
CN104123494A - Early warning method and device for malicious software dynamic behavior analysis system - Google Patents


Info

Publication number
CN104123494A
CN104123494A (application number CN201310146238.0A)
Authority
CN
China
Prior art keywords
malware
sample
node
duration
dynamic behaviour
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201310146238.0A
Other languages
Chinese (zh)
Other versions
CN104123494B (en)
Inventor
邹义鹏
焦国强
陈勇
张楠
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Kingsoft Internet Security Software Co Ltd
Conew Network Technology Beijing Co Ltd
Zhuhai Juntian Electronic Technology Co Ltd
Beijing Cheetah Mobile Technology Co Ltd
Beijing Cheetah Network Technology Co Ltd
Original Assignee
Beijing Kingsoft Internet Security Software Co Ltd
Conew Network Technology Beijing Co Ltd
Shell Internet Beijing Security Technology Co Ltd
Zhuhai Juntian Electronic Technology Co Ltd
Beijing Kingsoft Internet Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Kingsoft Internet Security Software Co Ltd, Conew Network Technology Beijing Co Ltd, Shell Internet Beijing Security Technology Co Ltd, Zhuhai Juntian Electronic Technology Co Ltd, Beijing Kingsoft Internet Science and Technology Co Ltd
Priority to CN201310146238.0A
Publication of CN104123494A
Application granted
Publication of CN104123494B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention provides an early warning method and an early warning device for a malicious software dynamic behavior analysis system, wherein the method comprises the following steps: counting the processing information of the malicious software dynamic behavior analysis system on the malicious software sample in a past period of time, and learning the processing rule of the malicious software dynamic behavior analysis system on the malicious software sample; and acquiring the current processing state of the malicious software dynamic behavior analysis system on the malicious software sample, and sending out early warning when the current processing state is not matched with the processing rule. The invention can find the abnormality in the system in time and alarm.

Description

Early warning method and device for a malware dynamic behaviour analysis system
Technical field
The present invention relates to the field of network security, and in particular to an early warning method and device for a malware dynamic behaviour analysis system.
Background technology
A malware dynamic behaviour analysis system is a set of systems that runs malware in a virtual machine environment and monitors and analyses its dynamic behaviour while it runs; its input is a malware sample and its output is a dynamic behaviour analysis report for that sample. Such a system generally includes a central schedule server and multiple distributed virtual machine processing nodes. The central schedule server is the server that stores and dispatches the samples waiting to be processed; a distributed virtual machine processing node is a node in the system that processes malware samples, and it registers itself in the system by mounting, after which it can fetch malware samples from the central schedule server and process them. Virtualisation platforms today usually monitor the virtual machines themselves, including CPU (Central Processing Unit) usage and whether a machine has hung. Although these measures give complete monitoring of the virtual machine itself, they do not monitor or warn about the operating condition of the upper-layer malware dynamic behaviour analysis system. For example, in some cases a malware sample running in a virtual machine can damage the software environment of the virtual machine, such as by interfering with network services, which may interrupt the communication of the malware behaviour analysis system without raising the CPU usage of the virtual machine or hanging it. In that case the virtualisation platform's own monitoring reports that the virtual machine is running well, yet the processing flow of the upper-layer system is blocked, most commonly as a sample processing timeout. It is then up to a monitoring and early warning system to provide the corresponding feedback and follow-up action (for example, if several samples in a row time out on the same virtual machine, that virtual machine is taken out of service).
Exception monitoring and early warning for a malware dynamic behaviour analysis system means monitoring the running state of the system and raising an alarm for any abnormal condition that occurs. The alarm can take many forms, for example a text prompt or an email notification.
An ordinary pipeline-style operating system generally has many processing links. For the overall business pipeline to work normally, every link must run well; any problem must be found as early as possible and, as far as possible, recovered from automatically rather than by manual intervention. Therefore the overall flow and each sub-link need condition monitoring to find problems, which usually means deploying monitoring at the system level and a corresponding monitoring mechanism at the sub-link level, in order to achieve early warning.
Because a malware dynamic behaviour analysis system runs malware samples in a virtual machine environment, captures their log records, parses them and finally produces an analysis report, monitoring of its running state normally relies on functions such as log recording and condition monitoring deployed in advance at the links that may go wrong, through which anomalies in the system are discovered.
It can be seen that the traditional early warning method requires all links that may go wrong to be anticipated in advance; only then can missing control points be avoided to the greatest extent. In practice it is difficult to think of every link that might go wrong, and deploying monitoring at every one of them is unrealistic, so some control points are easily missed. The system then develops a problem during actual operation that is not noticed in time, the whole cycle of follow-up and repair is lengthened, and the overall business suffers a larger impact.
Summary of the invention
In view of this, the object of the present invention is to provide an early warning method and device for a malware dynamic behaviour analysis system that discover anomalies in the system in time and raise an alarm.
To solve the technical problem described above, the invention provides the following solution:
An early warning method for a malware dynamic behaviour analysis system, comprising:
collecting statistics on the processing information of the malware dynamic behaviour analysis system for malware samples over a past period of time, and learning the processing rule of the malware dynamic behaviour analysis system for malware samples;
obtaining the current processing state of the malware dynamic behaviour analysis system for malware samples, and sending an early warning when the current processing state does not match the processing rule.
Further, in the above solution, the processing information comprises the conversion duration of the busy-idle state of each node and the processing duration for a single sample; the processing rule comprises the average conversion duration of the busy-idle state of each node within the past period and the average processing duration for a single sample.
Further, in the above solution, obtaining the current processing state of the malware dynamic behaviour analysis system and sending an early warning when the current processing state does not match the processing rule comprises:
obtaining, for each node in the malware dynamic behaviour analysis system, the conversion duration of the busy-idle state within a time cycle of predetermined length and the processing duration for a single sample;
if the difference between the conversion duration of the busy-idle state in the current time cycle and the average conversion duration is greater than a preset first threshold, or the difference between the processing duration for a single sample in the current time cycle and the average processing duration is greater than a preset second threshold, producing node warning information for the corresponding node.
Further, the above solution also comprises:
if the number of consecutive times node warning information is produced for one node reaches a predetermined first threshold value, sending a system management alarm and stopping the corresponding node from processing malware samples.
Further, in the above solution, the processing information also comprises the processing quantity of malware samples, and the processing rule also comprises a reference mean value of the processing quantity of malware samples within a time cycle of predetermined length.
Further, in the above solution, obtaining the current processing state of the malware dynamic behaviour analysis system and sending an early warning when the current processing state does not match the processing rule also comprises:
obtaining the mean value of the total sample processing quantity of the malware dynamic behaviour analysis system within the current time cycle;
when the difference between the mean value of the total sample processing quantity within the current time cycle and the reference mean value is greater than a preset third threshold, sending system warning information.
Further, in the above solution, obtaining the current processing state of the malware dynamic behaviour analysis system and sending an early warning when the current processing state does not match the processing rule also comprises:
if the number of consecutive times the system warning information is sent reaches a predetermined second threshold value, sending a system management alarm.
Further, in the above solution, the system warning information is sent when the number of nodes in the system remains unchanged, the number of nodes producing node warning information is lower than a preset third threshold value, and the difference between the mean value of the total sample processing quantity within the current time cycle and the reference mean value is greater than the preset third threshold.
The embodiments of the present invention also provide an early warning device for a malware dynamic behaviour analysis system, comprising:
a statistical learning module, for collecting statistics on the processing information of the malware dynamic behaviour analysis system for malware samples over a past period of time and learning the processing rule of the malware dynamic behaviour analysis system for malware samples;
a warning processing module, for obtaining the current processing state of the malware dynamic behaviour analysis system for malware samples and sending an early warning when the current processing state does not match the processing rule.
Further, in the above solution, the processing information comprises the conversion duration of the busy-idle state of each node and the processing duration for a single sample; the processing rule comprises the average conversion duration of the busy-idle state of each node within the past period and the average processing duration for a single sample.
Further, in the above solution, the warning processing module comprises:
a first acquiring unit, for obtaining, for each node in the malware dynamic behaviour analysis system, the conversion duration of the busy-idle state within a time cycle of predetermined length and the processing duration for a single sample;
a first alarm unit, for producing node warning information for the corresponding node if the difference between the conversion duration of the busy-idle state in the current time cycle and the average conversion duration is greater than a preset first threshold, or the difference between the processing duration for a single sample in the current time cycle and the average processing duration is greater than a preset second threshold.
Further, in the above solution, the warning processing module also comprises:
a second alarm unit, for sending a system management alarm and stopping the corresponding node from processing malware samples if the number of consecutive times node warning information is produced for one node reaches a predetermined first threshold value.
Further, in the above solution, the processing information also comprises the processing quantity of malware samples, and the processing rule also comprises a reference mean value of the processing quantity of malware samples within a time cycle of predetermined length.
Further, in the above solution, the warning processing module also comprises:
a second acquiring unit, for obtaining the mean value of the total sample processing quantity of the malware dynamic behaviour analysis system within the current time cycle;
a third alarm unit, for sending system warning information when the difference between the mean value of the total sample processing quantity within the current time cycle and the reference mean value is greater than a preset third threshold.
Further, in the above solution, the warning processing module also comprises:
a fourth alarm unit, for sending a system management alarm if the number of consecutive times the system warning information is sent reaches a predetermined second threshold value.
Further, in the above solution, the third alarm unit is further used to send the system warning information when the number of nodes in the system remains unchanged, the number of nodes producing node warning information is lower than a preset third threshold value, and the difference between the mean value of the total sample processing quantity within the current time cycle and the reference mean value is greater than the preset third threshold.
It can be seen from the above that the early warning method and device for a malware dynamic behaviour analysis system provided by the invention monitor the current running condition of the system and its nodes on the basis of the system and node operating indicators of a past period, turning the monitoring of the system state from fixed indicators into dynamically learned variable indicators, which makes monitoring more flexible and its results more accurate. Moreover, the embodiments of the invention monitor each node on the basis of its own historical record, which improves monitoring accuracy, so that an abnormal processing node can be found in time, a warning issued in time, and the node disabled to prevent the effects of the anomaly from spreading.
Brief description of the drawings
Fig. 1 is a schematic diagram of the structure of the system described in the embodiments of the present invention;
Fig. 2 is a schematic flow chart of the exception monitoring and early warning method provided by the embodiments of the present invention;
Fig. 3 is a schematic diagram of the structure of the exception monitoring and early warning device provided by the embodiments of the present invention;
Fig. 4 is a schematic diagram of an example of node exception monitoring and early warning in the embodiments of the present invention.
Embodiment
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described below with reference to the accompanying drawings and specific embodiments.
The embodiments of the present invention provide an early warning method and device for a malware dynamic behaviour analysis system that discover anomalies in the system in time and raise an alarm, reducing the adverse effect of abnormal conditions on the system.
The exception monitoring and early warning method provided by the embodiments is applied in a malware dynamic behaviour analysis system. As shown in Fig. 1, this system comprises a central schedule server 11 for storing and dispatching malware samples 13 awaiting processing, and multiple distributed virtual machine processing nodes 12 that fetch malware samples from the central schedule server and process them. The nodes 12 register themselves in the system by mounting, and fetch malware samples from the central schedule server 11 for processing. The system operates as follows:
1) after a malware sample 13 enters the central schedule server 11, it is first stored by the central schedule server 11, which can also mark the type of the sample, so that each virtual machine processing node 12 can fetch the samples it needs to process according to type and then process them;
2) each virtual machine processing node 12 (VM Server) periodically sends its own status information to the central schedule server 11; this process never stops and works like a "heartbeat", telling the central schedule server 11 that the node is active;
3) a virtual machine processing node 12 requests tasks from the central schedule server 11 at regular intervals, according to its own capacity; after the central schedule server 11 verifies the request, it sends the sample task to be analysed to the virtual machine processing node 12;
4) because the performance of each virtual machine processing node 12 may differ, the status information of each virtual machine processing node 12 is recorded at the central schedule server 11 for use in subsequent analysis.
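The four-step operation above is easier to see as code. The following is an added illustration, not code from the patent or its assignees: a toy central schedule server that stores samples by type, verifies a node's registration and heartbeat before handing out a task, refuses silent or unknown nodes, and writes a record for every idle/busy transition of a node together with the time spent in the previous state. Those transition records are exactly the per-node status history that step 4 says is kept for later analysis. All identifiers (`CentralScheduler`, `request_task`, `report_done`, the node and sample names) and the 30-second heartbeat timeout are assumptions of this example.

```python
from collections import defaultdict, deque


class CentralScheduler:
    """Toy model (added illustration) of the central schedule server in Fig. 1.

    Stores pending samples by type, lets nodes register and keep a heartbeat,
    hands out tasks only to verified active nodes, and records every busy/idle
    transition with its duration for subsequent analysis.
    """

    IDLE, BUSY = "idle", "busy"

    def __init__(self, heartbeat_timeout=30.0):
        self.heartbeat_timeout = heartbeat_timeout  # assumed value (seconds)
        self.pending = defaultdict(deque)   # sample_type -> queue of sample ids
        self.nodes = {}                     # node_id -> status dict
        self.records = []                   # (node, from_state, to_state, seconds)

    def submit_sample(self, sample_id, sample_type):
        # Step 1: store the sample and tag its type so nodes can fetch by type.
        self.pending[sample_type].append(sample_id)

    def register_node(self, node_id, now):
        # A node mounts itself into the system and starts in the idle state.
        self.nodes[node_id] = {"last_heartbeat": now, "state": self.IDLE,
                               "since": now, "sample": None}

    def heartbeat(self, node_id, now):
        # Step 2: periodic "I am alive" message from a node.
        if node_id in self.nodes:
            self.nodes[node_id]["last_heartbeat"] = now

    def active_nodes(self, now):
        """Nodes whose last heartbeat is within the timeout."""
        return sorted(n for n, st in self.nodes.items()
                      if now - st["last_heartbeat"] <= self.heartbeat_timeout)

    def _transition(self, node_id, new_state, now):
        # Record how long the node spent in its previous state.
        st = self.nodes[node_id]
        elapsed = now - st["since"]
        self.records.append((node_id, st["state"], new_state, elapsed))
        st["state"], st["since"] = new_state, now
        return elapsed

    def request_task(self, node_id, sample_type, now):
        # Step 3: verify the node, then hand out a sample of the requested type.
        st = self.nodes.get(node_id)
        if st is None or now - st["last_heartbeat"] > self.heartbeat_timeout:
            return None                     # unknown or silent node: refuse
        st["last_heartbeat"] = now          # any message counts as a heartbeat
        if st["state"] == self.BUSY or not self.pending[sample_type]:
            return None                     # busy node, or nothing of that type
        sample_id = self.pending[sample_type].popleft()
        st["sample"] = sample_id
        self._transition(node_id, self.BUSY, now)   # records time spent idle
        return sample_id

    def report_done(self, node_id, sample_id, now):
        # Step 4: the node reports completion; the busy->idle record holds the
        # processing duration of this sample for later analysis.
        st = self.nodes.get(node_id)
        if st is None or st["sample"] != sample_id:
            return None
        st["last_heartbeat"] = now
        st["sample"] = None
        return self._transition(node_id, self.IDLE, now)
```

The `records` list is the data source the rest of the patent builds on: the idle-to-busy entries give the busy-idle conversion durations and the busy-to-idle entries give the per-sample processing durations of each node.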
The exception monitoring and early warning method provided by the embodiments is applied to the system shown in Fig. 1. Referring to Fig. 2, the method comprises:
Step 21: collect statistics on the processing information of the malware dynamic behaviour analysis system for malware samples over a past period of time, and learn the processing rule of the system for malware samples.
Step 22: obtain the current processing state of the malware dynamic behaviour analysis system for malware samples, and send an early warning when the current processing state does not match the processing rule.
As one preferred implementation, this embodiment can, for each node in the system, statistically learn that node's own processing rule for malware samples, and then judge whether the node's current processing state matches the rule, producing an early warning if it does not. In this case, in step 21 the processing information comprises the conversion duration of the busy-idle state of each node and the processing duration for a single sample, and the processing rule comprises the average conversion duration of the busy-idle state of each node within the past period and the average processing duration for a single sample. Step 22 then specifically comprises:
obtaining, for each node in the malware dynamic behaviour analysis system, the conversion duration of the busy-idle state within a time cycle of predetermined length and the processing duration for a single sample;
if the difference between the conversion duration of the busy-idle state in the current time cycle and the average conversion duration is greater than a preset first threshold, or the difference between the processing duration for a single sample in the current time cycle and the average processing duration is greater than a preset second threshold, producing node warning information for the corresponding node, to prompt management personnel that the node may have an abnormal condition.
Further, if the number of consecutive times node warning information is produced for one node reaches a predetermined first threshold value, a system management alarm is sent and the corresponding node is stopped from processing malware samples.
As another preferred implementation, this embodiment can statistically learn the processing rule of the whole system for malware samples, and then judge whether the current processing state of the system matches that rule, producing an early warning if it does not. In this case, in step 21 the processing information comprises the processing quantity of malware samples, and the processing rule comprises a reference mean value of the processing quantity of malware samples within a time cycle of predetermined length. Step 22 then specifically comprises:
obtaining the mean value of the total sample processing quantity of the malware dynamic behaviour analysis system within the current time cycle;
when the difference between the mean value of the total sample processing quantity within the current time cycle and the reference mean value is greater than a preset third threshold, sending system warning information, to prompt management personnel that the current system may have an abnormal condition. Taking the node states in the system into account, the embodiment can send the system warning information when the number of nodes in the system remains unchanged, the number of nodes producing node warning information is lower than a preset third threshold value, and the difference between the mean value of the total sample processing quantity within the current time cycle and the reference mean value is greater than the preset third threshold.
Further, if the number of consecutive times the system warning information is sent reaches a predetermined second threshold value, a system management alarm is sent, so that management personnel can be prompted to handle the abnormal condition manually where necessary.
Each of the above thresholds and threshold values can be set according to the running situation and the monitoring requirements. For example, if it is hoped to give early warning of as many abnormal conditions as possible, the values can be set smaller; conversely, if fewer false alarms are wanted, the values can be set larger. As another example, the thresholds and threshold values can be adjusted against the recorded processing information of the whole system and of the nodes at the times when abnormal conditions occurred in the past, so that the judgement results agree with the historical record.
Based on the above method, this embodiment also provides an early warning device for a malware dynamic behaviour analysis system, where the system comprises a central schedule server for storing and dispatching malware samples awaiting processing and multiple distributed virtual machine processing nodes that fetch malware samples from the central schedule server and process them. As shown in Fig. 3, the device comprises:
a statistical learning module, for collecting statistics on the processing information of the malware dynamic behaviour analysis system for malware samples over a past period of time and learning the processing rule of the system for malware samples;
a warning processing module, for obtaining the current processing state of the malware dynamic behaviour analysis system for malware samples and sending an early warning when the current processing state does not match the processing rule.
Specifically, the processing information comprises the conversion duration of the busy-idle state of each node and the processing duration for a single sample, and the processing rule comprises the average conversion duration of the busy-idle state of each node within the past period and the average processing duration for a single sample. In this case the warning processing module comprises:
a first acquiring unit, for obtaining, for each node in the malware dynamic behaviour analysis system, the conversion duration of the busy-idle state within a time cycle of predetermined length and the processing duration for a single sample;
a first alarm unit, for producing node warning information for the corresponding node if the difference between the conversion duration of the busy-idle state in the current time cycle and the average conversion duration is greater than a preset first threshold, or the difference between the processing duration for a single sample in the current time cycle and the average processing duration is greater than a preset second threshold.
Further, the warning processing module also comprises:
a second alarm unit, for sending a system management alarm and stopping the corresponding node from processing malware samples if the number of consecutive times node warning information is produced for one node reaches a predetermined first threshold value.
Specifically, the processing information also comprises the processing quantity of malware samples, and the processing rule also comprises a reference mean value of the processing quantity of malware samples within a time cycle of predetermined length. In this case the warning processing module also comprises:
a second acquiring unit, for obtaining the mean value of the total sample processing quantity of the malware dynamic behaviour analysis system within the current time cycle;
a third alarm unit, for sending system warning information when the difference between the mean value of the total sample processing quantity within the current time cycle and the reference mean value is greater than a preset third threshold.
Further, the third alarm unit can also be used to send the system warning information when the number of nodes in the system remains unchanged, the number of nodes producing node warning information is lower than a preset third threshold value, and the difference between the mean value of the total sample processing quantity within the current time cycle and the reference mean value is greater than the preset third threshold.
Further, the warning processing module also comprises:
a fourth alarm unit, for sending a system management alarm if the number of consecutive times the system warning information is sent reaches a predetermined second threshold value.
It can be seen from the above that the embodiments of the present invention monitor the task processing state in the distributed architecture of the malware dynamic behaviour analysis system. At the level of results, the processing volume and processing state of the whole system are learned over a period of time and summarised into a processing rule covering processing efficiency (the processing duration for a single sample), processing volume, and the working-state conversion rule (the average conversion duration of the busy-idle state), so that a processing anomaly of the whole system can be found in time from its current processing state and an early warning sent. In addition, the embodiments can periodically learn and monitor the processing rule of each processing node in the distributed system: for each node, its rule is obtained by collecting the node's processing situation over a period of time, so that the node's current processing state can be judged, an abnormal processing node found in time, a warning issued in time, and the node disabled to prevent the impact from spreading.
The embodiments of the present invention are further described below in conjunction with a more specific example.
Referring to Fig. 4, this example gives the flow of node exception monitoring. Because the performance of the virtual machine nodes may differ, their state is monitored for anomalies by analysing information such as performance and efficiency from the historical state data of each virtual machine processing node, which can be retrieved from the database of the central schedule server. The monitoring flow comprises:
Step 41: retrieve the state changes, processing efficiency and similar information of each virtual machine processing node over a period of time.
Usually this period can be adjusted as the case requires; for an existing system, for example, it can be set to one week. Here, state change can refer to the conversion of the node's busy-idle state, for example the time the node needed to go once from the busy state to the idle state, and processing efficiency can be characterised by the node's processing duration for a single sample.
Step 42: analyse the retrieved data and derive monitoring reference values for state change and processing efficiency.
Here, taking the past period as the basis, a reference value for state change is obtained, for example the average time taken to go from the busy state to the idle state, and a reference value for processing efficiency is obtained, for example the average duration of processing one sample.
Step 43: monitor the current running condition of the virtual machine processing node; if it exceeds the reference value by a certain preset threshold, send a node alarm and record it.
Step 44: if three consecutive alarms are sent for the same virtual machine processing node, notify the central schedule server so that it stops that virtual machine processing node, and send a corresponding system alarm, to prompt that the node may have an abnormal condition requiring manual handling.
Step 45: judge whether to exit the monitoring flow; for example, if a monitoring period has been set in advance, the flow can end when the monitoring period ends, and if it has not yet ended, return to step 43 and continue monitoring the node's running condition.
While performing the above monitoring of nodes, this example can also perform exception monitoring and early warning for the running condition of the entire system. In this example, the prerequisites for monitoring the running condition of the entire system and its exceptions are that the distributed virtual machine nodes in the system have neither increased nor decreased, and that the number of nodes involved in node alarms does not exceed a predetermined threshold (for example, this threshold can be set according to 10% of the total number of virtual machine nodes). Under these prerequisites, this example carries out system monitoring in the following way:
First, obtain the system's processing data for the previous time cycle (which can take the week as its unit), including the total number of completed sample processings (or the number of successfully processed samples) and so on; the processing data in each time interval of the previous cycle can also be counted in segments according to a shorter time interval, for example:
1) with the week as the time cycle, count the number of samples processed in each time interval (each day);
2) the data for each day can even be subdivided further, obtaining the number processed in each hour according to statistics over smaller periods (for example, dividing one day into 24 time periods);
Then, according to the above statistics, monitor the current running state of the system. For example, if the difference between the processing quantity in the current time interval and the processing quantity obtained from the statistics is greater than a certain threshold, and this situation recurs a predetermined number of times, a system management alarm is sent. For example, if the amount of data processed in 3 consecutive hours is clearly more than 20% above the above statistics, a system management alarm is sent.
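The system-level rule as an added Python example (not the patent's code): a reference mean for each hour-of-day slot is learned from constructed weekly counts, the prerequisites on node count and on the share of alarmed nodes are checked first, and a deviation of more than 20% in 3 consecutive hours raises the system management alarm. The deviation is checked in both directions, since the description defines the rule by the difference; the sample counts and node numbers are constructed.

```python
"""System-level throughput monitor for a malware sandbox cluster (added example,
not the patent's own code).  The baseline is the mean number of samples
processed in each hour-of-day slot over the previous week; the current hour is
compared against its own slot so a normal nightly lull is not taken for a fault."""
from collections import defaultdict
from statistics import mean


def learn_hourly_baseline(history):
    """history: (hour_of_day, samples_processed) records over the past period.
    Returns the reference mean for every hourly slot present in the history."""
    buckets = defaultdict(list)
    for hour, count in history:
        buckets[hour % 24].append(count)
    return {hour: mean(counts) for hour, counts in buckets.items()}


class SystemMonitor:
    def __init__(self, baseline, total_nodes, deviation=0.20,
                 consecutive=3, alarmed_fraction=0.10):
        self.baseline = baseline
        self.total_nodes = total_nodes            # node count when the baseline was learned
        self.deviation = deviation                # patent's example: 20 %
        self.consecutive = consecutive            # patent's example: 3 hours
        self.alarmed_fraction = alarmed_fraction  # patent's example: 10 % of nodes
        self.streak = 0

    def check(self, hour, count, current_nodes, alarmed_nodes):
        """One hourly observation.  Returns 'skipped', 'ok', 'deviation' or
        'system_alarm'."""
        # Prerequisites: no node was added or removed, and node alarms affect
        # at most 10 % of the nodes; otherwise a throughput change is explained
        # by the cluster itself and the system-level rule does not apply.
        if (current_nodes != self.total_nodes
                or alarmed_nodes > self.alarmed_fraction * self.total_nodes):
            self.streak = 0
            return "skipped"
        expected = self.baseline.get(hour % 24)
        if expected is None:
            return "skipped"                      # no reference for this slot
        if abs(count - expected) > self.deviation * expected:
            self.streak += 1
        else:
            self.streak = 0
            return "ok"
        return "system_alarm" if self.streak >= self.consecutive else "deviation"


if __name__ == "__main__":
    # Constructed week: about 110 samples per hour by day, about 40 by night.
    week = [(h, (110 if 8 <= h < 20 else 40) + d) for d in range(7) for h in range(24)]
    mon = SystemMonitor(learn_hourly_baseline(week), total_nodes=10)
    for hour, count in [(9, 112), (10, 60), (11, 58), (12, 55), (13, 110)]:
        print(f"{hour:02d}:00 processed={count:>4} ->", mon.check(hour, count, 10, 0))
```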
In summary, the embodiments of the present invention monitor the running condition of the current system and its nodes on the basis of the system and node operating indicators of the past period, turning the monitoring of the system state from a fixed indicator into a dynamically learned variable indicator, so that monitoring is more flexible and the monitoring results are more accurate. Moreover, for the monitoring of distributed virtual machine processing nodes, the embodiments of the present invention can take the performance of each node itself into account, so that monitoring accuracy is higher.
It should be noted that the word "first" in the "first threshold" described in the present invention serves only as an attribute to distinguish the modified term and imposes no ordering restriction; correspondingly, other similar descriptions likewise serve only to distinguish the modified terms and impose no ordering restriction.
Many of the functional components described in this specification are referred to as modules, in order to emphasise more particularly the independence of their implementation.
In the embodiments of the present invention, a module can be implemented in software for execution by various types of processors. For example, an identified executable code module can comprise one or more physical or logical blocks of computer instructions, which can for instance be built as objects, procedures or functions. Nevertheless, the executable code of an identified module need not be physically located together, but can comprise different instructions stored in different locations which, when logically combined, constitute the module and achieve the stated purpose of the module.
Indeed, an executable code module can be a single instruction or many instructions, and can even be distributed across several different code segments, among different programs, and across multiple memory devices. Similarly, operational data can be identified within modules, and can be embodied in any suitable form and organised in any suitable type of data structure. The operational data can be collected as a single data set, or can be distributed over different locations (including in different storage devices), and can exist, at least in part, merely as electronic signals on a system or network.
Where a module can be implemented in software, then, considering the level of existing hardware technology, a module that can be implemented in software can also, cost aside, be implemented by those skilled in the art by building corresponding hardware circuits to achieve the corresponding function; such hardware circuits include conventional very-large-scale integration (VLSI) circuits or gate arrays and existing semiconductors such as logic chips, transistors or other discrete elements. Modules can also be implemented using programmable hardware devices, such as field programmable gate arrays, programmable logic arrays, programmable logic devices and the like.
The above are only embodiments of the present invention. It should be pointed out that those skilled in the art can make several improvements and modifications without departing from the principles of the invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention.

Claims (16)

1. An early warning method for a malware dynamic behaviour analysis system, characterised in that the method comprises:
collecting statistics on the processing information of the malware dynamic behaviour analysis system for malware samples over a past period of time, and learning the processing rule of the malware dynamic behaviour analysis system for malware samples;
obtaining the current processing state of the malware dynamic behaviour analysis system for malware samples, and sending an early warning when the current processing state does not match the processing rule.
2. The method of claim 1, characterised in that the processing information comprises the busy-idle state transition duration of each node and the handling duration for a single sample; the processing rule comprises the average busy-idle state transition duration of each node within the past period and the average handling duration for a single sample.
3. The method of claim 2, characterised in that obtaining the current processing state of the malware dynamic behaviour analysis system and sending an early warning when the current processing state does not match the processing rule comprises:
obtaining, for each node in the malware dynamic behaviour analysis system, the busy-idle state transition duration and the handling duration for a single sample within a time cycle of predetermined length;
if the difference between the busy-idle state transition duration in the current time cycle and the average transition duration is greater than a preset first threshold, or the difference between the handling duration for a single sample in the current time cycle and the average handling duration is greater than a preset second threshold, generating node warning information for the corresponding node.
4. The method of claim 3, characterised in that it further comprises:
if the number of times node warning information is generated consecutively for a node reaches a predetermined first threshold value, sending a system management alarm and stopping the corresponding node's processing of malware samples.
5. The method of claim 3, characterised in that the processing information further comprises the number of malware samples processed, and the processing rule further comprises a reference mean of the number of malware samples processed within a time cycle of predetermined length.
6. The method of claim 5, characterised in that obtaining the current processing state of the malware dynamic behaviour analysis system and sending an early warning when the current processing state does not match the processing rule further comprises:
obtaining the mean value of the total number of samples processed by the malware dynamic behaviour analysis system within the current time cycle;
when the difference between the mean value of the total number of samples processed within the current time cycle and the reference mean is greater than a preset third threshold, sending system alarm information.
7. The method of claim 6, characterised in that obtaining the current processing state of the malware dynamic behaviour analysis system and sending an early warning when the current processing state does not match the processing rule further comprises:
if the number of times the system alarm information is sent consecutively reaches a predetermined second threshold value, sending a system management alarm.
8. The method of claim 6, characterised in that the system alarm information is further sent when the number of nodes in the system remains unchanged, the number of nodes generating the node warning information is lower than a preset third threshold value, and the difference between the mean value of the total number of samples processed within the current time cycle and the reference mean is greater than the preset third threshold.
9. An early warning device for a malware dynamic behaviour analysis system, characterised in that the device comprises:
a statistical learning module, configured to collect statistics on the processing information of the malware dynamic behaviour analysis system for malware samples over a past period of time, and to learn the processing rule of the malware dynamic behaviour analysis system for malware samples;
a warning processing module, configured to obtain the current processing state of the malware dynamic behaviour analysis system for malware samples, and to send an early warning when the current processing state does not match the processing rule.
10. The device of claim 9, characterised in that the processing information comprises the busy-idle state transition duration of each node and the handling duration for a single sample; the processing rule comprises the average busy-idle state transition duration of each node within the past period and the average handling duration for a single sample.
11. The device of claim 10, characterised in that the warning processing module comprises:
a first acquiring unit, configured to obtain, for each node in the malware dynamic behaviour analysis system, the busy-idle state transition duration and the handling duration for a single sample within a time cycle of predetermined length;
a first alarm unit, configured to generate node warning information for the corresponding node if the difference between the busy-idle state transition duration in the current time cycle and the average transition duration is greater than a preset first threshold, or the difference between the handling duration for a single sample in the current time cycle and the average handling duration is greater than a preset second threshold.
12. The device of claim 11, characterised in that the warning processing module further comprises:
a second alarm unit, configured to send a system management alarm and stop the corresponding node's processing of malware samples if the number of times node warning information is generated consecutively for a node reaches a predetermined first threshold value.
13. The device of claim 11, characterised in that the processing information further comprises the number of malware samples processed, and the processing rule further comprises a reference mean of the number of malware samples processed within a time cycle of predetermined length.
14. The device of claim 13, characterised in that the warning processing module further comprises:
a second acquiring unit, configured to obtain the mean value of the total number of samples processed by the malware dynamic behaviour analysis system within the current time cycle;
a third alarm unit, configured to send system alarm information when the difference between the mean value of the total number of samples processed within the current time cycle and the reference mean is greater than a preset third threshold.
15. The device of claim 14, characterised in that the warning processing module further comprises:
a fourth alarm unit, configured to send a system management alarm if the number of times the system alarm information is sent consecutively reaches a predetermined second threshold value.
16. The device of claim 14, characterised in that the third alarm unit is further configured to send the system alarm information when the number of nodes in the system remains unchanged, the number of nodes generating the node warning information is lower than a preset third threshold value, and the difference between the mean value of the total number of samples processed within the current time cycle and the reference mean is greater than the preset third threshold.
CN201310146238.0A 2013-04-24 2013-04-24 Early warning method and device for malicious software dynamic behavior analysis system Active CN104123494B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310146238.0A CN104123494B (en) 2013-04-24 2013-04-24 Early warning method and device for malicious software dynamic behavior analysis system

Publications (2)

Publication Number Publication Date
CN104123494A true CN104123494A (en) 2014-10-29
CN104123494B CN104123494B (en) 2017-12-29

Family

ID=51768903

Country Status (1)

Country Link
CN (1) CN104123494B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107317799A (en) * 2017-05-26 2017-11-03 北京金山安全管理系统技术有限公司 Viral early-warning processing method and device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101924762A (en) * 2010-08-18 2010-12-22 奇智软件(北京)有限公司 Active defense method based on cloud security
US20110023118A1 (en) * 2009-07-21 2011-01-27 Wright Clifford C Behavioral-based host intrusion prevention system
CN101986324A (en) * 2009-10-01 2011-03-16 卡巴斯基实验室封闭式股份公司 Asynchronous processing of events for malware detection
US8171545B1 (en) * 2007-02-14 2012-05-01 Symantec Corporation Process profiling for behavioral anomaly detection
CN102457495A (en) * 2010-10-21 2012-05-16 中华电信股份有限公司 Network virus protection method and system
US20120304244A1 (en) * 2011-05-24 2012-11-29 Palo Alto Networks, Inc. Malware analysis system

Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder
Address after: 100041 room 3, 3 West well road, Badachu hi tech park, Shijingshan District, Beijing, 1100A
Patentee after: Beijing Cheetah Mobile Technology Co.,Ltd.; Beijing Cheetah Network Technology Co.,Ltd.; BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd.; ZHUHAI JUNTIAN ELECTRONIC TECHNOLOGY Co.,Ltd.; CONEW NETWORK TECHNOLOGY (BEIJING) Co.,Ltd.
Address before: 100041 room 3, 3 West well road, Badachu hi tech park, Shijingshan District, Beijing, 1100A
Patentee before: SHELL INTERNET (BEIJING) SECURITY TECHNOLOGY Co.,Ltd.; BEIJING KINGSOFT NETWORK TECHNOLOGY Co.,Ltd.; BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd.; ZHUHAI JUNTIAN ELECTRONIC TECHNOLOGY Co.,Ltd.; CONEW NETWORK TECHNOLOGY (BEIJING) Co.,Ltd.