CN117235714A - File-free attack detection method, device, equipment and storage medium - Google Patents


Info

Publication number
CN117235714A
Authority
CN
China
Prior art keywords
behavior
memory
file
detection result
scanning
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310986733.6A
Other languages
Chinese (zh)
Inventor
张宇
曹磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Shenxinfu Information Security Co ltd
Original Assignee
Shenzhen Shenxinfu Information Security Co ltd


Abstract

The application discloses a method, a device, equipment and a storage medium for detecting file-free attacks. The method comprises the following steps: acquiring behavior data appearing during the activity of a terminal to be detected; detecting the behavior data with a pre-trained behavior recognition model to obtain a first detection result of whether the behavior data is abnormal behavior; when abnormal behavior is determined to exist based on the first detection result, determining the target process corresponding to the abnormal behavior; and scanning the memory data of the target process to obtain a second detection result of whether a file-free attack exists in the target process. Memory scanning is thus triggered by abnormal behavior, so the system resources consumed by memory scanning are reduced, the timing of the memory scan is determined reasonably, the timeliness of memory-scan detection is improved, and the detection rate of file-free attacks is improved while system performance is preserved.

Description

File-free attack detection method, device, equipment and storage medium
Technical Field
The present application relates to the field of network security, and in particular, to a method, apparatus, device, and storage medium for detecting a file-free attack.
Background
With the upgrade of attack and defense technology, file-free attacks have gradually become a common attack means; they are characterized in that few or no files are written to disk during the whole process, so the file detection of traditional security software can be evaded. The memory backdoor (also called a memory horse) is one file-free attack means: it controls the target machine mainly by writing malicious code into memory, where it executes and resides.
For malicious code residing in the process memory, detection can generally be performed by scanning the target process memory. Traditional memory scan schemes often detect malicious code residing in memory by scanning all processes of the host, which has the following drawbacks:
1. Memory scanning of all processes occupies substantial system resources: a terminal (including but not limited to a desktop, a notebook, a server, a mobile phone, a PAD, etc.) usually has several hundred to several thousand running processes, and the memory to be scanned is usually at the GB level; compared with the KB- or MB-level data faced by file scanning, memory scanning needs far more system resources, which is likely to make the terminal respond slowly or freeze and thus affect normal use by the user;
2. It is difficult to determine the best moment for memory scanning, so intrusion events are not found promptly: during operation of the terminal the memory data changes constantly, so it is hard to decide when to scan. Furthermore, a memory feature may only appear in a stable form at certain moments, and scanning too early or too late leads to false negatives. With the ongoing contest between attack and defense, some malicious programs also evade scanning by keeping memory data encrypted and decrypting it only at specific times to carry out the attack, which further complicates choosing the scanning time. As a result, memory scans often cannot effectively detect malicious code in memory; even when they do, it may be several hours after the fact, which hinders response and disposal.
In summary, conventional memory scanning occupies many system resources and easily affects system performance; in addition, the timing of the scan is difficult to determine, which leads to a low detection rate.
Disclosure of Invention
In view of this, the embodiments of the present application provide a method, an apparatus, a device, and a storage medium for detecting a file-free attack, which aim to save system resource consumption and improve the detection rate of the file-free attack.
The technical scheme of the embodiment of the application is realized as follows:
in a first aspect, an embodiment of the present application provides a method for detecting a file-free attack, including:
acquiring behavior data appearing during the activity of a terminal to be detected;
performing behavior detection on the behavior data by adopting a pre-trained behavior recognition model to obtain a first detection result of whether the behavior data is abnormal behavior;
determining a target process corresponding to the abnormal behavior when the abnormal behavior is determined to exist based on the first detection result;
and scanning the memory data of the target process to obtain a second detection result of whether a file-free attack exists in the target process.
In the above scheme, the acquiring the behavior data occurring during the activity of the terminal to be detected includes:
and acquiring behavior data of any process during the activity of the terminal to be detected.
In the above scheme, the performing behavior detection on the behavior data by using a pre-trained behavior recognition model to obtain a first detection result of whether the behavior data is abnormal behavior includes:
inputting the acquired behavior data into a pre-trained behavior recognition model to obtain an initial detection result representing a behavior class to which the behavior data belong;
comparing the initial detection result with a set triggering condition for triggering memory scanning, and if the initial detection result belongs to the set triggering condition, determining the behavior data to be abnormal behavior.
In the above scheme, the setting triggering condition includes at least one of the following:
executing suspicious commands by the network service process;
actively initiating a process of a network request;
a process loading an unsigned dynamic link library (Dynamic Link Library, DLL) from the current directory.
In the above scheme, the method further comprises:
if the behavior data is determined to belong to the set exposed surface process, continuously scanning the memory data of the monitored exposed surface process based on a polling scanning mechanism to obtain a third detection result of whether the monitored exposed surface process has file-free attack or not;
wherein the exposed surface process is a process potentially utilized by a file-less attack.
In the above scheme, the scanning the memory data of the monitored exposed surface process based on the polling scanning mechanism includes:
and controlling the rate of occupying processor resources by the process or thread executing the polling scanning mechanism to be smaller than or equal to the set rate, and continuously performing polling scanning on the memory data of the monitored exposed surface process.
In the above scheme, the method further comprises:
and generating alarm information and/or isolating malicious codes corresponding to the file-free attack if the file-free attack is determined to exist based on the second detection result and/or the third detection result.
In a second aspect, an embodiment of the present application provides a file-free attack detection apparatus, including:
the acquisition module is used for acquiring behavior data occurring during the activity period of the terminal to be detected;
the behavior recognition module is used for detecting the behavior of the behavior data by adopting a pre-trained behavior recognition model to obtain a first detection result of whether the behavior data is abnormal behavior or not;
the determining module is used for determining a target process corresponding to the abnormal behavior when the abnormal behavior is determined to exist based on the first detection result;
and the memory scanning module is used for scanning the memory data of the target process to obtain a second detection result of whether file-free attack exists in the target process.
In a third aspect, an embodiment of the present application provides an electronic device, including: a processor and a memory for storing a computer program capable of running on the processor, wherein the processor is adapted to perform the steps of the method according to the first aspect of the embodiment of the application when the computer program is run.
In a fourth aspect, embodiments of the present application provide a computer storage medium having a computer program stored thereon, the computer program, when executed by a processor, implementing the steps of the method according to the first aspect of the embodiments of the present application.
According to the technical scheme provided by the embodiment of the application, behavior data occurring during the activity period of the terminal to be detected is obtained; the behavior data is detected with a pre-trained behavior recognition model to obtain a first detection result of whether the behavior data is abnormal behavior; when abnormal behavior is determined to exist based on the first detection result, the target process corresponding to the abnormal behavior is determined; and the memory data of the target process is scanned to obtain a second detection result of whether a file-free attack exists in the target process. Memory scanning is thus triggered by abnormal behavior, so the system resources consumed by memory scanning are reduced, the timing of the memory scan is determined reasonably, the timeliness of memory-scan detection is improved, and the detection rate of file-free attacks is improved while system performance is preserved.
Drawings
FIG. 1 is a flow chart of a method for detecting a file-free attack according to an embodiment of the present application;
FIG. 2 is a flow chart of a method for detecting a file-free attack in an application example of the present application;
FIG. 3 is a schematic diagram of a device for detecting a file-free attack according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of an electronic device according to an embodiment of the application.
Detailed Description
The present application will be described in further detail with reference to the accompanying drawings and examples.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein in the description of the application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application.
Before describing embodiments of the present application in further detail, the terms and terminology involved in the embodiments of the present application will be described, and the terms and terminology involved in the embodiments of the present application are suitable for the following explanation:
Memory horse (MemShell): a memory horse is a common means of file-free attack, a backdoor program that resides in the memory of the target process; it is therefore also called a memory backdoor.
Memory scanning: memory scanning is the process of examining and analyzing the data in a computer's memory against the characteristics of known attacks, and is typically used to detect the presence of malware or viruses. Memory scanning can help discover malicious code hidden in memory that bypasses the detection of conventional security software.
File-free attack (fileless attack): an advanced network attack approach that does not rely on traditional malware (such as viruses or trojans) to infect target systems. Instead, file-free attacks use the legitimate tools and resources of the system itself (e.g., scripts, memory, and the registry) to perform malicious activities, bypassing traditional anti-virus and security precautions.
Behavior detection: by monitoring and analyzing various behaviors in the computer system, potential security threats and attack behaviors are detected, thereby improving the security of the system.
Advanced threat: generally refers to network attacks that are highly covert, complex, and targeted, typically launched by highly specialized hackers or hacking organizations with the aim of stealing sensitive information, damaging critical systems, or carrying out other malicious activities. Advanced threat attackers often have powerful technical capabilities and resources, can remain hidden inside the target system for long periods, and perform continuous monitoring and attack, resulting in significant losses and impact.
The embodiments below address the problems in the related art that memory scanning occupies many system resources and easily affects system performance, and that the timing of memory scanning is difficult to determine, which leads to a low detection rate.
The embodiment of the application provides a method for detecting a file-free attack, which is shown in fig. 1 and comprises the following steps:
and step 101, acquiring behavior data appearing during the activity of the terminal to be detected.
Here, the terminal may include, but is not limited to: notebook computers, desktop computers, server devices, portable electronic devices, and the like. The file-free attack detection method can be operated by the terminal.
Illustratively, taking a Windows system as an example, behavior data that occurs during terminal activity may be obtained based on ETW (Event Tracing for Windows) provided by the Windows system. The ETW provides a trace recording mechanism for event objects created by user layer applications and kernel layer drivers. A quick, reliable, universal set of event tracking features is provided for the developer.
Illustratively, the acquiring behavior data occurring during the activity of the terminal to be detected includes:
and acquiring behavior data of any process during the activity of the terminal to be detected.
Here, the behavior data of any process during the terminal activity may be collected by monitoring system call, network traffic, etc., and the behavior data includes, but is not limited to, at least one of the following: process creation, file reading and writing, network connection, etc.
Step 102: performing behavior detection on the behavior data with a pre-trained behavior recognition model to obtain a first detection result of whether the behavior data is abnormal behavior.
It will be appreciated that behavior detection is the monitoring and analysis of behavior data to identify potential security threats and attack behaviors. Based on this, a behavior recognition model for behavior detection may be pre-trained, e.g., AI training may be performed based on known attack behaviors and corresponding behavior information to obtain a behavior recognition model, which may include, but is not limited to: event models based on process tree structures. In addition, the behavior recognition model can be updated based on the newly recognized attack behaviors and corresponding behavior information, so that iterative optimization is continuously performed, and the generalization capability is enhanced.
Step 103: determining the target process corresponding to the abnormal behavior when abnormal behavior is determined to exist based on the first detection result.
Here, the abnormal behavior may be suspicious behavior such as command execution, file operation, process injection, etc. based on the memory backdoor. If the abnormal behavior exists based on the first detection result, determining a target process corresponding to the abnormal behavior, and further determining a target process needing to perform memory scanning, so that consumption of system resources by the memory scanning can be reduced, and timeliness of the memory scanning can be improved.
Step 104: scanning the memory data of the target process to obtain a second detection result of whether a file-free attack exists in the target process.
Illustratively, scanning the memory data of the target process may include: analyzing the memory data of the target process with a memory analyzer to obtain the suspicious memory blocks; matching the suspicious memory blocks against a preset rule base; if the matching succeeds, the suspicious memory block is judged to be a memory block of the backdoor and a file-free attack is determined to exist in the target process; if the matching fails, the suspicious memory block is judged not to be a memory block of the backdoor and no file-free attack is determined to exist in the target process.
It can be understood that the method of the embodiment of the application can trigger the memory scanning based on the abnormal behavior, thereby not only reducing the consumption of the memory scanning to the system resource, but also reasonably determining the time of the memory scanning, improving the timeliness of the memory scanning detection, and further improving the detection rate of the file-free attack on the basis of guaranteeing the system performance.
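The memory-scan step 104 (a memory analyzer selects the suspicious blocks, a rule base decides whether they belong to a backdoor), as an added Python example that is not the patent's code. The memory snapshot, the region/protection representation and the two rules are constructed for illustration; a real scanner would read the regions of the target process through the operating system's process-memory API and use its own rule base.

```python
from dataclasses import dataclass


@dataclass
class Region:
    """One memory region of the target process (constructed representation)."""
    base: int
    protect: str      # subset of "RWX"; stands in for the real page-protection flags
    image_path: str   # backing file for image-mapped memory, "" for private memory
    data: bytes


# --- memory analyzer: pick the suspicious memory blocks ----------------------
def find_suspicious_blocks(regions):
    """Executable memory that is not backed by an image file on disk is where a
    memory backdoor has to live, so only those regions go to rule matching."""
    return [r for r in regions if "X" in r.protect and r.image_path == ""]


# --- rule base: each rule is (name, predicate over a block) -------------------
def _pe_in_private_exec_memory(block):
    # A full PE image inside private executable memory: manually mapped code.
    return block.data[:2] == b"MZ" and b"This program cannot be run in DOS mode" in block.data


def _embedded_shell_command(block):
    # Constructed signature: a command-execution stub carrying a recon command.
    return b"cmd.exe /c" in block.data and any(
        cmd in block.data for cmd in (b"whoami", b"ipconfig", b"ifconfig"))


RULE_BASE = [
    ("pe_image_in_private_exec_memory", _pe_in_private_exec_memory),
    ("embedded_shell_command", _embedded_shell_command),
]


def match_rules(block):
    return [name for name, predicate in RULE_BASE if predicate(block)]


def scan_process(regions):
    """Second detection result: (file_free_attack_found, [(region_base, rule_name)])."""
    findings = []
    for block in find_suspicious_blocks(regions):
        for name in match_rules(block):
            findings.append((block.base, name))
    return (bool(findings), findings)


# --- constructed memory snapshot of a target process --------------------------
DOS_STUB = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode"
SAMPLE_REGIONS = [
    Region(0x7FF800000000, "RX", r"C:\Windows\System32\ntdll.dll", DOS_STUB),  # legitimate image
    Region(0x1A2B0000, "RW", "", b"heap ... whoami ... "),                       # data, not executable
    Region(0x22E40000, "RWX", "", DOS_STUB + b"\x00" * 16),                      # manually mapped PE
    Region(0x23F10000, "RX", "", b"\x55\x8b\xec" + b"cmd.exe /c whoami\x00"),    # injected stub
]

if __name__ == "__main__":
    found, findings = scan_process(SAMPLE_REGIONS)
    print("file-free attack found:", found)
    for base, rule in findings:
        print(f"  region 0x{base:x} matched rule {rule}")
```

Only the two private executable regions reach the rule base: the image-backed copy of the same DOS stub is skipped even though it would match, and the heap region that merely contains the string "whoami" is never executable, so filtering before matching is what keeps the scan cheap and keeps false positives from benign data down.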
It should be noted that the related art includes a scheme based on MSSQL process behavior data: when the process behavior data is determined to contain an Assembly Load behavior, memory scanning is performed on the process to obtain a backdoor detection result. Here MSSQL is the SQL Server database server; because MSSQL is a .NET program running in the CLR environment, an MSSQL program must be composed of Assemblies. In other words, a file-free backdoor that is to be executable must exist in the memory space in the form of an Assembly. Based on this, MSSQL process behavior data can be obtained by monitoring the MSSQL process, and when an Assembly Load behavior is found in the process behavior data, memory scanning is performed to obtain a backdoor detection result. However, this scheme can only be applied to the file-free backdoor detection scenario of MSSQL and cannot realize all-round file-free attack detection for the terminal.
The embodiment of the application can acquire the behavior data of each process during the terminal activity period, classify the behavior data based on the behavior recognition model, further determine the target process corresponding to the abnormal behavior when the abnormal behavior exists, and scan the memory data of the target process to obtain the second detection result of whether the file-free attack exists in the target process.
It should be noted that even if, starting from the above MSSQL file-free backdoor detection scheme, those skilled in the art tried to make file-free attack detection as comprehensive as possible, the more obvious route would be to enumerate the names and suspicious behaviors of suspicious processes as completely as possible and then detect a file-free attack from the suspicious behaviors of those processes. The method of the embodiment of the application, by contrast, detects the behavior data of any process with the behavior recognition model and, once abnormal behavior is determined to exist, achieves comprehensive file-free attack detection by memory scanning driven by that abnormal behavior. Clearly, the method does not need to know in advance which suspicious processes exist; it directly recognizes the abnormal behavior appearing on the terminal, determines the target process corresponding to it, and scans the memory data of the target process to obtain a second detection result of whether a file-free attack exists in that process. Triggering memory scanning from abnormal behavior not only reduces the system resources consumed by memory scanning but also determines the scanning time reasonably, improves the timeliness of memory-scan detection, and thus improves the detection rate of file-free attacks while preserving system performance.
The performing behavior detection on the behavior data by using a pre-trained behavior recognition model to obtain a first detection result of whether the behavior data is abnormal behavior, which includes:
inputting the acquired behavior data into a pre-trained behavior recognition model to obtain an initial detection result representing a behavior class to which the behavior data belong;
comparing the initial detection result with a set triggering condition for triggering memory scanning, and if the initial detection result belongs to the set triggering condition, determining the behavior data to be abnormal behavior.
Here, the set trigger condition can be preset based on expert experience, so that the efficiency of identifying abnormal behaviors can be improved, and based on reasonable filtering of the set trigger condition, the consumption of memory scanning on system resources can be reduced, and the running performance of the system is further optimized.
Illustratively, the set trigger condition includes at least one of:
executing suspicious commands by the network service process;
actively initiating a process of a network request;
a process loading an unsigned dynamic link library (Dynamic Link Library, DLL) from the current directory.
In an application example, a network service process executing a suspicious command may be a java or .NET process executing at least one of the following: ipconfig, ifconfig, whoami, etc.
In an application example, the process actively initiating a network request may include at least one of: tcp, udp, svchost, notepad.exe, explorer.exe, a powershell process, cscript.exe, etc.
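The classification-then-trigger logic of this subsection and the three set trigger conditions, as an added Python example that is not the patent's code. It assumes the ETW events have already been normalised into the small Event records below (the field names and the process-name lists are constructed stand-ins for the expert-set conditions); the process-tree walk plays the role of the page's "event model based on process tree structures", so a recon command run by a child shell of a java process still counts, and the choice to scan the network-service ancestor rather than the short-lived whoami.exe is this example's design decision, not a statement of the patent.

```python
import ntpath
from dataclasses import dataclass

# Constructed lists standing in for the expert-set trigger conditions.
NETWORK_SERVICE_IMAGES = {"java.exe", "w3wp.exe", "dotnet.exe"}
SUSPICIOUS_COMMANDS = {"ipconfig", "ifconfig", "whoami"}
OUTBOUND_WATCHLIST = {"svchost.exe", "notepad.exe", "explorer.exe",
                      "powershell.exe", "cscript.exe"}


@dataclass
class Event:
    """Normalised behaviour record (constructed shape, not an ETW structure)."""
    kind: str            # "process_create" | "net_connect" | "image_load"
    pid: int
    image: str           # image name of the process performing the behaviour
    ppid: int = 0        # process_create only
    path: str = ""       # image_load only: full path of the loaded DLL
    signed: bool = True  # image_load only: Authenticode signature present
    cwd: str = ""        # image_load only: current directory of the loading process


NO_HIT = (False, "", None)


class TriggerEvaluator:
    """Initial detection result (behaviour class) -> compare with the set trigger
    conditions -> (hit, reason, target_pid_to_scan)."""

    def __init__(self):
        self.parent = {}  # pid -> ppid, the process tree seen so far
        self.image = {}   # pid -> lower-case image name

    def _network_service_ancestor(self, pid, max_depth=8):
        """Return the nearest ancestor (pid included) that is a network service."""
        for _ in range(max_depth):
            if pid is None:
                return None
            if self.image.get(pid, "") in NETWORK_SERVICE_IMAGES:
                return pid
            pid = self.parent.get(pid)
        return None

    def evaluate(self, ev):
        image = ev.image.lower()
        if ev.kind == "process_create":
            self.parent[ev.pid] = ev.ppid
            self.image[ev.pid] = image
            command = image[:-4] if image.endswith(".exe") else image
            if command in SUSPICIOUS_COMMANDS:
                service_pid = self._network_service_ancestor(ev.ppid)
                if service_pid is not None:
                    # scan the service that hosts the backdoor, not the recon tool
                    return (True, "network service executed suspicious command", service_pid)
            return NO_HIT
        if ev.kind == "net_connect":
            if image in OUTBOUND_WATCHLIST:
                return (True, "watched process initiated network request", ev.pid)
            return NO_HIT
        if ev.kind == "image_load":
            dll_dir = ntpath.normcase(ntpath.dirname(ev.path)).rstrip("\\")
            cwd = ntpath.normcase(ev.cwd).rstrip("\\")
            if not ev.signed and dll_dir == cwd:
                return (True, "unsigned DLL loaded from current directory", ev.pid)
            return NO_HIT
        return NO_HIT


def scan_targets(events):
    """Feed an event stream through the evaluator; return {target_pid: [reasons]}
    for the processes whose memory should now be scanned."""
    evaluator = TriggerEvaluator()
    targets = {}
    for ev in events:
        hit, reason, pid = evaluator.evaluate(ev)
        if hit:
            targets.setdefault(pid, []).append(reason)
    return targets


# Constructed event stream: a backdoor in java.exe spawning cmd -> whoami,
# notepad reaching out to the network, and explorer loading a DLL from its cwd.
SAMPLE_EVENTS = [
    Event("process_create", 100, "java.exe", ppid=1),
    Event("process_create", 200, "cmd.exe", ppid=100),
    Event("process_create", 300, "whoami.exe", ppid=200),
    Event("process_create", 310, "whoami.exe", ppid=1),          # admin at a console: no hit
    Event("net_connect", 400, "notepad.exe"),
    Event("net_connect", 401, "chrome.exe"),                     # not on the watch list
    Event("image_load", 500, "explorer.exe", path=r"C:\Users\bob\Desktop\helper.dll",
          signed=False, cwd=r"C:\Users\bob\Desktop"),
    Event("image_load", 501, "explorer.exe", path=r"C:\Windows\System32\ntdll.dll",
          signed=True, cwd=r"C:\Users\bob\Desktop"),
]

if __name__ == "__main__":
    for pid, reasons in scan_targets(SAMPLE_EVENTS).items():
        print(f"pid {pid}: trigger memory scan ({'; '.join(reasons)})")
```

The evaluator is stateful on purpose: the "network service executes suspicious command" condition cannot be decided from a single process-creation event, because the command usually arrives two or three levels below the service in the process tree, which is why the page's behavior model is built on process-tree structure rather than on isolated events.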
It should be noted that for some advanced threats, such as APT (Advanced Persistent Threat) groups, the attack methods are novel and may bypass the condition that triggers the memory scan, i.e., the foregoing set triggering condition, resulting in missed detection of the file-free attack. Based on this, in some embodiments, the file-free attack detection method of the embodiments of the present application may further include:
if the behavior data is determined to belong to the set exposed surface process, continuously scanning the memory data of the monitored exposed surface process based on a polling scanning mechanism to obtain a third detection result of whether the monitored exposed surface process has file-free attack or not; wherein the exposed surface process is a process potentially utilized by a file-less attack.
Here, the set exposed-surface processes can be predetermined based on expert experience, providing a polling-scan fallback mechanism that effectively overcomes the missed detections of a memory scan triggered only by abnormal behavior, thereby further ensuring comprehensive protection of the terminal against file-free attacks.
Illustratively, the set exposed-surface processes may include, but are not limited to: web service processes, system resident processes, and similar processes readily used by attackers.
Illustratively, continuously scanning the memory data of the monitored exposed-surface process based on the polling scanning mechanism includes:
and controlling the rate of occupying processor resources by the process or thread executing the polling scanning mechanism to be smaller than or equal to the set rate, and continuously performing polling scanning on the memory data of the monitored exposed surface process.
It should be noted that the foregoing triggered memory scan and persistent memory scan based on the polling scan mechanism may be implemented by two different threads or processes, respectively. The process is a process of sequentially and dynamically executing programs with a certain independent function on a data set, and the process is an example of the executing program and comprises a program counter, a register and the current value of a program variable; threads are designed into an execution path of a process, the threads in the same process share the resources of the process, and the cost required by the system for scheduling the threads is far less than that of the process.
By way of example, the processor resource occupancy of the process or thread executing the polling scanning mechanism is controlled to be less than or equal to 1%, so that the high-risk processes readily used by attackers can be covered by the fallback polling memory scan without affecting the running performance of the system, and false alarms can be effectively prevented.
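The processor-budget control of the polling scan (occupancy at or below 1%), as an added Python example that is not the patent's code. The scanning itself is replaced by a constructed scan function that costs a fixed amount of CPU per process; the poller measures its own CPU time with time.process_time and, after each scan, sleeps just long enough to keep cumulative CPU time divided by elapsed wall time under the budget. The SimulatedClock exists so the run is deterministic and fast; production code would pass RealClock.

```python
import time


class SimulatedClock:
    """Deterministic clock for the demonstration; production passes RealClock."""
    def __init__(self):
        self.wall = 0.0
        self.cpu = 0.0

    def monotonic(self):
        return self.wall

    def process_time(self):
        return self.cpu

    def sleep(self, seconds):
        self.wall += seconds            # sleeping costs wall time, no CPU

    def burn(self, cpu_seconds):
        self.wall += cpu_seconds        # scanning costs both
        self.cpu += cpu_seconds


class RealClock:
    monotonic = staticmethod(time.monotonic)
    process_time = staticmethod(time.process_time)
    sleep = staticmethod(time.sleep)


class CpuBudgetPoller:
    """Polls the exposed-surface processes in turn, sleeping after each scan so
    that cpu_used / wall_elapsed never exceeds `budget` (0.01 == 1%)."""

    def __init__(self, targets, scan_fn, budget=0.01, clock=None):
        self.targets = list(targets)
        self.scan_fn = scan_fn
        self.budget = budget
        self.clock = clock or RealClock()
        self.start_wall = self.clock.monotonic()
        self.start_cpu = self.clock.process_time()

    def required_sleep(self, cpu_used, wall_elapsed):
        # Need wall_elapsed + sleep >= cpu_used / budget to stay within budget.
        return max(0.0, cpu_used / self.budget - wall_elapsed)

    def occupancy(self):
        wall = self.clock.monotonic() - self.start_wall
        return 0.0 if wall == 0 else (self.clock.process_time() - self.start_cpu) / wall

    def poll_round(self):
        """One pass over all targets; returns the third detection result as a
        list of (pid, finding) for processes where the scan reported something."""
        findings = []
        for pid in self.targets:
            result = self.scan_fn(pid)
            if result:
                findings.append((pid, result))
            cpu_used = self.clock.process_time() - self.start_cpu
            wall_elapsed = self.clock.monotonic() - self.start_wall
            pause = self.required_sleep(cpu_used, wall_elapsed)
            if pause > 0:
                self.clock.sleep(pause)
        return findings


def simulate_round(budget=0.01, cpu_per_scan=0.05, pids=(1200, 1344, 4242)):
    """Run one polling round against a constructed scan that costs `cpu_per_scan`
    seconds of CPU per process and flags pid 4242; returns (findings, wall, occupancy)."""
    clock = SimulatedClock()

    def fake_scan(pid):
        clock.burn(cpu_per_scan)
        return "constructed_hit" if pid == 4242 else None

    poller = CpuBudgetPoller(pids, fake_scan, budget=budget, clock=clock)
    findings = poller.poll_round()
    return findings, clock.wall, poller.occupancy()


if __name__ == "__main__":
    findings, wall, occupancy = simulate_round()
    print(f"findings={findings} wall={wall:.2f}s occupancy={occupancy:.2%}")
```

With three processes costing 50 ms of CPU each, the round stretches to about 15 s of wall time so that the thread's occupancy lands at exactly the 1% budget; the price of the fallback scan is latency, not throughput, which is why the page pairs it with the behavior-triggered scan for the time-critical cases.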
Illustratively, the method further comprises:
and generating alarm information and/or isolating malicious codes corresponding to the file-free attack if the file-free attack is determined to exist based on the second detection result and/or the third detection result.
It can be understood that, based on the triggered memory scan and/or the fallback polling memory scan, when malicious code such as a memory backdoor is found, alarm information can be generated and the malicious code corresponding to the file-free attack can further be isolated, ensuring the running safety and reliability of the terminal.
The application is described in further detail below in connection with an application example.
Fig. 2 shows a flow chart of the file-free attack detection method in the present application example. As shown in fig. 2, the application example includes two memory scanning schemes: an abnormal-behavior-triggered memory scan performed by a triggered memory scanning thread, and a polling-based fallback scan performed by a polling memory scanning thread.
Illustratively, the memory scan triggered based on the abnormal behavior includes: when an attacker performs suspicious operations such as command execution, file operation, process injection and the like by using a memory backdoor, suspicious behaviors can be captured by a behavior recognition model (also called a behavior detection engine) and the set trigger condition is hit, and a memory scanning engine performs memory scanning on a process for executing dangerous operations in a targeted manner based on a trigger type memory scanning thread, so that file-free attack detection is realized.
Illustratively, the polling-based fallback scan works as follows: some attack behaviors may not hit the set trigger condition and therefore do not trigger the abnormal-behavior-triggered memory scan. For the monitored exposed-surface processes (including but not limited to web processes, system resident services, etc.) that are readily used by attackers, the memory scanning engine continuously polls them with a low system resource occupancy from a polling memory scanning thread, so missed detections caused by incomplete coverage of the set trigger condition are effectively avoided and comprehensive protection of the terminal against file-free attacks is achieved.
In order to implement the method of the embodiment of the present application, the embodiment of the present application further provides a file-free attack detection device, where the file-free attack detection device corresponds to the file-free attack detection method, and each step in the embodiment of the file-free attack detection method is also completely applicable to the embodiment of the file-free attack detection device.
As shown in fig. 3, the file-free attack detection device includes: the system comprises an acquisition module 301, a behavior recognition module 302, a determination module 303 and a memory scanning module 304. The acquiring module 301 is configured to acquire behavior data that occurs during an activity of a terminal to be detected; the behavior recognition module 302 is configured to perform behavior detection on the behavior data by using a pre-trained behavior recognition model, so as to obtain a first detection result of whether the behavior data is abnormal behavior; the determining module 303 is configured to determine, when determining that an abnormal behavior exists based on the first detection result, a target process corresponding to the abnormal behavior; the memory scanning module 304 is configured to scan the memory data of the target process to obtain a second detection result of whether a file-free attack exists in the target process.
In some embodiments, the obtaining module 301 is specifically configured to:
and acquiring behavior data of any process during the activity of the terminal to be detected.
In some embodiments, behavior recognition module 302 is specifically configured to:
inputting the acquired behavior data into a pre-trained behavior recognition model to obtain an initial detection result representing a behavior class to which the behavior data belong;
comparing the initial detection result with a set triggering condition for triggering memory scanning, and if the initial detection result belongs to the set triggering condition, determining the behavior data to be abnormal behavior.
In some embodiments, the set trigger condition includes at least one of:
executing suspicious commands by the network service process;
actively initiating a process of a network request;
and loading the process of the unsigned DLL under the current directory.
In some embodiments, the memory scanning module 304 is further configured to:
if the process to which the behavior data belongs is determined to be a set exposed surface process, continuously scan the memory data of the monitored exposed surface process based on a polling scanning mechanism, to obtain a third detection result indicating whether a file-free attack exists in the monitored exposed surface process;
wherein an exposed surface process is a process that may potentially be exploited by a file-free attack.
In some embodiments, continuously scanning the memory data of the monitored exposed surface process based on the polling scanning mechanism includes:
limiting the rate at which the process or thread executing the polling scanning mechanism occupies processor resources to at most a set rate, and continuously polling-scanning the memory data of the monitored exposed surface process.
In some embodiments, the file-free attack detection device further includes a response module 305, configured to generate alarm information and/or isolate the malicious code corresponding to the file-free attack if it is determined, based on the second detection result and/or the third detection result, that a file-free attack exists.
In practical application, the acquisition module 301, the behavior recognition module 302, the determination module 303, the memory scanning module 304 and the response module 305 may be implemented by a processor in the file-free attack detection device. Of course, the processor needs to run a computer program stored in memory to implement their functions.
It should be noted that the division of the file-free attack detection device of the above embodiment into program modules is only for illustration; in practical application, the processing may be allocated to different program modules as needed, that is, the internal structure of the device may be divided into program modules other than those described, so as to complete all or part of the processing described above. In addition, the file-free attack detection device and the file-free attack detection method provided by the embodiments of the present application belong to the same concept; the detailed implementation of the device is described in the method embodiments and is not repeated here.
Based on the hardware implementation of the program modules, and in order to implement the method of the embodiments of the present application, the embodiments of the present application further provide an electronic device. The electronic device may include, but is not limited to, notebook computers, desktop computers, server devices, portable electronic devices and the like. Fig. 4 shows only an exemplary structure of the electronic device; not all of the components shown need be implemented.
As shown in fig. 4, an electronic device 400 provided in an embodiment of the present application includes at least one processor 401, a memory 402, a user interface 403 and at least one network interface 404. The various components in the electronic device 400 are coupled together by a bus system 405. It is understood that the bus system 405 is used to enable connected communication between these components. In addition to a data bus, the bus system 405 includes a power bus, a control bus and a status signal bus; for clarity of illustration, however, the various buses are all labeled as bus system 405 in fig. 4.
The user interface 403 may include, among other things, a display, keyboard, mouse, trackball, click wheel, keys, buttons, touch pad, or touch screen, etc.
The memory 402 in embodiments of the present application is used to store various types of data to support the operation of the electronic device. Examples of such data include: any computer program for operating on an electronic device.
The file-free attack detection method disclosed by the embodiments of the present application may be applied to the processor 401 or implemented by the processor 401. The processor 401 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the file-free attack detection method may be performed by integrated logic circuits of hardware in the processor 401 or by instructions in the form of software. The processor 401 may be a general purpose processor, a digital signal processor (DSP, Digital Signal Processor), another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The processor 401 may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. The general purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present application may be embodied directly as being executed by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium; the storage medium is located in the memory 402, and the processor 401 reads the information in the memory 402 and, in combination with its hardware, implements the steps of the file-free attack detection method provided by the embodiments of the present application.
In an exemplary embodiment, the electronic device may be implemented by one or more application specific integrated circuits (ASIC, application Specific Integrated Circuit), DSPs, programmable logic devices (PLD, programmable Logic Device), complex programmable logic devices (CPLD, complex Programmable Logic Device), field programmable gate arrays (FPGA, field Programmable Gate Array), general purpose processors, controllers, microcontrollers (MCU, micro Controller Unit), microprocessors (Microprocessor), or other electronic components for performing the aforementioned methods.
It is to be appreciated that the memory 402 can be either volatile memory or nonvolatile memory, and can include both volatile and nonvolatile memory. The nonvolatile memory may be read only memory (ROM, Read-Only Memory), programmable read only memory (PROM, Programmable Read-Only Memory), erasable programmable read only memory (EPROM, Erasable Programmable Read-Only Memory), electrically erasable programmable read only memory (EEPROM, Electrically Erasable Programmable Read-Only Memory), magnetic random access memory (FRAM, ferromagnetic random access memory), flash memory (Flash Memory), magnetic surface memory, optical disk, or compact disk read only memory (CD-ROM, Compact Disc Read-Only Memory); the magnetic surface memory may be a disk memory or a tape memory. The volatile memory may be random access memory (RAM, Random Access Memory), which acts as an external cache. By way of example, and not limitation, many forms of RAM are available, such as static random access memory (SRAM, Static Random Access Memory), synchronous static random access memory (SSRAM, Synchronous Static Random Access Memory), dynamic random access memory (DRAM, Dynamic Random Access Memory), synchronous dynamic random access memory (SDRAM, Synchronous Dynamic Random Access Memory), double data rate synchronous dynamic random access memory (DDR SDRAM, Double Data Rate Synchronous Dynamic Random Access Memory), enhanced synchronous dynamic random access memory (ESDRAM, Enhanced Synchronous Dynamic Random Access Memory), synchronous link dynamic random access memory (SLDRAM, SyncLink Dynamic Random Access Memory) and direct Rambus random access memory (DRRAM, Direct Rambus Random Access Memory). The memory described in the embodiments of the present application is intended to comprise, without being limited to, these and any other suitable types of memory.
In an exemplary embodiment, the present application further provides a computer storage medium, which may be a computer readable storage medium, for example the memory 402 storing a computer program, where the computer program may be executed by the processor 401 of the electronic device to perform the steps of the method described in the embodiments of the present application. The computer readable storage medium may be ROM, PROM, EPROM, EEPROM, flash memory, magnetic surface memory, optical disk, or CD-ROM.
It should be noted that: "first," "second," etc. are used to distinguish similar objects and not necessarily to describe a particular order or sequence.
In addition, the embodiments of the present application may be combined in any way provided they do not conflict.
The foregoing is merely illustrative of the present application, and the protection scope of the present application is not limited thereto; any variation or substitution that a person skilled in the art could readily conceive of within the technical scope disclosed herein falls within the protection scope of the present application. Therefore, the protection scope of the present application is subject to the protection scope of the claims.

Claims (10)

1. A method for detecting a file-free attack, comprising:
acquiring behavior data appearing during the activity of a terminal to be detected;
performing behavior detection on the behavior data by adopting a pre-trained behavior recognition model to obtain a first detection result of whether the behavior data is abnormal behavior;
determining a target process corresponding to the abnormal behavior when the abnormal behavior is determined to exist based on the first detection result;
and scanning the memory data of the target process to obtain a second detection result of whether a file-free attack exists in the target process.
2. The method according to claim 1, wherein the obtaining behavior data occurring during the activity of the terminal to be detected comprises:
acquiring behavior data of any process during the activity of the terminal to be detected.
3. The method of claim 1, wherein performing behavior detection on the behavior data using a pre-trained behavior recognition model to obtain a first detection result of whether the behavior data is abnormal behavior comprises:
inputting the acquired behavior data into the pre-trained behavior recognition model to obtain an initial detection result representing the behavior class to which the behavior data belongs;
comparing the initial detection result with a set trigger condition for triggering memory scanning, and if the initial detection result falls under the set trigger condition, determining the behavior data to be abnormal behavior.
4. The method according to claim 3, wherein the set trigger condition comprises at least one of:
a network service process executing a suspicious command;
a process actively initiating a network request;
a process loading an unsigned dynamic link library (DLL) from the current directory.
5. The method according to claim 1, wherein the method further comprises:
if the process to which the behavior data belongs is determined to be a set exposed surface process, continuously scanning the memory data of the monitored exposed surface process based on a polling scanning mechanism, to obtain a third detection result of whether a file-free attack exists in the monitored exposed surface process;
wherein an exposed surface process is a process that may potentially be exploited by a file-free attack.
6. The method of claim 5, wherein continuously scanning the memory data of the monitored exposed surface process based on the polling scanning mechanism comprises:
limiting the rate at which the process or thread executing the polling scanning mechanism occupies processor resources to at most a set rate, and continuously polling-scanning the memory data of the monitored exposed surface process.
7. The method of claim 5, wherein the method further comprises:
generating alarm information and/or isolating the malicious code corresponding to the file-free attack if it is determined, based on the second detection result and/or the third detection result, that a file-free attack exists.
8. A file-less attack detection device, comprising:
the acquisition module is used for acquiring behavior data occurring during the activity period of the terminal to be detected;
a behavior recognition module, configured to perform behavior detection on the behavior data using a pre-trained behavior recognition model to obtain a first detection result of whether the behavior data is abnormal behavior;
a determination module, configured to determine a target process corresponding to the abnormal behavior when it is determined based on the first detection result that abnormal behavior exists;
and a memory scanning module, configured to scan the memory data of the target process to obtain a second detection result of whether a file-free attack exists in the target process.
9. An electronic device, comprising: a processor and a memory for storing a computer program capable of running on the processor, wherein,
the processor being adapted to perform the steps of the method of any of claims 1 to 7 when the computer program is run.
10. A computer storage medium having a computer program stored thereon, which, when executed by a processor, implements the steps of the method according to any of claims 1 to 7.
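The following is an added illustration, not code from the patent or its applicant, of the detection flow described for modules 301 to 305 above and in claims 1 to 7: a constructed rule set stands in for the pre-trained behavior recognition model, the three trigger conditions of claim 4 gate a memory scan of the target process, and a polling scan of exposed surface processes is throttled to a processor share. Process names, events, memory regions and the "PE header in non-file-backed executable memory" indicator are all constructed for the example.

```python
import re, time
from dataclasses import dataclass
NET_SERVICES = {"w3wp.exe", "httpd"}  # constructed names of network service processes
SUSPICIOUS = re.compile(r"powershell|cmd\.exe|certutil", re.I)  # constructed command list
TRIGGERS = {"netsvc_suspicious_cmd", "active_net_request", "unsigned_dll_cwd"}  # claim 4

@dataclass
class Event:  # one behavior record collected on the terminal
    pid: int; image: str; kind: str; detail: str; signed: bool = True

@dataclass
class Region:  # one mapped memory region of a process
    executable: bool; file_backed: bool; data: bytes

def classify(e: Event) -> str:
    """Stand-in for the pre-trained behavior recognition model: event -> behavior class."""
    if e.kind == "exec" and e.image in NET_SERVICES and SUSPICIOUS.search(e.detail):
        return "netsvc_suspicious_cmd"
    if e.kind == "net_connect":
        return "active_net_request"
    if e.kind == "load_dll" and not e.signed and e.detail.startswith("./"):
        return "unsigned_dll_cwd"
    return "benign"

def scan_memory(regions: list) -> bool:
    """Memory scan: an executable region with no backing file that carries a PE
    header ("MZ") is the in-memory code indicator used by this example."""
    return any(r.executable and not r.file_backed and b"MZ" in r.data for r in regions)

def detect(events: list, memory: dict) -> list:
    """Behavior-triggered path: only processes whose behavior hit a trigger get scanned."""
    return [e.pid for e in events
            if classify(e) in TRIGGERS and scan_memory(memory.get(e.pid, []))]

def poll_scan(memory: dict, pids: list, rounds: int = 3, cpu_share: float = 0.05) -> set:
    """Polling path: rescan the exposed surface processes repeatedly, idling after each
    round so the scanner's busy fraction stays at or below cpu_share."""
    found = set()
    for _ in range(rounds):
        t0 = time.perf_counter()
        found.update(p for p in pids if scan_memory(memory.get(p, [])))
        busy = time.perf_counter() - t0
        time.sleep(busy * (1 / cpu_share - 1))  # e.g. 19x the busy time for a 5% cap
    return found

# Constructed sample: pid 7 is a web worker that ran PowerShell and holds a private
# executable PE image; pid 9 only has file-backed code and a signed system DLL load.
MEMORY = {7: [Region(True, True, b"MZ w3wp"), Region(True, False, b"\x90MZ injected")],
          9: [Region(True, True, b"MZ svchost")]}
EVENTS = [Event(7, "w3wp.exe", "exec", "powershell.exe -Command whoami"),
          Event(9, "svchost.exe", "load_dll", "C:/Windows/System32/x.dll")]
if __name__ == "__main__":
    print("triggered scan hits:", detect(EVENTS, MEMORY))
    print("polling scan hits:", poll_scan(MEMORY, [7, 9]))
```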
CN202310986733.6A 2023-08-07 2023-08-07 File-free attack detection method, device, equipment and storage medium Pending CN117235714A (en)


Publications (1)

Publication Number Publication Date
CN117235714A true CN117235714A (en) 2023-12-15

Family

ID=89086927



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination