Automatic malicious code homology judgment method and system based on calling behaviors


Bibliographic details
Main authors: ZHANG YONGZHENG, QIAO YANCHEN, YUN XIAOCHUN
Format: Patent
Language: eng

Description
Abstract: The invention discloses an automatic malicious code homology judgment method and system based on calling behaviors. The method consists of the following steps: the intersection of the WinAPIs called by two samples is extracted; six kinds of WinAPI calling behaviors are extracted on the basis of this WinAPI intersection; and by comparing the WinAPI calling behaviors, it is judged whether the two samples are homologous. Compared with manual homology judgment, the efficiency of homology judgment is greatly improved while high accuracy is retained. The judgment method is suitable for scenarios in which, starting from a specific sample, other malicious code homologous with that sample is retrieved from a small sample set or captured online in real time, so that associations between different attack events are found quickly. The disclosed system can be deployed in a real-time malicious code detection system and used to rapidly detect other malicious code samples homologous with a given malicious code, so that the propagation of new malicious code is effectively prevented and harm and loss are reduced.