FIELD: information technology.
SUBSTANCE: a method of detecting malicious files executed by a stack-based virtual machine, that is, a virtual machine in which the operands of every executed function are held in a single data structure, the stack of the virtual machine. The method comprises:
a) extracting data from at least one file executed by the stack-based virtual machine. The extracted data comprise at least the parameters of the file's sections, which include at least the section code, the section name, the section header type, the offset to the section data and the section data size; and the parameters of the functions executed by the stack-based virtual machine, which include at least the function body index, the position and length of the function code within the section, the function descriptor index, the maximum stack depth during execution of the function, the number of local variables used by the function, the function name, the number of operands and the return data type;
b) searching, using the data extracted in step a), a cluster base of safe files for at least one cluster that contains either a value of one of the file section parameters exceeding a specified threshold, or a value of one of the parameters of a function executed by the stack-based virtual machine exceeding a specified threshold;
c) extracting data from each cluster found in step b). These data comprise at least the file section parameters (section code, section name, section header type, offset to the section data, section data size) and the parameters of the functions executed by the stack-based virtual machine (function body index, position and length of the function code within the section, function descriptor index, maximum stack depth during execution of the function, number of local variables used by the function, function name, number of operands, return data type);
d) creating, by means of clustering rules, at least one cluster from the data extracted in step a), excluding the data that correspond to the data extracted in step c);
e) calculating a checksum of at least one created cluster;
f) searching for the calculated checksum in a base of cluster checksums of malicious files;
g) issuing a verdict that at least one malicious file has been detected if the search of step f) finds the calculated checksum in the base of cluster checksums of malicious files.
EFFECT: detection of malicious files executed by a stack-based virtual machine on a computer system, by creating and using clusters of the analysed files' data and by using the data of clusters found in the safe-files cluster base, thereby ensuring the security of the computer system.
3 claims, 3 drawings
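The pipeline of steps a) to g) above, as an added worked example that is not the patent's own code. No real file format is parsed: step a) is replaced by constructed records carrying exactly the section and function parameters the abstract lists, and the thresholds (`THRESHOLDS`), the clustering rules (sections by header type, functions by return type), the choice of fields that go into the checksum (`HASHED_FIELDS`), and the contents of both the safe-cluster base and the malicious-checksum base are assumptions made for this example. The malicious base is populated by running the same pipeline over a constructed "known malicious" sample, which is how such a base would be built in practice.

```python
"""Cluster/checksum detection pipeline from the abstract (added example, not patent code)."""
import hashlib
import json
from collections import namedtuple

# Records carry the parameters the abstract lists, in the order given there.
Section = namedtuple("Section", "code name header_type data_offset data_size")
Function = namedtuple("Function", "body_index code_pos code_len descriptor_index "
                      "max_stack local_count name operand_count return_type")

# Assumed thresholds (step b): only values above these are characteristic enough
# to match a safe cluster; smaller values are too common to mean anything.
THRESHOLDS = {"data_size": 1024, "code_len": 256}

# Assumed design choice: offsets and indices change on every rebuild, so matching
# and hashing use only these position-independent fields of each record.
HASHED_FIELDS = {
    Section: ("code", "name", "header_type", "data_size"),
    Function: ("code_len", "max_stack", "local_count", "name", "operand_count", "return_type"),
}


def project(record):
    """Position-independent view of a record as a canonical JSON string."""
    d = record._asdict()
    return json.dumps({k: d[k] for k in HASHED_FIELDS[type(record)]}, sort_keys=True)


def exceeds(record, thresholds):
    """True if any thresholded parameter of the record is above its threshold."""
    d = record._asdict()
    return any(d[k] > t for k, t in thresholds.items() if k in d)


def find_safe_clusters(file_data, safe_base, thresholds):
    """Steps b) and c): select safe clusters that share with the file a record whose
    thresholded parameter exceeds the threshold; return all records of those clusters."""
    significant = {project(r) for kind in ("sections", "functions")
                   for r in file_data[kind] if exceeds(r, thresholds)}
    excluded = set()
    for cluster in safe_base:
        keys = {project(r) for r in cluster["sections"] + cluster["functions"]}
        if keys & significant:
            excluded |= keys          # the whole cluster is pulled in, not just the hit
    return excluded


def build_clusters(file_data, excluded):
    """Step d): assumed clustering rules, skipping records that match safe-cluster data."""
    rules = {"sections": lambda s: ("section", s.header_type),
             "functions": lambda f: ("function", f.return_type)}
    clusters = {}
    for kind, rule in rules.items():
        for r in file_data[kind]:
            if project(r) not in excluded:
                clusters.setdefault(rule(r), []).append(project(r))
    return clusters


def cluster_checksum(key, records):
    """Step e): order-independent SHA-256 over the cluster's canonical form."""
    canon = json.dumps([list(key), sorted(records)])
    return hashlib.sha256(canon.encode()).hexdigest()


def cluster_checksums(file_data, safe_base, thresholds=THRESHOLDS):
    """Checksums of every cluster of a file; also used to populate the malicious base."""
    excluded = find_safe_clusters(file_data, safe_base, thresholds)
    return {cluster_checksum(k, v) for k, v in build_clusters(file_data, excluded).items()}


def analyse(file_data, safe_base, malicious_base, thresholds=THRESHOLDS):
    """Steps f) and g): the verdict plus the checksums that hit the malicious base."""
    hits = cluster_checksums(file_data, safe_base, thresholds) & malicious_base
    return bool(hits), sorted(hits)


# Constructed sample data; none of it comes from a real file.
INIT = Function(0, 0x20, 512, 0, 4, 3, "init", 0, "void")           # runtime boilerplate
GET_TIMER = Function(2, 0xA20, 96, 2, 2, 1, "getTimer", 0, "int")   # runtime boilerplate

SAFE_CLUSTER_BASE = [
    {"sections": [], "functions": [INIT]},
    {"sections": [], "functions": [GET_TIMER]},
]
KNOWN_MALICIOUS = {
    "sections": [Section(82, "DoABC", "long", 0x15, 20480)],
    "functions": [INIT, Function(1, 0x300, 2048, 1, 12, 9, "loader", 2, "void")],
}
MALICIOUS_CHECKSUM_BASE = cluster_checksums(KNOWN_MALICIOUS, SAFE_CLUSTER_BASE)

SAMPLE_FILE = {   # carries the same "loader" code at a different offset and body index
    "sections": [Section(82, "DoABC", "long", 0x15, 16384),
                 Section(1, "ShowFrame", "short", 0x4015, 0)],
    "functions": [INIT, Function(1, 0x220, 2048, 1, 12, 9, "loader", 2, "void"), GET_TIMER],
}
CLEAN_FILE = {
    "sections": [Section(82, "DoABC", "long", 0x15, 8192),
                 Section(1, "ShowFrame", "short", 0x2015, 0)],
    "functions": [INIT, GET_TIMER],
}

if __name__ == "__main__":
    print("sample:", analyse(SAMPLE_FILE, SAFE_CLUSTER_BASE, MALICIOUS_CHECKSUM_BASE))
    print("clean: ", analyse(CLEAN_FILE, SAFE_CLUSTER_BASE, MALICIOUS_CHECKSUM_BASE))
```

Two points a practitioner should take from the run. First, the safe-file base is an exclusion list, not a whitelist for the whole file: matching one significant record (`init`, whose code length is above the threshold) removes that cluster's entire data from clustering, so shared runtime code does not end up inside the hashed cluster, and the checksum of the remaining "void" cluster matches the known-malicious sample even though the loader sits at a different offset. Second, the malicious-checksum base is only valid for the safe base and thresholds it was built with; rebuild it whenever either changes, or the hashes silently stop matching. The `getTimer` record, whose code length is below the threshold, is deliberately left in the analysed clusters to show that the threshold, not mere presence in the safe base, decides what is excluded.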
Title | Year | Author | Number |
---|---|---|---|
SYSTEM AND METHOD OF DETECTING MALICIOUS FILES ACCOMPANIED WITH USING THE STATIC ANALYSIS ELEMENTS | 2017 | | RU2654146C1 |
METHOD AND SYSTEM FOR CLUSTERING EXECUTABLE FILES | 2021 | | RU2778979C1 |
SYSTEM AND METHOD OF CLASSIFICATION OF OBJECTS | 2017 | | RU2679785C1 |
METHOD AND SYSTEM FOR DETECTING MALICIOUS FILES IN A NON-ISOLATED MEDIUM | 2020 | | RU2722692C1 |
SYSTEM AND METHOD FOR TRAINING HARMFUL CONTAINER DETECTION MODEL | 2018 | | RU2697955C2 |
SYSTEM AND METHOD OF MACHINE TRAINING MODEL OF DETECTING MALICIOUS FILES | 2017 | | RU2673708C1 |
SYSTEM AND METHOD OF DETECTION OF MALICIOUS FILES USING A TRAINED MALWARE DETECTION PATTERN | 2017 | | RU2654151C1 |
SYSTEM AND METHOD OF MANAGING COMPUTING RESOURCES FOR DETECTING MALICIOUS FILES | 2017 | | RU2659737C1 |
SYSTEM AND METHOD OF DETECTING A MALICIOUS FILE | 2018 | | RU2739865C2 |
SYSTEM AND METHOD OF SELECTING MEANS OF DETECTING MALICIOUS FILES | 2019 | | RU2739830C1 |
Dates: filed 2015-06-30; published 2017-07-04.