公开(公告)号：US09465941B2

公开(公告)日：2016-10-11

申请号：US14162139

申请日：2014-01-23

Applicant: Huawei Technologies Co., Ltd.

Inventor： Peng Wang ,  Peng Yun

IPC: G06F21/53 ,  G06F21/56

CPC classification number: G06F21/566

Abstract: A method, a system, and an apparatus for detecting malicious code to solve the problem that detection efficiency is low and that more resources are occupied. The method includes: monitoring execution of an instruction in a virtual machine supervisor of a host computer, where the instruction is generated in escape mode when a read-write request generated during execution of program code in a virtual machine of the host computer is delivered to the virtual machine supervisor; obtaining execution characteristics of the program code according to execution of the instruction; and comparing the obtained execution characteristics with pre-stored execution characteristics of known malicious code, and determining that the program code is malicious code when the obtained execution characteristics and the pre-stored execution characteristics are the same. This improves the detection efficiency, and saves the storage resources and the processing resources in the host computer.

Abstract translation: 一种用于检测恶意代码以解决检测效率低且占用更多资源的问题的方法，系统和装置。 该方法包括：监视在主计算机的虚拟机主管中的指令的执行，其中当在主计算机的虚拟机中执行程序代码期间产生的读写请求被传送到主计算机的虚拟机中时，以转义模式生成指令 虚拟机主管; 根据指令的执行获得程序代码的执行特性; 以及将所获得的执行特性与已知恶意代码的预先存储的执行特性进行比较，并且当获得的执行特性和预存的执行特性相同时，确定程序代码是恶意代码。 这提高了检测效率，并节省了主机中的存储资源和处理资源。

公开(公告)号：US20140137255A1

公开(公告)日：2014-05-15

申请号：US14162139

申请日：2014-01-23

Applicant: Huawei Technologies Co., Ltd.

Inventor： Peng Wang ,  Peng Yun

IPC: G06F21/56

CPC classification number: G06F21/566

Abstract: A method, a system, and an apparatus for detecting malicious code to solve the problem that detection efficiency is low and that more resources are occupied. The method includes: monitoring execution of an instruction in a virtual machine supervisor of a host computer, where the instruction is generated in escape mode when a read-write request generated during execution of program code in a virtual machine of the host computer is delivered to the virtual machine supervisor; obtaining execution characteristics of the program code according to execution of the instruction; and comparing the obtained execution characteristics with pre-stored execution characteristics of known malicious code, and determining that the program code is malicious code when the obtained execution characteristics and the pre-stored execution characteristics are the same. This improves the detection efficiency, and saves the storage resources and the processing resources in the host computer.

Abstract translation: 一种用于检测恶意代码以解决检测效率低且占用更多资源的问题的方法，系统和装置。 该方法包括：监视在主计算机的虚拟机主管中的指令的执行，其中当在主计算机的虚拟机中执行程序代码期间产生的读写请求被传送到主计算机的虚拟机中时，以转义模式生成指令 虚拟机主管; 根据指令的执行获得程序代码的执行特性; 以及将所获得的执行特性与已知恶意代码的预先存储的执行特性进行比较，并且当获得的执行特性和预存的执行特性相同时，确定程序代码是恶意代码。 这提高了检测效率，并节省了主机中的存储资源和处理资源。