
CN1983295A - Method and device for recognizing virus (Google Patents)

Info

Publication number: CN1983295A
Authority: CN (China)
Prior art keywords: virus, executable text, analysis, system call, syntactic feature
Legal status: Granted; active
Application number: CNA2006101059760A
Other languages: Chinese (zh)
Other versions: CN100483434C (en)
Inventor: 张畅
Current assignee: Beijing net an Technology Limited by Share Ltd
Original assignee: Beijing Rising International Software Co Ltd
Application filed by Beijing Rising International Software Co Ltd
Priority to CNB2006101059760A
Publication of CN1983295A
Application granted; publication of CN100483434C


Abstract

A method for identifying viruses performs lexical analysis on the executable text of a file to obtain its token sequence, performs syntax analysis on that token sequence to obtain a syntax tree and extract its syntactic features, and decides whether the file is infected by matching those features against the syntactic features stored in a library of known virus features. It also checks whether the executable text contains the system calls that a virus would need; if it does not, the file is judged virus-free, which lowers the false-positive rate.

Description

Virus recognition method and device
Technical field
The present invention relates to a method for identifying computer viruses and to a device implementing the method, and in particular to a method and device for identifying script-type computer viruses.
Background art
The rapid development of computer and network technology has greatly promoted the exchange of information. At the same time, computer viruses have evolved and escalated alongside that technology, growing from the pranks of the early days into a serious threat to people's normal use of computers. How to guard against virus attacks has therefore long been a focus of attention.
An important step in guarding against virus attacks is to identify infected files before the virus runs, that is, to scan for viruses, so that appropriate measures can be taken to stop the virus damaging the computer system. The scanning method commonly used by today's antivirus software is signature-string matching: one or more specific binary code fragments (signature strings) extracted from a virus sample are searched for in the scanned file. This method identifies viruses with fixed signature strings fairly effectively, but for viruses whose signature strings change easily, that is, viruses that mutate readily, it is practically useless and cannot achieve the expected effect.
Script viruses, which have developed recently, are exactly such easily mutating viruses; their destructive power, infectiousness, range of spread and deceptiveness have made them an important branch of computer viruses today. A script virus is written in a scripting language, usually arrives on a computer together with other files, and is then interpreted and executed by the script interpreter that the operating system itself provides, thereby damaging the system. The source code of a script virus is therefore very easy to obtain and highly readable. Often, slightly changing the structure of the script source or modifying its characteristic values is enough to produce a new variant with a different signature string, so the many variants of a script virus easily evade conventional signature-string scanning. Moreover, because script viruses are simple to write, so-called virus generators have appeared that produce arbitrary script viruses according to the user's wishes. Conventional signature-string scanning, which relies on the characteristics (signature strings) of the generated script text itself, thus has difficulty identifying the many script viruses effectively.
There is therefore an urgent need for a virus identification method that can rapidly and accurately find and identify such easily mutating and highly damaging viruses, for example script-type viruses.
Summary of the invention
The object of the present invention is to provide a method for identifying a wide range of viruses and their variants quickly and efficiently.
According to one aspect of the present invention, a method for identifying viruses is proposed, comprising the following steps:
(a) pre-processing the text of a scanned file to extract executable text;
(b) performing syntax analysis on the executable text to obtain its syntactic features;
(c) matching the obtained syntactic features against the syntactic features of viruses in a virus feature library, to judge whether the file contains the virus.
The invention also proposes a hardware device implementing the method and a computer system comprising this module.
Because the proposed method identifies viruses by their behavioural characteristics rather than by the characteristics of the generated virus text itself, it can identify viruses belonging to the same family rapidly and accurately. The method is particularly suitable for identifying viruses that are interpreted for execution, such as script-type viruses.
The present invention will be more fully understood, and these and other features will become more apparent, with reference to the following description taken in conjunction with the drawings and the claims.
Description of the drawings
The present invention is described below with reference to the drawings and specific embodiments, in which:
Fig. 1 is an overall flowchart for script-virus identification according to an embodiment of the invention;
Fig. 2 is a detailed flowchart of the pre-processing step according to an embodiment of the invention;
Fig. 3 is a detailed flowchart of the lexical analysis step according to an embodiment of the invention;
Fig. 4 is a detailed flowchart of the syntax analysis step according to an embodiment of the invention;
Fig. 5 is a block diagram of a virus identification device according to an embodiment of the invention.
Embodiments
From the overview of script-type viruses above, an important characteristic of script viruses is that their source code is highly readable and is normally interpreted and executed on the target computer. In view of this, the method proposed by the present invention borrows the basic principle of a compiler: it performs syntax analysis on the executable text in the file in order to analyse the function that text will perform, that is, its behavioural characteristics. These behavioural characteristics are expressed as the syntactic features produced by syntax analysis, for example loop counts and calls to specific functions. For script viruses of the same family produced by mutation, the behavioural characteristics, that is, the syntactic features, are normally invariant. Matching the syntactic features of a scanned file can therefore detect the many variants of a virus effectively.
The concrete steps of the proposed method are described in detail below with reference to Figs. 1 to 4, taking script-virus identification as the example. Note that the proposed method can also be applied to other viruses with characteristics similar to script-type viruses and is not limited to script viruses themselves.
Fig. 1 shows the overall flowchart of the method for identifying script viruses in one embodiment of the invention.
As shown in Fig. 1, the script-virus scanning procedure starts in step 1001. Because this embodiment takes script-virus identification as its example, the scanner here scans only script-type files. If the method is used to identify other types of interpreted virus, files of the corresponding type are scanned instead.
First, in step 1002, the scanned script file is pre-processed to extract its executable text. Then, in step 1003, it is judged whether executable text was extracted successfully; if so, lexical analysis continues in step 1004, otherwise step 1009 reports an error and the scan ends. The pre-processing here may include every step needed to extract the executable text, for example decrypting encrypted text. The pre-processing step is described in detail below with reference to Fig. 2.
In step 1004, lexical analysis is performed on the executable text produced by pre-processing to extract a token sequence. According to compiler theory, lexical analysis extracts the words, such as variable and function names, that appear in the executable text as continuous character strings, so that the logical relations between these words can be obtained in syntax analysis. In the present invention, the words extracted in lexical analysis are designed according to the characteristics of scripts. In addition, to increase scanning speed and reliability, the lexical analysis step of the present invention also checks whether the extracted executable text contains the system calls that a virus could exploit (step 1005). If it does not contain these system calls, the scan can be abandoned (proceeding to step 1010), since the extracted executable text is considered unable to harm the computer system. Otherwise, syntax analysis continues in step 1006. The concrete lexical analysis step is described in detail below with reference to Fig. 3.
In step 1006, syntax analysis is performed on the token sequence produced by lexical analysis, a syntax tree is generated, and syntactic features are extracted. The syntactic features here are, for example, the maximum loop count, the number of loop statements, the nesting depth of conditional statements, the number of conditional statements, the number of function calls, the number and types of function parameters, function return values and system function calls. Note that because the aim of the invention is to identify script viruses quickly from the behavioural characteristics of the executable text, the syntax analysis step of the present invention differs from the processing of a traditional compiler: it pays more attention to analysing the function bodies, which embody behavioural characteristics more directly. In addition, to improve the speed and accuracy of syntax analysis, the present invention adopts hierarchical analysis, building a parsing table per level; the details are described below with reference to Fig. 4.
After the syntactic features of the executable text are obtained, step 1007 matches the extracted features against the syntactic features of known or unknown viruses in the virus feature library and judges whether they match. If they match, step 1008 reports the virus type, virus name, removal method and other characteristic information of the virus that the scanned file contains; otherwise the file is considered to contain no known script virus, and the process goes directly to step 1010. Finally, step 1010 ends the scan.
In the virus identification method described above in conjunction with Fig. 1, the idea of the present invention is embodied mainly in three parts: pre-processing, lexical analysis and syntax analysis. The concrete operation of each is described in turn below.
Pre-processing
Fig. 2 shows the detailed flowchart of the pre-processing step of Fig. 1. As shown in Fig. 2, pre-processing of the script file begins in step 2001. Step 2002 filters out the parts of the script file that have no influence on the executable text, for example comments. Step 2003 judges whether the remaining executable text is encrypted; if so, step 2004 analyses the ciphertext and decrypts it with the corresponding decryption method, otherwise step 2006 extracts the executable text directly. In step 2004, for example, if analysis of the encrypted text shows that it uses a public encryption algorithm, the corresponding decryption algorithm is applied to obtain the decrypted text. Alternatively, if the ciphertext itself contains the decryption steps, the decryption algorithm can be obtained by analysing them. Further, virtual execution can be used: the decrypted executable text is generated temporarily in memory, and the decrypted text is obtained from there. After decryption, step 2005 judges whether decryption succeeded; if so, step 2006 extracts the executable text, otherwise step 2007 reports that pre-processing failed. Step 2006 extracts the executable text for use by the subsequent lexical analysis. Finally, step 2008 ends pre-processing of the script file.
Lexical analysis
After the executable text is obtained, lexical analysis is performed. Fig. 3 shows the detailed flowchart of this step.
Lexical analysis begins in step 3001. In step 3002, words are extracted using regular-expression analysis, by means of a set of operator opcodes and compound-statement opcodes of the present invention. These operator opcodes and compound-statement opcodes are designed according to the characteristics of scripts to make it convenient to extract feature strings from script text; each invocation of them yields one token feature string (note that the operator and compound-statement opcodes here can be designed according to the characteristics of the token feature strings). Then, in step 3003, the token feature strings produced in step 3002 are accumulated to form the token sequence. In the present invention, step 3004 judges for every extracted token feature string whether it matches some system call, that is, whether it is a system call. If so, step 3005 counts its checksum into a running total, otherwise the flow goes to step 3006. In step 3005, the keyword table in the system is consulted to obtain the checksum of this system call, which is added to the checksums of the system calls obtained before, giving an accumulated checksum. Then step 3006 judges whether the text has been read to the end; if not, step 3002 is repeated to obtain the next token feature string, and the loop continues until all of the text has been read.
After all the executable text has been read, step 3007 performs system-call matching. In this embodiment, the system calls that a virus might exploit are determined in advance by analysing the characteristics of the system; in other words, a virus must contain at least these system calls before it can harm the system. The accumulated checksum of these system calls is then computed for the system-call matching in step 3007. In step 3007 of the lexical analysis, the accumulated checksum obtained in step 3005 is compared with the precomputed checksum of the system calls that a virus could exploit, and step 3008 judges whether they match. In this embodiment, if the system-call checksum of the current text obtained by lexical analysis is greater than the precomputed checksum, the system calls are considered to match, that is, the current text contains system calls that a virus could exploit. Lexical analysis is then reported successful, and the current executable text needs further syntax analysis. If they do not match, lexical analysis is reported as failed and the scan is exited, that is, the current file is considered virus-free (step 3009). The advantage of this is that a script that makes no system calls cannot be misidentified as a file carrying a virus, which improves scanning accuracy, reduces the probability of false positives and also speeds up virus scanning. Finally, step 3010 ends the lexical analysis.
This embodiment gives only one method of judging whether the executable text contains system calls that a virus could exploit. In practice, many other methods can be used to make this judgement, and the invention is not limited to this one. Furthermore, depending on the needs of the application, this system-call matching step is not always necessary.
The lexical analysis process described above with reference to Fig. 3 is normally necessary for executable text written in most programming languages. However, some special kinds of language use extremely simple definitions and structures, so that syntax analysis can be performed directly after only simple processing; this depends on the actual application.
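The pre-processing and lexical-analysis steps above (Figs. 2 and 3), as an added Python example that is not code from the patent. It assumes a toy script syntax (comments start with ' or REM; blocks are function / for-next / if-end if), a constructed table of three system-call names, CRC32 as the per-call checksum (the patent says only "checksum"), and base64 standing in for the patent's "public encryption algorithm" in the decryption step; the sample scripts are constructed.

```python
import base64
import binascii
import re
import zlib

# Constructed toy script, not a real virus sample.
SAMPLE_SCRIPT = """\
' header comment: filtered out by pre-processing (step 2002)
function copy_all(src, dst)
  handle = sys_open(src)
  for i = 1 to 10
    if handle > 0 then
      sys_write(dst, handle)
    end if
  next
  sys_close(handle)
end function
copy_all("a.txt", "b.txt")
"""

# Constructed keyword table (step 3005): the system calls a script must use
# before it can harm the system in this toy language.
RISKY_SYSCALLS = {"sys_open", "sys_write", "sys_close"}

def syscall_checksum(name):
    # The patent only says "checksum"; CRC32 of the call name is an assumption.
    return zlib.crc32(name.encode())

# Precomputed statistical checksum of the minimal set (compared in step 3007).
REQUIRED_CHECKSUM = sum(syscall_checksum(n) for n in RISKY_SYSCALLS)

def filter_comments(text):
    """Step 2002: drop comment lines and blank lines, keep the rest."""
    kept = []
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith("'") and not s.lower().startswith("rem "):
            kept.append(s)
    return "\n".join(kept)

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def decrypt_if_needed(text):
    """Steps 2003-2005: stand-in for the patent's decryption step. The only
    'public encoding' recognised here is base64 (an assumption). Returns
    (text, ok); ok=False is the 'pre-processing failed' report of step 2007."""
    if len(text) >= 16 and len(text) % 4 == 0 and B64_RE.match(text):
        try:
            return base64.b64decode(text, validate=True).decode("utf-8"), True
        except (binascii.Error, UnicodeDecodeError):
            return "", False
    return text, True

def preprocess(text):
    """Fig. 2 as a whole: returns (executable_text, ok)."""
    return decrypt_if_needed(filter_comments(text))

TOKEN_RE = re.compile(r'"[^"]*"|\d+|[A-Za-z_]\w*|[=<>()+\-*/,]')

def tokenize(executable_text):
    """Steps 3002-3003: extract the token sequence."""
    return TOKEN_RE.findall(executable_text)

def lexical_analysis(text):
    """Fig. 3: tokenize, then gate on the system-call checksum (steps 3004-3009)."""
    executable, ok = preprocess(text)
    if not ok:
        return {"status": "preprocess_failed"}
    tokens = tokenize(executable)
    seen = {tok for tok in tokens if tok in RISKY_SYSCALLS}
    # Each distinct system call is counted once; see the note after the block.
    total = sum(syscall_checksum(n) for n in seen)
    matched = total >= REQUIRED_CHECKSUM
    return {"status": "needs_syntax_analysis" if matched else "clean",
            "tokens": tokens, "syscalls": sorted(seen), "checksum": total}

# Constructed encoded inputs: one decodes to a script, one is not valid text.
ENCODED_SAMPLE = base64.b64encode(b"handle = sys_open(path)").decode()
UNDECODABLE_SAMPLE = base64.b64encode(b"\xff\xfe" * 6).decode()
```

Step 3005 as described accumulates the checksum of every system-call token, so a script that repeats one call many times could exceed the precomputed total without containing the others; the example therefore counts each distinct call once. A summed checksum remains a coarse gate, since it cannot say which calls were present, which is in line with the patent's own remark that other judgement methods may be substituted.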
Syntax analysis
After the lexical analysis above completes successfully, the present invention performs its most critical and also most complex part: the syntax analysis process.
According to the characteristics of script viruses, the present invention splits syntax analysis as follows:
1. The whole source program after lexical analysis is regarded as a chain of definitions; this part is called the analysis of global variables and function definitions.
2. Within a function definition, the parameter definitions and the function body are separated and syntactically analysed separately.
3. Within the analysis of a function body, the definitions of parameters and expressions are again separated and analysed separately.
The whole syntax analysis uses SLR(1) parsing with resolution of shift-reduce conflicts, and operator-precedence parsing for expression analysis.
Fig. 4 is the flowchart of this step. Syntax analysis begins in step 4001. Step 4002 determines the type of syntax analysis to perform next, that is, it defines the analysis type. In this embodiment, according to the characteristics of scripts, syntax analysis is divided into five types: expression, function, parameter, global-variable and system-function analysis. For example, when syntax analysis of the executable text has just begun, the type may be defined as global-variable analysis. Then step 4003 judges the type of syntax analysis and performs the corresponding operation: for a global variable, step 4007 adds the global variable to the symbol table. Of course, at the start of syntax analysis the defined type may be another type, and as syntax analysis goes deeper the defined type may also change to another type. For example, for an expression, the flow enters step 4004 and performs expression analysis using operator-precedence parsing; for a function, step 4005 performs function-parameter analysis on the function's parameters and step 4006 performs function-body analysis on the function body itself; for a system function, step 4008 adds the system function to the symbol table.
Within each class of syntax analysis, further analysis then proceeds. For example, after expression analysis (step 4004), step 4009 further analyses the function calls within the expression; after function-body analysis (step 4006), step 4010 further analyses the local variables within the function body, and step 4011 adds the local variables to the symbol table.
Whichever of the above syntax analyses is performed, the flow enters step 4012, which judges according to the grammar specification whether the analysis operation was correct; if so, step 4013 follows, otherwise step 4014 exits with an error. Step 4013 then judges whether the analysis is complete; if so, step 4015 ends the analysis, otherwise step 4002 continues it. For example, in the function-body branch, after step 4012 has judged the local-variable analysis correct, step 4013 finds that the analysis is not yet complete, say because the expressions in the function body still need analysing; the flow then loops back to step 4002, determines that the next syntax analysis type is expression analysis, and after the decision of step 4003 proceeds down the expression-analysis branch. The flow of Fig. 4 repeats in this way until all analysis operations are finished (step 4015).
Because the aim of the invention is to analyse the behavioural characteristics of script files, the analysis of function bodies is a key part of the invention. Syntax analysis of function bodies is usually very complex, so in the present invention function-body analysis is performed separately from the other types of syntax analysis and has a parsing table of its own, which makes upgrading and updating convenient.
After the syntax analysis of Fig. 4 finishes, a syntax tree is obtained that reflects the logical relations between the variables, expressions and so on. Returning to Fig. 1, a series of syntactic features of the executable text is obtained from the syntax tree: the maximum loop count, the number of loop statements, the nesting depth of conditional statements, the number of conditional statements, the number of function calls, the number and types of function parameters, function return values, system function call features and so on. Next, these are matched against the syntactic features of viruses in the virus feature library to judge whether the file contains a virus. For example, if the system function calls, loop and jump counts, function call counts and function return values in the features obtained by scanning all match those of a certain script virus, the script may contain that virus, so the virus is reported together with the corresponding removal method.
It should be explained that the virus feature library can store the syntactic features of known viruses and/or of unknown viruses. A known virus is one for which a definite name, identifier and other information have been recorded in the current virus database; an unknown virus is one for which no definite name or identifier has yet been recorded. Usually the syntactic features of an unknown virus are inferred from the behavioural characteristics of known viruses as the syntactic features sufficient to constitute virus behaviour. Such self-defined syntactic features of unknown viruses can be obtained through a learning function of the antivirus software, which to some extent achieves the aim of preventing viruses in advance.
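The syntax analysis and feature matching of Figs. 1 and 4, as an added Python example that is not the patent's code. Instead of SLR(1) and operator-precedence parsing it builds the syntax tree with a line-structured block parser for the same toy script syntax used in the lexical-analysis example; the system-function table, the feature library with its two fictional families and the sample scripts are all constructed. It covers the features the description names that can be read from structure alone (loop and conditional counts and nesting depth, function calls, parameter count, system function calls); return values and parameter types are left out.

```python
import re

# Constructed toy script, not a real virus sample.
SAMPLE_SCRIPT = """\
function copy_all(src, dst)
  handle = sys_open(src)
  for i = 1 to 10
    if handle > 0 then
      sys_write(dst, handle)
    end if
  next
  sys_close(handle)
end function
copy_all("a.txt", "b.txt")
"""

# Constructed system-function table (what step 4008 would put in the symbol table).
SYSTEM_FUNCTIONS = {"sys_open", "sys_write", "sys_close"}

# Block-opening keywords of the toy language and the line that closes each.
CLOSER_OF = {"function": "end function", "for": "next", "while": "wend", "if": "end if"}
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")

def parse(text):
    """Build a syntax tree of nested blocks (a stand-in for the patent's SLR(1)
    parser). Each node is {"kind", "header", "children"}. A mismatched or
    missing closer raises SyntaxError, like the error exit of step 4014."""
    root = {"kind": "program", "header": "", "children": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        if low in CLOSER_OF.values():
            if len(stack) == 1 or CLOSER_OF[stack[-1]["kind"]] != low:
                raise SyntaxError(f"unexpected {line!r}")
            stack.pop()
            continue
        head = low.split()[0]
        node = {"kind": head if head in CLOSER_OF else "stmt", "header": line, "children": []}
        stack[-1]["children"].append(node)
        if node["kind"] in CLOSER_OF:
            stack.append(node)
    if len(stack) != 1:
        raise SyntaxError("unterminated block")
    return root

def is_well_formed(text):
    """True when the script parses; False on the step-4014 error exit."""
    try:
        parse(text)
        return True
    except SyntaxError:
        return False

def param_count(function_header):
    """Function-parameter analysis (step 4005): count names between the parentheses."""
    inner = function_header[function_header.find("(") + 1:function_header.rfind(")")]
    return len([p for p in inner.split(",") if p.strip()])

def extract_features(tree):
    """Walk the tree and collect the syntactic features named in the description."""
    feats = {"loop_count": 0, "max_loop_depth": 0, "cond_count": 0,
             "max_cond_depth": 0, "call_count": 0, "max_params": 0,
             "system_calls": set()}

    def walk(node, loop_depth, cond_depth):
        for child in node["children"]:
            ld, cd, kind = loop_depth, cond_depth, child["kind"]
            if kind in ("for", "while"):
                feats["loop_count"] += 1
                ld += 1
                feats["max_loop_depth"] = max(feats["max_loop_depth"], ld)
            elif kind == "if":
                feats["cond_count"] += 1
                cd += 1
                feats["max_cond_depth"] = max(feats["max_cond_depth"], cd)
            elif kind == "function":
                feats["max_params"] = max(feats["max_params"], param_count(child["header"]))
            if kind != "function":
                # Expression analysis (steps 4004/4009): the calls made in this line.
                for name in CALL_RE.findall(child["header"]):
                    feats["call_count"] += 1
                    if name in SYSTEM_FUNCTIONS:
                        feats["system_calls"].add(name)
            walk(child, ld, cd)

    walk(tree, 0, 0)
    return feats

# Constructed feature library: minimal syntactic profile of two fictional
# families. A set means "must call at least these"; a number means "at least".
FEATURE_LIBRARY = {
    "Toy.FileWriter": {"system_calls": {"sys_open", "sys_write"},
                       "loop_count": 1, "cond_count": 1},
    "Toy.DeepLoop":   {"system_calls": {"sys_open"}, "max_loop_depth": 2},
}

def match_features(feats, library=FEATURE_LIBRARY):
    """Step 1007: names of library entries whose profile the features satisfy."""
    hits = []
    for name, profile in library.items():
        ok = True
        for key, want in profile.items():
            have = feats[key]
            ok = ok and (want <= have if isinstance(want, set) else have >= want)
        if ok:
            hits.append(name)
    return hits

def scan(text):
    """Syntax analysis plus feature matching for one script; [] means no match."""
    return match_features(extract_features(parse(text)))
```

Because the profile is a lower bound on structural counts plus a required subset of system calls, renaming variables, reordering statements or padding the script with extra code does not change the verdict, which is the property the description claims for behaviour-based matching; a profile that is too permissive (for example a single common system call with no structural constraint) would, however, flag benign scripts, so each entry should be checked against a corpus of clean scripts before it is added to the library.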
The virus identification method proposed by the present invention has been described above with reference to Figs. 1 to 4. The method can be implemented in computer software, in hardware, or in a combination of software and hardware.
A hardware configuration implementing the proposed method is given below by way of example, as shown in Fig. 5.
As shown in Fig. 5, the device 500 for implementing the proposed virus identification method comprises a pre-processing unit 510, an analysis and processing unit 520 and a recognition unit 530, where the analysis and processing unit 520 comprises a lexical analysis unit 522 and a parsing unit 526.
Specifically, the pre-processing unit 510 pre-processes (for example decrypts) the text of the scanned file to extract executable text. The analysis and processing unit 520 performs syntax analysis on the executable text to obtain its syntactic features; specifically, it comprises the lexical analysis unit 522, which performs lexical analysis on the executable text to extract a token sequence, and the parsing unit 526, which performs syntax analysis on the token sequence extracted by the lexical analysis unit. The recognition unit 530 matches the syntactic features obtained by the parsing unit against the syntactic features of viruses in the virus feature library to judge whether the file contains a virus. The lexical analysis unit 522 further comprises a judging unit 523, which judges from the extracted token sequence whether the text contains system calls that a virus could exploit (the judging method is the same as in Fig. 3); if it contains no system calls that a script virus could exploit, the file is judged to contain no virus.
The method proposed by the present invention, which identifies viruses by analysing the behavioural characteristics of a scanned file, has been described in detail above with reference to Figs. 1 to 5, taking script viruses as the example. The method applies not only to script viruses but also to scanning other source-code files for viruses.
Beneficial effects
The virus identification method proposed by the present invention has been described in detail above in conjunction with embodiments of the invention. The method obtains the syntactic features of a scanned file by syntax analysis and uses the result of matching these features against the syntactic features of a virus to determine whether the scanned file contains that virus.
Compared with methods that merely search for and match character strings extracted from virus samples, the proposed method scans on the basis of the behavioural characteristics of viruses, which greatly improves scanning accuracy, increases scanning speed and avoids wasting resources. Because the many variants of a virus usually have fixed behavioural characteristics, that is, fixed syntactic features, the proposed method can effectively handle the different variants of the same virus family. In addition, the proposed method is highly flexible: for example, by splitting syntax analysis, future extension and upgrading of the syntax analysis can be completed by changing only the function-body part. Furthermore, the present invention formats unformatted files through pre-processing and lexical analysis, which supports classifying viruses and can markedly improve the speed of virus scanning and removal.
Those skilled in the art will appreciate that various improvements can be made to the method and device for identifying viruses disclosed above without departing from the content of the present invention. The scope of protection of the present invention should therefore be determined by the content of the appended claims.

Claims (16)

1. A method for recognizing a virus, comprising the following steps:
(a) pre-processing the text of the file under inspection to extract executable text;
(b) performing grammatical analysis on the extracted executable text to obtain grammar properties of the executable text;
(c) matching the obtained grammar properties against the grammar properties of viruses in a virus feature library, to judge whether the file contains a virus.
2. The method of claim 1, wherein step (b) further comprises:
(b1) performing lexical analysis on the executable text to extract a word sequence.
3. The method of claim 2, wherein step (b) further comprises:
(b2) performing grammatical analysis on the extracted word sequence to obtain a syntax tree of the executable text, thereby obtaining the grammar properties of the executable text.
4. The method of claim 3, wherein the grammar properties comprise one or more of: the maximum loop count in the executable text, the number of loop statements, the nesting depth of conditional statements, the number of conditional statements, the number of function calls, the number and types of function parameters, function call return values, and calls to system functions.
5. The method of claim 2, wherein step (b1) further comprises:
(b11) judging, according to the extracted word sequence, whether a system call that can be used by a virus is contained;
(b12) if no system call usable by a script virus is contained, judging that the file does not contain a virus.
6. The method of claim 5, wherein step (b11) comprises:
judging, according to the extracted word sequence, whether a system call is contained;
if a system call is contained, computing a checksum of the system call; and
comparing the computed system-call checksum with the checksums of system calls usable by viruses, to judge whether a system call usable by a virus is contained.
7. The method of claim 1, wherein the pre-processing further comprises decrypting encrypted executable text to obtain decrypted executable text.
8. The method of claim 1, wherein the virus is a script virus and the executable text is script text.
9. The method of claim 1, wherein the virus feature library stores grammar properties of known viruses and/or grammar properties of unknown viruses.
10. An apparatus for recognizing a virus, comprising:
a pre-processing unit for pre-processing the text of the file under inspection to extract executable text;
an analysis and processing unit for performing grammatical analysis on the executable text to obtain grammar properties of the executable text;
a recognition unit for matching the obtained grammar properties against the grammar properties of viruses in a virus feature library, to judge whether the file contains a virus.
11. The apparatus of claim 10, wherein the analysis and processing unit further comprises:
a lexical analysis unit for performing lexical analysis on the executable text to extract a word sequence; and
a parsing unit for performing grammatical analysis on the word sequence extracted by the lexical analysis unit to obtain a syntax tree of the executable text, thereby obtaining the grammar properties of the executable text.
12. The apparatus of claim 11, wherein the parsing unit performs grammatical analysis separately on global variables, function definitions, parameter definitions and function body definitions.
13. The apparatus of claim 11, wherein the lexical analysis unit further comprises:
a judging unit for judging, according to the extracted word sequence, whether a system call usable by a virus is contained, and, if no system call usable by a script virus is contained, judging that the file does not contain a virus.
14. The apparatus of claim 13, wherein the judging unit judges, according to the extracted word sequence, whether a system call is contained; if a system call is contained, computes a checksum of the system call; and compares the computed system-call checksum with the checksums of system calls usable by viruses, to judge whether a system call usable by a virus is contained.
15. A computer system comprising the apparatus for recognizing a virus according to any of claims 10-14.
16. A computer program comprising computer-readable code for implementing the method according to any of claims 1-9.
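The claimed pipeline (claims 1 to 6) as an added example written for this page, not code from the patent: Python's tokenizer stands in for the lexical analyzer, the ast module for the parser, CRC32 for the unspecified system-call checksum, and loop nesting depth for the claim-4 "maximum loop count" feature. The suspect-call names, the feature library and the sample scripts are all constructed for illustration.

```python
"""Added example, not the patent's code: the claimed pipeline applied to a
Python script text via the stdlib tokenizer and ast module.  Checksum set,
feature library and sample scripts are constructed for illustration."""
import ast, io, tokenize, zlib

# Claim 6 pre-check data: checksums of call names a script virus would need
# (names constructed for this example).
SUSPECT_CALL_CHECKSUMS = {zlib.crc32(n.encode()) for n in ("system", "Popen")}
# Constructed feature library: one family profile in claim-4 terms.
LIBRARY = [("Demo.Script.A", {"loops": 2, "loop_depth": 2, "ifs": 1, "calls": 2})]
# Constructed sample "executable texts"; they are parsed, never run.
SAMPLE_SUSPECT = ("import os\nfor d in targets:\n    for f in entries:\n"
                  "        if f.endswith('.vbs'):\n            os.system(cmd)\n")
SAMPLE_BENIGN = "total = 0\nfor x in items:\n    if x:\n        total += len(x)\n"

def word_sequence(text):
    """Lexical analysis (claim 2): the NAME tokens of the script, in order."""
    toks = tokenize.generate_tokens(io.StringIO(text).readline)
    return [t.string for t in toks if t.type == tokenize.NAME]

def uses_suspect_call(words):
    """Claim 6: checksum every word and look it up in the known-call set."""
    return any(zlib.crc32(w.encode()) in SUSPECT_CALL_CHECKSUMS for w in words)

def grammar_features(text):
    """Claims 3/4: build the syntax tree, then record loop and conditional
    nesting depth, loop and conditional counts, and the function-call count."""
    feats = {"loop_depth": 0, "loops": 0, "if_depth": 0, "ifs": 0, "calls": 0}
    def walk(node, loop_d, if_d):
        if isinstance(node, (ast.For, ast.While)):
            loop_d += 1
            feats["loops"] += 1
            feats["loop_depth"] = max(feats["loop_depth"], loop_d)
        elif isinstance(node, ast.If):
            if_d += 1
            feats["ifs"] += 1
            feats["if_depth"] = max(feats["if_depth"], if_d)
        elif isinstance(node, ast.Call):
            feats["calls"] += 1
        for child in ast.iter_child_nodes(node):
            walk(child, loop_d, if_d)
    walk(ast.parse(text), 0, 0)
    return feats

def detect(text, library):
    """Claims 1/5: a file with no usable system call is reported clean without
    parsing; otherwise its features are matched against every library profile."""
    if not uses_suspect_call(word_sequence(text)):
        return None
    feats = grammar_features(text)
    for name, profile in library:
        if all(feats[k] == v for k, v in profile.items()):
            return name
    return None
```

Renaming identifiers or string literals in the suspect sample leaves its features, and therefore the match, unchanged, which is the variant resilience the description claims; a script with a suspect call but a different structure is not matched.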

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2006101059760A CN100483434C (en) 2005-12-12 2006-07-21 Method and device for recognizing virus

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
CN200510131435.0 2005-12-12
CN200510131435 2005-12-12
CNB2006101059760A CN100483434C (en) 2005-12-12 2006-07-21 Method and device for recognizing virus

Publications (2)

Publication Number Publication Date
CN1983295A true CN1983295A (en) 2007-06-20
CN100483434C CN100483434C (en) 2009-04-29

Family

ID=38165814

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2006101059760A Active CN100483434C (en) 2005-12-12 2006-07-21 Method and device for recognizing virus

Country Status (1)

Country Link
CN (1) CN100483434C (en)

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102592078A (en) * 2011-12-23 2012-07-18 中国人民解放军国防科学技术大学 Method for identifying self-propagation of malicious software by extracting function call sequence chacteristics
CN102750463A (en) * 2011-12-16 2012-10-24 北京安天电子设备有限公司 System and method for improving file rescanning speed
CN102799806A (en) * 2012-06-14 2012-11-28 中国人民解放军信息工程大学 Tree structure-based cryptographic algorithm logical expression identification method
CN102819698A (en) * 2011-12-27 2012-12-12 腾讯科技(深圳)有限公司 Method and device for detecting malicious code in webpage
CN102867144A (en) * 2012-09-06 2013-01-09 北京奇虎科技有限公司 Method and device for detecting and removing computer viruses
CN103258163A (en) * 2013-05-15 2013-08-21 腾讯科技(深圳)有限公司 Script virus identifying method, script virus identifying device and script virus identifying system
CN103559447A (en) * 2013-11-15 2014-02-05 北京奇虎科技有限公司 Detection method, detection device and detection system based on virus sample characteristics
CN104253797A (en) * 2013-06-27 2014-12-31 贝壳网际(北京)安全技术有限公司 Identification method and device for worm virus
CN104252593A (en) * 2013-06-27 2014-12-31 贝壳网际(北京)安全技术有限公司 Script monitoring method and device
CN104252596A (en) * 2013-06-28 2014-12-31 贝壳网际(北京)安全技术有限公司 Script virus monitoring method and device
CN104537306A (en) * 2015-01-13 2015-04-22 百度在线网络技术(北京)有限公司 Method and device for recognizing virus file
CN105488399A (en) * 2014-12-08 2016-04-13 哈尔滨安天科技股份有限公司 Script virus detection method and system based on program keyword calling sequence
CN106295342A (en) * 2016-08-19 2017-01-04 北京金山安全管理系统技术有限公司 The method and device of infection type virus in detection and removing Portable executable file
CN106355092A (en) * 2015-10-22 2017-01-25 卡巴斯基实验室股份公司 Systems and methods for optimizing antivirus determinations
CN106909843A (en) * 2015-12-22 2017-06-30 北京奇虎科技有限公司 The detection method and device of a kind of computer virus
CN112307478A (en) * 2020-11-30 2021-02-02 深信服科技股份有限公司 Script virus detection method, system, electronic equipment and storage medium
CN112989345A (en) * 2021-03-17 2021-06-18 北京安天网络安全技术有限公司 Threat handling method and framework

Also Published As

Publication number Publication date
CN100483434C (en) 2009-04-29

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: BEIJING RISING INTERNATIONAL TECHNOLOGY CO., LTD.

Free format text: FORMER OWNER: BEIJING RISING INTERNATIONAL SOFTWARE CO., LTD.

Effective date: 20100413

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 100080 NO.1302, ZHONGKE BUILDING, NO.22, ZHONGGUANCUN AVENUE, BEIJING CITY TO: 100190 ROOM 1301, ZHONGKE BUILDING, NO.22, ZHONGGUANCUN AVENUE, HAIDIAN DISTRICT, BEIJING CITY

TR01 Transfer of patent right

Effective date of registration: 20100413

Address after: 100190 Beijing City, Haidian District Zhongguancun Street Branch No. 22 building, room 1301

Patentee after: Beijing Rising Information Technology Co., Ltd.

Address before: 100080, No. 22, Zhongguancun Avenue, 1302, Beijing

Patentee before: Beijing Rising International Software Co., Ltd.

C56 Change in the name or address of the patentee
CP01 Change in the name or title of a patent holder

Address after: 100190 Beijing City, Haidian District Zhongguancun Street Branch No. 22 building, room 1301

Patentee after: Beijing Rising Information Technology Co., Ltd

Address before: 100190 Beijing City, Haidian District Zhongguancun Street Branch No. 22 building, room 1301

Patentee before: Beijing Rising Information Technology Co., Ltd.

CP01 Change in the name or title of a patent holder

Address after: 100190 Beijing City, Haidian District Zhongguancun Street Branch No. 22 building, room 1301

Patentee after: Beijing net an Technology Limited by Share Ltd

Address before: 100190 Beijing City, Haidian District Zhongguancun Street Branch No. 22 building, room 1301

Patentee before: Beijing Rising Information Technology Co., Ltd

CP01 Change in the name or title of a patent holder