CN110336835B - Malicious behavior detection method, user equipment, storage medium and device - Google Patents


Info

Publication number: CN110336835B
Authority: CN (China)
Prior art keywords: malicious, behavior, preset, flow, traffic
Legal status: Active
Application number: CN201910720423.3A
Other languages: Chinese (zh)
Other versions: CN110336835A (en)
Inventors: 蒲大峰, 周运金
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd

Events: application filed by Sangfor Technologies Co Ltd; priority to CN201910720423.3A; publication of CN110336835A; application granted; publication of CN110336835B; legal status active.

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1425: Traffic logging, e.g. anomaly detection

Abstract

The invention relates to the technical field of network security and discloses a malicious behavior detection method, user equipment, a storage medium and a device. In the invention, the traffic to be detected is obtained; each traffic feature corresponding to each preset feature type is extracted from the traffic to be detected, where the preset feature types are the feature types corresponding to malicious file downloading behavior; and malicious file downloading behavior is detected from the traffic features through a preset behavior detection model. By presetting multidimensional preset feature types and analyzing, through those feature types, whether the file downloading behavior contained in the traffic to be monitored is malicious file downloading behavior, the invention improves the accuracy of detecting malicious file downloading behavior and solves the technical problem that such behavior cannot be accurately detected.

Description

Malicious behavior detection method, user equipment, storage medium and device
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method, a user equipment, a storage medium, and an apparatus for detecting malicious behavior.
Background
Malicious attack behavior is increasing. In particular, a malicious attacker often attacks a company's server by exploiting security vulnerabilities, obtains the authority to execute a certain command on the attacked server, and then uses that authority to make the attacked server execute a download command that fetches a prepared malicious program onto the attacked server's local storage, thereby completing the malicious intrusion process.
To prevent this malicious intrusion process, corresponding protection means are often adopted; for example, it can be prevented by deploying an intranet sandbox, a virus-proof box, a firewall, antivirus software and the like. However, these protection measures do not perform well in terms of detection accuracy when detecting malicious file downloading behavior, which greatly reduces security.
Therefore, there is a technical problem that malicious file downloading behavior cannot be accurately detected.
The above is only for the purpose of assisting understanding of the technical aspects of the present invention, and does not represent an admission that the above is prior art.
Disclosure of Invention
The invention mainly aims to provide a method, user equipment, a storage medium and a device for detecting malicious behavior, so as to solve the technical problem that malicious file downloading behavior cannot be accurately detected.
To achieve the above object, the present invention provides a method for detecting malicious behavior, which comprises the following steps:
acquiring the traffic to be detected;
extracting each traffic feature corresponding to each preset feature type from the traffic to be detected, where the preset feature types are the feature types corresponding to malicious file downloading behavior;
and detecting malicious file downloading behavior from the traffic features through a preset behavior detection model.
Preferably, before the traffic to be detected is obtained, the method for detecting malicious behavior further includes:
acquiring a malicious access traffic sample containing malicious file downloading behavior;
extracting access features from the malicious access traffic sample;
and establishing the preset behavior detection model according to the access features.
Preferably, after the malicious access traffic sample containing malicious file downloading behavior is obtained, the method for detecting malicious behavior further includes:
extracting Hypertext Transfer Protocol (HTTP) traffic from the malicious access traffic sample;
and the extracting access features from the malicious access traffic sample specifically includes:
extracting the access features from the HTTP traffic.
Preferably, the establishing the preset behavior detection model according to the access features specifically includes:
training a first preset decision tree algorithm with the access features to obtain the preset behavior detection model.
Preferably, the detecting malicious file downloading behavior from the traffic features through a preset behavior detection model specifically includes:
acquiring a preset traversal order of the traffic features;
traversing the traffic features based on the preset traversal order, taking the traffic features whose feature type is the target feature type as the traffic features to be processed, determining the behavior judgment criterion corresponding to the target feature type, and detecting malicious file downloading behavior of the traffic features to be processed based on that behavior judgment criterion.
Preferably, before the preset traversal order of the traffic features is obtained, the method for detecting malicious behavior further includes:
determining, based on a second preset decision tree algorithm, the priority corresponding to each preset feature type according to the information gain corresponding to that preset feature type;
and forming the preset traversal order from the priorities.
Preferably, the traversing the traffic features based on the preset traversal order, taking the traffic features whose feature type is the target feature type as the traffic features to be processed, determining the behavior judgment criterion corresponding to the target feature type, and detecting malicious file downloading behavior of the traffic features to be processed based on that behavior judgment criterion specifically includes:
reading the sequentially ordered download file format type in the preset traversal order, and traversing the traffic features based on the preset traversal order;
and taking the traffic feature whose feature type is the download file format type as the traffic feature to be processed, determining the behavior judgment criterion corresponding to the download file format type, and detecting malicious file downloading behavior of the traffic feature to be processed based on that behavior judgment criterion.
In addition, to achieve the above object, the present invention further provides user equipment, which includes a memory, a processor, and a malicious behavior detection program stored in the memory and executable on the processor, where the malicious behavior detection program is configured to implement the steps of the malicious behavior detection method described above.
In addition, to achieve the above object, the present invention further provides a storage medium on which a malicious behavior detection program is stored; when the malicious behavior detection program is executed by a processor, the steps of the malicious behavior detection method described above are implemented.
In addition, to achieve the above object, the present invention further provides a malicious behavior detection apparatus, including:
a traffic detection module, configured to acquire the traffic to be detected;
a feature extraction module, configured to extract each traffic feature corresponding to each preset feature type from the traffic to be detected, where the preset feature types are the feature types corresponding to malicious file downloading behavior;
and a behavior detection module, configured to detect malicious file downloading behavior from the traffic features through a preset behavior detection model.
In the invention, the traffic to be detected is obtained; each traffic feature corresponding to each preset feature type is extracted from the traffic to be detected, where the preset feature types are the feature types corresponding to malicious file downloading behavior; and malicious file downloading behavior is detected from the traffic features through a preset behavior detection model. By presetting multidimensional preset feature types and analyzing, through those feature types, whether the file downloading behavior contained in the traffic to be monitored is malicious file downloading behavior, the invention improves the accuracy of detecting malicious file downloading behavior and solves the technical problem that such behavior cannot be accurately detected.
Drawings
FIG. 1 is a schematic diagram of a user equipment architecture of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a method for detecting malicious activities according to a first embodiment of the present invention;
FIG. 3 is a flowchart illustrating a malicious activity detection method according to a second embodiment of the present invention;
FIG. 4 is a flowchart illustrating a malicious activity detection method according to a third embodiment of the present invention;
FIG. 5 is a flow chart of behavior detection according to a third embodiment of the malicious behavior detection method of the present invention;
FIG. 6 is a block diagram of a malicious behavior detection apparatus according to a first embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a user equipment in a hardware operating environment according to an embodiment of the present invention.
As shown in fig. 1, the user equipment may include a processor 1001, such as a Central Processing Unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 is used to enable communication between these components. The user interface 1003 may include a display screen (Display), and optionally a standard wired interface and a wireless interface; in the present invention the wired interface of the user interface 1003 may be a Universal Serial Bus (USB) interface. The network interface 1004 may optionally include a standard wired interface as well as a wireless interface (e.g., a Wi-Fi interface). The memory 1005 may be a high-speed Random Access Memory (RAM), or a stable memory such as a non-volatile memory, and may be a disk memory. The memory 1005 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the architecture shown in fig. 1 does not constitute a limitation of the user equipment and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a kind of computer storage medium, may include therein an operating system, a network communication module, a user interface module, and a malicious behavior detection program.
In the user equipment shown in fig. 1, the network interface 1004 is mainly used for connecting to a backend server and performing data communication with the backend server; the user interface 1003 is mainly used for connecting peripheral equipment; the user equipment invokes, through the processor 1001, a malicious behavior detection program stored in the memory 1005, and performs the following operations:
acquiring the traffic to be detected;
extracting each traffic feature corresponding to each preset feature type from the traffic to be detected, where the preset feature types are the feature types corresponding to malicious file downloading behavior;
and detecting malicious file downloading behavior from the traffic features through a preset behavior detection model.
Further, the processor 1001 may call the malicious behavior detection program stored in the memory 1005, and further perform the following operations:
acquiring a malicious access traffic sample containing malicious file downloading behavior;
extracting access features from the malicious access traffic sample;
and establishing the preset behavior detection model according to the access features.
Further, the processor 1001 may call the malicious behavior detection program stored in the memory 1005, and further perform the following operations:
extracting Hypertext Transfer Protocol (HTTP) traffic from the malicious access traffic sample;
and accordingly, the following operation is also performed:
extracting the access features from the HTTP traffic.
Further, the processor 1001 may call the malicious behavior detection program stored in the memory 1005, and further perform the following operations:
training a first preset decision tree algorithm with the access features to obtain the preset behavior detection model.
Further, the processor 1001 may call the malicious behavior detection program stored in the memory 1005, and further perform the following operations:
acquiring a preset traversal order of the traffic features;
traversing the traffic features based on the preset traversal order, taking the traffic features whose feature type is the target feature type as the traffic features to be processed, determining the behavior judgment criterion corresponding to the target feature type, and detecting malicious file downloading behavior of the traffic features to be processed based on that behavior judgment criterion.
Further, the processor 1001 may call the malicious behavior detection program stored in the memory 1005, and further perform the following operations:
determining, based on a second preset decision tree algorithm, the priority corresponding to each preset feature type according to the information gain corresponding to that preset feature type;
and forming the preset traversal order from the priorities.
Further, the processor 1001 may call the malicious behavior detection program stored in the memory 1005, and further perform the following operations:
reading the sequentially ordered download file format type in the preset traversal order, and traversing the traffic features based on the preset traversal order;
and taking the traffic feature whose feature type is the download file format type as the traffic feature to be processed, determining the behavior judgment criterion corresponding to the download file format type, and detecting malicious file downloading behavior of the traffic feature to be processed based on that behavior judgment criterion.
In this embodiment, the traffic to be detected is obtained; each traffic feature corresponding to each preset feature type is extracted from the traffic to be detected, where the preset feature types are the feature types corresponding to malicious file downloading behavior; and malicious file downloading behavior is detected from the traffic features through a preset behavior detection model. By presetting multidimensional preset feature types and analyzing, through those feature types, whether the file downloading behavior contained in the traffic to be monitored is malicious file downloading behavior, this embodiment improves the accuracy of detecting malicious file downloading behavior and solves the technical problem that such behavior cannot be accurately detected.
Based on the above hardware structure, an embodiment of the method for detecting malicious behavior is provided.
Referring to fig. 2, fig. 2 is a flowchart illustrating a method for detecting malicious behavior according to a first embodiment of the present invention.
In a first embodiment, the method for detecting malicious behavior includes the following steps:
Step S10: acquiring the traffic to be detected.
It should be understood that conventional protection means can be analyzed as follows. If the malicious intrusion process is prevented by deploying components such as an intranet sandbox, a virus-proof box or a firewall, many of the files downloaded from the network are monitored and the monitored files are then selectively scanned and removed; if antivirus software is deployed to prevent the malicious intrusion process, most malicious programs are scanned and removed directly only after they have been downloaded to the attacked server's local storage. However, when a malicious program is scanned by such conventional protection means it may be wrongly flagged or missed, and some viruses have anti-scanning capabilities, so a high scan-and-removal success rate cannot be achieved.
In a specific implementation, improving the accuracy of detecting malicious file downloading behavior keeps the scan-and-removal success rate at a higher level and at the same time reduces the probability of wrong or missed removals.
It is understood that the execution subject of this embodiment is the user equipment, which may be a server or a personal computer. If the user equipment is server A, the interaction information between server A and the access network or other equipment may be intercepted, where the interaction information may be the process information between a data request and the feedback to that request; this interaction information is the traffic to be detected here.
Step S20: extracting each traffic feature corresponding to each preset feature type from the traffic to be detected, where the preset feature types are the feature types corresponding to malicious file downloading behavior.
It can be understood that, after the traffic to be detected is intercepted, the request type of a data request in it may be a file download request, and for a file download request the file to be downloaded may be a malicious file or a normal file. The traffic to be detected may or may not include the file to be downloaded itself.
In a specific implementation, to determine more accurately whether malicious file downloading behavior exists in the traffic to be detected, in other words whether it contains a data request for downloading a malicious file together with the request feedback corresponding to that data request, preset feature types may be predefined that effectively discriminate malicious file downloading behavior. The preset feature types include at least one of: the download file format type, the download file name length, the download path depth, the number of fields in the HyperText Transfer Protocol (HTTP) header, the Internet Protocol (IP) address attribution, the download file name type, and the HTTP header referrer (Referer) field.
It should be noted that if the preset feature types at this point are the download file format type and the download file name length, the extracted traffic features will include the traffic feature corresponding to the download file format type and the traffic feature corresponding to the download file name length.
Step S30: detecting malicious file downloading behavior from the traffic features through a preset behavior detection model.
In a specific implementation, after the traffic features are extracted, the preset behavior detection model can judge whether the file to be downloaded in the file downloading behavior contained in the traffic features is a malicious file or a normal file. If it is a malicious file, the file downloading behavior can be determined to be malicious file downloading behavior; if it is a normal file, the file downloading behavior can be determined to be normal file downloading behavior.
In this embodiment, the traffic to be detected is obtained; each traffic feature corresponding to each preset feature type is extracted from the traffic to be detected, where the preset feature types are the feature types corresponding to malicious file downloading behavior; and malicious file downloading behavior is detected from the traffic features through a preset behavior detection model. By presetting multidimensional preset feature types and analyzing, through those feature types, whether the file downloading behavior contained in the traffic to be monitored is malicious file downloading behavior, this embodiment improves the accuracy of detecting malicious file downloading behavior and solves the technical problem that such behavior cannot be accurately detected.
Referring to fig. 3, fig. 3 is a flowchart illustrating a method for detecting malicious behavior according to a second embodiment of the present invention; the second embodiment is provided on the basis of the first embodiment illustrated in fig. 2.
In the second embodiment, before step S10, the method for detecting malicious behavior further includes:
Step S01: acquiring a malicious access traffic sample containing malicious file downloading behavior.
It can be understood that the malicious access traffic samples used for model building can be prepared in advance, collected in advance, or generated automatically by test cases.
Step S02: extracting access features from the malicious access traffic sample.
It should be understood that the access features corresponding to each preset feature type may be extracted from a malicious access traffic sample that has been determined to contain malicious file downloading behavior.
Step S03: establishing the preset behavior detection model according to the access features.
It can be understood that, once the access features actually contained in the malicious access traffic sample are acquired, a preset behavior detection model capable of accurately judging whether a file downloading behavior is malicious file downloading behavior can be established on the basis of those access features.
Further, after the step S01, the method for detecting malicious behavior further includes:
extracting HTTP traffic from the malicious access traffic sample;
and the extracting access features from the malicious access traffic sample specifically includes:
extracting the access features from the HTTP traffic.
In a specific implementation, to improve the efficiency of model building, the HTTP traffic may be screened out of the malicious access traffic sample initiated by a malicious attacker, and the access features used for model building are extracted from that HTTP traffic.
Further, the establishing the preset behavior detection model according to the access features specifically includes:
training a first preset decision tree algorithm with the access features to obtain the preset behavior detection model.
It should be understood that the preset behavior detection model is built by the first preset decision tree algorithm, which is a supervised-learning Decision Tree algorithm. The first preset decision tree algorithm takes the access features as its training samples, induces the regularities in them, and determines the data characteristics present when malicious file downloading behavior occurs; the trained result is a usable model resembling a binary tree, namely the preset behavior detection model.
In a specific implementation, for example, if the preset feature types include at least one of the download file format type, download file name length, download path depth, number of HTTP header fields, download IP address attribution, download file name type and HTTP header Referer field, then the preset behavior detection model contains a specified range for each preset feature type; it can check one by one whether each traffic feature in the traffic to be detected falls within the specified range for its preset feature type, and determine whether the file downloading behavior is malicious file downloading behavior according to whether the traffic features fall within those specified ranges.
In this embodiment, the preset behavior detection model to be used is trained with a decision tree algorithm, and malicious file downloading behavior is detected with the trained preset behavior detection model, so that the accuracy of the determination result is greatly improved.
Referring to fig. 4, fig. 4 is a flowchart illustrating a third embodiment of the malicious behavior detection method of the present invention. The third embodiment may be based on the first embodiment shown in fig. 2 or on the second embodiment shown in fig. 3; here it is provided on the basis of the first embodiment shown in fig. 2.
In the third embodiment, step S30 specifically includes:
Step S301: acquiring a preset traversal order of the traffic features.
It is understood that the preset feature types include at least one of the download file format type, download file name length, download path depth, number of HTTP header fields, download IP address attribution, download file name type and HTTP header Referer field, and that the preset traversal order is composed of the preset feature types arranged in a certain order.
Step S302: traversing the traffic features based on the preset traversal order, taking the traffic features whose feature type is the target feature type as the traffic features to be processed, determining the behavior judgment criterion corresponding to the target feature type, and detecting malicious file downloading behavior of the traffic features to be processed based on that behavior judgment criterion.
It should be understood that if the preset feature types are arranged in the preset traversal order, from head to tail, as "download file format type, download file name length, download path depth, number of HTTP header fields, download IP address attribution, download file name type, HTTP header Referer field", and the download file format type is the target feature type, then the traffic feature corresponding to the download file format type is traversed first: the behavior judgment criterion corresponding to the download file format type is read, and it is judged whether that traffic feature meets the criterion. Next, the traffic feature corresponding to the download file name length is traversed, the behavior judgment criterion corresponding to the download file name length is read, and it is judged whether that traffic feature meets the criterion. In this way a plurality of determinations are obtained, on the basis of which it can be determined whether malicious file downloading behavior exists.
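The traversal described in step S302, as an added example in Python that is not the patent's or Sangfor's code: a function visits the feature types in the preset traversal order, reads the behavior judgment criterion for each one, and records one determination per feature. The feature records, the numeric thresholds, the home country used for the attribution check and the rule that combines the determinations into a verdict are constructed assumptions; only the direction of the format, header-count, attribution and Referer criteria follows the patent's own explanation of those features.

```python
"""Added example (not the patent's code): traverse traffic features in the preset
traversal order and apply one behaviour judgment criterion per feature type.
Thresholds, home country, feature records and the combination rule are constructed."""

# Preset traversal order, using the head-to-tail arrangement the patent gives
# as its example.
PRESET_TRAVERSAL_ORDER = [
    "download_file_format_type",
    "download_file_name_length",
    "download_path_depth",
    "http_header_field_count",
    "ip_address_attribution",
    "download_file_name_type",
    "http_header_referer",
]

HOME_COUNTRY = "CN"  # assumption: any other attribution counts as "abroad"

# Behaviour judgment criteria: a predicate returning True when the feature value
# lies in the range treated as characteristic of a malicious download.
CRITERIA = {
    "download_file_format_type": lambda v: v in ("pe", "script"),  # patent: PE or script
    "download_file_name_length": lambda v: v <= 2,                  # constructed threshold
    "download_path_depth": lambda v: v <= 1,                        # constructed threshold
    "http_header_field_count": lambda v: v < 5,                     # patent: few fields; threshold constructed
    "ip_address_attribution": lambda v: v not in (HOME_COUNTRY, "unknown"),  # patent: abroad
    "download_file_name_type": lambda v: v == "non-word",           # constructed direction
    "http_header_referer": lambda v: v == "absent",                 # patent: no Referer field
}


def traverse_and_judge(features, order=PRESET_TRAVERSAL_ORDER, criteria=CRITERIA):
    """Visit feature types in the preset order; for each one present in the
    record, read its criterion and append (feature type, value, matched)."""
    determinations = []
    for feature_type in order:
        if feature_type not in features:
            continue  # not extracted for this traffic: no determination is made
        value = features[feature_type]
        determinations.append((feature_type, value, bool(criteria[feature_type](value))))
    return determinations


def is_malicious_download(features, min_matches=4):
    """Constructed combination rule: malicious when at least min_matches criteria hit."""
    hits = sum(1 for _, _, matched in traverse_and_judge(features) if matched)
    return hits >= min_matches


# Constructed feature records of the shape a feature extractor would produce.
SUSPICIOUS = {
    "download_file_format_type": "pe", "download_file_name_length": 1,
    "download_path_depth": 1, "http_header_field_count": 3,
    "ip_address_attribution": "US", "download_file_name_type": "non-word",
    "http_header_referer": "absent",
}
BENIGN = {
    "download_file_format_type": "other", "download_file_name_length": 6,
    "download_path_depth": 3, "http_header_field_count": 9,
    "ip_address_attribution": "CN", "download_file_name_type": "word",
    "http_header_referer": "present",
}

if __name__ == "__main__":
    for name, record in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, is_malicious_download(record), traverse_and_judge(record))
```

Because a feature type that was not extracted is skipped rather than counted, the same traversal works whether one, two or all seven preset feature types were configured in step S20; the verdict threshold is the part a real deployment would replace with the trained model's own decision.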
In addition, the preset feature types include at least one of the download file format type, download file name length, download path depth, number of HTTP header fields, download IP address attribution, download file name type and HTTP header Referer field.
In a specific implementation, the download file format type refers to the format type of the downloaded file; if the downloaded file is a malicious file it may also be called a virus file, and virus files are commonly in Portable Executable (PE) format or script format. The download file name length refers to the length of the downloaded file's name; for example, if the download is "www.abcd.com/1.exe", the domain name may first be removed from the file name, leaving "1.exe", whose file name length may be taken as 1. The download path depth refers to the folder depth of the download path; for example, the download path "www.abcd.com/1.exe" has a path folder depth of 1 layer, while "www.abcd.com/down/1.exe" has a path folder depth of 2 layers.
It can be understood that the number of fields in the HTTP header is introduced into the detection of malicious file downloading behavior because a standard HTTP header contains many fields while a malicious program's download contains fewer. The download IP address attribution is introduced because an attribution abroad is suspicious. The download file name type is "whether the downloaded file's name contains a word"; for example, if the downloaded file's name is "www.abcd.com/word.exe", the word "word" is found in it. The HTTP header Referer field is introduced because a maliciously downloaded script file often has no Referer field.
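Extracting the seven preset feature types named in step S20 and defined above from one HTTP download request, as an added example in Python that is not the patent's or Sangfor's code. The request text, the extension tables, the word list and the IP attribution table are constructed; the file name length is taken as the length of the name with the domain and extension removed, matching the patent's "1.exe" example, and the path depth as the number of path segments, matching its depth 1 and depth 2 examples.

```python
"""Added example (not the patent's code): extract the patent's seven preset feature
types from one HTTP download request.  Request text, extension tables, word list
and IP attribution table are all constructed here."""
import posixpath
from urllib.parse import urlsplit

# Constructed extension tables for the "download file format type" feature.
PE_EXTENSIONS = {"exe", "dll", "scr", "sys"}
SCRIPT_EXTENSIONS = {"sh", "ps1", "bat", "vbs", "js", "py"}
# Tiny constructed word list standing in for a real dictionary.
DICTIONARY = {"word", "update", "setup", "report", "invoice"}
# Constructed attribution table: server IP -> country code (a real system would
# query a geolocation database instead).
IP_ATTRIBUTION = {"203.0.113.10": "US", "198.51.100.7": "CN"}


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, request-target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def file_format_type(extension):
    ext = extension.lstrip(".").lower()
    if ext in PE_EXTENSIONS:
        return "pe"
    if ext in SCRIPT_EXTENSIONS:
        return "script"
    return "other"


def extract_features(raw_request, server_ip):
    """Return one value per preset feature type for a download request."""
    _method, target, headers = parse_http_request(raw_request)
    # The request-target may be absolute ("http://host/path") or origin-form
    # ("/path"); urlsplit handles both and the host part is discarded, which is
    # the patent's "remove the domain name" step.
    path = urlsplit(target).path
    segments = [s for s in path.split("/") if s]
    filename = segments[-1] if segments else ""
    stem, extension = posixpath.splitext(filename)
    return {
        "download_file_format_type": file_format_type(extension),
        # Patent example: "1.exe" has a file name length of 1, i.e. the stem length.
        "download_file_name_length": len(stem),
        # Patent example: ".../1.exe" is depth 1, ".../down/1.exe" is depth 2.
        "download_path_depth": len(segments),
        "http_header_field_count": len(headers),
        "ip_address_attribution": IP_ATTRIBUTION.get(server_ip, "unknown"),
        "download_file_name_type": "word" if stem.lower() in DICTIONARY else "non-word",
        "http_header_referer": "present" if "referer" in headers else "absent",
    }


# Constructed requests: a bare command-line style fetch and a browser download.
TOOL_FETCH = (
    "GET /1.exe HTTP/1.1\r\n"
    "Host: www.abcd.com\r\n"
    "User-Agent: downloader/1.0\r\n"
    "Accept: */*\r\n"
    "\r\n"
)
BROWSER_DOWNLOAD = (
    "GET /files/2023/report.pdf HTTP/1.1\r\n"
    "Host: www.abcd.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: text/html,application/xhtml+xml,*/*;q=0.8\r\n"
    "Accept-Language: en-US,en;q=0.5\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Referer: https://www.abcd.com/downloads\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, req, ip in (("tool", TOOL_FETCH, "203.0.113.10"),
                          ("browser", BROWSER_DOWNLOAD, "198.51.100.7")):
        print(name, extract_features(req, ip))
```

The two constructed requests show the contrast the patent relies on: the bare fetch carries three header fields and no Referer, while the browser download carries seven and a Referer, so the header-count and Referer features already separate them before any model is consulted.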
Further, before the step S301, the method for detecting malicious behavior further includes:
determining the priority corresponding to the preset feature type according to the information gain corresponding to the preset feature type based on a second preset decision tree algorithm;
and forming a preset traversal order through the priority.
It should be noted that the second predetermined decision tree algorithm may be the same decision tree algorithm as the previous first predetermined decision tree algorithm.
It should be understood that the arrangement order of the preset feature types in the preset traversal order may be determined by the information gain. The entropy may represent the uncertainty of a random variable, the conditional entropy may represent the uncertainty of the random variable under a certain condition, and the information gain is the difference between the entropy and the conditional entropy and may represent the degree of reduction of the information uncertainty under a certain condition. As can be seen, the information gain may represent a direct influence degree or an indirect influence degree of a certain preset feature type on the detection result, so that the priority corresponding to the certain preset feature type may be determined according to the information gain of the certain preset feature type.
In a specific implementation, for example, if the information gain of the download file format type is the largest, the priority of the download file format type may be ranked at the first level, that is, the download file format type is listed as the first item in the preset traversal order; if the information gain of the download file name length is the second largest, the priority of the download file name length may be ranked at the second level, that is, the download file name length is listed as the second item in the preset traversal order.
Further, the step of traversing the traffic features based on the preset traversal order, taking the traffic features whose feature type is the target feature type as traffic features to be processed, determining the behavior decision criterion corresponding to the target feature type, and detecting malicious file downloading behavior of the traffic features to be processed based on the behavior decision criterion specifically includes:
reading the download file format type at its ordered position in the preset traversal order, and traversing the flow characteristics based on the preset traversal order;
and taking the flow characteristic whose characteristic type is the download file format type as the flow characteristic to be processed, determining the behavior judgment standard corresponding to the download file format type, and detecting malicious file download behavior of the flow characteristic to be processed based on that behavior judgment standard.
In a specific implementation, if the first item in the preset traversal order is the download file format type, the flow characteristic corresponding to the download file format type may be traversed first. If that flow characteristic is "script format" and the set of standard formats in the behavior determination standard corresponding to the download file format type does not include "script format", then the file downloading behavior corresponding to the flow to be detected may be regarded as a malicious file downloading behavior.
Of course, if the flow characteristic is "Word format", and the standard format in the corresponding behavior determination standard includes "Word format", the file downloading behavior corresponding to the flow to be detected can be regarded as the normal file downloading behavior.
Further, referring to fig. 5, fig. 5 shows a detection manner for comprehensively detecting file downloading behaviors through preset feature types of 7 dimensions. In fig. 5, the behavior determination criterion corresponding to the download file format type is denoted as a first behavior determination criterion, the behavior determination criterion corresponding to the download file name length is denoted as a second behavior determination criterion, the behavior determination criterion corresponding to the download path depth is denoted as a third behavior determination criterion, the behavior determination criterion corresponding to the HTTP header field number is denoted as a fourth behavior determination criterion, the behavior determination criterion corresponding to the download IP address attribution is denoted as a fifth behavior determination criterion, the behavior determination criterion corresponding to the download file name type (i.e., whether the download file name is a word) is denoted as a sixth behavior determination criterion, and the behavior determination criterion corresponding to the HTTP header Referer field is denoted as a seventh behavior determination criterion.
If the flow characteristic corresponding to the download file format type meets the first behavior judgment standard, the file downloading behavior corresponding to the flow to be detected is determined to be a normal file downloading behavior; if the flow characteristic corresponding to the download file format type does not meet the first behavior judgment standard, it is judged whether the flow characteristic corresponding to the download file name length meets the second behavior judgment standard. If the flow characteristic corresponding to the download file name length meets the second behavior judgment standard, it is judged whether the flow characteristic corresponding to the download path depth meets the third behavior judgment standard; if the flow characteristic corresponding to the download file name length does not meet the second behavior judgment standard, it is judged whether the flow characteristic corresponding to the download file name type meets the sixth behavior judgment standard. In fig. 5, Y indicates compliance and N indicates non-compliance; "normal" indicates a determination of normal file downloading behavior, and "malicious" indicates a determination of malicious file downloading behavior.
In this embodiment, the traversal priority of each preset feature type is determined based on the information gain, and the behavior detection is performed by using the traversal priority, so that the detection efficiency and the detection accuracy are further improved.
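The following added example (not the patent's code) covers both the information-gain ranking described above and the priority-ordered traversal of the behavior determination criteria: it computes the information gain of each preset feature type over a small constructed labelled sample set, derives the preset traversal order from it, and then traverses the flow features of one exchange in that order, stopping as soon as the verdict is settled. The labelled samples, the per-feature criteria and the majority rule used as the final decision are constructed assumptions, not the fig. 5 decision tree.

```python
"""Information-gain ranking of preset feature types and priority-ordered detection.
Added example, not the patent's code; samples, criteria and decision rule are constructed."""
import math
from collections import Counter

FEATURE_TYPES = ["http_header_has_referer", "download_filename_is_word",
                 "download_ip_attribution", "download_file_format"]

# Constructed labelled access-traffic samples (malicious=True means a malicious file download).
SAMPLES = [
    {"download_file_format": "script", "http_header_has_referer": False,
     "download_ip_attribution": "foreign", "download_filename_is_word": False, "malicious": True},
    {"download_file_format": "PE", "http_header_has_referer": False,
     "download_ip_attribution": "foreign", "download_filename_is_word": False, "malicious": True},
    {"download_file_format": "PE", "http_header_has_referer": False,
     "download_ip_attribution": "domestic", "download_filename_is_word": True, "malicious": True},
    {"download_file_format": "script", "http_header_has_referer": True,
     "download_ip_attribution": "foreign", "download_filename_is_word": True, "malicious": True},
    {"download_file_format": "Word", "http_header_has_referer": True,
     "download_ip_attribution": "domestic", "download_filename_is_word": True, "malicious": False},
    {"download_file_format": "pdf", "http_header_has_referer": True,
     "download_ip_attribution": "domestic", "download_filename_is_word": True, "malicious": False},
    {"download_file_format": "PE", "http_header_has_referer": True,
     "download_ip_attribution": "domestic", "download_filename_is_word": True, "malicious": False},
    {"download_file_format": "Word", "http_header_has_referer": False,
     "download_ip_attribution": "domestic", "download_filename_is_word": True, "malicious": False},
]


def entropy(labels):
    """Shannon entropy (bits) of a label sequence: the uncertainty of the label."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def information_gain(samples, feature):
    """H(label) - H(label | feature): how much knowing the feature reduces label uncertainty."""
    labels = [s["malicious"] for s in samples]
    groups = {}
    for s in samples:
        groups.setdefault(s[feature], []).append(s["malicious"])
    conditional = sum(len(g) / len(samples) * entropy(g) for g in groups.values())
    return entropy(labels) - conditional


def traversal_order(samples, feature_types):
    """Preset traversal order: feature types sorted by descending information gain."""
    return sorted(feature_types, key=lambda f: information_gain(samples, f), reverse=True)


# Behavior determination criteria (constructed): each returns True when the flow feature
# complies, i.e. looks like a normal download.
CRITERIA = {
    "download_file_format": lambda v: v in ("Word", "pdf"),   # allowed standard formats
    "download_ip_attribution": lambda v: v == "domestic",
    "download_filename_is_word": lambda v: bool(v),
    "http_header_has_referer": lambda v: bool(v),
}


def detect(features, order, criteria=CRITERIA):
    """Traverse the flow features in priority order and return (verdict, judgments).
    Constructed rule: malicious once a majority of criteria are violated; the traversal
    stops early as soon as the outcome can no longer change."""
    needed = (len(order) + 1) // 2
    judgments, violations = [], 0
    for i, feature in enumerate(order):
        complies = bool(criteria[feature](features[feature]))
        judgments.append((feature, complies))
        violations += 0 if complies else 1
        remaining = len(order) - i - 1
        if violations >= needed:
            return "malicious", judgments
        if violations + remaining < needed:
            return "normal", judgments
    return "normal", judgments


if __name__ == "__main__":
    order = traversal_order(SAMPLES, FEATURE_TYPES)
    for feature in order:
        print(f"{feature}: gain={information_gain(SAMPLES, feature):.4f}")
    print(detect(SAMPLES[0], order))
```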
In addition, an embodiment of the present invention further provides a storage medium, where a malicious behavior detection program is stored on the storage medium, and when executed by a processor, the malicious behavior detection program implements the following operations:
acquiring the flow to be detected;
extracting each flow characteristic corresponding to each preset characteristic type from the flow to be detected, wherein the preset characteristic types are characteristic types corresponding to malicious file downloading behaviors;
and detecting the malicious file downloading behavior of the flow characteristics through a preset behavior detection model.
Further, the malicious behavior detection program, when executed by the processor, further implements the following operations:
acquiring a malicious access flow sample containing a malicious file downloading behavior;
extracting access features from the malicious access traffic sample;
and establishing a preset behavior detection model according to the access characteristics.
Further, the malicious behavior detection program, when executed by the processor, further implements the following operations:
extracting hypertext transfer protocol (HTTP) traffic from the malicious access traffic sample;
accordingly, the following operations are also implemented:
extracting access features from the HTTP traffic.
Further, the malicious behavior detection program, when executed by the processor, further implements the following operations:
and training a first preset decision tree algorithm through the access characteristics to obtain a preset behavior detection model.
Further, the malicious behavior detection program, when executed by the processor, further implements the following operations:
acquiring a preset traversal order of the flow characteristics;
traversing the traffic features based on the preset traversal order, taking the traffic features whose feature type is the target feature type as traffic features to be processed, determining the behavior judgment criterion corresponding to the target feature type, and detecting malicious file downloading behavior of the traffic features to be processed based on the behavior judgment criterion.
Further, the malicious behavior detection program, when executed by the processor, further implements the following operations:
determining the priority corresponding to the preset feature type according to the information gain corresponding to the preset feature type based on a second preset decision tree algorithm;
and forming a preset traversal order through the priority.
Further, the malicious behavior detection program, when executed by the processor, further implements the following operations:
reading the download file format type at its ordered position in the preset traversal order, and traversing the flow characteristics based on the preset traversal order;
and taking the flow characteristic whose characteristic type is the download file format type as the flow characteristic to be processed, determining the behavior judgment standard corresponding to the download file format type, and detecting malicious file download behavior of the flow characteristic to be processed based on that behavior judgment standard.
In the embodiment, the flow to be detected is obtained; extracting each flow characteristic corresponding to each preset characteristic type from the flow to be detected, wherein the preset characteristic types are characteristic types corresponding to malicious file downloading behaviors; and detecting the malicious file downloading behavior of the flow characteristics through a preset behavior detection model. Obviously, in this embodiment, a multidimensional preset feature type is preset, and whether a file downloading behavior contained in the traffic to be monitored is a malicious file downloading behavior is analyzed through the determined preset feature type, so that the detection accuracy of detecting the malicious file downloading behavior is improved, and the technical problem that the malicious file downloading behavior cannot be accurately detected is solved.
In addition, referring to fig. 6, an embodiment of the present invention further provides a device for detecting a malicious behavior, where the device for detecting a malicious behavior includes:
and the flow detection module 10 is used for acquiring the flow to be detected.
It should be understood that the conventional protection means can be analyzed as follows. If the malicious intrusion process is prevented by deploying components such as an intranet sandbox, an antivirus appliance, a firewall and the like, many files downloaded from the network are monitored and the monitored files are then selectively scanned and removed; if antivirus software is deployed to prevent the malicious intrusion process, most malicious programs are first downloaded to the local storage of the attacked server and then removed directly by scanning. However, when a malicious program is handled by these conventional means, it may be removed by mistake or missed, and some viruses have anti-scanning capabilities, so a high removal success rate cannot be achieved.
In a specific implementation, the detection accuracy for malicious file downloading behavior can be improved so that the removal success rate is kept at a higher level, while the probability of mistaken removal or missed removal is also reduced.
It is understood that the interaction data exchanged between the server and the access network or other devices, which may be the process information between a data request and its request feedback, may be intercepted first; this interaction data is the traffic to be detected here.
And the feature extraction module 20 is configured to extract, from the flow to be detected, each flow feature corresponding to each preset feature type, where the preset feature type is a feature type corresponding to a malicious file downloading behavior.
It can be understood that, after intercepting the traffic to be detected, the request type of the data request in the traffic to be detected may be a file download request, and as for the file download request, a file to be downloaded may be a malicious file or a normal file. The traffic to be detected may include the file to be downloaded or may not include the file to be downloaded.
In a specific implementation, in order to more accurately determine whether a malicious file downloading behavior exists in the flow to be detected, in other words, whether a data request for downloading a malicious file and a request feedback corresponding to that data request exist, a preset feature type may be predefined, and the preset feature type may effectively determine the malicious file downloading behavior. The preset feature types include at least one of a download file format type, a download file name length, a download path depth, the number of fields of a HyperText Transfer Protocol (HTTP) header, an Internet Protocol (IP) address attribution, a download file name type, and an HTTP header Referer field.
It should be noted that, if the preset feature types at this time are the download file format type and the download file name length, the extracted traffic features will include the traffic features corresponding to the download file format type and the traffic features corresponding to the download file name length.
And the behavior detection module 30 is configured to detect a malicious file downloading behavior of the traffic characteristic through a preset behavior detection model.
In a specific implementation, after the traffic characteristics are extracted, whether a file to be downloaded is a malicious file or a normal file in a file downloading behavior contained in the traffic characteristics can be judged through a preset behavior detection model. If the file is a malicious file, the file downloading behavior can be determined as malicious file downloading behavior; if the file is a normal file, the file downloading behavior can be determined to be a normal file downloading behavior.
In the embodiment, the flow to be detected is obtained; each flow characteristic corresponding to each preset characteristic type is extracted from the flow to be detected, wherein the preset characteristic types are characteristic types corresponding to malicious file downloading behaviors; and malicious file downloading behavior of the flow characteristics is detected through a preset behavior detection model. Obviously, in this embodiment, a multidimensional preset feature type is preset, and whether a file downloading behavior contained in the traffic to be monitored is a malicious file downloading behavior is analyzed through the determined preset feature type, so that the detection accuracy of detecting the malicious file downloading behavior is improved, and the technical problem that the malicious file downloading behavior cannot be accurately detected is solved.
In an embodiment, the apparatus for detecting malicious behavior further includes:
the model establishing module is used for acquiring a malicious access flow sample containing a malicious file downloading behavior; extracting access features from the malicious access traffic sample; and establishing a preset behavior detection model according to the access characteristics.
In an embodiment, the model building module is further configured to extract hypertext transfer protocol HTTP traffic from the malicious access traffic sample;
the model building module is also used for extracting access characteristics from the HTTP flow.
In an embodiment, the model building module is further configured to train a first preset decision tree algorithm through the access feature to obtain a preset behavior detection model.
In an embodiment, the behavior detection module 30 is further configured to obtain a preset traversal order of the traffic characteristics; traverse the traffic features based on the preset traversal order, take the traffic features whose feature type is the target feature type as traffic features to be processed, determine the behavior judgment criterion corresponding to the target feature type, and detect malicious file downloading behavior of the traffic features to be processed based on the behavior judgment criterion.
In an embodiment, the apparatus for detecting malicious behavior further includes:
the order establishing module is used for determining the priority corresponding to the preset feature type according to the information gain corresponding to the preset feature type based on a second preset decision tree algorithm; and forming a preset traversal order through the priority.
In an embodiment, the behavior detection module 30 is further configured to read the download file format type at its ordered position in the preset traversal order and traverse the traffic characteristics based on the preset traversal order; and to take the flow characteristic whose characteristic type is the download file format type as the flow characteristic to be processed, determine the behavior judgment standard corresponding to the download file format type, and detect malicious file download behavior of the flow characteristic to be processed based on that behavior judgment standard.
Other embodiments or specific implementation manners of the detection apparatus for malicious behavior according to the present invention may refer to the above method embodiments, and are not described herein again.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. do not denote any order, but rather the words first, second, third, etc. are to be interpreted as names.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as a read-only memory, a RAM, a magnetic disk, and an optical disk), and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (8)

1. A detection method for malicious behaviors is characterized by comprising the following steps:
acquiring the flow to be detected;
extracting each flow characteristic corresponding to each preset characteristic type from the flow to be detected, wherein the preset characteristic types are characteristic types corresponding to malicious file downloading behaviors, and the preset characteristic types comprise at least one of a download file format type, a download file name length, a download path depth, a number of hypertext transfer protocol header fields, a download Internet Protocol address attribution, a download file name type and an HTTP header Referer field;
detecting malicious file downloading behaviors of the flow characteristics through a preset behavior detection model;
the detecting of the malicious file downloading behavior of the traffic characteristics through a preset behavior detection model specifically includes:
acquiring each preset feature type sequentially ordered in a preset traversal order;
traversing the traffic features based on the preset traversal order, taking the traffic features whose feature type is the target feature type as traffic features to be processed, determining the behavior judgment criterion corresponding to the target feature type, and detecting malicious file downloading behavior of the traffic features to be processed based on the behavior judgment criterion.
2. The method for detecting malicious behavior according to claim 1, wherein before the flow to be detected is obtained, the method for detecting malicious behavior further comprises:
acquiring a malicious access flow sample containing a malicious file downloading behavior;
extracting access features from the malicious access flow sample, wherein the access features correspond to the preset feature types;
and establishing a preset behavior detection model according to the access characteristics.
3. The method for detecting malicious activities according to claim 2, wherein after the obtaining of the malicious access traffic sample containing the malicious file downloading behaviors, the method for detecting malicious behaviors further comprises:
extracting hypertext transfer protocol (HTTP) traffic from the malicious access traffic sample;
the extracting access features from the malicious access flow sample specifically includes:
extracting access features from the HTTP traffic.
4. The method for detecting malicious behavior according to claim 2, wherein the establishing of the preset behavior detection model according to the access characteristics specifically includes:
and training a first preset decision tree algorithm through the access characteristics to obtain a preset behavior detection model.
5. The method for detecting malicious behaviors as claimed in claim 1, wherein before the obtaining of the preset traversal order of the traffic characteristics, the method for detecting malicious behaviors further comprises:
determining the priority corresponding to the preset feature type according to the information gain corresponding to the preset feature type based on a second preset decision tree algorithm;
and forming a preset traversal order through the priority.
6. A user equipment, the user equipment comprising: memory, a processor and a detection program stored on the memory and operable on the processor for malicious behavior, the detection program for malicious behavior when executed by the processor implementing the steps of the detection method for malicious behavior according to any of claims 1 to 5.
7. A storage medium, characterized in that the storage medium has stored thereon a malicious behavior detection program, which when executed by a processor implements the steps of the malicious behavior detection method according to any one of claims 1 to 5.
8. An apparatus for detecting malicious behavior, comprising:
the flow detection module is used for acquiring the flow to be detected;
the characteristic extraction module is used for extracting each flow characteristic corresponding to each preset characteristic type from the flow to be detected, wherein the preset characteristic types are characteristic types corresponding to malicious file downloading behaviors, and each preset characteristic type comprises at least one of a download file format type, a download file name length, a download path depth, a number of hypertext transfer protocol header fields, a download Internet Protocol address attribution, a download file name type and an HTTP header Referer field;
the behavior detection module is used for detecting the malicious file downloading behavior of the flow characteristics through a preset behavior detection model;
the behavior detection module is further used for acquiring each preset feature type sequentially ordered in a preset traversal order; traversing the traffic features based on the preset traversal order, taking the traffic features whose feature type is the target feature type as traffic features to be processed, determining the behavior judgment criterion corresponding to the target feature type, and detecting malicious file downloading behavior of the traffic features to be processed based on the behavior judgment criterion.
CN201910720423.3A 2019-08-05 2019-08-05 Malicious behavior detection method, user equipment, storage medium and device Active CN110336835B (en)
Publications (2)

Publication Number Publication Date
CN110336835A CN110336835A (en) 2019-10-15
CN110336835B true CN110336835B (en) 2021-10-19