CN112580025A - Virtual machine-based poison reporting method and device, storage medium and computer equipment - Google Patents

Virtual machine-based poison reporting method and device, storage medium and computer equipment Download PDF

Info

Publication number
CN112580025A
CN112580025A CN201910945353.1A CN201910945353A CN112580025A CN 112580025 A CN112580025 A CN 112580025A CN 201910945353 A CN201910945353 A CN 201910945353A CN 112580025 A CN112580025 A CN 112580025A
Authority
CN
China
Prior art keywords
virus
program
target program
reporting
virtual machine
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910945353.1A
Other languages
Chinese (zh)
Inventor
胡彬
黄瀚
刘同豪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qianxin Safety Technology Zhuhai Co Ltd
Qax Technology Group Inc
Original Assignee
Qianxin Safety Technology Zhuhai Co Ltd
Qax Technology Group Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Qianxin Safety Technology Zhuhai Co Ltd, Qax Technology Group Inc filed Critical Qianxin Safety Technology Zhuhai Co Ltd
Priority to CN201910945353.1A priority Critical patent/CN112580025A/en
Publication of CN112580025A publication Critical patent/CN112580025A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Debugging And Monitoring (AREA)

Abstract

本申请公开了一种基于虚拟机的报毒方法及装置、存储介质、计算机设备,该方法包括:在虚拟机中执行待检测的目标程序;在所述目标程序的执行过程中对至少一个报毒监控点进行监控,并记录所述目标程序执行过程中对至少一个所述报毒监控点的使用情况;根据所述目标程序对所述报毒监控点的使用情况,判断所述目标程序是否为病毒程序。本申请利用虚拟机技术,不仅可以有效的获取到目标程序在虚拟机中执行时的运行记录,而且不会对真实计算机环境造成影响保护了计算机的安全,同时,基于目标程序的运行记录进行启发式病毒检测,有助于提高对新型病毒、变种病毒等未知病毒的检测率。

Figure 201910945353

The present application discloses a virtual machine-based virus reporting method and device, storage medium, and computer equipment. The method includes: executing a target program to be detected in a virtual machine; Monitor the poison monitoring point, and record the use of at least one of the poison reporting monitoring points during the execution of the target program; according to the use of the poison reporting monitoring point by the target program, determine whether the target program is for virus programs. By using the virtual machine technology, the present application can not only effectively obtain the running record of the target program when it is executed in the virtual machine, but also protect the security of the computer without affecting the real computer environment. It is helpful to improve the detection rate of unknown viruses such as new viruses and variant viruses.

Figure 201910945353

Description

Virtual machine-based poison reporting method and device, storage medium and computer equipment
Technical Field
The present application relates to the field of computer security technologies, and in particular, to a method and an apparatus for reporting a virus based on a virtual machine, a storage medium, and a computer device.
Background
With the continuous development of computer technology, computers are becoming indispensable partners of people in daily life and work, bring much convenience to work and life of people, but a discordant factor is computer virus.
Aiming at the problem of computer security caused by computer viruses, almost any enterprise or person uses antivirus software at present, but most of the antivirus software at present carries out virus searching and killing based on virus characteristics included in a virus library, namely if a certain program in a computer hits the virus characteristics in the virus library, the program is judged to be a virus program, and obviously, if a novel virus or a variant virus occurs, the virus library is difficult to deal with.
How to improve the virus killing rate of new viruses or variant viruses becomes an important problem in the field of computer security.
Disclosure of Invention
In view of this, the present application provides a virtual machine-based virus reporting method and apparatus, a storage medium, and a computer device.
According to one aspect of the application, a virus reporting method based on a virtual machine is provided, and comprises the following steps:
executing a target program to be detected in the virtual machine;
monitoring at least one virus reporting monitoring point in the execution process of the target program, and recording the use condition of the at least one virus reporting monitoring point in the execution process of the target program;
and judging whether the target program is a virus program or not according to the use condition of the target program on the virus reporting monitoring point.
Specifically, the determining, according to the usage of the target program to the virus reporting monitoring point, whether the target program is a virus program specifically includes:
calculating a virus detection value of the target program according to the use condition of the target program to the virus reporting monitoring points and the virus reporting experience value of each virus reporting monitoring point;
and if the virus detection value of the target program is greater than or equal to a preset virus empirical value, determining that the target program is a virus program.
Specifically, the method further comprises:
and if the virus detection value of the target program is smaller than the preset virus empirical value, determining that the target program is not a virus program.
Specifically, before executing the target program to be detected in the virtual machine, the method further includes:
acquiring behavior characteristics corresponding to a plurality of virus samples;
and determining the virus reporting monitoring points and the virus reporting experience values of the virus reporting monitoring points according to the behavior characteristics corresponding to the plurality of virus samples.
Specifically, the determining the virus reporting monitoring point and the virus reporting experience value of the virus reporting monitoring point according to the behavior characteristics corresponding to the plurality of virus samples specifically includes:
analyzing virus reporting key behavior characteristics of the plurality of virus samples and key weights of the virus reporting key behavior characteristics according to behavior characteristics corresponding to the plurality of virus samples and preset safety program behavior characteristics;
and determining a calling function corresponding to the key behavior characteristics of the virus reporting as the virus reporting monitoring point, and determining the key weight of the key behavior characteristics of the virus reporting as the virus reporting experience value of the virus reporting monitoring point.
Specifically, after determining that the target program is a virus program, the method further includes:
and adding the target program into a virus program library.
Specifically, the method further comprises:
and when the number of the virus programs in the virus program library exceeds a preset number threshold, acquiring behavior characteristics corresponding to the virus programs in the virus program library, and updating the virus reporting monitoring points and the virus reporting experience values of the virus reporting monitoring points according to the behavior characteristics.
According to another aspect of the present application, there is provided a virtual machine-based poison reporting apparatus, including:
the target program execution module is used for executing a target program to be detected in the virtual machine;
the monitoring module is used for monitoring at least one virus reporting monitoring point in the execution process of the target program and recording the use condition of the at least one virus reporting monitoring point in the execution process of the target program;
and the virus detection module is used for judging whether the target program is a virus program according to the use condition of the target program on the virus reporting monitoring point.
Specifically, the virus detection module specifically includes:
the detection value calculation unit is used for calculating the virus detection value of the target program according to the use condition of the target program on the virus reporting monitoring points and the virus reporting experience value of each virus reporting monitoring point;
and the virus program detection unit is used for determining that the target program is a virus program if the virus detection value of the target program is greater than or equal to a preset virus empirical value.
Specifically, the apparatus further comprises:
and the safety program detection unit is used for determining that the target program is not the virus program if the virus detection value of the target program is smaller than the preset virus empirical value.
Specifically, the apparatus further comprises:
the behavior characteristic acquisition module is used for acquiring behavior characteristics corresponding to a plurality of virus samples before executing a target program to be detected in the virtual machine;
and the monitoring point determining module is used for determining the virus reporting monitoring points and the virus reporting experience values of the virus reporting monitoring points according to the behavior characteristics corresponding to the plurality of virus samples.
Specifically, the monitoring point determining module specifically includes:
the weight determining unit is used for analyzing the virus reporting key behavior characteristics of the plurality of virus samples and the key weight of the virus reporting key behavior characteristics according to the behavior characteristics corresponding to the plurality of virus samples and the preset safety program behavior characteristics;
and the empirical value determining unit is used for determining a calling function corresponding to the key behavior characteristics of the virus reporting as the virus reporting monitoring point and determining the key weight of the key behavior characteristics of the virus reporting as the virus reporting empirical value of the virus reporting monitoring point.
Specifically, the apparatus further comprises:
and the virus library establishing module is used for adding the target program into the virus library after determining that the target program is the virus program.
Specifically, the apparatus further comprises:
and the monitoring point updating module is used for acquiring the behavior characteristics corresponding to the virus programs in the virus program library when the number of the virus programs in the virus program library exceeds a preset number threshold, and updating the virus reporting monitoring points and the virus reporting experience values of the virus reporting monitoring points according to the behavior characteristics.
According to yet another aspect of the present application, there is provided a storage medium having stored thereon a computer program which, when executed by a processor, implements the virtual machine-based virus notification method described above.
According to yet another aspect of the present application, there is provided a computer device, including a storage medium, a processor, and a computer program stored on the storage medium and executable on the processor, the processor implementing the virtual machine based virus notification method when executing the program.
By means of the technical scheme, the virtual machine based virus reporting method and device, the storage medium and the computer equipment record the use condition of the target program needing virus detection to the virus reporting monitoring point in the execution process by using the virtual machine technology, then perform heuristic virus checking and killing on the use condition of the virus reporting monitoring point according to the extracted target program, and detect whether the target program is a virus program. The method and the system utilize the virtual machine technology, not only can effectively obtain the running record of the target program when the target program is executed in the virtual machine, but also can not influence the real computer environment to protect the safety of the computer, and simultaneously, heuristic virus detection is carried out based on the running record of the target program, so that the method and the system are helpful for improving the detection rate of unknown viruses such as novel viruses and variant viruses.
The foregoing description is only an overview of the technical solutions of the present application, and the present application can be implemented according to the content of the description in order to make the technical means of the present application more clearly understood, and the following detailed description of the present application is given in order to make the above and other objects, features, and advantages of the present application more clearly understandable.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 shows a schematic flowchart of a virtual machine-based virus reporting method according to an embodiment of the present application;
fig. 2 is a schematic flowchart illustrating another virtual machine-based virus notification method according to an embodiment of the present application;
fig. 3 is a schematic structural diagram illustrating a virtual machine-based virus reporting apparatus according to an embodiment of the present application;
fig. 4 shows a schematic structural diagram of another virtual machine-based virus reporting apparatus according to an embodiment of the present application.
Detailed Description
The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
In this embodiment, a virus reporting method based on a virtual machine is provided, as shown in fig. 1, the method includes:
step 101, executing a target program to be detected in a virtual machine;
102, monitoring at least one virus reporting monitoring point in the execution process of the target program, and recording the use condition of the at least one virus reporting monitoring point in the execution process of the target program;
and 103, judging whether the target program is a virus program according to the use condition of the target program to the virus reporting monitoring point.
In the prior art, a virus library established in advance is usually used, and virus feature matching is performed on features of a program to be detected according to virus features contained in a virus program stored in the virus library, and if the features of the program to be detected hit the virus library, the program is a virus-carrying program. If new viruses or variant viruses appear, the viruses are difficult to accurately detect by using the original virus library, and the defense on unknown viruses cannot be realized.
In order to solve the above-mentioned defects in the prior art, in the embodiment of the present application, heuristic virus checking is adopted, where heuristic virus checking refers to determining whether a program to be detected is a virus-carrying program by using an execution characteristic exhibited by the program in an execution process. Specifically, the general characteristics of the execution behaviors of the virus program are analyzed, and then virus detection is performed according to the general execution characteristics of the virus program. For example, a virus program writes a file into a system directory, reads and writes a boot area, writes a registry boot entry, opens another process, reads and writes another process, dynamically loads a DLL, and dynamically obtains an API address, and for a family virus, there may be a series of execution features that refer to the same library function, use the same icon, use a more unique import module, and so on.
In addition, in the existing method for acquiring the execution characteristics of the target program, a mode of injecting a DLL into the target process and monitoring a calling function in the DLL is generally adopted, and this mode mainly has two defects that the target process may have countermeasure means such as injection prevention and API hook prevention to prevent an execution sequence from being acquired, and the target process may have an influence on a real computer environment, and the computer system may be infected by a virus while the virus is found.
In order to overcome the defect of obtaining the execution characteristics, in the embodiment of the present application, a virtual machine technology is used, and an object program that needs to be subjected to virus detection is placed in a virtual machine for execution, because the virtual machine is a simulation of a real computer, if the object program calls a function when executed in the real computer, a stub function corresponding to the function is called when executed in the virtual machine, and therefore, an operation record of the object program when executed in the virtual machine can reflect an operation record of the object program when executed in the real computer. The running record of the virtual machine when the target program is executed can be effectively obtained, and the real computer environment cannot be influenced, so that the safety of the computer is protected.
With reference to the above description, in steps 101 to 103, first, an executable target program is allocated to a virtual machine, the virtual machine loads and runs the target program, and meanwhile, in an execution process of the target program, at least one pre-defined virus reporting monitoring point is monitored, where the virus reporting monitoring point is a unit in the virtual machine that is usually used in the execution process of the virus program, and specifically, the virus reporting monitoring point may be a stub function in the virtual machine, and if the virus reporting monitoring point is used in the execution process of the target program, the log is recorded, and then, according to a usage situation of the virus reporting monitoring point in the execution process of the virtual machine by the target program, whether the target program is a virus program is analyzed, for example, if a certain target program uses most of the pre-agreed virus reporting monitoring points in the execution process of the target program, the target program is likely to be a virus program, the virus detection based on the virtual machine is realized through the method.
By applying the technical scheme of the embodiment, the virtual machine technology is utilized to record the use condition of the virus reporting monitoring point in the execution process of the target program needing virus detection, and then the heuristic virus checking and killing is carried out on the use condition of the virus reporting monitoring point according to the extracted target program to detect whether the target program is a virus program. The method and the system utilize the virtual machine technology, not only can effectively obtain the running record of the target program when the target program is executed in the virtual machine, but also can not influence the real computer environment to protect the safety of the computer, and simultaneously, heuristic virus detection is carried out based on the running record of the target program, so that the method and the system are helpful for improving the detection rate of unknown viruses such as novel viruses and variant viruses.
Further, as a refinement and an extension of the specific implementation of the above embodiment, in order to fully describe the specific implementation process of the embodiment, another virtual machine-based virus notification method is provided, as shown in fig. 2, the method includes:
step 201, acquiring behavior characteristics corresponding to a plurality of virus samples;
step 202, determining a virus reporting monitoring point and a virus reporting experience value of the virus reporting monitoring point according to the behavior characteristics corresponding to the plurality of virus samples.
In step 201 and step 202, before virus program detection is performed, which positions in the virtual machine are to be monitored are determined, specifically, a large number of virus samples are analyzed, wherein a virus sample is an executable program containing a virus, behavior characteristics of the virus sample are extracted, the behavior characteristics may include functions called by the virus sample in an execution process and a sequence of calling functions, then the behavior characteristics of the virus sample are summarized, general behavior characteristics of the virus sample are extracted, characteristics with large differences between the virus sample and a security program are summarized, so that calling functions corresponding to the characteristics are determined according to the general behavior characteristics of the virus sample and the characteristics with large differences from the security program, the calling functions are virus reporting monitoring points, and the executable program suspected to contain the virus can be quickly locked through monitoring the virus reporting monitoring points, in addition, the importance degree of each monitoring point, namely the virus reporting experience value, is determined according to the general behavior characteristics of the virus sample and the safety program with larger difference, so that the behavior characteristics of the target program are quantified, and the virus program is locked by monitoring the virus reporting monitoring points more accurately.
The step 202 specifically includes:
2021, analyzing the virus reporting key behavior characteristics of the plurality of virus samples and the key weight of the virus reporting key behavior characteristics according to the behavior characteristics corresponding to the plurality of virus samples and the preset safety program behavior characteristics;
step 2022, determining a call function corresponding to the key behavior feature of the virus reporting as a virus reporting monitoring point, and determining the key weight of the key behavior feature of the virus reporting as a virus reporting experience value of the virus reporting monitoring point.
In step 2021 and step 2022, by analyzing and summarizing the behavior characteristics of a large number of virus samples and security samples, the general behavior characteristics of the virus samples and the behavior characteristics greatly different from the security samples are summarized, so that the behavior characteristics are used as the key behavior characteristics of virus detection, the structures related to the key behavior characteristics are used as virus reporting monitoring points, and statistical analysis is performed to quantify the importance degree of each key behavior characteristic, that is, the key weight of each virus reporting key behavior characteristic, so as to obtain the virus reporting experience value of each virus reporting monitoring point, thereby providing quantitative analysis rules for virus detection.
Step 203, executing the target program to be detected in the virtual machine;
step 204, monitoring at least one virus reporting monitoring point in the execution process of the target program, and recording the use condition of the at least one virus reporting monitoring point in the execution process of the target program;
step 205, calculating a virus detection value of the target program according to the use condition of the target program to the virus reporting monitoring points and the virus reporting experience value of each virus reporting monitoring point;
in step 206, if the virus detection value of the target program is greater than or equal to the preset virus empirical value, it is determined that the target program is a virus program.
Step 207, if the virus detection value of the target program is smaller than the preset virus empirical value, it is determined that the target program is not a virus program.
In the above steps 203 to 207, a quantitative detection method of the virus program is defined. Specifically, in step 203 and step 204, when the target program is executed in the virtual machine, the preset virus reporting monitoring points are monitored, and the calling condition of the target program to each virus reporting monitoring point in the virtual machine is recorded, where the virus reporting monitoring points may be stub functions in the virtual machine, and the use condition of each virus reporting monitoring point formed in the execution process of the target program is utilized to provide an analysis basis for virus detection.
Next, in step 205 to step 207, a virus detection value of the target program is calculated according to a pre-established virus reporting experience value corresponding to each virus reporting monitoring point, where the virus detection value of the target program may be a sum of virus reporting experience values corresponding to each virus reporting monitoring point used by the target program, for example, the target program calls the virus reporting monitoring point A, B, C, D, the virus reporting experience values of the virus reporting monitoring point A, B, C, D are 1, 2, and 3, respectively, and then the virus reporting detection value of the target program is 1+1+2+3 ═ 7. And then judging the relation between the virus reporting empirical value of the target program and a preset virus empirical value to determine whether the target program is a virus program, wherein the preset virus empirical value is obtained by analyzing a large number of virus samples and safety samples, and the preset virus empirical value is used as a partition to maximally distinguish the virus reporting empirical value of the virus sample from the virus reporting empirical value of the safety sample. For example, if the preset virus experience value is 5, if the preset virus experience value is greater than or equal to 5, the target program is determined to be a virus program, and if the preset virus experience value is less than 5, the target program is not a virus program, and in the example of the target program, the target program may be considered to be a virus program.
After determining that the target program is a virus program, step 208, the target program is added to a virus program library.
Step 209, when the number of the virus programs in the virus program library exceeds a preset number threshold, acquiring behavior characteristics corresponding to the virus programs in the virus program library, and updating the virus reporting monitoring points and the virus reporting experience values of the virus reporting monitoring points according to the behavior characteristics.
In step 208 and step 209, in order to improve the accuracy of judging the virus program, it is necessary to continuously correct the virus reporting experience values of the virus reporting monitoring points and the virus reporting verification points and the preset virus experience values, specifically, a target program determined as a virus program may be used as a virus sample, and a target program determined as a safety program may be used as a safety sample, and the virus reporting experience values of the virus reporting monitoring points and the virus reporting monitoring points, and even the preset virus experience values, are continuously updated and corrected by using the methods in step 201 and step 202, so that the method is more suitable for detecting a continuously changing virus.
It should be noted that, by detecting the virus reporting monitoring points, the present application may also detect a virus program by using a calling feature of the target program to each of the virus reporting monitoring points, and the second virus detection method provided in the embodiment of the present application may specifically include:
step A1, acquiring a preset execution characteristic list, wherein the preset execution characteristic list comprises a preset execution characteristic blacklist;
step A2, determining the execution characteristics of the target program according to the use condition of the target program on the virus reporting monitoring point, and inquiring whether the execution characteristics of the target program belong to malicious execution characteristics contained in a preset execution characteristic blacklist;
step a3, if the execution characteristic of the target program belongs to the malicious execution characteristic, determining that the target program contains a virus.
Step A4, if the execution characteristics of the target program do not belong to the malicious execution characteristics, querying whether the execution characteristics of the target program belong to the safe execution characteristics contained in the preset execution characteristic white list;
step a5, if the execution characteristic of the target program belongs to the safe execution characteristic, determining that the target program does not contain virus.
Step a6, if the execution characteristics of the target program do not belong to the security execution characteristics, the target program is marked as a suspicious program, and the execution characteristics corresponding to the suspicious program are reported to the virus management system, so as to analyze whether the suspicious program contains viruses or not by using the virus management system.
In the above steps a1 to a6, whether the target program is infected is determined by using a preset execution feature list, where the preset execution feature list includes a black list and a white list, the black list stores malicious execution features, which are presented when the virus program is called, in advance, and the white list stores security execution features, which are presented when the security program is called, in advance. And if the execution characteristics of the target program do not hit the blacklist or the white list, the program is judged to be a suspicious program, and the suspicious program is reported to a virus management system to further judge the program, wherein the virus management system can be specifically an expert system.
In addition, if the target program is a suspicious program, the malicious program management system can be reported, so that whether the target program is infected or not is judged by the malicious program management system, and the virus reporting monitoring point, the virus reporting experience value of the virus reporting verification point and the preset virus experience value are corrected according to the judgment result of the malicious program management system, so that the accuracy and the efficiency of virus detection are improved.
Further, as a specific implementation of the method in fig. 1, an embodiment of the present application provides a virus reporting apparatus based on a virtual machine, and as shown in fig. 3, the apparatus includes: target program execution module 31, monitoring module 32, virus detection module 33.
An object program execution module 31, configured to execute an object program to be detected in a virtual machine;
the monitoring module 32 is configured to monitor at least one virus reporting monitoring point during the execution process of the target program, and record a use condition of the at least one virus reporting monitoring point during the execution process of the target program;
and the virus detection module 33 is configured to determine whether the target program is a virus program according to the use condition of the target program to the virus reporting monitoring point.
In a specific application scenario, as shown in fig. 4, the virus detection module 33 specifically includes: detection value calculation section 331 and virus program detection section 332.
The detection value calculation unit 331 is configured to calculate a virus detection value of the target program according to a usage situation of the virus reporting monitoring points by the target program and a virus reporting experience value of each virus reporting monitoring point;
the virus program detecting unit 332 is configured to determine that the target program is a virus program if the virus detection value of the target program is greater than or equal to the preset virus empirical value.
In a specific application scenario, as shown in fig. 4, the virus detection module 33 further includes: a security program detecting unit 333.
And the safety program detection unit 333 is configured to determine that the target program is not a virus program if the virus detection value of the target program is smaller than a preset virus empirical value.
In a specific application scenario, as shown in fig. 4, the apparatus further includes: a behavior characteristic obtaining module 34 and a monitoring point determining module 35.
A behavior feature obtaining module 34, configured to obtain behavior features corresponding to multiple virus samples before executing a target program to be detected in a virtual machine;
and the monitoring point determining module 35 is configured to determine a virus reporting monitoring point and a virus reporting experience value of the virus reporting monitoring point according to behavior characteristics corresponding to the plurality of virus samples.
In a specific application scenario, as shown in fig. 4, the monitoring point determining module 35 specifically includes: a weight determination unit 351 and an empirical value determination unit 352.
The weight determining unit 351 is configured to analyze the virus reporting key behavior characteristics of the multiple virus samples and the key weights of the virus reporting key behavior characteristics according to the behavior characteristics corresponding to the multiple virus samples and the preset security program behavior characteristics;
the empirical value determining unit 352 is configured to determine a call function corresponding to the toxicity reporting key behavior feature as a toxicity reporting monitoring point, and determine a key weight of the toxicity reporting key behavior feature as an toxicity reporting empirical value of the toxicity reporting monitoring point.
In a specific application scenario, as shown in fig. 4, the apparatus further includes: a virus library creation module 36.
And a virus library establishing module 36, configured to add the target program into the virus library after determining that the target program is a virus program.
In a specific application scenario, as shown in fig. 4, the apparatus further includes: a monitoring point update module 37.
And the monitoring point updating module 37 is configured to, when the number of the virus programs in the virus program library exceeds a preset number threshold, obtain behavior characteristics corresponding to the virus programs in the virus program library, and update the virus reporting monitoring points and the virus reporting experience values of the virus reporting monitoring points according to the behavior characteristics.
It should be noted that, the virus reporting device based on the virtual machine in the embodiment of the present application is further configured to:
step A1, acquiring a preset execution characteristic list, wherein the preset execution characteristic list comprises a preset execution characteristic blacklist;
step A2, determining the execution characteristics of the target program according to the use condition of the target program on the virus reporting monitoring point, and inquiring whether the execution characteristics of the target program belong to malicious execution characteristics contained in a preset execution characteristic blacklist;
step a3, if the execution characteristic of the target program belongs to the malicious execution characteristic, determining that the target program contains a virus.
Step A4, if the execution characteristics of the target program do not belong to the malicious execution characteristics, querying whether the execution characteristics of the target program belong to the safe execution characteristics contained in the preset execution characteristic white list;
step a5, if the execution characteristic of the target program belongs to the safe execution characteristic, determining that the target program does not contain virus.
Step a6, if the execution characteristics of the target program do not belong to the security execution characteristics, the target program is marked as a suspicious program, and the execution characteristics corresponding to the suspicious program are reported to the virus management system, so as to analyze whether the suspicious program contains viruses or not by using the virus management system.
In the above steps a1 to a6, whether the target program is infected is determined by using a preset execution feature list, where the preset execution feature list includes a black list and a white list, the black list stores malicious execution features, which are presented when the virus program is called, in advance, and the white list stores security execution features, which are presented when the security program is called, in advance. And if the execution characteristics of the target program do not hit the blacklist or the white list, the program is judged to be a suspicious program, and the suspicious program is reported to a virus management system to further judge the program, wherein the virus management system can be specifically an expert system.
In addition, if the target program is a suspicious program, the malicious program management system can be reported, so that whether the target program is infected or not is judged by the malicious program management system, and the virus reporting monitoring point, the virus reporting experience value of the virus reporting verification point and the preset virus experience value are corrected according to the judgment result of the malicious program management system, so that the accuracy and the efficiency of virus detection are improved.
It should be noted that other corresponding descriptions of the functional units related to the virus reporting device based on the virtual machine provided in the embodiment of the present application may refer to the corresponding descriptions in fig. 1 and fig. 2, and are not described herein again.
Based on the methods shown in fig. 1 and fig. 2, correspondingly, the present application further provides a storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the virtual machine-based virus notification method shown in fig. 1 and fig. 2 is implemented.
Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.), and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the implementation scenarios of the present application.
Based on the method shown in fig. 1 and fig. 2 and the virtual device embodiment shown in fig. 3 and fig. 4, in order to achieve the above object, an embodiment of the present application further provides a computer device, which may specifically be a personal computer, a server, a network device, and the like, where the computer device includes a storage medium and a processor; a storage medium for storing a computer program; a processor for executing a computer program to implement the virtual machine based virus notification method as described above with reference to fig. 1 and 2.
Optionally, the computer device may also include a user interface, a network interface, a camera, Radio Frequency (RF) circuitry, sensors, audio circuitry, a WI-FI module, and so forth. The user interface may include a Display screen (Display), an input unit such as a keypad (Keyboard), etc., and the optional user interface may also include a USB interface, a card reader interface, etc. The network interface may optionally include a standard wired interface, a wireless interface (e.g., a bluetooth interface, WI-FI interface), etc.
It will be appreciated by those skilled in the art that the present embodiment provides a computer device architecture that is not limiting of the computer device, and that may include more or fewer components, or some components in combination, or a different arrangement of components.
The storage medium may further include an operating system and a network communication module. An operating system is a program that manages and maintains the hardware and software resources of a computer device, supporting the operation of information handling programs, as well as other software and/or programs. The network communication module is used for realizing communication among components in the storage medium and other hardware and software in the entity device.
Through the description of the above embodiment, those skilled in the art can clearly understand that the present application can be implemented by software plus a necessary general hardware platform, and also can be implemented by hardware, where the usage of the virus reporting monitoring point by the target program that needs to be virus-detected in the execution process is recorded by using a virtual machine technology, and then a heuristic virus check and kill is performed on the usage of the virus reporting monitoring point according to the extracted target program to detect whether the target program is a virus program. The method and the system utilize the virtual machine technology, not only can effectively obtain the running record of the target program when the target program is executed in the virtual machine, but also can not influence the real computer environment to protect the safety of the computer, and simultaneously, heuristic virus detection is carried out based on the running record of the target program, so that the method and the system are helpful for improving the detection rate of unknown viruses such as novel viruses and variant viruses.
Those skilled in the art will appreciate that the figures are merely schematic representations of one preferred implementation scenario and that the blocks or flow diagrams in the figures are not necessarily required to practice the present application. Those skilled in the art will appreciate that the modules in the devices in the implementation scenario may be distributed in the devices in the implementation scenario according to the description of the implementation scenario, or may be located in one or more devices different from the present implementation scenario with corresponding changes. The modules of the implementation scenario may be combined into one module, or may be further split into a plurality of sub-modules.
The above application serial numbers are for description purposes only and do not represent the superiority or inferiority of the implementation scenarios. The above disclosure is only a few specific implementation scenarios of the present application, but the present application is not limited thereto, and any variations that can be made by those skilled in the art are intended to fall within the scope of the present application.

Claims (10)

1. A virus reporting method based on a virtual machine is characterized by comprising the following steps:
executing a target program to be detected in the virtual machine;
monitoring at least one virus reporting monitoring point in the execution process of the target program, and recording the use condition of the at least one virus reporting monitoring point in the execution process of the target program;
and judging whether the target program is a virus program or not according to the use condition of the target program on the virus reporting monitoring point.
2. The method according to claim 1, wherein the determining whether the target program is a virus program according to the usage of the virus reporting monitoring point by the target program specifically comprises:
calculating a virus detection value of the target program according to the use condition of the target program to the virus reporting monitoring points and the virus reporting experience value of each virus reporting monitoring point;
and if the virus detection value of the target program is greater than or equal to a preset virus empirical value, determining that the target program is a virus program.
3. The method of claim 2, further comprising:
and if the virus detection value of the target program is smaller than the preset virus empirical value, determining that the target program is not a virus program.
4. The method according to claim 2 or 3, wherein before the target program to be detected is executed in the virtual machine, the method further comprises:
acquiring behavior characteristics corresponding to a plurality of virus samples;
and determining the virus reporting monitoring points and the virus reporting experience values of the virus reporting monitoring points according to the behavior characteristics corresponding to the plurality of virus samples.
5. The method according to claim 4, wherein the determining the virus reporting monitor point and the virus reporting experience value of the virus reporting monitor point according to the behavior characteristics corresponding to the plurality of virus samples specifically comprises:
analyzing virus reporting key behavior characteristics of the plurality of virus samples and key weights of the virus reporting key behavior characteristics according to behavior characteristics corresponding to the plurality of virus samples and preset safety program behavior characteristics;
and determining a calling function corresponding to the key behavior characteristics of the virus reporting as the virus reporting monitoring point, and determining the key weight of the key behavior characteristics of the virus reporting as the virus reporting experience value of the virus reporting monitoring point.
6. The method of claim 4 or 5, wherein after determining that the target program is a virus program, the method further comprises:
and adding the target program into a virus program library.
7. The method of claim 6, further comprising:
and when the number of the virus programs in the virus program library exceeds a preset number threshold, acquiring behavior characteristics corresponding to the virus programs in the virus program library, and updating the virus reporting monitoring points and the virus reporting experience values of the virus reporting monitoring points according to the behavior characteristics.
8. A virus reporting device based on a virtual machine is characterized by comprising:
the target program execution module is used for executing a target program to be detected in the virtual machine;
the monitoring module is used for monitoring at least one virus reporting monitoring point in the execution process of the target program and recording the use condition of the at least one virus reporting monitoring point in the execution process of the target program;
and the virus detection module is used for judging whether the target program is a virus program according to the use condition of the target program on the virus reporting monitoring point.
9. A storage medium having stored thereon a computer program, wherein the program, when executed by a processor, implements the virtual machine based virus notification method of any of claims 1 to 7.
10. A computer device comprising a storage medium, a processor, and a computer program stored on the storage medium and executable on the processor, wherein the processor implements the virtual machine based virus notification method of any one of claims 1 to 7 when executing the program.
CN201910945353.1A 2019-09-30 2019-09-30 Virtual machine-based poison reporting method and device, storage medium and computer equipment Pending CN112580025A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910945353.1A CN112580025A (en) 2019-09-30 2019-09-30 Virtual machine-based poison reporting method and device, storage medium and computer equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910945353.1A CN112580025A (en) 2019-09-30 2019-09-30 Virtual machine-based poison reporting method and device, storage medium and computer equipment

Publications (1)

Publication Number Publication Date
CN112580025A true CN112580025A (en) 2021-03-30

Family

ID=75117194

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910945353.1A Pending CN112580025A (en) 2019-09-30 2019-09-30 Virtual machine-based poison reporting method and device, storage medium and computer equipment

Country Status (1)

Country Link
CN (1) CN112580025A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116680696A (en) * 2023-08-04 2023-09-01 深圳市科力锐科技有限公司 Virus program detection method, device and system
CN117014211A (en) * 2023-08-16 2023-11-07 华能信息技术有限公司 A dynamic defense method and system for power plant network security based on big data

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101924762A (en) * 2010-08-18 2010-12-22 奇智软件(北京)有限公司 Active defense method based on cloud security
CN102682229A (en) * 2011-03-11 2012-09-19 北京市国路安信息技术有限公司 Malicious code behavior detection method based on virtualization technology
CN103793650A (en) * 2013-12-02 2014-05-14 北京邮电大学 Static analysis method and device for Android application program
CN106682516A (en) * 2016-12-23 2017-05-17 宇龙计算机通信科技(深圳)有限公司 Detection method, detection device and server of application programs
CN106709343A (en) * 2016-07-26 2017-05-24 腾讯科技(深圳)有限公司 Virus monitoring method and device
JP2017142744A (en) * 2016-02-12 2017-08-17 日本電気株式会社 Information processing apparatus, virus detection method, and program

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101924762A (en) * 2010-08-18 2010-12-22 奇智软件(北京)有限公司 Active defense method based on cloud security
CN102682229A (en) * 2011-03-11 2012-09-19 北京市国路安信息技术有限公司 Malicious code behavior detection method based on virtualization technology
CN103793650A (en) * 2013-12-02 2014-05-14 北京邮电大学 Static analysis method and device for Android application program
JP2017142744A (en) * 2016-02-12 2017-08-17 日本電気株式会社 Information processing apparatus, virus detection method, and program
CN106709343A (en) * 2016-07-26 2017-05-24 腾讯科技(深圳)有限公司 Virus monitoring method and device
CN106682516A (en) * 2016-12-23 2017-05-17 宇龙计算机通信科技(深圳)有限公司 Detection method, detection device and server of application programs

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116680696A (en) * 2023-08-04 2023-09-01 深圳市科力锐科技有限公司 Virus program detection method, device and system
CN116680696B (en) * 2023-08-04 2024-02-13 深圳市科力锐科技有限公司 Virus program detection method, device and system
CN117014211A (en) * 2023-08-16 2023-11-07 华能信息技术有限公司 A dynamic defense method and system for power plant network security based on big data

Similar Documents

Publication Publication Date Title
KR102307534B1 (en) Systems and methods for tracking malicious behavior across multiple software entities
JP5738283B2 (en) False alarm detection for malware scanning
US10372909B2 (en) Determining whether process is infected with malware
US10216934B2 (en) Inferential exploit attempt detection
US20130275981A1 (en) System, method, and computer program product for monitoring an execution flow of a function
TW201717086A (en) Detecting software attacks on processes in computing devices
CN112395597A (en) Method and device for detecting website application vulnerability attack and storage medium
CN112580041B (en) Malicious program detection method and device, storage medium, computer equipment
CN109815701B (en) Software security detection method, client, system and storage medium
CN112580025A (en) Virtual machine-based poison reporting method and device, storage medium and computer equipment
Sinha et al. Integrated malware analysis sandbox for static and dynamic analysis
Dai et al. Behavior-based malware detection on mobile phone
CN108197475B (en) Malicious so module detection method and related device
US10417414B2 (en) Baseline calculation for firewalling
CN111538986A (en) Device and method for dynamically measuring trusted state of computer based on call stack track
CN109802955B (en) Permission control method and device, storage medium, and computer equipment
CN109271787A (en) A kind of operating system security active defense method and operating system
CN112580024A (en) Virtual machine simulation method and device, storage medium and computer equipment
CN112580043B (en) Antivirus method and device, storage medium, and computer equipment based on virtual machine
CN112395600A (en) False alarm removing method, device and equipment for malicious behaviors
CN114021134B (en) Program processing method and device based on associated program tracking and storage medium
CN112398784A (en) Method and device for defending vulnerability attack, storage medium and computer equipment
CN112580034B (en) Method and device for verifying unshelled file, storage medium and computer equipment
CN112580033B (en) Anti-malicious program method and device, storage medium, computer equipment
CN112580042B (en) Method and device for combating malicious programs, storage medium and computer equipment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20210330