
CN112580025A - Virtual machine-based poison reporting method and device, storage medium and computer equipment - Google Patents


Info

Publication number
CN112580025A
Authority
CN
China
Prior art keywords
virus
program
target program
reporting
virtual machine
Prior art date
Legal status
Pending
Application number
CN201910945353.1A
Other languages
Chinese (zh)
Inventor
胡彬
黄瀚
刘同豪
Current Assignee
Qax Technology Group Inc
Qianxin Safety Technology Zhuhai Co Ltd
Original Assignee
Qax Technology Group Inc
Qianxin Safety Technology Zhuhai Co Ltd
Application filed by Qax Technology Group Inc and Qianxin Safety Technology Zhuhai Co Ltd
Priority to CN201910945353.1A
Publication of CN112580025A
Legal status: pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application discloses a virtual machine-based virus reporting method and apparatus, a storage medium and computer equipment. The method comprises the following steps: executing a target program to be detected in a virtual machine; monitoring at least one virus reporting monitoring point during execution of the target program and recording how the target program uses each monitored point; and judging, from that recorded usage, whether the target program is a virus program. Because the target program runs inside the virtual machine, its running record can be obtained effectively without affecting the real computer environment, which protects the safety of the computer; heuristic virus detection is then performed on that running record, which helps improve the detection rate of unknown viruses such as novel viruses and variant viruses.

Description

Virtual machine-based poison reporting method and device, storage medium and computer equipment
Technical Field
The present application relates to the field of computer security technologies, and in particular, to a method and an apparatus for reporting a virus based on a virtual machine, a storage medium, and a computer device.
Background
With the continuous development of computer technology, computers have become indispensable partners in people's daily life and work and bring much convenience, but one discordant factor is the computer virus.
To address the computer security problems caused by computer viruses, almost every enterprise and individual uses antivirus software today. Most current antivirus software, however, searches for and kills viruses on the basis of virus signatures held in a virus library: if a program on the computer matches a signature in the library, it is judged to be a virus program. Clearly, a novel virus or a variant virus is difficult to handle with such a library.
How to improve the detection and removal rate for novel or variant viruses has therefore become an important problem in the field of computer security.
Disclosure of Invention
In view of this, the present application provides a virtual machine-based virus reporting method and apparatus, a storage medium, and a computer device.
According to one aspect of the application, a virus reporting method based on a virtual machine is provided, and comprises the following steps:
executing a target program to be detected in the virtual machine;
monitoring at least one virus reporting monitoring point in the execution process of the target program, and recording the use condition of the at least one virus reporting monitoring point in the execution process of the target program;
and judging whether the target program is a virus program or not according to the use condition of the target program on the virus reporting monitoring point.
Specifically, the determining, according to the usage of the target program to the virus reporting monitoring point, whether the target program is a virus program specifically includes:
calculating a virus detection value of the target program according to the use condition of the target program to the virus reporting monitoring points and the virus reporting experience value of each virus reporting monitoring point;
and if the virus detection value of the target program is greater than or equal to a preset virus empirical value, determining that the target program is a virus program.
Specifically, the method further comprises:
and if the virus detection value of the target program is smaller than the preset virus empirical value, determining that the target program is not a virus program.
Specifically, before executing the target program to be detected in the virtual machine, the method further includes:
acquiring behavior characteristics corresponding to a plurality of virus samples;
and determining the virus reporting monitoring points and the virus reporting experience values of the virus reporting monitoring points according to the behavior characteristics corresponding to the plurality of virus samples.
Specifically, the determining the virus reporting monitoring point and the virus reporting experience value of the virus reporting monitoring point according to the behavior characteristics corresponding to the plurality of virus samples specifically includes:
analyzing virus reporting key behavior characteristics of the plurality of virus samples and key weights of the virus reporting key behavior characteristics according to behavior characteristics corresponding to the plurality of virus samples and preset safety program behavior characteristics;
and determining a calling function corresponding to the key behavior characteristics of the virus reporting as the virus reporting monitoring point, and determining the key weight of the key behavior characteristics of the virus reporting as the virus reporting experience value of the virus reporting monitoring point.
Specifically, after determining that the target program is a virus program, the method further includes:
and adding the target program into a virus program library.
Specifically, the method further comprises:
and when the number of the virus programs in the virus program library exceeds a preset number threshold, acquiring behavior characteristics corresponding to the virus programs in the virus program library, and updating the virus reporting monitoring points and the virus reporting experience values of the virus reporting monitoring points according to the behavior characteristics.
According to another aspect of the present application, there is provided a virtual machine-based virus reporting apparatus, including:
the target program execution module is used for executing a target program to be detected in the virtual machine;
the monitoring module is used for monitoring at least one virus reporting monitoring point in the execution process of the target program and recording the use condition of the at least one virus reporting monitoring point in the execution process of the target program;
and the virus detection module is used for judging whether the target program is a virus program according to the use condition of the target program on the virus reporting monitoring point.
Specifically, the virus detection module specifically includes:
the detection value calculation unit is used for calculating the virus detection value of the target program according to the use condition of the target program on the virus reporting monitoring points and the virus reporting experience value of each virus reporting monitoring point;
and the virus program detection unit is used for determining that the target program is a virus program if the virus detection value of the target program is greater than or equal to a preset virus empirical value.
Specifically, the apparatus further comprises:
and the safety program detection unit is used for determining that the target program is not the virus program if the virus detection value of the target program is smaller than the preset virus empirical value.
Specifically, the apparatus further comprises:
the behavior characteristic acquisition module is used for acquiring behavior characteristics corresponding to a plurality of virus samples before executing a target program to be detected in the virtual machine;
and the monitoring point determining module is used for determining the virus reporting monitoring points and the virus reporting experience values of the virus reporting monitoring points according to the behavior characteristics corresponding to the plurality of virus samples.
Specifically, the monitoring point determining module specifically includes:
the weight determining unit is used for analyzing the virus reporting key behavior characteristics of the plurality of virus samples and the key weight of the virus reporting key behavior characteristics according to the behavior characteristics corresponding to the plurality of virus samples and the preset safety program behavior characteristics;
and the empirical value determining unit is used for determining a calling function corresponding to the key behavior characteristics of the virus reporting as the virus reporting monitoring point and determining the key weight of the key behavior characteristics of the virus reporting as the virus reporting empirical value of the virus reporting monitoring point.
Specifically, the apparatus further comprises:
and the virus library establishing module is used for adding the target program into the virus library after determining that the target program is the virus program.
Specifically, the apparatus further comprises:
and the monitoring point updating module is used for acquiring the behavior characteristics corresponding to the virus programs in the virus program library when the number of the virus programs in the virus program library exceeds a preset number threshold, and updating the virus reporting monitoring points and the virus reporting experience values of the virus reporting monitoring points according to the behavior characteristics.
According to yet another aspect of the present application, there is provided a storage medium having stored thereon a computer program which, when executed by a processor, implements the virtual machine-based virus notification method described above.
According to yet another aspect of the present application, there is provided a computer device, including a storage medium, a processor, and a computer program stored on the storage medium and executable on the processor, the processor implementing the virtual machine based virus notification method when executing the program.
By means of the above technical scheme, the virtual machine-based virus reporting method and apparatus, storage medium and computer equipment use virtual machine technology to record how a target program requiring virus detection uses the virus reporting monitoring points during its execution, and then perform heuristic virus checking and killing on that recorded usage to detect whether the target program is a virus program. Because the target program is executed in the virtual machine, its running record can be obtained effectively and the real computer environment is not affected, which protects the safety of the computer; at the same time, heuristic virus detection based on the running record helps improve the detection rate of unknown viruses such as novel viruses and variant viruses.
The foregoing description is only an overview of the technical solutions of the present application, and the present application can be implemented according to the content of the description in order to make the technical means of the present application more clearly understood, and the following detailed description of the present application is given in order to make the above and other objects, features, and advantages of the present application more clearly understandable.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 shows a schematic flowchart of a virtual machine-based virus reporting method according to an embodiment of the present application;
fig. 2 is a schematic flowchart illustrating another virtual machine-based virus notification method according to an embodiment of the present application;
fig. 3 is a schematic structural diagram illustrating a virtual machine-based virus reporting apparatus according to an embodiment of the present application;
fig. 4 shows a schematic structural diagram of another virtual machine-based virus reporting apparatus according to an embodiment of the present application.
Detailed Description
The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
In this embodiment, a virus reporting method based on a virtual machine is provided, as shown in fig. 1, the method includes:
Step 101, executing a target program to be detected in a virtual machine;
Step 102, monitoring at least one virus reporting monitoring point in the execution process of the target program, and recording the use condition of the at least one virus reporting monitoring point in the execution process of the target program;
Step 103, judging whether the target program is a virus program according to the use condition of the target program to the virus reporting monitoring point.
In the prior art, a virus library established in advance is usually used: the features of a program to be detected are matched against the virus signatures of the virus programs stored in the library, and if the program's features hit the library, the program is a virus-carrying program. If novel viruses or variant viruses appear, they are difficult to detect accurately with the original virus library, so no defence against unknown viruses is achieved.
To remedy the above defects of the prior art, the embodiment of the present application adopts heuristic virus checking, which means deciding whether a program to be detected carries a virus from the execution characteristics the program exhibits while running. Specifically, the general characteristics of the execution behaviour of virus programs are analysed first, and virus detection is then performed against those general execution characteristics. For example, a virus program may write a file into a system directory, read and write the boot area, write a registry boot entry, open another process, read and write another process, dynamically load a DLL, and dynamically obtain an API address; for a virus family there may further be a series of execution features such as referencing the same library function, using the same icon, or using a relatively unusual import module.
In addition, the existing method for acquiring the execution characteristics of a target program generally injects a DLL into the target process and monitors the calling functions from within that DLL. This has two main defects: the target process may employ countermeasures such as anti-injection and anti-API-hooking that prevent the execution sequence from being acquired, and the target process runs in the real computer environment, so the computer system may be infected by the virus at the very moment the virus is found.
To overcome this defect in obtaining execution characteristics, the embodiment of the present application uses virtual machine technology and places the target program that needs virus detection into a virtual machine for execution. Because the virtual machine is a simulation of a real computer, whenever the target program would call a function when executed on the real computer, the corresponding stub function is called when it is executed in the virtual machine; the operation record of the target program in the virtual machine therefore reflects the operation record it would produce on the real computer. The running record of the target program can thus be obtained effectively while the real computer environment is not affected, which protects the safety of the computer.
In steps 101 to 103, an executable target program is first allocated to a virtual machine, which loads and runs it. During execution, at least one pre-defined virus reporting monitoring point is monitored. A virus reporting monitoring point is a unit in the virtual machine that virus programs commonly use during execution; specifically, it may be a stub function in the virtual machine. Whenever a monitoring point is used during execution of the target program, a log entry is recorded. Then, from the target program's usage of the monitoring points during its execution in the virtual machine, it is analysed whether the target program is a virus program: for example, if a target program uses most of the pre-agreed virus reporting monitoring points during its execution, it is likely to be a virus program. Virus detection based on the virtual machine is realised in this way.
By applying the technical scheme of this embodiment, virtual machine technology is used to record how the target program requiring virus detection uses the virus reporting monitoring points during execution, and heuristic virus checking and killing is then performed on that recorded usage to detect whether the target program is a virus program. The running record of the target program executed in the virtual machine can be obtained effectively without affecting the real computer environment, which protects the safety of the computer, and heuristic virus detection based on that running record helps improve the detection rate of unknown viruses such as novel viruses and variant viruses.
Further, as a refinement and an extension of the specific implementation of the above embodiment, in order to fully describe the specific implementation process of the embodiment, another virtual machine-based virus notification method is provided, as shown in fig. 2, the method includes:
step 201, acquiring behavior characteristics corresponding to a plurality of virus samples;
step 202, determining a virus reporting monitoring point and a virus reporting experience value of the virus reporting monitoring point according to the behavior characteristics corresponding to the plurality of virus samples.
In steps 201 and 202, before virus program detection is performed, the positions in the virtual machine that are to be monitored are determined. Specifically, a large number of virus samples, where a virus sample is an executable program containing a virus, are analysed and their behaviour characteristics extracted; these may include the functions a virus sample calls during execution and the order in which it calls them. The behaviour characteristics of the virus samples are then summarised to extract the general behaviour characteristics of virus samples and the characteristics that differ greatly between virus samples and security programs. The calling functions corresponding to these characteristics are determined from the general behaviour characteristics of the virus samples and the characteristics that differ greatly from security programs; those calling functions are the virus reporting monitoring points, and monitoring them allows an executable program suspected of containing a virus to be locked onto quickly. In addition, the importance degree of each monitoring point, namely its virus reporting experience value, is determined from the general behaviour characteristics of the virus samples and the characteristics that differ greatly from security programs, so that the behaviour characteristics of the target program are quantified and a virus program can be locked onto more accurately by monitoring the virus reporting monitoring points.
The step 202 specifically includes:
Step 2021, analyzing the virus reporting key behavior characteristics of the plurality of virus samples and the key weight of the virus reporting key behavior characteristics according to the behavior characteristics corresponding to the plurality of virus samples and the preset safety program behavior characteristics;
step 2022, determining a call function corresponding to the key behavior feature of the virus reporting as a virus reporting monitoring point, and determining the key weight of the key behavior feature of the virus reporting as a virus reporting experience value of the virus reporting monitoring point.
In steps 2021 and 2022, the behaviour characteristics of a large number of virus samples and security samples are analysed and summarised to obtain the general behaviour characteristics of virus samples and the behaviour characteristics that differ greatly from the security samples. These become the key behaviour characteristics for virus detection, the structures associated with the key behaviour characteristics become the virus reporting monitoring points, and statistical analysis quantifies the importance degree of each key behaviour characteristic, that is, its key weight, which is used as the virus reporting experience value of the corresponding virus reporting monitoring point. This provides quantitative analysis rules for virus detection.
Step 203, executing the target program to be detected in the virtual machine;
step 204, monitoring at least one virus reporting monitoring point in the execution process of the target program, and recording the use condition of the at least one virus reporting monitoring point in the execution process of the target program;
step 205, calculating a virus detection value of the target program according to the use condition of the target program to the virus reporting monitoring points and the virus reporting experience value of each virus reporting monitoring point;
Step 206, if the virus detection value of the target program is greater than or equal to the preset virus empirical value, it is determined that the target program is a virus program.
Step 207, if the virus detection value of the target program is smaller than the preset virus empirical value, it is determined that the target program is not a virus program.
Steps 203 to 207 define a quantitative detection method for virus programs. Specifically, in steps 203 and 204, while the target program is executed in the virtual machine, the preset virus reporting monitoring points are monitored and the target program's calls to each virus reporting monitoring point in the virtual machine are recorded; the virus reporting monitoring points may be stub functions in the virtual machine. The usage of each virus reporting monitoring point formed during execution of the target program provides the analysis basis for virus detection.
Next, in steps 205 to 207, the virus detection value of the target program is calculated from the pre-established virus reporting experience value of each virus reporting monitoring point. The virus detection value of the target program may be the sum of the virus reporting experience values of the virus reporting monitoring points used by the target program. For example, if the target program calls the virus reporting monitoring points A, B, C and D, whose virus reporting experience values are 1, 1, 2 and 3 respectively, then the virus detection value of the target program is 1+1+2+3 = 7. The virus detection value of the target program is then compared with a preset virus empirical value to determine whether the target program is a virus program. The preset virus empirical value is obtained by analysing a large number of virus samples and safety samples and is chosen as the partition that best separates the virus detection values of the virus samples from those of the safety samples. For example, if the preset virus empirical value is 5, a target program whose virus detection value is greater than or equal to 5 is determined to be a virus program and one whose virus detection value is less than 5 is not; in the example above, the target program with detection value 7 may therefore be considered a virus program.
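As an added worked example (not code from the patent or its assignees), the following Python derives monitoring points and experience values from constructed virus and safe sample records in the manner of steps 201 and 202, picks the preset virus empirical value as the partition between the two sample groups, and scores a target program's stub-call log as in steps 205 to 207. The frequency-gap weighting, the sample records and the stub function names are assumptions.

```python
from collections import Counter

# Constructed behaviour records (not taken from the patent): each sample is the
# set of virtual-machine stub functions the sample called while it ran.
VIRUS_SAMPLES = [
    {"WriteFile_SystemDir", "RegSetValue_Run", "OpenProcess",
     "WriteProcessMemory", "LoadLibrary", "GetProcAddress"},
    {"WriteFile_SystemDir", "RegSetValue_Run", "LoadLibrary",
     "GetProcAddress", "WriteBootSector"},
    {"OpenProcess", "WriteProcessMemory", "RegSetValue_Run",
     "GetProcAddress", "CreateFile"},
    {"WriteBootSector", "WriteFile_SystemDir", "LoadLibrary", "GetProcAddress"},
]
SAFE_SAMPLES = [
    {"CreateFile", "ReadFile", "LoadLibrary", "GetProcAddress"},
    {"CreateFile", "ReadFile", "WriteFile_UserDir"},
    {"LoadLibrary", "CreateFile", "ReadFile", "WriteFile_UserDir"},
    {"CreateFile", "ReadFile"},
]


def detection_value(points, used_points):
    """Step 205: sum the experience value of every monitoring point the target
    program used at least once; repeated calls to one point count once."""
    return sum(points.get(p, 0) for p in set(used_points))


def derive_monitoring_points(virus_samples, safe_samples, min_gap=0.5):
    """Steps 2021-2022 (assumed weighting): a stub function becomes a monitoring
    point when the share of virus samples calling it exceeds the share of safe
    samples calling it by at least `min_gap`; its experience value is that gap
    scaled to an integer (gap 0.5 -> 2, gap 0.75 -> 3, gap 1.0 -> 4)."""
    virus_hits = Counter(f for s in virus_samples for f in s)
    safe_hits = Counter(f for s in safe_samples for f in s)
    points = {}
    for func in set(virus_hits) | set(safe_hits):
        gap = virus_hits[func] / len(virus_samples) - safe_hits[func] / len(safe_samples)
        if gap >= min_gap:
            points[func] = max(1, int(gap * 4))
    return points


def choose_threshold(points, virus_samples, safe_samples):
    """Pick the preset virus empirical value: the integer cut-off that misclassifies
    the fewest samples (virus scored below it, safe scored at or above it); among
    equally good cut-offs the middle one is taken so the margin is shared."""
    v_scores = [detection_value(points, s) for s in virus_samples]
    s_scores = [detection_value(points, s) for s in safe_samples]
    by_errors = {}
    for t in range(0, max(v_scores + s_scores) + 2):
        errors = sum(sc < t for sc in v_scores) + sum(sc >= t for sc in s_scores)
        by_errors.setdefault(errors, []).append(t)
    best = by_errors[min(by_errors)]
    return best[len(best) // 2]


def is_virus(points, threshold, call_log):
    """Steps 206-207: the target program is a virus program when its detection
    value reaches the preset virus empirical value."""
    return detection_value(points, call_log) >= threshold


if __name__ == "__main__":
    points = derive_monitoring_points(VIRUS_SAMPLES, SAFE_SAMPLES)
    threshold = choose_threshold(points, VIRUS_SAMPLES, SAFE_SAMPLES)
    print("monitoring points:", points)
    print("preset virus empirical value:", threshold)
    # Constructed call log of a target program run in the VM (calls may repeat).
    log = ["CreateFile", "ReadFile", "LoadLibrary", "GetProcAddress",
           "GetProcAddress", "RegSetValue_Run", "WriteFile_SystemDir"]
    print("detection value:", detection_value(points, log),
          "virus:", is_virus(points, threshold, log))
    # The worked example from the text: points A-D valued 1, 1, 2, 3 and cut-off 5.
    text_points = {"A": 1, "B": 1, "C": 2, "D": 3}
    text_log = ["A", "B", "C", "D"]
    print("text example:", detection_value(text_points, text_log),
          is_virus(text_points, 5, text_log))
```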
Step 208, after the target program is determined to be a virus program, adding the target program to a virus program library.
Step 209, when the number of the virus programs in the virus program library exceeds a preset number threshold, acquiring behavior characteristics corresponding to the virus programs in the virus program library, and updating the virus reporting monitoring points and the virus reporting experience values of the virus reporting monitoring points according to the behavior characteristics.
In steps 208 and 209, in order to improve the accuracy of judging virus programs, the virus reporting monitoring points, their virus reporting experience values and the preset virus empirical value need to be corrected continuously. Specifically, a target program determined to be a virus program may be used as a new virus sample, and a target program determined to be a safety program may be used as a new safety sample, and the virus reporting monitoring points, their virus reporting experience values and even the preset virus empirical value are updated and corrected continuously using the methods of steps 201 and 202, so that the method remains suited to detecting continuously changing viruses.
It should be noted that, by monitoring the virus reporting monitoring points, the present application may also detect a virus program from the calling features the target program exhibits at each virus reporting monitoring point. This second virus detection method provided in the embodiment of the present application may specifically include:
step A1, acquiring a preset execution characteristic list, wherein the preset execution characteristic list comprises a preset execution characteristic blacklist;
step A2, determining the execution characteristics of the target program according to the use condition of the target program on the virus reporting monitoring point, and inquiring whether the execution characteristics of the target program belong to malicious execution characteristics contained in a preset execution characteristic blacklist;
Step A3, if the execution characteristic of the target program belongs to the malicious execution characteristics, determining that the target program contains a virus.
Step A4, if the execution characteristics of the target program do not belong to the malicious execution characteristics, querying whether the execution characteristics of the target program belong to the safe execution characteristics contained in the preset execution characteristic white list;
Step A5, if the execution characteristic of the target program belongs to the safe execution characteristics, determining that the target program does not contain a virus.
Step A6, if the execution characteristics of the target program do not belong to the safe execution characteristics, marking the target program as a suspicious program and reporting the execution characteristics of the suspicious program to the virus management system, so that the virus management system can analyse whether the suspicious program contains a virus.
In steps A1 to A6, whether the target program is infected is determined with a preset execution feature list that comprises a blacklist and a whitelist: the blacklist stores in advance the malicious execution features that virus programs present when called, and the whitelist stores in advance the safe execution features that security programs present when called. If the execution features of the target program hit neither the blacklist nor the whitelist, the program is judged to be a suspicious program and is reported to a virus management system for further judgement; the virus management system may specifically be an expert system.
In addition, if the target program is a suspicious program, it can be reported to the malicious program management system, which judges whether the target program is infected, and the virus reporting monitoring points, their virus reporting experience values and the preset virus empirical value are corrected according to the judgement of the malicious program management system, improving the accuracy and efficiency of virus detection.
Further, as a specific implementation of the method in fig. 1, an embodiment of the present application provides a virtual machine-based virus reporting apparatus. As shown in fig. 3, the apparatus includes a target program execution module 31, a monitoring module 32 and a virus detection module 33.
The target program execution module 31 is configured to execute a target program to be detected in a virtual machine;
the monitoring module 32 is configured to monitor at least one virus reporting monitoring point during execution of the target program and to record the target program's usage of the at least one virus reporting monitoring point during execution;
and the virus detection module 33 is configured to judge whether the target program is a virus program according to the target program's usage of the virus reporting monitoring points.
In a specific application scenario, as shown in fig. 4, the virus detection module 33 specifically includes: detection value calculation section 331 and virus program detection section 332.
The detection value calculation unit 331 is configured to calculate a virus detection value of the target program according to a usage situation of the virus reporting monitoring points by the target program and a virus reporting experience value of each virus reporting monitoring point;
the virus program detecting unit 332 is configured to determine that the target program is a virus program if the virus detection value of the target program is greater than or equal to the preset virus empirical value.
In a specific application scenario, as shown in fig. 4, the virus detection module 33 further includes: a security program detecting unit 333.
And the safety program detection unit 333 is configured to determine that the target program is not a virus program if the virus detection value of the target program is smaller than a preset virus empirical value.
In a specific application scenario, as shown in fig. 4, the apparatus further includes: a behavior characteristic obtaining module 34 and a monitoring point determining module 35.
A behavior feature obtaining module 34, configured to obtain behavior features corresponding to multiple virus samples before executing a target program to be detected in a virtual machine;
and the monitoring point determining module 35 is configured to determine a virus reporting monitoring point and a virus reporting experience value of the virus reporting monitoring point according to behavior characteristics corresponding to the plurality of virus samples.
In a specific application scenario, as shown in fig. 4, the monitoring point determining module 35 specifically includes: a weight determination unit 351 and an empirical value determination unit 352.
The weight determining unit 351 is configured to analyze, from the behavior features corresponding to the multiple virus samples and the preset safety program behavior features, the virus reporting key behavior features of the multiple virus samples and the key weights of those key behavior features;
the empirical value determining unit 352 is configured to determine the call function corresponding to a virus reporting key behavior feature as a virus reporting monitoring point, and to determine the key weight of that key behavior feature as the virus reporting experience value of the monitoring point.
In a specific application scenario, as shown in fig. 4, the apparatus further includes: a virus library creation module 36.
And a virus library establishing module 36, configured to add the target program into the virus library after determining that the target program is a virus program.
In a specific application scenario, as shown in fig. 4, the apparatus further includes: a monitoring point update module 37.
And the monitoring point updating module 37 is configured to, when the number of the virus programs in the virus program library exceeds a preset number threshold, obtain behavior characteristics corresponding to the virus programs in the virus program library, and update the virus reporting monitoring points and the virus reporting experience values of the virus reporting monitoring points according to the behavior characteristics.
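The weight-based pipeline of units 351/352 (monitoring points and experience values derived from virus samples), 331/332/333 (detection value against the preset virus empirical value) and modules 36/37 (virus library growth triggering an update, the correction described for steps 208 and 209), as an added Python model that is not the applicant's code. The behaviour traces, the preset safety-program features, both thresholds and the rule that a key weight is the feature's frequency across the virus samples are constructed assumptions.

```python
from collections import Counter
from typing import Dict, Iterable, List, Set

# Constructed behaviour features: the functions each known virus sample called
# while it ran in the sandbox virtual machine.
VIRUS_SAMPLES: List[Set[str]] = [
    {"CreateRemoteThread", "WriteProcessMemory", "RegSetValueEx", "CreateFile"},
    {"CreateRemoteThread", "VirtualAllocEx", "RegSetValueEx", "WriteFile"},
    {"WriteProcessMemory", "VirtualAllocEx", "CreateFile", "InternetOpenUrl"},
    {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx", "CreateFile"},
]
# Constructed preset safety-program behaviour features: calls benign programs
# make routinely, which therefore must not become monitoring points.
SAFE_FEATURES: Set[str] = {"CreateFile", "WriteFile", "CloseHandle", "InternetOpenUrl"}

PRESET_VIRUS_EMPIRICAL_VALUE = 1.0  # assumed detection threshold
PRESET_NUMBER_THRESHOLD = 2         # assumed: re-derive points after this many new library entries


def determine_monitoring_points(virus_samples: List[Set[str]],
                                safe_features: Set[str]) -> Dict[str, float]:
    """Units 351 and 352: a behaviour is a key virus-reporting behaviour when it
    occurs in virus samples but not among the preset safety-program features.
    Its key weight (assumed here to be its frequency across the virus samples)
    becomes the virus-reporting experience value of the monitoring point, which
    is the call function itself."""
    counts = Counter(call for sample in virus_samples for call in sample)
    return {call: hits / len(virus_samples)
            for call, hits in counts.items() if call not in safe_features}


def record_usage(trace: Iterable[str], monitoring_points: Dict[str, float]) -> Set[str]:
    """Monitoring module 32: of everything the target program called in the VM,
    only hits on monitoring points are recorded as its usage of those points."""
    return {call for call in trace if call in monitoring_points}


def virus_detection_value(usage: Set[str], monitoring_points: Dict[str, float]) -> float:
    """Detection value calculation unit 331: the sum of the experience values
    of the monitoring points the target program used."""
    return sum(monitoring_points[point] for point in usage)


def is_virus_program(trace: Iterable[str], monitoring_points: Dict[str, float],
                     threshold: float = PRESET_VIRUS_EMPIRICAL_VALUE) -> bool:
    """Units 332 and 333: a virus program if and only if the detection value
    reaches the preset virus empirical value."""
    usage = record_usage(trace, monitoring_points)
    return virus_detection_value(usage, monitoring_points) >= threshold


class VirusLibrary:
    """Modules 36 and 37 (and the correction of steps 208/209): confirmed virus
    programs join the library and, once enough have accumulated, the monitoring
    points and experience values are re-derived from all known samples."""

    def __init__(self, seed_samples: List[Set[str]], safe_features: Set[str]) -> None:
        self.samples = [set(s) for s in seed_samples]
        self.safe_features = set(safe_features)
        self.added_since_update = 0
        self.monitoring_points = determine_monitoring_points(self.samples, self.safe_features)

    def add_virus_program(self, trace: Iterable[str]) -> bool:
        """Store a program judged to be a virus; return True when the addition
        pushed the library over the threshold and triggered an update."""
        self.samples.append(set(trace))
        self.added_since_update += 1
        if self.added_since_update > PRESET_NUMBER_THRESHOLD:
            self.monitoring_points = determine_monitoring_points(self.samples, self.safe_features)
            self.added_since_update = 0
            return True
        return False


if __name__ == "__main__":
    points = determine_monitoring_points(VIRUS_SAMPLES, SAFE_FEATURES)
    # Constructed traces of two programs run in the VM.
    injector = ["CreateFile", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]
    installer = ["CreateFile", "RegSetValueEx", "WriteFile"]
    for name, trace in (("injector", injector), ("installer", installer)):
        usage = record_usage(trace, points)
        print(name, round(virus_detection_value(usage, points), 2), is_virus_program(trace, points))
```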
It should be noted that, the virus reporting device based on the virtual machine in the embodiment of the present application is further configured to:
Step A1, acquiring a preset execution feature list, where the preset execution feature list comprises a preset execution feature blacklist and a preset execution feature whitelist;
Step A2, determining the execution features of the target program from its usage of the virus reporting monitoring points, and querying whether the execution features of the target program belong to the malicious execution features contained in the preset execution feature blacklist;
Step A3, if the execution features of the target program belong to the malicious execution features, determining that the target program contains a virus;
Step A4, if the execution features of the target program do not belong to the malicious execution features, querying whether they belong to the safe execution features contained in the preset execution feature whitelist;
Step A5, if the execution features of the target program belong to the safe execution features, determining that the target program does not contain a virus;
Step A6, if the execution features of the target program do not belong to the safe execution features, marking the target program as a suspicious program and reporting its execution features to the virus management system, which analyzes whether the suspicious program contains a virus.
In steps A1 to A6, whether the target program contains a virus is determined with a preset execution feature list that comprises a blacklist and a whitelist: the blacklist stores in advance the malicious execution features that virus programs present when called, and the whitelist stores in advance the safe execution features that safety programs present when called. If the execution features of the target program hit neither the blacklist nor the whitelist, the program is judged to be suspicious and is reported to the virus management system for further judgment; the virus management system may specifically be an expert system.
In addition, a suspicious target program can be reported to the malicious program management system, which judges whether the target program contains a virus, and the virus reporting experience values of the virus reporting monitoring points and virus reporting verification points, together with the preset virus experience value, are corrected according to that judgment, improving both the accuracy and the efficiency of virus detection.
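The execution-feature check of steps A1 to A6, described above for the method and again for the apparatus, as an added Python model that is not the applicant's code. It assumes an execution feature is the ordered sequence of monitoring-point calls a program made in the VM; the monitoring points, blacklist patterns, whitelist entries and traces are constructed, and the in-memory "reported" list plus the verdict feedback stand in for the virus management system.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Iterable, List, Sequence, Set, Tuple

# An execution feature is the ordered sequence of monitoring-point calls the
# target program made while running in the VM (assumed representation).
ExecutionFeature = Tuple[str, ...]

# Constructed monitoring points: call functions whose use is recorded.
MONITORING_POINTS: Set[str] = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                               "NtUnmapViewOfSection", "SetWindowsHookEx", "RegSetValueEx"}


class Verdict(Enum):
    VIRUS = "contains a virus"                   # step A3
    SAFE = "does not contain a virus"            # step A5
    SUSPICIOUS = "reported for expert analysis"  # step A6


@dataclass
class ExecutionFeatureList:
    """Step A1: the preset execution feature list. Blacklist entries are malicious
    execution features matched as in-order subsequences; whitelist entries are
    complete safe execution features matched exactly (constructed entries)."""
    blacklist: Set[ExecutionFeature] = field(default_factory=lambda: {
        ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"),  # remote-thread injection sequence
        ("NtUnmapViewOfSection", "WriteProcessMemory"),                   # process-hollowing sequence
    })
    whitelist: Set[ExecutionFeature] = field(default_factory=lambda: {
        (),                    # touched no monitoring point at all
        ("RegSetValueEx",),    # an installer writing its own settings
    })


def extract_execution_feature(trace: Iterable[str], monitoring_points: Set[str]) -> ExecutionFeature:
    """Step A2: derive the execution feature from the target program's usage of
    the monitoring points; calls outside the points are ignored and immediate
    repeats of the same point are collapsed."""
    feature: List[str] = []
    for call in trace:
        if call in monitoring_points and (not feature or feature[-1] != call):
            feature.append(call)
    return tuple(feature)


def occurs_in(pattern: Sequence[str], feature: Sequence[str]) -> bool:
    """True when `pattern` appears in `feature` as an in-order subsequence."""
    remaining = iter(feature)
    return all(any(call == wanted for call in remaining) for wanted in pattern)


@dataclass
class ExecutionFeatureClassifier:
    features: ExecutionFeatureList = field(default_factory=ExecutionFeatureList)
    monitoring_points: Set[str] = field(default_factory=lambda: set(MONITORING_POINTS))
    # Stand-in for the virus management system's inbox of suspicious programs.
    reported: List[Tuple[str, ExecutionFeature]] = field(default_factory=list)

    def classify(self, program: str, trace: Iterable[str]) -> Verdict:
        feature = extract_execution_feature(trace, self.monitoring_points)
        if any(occurs_in(bad, feature) for bad in self.features.blacklist):
            return Verdict.VIRUS                    # steps A2/A3: blacklist hit
        if feature in self.features.whitelist:
            return Verdict.SAFE                     # steps A4/A5: whitelist hit
        self.reported.append((program, feature))    # step A6: neither list hit
        return Verdict.SUSPICIOUS

    def apply_management_verdict(self, feature: ExecutionFeature, is_virus: bool) -> None:
        """Feed the virus management system's decision back into the lists, so
        the same execution feature is classified directly next time."""
        (self.features.blacklist if is_virus else self.features.whitelist).add(feature)


if __name__ == "__main__":
    clf = ExecutionFeatureClassifier()
    # Constructed traces of programs executed in the VM.
    print(clf.classify("injector", ["CreateFile", "VirtualAllocEx", "WriteProcessMemory",
                                    "WriteProcessMemory", "CreateRemoteThread", "CloseHandle"]))
    print(clf.classify("installer", ["CreateFile", "WriteFile", "RegSetValueEx"]))
    print(clf.classify("hooker", ["SetWindowsHookEx", "RegSetValueEx"]), clf.reported)
```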
It should be noted that other corresponding descriptions of the functional units related to the virus reporting device based on the virtual machine provided in the embodiment of the present application may refer to the corresponding descriptions in fig. 1 and fig. 2, and are not described herein again.
Based on the methods shown in fig. 1 and fig. 2, the present application correspondingly further provides a storage medium on which a computer program is stored; when the computer program is executed by a processor, the virtual machine-based virus reporting method shown in fig. 1 and fig. 2 is implemented.
Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.), and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the implementation scenarios of the present application.
Based on the method shown in fig. 1 and fig. 2 and the device embodiment shown in fig. 3 and fig. 4, in order to achieve the above object, an embodiment of the present application further provides a computer device, which may specifically be a personal computer, a server, a network device or the like. The computer device includes a storage medium and a processor: the storage medium stores a computer program, and the processor executes the computer program to implement the virtual machine-based virus reporting method described above with reference to fig. 1 and fig. 2.
Optionally, the computer device may also include a user interface, a network interface, a camera, Radio Frequency (RF) circuitry, sensors, audio circuitry, a WI-FI module, and so forth. The user interface may include a Display screen (Display), an input unit such as a keypad (Keyboard), etc., and the optional user interface may also include a USB interface, a card reader interface, etc. The network interface may optionally include a standard wired interface, a wireless interface (e.g., a bluetooth interface, WI-FI interface), etc.
It will be appreciated by those skilled in the art that the computer device architecture provided in this embodiment does not limit the computer device, which may include more or fewer components, combine some components, or arrange the components differently.
The storage medium may further include an operating system and a network communication module. An operating system is a program that manages and maintains the hardware and software resources of a computer device, supporting the operation of information handling programs, as well as other software and/or programs. The network communication module is used for realizing communication among components in the storage medium and other hardware and software in the entity device.
Through the description of the above embodiment, those skilled in the art can clearly understand that the present application can be implemented by software plus a necessary general hardware platform, or by hardware. Virtual machine technology is used to record the usage of the virus reporting monitoring points by the target program to be detected during its execution, and heuristic virus checking and killing is then performed on the extracted usage record to detect whether the target program is a virus program. By using virtual machine technology, the method and system not only obtain an effective running record of the target program as it executes in the virtual machine, but also leave the real computer environment unaffected, protecting the safety of the computer; at the same time, because heuristic virus detection is performed on the running record of the target program, the detection rate of unknown viruses such as novel viruses and variant viruses is improved.
Those skilled in the art will appreciate that the figures are merely schematic representations of one preferred implementation scenario and that the blocks or flow diagrams in the figures are not necessarily required to practice the present application. Those skilled in the art will appreciate that the modules in the devices in the implementation scenario may be distributed in the devices in the implementation scenario according to the description of the implementation scenario, or may be located in one or more devices different from the present implementation scenario with corresponding changes. The modules of the implementation scenario may be combined into one module, or may be further split into a plurality of sub-modules.
The serial numbers of the above embodiments are for description only and do not represent the superiority or inferiority of the implementation scenarios. The above disclosure is only a few specific implementation scenarios of the present application, but the present application is not limited thereto, and any variations that can be made by those skilled in the art are intended to fall within the scope of the present application.

Claims (10)

1. A virus reporting method based on a virtual machine is characterized by comprising the following steps:
executing a target program to be detected in the virtual machine;
monitoring at least one virus reporting monitoring point in the execution process of the target program, and recording the use condition of the at least one virus reporting monitoring point in the execution process of the target program;
and judging whether the target program is a virus program or not according to the use condition of the target program on the virus reporting monitoring point.
2. The method according to claim 1, wherein the determining whether the target program is a virus program according to the usage of the virus reporting monitoring point by the target program specifically comprises:
calculating a virus detection value of the target program according to the use condition of the target program to the virus reporting monitoring points and the virus reporting experience value of each virus reporting monitoring point;
and if the virus detection value of the target program is greater than or equal to a preset virus empirical value, determining that the target program is a virus program.
3. The method of claim 2, further comprising:
and if the virus detection value of the target program is smaller than the preset virus empirical value, determining that the target program is not a virus program.
4. The method according to claim 2 or 3, wherein before the target program to be detected is executed in the virtual machine, the method further comprises:
acquiring behavior characteristics corresponding to a plurality of virus samples;
and determining the virus reporting monitoring points and the virus reporting experience values of the virus reporting monitoring points according to the behavior characteristics corresponding to the plurality of virus samples.
5. The method according to claim 4, wherein the determining the virus reporting monitor point and the virus reporting experience value of the virus reporting monitor point according to the behavior characteristics corresponding to the plurality of virus samples specifically comprises:
analyzing virus reporting key behavior characteristics of the plurality of virus samples and key weights of the virus reporting key behavior characteristics according to behavior characteristics corresponding to the plurality of virus samples and preset safety program behavior characteristics;
and determining a calling function corresponding to the key behavior characteristics of the virus reporting as the virus reporting monitoring point, and determining the key weight of the key behavior characteristics of the virus reporting as the virus reporting experience value of the virus reporting monitoring point.
6. The method of claim 4 or 5, wherein after determining that the target program is a virus program, the method further comprises:
and adding the target program into a virus program library.
7. The method of claim 6, further comprising:
and when the number of the virus programs in the virus program library exceeds a preset number threshold, acquiring behavior characteristics corresponding to the virus programs in the virus program library, and updating the virus reporting monitoring points and the virus reporting experience values of the virus reporting monitoring points according to the behavior characteristics.
8. A virus reporting device based on a virtual machine is characterized by comprising:
the target program execution module is used for executing a target program to be detected in the virtual machine;
the monitoring module is used for monitoring at least one virus reporting monitoring point in the execution process of the target program and recording the use condition of the at least one virus reporting monitoring point in the execution process of the target program;
and the virus detection module is used for judging whether the target program is a virus program according to the use condition of the target program on the virus reporting monitoring point.
9. A storage medium having stored thereon a computer program, wherein the program, when executed by a processor, implements the virtual machine based virus notification method of any of claims 1 to 7.
10. A computer device comprising a storage medium, a processor, and a computer program stored on the storage medium and executable on the processor, wherein the processor implements the virtual machine based virus notification method of any one of claims 1 to 7 when executing the program.
CN201910945353.1A 2019-09-30 2019-09-30 Virtual machine-based poison reporting method and device, storage medium and computer equipment Pending CN112580025A (en)


Publications (1)

Publication Number Publication Date
CN112580025A true CN112580025A (en) 2021-03-30



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210330