Detecting malicious files
Abstract
Detecting malicious files is disclosed, including: executing a candidate file; monitoring the execution of the candidate file; generating a monitored action record corresponding to the execution of the candidate file; determining that at least one malicious action included in the monitored action record is included in a preset malicious action set; and determining that the candidate file is a malicious file.
Claims (20 claims; 44 citations)

1. A method, comprising:
receiving information associated with executing a candidate file;
executing the candidate file;
monitoring the execution of the candidate file;
generating a monitored action record corresponding to the execution of the candidate file, including by:
executing the candidate file by at least two virtual machines based at least in part on the information associated with executing the candidate file, wherein each virtual machine corresponds to the candidate file; and
invoking one or more functions in a preset dynamic link library (DLL) during the execution of the candidate file to monitor the execution of the candidate file and generate the monitored action record corresponding to the execution of the candidate file;
determining that at least one malicious action included in the monitored action record is included in a preset malicious action set; and
determining that the candidate file is a malicious file.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9

10. A computer program product, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
receiving information associated with executing a candidate file;
executing the candidate file;
monitoring the execution of the candidate file;
generating a monitored action record corresponding to the execution of the candidate file, including by:
executing the candidate file by at least two virtual machines based at least in part on the information associated with executing the candidate file, wherein each virtual machine corresponds to the candidate file; and
invoking one or more functions in a preset dynamic link library (DLL) during the execution of the candidate file to monitor the execution of the candidate file and generate the monitored action record corresponding to the execution of the candidate file;
determining that at least one malicious action included in the monitored action record is included in a preset malicious action set; and
determining that the candidate file is a malicious file.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18

19. A system, comprising:
one or more processors configured to:
receive information associated with executing a candidate file;
execute the candidate file;
monitor the execution of the candidate file;
generate a monitored action record corresponding to the execution of the candidate file, including to:
execute the candidate file by at least two virtual machines based at least in part on the information associated with executing the candidate file, wherein each virtual machine corresponds to the candidate file; and
invoke one or more functions in a preset dynamic link library (DLL) during the execution of the candidate file to monitor the execution of the candidate file and generate the monitored action record corresponding to the execution of the candidate file;
determine that at least one malicious action included in the monitored action record is included in a preset malicious action set; and
determine that the candidate file is a malicious file; and
one or more memories coupled to the one or more processors, configured to provide the one or more processors with instructions.

20. A method, comprising:
executing a candidate file;
monitoring the execution of the candidate file;
generating a monitored action record corresponding to the execution of the candidate file;
generating a preset malicious action set, including by:
creating a first training sample set and a second training sample set, wherein the first training sample set comprises at least one malicious sample file and the second training sample set comprises at least one non-malicious sample file;
executing the first training sample set to generate a first sample action record and executing the second training sample set to generate a second sample action record;
determining a corresponding occurrence frequency for each action type in the first sample action record and the second sample action record;
generating a first sample action set based on a first preset occurrence frequency threshold value and a second sample action set based on a second preset occurrence frequency threshold value, wherein the first sample action set comprises zero or more action types included in the first sample action record whose corresponding occurrence frequencies are greater than the first preset occurrence frequency threshold value, and wherein the second sample action set comprises zero or more action types included in the second sample action record whose corresponding occurrence frequencies are greater than the second preset occurrence frequency threshold value; and
determining the preset malicious action set based at least in part on the first sample action set and the second sample action set;
determining that at least one malicious action included in the monitored action record is included in the preset malicious action set; and
determining that the candidate file is a malicious file.
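The following Python is an added worked example of the classification logic described in claims 1 and 20; it is not code from the patent or its assignee. It merges the action records produced by two or more sandbox virtual machines (claim 1), derives the preset malicious action set from labelled training sample records using the two occurrence-frequency thresholds (claim 20), and then checks a candidate's monitored action record against that set. The sample action records, action-type names and threshold values are constructed for illustration. Two details the claims leave open are filled in as labelled assumptions: occurrence frequency is taken to be the fraction of sample files whose record contains the action type, and "based at least in part on" the two sample action sets is realised as the set difference (action types frequent among malicious samples but not frequent among benign ones), which is the simplest way to keep common benign actions such as library loading out of the malicious set.

```python
from collections import Counter

# Constructed sample action records (not from the patent). Each record is the
# ordered list of action types observed while a sample file ran in the sandbox.
# Action-type names are illustrative labels, not the DLL's real hook names.
MALICIOUS_SAMPLE_RECORDS = [
    ["LoadLibrary", "WriteFile", "RegSetValue:Run", "CreateRemoteThread"],
    ["LoadLibrary", "RegSetValue:Run", "CreateRemoteThread", "InternetOpenUrl"],
    ["LoadLibrary", "WriteFile", "RegSetValue:Run", "InternetOpenUrl"],
    ["LoadLibrary", "CreateRemoteThread", "RegSetValue:Run"],
]
BENIGN_SAMPLE_RECORDS = [
    ["LoadLibrary", "WriteFile", "CreateFile"],
    ["LoadLibrary", "CreateFile", "WriteFile"],
    ["LoadLibrary", "RegSetValue:Run", "CreateFile"],
    ["LoadLibrary", "WriteFile"],
]

# Constructed thresholds (the claim only says they are preset values).
MALICIOUS_FREQUENCY_THRESHOLD = 0.6
BENIGN_FREQUENCY_THRESHOLD = 0.5


def merge_vm_records(per_vm_records):
    """Claim 1: the candidate runs in at least two VMs; combine their records
    into one monitored action record, keeping first-seen order and dropping
    exact repeats so one action is not counted once per VM."""
    merged, seen = [], set()
    for record in per_vm_records:
        for action in record:
            if action not in seen:
                seen.add(action)
                merged.append(action)
    return merged


def action_frequencies(records):
    """Assumption: occurrence frequency of an action type is the fraction of
    sample files whose record contains it at least once."""
    counts = Counter()
    for record in records:
        for action in set(record):
            counts[action] += 1
    return {action: n / len(records) for action, n in counts.items()}


def frequent_actions(records, threshold):
    """Action types whose frequency is strictly greater than the threshold,
    matching the claim's 'greater than' wording."""
    return {a for a, f in action_frequencies(records).items() if f > threshold}


def build_malicious_action_set(malicious_records, benign_records,
                               malicious_threshold, benign_threshold):
    """Claim 20: derive the preset malicious action set from the two sample sets."""
    first_sample_action_set = frequent_actions(malicious_records, malicious_threshold)
    second_sample_action_set = frequent_actions(benign_records, benign_threshold)
    # Assumption: 'based at least in part on' both sets is implemented as the
    # set difference, so actions common to benign software are excluded.
    return first_sample_action_set - second_sample_action_set


def classify(monitored_record, malicious_action_set):
    """Claims 1 and 20: the candidate is malicious if at least one action in its
    monitored record is in the preset malicious action set. Returns the verdict
    and the matching actions, which is what an analyst wants logged."""
    hits = [a for a in monitored_record if a in malicious_action_set]
    return bool(hits), hits


if __name__ == "__main__":
    malicious_set = build_malicious_action_set(
        MALICIOUS_SAMPLE_RECORDS, BENIGN_SAMPLE_RECORDS,
        MALICIOUS_FREQUENCY_THRESHOLD, BENIGN_FREQUENCY_THRESHOLD)
    print("preset malicious action set:", sorted(malicious_set))

    # Constructed per-VM records for one candidate file.
    candidate_record = merge_vm_records([
        ["LoadLibrary", "WriteFile"],
        ["LoadLibrary", "CreateRemoteThread"],
    ])
    print("candidate verdict:", classify(candidate_record, malicious_set))
```

With the constructed data, `LoadLibrary` appears in every malicious sample but is also frequent among benign samples, so the set difference removes it and the resulting malicious action set is `{"RegSetValue:Run", "CreateRemoteThread"}`; a candidate whose merged record contains `CreateRemoteThread` is flagged, while one that only loads libraries and writes files is not. Because `frequent_actions` uses a strict comparison, an action seen in exactly half the malicious samples does not pass a threshold of 0.5, so threshold values should be chosen with the training-set size in mind.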
Specification