Embodiments
Exemplary embodiments of the disclosure are described more fully below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. On the contrary, these embodiments are provided so that the disclosure will be understood more thoroughly and its scope will be conveyed completely to those skilled in the art.
An embodiment of the present invention provides a method for recognizing 0day vulnerabilities. As shown in figure 1, the method includes:

101. Pass the file to be detected through the vulnerability basic database and check whether a vulnerability number is obtained. The vulnerability basic database is a known-vulnerability database in which every vulnerability record includes the type of file in which the vulnerability exists, the vulnerability number and the vulnerability detection logic; the vulnerability number and the detection logic are unique and correspond one-to-one.

The vulnerability basic database is set up from experience and records the information of all known vulnerabilities. The vulnerability number is assigned when the database is established and uniquely identifies one vulnerability; the detection logic is the method used to detect the vulnerability and to trigger the threat it poses.

When the file to be detected is matched against the vulnerability basic database, the type of the file is obtained first, the detection logic corresponding to that type is obtained, and the file is detected with it. When the file triggers a vulnerability in the database, the vulnerability number is obtained from the detection logic, which shows that the vulnerability in the file is of a known type. When the file triggers no vulnerability in the database, the file may be a normal file or may still contain a vulnerability, so it needs further detection.

102. If no vulnerability number is obtained, determine whether the file to be detected is a malicious file according to its type.

One type of file often carries several kinds of vulnerability, but one kind of vulnerability usually exists in only one type of file, and the method of analysing whether a vulnerability exists differs from one file type to another. Therefore, when the file to be detected triggers no vulnerability in the vulnerability basic database, whether it is a malicious file is determined according to its type.

103. If the file to be detected is determined to be a malicious file, determine that the vulnerability in it is a 0day vulnerability.

In this embodiment, 0day recognition is performed on the basis of the vulnerability basic database, which is a known-vulnerability database holding all existing known vulnerabilities, each paired with its own unique detection logic. The file to be detected is checked with that detection logic: a vulnerability detected this way is necessarily a known vulnerability, while a vulnerability found by the later analysis of a file that triggered nothing in the database is necessarily a 0day vulnerability. The whole process runs automatically according to a fixed flow, and is faster and more accurate than the manual 0day detection of the prior art.
Further, when step 101 passes the file to be detected through the vulnerability basic database, the embodiment may use, but is not limited to, the following method. As shown in figure 2, the method includes:

201. Obtain the type of the file to be detected.

In this embodiment, when a discovered vulnerability is recorded, the type of file in which the vulnerability exists is stored together with its identification, which makes later look-up easy. Therefore, when a file is detected for vulnerabilities, its type is obtained first and the other relevant information is looked up by that type.

The type of the file to be detected may be obtained from, but not only from, the suffix of the file name. It may also be recognized by a file-type identification tool from the characteristic values of the file itself. Since the suffix is chosen by whoever produced the file, identification from the file's own content is the more reliable of the two. Any method that yields the file type may be used; the embodiment does not restrict this, and it may be chosen according to the user's needs.

202. Traverse the vulnerability basic database according to the type of the file to be detected and obtain the detection logic corresponding to files of that type.

When a file is detected, its type is obtained first and the vulnerability basic database is traversed by that type to obtain the corresponding detection logic. The database covers files of different types, one type of file may hold different kinds of vulnerability, and every vulnerability record is uniquely determined. For example, when the type of the file to be detected is html, the database is traversed, all vulnerability records whose file type is html are obtained, and the detection logic in each of those records is obtained.

203. Detect the file to be detected according to the obtained detection logic.

The detection logic is the method of detecting the vulnerability and triggering its threat, and every kind of vulnerability has one unique method that triggers its threat. The file is detected with that logic to decide whether the threat is triggered; if it is, the vulnerability number corresponding to that detection logic is determined, and the vulnerability type of the file is thereby identified.
Further, when the file to be detected has passed through the vulnerability basic database without triggering any vulnerability, no known vulnerability exists in it, but it cannot yet be determined whether it is a normal file or a file with a vulnerability; whether it is a malicious file must be determined according to its type. As stated above, the method of determining whether a file is malicious differs by file type, and the embodiment describes this specifically below.
When the type of the file to be detected is html, the embodiment provides a method for recognizing a malicious file. As shown in figure 3, the method includes:

301. Detect whether malicious features exist in the html file; if malicious features exist, perform 302, otherwise perform 303.

To detect whether an html file is a malicious file, it is first detected whether malicious features exist in it. The malicious features may include, but are not limited to, a stack overflow and an exception, and may also include a heap spray. Any other kind of malicious feature may be included; the embodiment does not restrict this.

302. Determine that the html file is a malicious file.

Determining that the html file is malicious means determining that the file contains a vulnerability. Since that vulnerability does not exist in the vulnerability database, the vulnerability in the file to be detected is necessarily a 0day vulnerability.

303. Determine that the html file is a normal file.
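The flow of figures 1 to 3 (steps 101 to 103, 201 to 203 and 301 to 303) as an added worked example in Python. This is the editor's illustration, not code from the patent: the records in VULN_DB with their placeholder numbers KNOWN-00x and trigger predicates, the suffix and leading-byte type rules, the three heap-spray indicators standing in for the html malicious features, the static fs-segment signature standing in for the instruction virtual machine of figure 4 as the document check, and all sample files are constructed here.

```python
"""Added example: steps 101-103, 201-203 and 301-303 in Python.
Database records, type rules, malice checks and samples are all constructed."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class VulnRecord:
    number: str                       # vulnerability number, unique per record
    file_type: str                    # type of file in which the vulnerability exists
    detect: Callable[[bytes], bool]   # detection logic: True when the file triggers it


# Constructed vulnerability basic database; KNOWN-00x are placeholders, not real IDs.
VULN_DB = [
    VulnRecord("KNOWN-001", "html",
               lambda d: b"<object" in d.lower() and b"classid=" in d.lower()),
    VulnRecord("KNOWN-002", "html",
               lambda d: b"<iframe" in d.lower() and b'height="0"' in d.lower()),
    VulnRecord("KNOWN-003", "document",
               lambda d: d.startswith(b"%PDF") and b"/OpenAction" in d and b"/JavaScript" in d),
]
SUFFIX_TYPES = {".html": "html", ".htm": "html", ".pdf": "document", ".doc": "document"}
MAGIC_TYPES = {b"%pdf": "document", b"\xd0\xcf\x11\xe0": "document", b"<html": "html"}


def file_type_of(name: str, data: bytes) -> Optional[str]:
    """Step 201: file-name suffix first, then the file's own leading bytes as fallback."""
    for suffix, ftype in SUFFIX_TYPES.items():
        if name.lower().endswith(suffix):
            return ftype
    head = data[:32].lower()          # bytes.lower() only changes ASCII letters
    for magic, ftype in MAGIC_TYPES.items():
        if head.startswith(magic):
            return ftype
    return None


def check_against_database(ftype: str, data: bytes) -> Optional[str]:
    """Steps 202-203: traverse the records of this type and run each detection logic."""
    for rec in VULN_DB:
        if rec.file_type == ftype and rec.detect(data):
            return rec.number
    return None


# Step 301 for html: three heap-spray indicators looked for inside <script> blocks.
HEAP_SPRAY_INDICATORS = {
    "repeated_unicode_escape": re.compile(r"(%u[0-9a-fA-F]{4})(?:\1){3,}"),
    "string_doubling_loop": re.compile(
        r"while\s*\(\s*(\w+)\.length\s*<\s*(?:0x[0-9a-fA-F]+|\d+)\s*\)\s*\1\s*\+=\s*\1"),
    "array_fill_loop": re.compile(r"for\s*\([^)]*\)\s*\{?\s*\w+\s*\[\s*\w+\s*\]\s*="),
}


def html_malice_features(data: bytes) -> List[str]:
    """Indicators present in the scripts; two or more are required, because any one
    of them also occurs in ordinary pages."""
    text = data.decode("utf-8", errors="replace")
    scripts = re.findall(r"<script[^>]*>(.*?)</script>", text, re.I | re.S)
    found = [name for name, rx in HEAP_SPRAY_INDICATORS.items()
             if any(rx.search(s) for s in scripts)]
    return found if len(found) >= 2 else []


# mov eax, fs:[0x30]; mov edx, fs:[0x30]; mov eax, fs:[0x18]: raw PEB/TEB reads.
FS_SEGMENT_READS = (b"\x64\xa1\x30\x00\x00\x00", b"\x64\x8b\x15\x30\x00\x00\x00",
                    b"\x64\xa1\x18\x00\x00\x00")


def document_malice_features(data: bytes) -> List[str]:
    """Static stand-in for the instruction virtual machine of figure 4: flag bytes that
    read the PEB/TEB through the fs segment, the usual start of embedded shellcode."""
    return [f"fs_segment_read@{data.find(sig)}" for sig in FS_SEGMENT_READS if sig in data]


MALICE_CHECKS = {"html": html_malice_features, "document": document_malice_features}


def recognise(name: str, data: bytes) -> dict:
    """Steps 101-103: known number, else type-specific malice check, else normal."""
    ftype = file_type_of(name, data)
    if ftype is None:
        return {"verdict": "unknown_type"}
    number = check_against_database(ftype, data)
    if number is not None:
        return {"verdict": "known", "type": ftype, "number": number}      # step 101
    features = MALICE_CHECKS[ftype](data)                                 # step 102
    if features:
        return {"verdict": "0day", "type": ftype, "features": features}   # step 103
    return {"verdict": "normal", "type": ftype}


# Constructed sample files.
KNOWN_HTML = b'<html><object classid="clsid:00000000-0000-0000-0000-000000000000"></object></html>'
SPRAY_HTML = b"""<html><script>
var shellcode = unescape("%u9090%u9090%uc033%u5064");
var nop = unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c");
while (nop.length < 0x100000) nop += nop;
var spray = new Array();
for (var i = 0; i < 200; i++) spray[i] = nop + shellcode;
</script></html>"""
CLEAN_HTML = b'<html><script>for (var i = 0; i < rows.length; i++) rows[i].hidden = false;</script></html>'
SHELLCODE_PDF = (b"%PDF-1.4 constructed\n" + b"\x90" * 8
                 + b"\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c" + b"\n%%EOF")

if __name__ == "__main__":
    for name, data in [("a.html", KNOWN_HTML), ("b.html", SPRAY_HTML),
                       ("c.html", CLEAN_HTML), ("d.pdf", SHELLCODE_PDF)]:
        print(name, recognise(name, data))
```

The two-indicator threshold in html_malice_features is the practitioner's caveat on step 301: a single indicator (a loop that fills an array, say) is ordinary JavaScript, and calling a file a 0day on that alone would flood the queue with false positives; conversely a file that passes these checks is only "normal" with respect to the features implemented, exactly as the text's step 303 says.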
When the type of the file to be detected is a document file, the embodiment provides a method for recognizing a malicious file. As shown in figure 4, the method includes:

401. Build an instruction virtual machine.

In this embodiment, when a document file has been filtered through the vulnerability basic database and the number of no existing vulnerability is returned, the document still has to be executed under observation to determine whether it shows malicious behaviour. This is done by building an instruction virtual machine and running the document in it. The instruction virtual machine may be built by, but is not limited to, the following method:

1) set up an instruction reading module that reads the document file byte by byte;

2) set up an interpretation module that interprets what the instruction reading module has read;

3) build a simulated environment for instruction execution, including the thread, process, stack, heap and related system data of the running instructions, and simulations of the built-in system APIs; the simulated built-in system APIs include the file, process, registry and network APIs.

402. Run the document file byte by byte in the instruction virtual machine and record the behaviour of the run.

So that no malicious instruction in the document file is missed, the document is read into the instruction virtual machine and executed starting from every byte. For example, if the document's instructions run from 0 to 100, the first pass reads from 0 and identifies what it has read, the second pass reads from 1, and so on, which ensures that every combination of instructions is run.

403. Match the recorded behaviour against the behaviour in the predefined malicious-behaviour rule base; if a corresponding behaviour is matched, perform 404, otherwise perform 405.

The malicious-behaviour rule base is set up from experience. The rules include: downloading a file, accessing the thread environment block and the process environment block, attempting to load a dynamic library, and attempting to obtain the address of a system function. In practice the rule base is not limited to these behaviours and may include any malicious behaviour known in the prior art; the embodiment does not restrict this.

404. Determine that the file to be detected is a malicious file.

Determining that the document file is malicious means determining that the file contains a vulnerability. Since that vulnerability does not exist in the vulnerability database, the vulnerability in the file to be detected is necessarily a 0day vulnerability.

405. Determine that the file to be detected is a normal file.
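A toy byte-stepping instruction virtual machine for figure 4 (steps 401 to 405), added here as an illustration; it is not the patent's implementation. It models only a handful of 32-bit x86 instructions, a simulated PEB and loader module list at constructed addresses, a stack pointer and a behaviour recorder; the heap and the file, process, registry and network API simulations of step 401 are omitted. RULE_BASE, the address layout and both sample documents are assumptions of this example.

```python
"""Added example: toy byte-stepping instruction VM with behaviour matching (figure 4).
Addresses, layout, rule base and sample documents are constructed."""
import struct

# Simulated process environment (constructed addresses; classic 32-bit layout offsets).
PEB_BASE, TEB_BASE = 0x7FFD4000, 0x7FFDE000
LDR_BASE = 0x00191E90
LIST_HEAD = LDR_BASE + 0x1C                        # PEB_LDR_DATA.InInitializationOrderModuleList
ENTRY_NTDLL, ENTRY_K32 = 0x00191F28, 0x00192000    # InInitializationOrderLinks of two entries
MODULE_BASE_FIELDS = {ENTRY_NTDLL + 8, ENTRY_K32 + 8}   # DllBase sits 8 bytes past those links


def build_memory():
    """Fresh simulated memory for one run: PEB -> Ldr -> module list -> DllBase."""
    return {PEB_BASE + 0x0C: LDR_BASE,
            LIST_HEAD: ENTRY_NTDLL, ENTRY_NTDLL: ENTRY_K32, ENTRY_K32: LIST_HEAD,
            ENTRY_NTDLL + 8: 0x77F10000, ENTRY_K32 + 8: 0x7C800000}


RULE_BASE = {   # predefined malicious-behaviour rule base (assumed content)
    "access_peb": "access process environment block",
    "access_teb": "access thread environment block",
    "resolve_module_base": "attempt to obtain a system function address via the loader list",
}
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]   # x86 encoding order


def read_dword(mem, addr, behaviours):
    """Simulated memory read; reading a DllBase field is itself a recorded behaviour."""
    if addr in MODULE_BASE_FIELDS:
        behaviours.add("resolve_module_base")
    return mem.get(addr & 0xFFFFFFFF, 0)       # unmapped memory reads as zero here


def run_from(code, start, mem, max_steps=64):
    """Interpret the modelled instruction subset starting at one byte offset."""
    regs = dict.fromkeys(REGS, 0)
    regs["esp"] = 0x0012FF00                   # simulated stack top
    behaviours, ip = set(), start
    for _ in range(max_steps):
        if not 0 <= ip < len(code):
            break
        op = code[ip]
        if op == 0x90:                                               # nop
            ip += 1
        elif op == 0xC3:                                             # ret ends this flow
            break
        elif op == 0xEB and ip + 1 < len(code):                      # jmp rel8
            ip += 2 + struct.unpack_from("<b", code, ip + 1)[0]
        elif op == 0x64 and code[ip + 1:ip + 2] == b"\xA1" and ip + 6 <= len(code):
            off = struct.unpack_from("<I", code, ip + 2)[0]          # mov eax, fs:[imm32]
            if off == 0x30:
                behaviours.add("access_peb"); regs["eax"] = PEB_BASE
            elif off == 0x18:
                behaviours.add("access_teb"); regs["eax"] = TEB_BASE
            else:
                regs["eax"] = 0
            ip += 6
        elif op in (0x31, 0x33) and ip + 1 < len(code) and code[ip + 1] >> 6 == 3:
            modrm = code[ip + 1]                                     # xor reg, reg
            regs[REGS[modrm & 7]] ^= regs[REGS[(modrm >> 3) & 7]]
            ip += 2
        elif op == 0x8B and ip + 1 < len(code):                      # mov r32, [reg(+disp8)]
            modrm = code[ip + 1]
            mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            if mod == 0 and rm not in (4, 5):
                addr, size = regs[REGS[rm]], 2
            elif mod == 1 and rm != 4 and ip + 2 < len(code):
                addr = regs[REGS[rm]] + struct.unpack_from("<b", code, ip + 2)[0]
                size = 3
            else:
                break                                                # SIB/disp32 not modelled
            regs[REGS[reg]] = read_dword(mem, addr, behaviours)
            ip += size
        elif op == 0xAD:                                             # lodsd: eax=[esi]; esi+=4
            regs["eax"] = read_dword(mem, regs["esi"], behaviours)
            regs["esi"] = (regs["esi"] + 4) & 0xFFFFFFFF
            ip += 1
        else:
            break                                                    # outside the subset
    return behaviours


def analyse_document(doc):
    """Steps 402-405: run from every byte offset, record, match the rule base, decide."""
    recorded = set()
    for start in range(len(doc)):
        recorded |= run_from(doc, start, build_memory())
    matched = {b: RULE_BASE[b] for b in sorted(recorded) if b in RULE_BASE}
    return ("malicious" if matched else "normal"), matched


# Constructed samples: the classic PEB walk to a module base, buried in document bytes.
SHELLCODE_STUB = bytes.fromhex(
    "64A130000000"   # mov eax, fs:[0x30]   ; PEB
    "8B400C"         # mov eax, [eax+0x0C]  ; PEB.Ldr
    "8B701C"         # mov esi, [eax+0x1C]  ; InInitializationOrderModuleList.Flink
    "AD"             # lodsd                ; second entry in the list
    "8B4008"         # mov eax, [eax+0x08]  ; DllBase
    "C3")            # ret
MALICIOUS_DOC = b"%PDF-1.4 constructed sample " + b"\x41" * 16 + SHELLCODE_STUB + b"\n%%EOF"
BENIGN_DOC = b"Quarterly report (constructed): revenue up 3%, see table 2.\n"

if __name__ == "__main__":
    print(analyse_document(MALICIOUS_DOC))
    print(analyse_document(BENIGN_DOC))
```

Starting a run at every offset, as step 402 prescribes, is what finds the stub here: at offset 0 the bytes are text and the flow stops at the first unmodelled opcode, while the run that begins on the 0x64 prefix walks PEB, Ldr and the module list and records two behaviours that the rule base matches. The max_steps bound is the check a practitioner adds so that a short backward jump in the bytes cannot hang the machine.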
The 0day detection method provided by this embodiment builds an instruction virtual machine, runs the document file in it byte by byte, and matches the recorded behaviour against the predefined malicious-behaviour rule base. Compared with the prior-art technique of brute-force searching memory for a segment of malicious signature code and reporting a 0day vulnerability when that signature is present, this embodiment matches automatically against the rule base and recognizes 0day vulnerabilities quickly, automatically and accurately.
In summary, implementing the embodiment first requires establishing the vulnerability basic database. The embodiment provides a method of establishing it. As shown in figure 5, the method includes:

501. Obtain the recognized vulnerabilities and their attribute information; the attribute information includes the vulnerability number, the type of file in which the vulnerability exists and the vulnerability detection logic.

The recognized vulnerabilities may be obtained automatically by the system according to a predefined algorithm, or from the experience accumulated by system administrators in their work; the embodiment does not restrict this.

502. Store the attribute information of each recognized vulnerability as one record in the database to establish the vulnerability basic database.

By continually storing recognized vulnerabilities in the vulnerability basic database, the embodiment keeps the vulnerability information in it up to date, so that matching against a file to be detected recognizes the type of vulnerability quickly, accurately and comprehensively.

Storing the attribute information of each recognized vulnerability as one record may be done by, but is not limited to, the following ways. For example, the information of manually recognized vulnerabilities may be stored as the vulnerability number, the file type in which the vulnerability exists and the detection logic. Alternatively, the attribute information of each recognized vulnerability may be stored as one record automatically. The embodiment does not restrict this, but it preferably uses automatic storage, whose advantage is that the attribute information of each recognized vulnerability is stored as one record accurately, quickly and exhaustively.

Further, when the file to be detected triggers a vulnerability in the vulnerability basic database, the vulnerability in the file is uniquely determined according to the detection logic. Because the vulnerability number and the detection logic provided by the present invention are unique and correspond one-to-one, the vulnerability type of the file to be detected can be detected accurately, so that the corresponding repair can be selected quickly and the security of the computer system is protected.
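Establishing the database of figure 5 (steps 501 and 502) and enforcing the one-to-one rule between vulnerability number and detection logic, as an added example using sqlite3; this is not the patent's own storage format. The schema, the textual representation of detection logic (a rule identifier that code would map to an executable predicate) and the records are constructed.

```python
"""Added example: establishing the vulnerability basic database with sqlite3.
Schema, logic strings and records are constructed placeholders."""
import sqlite3

SCHEMA = """
CREATE TABLE vuln_basic (
    number       TEXT PRIMARY KEY,      -- vulnerability number, unique
    file_type    TEXT NOT NULL,         -- type of file in which the vulnerability exists
    detect_logic TEXT NOT NULL UNIQUE   -- detection logic, one-to-one with the number
);
CREATE INDEX vuln_by_type ON vuln_basic (file_type);  -- step 202 traverses by file type
"""


def establish_database(records):
    """Step 502: store each recognised vulnerability's attributes as one record.
    Returns the connection and the numbers rejected by the uniqueness rule."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rejected = []
    for number, file_type, logic in records:
        try:
            with conn:   # each insert is its own transaction; a violation rolls it back
                conn.execute("INSERT INTO vuln_basic VALUES (?, ?, ?)",
                             (number, file_type, logic))
        except sqlite3.IntegrityError:
            rejected.append(number)
    return conn, rejected


def detection_logic_for(conn, file_type):
    """Step 202: (number, detection logic) for every record of one file type."""
    rows = conn.execute(
        "SELECT number, detect_logic FROM vuln_basic WHERE file_type = ? ORDER BY number",
        (file_type,))
    return list(rows)


# Constructed records; placeholder numbers and logic strings, not real vulnerabilities.
RECORDS = [
    ("KNOWN-001", "html", "object tag with classid attribute"),
    ("KNOWN-002", "html", "zero-height iframe"),
    ("KNOWN-003", "document", "pdf OpenAction running JavaScript"),
    ("KNOWN-004", "html", "object tag with classid attribute"),   # duplicate logic: rejected
    ("KNOWN-001", "document", "office macro autorun"),           # duplicate number: rejected
]

if __name__ == "__main__":
    db, bad = establish_database(RECORDS)
    print("rejected:", bad)
    print("html logic:", detection_logic_for(db, "html"))
```

The UNIQUE constraint on detect_logic is what turns the text's "unique and one-to-one" statement into something the database checks: a second record carrying the same detection logic under a new number would make step 203 unable to say which number it had found, so it is rejected at load time rather than discovered at detection time.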
Based on the method embodiments above, an embodiment of the present invention provides a device for recognizing 0day vulnerabilities. As shown in figure 6, the device includes:

a checking unit 61, configured to pass the file to be detected through the vulnerability basic database and check whether a vulnerability number is obtained; the vulnerability basic database is a known-vulnerability database in which every vulnerability record includes the type of file in which the vulnerability exists, the vulnerability number and the vulnerability detection logic, and the vulnerability number and the detection logic are unique and correspond one-to-one;

a first determining unit 62, configured to determine, when the checking unit 61 obtains no vulnerability number, whether the file to be detected is a malicious file according to the type of the file;

a second determining unit 63, configured to determine, when the first determining unit 62 determines that the file to be detected is a malicious file, that the vulnerability in the file is a 0day vulnerability.

Further, in passing the file to be detected through the vulnerability basic database, the checking unit 61 is configured to: obtain the type of the file to be detected; traverse the vulnerability basic database according to that type to obtain the detection logic corresponding to files of that type; and detect the file to be detected according to the obtained detection logic.

Further, as shown in figure 7, when the file to be detected is an html file, the first determining unit 62 includes:

a detection module 621, configured to detect whether malicious features exist in the html file;

a first determining module 622, configured to determine that the html file is a malicious file when the detection module 621 detects malicious features in it;

the first determining module 622 is further configured to determine that the html file is a normal file when the detection module 621 detects no malicious features in it.

Further, as shown in figure 8, when the file to be detected is a document file, the first determining unit 62 further includes:

a building module 623, configured to build the instruction virtual machine; the building module 623 builds the instruction virtual machine specifically by: setting up an instruction reading module that reads the document file byte by byte; setting up an interpretation module that interprets what the instruction reading module has read; and building a simulated environment for instruction execution, including the thread, process, stack, heap and related system data of the running instructions and simulations of the built-in system APIs, the simulated built-in system APIs including the file, process, registry and network APIs;

a running module 624, configured to run the document file byte by byte in the instruction virtual machine;

a recording module 625, configured to record the behaviour of the document file run;

a matching module 626, configured to match the recorded behaviour against the behaviour in the predefined malicious-behaviour rule base;

a second determining module 627, configured to determine that the file to be detected is a malicious file when the matching module 626 matches a corresponding behaviour;

the second determining module 627 is further configured to determine that the file to be detected is a normal file when the matching module 626 matches no corresponding behaviour.

Further, as shown in figure 9, the device for recognizing 0day vulnerabilities further includes:

an acquiring unit 64, configured to obtain, before the file to be detected is passed through the vulnerability basic database, the recognized vulnerabilities and their attribute information, the attribute information including the vulnerability number, the type of file in which the vulnerability exists and the vulnerability detection logic;

a database unit 65, configured to store the attribute information of each recognized vulnerability as one record in the database to establish the vulnerability basic database.

Further, as shown in figure 10, the device for recognizing 0day vulnerabilities further includes:

a third determining unit 66, configured to uniquely determine the vulnerability in the file to be detected when the checking unit 61 obtains a vulnerability number.
In this embodiment, 0day recognition is performed on the basis of the vulnerability basic database, which is a known-vulnerability database holding all existing known vulnerabilities, each paired with its own unique detection logic. The file to be detected is checked with that detection logic: a vulnerability detected this way is necessarily a known vulnerability, while a vulnerability found by the later analysis of a file that triggered nothing in the database is necessarily a 0day vulnerability. The whole process runs automatically according to a fixed flow, and is faster and more accurate than the manual 0day detection of the prior art.

In addition, the 0day detection method provided by this embodiment builds an instruction virtual machine, runs the document file in it byte by byte, and matches the recorded behaviour against the predefined malicious-behaviour rule base. Compared with the prior-art technique of brute-force searching memory for a segment of malicious signature code and reporting a 0day vulnerability when that signature is present, this embodiment matches automatically against the rule base and recognizes 0day vulnerabilities quickly, automatically and accurately.

This embodiment stores the attribute information of each recognized vulnerability automatically as one record in the database to establish the vulnerability basic database, whose advantage is that every record is stored accurately, quickly and exhaustively.

Further, the vulnerability number and the detection logic provided by the present invention are unique and correspond one-to-one, so the vulnerability type of the file to be detected can be detected accurately, the corresponding repair selected quickly, and the security of the computer system protected.
In the embodiments above, the description of each embodiment has its own emphasis; for a part not described in detail in one embodiment, reference may be made to the related description of the other embodiments.

It will be understood that related features in the method and the device above may refer to each other. In addition, "first", "second" and the like in the embodiments above serve to distinguish the embodiments and do not indicate the merits of any embodiment.

Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the method embodiments above, and are not repeated here.

The algorithms and displays provided here are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used together with the teaching herein. From the description above, the structure required to construct such a system is apparent. Furthermore, the present invention is not directed to any particular programming language. It will be understood that various programming languages may be used to implement the content of the invention described here, and the description given above of a specific language is given to disclose the best mode of the invention.

Numerous specific details are set forth in the specification provided here. It will be appreciated, however, that embodiments of the present invention may be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.

Similarly, it will be appreciated that, in order to simplify the disclosure and aid the understanding of one or more of the various inventive aspects, the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the description of exemplary embodiments above. However, this method of disclosure should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. Thus the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.

Those skilled in the art will appreciate that the modules in the equipment of an embodiment may be adaptively changed and arranged in one or more pieces of equipment different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or equipment so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.

Furthermore, those skilled in the art will appreciate that, although some embodiments described here include some features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.

The component embodiments of the present invention may be realized in hardware, in software modules running on one or more processors, or in a combination of the two. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to realize some or all of the functions of some or all of the components of the 0day vulnerability recognition method and device according to embodiments of the present invention. The present invention may also be implemented as equipment or device programs (for example, computer programs and computer program products) for performing some or all of the methods described here. Such programs realizing the present invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.

It should be noted that the embodiments above illustrate rather than limit the present invention, and those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" before an element does not exclude the presence of a plurality of such elements. The present invention may be realized by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order; these words may be interpreted as names.