共查询到20条相似文献,搜索用时 187 毫秒
1.
代码迷惑是一种以增加理解难度为目的的代码变换技术,主要来保护软件免遭逆向分析。恶意代码的作者为了躲避检测经常采用代码迷惑技术对程序进行转换。但是商用反病毒软件采用基于特征码的模式匹配技术而忽略了恶意代码的语义,因此最容易受到代码迷惑或病毒变种的攻击。文章中提出一种基于语义匹配的检测算法,能准确的检测出经过代码迷惑处理的恶意代码。该方法应用数据流分析技术,以变量定义使用链为单元检测每个模板及程序节点。最后通过部分实验展示了原型系统的检测效果。 相似文献
2.
《每周电脑报》2001,(37)
熊猫国际反病毒公司推出《熊猫卫士》钛金版(Titanium)防病毒软件,这款软件是熊猫公司在中国区推出的第二款单机版产品。该产品的反病毒内核代码和系统性能均比上一版本有所提高。它采用“UltraFast100%”超高速反病毒扫描引擎,整个病毒扫描程序的的运行速度因此而提高了30%。钛金版采用了 SmartClean 技术,这是一种针对计算机病毒和有害程序代码的系统修复技术,可以清除病毒并修复被病毒、木马、蠕虫破坏过的计算机系统,使之恢复为原先的配置;还可以通过“执行详尽的启发式扫描”检测出未知病毒或潜在的危险病毒,其中包括病毒代码库中还没有的病毒。它是全球第一个该领域内的国 相似文献
3.
4.
5.
6.
《每周电脑报》1999,(30)
7月26日,NAI 宣布其用于 Exchange 的新版本 GmupShield 软件开始发售,可用来抗击 Email 携带病毒.作为反病毒群件产品,现在 GroupShield 使用具有ViruLogic 功能的“双重启发”式技术,对于 Exchange 可以查出过去不认识的病毒。大多数反病毒程序使用传统的病毒特征文件匹配技术,单启发式扫描根据类似病毒行为的特征来发现新的未知的病毒。由于启发式扫描会因为虚假警报而增加用户负担,这种检测常被禁止,而使得系统留下新病毒可乘之机。使用ViruLogic 技术,用于 Exchange 的GroupShield 提供了“双重启发式”扫描技术,消除了这种虚假警报,从而提高了检测新病毒的精确度。 相似文献
7.
9月17日,北京瑞星科技股份有限公司正式宣布推出其最新版本杀毒软件——《瑞星杀毒软件2002版》。此产品采用了一种被称作“病毒行为判断分析”的专利技术,能在病毒爆发前确定其是否有害并采取相应的防范措施。这一天对于我国反病毒市场来说无疑是一个值得记住的日子,因为“病毒行为判断分析”技术不同于传统的病毒扫描技术,此技术可以自动对新出现病毒的行为方式进行分析判断,一改反病毒软件滞后于病毒传播的现状。相对于目前依赖病毒特征代码比对进行病毒查杀的传统病毒防范措施来说,“病毒行为判断分析”的专利技术无疑是一种超越。可以说反病毒技术已经进入了 相似文献
8.
朱俚治 《网络安全技术与应用》2014,(9):80-81
当今的病毒是多种多样的,为了有效应对这些众多的病毒,计算机病毒检测安全人员必须使得病毒检测算法具有智能性.病毒特征代码算法是一种常用的病毒检测算法,但该算法缺乏一定的智能性,因此本文将一些智能性算法在其算法上进行应用.MMTD算法和模拟退火算法是两种智能性算法,这两种算法将进一步增强病毒特征代码算法的智能性,因此本文提出的算法能够进一步提高目前病毒的检测的智能性. 相似文献
9.
刘正宏 《网络安全技术与应用》2009,(5):19-20
变形病毒给传统的特征值匹配反病毒技术带来巨大的挑战,本文重点对变形病毒的原理及技术进行深入的分析,并提出了基于虚拟机的动态码扫描技术来检测变形病毒,可以有效防止这类病毒的蔓延,更好地保护网络及信息的安全。 相似文献
10.
特征代码检测方法是一种严谨的病毒检测解决方法,在病毒防杀领域应用很广泛,具有较大的研究价值.对几种病毒检测技术分析研究,并且以文件过滤驱动的方法对特征代码检测方法进行了实现,针对这种方法的缺点提出了优化方案,添加专门的内核线程负责处理规则匹配.经过测试表明,优化方案比原有的方法处理速度更快. 相似文献
11.
Yanfang Ye Dingding Wang Tao Li Dongyi Ye Qingshan Jiang 《Journal in Computer Virology》2008,4(4):323-334
The proliferation of malware has presented a serious threat to the security of computer systems. Traditional signature-based
anti-virus systems fail to detect polymorphic/metamorphic and new, previously unseen malicious executables. Data mining methods
such as Naive Bayes and Decision Tree have been studied on small collections of executables. In this paper, resting on the
analysis of Windows APIs called by PE files, we develop the Intelligent Malware Detection System (IMDS) using Objective-Oriented
Association (OOA) mining based classification. IMDS is an integrated system consisting of three major modules: PE parser,
OOA rule generator, and rule based classifier. An OOA_Fast_FP-Growth algorithm is adapted to efficiently generate OOA rules
for classification. A comprehensive experimental study on a large collection of PE files obtained from the anti-virus laboratory
of KingSoft Corporation is performed to compare various malware detection approaches. Promising experimental results demonstrate
that the accuracy and efficiency of our IMDS system outperform popular anti-virus software such as Norton AntiVirus and McAfee
VirusScan, as well as previous data mining based detection systems which employed Naive Bayes, Support Vector Machine (SVM)
and Decision Tree techniques. Our system has already been incorporated into the scanning tool of KingSoft’s Anti-Virus software.
A short version of the paper is appeared in [33]. The work is partially supported by NSF IIS-0546280 and an IBM Faculty Research
Award. The authors would also like to thank the members in the anti-virus laboratory at KingSoft Corporation for their helpful
discussions and suggestions. 相似文献
12.
A non-signature-based virus detection approach using Self-Organizing Maps (SOMs) is presented in this paper. Unlike classical virus detection techniques using virus signatures, this SOM-based approach can detect virus-infected files without any prior knowledge of virus signatures. Exploiting the fact that virus code is inserted into a complete file which was built using a certain compiler, an untrained SOM can be trained in one go with a single virus-infected file and will then present an area of high density data, identifying the virus code through SOM projection. The virus detection approach presented in this paper has been tested on 790 different virus-infected files, including polymorphic and encrypted viruses. It detects viruses without any prior knowledge – e.g. without knowledge of virus signatures or similar features – and is therefore assumed to be highly applicable to the detection of new, unknown viruses. This non-signature-based virus detection approach was capable of detecting 84% of the virus-infected files in the sample set which included, as already mentioned, polymorphic and encrypted viruses. The false positive rate was 30%. The combination of the classical virus detection technique for known viruses and this SOM-based technique for unknown viruses can help systems be even more secure. 相似文献
13.
在恶意代码自动分析系统中,对恶意样本进行文件格式检查,并判断其是否被加壳是对其进行自动分析的第一步。为了对加壳PE可执行文件实现更加准确的识别,提出一个基于文件头和部分文件内容的PE文件加壳检测规则(NFPS)。通过提取PE文件中5个方面的特征值,并按照NFPS规则进行计算,即可判定PE文件是否被加壳。经测试,其检测率高达95%以上,并支持多层壳的循环检测。 相似文献
14.
自从第一例计算机病毒被发现以来,特征码法一直是病毒检测的基本方法。但是,病毒的复杂化和变形病毒的出现,限制了该法的有效应用。本文提出一种基于支持SVM的通用病毒智能检测方法,通过支持SVM算法的应用,使得检测系统在小样本的情形下仍具有良好的泛化能力。然后,以系统API函数调用执行迹为例,测试了该法的检测性能,并
将实验结果与其他检测方法进行了比较。实验表明,API函数调用序列在区分正常与恶意PE格式程序文件上有很好的辨别力,发现基于支持SVM的病毒检测系统所需要的先验知
知识小于其他方法。而且,当检测性能相当时,系统的训练时间将会缩短。 相似文献
将实验结果与其他检测方法进行了比较。实验表明,API函数调用序列在区分正常与恶意PE格式程序文件上有很好的辨别力,发现基于支持SVM的病毒检测系统所需要的先验知
知识小于其他方法。而且,当检测性能相当时,系统的训练时间将会缩短。 相似文献
15.
16.
传统的文件相似性检测技术是基于源代码的,针对源代码难以获取的情况,二进制文件比对技术被提出并受到越来越多的关注。总结和分析了四种二进制文件相似性检测技术和主流的检测工具。在提出了二进制文件克隆比对的评价方法的基础上进行了实验测试。该方法针对二进制文件克隆的分类方式,设计了实验流程和相似度的计算标准。结果表明对于连续克隆,不影响调用关系的分割克隆,不影响基本块数量和调用关系的等价替换克隆,采用二进制文件相似性检测比采用基于token的源代码文件相似性检测能得到更准确的检测结果。 相似文献
17.
可执行文件病毒是计算机病毒家族中最重要的类型之一。这类病毒的特点是只感染和侵袭可执行文件(.exe,.com,.sys等)。如何对付该类病毒,本文提出了一种基于信息隐藏技术的防范该类病毒的新方法。该方法利用该类病毒只侵袭可执行文件,而不攻击数据文件的特性,将可执行文件隐藏于数据文件之中,达到保护可执行文件的目的。文中给出了将可执行文件隐藏于图像和从图像中取出的算法。实验验证了该方法的可行性。文中还分析了该方法的长处和不足。和其它防病毒方法相比,该方法的最大长处在于它不但能防范已知的可执行文件类计算机病毒,也能防范未知和未来的该类计算机病毒。 相似文献
18.
Ivan Sorokin 《Journal in Computer Virology》2011,7(4):259-265
One of the main trends in the modern anti-virus industry is the development of algorithms that help estimate the similarity
of files. Since malware writers tend to use increasingly complex techniques to protect their code such as obfuscation and
polymorphism, anti-virus software vendors face problems of the increasing difficulty of file scanning, the considerable growth
of anti-virus databases, and file storages overgrowth. For solving such problems, a static analysis of files appears to be
of some interest. Its use helps determine those file characteristics that are necessary for their comparison without executing
malware samples within a protected environment. The solution provided in this article is based on the assumption that different
samples of the same malicious program have a similar order of code and data areas. Each such file area may be characterized
not only by its length, but also by its homogeneity. In other words, the file may be characterized by the complexity of its
data order. Our approach consists of using wavelet analysis for the segmentation of files into segments of different entropy
levels and using edit distance between sequence segments to determine the similarity of the files. The proposed solution has
a number of advantages that help detect malicious programs efficiently on personal computers. First, this comparison does
not take into account the functionality of analysed files and is based solely on determining the similarity in code and data
area positions which makes the algorithm effective against many ways of protecting executable code. On the other hand, such
a comparison may result in false alarms. Therefore, our solution is useful as a preliminary test that triggers the running
of additional checks. Second, the method is relatively easy to implement and does not require code disassembly or emulation.
And, third, the method makes the malicious file record compact which is significant when compiling anti-virus databases. 相似文献
19.
Yanfang Ye Lifei Chen Dingding Wang Tao Li Qingshan Jiang Min Zhao 《Journal in Computer Virology》2009,5(4):283-293
Malicious executables are programs designed to infiltrate or damage a computer system without the owner’s consent, which have
become a serious threat to the security of computer systems. There is an urgent need for effective techniques to detect polymorphic,
metamorphic and previously unseen malicious executables of which detection fails in most of the commercial anti-virus software.
In this paper, we develop interpretable string based malware detection system (SBMDS), which is based on interpretable string
analysis and uses support vector machine (SVM) ensemble with Bagging to classify the file samples and predict the exact types
of the malware. Interpretable strings contain both application programming interface (API) execution calls and important semantic
strings reflecting an attacker’s intent and goal. Our SBMDS is carried out with four major steps: (1) first constructing the
interpretable strings by developing a feature parser; (2) performing feature selection to select informative strings related
to different types of malware; (3) followed by using SVM ensemble with bagging to construct the classifier; (4) and finally
conducting the malware detector, which not only can detect whether a program is malicious or not, but also can predict the
exact type of the malware. Our case study on the large collection of file samples collected by Kingsoft Anti-virus lab illustrate
that: (1) The accuracy and efficiency of our SBMDS outperform several popular anti-virus software; (2) Based on the signatures
of interpretable strings, our SBMDS outperforms data mining based detection systems which employ single SVM, Naive Bayes with
bagging, Decision Trees with bagging; (3) Compared with the IMDS which utilizes the objective-oriented association (OOA) based
classification on API calls, our SBMDS achieves better performance. Our SBMDS system has already been incorporated into the
scanning tool of a commercial anti-virus software. 相似文献