CN1625121A - A Layered Cooperative Network Virus and Malicious Code Identification Method - Google Patents

Abstract

A layered coordinate network virus and vicious code recognizing method. The characteristics are: use strong self-protection mechanism of biological immunity for reference, correspond the network virus and vicious code recognizing method to the multi-level protective mechanism of biological immunity system, judge the dangerous degree of the stand-by detected script through statistically analyzing the word frequency of the key words, based on the point view of 'self-collection' of register form operation analyze and judge the exceptional behavior of the register form written in the form route, and recognize non-self the executing sequence of the programming interface of the applied program, at last send all the exceptional behavior information to the network control station through the network. It well solves the problem of the identification of the unknown network virus and vicious code, and has good capacity of identification, realizes the monitoring and management of the network virus and vicious code of single system and the whole sub-network.

Description

A Layered Cooperative Network Virus and Malicious Code Identification Method

Technical field:

The invention belongs to the technical field of computer network security, in particular to the identification technology of network viruses and malicious codes.

Background technique:

According to the Institute of Electrical and Electronics Engineers "Potential" magazine (IEEE POTENTIALS, October 2001, pp. 16-19) published in the United States, the existing computer anti-virus identification technologies can be roughly divided into the following types: ( 1) Scanning based on signatures, mainly for known viruses. (2) virtual machine technology, its basic idea is to place suspicious programs in a virtual machine environment to execute to determine whether it is a virus, but still faces many problems such as the effect of virtual machines and how to ensure the security of virtual machines. (3) The heuristic method, whose basic idea is to try to detect family viruses and unknown viruses through generalized signatures. This method often relies on feature code technology and virtual machine technology, and the current identification effect on unknown viruses needs to be improved. (4) Behavior analysis method, that is, a method of detecting viruses by monitoring the unique behavior of viruses. This method requires first summarizing the general behavior pattern of the virus, and then designing a finite state machine corresponding to the behavior pattern, the state transition corresponds to the behavior of the program, and the acceptance state is the detection of the virus. The problem with this method is that it is difficult to generalize a general behavior pattern for new viruses that emerge in an endless stream. (5) Checksum method. This method generates a verification information in the initial state of the machine and saves it, and then reports to the police when the verification information changes abnormally (verification failure). The main problem of this method is that the implementation cost is too large, and it also faces new applications. Problems such as program installation and version upgrades. Generally speaking, in the existing computer anti-virus technology, signature code scanning technology is mainly used to identify known viruses, and other identification technologies proposed for unknown viruses have their own shortcomings and limitations.

Since network viruses and malicious codes are network security incidents that have only become popular in recent years and have caused serious harm, a method for preventing computer virus infection proposed by Chinese Patent Application No. 96114050 can only prevent some early computer viruses. This kind of anti-virus card has completely faded out of the market; the firewall system proposed by Chinese Patent Application No. 96109573 is to carry out security checks on connections or information entering and leaving the internal network, and basically does not have the ability to identify network viruses and malicious codes. Therefore, these techniques are not suitable for the identification of network viruses and malicious codes.

Invention content:

Aiming at the deficiencies of existing network virus and malicious code identification technologies, the present invention proposes a layered and collaborative network virus and malicious code identification method to solve the problem of identifying abnormal behaviors of unknown network viruses and malicious codes, and to realize the identification of a single system and the entire system. Monitoring of unknown network viruses and malicious code abnormal behavior in the subnet.

The network virus and malicious code identification method of layered collaboration of the present invention, comprise: separate keyword from script file, obtain application programming interface (Application Programming Interface: API for short) executes the sequence and the registry entry entry path, and saves the registry entry entry entry path and the API sequence in the hard disk or memory; it is characterized in that:

Statistical analysis of keyword frequency of scripts and making abnormal judgments;

Self-identify the entry path written in the registry and make abnormal judgments;

Perform non-self identification on API sequences and make abnormal judgments;

Send abnormal behavior information to the web console;

Described script file refers to the script file written in Javascript language, the script file written in VBScript language and the script file embedded in Javascript or VBScript code;

Said injecting DLL to obtain API execution sequence and registry write table item path refers to, by injecting DLL in the target program (i.e. the program to be monitored) as remote thread, and then adopting replacement input address table (Import Address Table: IAT) The method intercepts the API execution sequence of the target program, and obtains the registry entry entry path from the parameter of the registry API function;

The keyword statistical analysis of the script and making an abnormal judgment refer to separating 29 keywords copyfile, Createobject, Delete, FolderDelete, RegWrite, Virus, .Write, GetSpecialFolder, keys, opentextfile, readall, .save from the script file , startup, execute, .add, buildpath, copyfolder, createfolder, createtextfile, deletefile, fileexists, folderexists, getfile, getfolder, getparentfolder, format, .run, do copy, document.write, and perform the following steps:

(1) Divide 29 keywords into three groups. The first group is the keyword for creating an object: Createobject; the second group is a keyword for its own safe operation: Virus, . execute, .add, buildpath, fileexists, folderexists, getfile, getfolder, getparentfolder, .run, document.write; the third group is keywords with possible destructive operations: copyfile, Delete, FolderDelete, RegWrite, .save, copyfolder, createfolder, createtextfile, deletefile, format, do copy;

(2) The expected value f _i of the word frequency that these 29 keywords occur in the statistical normal script, 1≤i≤29, the expected value f _i ' of the word frequency that these 29 keywords occur in the statistical abnormal script, 1≤i≤29, Calculate the normalized word frequency difference of 29 keywords in normal and abnormal scripts $e_i=(f_i-f_i^{\′})/\underset{i=1}{\overset{29}{\mathrm{\Σ}}}(f_i-f_i^{\′}),1\≤i\≤29;$

(3) Count the frequency m _i of the keywords appearing in the current script to be detected, 1≤i≤29, calculate the risk degree Risk of the script to be detected,

$\mathrm{<span\; class="notranslate">\; risk</span>}<span\; class="notranslate">\; =</span>\mathrm{<span\; class="notranslate">\; G</span>}\underset{\mathrm{<span\; class="notranslate">\; i</span>}<span\; class="notranslate">\; =</span>\mathrm{<span\; class="notranslate">\; 1</span>}}{\overset{\mathrm{<span\; class="notranslate">\; 29</span>}}{\mathrm{<span\; class="notranslate">\; \&Sigma;</span>}}}\mathrm{<span\; class="notranslate">\; P</span>}<span\; class="notranslate">\; (</span>\mathrm{<span\; class="notranslate">\; i</span>}<span\; class="notranslate">\; )</span>\mathrm{<span\; class="notranslate">\; f</span>}<span\; class="notranslate">\; (</span>\mathrm{<span\; class="notranslate">\; i</span>}<span\; class="notranslate">\; )</span>$

Where P(i), F(i) and G are respectively:

(4) Define the risk threshold TH as:

$\mathrm{<span\; class="notranslate">\; TH</span>}<span\; class="notranslate">\; =</span>\underset{\mathrm{<span\; class="notranslate">\; i</span>}<span\; class="notranslate">\; =</span>\mathrm{<span\; class="notranslate">\; 0</span>}}{\overset{\mathrm{<span\; class="notranslate">\; 29</span>}}{\mathrm{<span\; class="notranslate">\; \&Sigma;</span>}}}\mathrm{<span\; class="notranslate">\; P</span>}<span\; class="notranslate">\; (</span>\mathrm{<span\; class="notranslate">\; i</span>}<span\; class="notranslate">\; )</span><span\; class="notranslate">\; /</span>\mathrm{<span\; class="notranslate">\; 29</span>}$

When the risk degree Risk exceeds the threshold TH, an early warning message is sent to the network console;

The self-identification of the entry path written in the registry and making an abnormal judgment take the following steps:

(1) Collect the normal registry entry path of the target program (program to be monitored) in the normal state and store it in the database. Each normal registry entry entry path is called "self", and its collection is called "self-set";

(2) Read the path of the entry in the current registry, compare it with the original "self" operation in the database, if it is not in the "self set", send the abnormal behavior information to the network console;

The following steps are taken to identify the non-self of the API sequence and make an abnormal judgment:

(1) API selection operation:

(a) Intercept the API sequence of the target program under normal conditions, and cut it into a string set S ₀ whose length is L ₀ with a sliding step size of W ₀ ;

(b) intercepting the API sequence of the target program under the poisoned running state, and truncating it into a string set R ₀ whose length is L ₀ with a sliding step size of W ₀ ;

(c) compare the different sequences in the string sets _S0 and _R0 , extract the API functions that form these sequences, and use these API functions as the API function set to be monitored;

(2) According to the selected API function, intercept the API sequence of the target program in the normal state, and cut it into a string of length L with a sliding step size of W to generate a self-set S;

(3) Obtain the current API execution sequence of the target program, and cut it into a string of length L with a sliding step size of W, and read N API sequences each time to perform the following detection process:

(a) Generate an initial detector set D ₀ : randomly generate a pre-detector according to the selected API function, filter the self (that is, delete the API sequence that matches the self), and then obtain the initial detector set; the matching strategy here is part Matching strategy, that is, two sequences match if and only if the two strings are consistent in consecutive r positions;

(b) Compare the current AP execution sequence with any detector in the detector set: if a match is found, mark the sequence and add 1 to the total matching number. When the total matching number of the API sequence to be detected in real time reaches the threshold _Gn , Send abnormal behavior information to the network console;

(c) If the evolution algebra t exceeds the threshold _Ge or all API sequences have been marked, continue to read the next batch of API sequences and perform detection; otherwise, for unmatched API sequences, based on affinity variation, gene pool evolution, The randomly generated three subsets D _A , D _G , _DR and the memory set D _M together form the next generation detector set D _t = D _A +D _G +D _R +D _M , and D _A , D _G , D _R subset satisfies $\frac{{\mathrm{D.}}_A}{1}\&ap;\frac{{\mathrm{D.}}_G}{2}\&ap;\frac{{\mathrm{D.}}_m}{1};$

A subset _of detectors D _A is generated through affinity variation, which refers to generating N _c (N _c ≥ 1 ) offspring individuals;

The detector subset D _G is generated through the evolution of the gene pool. The evolution of the gene pool refers to increasing the selection probability of the APIs that form an effective detector, that is, P _api = P _api + ΔP; and when actually generating a detector, the API selection probability passes The roulette method generates a pre-detector, and finally filters the self-generated detector subset D _G ;

By randomly generating the detector subset D _R ;

Combining existing detectors that can match abnormal sequences into a memory set D _M ;

The network console refers to a network program used to receive abnormal information obtained by analyzing and processing scripts, registry entry paths and API sequences.

Compared with the prior art, the present invention has the advantages of:

1. The present invention obtains the normalized word frequency by counting the frequency of 29 keywords selected in normal scripts and abnormal scripts, and based on this, provides a calculation method for the degree of danger and the degree of danger threshold to judge the degree of danger of the script to be detected , which solves the problem of identifying malicious scripts.

2. The present invention judges and analyzes the abnormal behavior of the entry path written in the registry based on the "self-set" of the registry operation, and is applicable to various target programs.

3. The present invention combines four learning and memory modules including gene pool evolution, random generation, affinity variation and memory set with abnormal detection of API execution sequence, so that the abnormal detection effect of non-self recognition on API sequence Better, and suitable for a variety of target programs.

4. The present invention draws lessons from the powerful self-protection mechanism of biological immunity, and for the first time unifies the three aspects of statistical analysis of script keywords, self-identification of entry paths written in the registry, and non-self identification of API execution sequences. The abnormal behavior of the target program is monitored, making the identification of unknown network viruses and malicious codes better.

5. Adopting the present invention can automatically and detailedly record the registry entry entry path and API execution sequence of the program, providing first-hand information for further analysis of network viruses and malicious codes.

In summary, the present invention draws lessons from the powerful self-protection mechanism of biological immunity, and corresponds the network virus and malicious code identification technology with the multi-layer protection mechanism of the biological immune system. The three aspects of self-identification of the entry path and non-self identification of the API execution sequence better solve the problem of abnormal behavior identification of unknown network viruses and malicious codes, and thus solve the problem of virus variants and unknown viruses in the prior art. Problems that are difficult to identify not only realize the monitoring of abnormal behaviors of network viruses and malicious codes in a single system, but also enable administrators to monitor and manage the security situation of the entire subnet in real time through the network console.

Description of drawings:

Fig. 1 is a working flow diagram of network virus and malicious code identification for layered cooperation in the present invention.

Detailed ways:

The method of the present invention will be further specifically described below in conjunction with the accompanying drawings and examples.

Example 1:

1. Use several general-purpose micro-personal computers to connect to a network environment through switches

Specifically adopted in this embodiment are three Pentium IV microcomputers, and a Dell notebook, and an enterprise server, plus a Great Wall 24-port 10M/100M adaptive Ethernet switch GES-1125 switchboard, through which several microcomputers Three Pentium IV microcomputers, a Dell notebook and an enterprise server are connected into a network.

FIG. 1 shows the workflow of identifying network viruses and malicious codes for layered collaboration in this embodiment. The direction of the arrow indicates the sequence of the work flow, the tail of the arrow is the input of the next step, and the end of the arrow is the operation of the next step. One of the Pentium series microcomputers is used to run the network console 1, and the remaining two Pentium IV microcomputers, a Dell notebook, and an enterprise server are all used to execute the statistical analysis of the keyword frequency of the script. 2. Write to the registry The table item path performs self-identification 3 and performs non-self identification 4 on the API execution sequence, and sends the analysis results of these three aspects to the network console 1 .

2. Statistical analysis of script keywords and judgment of malicious code exceptions

As shown in Figure 1, perform keyword frequency statistical analysis 2 on the script, and specifically take the following steps:

(1) Collect a large number of normal script files and malicious script files. It is recommended that there are no less than 50 normal script files and malicious script files, and separate 29 keywords copyfile, Createobject, Delete, FolderDelete, RegWrite, Virus from the script files , .Write, GetSpecialFolder, keys, opentextfile, readall, .save, startup, execute, .add, buildpath, copyfolder, createfolder, createtextfile, deletefile, fileexists, folderexists, getfile, getfolder, getparentfolder, format, .run, do copy, document.write:

(2) Divide the 29 keywords into three groups, the first group is the keyword for creating objects: Createobject, the second group is the keywords for self-safe operations: Virus, .Write, GetSpecialFolder, keys, opentextfile, readall, startup, execute, .add, buildpath, fileexists, folderexists, getfile, getfolder, getparentfolder, .run, document.write, the third group is keywords with possible damage operations: copyfile, Delete, FolderDelete, RegWrite, .save, copyfolder, createfolder, createtextfile, deletefile, format, do copy;

(3) As shown in Figure 1, the normal script keyword word frequency statistics A1: the expected value f _i (1≤i≤29) of the word frequency occurrence of these 29 keywords in the statistical normal script;

(4) Abnormal script keyword frequency statistics A2 as shown in Figure 1: the expected value f _i '(1≤i≤29) of the word frequency occurrence of these 29 keywords in the statistical malicious script;

(5) Calculate the normalized word frequency A3 as shown in Figure 1: Calculate the normalized word frequency difference of 29 keywords in normal and abnormal scripts $e_i=(f_i-f_i^{\&prime;})/\underset{i=1}{\overset{29}{\mathrm{\&Sigma;}}}(f_i-f_i^{\&prime;})(1\&le;i\&le;29);$

(6) Analysis script A4 to be detected as shown in Figure 1: read the specified script file from the hard disk or read the script file that the browser is accessing from the temporary file directory of the browser (such as IExplore.exe), the statistics are in The frequency m _i of these 29 keywords appearing in the script;

(7) Risk calculation A5 as shown in Figure 1: Calculate the risk risk of the script to be detected,

$\mathrm{<span\; class="notranslate">\; risk</span>}<span\; class="notranslate">\; =</span>\mathrm{<span\; class="notranslate">\; G</span>}\underset{\mathrm{<span\; class="notranslate">\; i</span>}<span\; class="notranslate">\; =</span>\mathrm{<span\; class="notranslate">\; 0</span>}}{\overset{\mathrm{<span\; class="notranslate">\; 29</span>}}{\mathrm{<span\; class="notranslate">\; \&Sigma;</span>}}}\mathrm{<span\; class="notranslate">\; P</span>}<span\; class="notranslate">\; (</span>\mathrm{<span\; class="notranslate">\; i</span>}<span\; class="notranslate">\; )</span>\mathrm{<span\; class="notranslate">\; f</span>}<span\; class="notranslate">\; (</span>\mathrm{<span\; class="notranslate">\; i</span>}<span\; class="notranslate">\; )</span>$

Where P(i), F(i) and G are respectively:

(8) Calculating the risk threshold, the calculation method of the risk threshold TH is:

$\mathrm{<span\; class="notranslate">\; TH</span>}<span\; class="notranslate">\; =</span>\underset{\mathrm{<span\; class="notranslate">\; i</span>}<span\; class="notranslate">\; =</span>\mathrm{<span\; class="notranslate">\; 0</span>}}{\overset{\mathrm{<span\; class="notranslate">\; 29</span>}}{\mathrm{<span\; class="notranslate">\; \&Sigma;</span>}}}\mathrm{<span\; class="notranslate">\; P</span>}<span\; class="notranslate">\; (</span>\mathrm{<span\; class="notranslate">\; i</span>}<span\; class="notranslate">\; )</span><span\; class="notranslate">\; /</span>\mathrm{<span\; class="notranslate">\; 29</span>}$

(9) Send early warning information A6 as shown in Figure 1: when the risk degree Risk exceeds the threshold value TH, send the early warning information to the network console 1 through the network (compile the corresponding sending and receiving program according to the Socket of the Windows operating system).

3. As shown in Figure 1, perform self-identification on the entry path written in the registry 3, perform self-identification on the entry path written in the registry and make an abnormal judgment, the following implementation steps can be taken:

(1) As shown in Figure 1, the interception registry is written into the entry path B1: inject the DLL that intercepts the registry API function into the target program, such as IExplore.exe and Outlook.exe, to obtain the execution status and parameters of the registry API function, And obtain the registry entry entry path from the parameters of the registry API function. The method of injecting DLL can use the remote thread injection method, the remote thread function can refer to CreateRemoteThread in MSDN, the method of replacing IAT (ImportAddress Table: input address table) in the injection DLL can intercept the API execution sequence of the target program, pay attention to the GetProcAddress and LoadLibraryA, LoadLibraryExA, LoadLibraryW, and LoadLibraryExW do special processing. For details, see "Programming Applications for Windows" published by Microsoft and written by Jeffrey Ritcher;

(2) Collecting self B2 among Fig. 1: run target program under normal state, as visit the webpage that does not contain malicious code with IExplore.exe or receive the letter that does not contain network virus and malicious code with Outlook.exe etc., collect Under normal conditions, the normal registry entry path of the target program (here IExplore.exe or Outlook.exe) is stored in the database, and each normal registry entry entry path is called "self". The collection is called the "self-set";

(3) As shown in Figure 1, collect the registry entry path B3 currently to be detected: during the operation of the target program, obtain the registry entry entry path of the target program in real time through the injected DLL, such as IExplore.exe Or the registry write operation of Outlook.exe, and save the registry entry path in the shared memory; at the same time, the registry detection module reads the current registry entry entry path from the shared memory, and the database Compared with the original "self" operation, see self-identification B4 in Figure 1; if it is not in the "self set", send abnormal behavior information to the network console, such as sending abnormal behavior information B5 in Figure 1.

4. As shown in Figure 1, perform non-self identification on the API execution sequence 4, perform non-self identification on the API sequence and make an abnormal judgment, the following implementation steps can be taken.

It should be noted that if the speed is not considered, you can directly use all API functions without running steps (1) and (2); or directly select from all API functions without running step (1).

(1) First renumber all API functions, and determine the total set of API functions used by the target program, such as the used API set C1 in Figure 1:

(a) Since there are too many API functions, about 3,000, the API functions can be divided into 20 groups, each group has about 150, and corresponding injection DLLs are generated for each group of API functions;

(b) Inject these DLLs into the target program, such as IExplore.exe or Outlook.exe, run the target program under normal and poisonous conditions, and obtain a list of API functions used by the target program from the recorded file;

(2) API selection operation, such as API selection C2 in Figure 1:

L₀的取值可以为大于8的整数，建议取8、16、32或64；(a) Intercept the API sequence of the target program in the normal state, and cut it into a string set S ₀ of length L ₀ with a sliding step size of W ₀ , where the value of W ₀ can be between 1 and L ₀ Any integer of , it is recommended to take

The value of L ₀ can be an integer greater than 8, it is recommended to take 8, 16, 32 or 64;

(b) intercepting the API sequence of the target program under the poisoned running state, and truncating it into a string set R ₀ whose length is L ₀ with a sliding step size of W ₀ ;

(c) compare the different sequences in the string sets _S0 and _R0 , extract the API functions that form these sequences, and use these API functions as the API function set to be monitored;

(3) API renumbering C3 in Figure 1: renumbering the selected API functions to facilitate the representation of the API sequence;

(4) Collecting self C4 in Figure 1: according to the selected API function, intercept the API sequence of the target program under normal conditions, and cut it into a string of length L with a sliding step size W to generate self-set S, The value of W ₀ can be any integer between 1 and L ₀ , it is recommended to take The value of L ₀ can be an integer greater than 8, it is recommended to take 8, 16, 32 or 64;

(5) Obtain the current API execution sequence of the target program, read N API sequences each time and perform the following detection process, such as IExplore.exe or Outlook.exe, it is recommended that the value of N be 128, as shown in Figure 1 to obtain the target program Current API execution sequence C5:

(a) Start the detection as shown in Figure 1 and judge whether the end condition meets C7, and generate the initial detector set D ₀ : randomly generate the pre-detector according to the selected API function, and filter the self (that is, delete the API sequence matching the self ), and then obtain the initial detector set; the matching strategy here is a partial matching strategy, that is, two sequences match if and only if the two strings are consistent in consecutive r positions;

(b) Match C6 in Figure 1, compare the current API execution sequence with any detector in the detector set: if a match is found, mark the sequence and add 1 to the total number of matches, when the total number of API sequences to be detected acquired in real time When the number of matches reaches the threshold _Gn , the abnormal behavior information is sent to the network console, such as sending abnormal behavior information C8 among Fig. 1;

(c) As shown in Figure 1, start the detection and judge whether the end condition meets C7, if the evolution algebra t exceeds the threshold _Ge or all API sequences have been marked, continue to detect the next batch of API sequences;

(d) For unmatched API sequences, three subsets D _A , D _G , _DR and memory set D M are randomly generated based on affinity variation, gene pool evolution, and memory set D _M to form a next-generation detector set D _t =D _A +D _G +D _R +D _M , and the subsets of D _A , D _G , and _DR satisfy $\frac{{\mathrm{D.}}_A}{1}\&ap;\frac{{\mathrm{D.}}_G}{2}\&ap;\frac{{\mathrm{D.}}_m}{1};$

(e) As shown in Figure 1, the affinity variation C9, the detector subset D _A is generated by the affinity variation, and the affinity variation refers to when the matching degree between the API sequence and any detector in the detector set exceeds the affinity threshold G When _f , generate N _c (N _c ≥ 1) offspring individuals through mutation;

A suggested specific mutation method can be as follows: if the current API execution sequence matches any detector with more than the affinity mutation threshold, randomly generate a number a of [1, L], and the number a of the detector is A mutation occurs to obtain a descendant detector; this cycle is repeated 4 times, and 4 descendant detectors are generated for each detector that needs to be mutated.

(f) Gene pool evolution C10 as shown in Figure 1: The detector subset D _G is generated by gene pool evolution, and gene pool evolution refers to increasing the selection probability of APIs that make up effective detectors, so that when the pre-detection is generated by the roulette method When the device is used, the API has a higher selection probability, that is, P _api =P _api +ΔP. It should be pointed out that the selection probabilities of all APIs are consistent at the beginning, with the same selection probability P _api ; and in order to avoid local optimum, the step size of each gene pool evolution is very small, that is, the API selection probability The increment ΔP of is very small, and for all APIs, ΔP is the same here;

The code of the API selection probability improvement part in gene pool evolution can be abbreviated as:

for (Each gene Gene of effective detector)

Begin

The selection probability of the gene Gene is P[Gene]=P[Gene]+ΔP.

end

Where ΔP is a small constant. If for any Gene, the initial P[Gene] is 100, ΔP can be set to 0.1 or 0.01.

(g) Randomly generate C11 as shown in Figure 1, the detector subset D _R is randomly generated, and randomly generating detectors means that a certain proportion of detectors in each generation of detector sets comes from random generation, which is for maintain detector diversity;

(h) Memory set C12 in Figure 1: memory set D _M is composed of detectors that can match abnormal sequences, it can be generated offline before starting real-time detection, and can detect abnormalities during the actual monitoring process The detector of the sequence is added to the memory set;

5. The network console 1 is a program with the function of receiving network datagrams. It can be written with visual programming tools, such as VC++ or Delphi. It has a visual interface and can receive network datagrams and read and write databases; the database can use Microsoft SQL Server database . Administrators can use the web console to obtain abnormal behavior information obtained by analyzing and processing scripts, registry write entry paths, and API sequences.

6. According to the above method, including statistical analysis of keyword frequency of scripts 2, self-identification of registry entry entry path 3 and non-self identification of API execution sequence 4, the following lists 75 kinds of Email viruses, The detection result of Email worm virus and malicious code shows that the present invention has good effect on network virus and malicious code. serial number name type Whether to report the virus is 1 Bloodhound.vbs.worm Email, worm 2 VB.Bloodhound.vbs.worm.worm Email, worm yes 3 vbs. mesut email yes 4 jesus Email, worm yes 5 Vbs.jadra email yes 6 Vbs.infi email yes 7 Vbs.hatred.b email yes 8 Vbs.godog email yes 9 Vbs.hard Email, worm yes 10 Vbs.gascript Email, Trojan yes 11 I-Worm.CIAN email yes 12 Vbs.vbswg.qen Email, worm yes 13 I-Worm. doublet Email, worm yes 14 white house Email, worm yes 15 I-Worm.chu email yes 16 Love letter Email, worm yes 17 free link Email, worm yes 18 Mbop.d Email, worm yes 19 Kounikewa Email, worm yes 20 json888 Malicious code yes twenty one gator[1] Malicious code yes twenty two overkill2 Malicious code yes twenty three red lof Malicious code yes twenty four script. unrealer Malicious code yes 25 vbs.both Malicious code yes 26 VBS.kremp Malicious code yes 27 script.exploit Malicious code no 28 script. happytime Malicious code yes 29 vbs.godog Malicious code yes 30 I-worm. doublet Malicious code yes 31 I-worm.chu Malicious code yes 32 vbs.baby Malicious code yes 33 vbs.gascript Malicious code yes 34 vbs. jesus Malicious code yes 35 vbs.mbop.d Malicious code yes 36 vbs.fasan Malicious code yes 37 vbs.hard.vbs Malicious code yes 38 vbs.infi Malicious code yes 39 vbs.jadra Malicious code yes 40 LOVE-LETTER-FOR-YOU Malicious code yes 41 vbs. mesut Malicious code yes 42 JS.Exception.Exploit1 Malicious code yes 43 JS.Exception.Exploit2 Malicious code yes 44 Self-made Writefile Malicious code yes 45 Variant of Writefile Malicious code yes 46 IRC.salim Malicious code yes 47 Vbs.vbswg.qen Malicious code yes 48 Bloodhound.vbs.3 Malicious code yes 49 Bloodhound.vbs.3 variant 1 Malicious code yes 50 Bloodhound.vbs.3 variant 2 Malicious code yes 51 Bloodhound.vbs.3 variant 3 Malicious code yes 52 Bloodhound.vbs.3 variant 4 Malicious code yes 53 Bloodhound.vbs.3 variant 5 Malicious code yes 54 Bloodhound.vbs.3 variant 6 Malicious code yes 55 Bloodhound.vbs.3 variant 7 Malicious code yes 56 Bloodhound.vbs.3 variant 8 Malicious code yes 57 Bloodhound.vbs.3 variant 9 Malicious code yes 58 Vbs.bound Malicious code yes 59 Vbs.charl Malicious code yes 60 VBS. Phram. D (vbs. cheese) Malicious code yes 61 Vbs.entice Malicious code yes 62 Vbs.ave.a Malicious code yes 63 Vbs.exposed Malicious code yes 64 Vbs.annod(vbs.jadra) Malicious code yes 65 Vbs.nomekop Malicious code yes 66 Html. reality (vbs. reality) Malicious code yes 67 Bloodhound.vbs.3 Malicious code yes 68 Bloodhound.vbs.3 variant 1 Malicious code yes 69 Bloodhound.vbs.3 variant 2 Malicious code yes 70 Bloodhound.vbs.3 variant 3 Malicious code yes 71 Bloodhound.vbs.3 variant 4 Malicious code yes 72 Bloodhound.vbs.3 variant 5 Malicious code yes 73 Bloodhound.vbs.3 variant 6 Malicious code yes 74 Bloodhound.vbs.3 variant 7 Malicious code yes 75 Bloodhound.vbs.3 variant 8 Malicious code yes

Claims (1)

1, a kind of internet worm of layered cooperative and malicious code recognition methods comprise:

From script file, isolate keyword, obtain by the method for injecting dynamic link library (being called for short DLL) that application programming interface (being called for short API) is carried out sequence and registration table writes the list item path, registration table is write the list item path and the API sequence is kept in hard disk or the internal memory; It is characterized in that:

To the keyword word frequency statistics analysis of script and make unusual judgement;

Registration table is write the list item path to carry out oneself's identification and makes unusual judgement;

The API sequence is carried out nonego identification and made unusual judgement;

Abnormal behaviour information is sent to net control station;

The script file that described script file is meant the script file write with the Javascript language, write with the VBScript language and embedded Javascript or the script file of VBScript code;

Described injection DLL acquisition API execution sequence and registration table write the list item path and are meant, by DLL is injected in the target program as remote thread, the API execution sequence of the method intercepting target program of Import Address Table (being called for short IAT) is replaced in employing then, and writes the list item path from the parameter acquisition registration table of registration table api function;

Described to script the keyword statistical analysis and make unusual judgement and be meant and from script file, isolate 29 keyword copyfile, Createobject, Delete, FolderDelete, RegWrite, Virus, .Write, GetSpecialFolder, keys, opentextfile, readall, .save, startup, execute, .add, buildpath, copyfolder, createfolder, createtextfile, deletefile, fileexists, folderexists, getfile, getfolder, getparentfolder, format, .run, do copy, document.write, and carry out following steps:

(1) 29 keywords are divided into three groups, first group for creating object keyword: Createobject; Second group is no risky operation keyword itself: Virus .Write, GetSpecialFolder, keys, opentextfile, readall, startup, execute .add, buildpath, fileexists, folderexists, getfile, getfolder, getparentfolder .run, document.write; The 3rd group is to have the keyword that possibility is destroyed operation: copyfile, Delete, FolderDelete, RegWrite .save, copyfolder, createfolder, createtextfile, deletefile, format, do copy;

(2) the desired value f of the word frequency that these 29 keywords occur in the normal script of statistics _i, the desired value f of the word frequency that these 29 keywords occur in the unusual script is added up in 1≤i≤29 _i', 1≤i≤29, it is poor to calculate the normalization word frequency of 29 keywords in normal and unusual script $e_i=(f_i-f_i^{\&prime;})/\underset{i=1}{\overset{29}{\mathrm{\&Sigma;}}}(f_i-f_i^{\&prime;}),$ 1≤i≤29：

(3) the statistics word frequency m that keyword occurs in current script to be detected _i, the risk factor Risk of script to be detected is calculated in 1≤i≤29,

$\mathrm{Risk}=G\underset{i=1}{\overset{29}{\mathrm{\&Sigma;}}}P\left(i\right)F\left(i\right)$

Wherein P (i), F (i) and G are respectively:

(4) risk factor threshold value TH is defined as:

$\mathrm{TH}=\underset{i=0}{\overset{29}{\mathrm{\&Sigma;}}}P\left(i\right)/29$

When risk factor Risk surpasses threshold value TH, send early warning information to net control station;

Describedly registration table is write the list item path carry out oneself identification and make unusual judgement and take following steps:

(1) the normal registration table of target program writes the list item path under the collection normal condition, and deposits in the database, and each normal registration table writes the list item path and is called " oneself ", and its set is called " oneself's collection ";

(2) read current registration table and write the list item path, compare, if not in " oneself's collection ", then send abnormal behaviour information to net control station with original in the database " oneself " operation;

Described the API sequence carried out nonego identification and made unusual judgement and take following steps:

(1) API selection operation:

(a) the API sequence of target program under the intercepting normal condition, and be W with the sliding step ₀Mode it is cut into length is L ₀Trail S ₀

(b) the API sequence of target program under the intercepting operation with virus state, and be W with the sliding step ₀Mode it is cut into length is L ₀Trail R ₀

(c) compare trail S ₀And R ₀In different sequences, extract the api function that constitutes these sequences, with these api functions as api function collection to be monitored;

(2) according to selected api function, the API sequence of target program under the intercepting normal condition, and be that W is cut into the string that length is L with it with the sliding step, generate oneself's collection S;

(3) the current API that obtains target program carries out sequence, and is that W is cut into the string that length is L with it with the sliding step, reads N API sequence at every turn and carries out following testing process:

(a) produce initial detector collection D ₀: produce pre-detector at random according to selected api function, filter the oneself, and then obtain the initial detector collection; The matching strategy here is the part matching strategy, and promptly two sequences match and if only if these two character strings are in r position consistency continuously;

(b) more current AP carries out arbitrary detector that sequence and detector are concentrated: if find to mate then this sequence of mark and total matching number added 1, when the total matching number of API sequence to be detected that obtains in real time reaches threshold value G _nThe time, send out abnormal behaviour information to net control station;

(c) if evolutionary generation t surpasses threshold value G _eOr all the API sequences are labeled, continue to read next group API sequence and detect; Otherwise, for unmatched API sequence, then according to the variation of affinity degree, gene library evolution, three subset D producing at random _A, D _G, D _RWith memory collection D _MCommon composition detector collection D of future generation _i=D _A+ D _G+ D _R+ D _M, and D _A, D _G, D _RSubclass satisfies $\frac{D_A}{1}\&ap;\frac{D_G}{2}\&ap;\frac{D_M}{1};$

Produce the detector subset D by the variation of affinity degree _A, affinity degree variation is meant that the matching degree of arbitrary detector of concentrating when API sequence and detector is above affinity degree threshold value G _fThe time, produce N by variation _c(N _c〉=1) individual filial generation individuality;

Produce the detector subset D by gene library evolution _G, gene library evolution is meant the selection probability that improves the API that forms valid detector, i.e. P _Api=P _Api+ Δ P; And when reality generates detector, select probability to generate pre-detector by the roulette wheel method according to API, filter the oneself at last and generate the detector subset D _G

By producing the detector subset D at random _R

The existing detector that can mate unusual sequence is formed memory collection D _M

Described net control station is meant to be used for receiving script, registration table is write the network program that list item path and API sequence are carried out the abnormal information that analyzing and processing obtained.