embodiment one. In actual use, the processing module is typically a threat analysis detection device (Threat Analysis Center, TAC), which is based on virtual identification technology, abandons the traditional signature mechanism, and can discover the presence of malware through behaviour detection against the vulnerability before the malware causes damage. The blocking module 22 is typically an intrusion prevention device (Intrusion Prevention System, IPS), which inspects the intercepted packets based on the records in the reputation library and so achieves the defensive effect. The specific processing flows of the processing module 21 and the blocking module 22 may refer to the detailed content of steps 11 and 12 in Embodiment one and are not repeated here.
Optionally, as shown in Figure 5, the processing module 21 comprises:
a monitoring submodule 211, for monitoring network protocols, the network protocols including the File Transfer Protocol, the Simple Mail Transfer Protocol, Network File Server, the User Datagram Protocol and the Hypertext Transfer Protocol;
a transform submodule 212, for determining a suspicious file in the network protocol and, by calling the file parsing module corresponding to the suspicious file, restoring the suspicious file from traffic form to file form;
a run submodule 213, for running the suspicious file in a virtual environment and obtaining the memory-instruction calls made after it runs and the way it handles operating system protection mechanisms;
a decision submodule 214, for determining that the suspicious file is malware if the calls exceed the call range of a normal file and/or the file bypasses an operating system protection mechanism.
In an implementation, after the content of step 101 has been executed, the monitoring submodule 211 detects a file with the suffix .pdf in the SMTP traffic, and the transform submodule 212 calls the document analysis module to restore this file from the detected traffic into document form.
The run submodule 213 attempts to open the obtained file under multiple virtual environments, on different operating systems and with different PDF reading tools. A combination of multiple different environments, systems and tools is needed because it cannot be confirmed in advance which combination of environment, system or tool the vulnerability exploited by this file targets.
After the file is triggered, the decision submodule 214 confirms whether a vulnerability is being exploited by detecting changes at the memory-instruction level; if vulnerability exploitation is confirmed, the file is determined to be advanced malware. If the memory calling situation of the file exceeds the calling range of a normal file, for example by calling the system kernel process and memory outside the delimited memory space, or by requesting more than half of the system's memory, the file may be judged to be malware, or advanced malware using a novel attack pattern. Likewise, if after the file is triggered it takes a detour around the operating system's protection mechanisms (such as Data Execution Prevention, DEP, or Address Space Layout Randomization, ASLR), the file can equally be determined to belong to advanced malware.
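The decision logic of the decision submodule 214 described above, written out as an added example that is not the patent's own code: the two criteria (memory calls beyond a normal file's range, and a detour around DEP/ASLR) come from the text, while the observation record, the multi-environment matrix and the sample runs are constructed assumptions.

```python
"""Decision logic of the sandbox decision submodule described above. Added
example, not the patent's own code: the two criteria (memory calls beyond a
normal file's range; a detour around DEP/ASLR) come from the text, the data
shapes are assumptions and the sample runs are constructed."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class RunObservation:
    """What one detonation of the file in one OS/reader combination reported."""
    os_name: str
    reader: str
    triggered: bool                   # did the file reach its exploit in this run
    kernel_calls_outside_region: int  # calls to the kernel process outside delimited memory
    requested_memory_bytes: int       # largest memory request seen during the run
    system_memory_bytes: int          # memory of the virtual machine
    dep_bypassed: bool                # data execution prevention circumvented
    aslr_bypassed: bool               # address space layout randomization circumvented


def exceeds_normal_calling_range(obs: RunObservation) -> bool:
    """Memory-call criterion: kernel calls outside the delimited region, or a
    request for more than half of system memory."""
    if obs.kernel_calls_outside_region > 0:
        return True
    return 2 * obs.requested_memory_bytes > obs.system_memory_bytes


def bypasses_protection(obs: RunObservation) -> bool:
    """Protection-mechanism criterion: a detour around DEP or ASLR."""
    return obs.dep_bypassed or obs.aslr_bypassed


def judge_file(runs: List[RunObservation]) -> dict:
    """Combine all environments: the vulnerability may only fire in one OS/reader
    pairing, so a single triggered run with evidence is enough for a verdict."""
    evidence = []
    for obs in runs:
        if not obs.triggered:
            continue  # the document never reached its exploit in this environment
        reasons = []
        if exceeds_normal_calling_range(obs):
            reasons.append("memory calls beyond normal range")
        if bypasses_protection(obs):
            reasons.append("protection mechanism bypassed")
        if reasons:
            evidence.append({"os": obs.os_name, "reader": obs.reader, "reasons": reasons})
    verdict = "advanced malware" if evidence else "no exploit observed"
    return {"verdict": verdict, "evidence": evidence}


# Constructed sample: the same PDF opened in four OS/reader combinations on 2 GiB VMs.
MIB, GIB = 1 << 20, 1 << 30
SAMPLE_RUNS = [
    RunObservation("os-A", "reader-1", False, 0, 64 * MIB, 2 * GIB, False, False),
    RunObservation("os-A", "reader-2", True, 0, 64 * MIB, 2 * GIB, False, False),
    RunObservation("os-B", "reader-1", True, 3, 80 * MIB, 2 * GIB, False, False),
    RunObservation("os-B", "reader-2", True, 0, 1200 * MIB, 2 * GIB, True, False),
]
```

Only the two os-B runs carry evidence: the first through kernel calls outside the delimited region, the second through both a request for more than half of memory and a DEP bypass.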
Optionally, the prestige library comprises:
a cloud prestige library and a local prestige library;
the cloud prestige library stores the records of warning messages, and the local prestige library periodically updates its records from the cloud prestige library;
the local prestige library stores the warning messages obtained on the local network, the warning messages including the source address of the malware and the address of the Managed Servers.
In an implementation, once triggered, malware actively connects to the network to download the latest virus base or to send the important information it has acquired to Managed Servers at a preset location. At this point the IPS intercepts and records the download path of the virus base or the communication port used with the Managed Servers, which facilitates later analysis of the malware's attack pattern.
Optionally, the second warning message includes the download path of the malware and the communication port with the Managed Servers.
Optionally, as shown in fig. 6, the defensive equipment 2 further includes:
an analysis module 24 for performing reverse analysis on the malware according to the first warning message and the second warning message, and determining the attack process of the malware.
In an implementation, based on the first warning message and the second warning message, in addition to directly cleaning up the malware, the attack process and attack pattern of the malware can also be recorded and analysed to determine a complete record of the malware's attack behaviour, which gives a more comprehensive grasp of the malware's harm, diffusion paths and so on.
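The prestige library with its cloud and local copies, the IPS interception that produces the second warning message, and the analysis module that joins both messages, as one added example that is not the patent's own code. The record shapes, the key=value connection-log format and every address (documentation ranges) are constructed assumptions.

```python
"""Prestige library (cloud + local copies), IPS interception and the analysis
step described above. Added example, not the patent's own code: record shapes,
the log format and all addresses (documentation ranges) are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class FirstWarning:          # from the TAC once the sandbox confirms exploitation
    malware_id: str
    source_address: str      # address the file was obtained from
    managed_server: str      # controlled server contacted during detonation

@dataclass(frozen=True)
class SecondWarning:         # from the IPS when a recorded address is contacted again
    malware_id: str
    download_path: Optional[str]  # e.g. virus-base download path, when the request has one
    port: int                     # port of the intercepted connection

class PrestigeLibrary:
    """Warning records indexed by both addresses; a local copy syncs from the cloud copy."""
    def __init__(self) -> None:
        self.records: Dict[str, FirstWarning] = {}

    def add(self, w: FirstWarning) -> None:
        self.records[w.source_address] = w
        self.records[w.managed_server] = w

    def update_from(self, cloud: "PrestigeLibrary") -> None:
        self.records.update(cloud.records)  # periodic update; local-only records stay

def ips_inspect(line: str, library: PrestigeLibrary) -> Optional[SecondWarning]:
    """Intercept a connection-log line (constructed key=value format) whose
    destination is a recorded address, and emit the second warning message."""
    pkt = dict(f.split("=", 1) for f in line.split())
    w = library.records.get(pkt["dst"])
    if w is None:
        return None  # unknown destination: pass through
    return SecondWarning(w.malware_id, pkt.get("path"), int(pkt["dport"]))

def attack_record(library: PrestigeLibrary, seconds: List[SecondWarning]) -> Dict[str, Dict]:
    """Analysis module: one activity record per malware, joining both warning kinds."""
    out = {w.malware_id: {"source": w.source_address, "managed_server": w.managed_server,
                          "download_paths": set(), "ports": set()}
           for w in library.records.values()}
    for s in seconds:
        if s.download_path:
            out[s.malware_id]["download_paths"].add(s.download_path)
        out[s.malware_id]["ports"].add(s.port)
    return out

# Constructed scenario: one record received from the cloud library, one seen locally.
CLOUD = PrestigeLibrary()
CLOUD.add(FirstWarning("mal-0001", "198.51.100.20", "203.0.113.5"))
LOCAL = PrestigeLibrary()
LOCAL.add(FirstWarning("mal-0002", "198.51.100.77", "203.0.113.9"))
LOCAL.update_from(CLOUD)
LOG = ["dst=192.0.2.10 dport=443",                          # not in the library
       "dst=198.51.100.20 dport=80 path=/update/latest.db",  # download from recorded source
       "dst=203.0.113.5 dport=8443",                         # contact with controlled server
       "dst=203.0.113.9 dport=4444"]
SECOND_WARNINGS = [w for w in (ips_inspect(l, LOCAL) for l in LOG) if w is not None]
```

Three of the four constructed connections hit recorded addresses and become second warning messages; attack_record then groups them under the malware they belong to, together with the source and controlled-server addresses from the first warning.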
The embodiment of the invention provides a defensive equipment for unknown malware. It obtains malware in the vulnerability exploitation stage using virtual identification technology, generates the first warning message and adds the warning message to the records in the prestige library; based on the records stored in the prestige library, it intercepts the malware's downloading behaviour and its communication with the Managed Servers and generates the second warning message; and it cleans up already present malware according to the first warning message and the second warning message. By using virtual identification technology and the prestige library, the presence of malware can be confirmed when a vulnerability is exploited, and the malware's subsequent activity can be tracked. Compared with the prior art, malware using novel attack patterns can be identified, the detection lag brought by signature schemes is abandoned, the defence capability against malware is improved, and the losses caused by malware are reduced.
The serial numbers in the above embodiments are for description only and do not represent the assembly order of the components or their order in the process of use.
The above is only an embodiment of the present invention and is not intended to limit the invention; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included in the protection scope of the present invention.
Claims (8)
1. A defence method for unknown malware, characterized in that the defence method comprises:
in a threat analysis detection device, obtaining malware in the vulnerability exploitation stage by virtual identification technology, generating a first warning message that includes a source address and the address of Managed Servers, and adding the warning message to the records in a prestige library;
in an intrusion prevention device, through linkage with a traditional intrusion prevention device and based on the records stored in the prestige library, intercepting the malware's downloading behaviour and its communication with the Managed Servers, generating a second warning message, and tracking the follow-up activities of the malware;
cleaning up already present malware according to the first warning message and the second warning message;
wherein the virtual identification technology is a technology that tracks the behaviour of target software in a virtual environment, identifies whether the behaviour of the target software contains malicious sabotage actions, and thereby determines whether the target software is malware;
the second warning message includes the download path of the malware and the communication port with the Managed Servers.
2. The defence method for unknown malware according to claim 1, characterized in that obtaining malware in the vulnerability exploitation stage by virtual identification technology comprises:
monitoring network protocols, the network protocols including the remote file transfer protocol, Simple Mail Transfer Protocol, network file server, User Datagram Protocol and Hypertext Transfer Protocol;
determining a suspicious file in the network protocol, and restoring the suspicious file from traffic form to document form by calling the document analysis module corresponding to the suspicious file;
running the suspicious file in a virtual environment, and obtaining the memory-instruction calling situation after the run and the processing mode taken toward the operating system protection mechanisms;
if the calling situation exceeds the calling range of a normal file and/or a detour is taken around the operating system protection mechanisms, determining that the suspicious file is malware.
3. The defence method for unknown malware according to claim 1, characterized in that the prestige library comprises:
a cloud prestige library and a local prestige library;
the cloud prestige library stores the records of warning messages, and the local prestige library periodically updates its records from the cloud prestige library;
the local prestige library stores the warning messages obtained on the local network, the warning messages including the source address of the malware and the address of the Managed Servers.
4. The defence method for unknown malware according to claim 1, characterized in that the defence method further comprises:
performing reverse analysis on the malware according to the first warning message and the second warning message, and determining the attack process of the malware.
5. A defensive equipment for unknown malware, characterized in that the defensive equipment comprises:
a processing module for obtaining, in a threat analysis detection device, malware in the vulnerability exploitation stage by virtual identification technology, generating a first warning message that includes a source address and the address of Managed Servers, and adding the warning message to the records in a prestige library;
a blocking module for, in an intrusion prevention device, through linkage with a traditional intrusion prevention device and based on the records stored in the prestige library, intercepting the malware's downloading behaviour and its communication with the Managed Servers, generating a second warning message, and tracking the follow-up activities of the malware;
a cleaning module for cleaning up already present malware according to the first warning message and the second warning message;
wherein the virtual identification technology is a technology that tracks the behaviour of target software in a virtual environment, identifies whether the behaviour of the target software contains malicious sabotage actions, and thereby determines whether the target software is malware;
the second warning message includes the download path of the malware and the communication port with the Managed Servers.
6. The defensive equipment for unknown malware according to claim 5, characterized in that the processing module comprises:
a monitoring submodule for monitoring network protocols, the network protocols including the remote file transfer protocol, Simple Mail Transfer Protocol, network file server, User Datagram Protocol and Hypertext Transfer Protocol;
a transform submodule for determining a suspicious file in the network protocol and restoring the suspicious file from traffic form to document form by calling the document analysis module corresponding to the suspicious file;
a run submodule for running the suspicious file in a virtual environment and obtaining the memory-instruction calling situation after the run and the processing mode taken toward the operating system protection mechanisms;
a decision submodule for determining that the suspicious file is malware if the calling situation exceeds the calling range of a normal file and/or a detour is taken around the operating system protection mechanisms.
7. The defensive equipment for unknown malware according to claim 5, characterized in that:
the prestige library comprises a cloud prestige library and a local prestige library;
the cloud prestige library stores the records of warning messages, and the local prestige library periodically updates its records from the cloud prestige library;
the local prestige library stores the warning messages obtained on the local network, the warning messages including the source address of the malware and the address of the Managed Servers.
8. The defensive equipment for unknown malware according to claim 5, characterized in that the defensive equipment further comprises:
an analysis module for performing reverse analysis on the malware according to the first warning message and the second warning message, and determining the attack process of the malware.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610301012.7A CN105791323B (en) | 2016-05-09 | 2016-05-09 | The defence method and equipment of unknown malware |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610301012.7A CN105791323B (en) | 2016-05-09 | 2016-05-09 | The defence method and equipment of unknown malware |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105791323A (en) | 2016-07-20 |
CN105791323B (en) | 2019-02-26 |
Family
ID=56401960
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610301012.7A Active CN105791323B (en) | 2016-05-09 | 2016-05-09 | The defence method and equipment of unknown malware |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105791323B (en) |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11546768B2 (en) | 2017-01-22 | 2023-01-03 | Huawei Technologies Co., Ltd. | Application download monitoring method and device |
CN108632225A (en) * | 2017-03-23 | 2018-10-09 | ZTE Corporation | Method and system for defending against network threats |
CN109214190B (en) * | 2018-08-30 | 2022-05-20 | Tencent Technology (Shenzhen) Co., Ltd. | Method and device for determining sample files of exploit |
CN109818984A (en) * | 2019-04-10 | 2019-05-28 | Jilin Yillion Bank Co., Ltd. | Vulnerability defence method and device |
CN112152970A (en) * | 2019-06-28 | 2020-12-29 | Beijing Qihoo Technology Co., Ltd. | Method and apparatus for restricting malicious applications from using network, router and medium |
CN111625828B (en) * | 2020-07-29 | 2021-02-26 | Hangzhou Hikvision Digital Technology Co., Ltd. | Ransomware defense method and device and electronic equipment |
CN118381675B (en) * | 2024-06-24 | 2024-10-18 | Military Industry Secrecy Qualification Review and Certification Center | Data processing method and device and electronic equipment |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101959193A (en) * | 2010-09-26 | 2011-01-26 | Yulong Computer Telecommunication Scientific (Shenzhen) Co., Ltd. | Information safety detection method and a mobile terminal |
CN102662873A (en) * | 2012-04-01 | 2012-09-12 | Zhuhai Quandao Electronics Co., Ltd. | Device for realizing insulation blocking of storage carrier data |
CN103810427A (en) * | 2014-02-20 | 2014-05-21 | Institute of Information Engineering, Chinese Academy of Sciences | Mining method and system for malicious code hiding behaviors |
CN104506495A (en) * | 2014-12-11 | 2015-04-08 | State Grid Corporation of China | Intelligent network APT attack threat analysis method |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9047441B2 (en) * | 2011-05-24 | 2015-06-02 | Palo Alto Networks, Inc. | Malware analysis system |
US20130067578A1 (en) * | 2011-09-08 | 2013-03-14 | Mcafee, Inc. | Malware Risk Scanner |
CN103839003B (en) * | 2012-11-22 | 2018-01-30 | Tencent Technology (Shenzhen) Co., Ltd. | Malicious file detection method and device |
CN103646213B (en) * | 2013-09-26 | 2016-06-01 | NSFOCUS Information Technology Co., Ltd. (Beijing) | Malware classification method and device |
CN103793646A (en) * | 2014-02-14 | 2014-05-14 | Inspur Communication Information System Co., Ltd. | Virtual machine safety monitoring method based on behavior recognition |
- 2016-05-09: CN application CN201610301012.7A, patent CN105791323B, status Active
Non-Patent Citations (1)
Title |
---|
"Design and Implementation of a Cloud-Based Active Defense System for Malicious Code"; Zou Hang et al.; Journal of Chongqing University of Technology (Natural Science); 31 May 2014; Vol. 28, No. 5; pp. 84-92 |
Also Published As
Publication number | Publication date |
---|---|
CN105791323A (en) | 2016-07-20 |
Similar Documents
Publication | Title |
---|---|
CN105791323B (en) | The defence method and equipment of unknown malware |
Rawat et al. | Association rule learning for threat analysis using traffic analysis and packet filtering approach |
Vukalović et al. | Advanced persistent threats-detection and defense |
Singh et al. | A framework for zero-day vulnerabilities detection and prioritization |
Caswell et al. | Snort intrusion detection and prevention toolkit |
RU2495486C1 (en) | Method of analysing and detecting malicious intermediate nodes in network |
Punithavathani et al. | Surveillance of anomaly and misuse in critical networks to counter insider threats using computational intelligence |
CN105915532B (en) | Method and device for identifying compromised hosts |
US20080098476A1 (en) | Method and Apparatus for Defending Against Zero-Day Worm-Based Attacks |
US9450974B2 (en) | Intrusion management |
US7810158B2 (en) | Methods and systems for deceptively trapping electronic worms |
Wang et al. | Detecting targeted attacks by multilayer deception |
Pandey et al. | A lifecycle based approach for malware analysis |
Gür et al. | Security analysis of computer networks: Key concepts and methodologies |
Dutta et al. | Intrusion detection systems fundamentals |
Hermanowski | Open source security information management system supporting it security audit |
Sherif et al. | Intrusion detection: methods and systems. Part II |
CN117544335A (en) | Bait activation method, device, equipment and storage medium |
Zhao et al. | Network security model based on active defense and passive defense hybrid strategy |
Kishore et al. | Intrusion Detection System a Need |
AT&T | sample_cyber_security |
Sadhukhan et al. | Cyber Attack Thread: A control-flow based approach to deconstruct and mitigate cyber threats |
Sharma et al. | Detection and prevention of DoS and DDoS in IoT |
EP3595257B1 (en) | Detecting suspicious sources, e.g. for configuring a distributed denial of service mitigation device |
Sandhu et al. | A study of the novel approaches used in intrusion detection and prevention systems |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| GR01 | Patent grant | |