Detecting malicious files

US 9,928,364 B2
Filed: 05/09/2016
Issued: 03/27/2018
Est. Priority Date: 05/20/2015
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a candidate file from a client;

obtaining a basic information associated with the candidate file through analyzing the candidate file;

encrypting the candidate file;

storing the basic information associated with the candidate file to a database and storing the encrypted candidate file to a file server;

receiving a file checking task, wherein the file checking task comprises a storage address of the candidate file and the basic information associated with executing the candidate file;

sending the file checking task to a detection device, wherein the file checking task causes the detection device to;

use the storage address to acquire the candidate file from the file server;

execute the candidate file based at least in part on the basic information associated with the candidate file;

monitor the execution of the candidate file; and

generate a monitored action record corresponding to the execution of the candidate file;

receiving the monitored action record from the detection device, wherein the monitored action record comprises an action associated with one or more of the following;

a file creation function, a file deletion function, an information changing function, a registration table creation function, and a registration table value setting function;

determining a set of actions included in the monitored action record that matches one or more action types included in a preset malicious action set; and

determining whether the candidate file is a malicious file based at least in part on the determined set of actions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Detecting malicious files is disclosed, including: receiving a file checking task, wherein the file checking task comprises a storage address of a candidate file and basic information associated with executing the candidate file; sending the file checking task to a detection device, wherein the file checking task causes the detection device to: use the storage address to acquire the candidate file from a file server; execute the candidate file based at least in part on the basic information associated with the candidate file; monitor the execution of the candidate file; and generate a monitored action record corresponding to the execution of the candidate file; and receiving the monitored action record from the detection device; determining a set of actions included in the monitored action record that matches one or more action types included in a preset malicious action set; and determining whether the candidate file is a malicious file based at least in part on the determined set of actions.

27 Citations

View as Search Results

15 Claims

1. A method, comprising:
- receiving a candidate file from a client;
  
  obtaining a basic information associated with the candidate file through analyzing the candidate file;
  
  encrypting the candidate file;
  
  storing the basic information associated with the candidate file to a database and storing the encrypted candidate file to a file server;
  
  receiving a file checking task, wherein the file checking task comprises a storage address of the candidate file and the basic information associated with executing the candidate file;
  
  sending the file checking task to a detection device, wherein the file checking task causes the detection device to;
  
  use the storage address to acquire the candidate file from the file server;
  
  execute the candidate file based at least in part on the basic information associated with the candidate file;
  
  monitor the execution of the candidate file; and
  
  generate a monitored action record corresponding to the execution of the candidate file;
  
  receiving the monitored action record from the detection device, wherein the monitored action record comprises an action associated with one or more of the following;
  
  a file creation function, a file deletion function, an information changing function, a registration table creation function, and a registration table value setting function;
  
  determining a set of actions included in the monitored action record that matches one or more action types included in a preset malicious action set; and
  
  determining whether the candidate file is a malicious file based at least in part on the determined set of actions.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising generating the preset malicious action set, including by:
    - creating a first training sample set and a second training sample set, wherein the first training sample set comprises a plurality of malicious sample files and the second training sample set comprises a plurality of not malicious sample files;
      
      executing the first training sample set to generate a first sample action record and executing the second training sample set to generate a second sample action record;
      
      determining a corresponding occurrence frequency for each action type in the first sample action record and in the second sample action record;
      
      generating a first sample action set based on a first preset occurrence frequency threshold value and a second sample action set based on a second preset occurrence frequency threshold value, wherein the first sample action set comprises one or more action types included in the first sample action record whose corresponding occurrence frequencies are greater than the first preset occurrence frequency threshold value, and wherein the second sample action set comprises one or more action types included in the second sample action record whose corresponding occurrence frequencies are greater than the second preset occurrence frequency threshold value; and
      
      determining the preset malicious action set based at least in part on the first sample action set and the second sample action set.
  - 3. The method of claim 1, further comprising generating the preset malicious action set, including by:
    - creating a first training sample set and a second training sample set, wherein the first training sample set comprises a plurality of malicious sample files and the second training sample set comprises a plurality of not malicious sample files;
      
      executing the first training sample set to generate a first sample action record and executing the second training sample set to generate a second sample action record;
      
      determining a corresponding occurrence frequency for each action type in the first sample action record and in the second sample action record;
      
      generating a first sample action set based on a first preset occurrence frequency threshold value and a second sample action set based on a second preset occurrence frequency threshold value, wherein the first sample action set comprises one or more action types included in the first sample action record whose corresponding occurrence frequencies are greater than the first preset occurrence frequency threshold value, and wherein the second sample action set comprises one or more action types included in the second sample action record whose corresponding occurrence frequencies are greater than the second preset occurrence frequency threshold value; and
      
      determining the preset malicious action set based at least in part on the first sample action set and the second sample action set, wherein determining the preset malicious action set based at least in part on the first sample action set and the second sample action set comprises;
      
      performing a set intersection operation on the first sample action set and the second sample action set to obtain a third sample action set, wherein the third sample action set comprises one or more action types that are included in both the first sample action set and the second sample action set; and
      
      deleting one or more action types from the first sample action set that match an action type included in the third sample action set to obtain the preset malicious action set.
  - 4. The method of claim 1, wherein the candidate file is encrypted with an asymmetrical encryption technique.
  - 5. The method of claim 1, wherein determining whether the candidate file is the malicious file based at least in part on the determined set of actions comprises determining whether matching malicious actions included in the determined set of actions exceeds a preset malicious action threshold value.

6. A computer program product, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
- receiving a candidate file from a client;
  
  obtaining a basic information associated with the candidate file through analyzing the candidate file;
  
  encrypting the candidate file;
  
  storing the basic information associated with the candidate file to a database and storing the encrypted candidate file to a file server;
  
  receiving a file checking task, wherein the file checking task comprises at least a storage address of the candidate file and the basic information associated with executing the candidate file;
  
  sending the file checking task to a detection device, wherein the file checking task causes the detection device to;
  
  use the storage address to acquire the candidate file from the file server;
  
  execute the candidate file based at least in part on the basic information associated with the candidate file;
  
  monitor the execution of the candidate file; and
  
  generate a monitored action record corresponding to the execution of the candidate file;
  
  receiving the monitored action record from the detection device, wherein the monitored action record comprises an action associated with one or more of the following;
  
  a file creation function, a file deletion function, an information changing function, a registration table creation function, and a registration table value setting function;
  
  determining a set of actions included in the monitored action record that matches one or more action types included in a preset malicious action set; and
  
  determining whether the candidate file is a malicious file based at least in part on the determined set of actions.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computer program product of claim 6, further comprising generating the preset malicious action set, including by:
    - creating a first training sample set and a second training sample set, wherein the first training sample set comprises a plurality of malicious sample files and the second training sample set comprises a plurality of not malicious sample files;
      
      executing the first training sample set to generate a first sample action record and executing the second training sample set to generate a second sample action record;
      
      determining a corresponding occurrence frequency for each action type in the first sample action record and in the second sample action record;
      
      generating a first sample action set based on a first preset occurrence frequency threshold value and a second sample action set based on a second preset occurrence frequency threshold value, wherein the first sample action set comprises one or more action types included in the first sample action record whose corresponding occurrence frequencies are greater than the first preset occurrence frequency threshold value, and wherein the second sample action set comprises one or more action types included in the second sample action record whose corresponding occurrence frequencies are greater than the second preset occurrence frequency threshold value; and
      
      determining the preset malicious action set based at least in part on the first sample action set and the second sample action set.
  - 8. The computer program product of claim 6, further comprising generating the preset malicious action set, including by:
    - creating a first training sample set and a second training sample set, wherein the first training sample set comprises a plurality of malicious sample files and the second training sample set comprises a plurality of not malicious sample files;
      
      executing the first training sample set to generate a first sample action record and executing the second training sample set to generate a second sample action record;
      
      determining a corresponding occurrence frequency for each action type in the first sample action record and in the second sample action record;
      
      generating a first sample action set based on a first preset occurrence frequency threshold value and a second sample action set based on a second preset occurrence frequency threshold value, wherein the first sample action set comprises one or more action types included in the first sample action record whose corresponding occurrence frequencies are greater than the first preset occurrence frequency threshold value, and wherein the second sample action set comprises one or more action types included in the second sample action record whose corresponding occurrence frequencies are greater than the second preset occurrence frequency threshold value; and
      
      determining the preset malicious action set based at least in part on the first sample action set and the second sample action set, wherein determining the preset malicious action set based at least in part on the first sample action set and the second sample action set comprises;
      
      performing a set intersection operation on the first sample action set and the second sample action set to obtain a third sample action set, wherein the third sample action set comprises one or more action types that are included in both the first sample action set and the second sample action set; and
      
      deleting one or more action types from the first sample action set that match an action type included in the third sample action set to obtain the preset malicious action set.
  - 9. The computer program product of claim 6, wherein the candidate file is encrypted with an asymmetrical encryption technique.
  - 10. The computer program product of claim 6, wherein determining whether the candidate file is the malicious file based at least in part on the determined set of actions comprises determining whether matching malicious actions included in the determined set of actions exceeds a preset malicious action threshold value.

11. A method, comprising:
- receiving a candidate file from a client;
  
  obtaining a basic information associated with the candidate file through analyzing the candidate file;
  
  encrypting the candidate file;
  
  storing the basic information associated with the candidate file to a database and storing the encrypted candidate file to a file server;
  
  receiving a file checking task from a file checking device, wherein the file checking task comprises at least a storage address of the candidate file and the basic information associated with executing the candidate file;
  
  obtaining the candidate file using the storage address associated with the candidate file;
  
  executing the candidate file based at least in part on the basic information associated with executing the candidate file;
  
  generating a monitored action record based at least in part on monitoring the execution of the candidate file, wherein the monitored action record comprises an action associated with one or more of the following;
  
  a file creation function, a file deletion function, an information changing function, a registration table creation function, and a registration table value setting function; and
  
  sending the candidate file to the file checking device, wherein receipt of the candidate file causes the file checking device to;
  
  determine a determined set of actions included in the monitored action record that matches one or more action types included in a preset malicious action set; and
  
  determine whether the candidate file is a malicious file based at least in part on the determined set of actions.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, wherein generating the monitored action record based at least in part on monitoring the execution of the candidate file comprises:
    - executing the candidate file by at least two virtual machines based at least in part on the basic information associated with executing the candidate file, wherein each virtual machine corresponds to the candidate file; and
      
      invoking one or more functions in a preset dynamic link library (DLL) during the execution of the candidate file to monitor the execution of the candidate file and generate the monitored action record corresponding to the execution of the candidate file.
  - 13. The method of claim 11, wherein generating the monitored action record based at least in part on monitoring the execution of the candidate file comprises:
    - executing the candidate file by at least two virtual machines based at least in part on the basic information associated with executing the candidate file, wherein each virtual machine corresponds to the candidate file, wherein each virtual machine that corresponds to the candidate file comprises;
      
      determining a decryption technique for the candidate file that is encrypted;
      
      using the decryption technique to decrypt the candidate file;
      
      establishing virtual runtime environments in the at least two virtual machines according to the basic information associated with executing the candidate file; and
      
      executing the candidate file by each of the at least two virtual machines, wherein reading and writing operations generated during execution of the candidate file are reset to a corresponding address configured with each virtual machine; and
      
      invoking one or more functions in a preset dynamic link library (DLL) during the execution of the candidate file to monitor the execution of the candidate file and generate the monitored action record corresponding to the execution of the candidate file.
  - 14. The method of claim 11, wherein the candidate file is obtained from a file server that is identified at least in part by the storage address.
  - 15. The method of claim 11, wherein the candidate file is encrypted with an asymmetrical encryption technique.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alibaba Group Holding Ltd.
Original Assignee
Alibaba Group Holding Ltd.
Inventors
Wang, Zhen
Primary Examiner(s)
Perungavoor, Venkat

Application Number

US15/149,938
Publication Number

US 20160342787A1
Time in Patent Office

687 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2218/12   Classification; Matching

Detecting malicious files

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

27 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

Detecting malicious files

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others