CN104239801B - Method and device for identifying 0day vulnerabilities - Google Patents

Method and device for identifying 0day vulnerabilities

Info

Publication number
CN104239801B
Authority
CN (China)
Prior art keywords
file, vulnerability, detected, database, type
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201410510459.6A
Other languages
Chinese (zh)
Other versions
CN104239801A (en)
Inventors
唐海
陈卓
邢超
杨康
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
360 Digital Security Technology Group Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Events
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201410510459.6A
Publication of CN104239801A
Application granted
Publication of CN104239801B
Legal status: Active

Classifications (CPC; all under G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing)

    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
            • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
                • G06F21/577 Assessing vulnerabilities and evaluating computer system security
            • G06F21/55 Detecting local intrusion or implementing counter-measures
                • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
                    • G06F21/562 Static detection
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
            • G06F2221/034 Test or assess a computer or a system

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method and device for identifying 0day vulnerabilities, in the field of information security. Its main purpose is to detect 0day vulnerabilities quickly and accurately so as to protect the security of computer systems. The main technical scheme is: the file to be detected is run through a vulnerability base database, and it is checked whether a vulnerability number can be obtained; the vulnerability base database is a known-vulnerability database in which every vulnerability entry includes the type of the file in which the vulnerability exists, the vulnerability number and the vulnerability detection logic, and vulnerability numbers and detection logic are unique and in one-to-one correspondence; if no vulnerability number is obtained, whether the file to be detected is a malicious file is determined according to the type of the file; if the file to be detected is determined to be a malicious file, the vulnerability in it is determined to be a 0day vulnerability. During the identification of 0day vulnerabilities.

Description

Method and device for identifying 0day vulnerabilities
Technical field
The present invention relates to the field of information security, and in particular to a method and device for identifying 0day vulnerabilities.
Background technology
With the continuing development of social informatization, vulnerabilities in cyberspace are also continuously increasing. When a vulnerability is found, it needs to be repaired in time by the associated patch. A vulnerability that has been found and for which a repairing patch has been issued is referred to as a known vulnerability; a vulnerability that has been found but for which no associated patch has yet been provided is referred to as a 0day vulnerability. Because 0day vulnerabilities are not repaired in time, an attacker can obtain additional rights on a computer system through them, gaining unauthorized access to or destroying the system, and so endangering its security.
Current 0day vulnerability detection methods essentially rely on human judgment. Such judgment cannot detect 0day vulnerabilities quickly and accurately, and manual matching also raises the error rate for 0day vulnerabilities, so that the security of the computer system is threatened.
Summary of the invention
In view of this, embodiments of the present invention provide a method and device for identifying 0day vulnerabilities, whose main purpose is to detect 0day vulnerabilities quickly and accurately so as to protect the security of computer systems.
According to one aspect of the invention, a method for identifying 0day vulnerabilities is provided, including:
running the file to be detected through a vulnerability base database and checking whether a vulnerability number can be obtained; the vulnerability base database is a known-vulnerability database in which every vulnerability entry includes the type of the file in which the vulnerability exists, the vulnerability number and the vulnerability detection logic, and vulnerability numbers and detection logic are unique and in one-to-one correspondence;
if no vulnerability number is obtained, determining whether the file to be detected is a malicious file according to the type of the file to be detected;
if the file to be detected is determined to be a malicious file, determining that the vulnerability in the file to be detected is a 0day vulnerability.
According to another aspect of the invention, a device for identifying 0day vulnerabilities is provided, including:
a checking unit, for running the file to be detected through the vulnerability base database and checking whether a vulnerability number can be obtained; the vulnerability base database is a known-vulnerability database in which every vulnerability entry includes the type of the file in which the vulnerability exists, the vulnerability number and the vulnerability detection logic, and vulnerability numbers and detection logic are unique and in one-to-one correspondence;
a first determining unit, for determining, when the checking unit does not obtain a vulnerability number, whether the file to be detected is a malicious file according to its type;
a second determining unit, for determining, when the first determining unit determines that the file to be detected is a malicious file, that the vulnerability in the file to be detected is a 0day vulnerability.
With the method and device for identifying 0day vulnerabilities provided by the above technical scheme, identification is carried out on the basis of a vulnerability base database. That database is a known-vulnerability database which stores all currently known vulnerabilities, and each entry in it corresponds to a unique detection logic. The file to be detected is checked with the detection logic in the database: if a vulnerability is detected, it must be a known vulnerability; if no vulnerability is detected but later analysis finds one, the vulnerability found later must be a 0day vulnerability. The whole process runs automatically according to a fixed flow, which is fast and accurate compared with the manual detection of 0day vulnerabilities in the prior art.
The above is only an overview of the technical scheme of the present invention. In order that the technical means of the present invention may be better understood and practiced according to the content of the specification, and that the above and other objects, features and advantages of the present invention may become more apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the detailed description of the preferred embodiments below. The drawings serve only to illustrate the preferred embodiments and are not to be regarded as limiting the invention. Throughout the drawings, identical parts are denoted by the same reference numerals. In the drawings:
Fig. 1 shows a flow chart of a method for identifying 0day vulnerabilities provided by an embodiment of the present invention;
Fig. 2 shows a flow chart of running a file to be detected through the vulnerability base database, provided by an embodiment of the present invention;
Fig. 3 shows a flow chart of a method for identifying a malicious file when the file type is HTML, provided by an embodiment of the present invention;
Fig. 4 shows a flow chart of a method for identifying a malicious file when the file type is a document file, provided by an embodiment of the present invention;
Fig. 5 shows a flow chart of a method for building the vulnerability base database, provided by an embodiment of the present invention;
Fig. 6 shows a block diagram of a device for identifying 0day vulnerabilities provided by an embodiment of the present invention;
Fig. 7 shows a block diagram of another device for identifying 0day vulnerabilities provided by an embodiment of the present invention;
Fig. 8 shows a block diagram of another device for identifying 0day vulnerabilities provided by an embodiment of the present invention;
Fig. 9 shows a block diagram of another device for identifying 0day vulnerabilities provided by an embodiment of the present invention;
Fig. 10 shows a block diagram of another device for identifying 0day vulnerabilities provided by an embodiment of the present invention.
Detailed description
Exemplary embodiments of the disclosure are described more fully below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and its scope conveyed completely to those skilled in the art.
An embodiment of the present invention provides a method for identifying 0day vulnerabilities which, as shown in Fig. 1, includes:
101. Run the file to be detected through the vulnerability base database and check whether a vulnerability number can be obtained. The vulnerability base database is a known-vulnerability database in which every vulnerability entry includes the type of the file in which the vulnerability exists, the vulnerability number and the vulnerability detection logic; vulnerability numbers and detection logic are unique and in one-to-one correspondence.
The vulnerability base database is set up from experience and records the information of all known vulnerabilities. The vulnerability number is the number assigned when the database is built and uniquely identifies a vulnerability; the vulnerability detection logic is the method for detecting and triggering the threat posed by the vulnerability.
When the file to be detected is matched against the vulnerabilities in the database, its type is obtained first, the detection logic corresponding to that type is obtained, and the file is checked with it. If the file triggers a vulnerability in the database, the vulnerability number is obtained from the detection logic, which shows that the vulnerability in the file is of a known kind. If the file cannot trigger any vulnerability in the database, it may be a normal file or it may still contain a vulnerability, so further detection of the file is needed.
102. If no vulnerability number is obtained, determine whether the file to be detected is a malicious file according to its type.
A given type of file often contains many kinds of vulnerability, but a given kind of vulnerability usually exists only in one type of file, and the method of analyzing whether a vulnerability exists differs by file type. Therefore, when the file to be detected cannot trigger any vulnerability in the vulnerability base database, whether it is a malicious file can be determined according to its type.
103. If the file to be detected is determined to be a malicious file, determine that the vulnerability in it is a 0day vulnerability.
In this embodiment, 0day vulnerabilities are identified on the basis of the vulnerability base database, which is a known-vulnerability database storing all currently known vulnerabilities, each entry of which corresponds to a unique detection logic. The file to be detected is checked with the detection logic in the database: if a vulnerability is detected, it must be a known vulnerability; if none is detected but later analysis finds one, the vulnerability found later must be a 0day vulnerability. The whole process runs automatically according to a fixed flow and is fast and accurate compared with the manual detection of 0day vulnerabilities in the prior art.
Further, when step 101 runs the file to be detected through the vulnerability base database, the embodiment may use, but is not limited to, the following method, which as shown in Fig. 2 includes:
201. Obtain the type of the file to be detected.
In this embodiment, when a discovered vulnerability is identified and stored, the type of the file in which the vulnerability exists is identified and stored together with it, which makes subsequent vulnerability queries easier. Therefore, when detecting whether a vulnerability exists in a file, the type of the file is obtained first, and the other relevant information is then obtained on the basis of that type.
The type of the file to be detected may be obtained, for example but not only, from the suffix of its filename. Alternatively, a file type identification tool may identify the type from characteristic values of the file. Of course, any method capable of obtaining the file type may be used; the embodiment does not limit this, and it can be set according to the user's needs.
202. Traverse the vulnerability base database according to the type of the file to be detected and obtain the vulnerability detection logic corresponding to that file type.
When the file to be detected is checked, its type is obtained first, and the vulnerability base database is traversed according to that type to obtain the detection logic corresponding to the file type. The vulnerability base database covers different types of file, a given type of file covers different kinds of vulnerability information, and every vulnerability entry is uniquely determined. For example, when the type of the file to be detected is HTML, the database is traversed to obtain all vulnerability entries whose file type is HTML, and the detection logic of all those entries is obtained.
203. Detect the file to be detected according to the obtained vulnerability detection logic.
The vulnerability detection logic is the method for detecting and triggering the threat posed by a vulnerability; each kind of vulnerability has a unique method that can trigger its threat. The file is checked according to this logic to determine whether it can trigger the threat; if it can, the vulnerability number corresponding to that detection logic is determined, and thus the kind of vulnerability in the file is identified from the detection logic.
Further, if after running the file through the vulnerability base database no corresponding vulnerability was triggered, no known vulnerability exists in the file, but whether it is a normal file or a file containing a vulnerability cannot yet be determined; it is necessary to determine whether the file is malicious according to its type. As stated above, the method of determining whether a file is malicious differs by file type, and this is described in detail below.
When the type of the file to be detected is an HTML file, the embodiment provides a method for identifying a malicious file which, as shown in Fig. 3, includes:
301. Detect whether a malicious feature exists in the HTML file; if a malicious feature exists, perform 302; if not, perform 303.
To detect whether an HTML file is malicious, first detect whether malicious features exist in it. The malicious features may include, but are not limited to, stack overflow and exceptions, and may also include heap spraying. Of course, any kind of malicious feature may be included; the embodiment does not limit this.
302. Determine that the HTML file is a malicious file.
Determining that the HTML file is malicious means determining that the file contains a vulnerability. Since that vulnerability does not exist in the vulnerability database, the vulnerability in the file must be a 0day vulnerability.
303. Determine that the HTML file is a normal file.
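As an added worked example (not code from the patent or its assignee), the following Python shows the flow of steps 101-103, 201-203 and 301-303 on constructed inputs. The record layout is the one the description gives (vulnerability number, file type, detection logic, with numbers and logic in one-to-one correspondence). Everything else is an assumption made for the example: the numbers "KB-0001" and "KB-0002", the signature strings, the suffix-to-type table, and the two HTML heuristics (a `%u` escape repeated many times as a heap-spray indicator, an overlong string literal as an overflow indicator). The document-file check is passed in by the caller, since the description realizes it separately with an instruction virtual machine.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

DetectLogic = Callable[[bytes], bool]


@dataclass(frozen=True)
class VulnRecord:
    """One entry of the vulnerability base database, laid out as the description gives it."""
    vuln_id: str         # vulnerability number, unique within the database
    file_type: str       # type of the file the vulnerability lives in
    detect: DetectLogic  # vulnerability detection logic, exactly one per number


class KnownVulnDB:
    """Known-vulnerability database: number <-> detection logic is one-to-one."""

    def __init__(self) -> None:
        self._by_type: Dict[str, List[VulnRecord]] = {}
        self._ids: Set[str] = set()
        self._logics: Set[DetectLogic] = set()

    def add(self, rec: VulnRecord) -> bool:
        """Store a record; refuse one that would break the one-to-one mapping."""
        if rec.vuln_id in self._ids or rec.detect in self._logics:
            return False
        self._ids.add(rec.vuln_id)
        self._logics.add(rec.detect)
        self._by_type.setdefault(rec.file_type, []).append(rec)
        return True

    def match(self, file_type: str, data: bytes) -> Optional[str]:
        """Steps 202-203: try every logic registered for this file type;
        return the number of the first one that fires, else None."""
        for rec in self._by_type.get(file_type, []):
            if rec.detect(data):
                return rec.vuln_id
        return None


def file_type_of(name: str) -> str:
    """Step 201: derive the type from the filename suffix (the description's first option).
    The alias table is an assumption of this example."""
    suffix = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    aliases = {"htm": "html", "html": "html",
               "doc": "document", "docx": "document", "pdf": "document"}
    return aliases.get(suffix, suffix)


# Step 301: assumed heuristics for the malicious features the description names.
_HEAP_SPRAY = re.compile(rb"(%u[0-9a-fA-F]{4})\1{7,}")  # one escape repeated 8+ times
_OVERLONG = re.compile(rb'"[^"\n]{2048,}"')             # string literal long enough to suggest an overflow attempt


def html_has_malicious_feature(data: bytes) -> bool:
    return bool(_HEAP_SPRAY.search(data) or _OVERLONG.search(data))


def classify(db: KnownVulnDB, name: str, data: bytes,
             document_check: DetectLogic) -> Tuple[str, Optional[str]]:
    """Steps 101-103. Returns ("known", number), ("0day", None) or ("benign", None)."""
    ftype = file_type_of(name)
    vuln_id = db.match(ftype, data)                       # step 101
    if vuln_id is not None:
        return "known", vuln_id
    if ftype == "html":                                   # step 102, per file type
        malicious = html_has_malicious_feature(data)      # steps 301-303
    elif ftype == "document":
        malicious = document_check(data)                  # steps 401-405, supplied by the caller
    else:
        malicious = False
    return ("0day", None) if malicious else ("benign", None)   # step 103


def build_sample_db() -> KnownVulnDB:
    """Constructed records; the numbers and signatures are made up for this example."""
    db = KnownVulnDB()
    db.add(VulnRecord("KB-0001", "html", lambda d: b"ExampleCtl.BadMethod(" in d))
    db.add(VulnRecord("KB-0002", "document", lambda d: d.startswith(b"%EXAMPLE-MAGIC")))
    return db


if __name__ == "__main__":
    sample_db = build_sample_db()
    never = lambda d: False
    print(classify(sample_db, "a.html", b"<script>ExampleCtl.BadMethod(1)</script>", never))
    print(classify(sample_db, "b.htm", b"unescape('" + b"%u4141" * 8 + b"')", never))
    print(classify(sample_db, "c.html", b"<p>hello</p>", never))
```

The `add` method is where the description's one-to-one constraint is enforced: a second record with an existing number, or an existing detection logic under a new number, is rejected, so a number obtained in step 101 always identifies exactly one vulnerability and one repair.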
When the type of the file to be detected is a document file, the embodiment provides a method for identifying a malicious file which, as shown in Fig. 4, includes:
401. Build an instruction virtual machine.
In this embodiment, if a document file filtered through the vulnerability base database does not return the vulnerability number of any existing vulnerability in the database, the document file must additionally be detected by running it, to determine whether malicious behavior exists. This is realized by building an instruction virtual machine and running the document file on it. The instruction virtual machine may be built by, but not limited to, the following method:
1) Set up an instruction reading module for reading the document file byte by byte;
2) Set up an interpretation module for interpreting the document file read by the instruction reading module;
3) Build a simulated environment for instruction execution, including the threads, processes, stack, heap and coefficient data of instruction execution, and built-in system API simulations; the built-in system API simulations include file, process, registry and network APIs.
402. Run the document file byte by byte in the instruction virtual machine and record the behavior of the document file as it runs.
To ensure that no malicious instruction in the document file is missed, when the document file is run on the instruction virtual machine it is read into the virtual machine byte by byte and the instructions are run. For example, if the document's instructions span offsets 0 to 100, the first reading starts at 0 and the content read is identified; the second reading starts at 1, and so on, which ensures that any combination of instructions is run.
403. Match the recorded behavior against the behaviors in a predefined malicious-behavior rule base; if a corresponding behavior is matched, perform 404; if not, perform 405.
The malicious-behavior rule base is set up from experience. The malicious-behavior rules include: downloading a file, accessing the thread environment block and process context block, attempting to load a dynamic library, and attempting to obtain system function addresses. In practice the rule base may contain not only the above malicious behaviors but any malicious behavior known in the prior art; the embodiment does not limit this.
404. Determine that the file to be detected is a malicious file.
Determining that the document file is malicious means determining that it contains a vulnerability. Since that vulnerability does not exist in the vulnerability database, the vulnerability in the file must be a 0day vulnerability.
405. Determine that the file to be detected is a normal file.
The method of detecting 0day vulnerabilities provided by this embodiment builds an instruction virtual machine, runs the document file in it byte by byte, and matches the recorded behavior against the behaviors in a predefined malicious-behavior rule base. Compared with the prior-art approach of brute-force searching memory for a section of malicious signature code and treating its presence as a 0day vulnerability, this embodiment matches automatically against the malicious-behavior rule base and thus identifies 0day vulnerabilities quickly, automatically and accurately.
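Steps 401-405, as an added example that is not part of the patent: a miniature instruction virtual machine in Python with a constructed two-byte toy instruction set, a simulated stack, heap and system-API layer that only records calls, the run-from-every-offset loop of step 402 and the rule-base match of step 403. The opcode table, the behavior names and the two sample byte strings are all constructed for the example; real document formats and real system APIs are not modelled. The second sample shows why the every-offset loop matters: decoded from offset 0 it contains no API calls, decoded from offset 1 it does.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Rule base of step 403 (the behaviors the description lists), as behavior names.
MALICIOUS_BEHAVIOUR_RULES: Set[str] = {
    "download_file", "access_teb_peb", "load_library", "resolve_function",
}

# Constructed toy instruction set for this example: every instruction is an opcode byte
# followed by one operand byte. Opcodes 0x01-0x04 are simulated system API calls;
# 0x05/0x06 touch the simulated stack and heap; any other byte is treated as data.
TOY_OPCODES: Dict[int, str] = {
    0x01: "download_file", 0x02: "access_teb_peb",
    0x03: "load_library", 0x04: "resolve_function",
    0x05: "push", 0x06: "alloc",
}


@dataclass
class SimEnv:
    """Simulated environment of step 401: stack, heap and the behavior log of step 402."""
    stack: List[int] = field(default_factory=list)
    heap: List[bytes] = field(default_factory=list)
    behaviours: List[str] = field(default_factory=list)

    def simulated_api(self, name: str, operand: int) -> None:
        # A real implementation would emulate the call; here the call is only recorded.
        self.behaviours.append(name)


def run_from(data: bytes, start: int, env: SimEnv, max_steps: int = 10_000) -> None:
    """Interpret `data` as instructions beginning at byte offset `start`."""
    pc, steps = start, 0
    while pc + 1 < len(data) and steps < max_steps:
        opcode, operand = data[pc], data[pc + 1]
        name = TOY_OPCODES.get(opcode)
        if name == "push":
            env.stack.append(operand)
        elif name == "alloc":
            env.heap.append(bytes(operand))      # operand = number of zero bytes to reserve
        elif name is not None:
            env.simulated_api(name, operand)
        # unknown opcode: a data byte, skipped together with its operand
        pc += 2
        steps += 1


def run_all_offsets(data: bytes) -> SimEnv:
    """Step 402: run the file once from every byte offset, so that instructions hidden
    by misalignment are still executed, and collect one behavior log for all runs."""
    env = SimEnv()
    for start in range(len(data)):
        run_from(data, start, env)
    return env


def matched_rules(env: SimEnv, rules: Set[str] = MALICIOUS_BEHAVIOUR_RULES) -> Set[str]:
    """Step 403: intersect the recorded behaviors with the rule base."""
    return set(env.behaviours) & rules


def is_malicious_document(data: bytes) -> bool:
    """Steps 404/405: any match means malicious, hence a 0day under the description's reasoning."""
    return bool(matched_rules(run_all_offsets(data)))


# Constructed samples (not real document formats).
BENIGN_DOC = bytes([0x05, 0x10, 0x06, 0x08, 0x05, 0x20])   # push/alloc only, from any offset
MISALIGNED_DOC = bytes([0x00, 0x01, 0x20, 0x04, 0x30])     # API calls only visible from offset 1

if __name__ == "__main__":
    print("benign:", is_malicious_document(BENIGN_DOC))
    print("misaligned:", is_malicious_document(MISALIGNED_DOC),
          matched_rules(run_all_offsets(MISALIGNED_DOC)))
```

Running `run_from(MISALIGNED_DOC, 0, SimEnv())` alone records nothing, because the leading data byte shifts every opcode into an operand position; `run_all_offsets` recovers the `download_file` and `resolve_function` behaviors from offsets 1 and 3, which is the effect the description's "first reading from 0, second reading from 1" procedure is after. The `max_steps` bound is an assumption of the example, added so that a long input cannot run unbounded.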
In summary, implementing the embodiment first requires building the vulnerability base database. The embodiment provides a method for building it which, as shown in Fig. 5, includes:
501. Obtain identified vulnerabilities and their attribute information; the attribute information includes the vulnerability number, the type of file in which the vulnerability exists and the vulnerability detection logic.
The identified vulnerabilities may be obtained automatically by the system according to a predefined algorithm, or from the experience accumulated by a maintainer during work; the embodiment does not limit this.
502. Store the attribute information of each identified vulnerability in the database as one record to build the vulnerability base database.
By continually storing identified vulnerabilities in the vulnerability base database, the embodiment keeps the vulnerability information in the base database continuously updated, so that when the file to be detected is matched against it, the kind of vulnerability can be identified quickly, accurately and comprehensively.
Storing the attribute information of each identified vulnerability as one record may be realized by, but not limited to, the following. The manually identified vulnerability information may be stored by vulnerability number, file type and detection logic respectively; or the attribute information of each identified vulnerability may be stored as one record in the database automatically. The embodiment does not limit this. The embodiment preferably uses automatic storage, whose advantage is that the attribute information of every identified vulnerability can be stored accurately, quickly and completely as one record in the database.
Further, when the file to be detected triggers a vulnerability in the vulnerability base database, the vulnerability in the file is uniquely determined according to the detection logic. Because the vulnerability numbers and detection logic provided by the invention are unique and in one-to-one correspondence, the kind of vulnerability in the file can be detected accurately, so the corresponding repair can be chosen quickly and the security of the computer system protected.
Based on the above method embodiment, an embodiment of the present invention provides a device for identifying 0day vulnerabilities which, as shown in Fig. 6, includes:
a checking unit 61, for running the file to be detected through the vulnerability base database and checking whether a vulnerability number can be obtained; the vulnerability base database is a known-vulnerability database in which every vulnerability entry includes the type of the file in which the vulnerability exists, the vulnerability number and the vulnerability detection logic, and vulnerability numbers and detection logic are unique and in one-to-one correspondence;
a first determining unit 62, for determining, when the checking unit 61 does not obtain a vulnerability number, whether the file to be detected is a malicious file according to its type;
a second determining unit 63, for determining, when the first determining unit 62 determines that the file to be detected is a malicious file, that the vulnerability in the file is a 0day vulnerability.
Further, in running the file to be detected through the vulnerability base database, the checking unit 61 is used for:
obtaining the type of the file to be detected; traversing the vulnerability base database according to that type to obtain the vulnerability detection logic corresponding to the file type; and detecting the file according to the obtained detection logic.
Further, as shown in Fig. 7, when the file to be detected is an HTML file, the first determining unit 62 includes:
a detection module 621, for detecting whether a malicious feature exists in the HTML file;
a first determining module 622, for determining that the HTML file is a malicious file when the detection module 621 detects that a malicious feature exists in it;
the first determining module 622 is further used for determining that the HTML file is a normal file when the detection module 621 detects that no malicious feature exists in it.
Further, as shown in Fig. 8, when the file to be detected is a document file, the first determining unit 62 further includes:
a building module 623, for building the instruction virtual machine; the building module 623 builds the instruction virtual machine specifically by: setting up an instruction reading module for reading the document file byte by byte; setting up an interpretation module for interpreting the document file read by the instruction reading module; and building a simulated environment for instruction execution, including the threads, processes, stack, heap and coefficient data of instruction execution and built-in system API simulations, where the built-in system API simulations include file, process, registry and network APIs;
a running module 624, for running the document file byte by byte in the instruction virtual machine;
a logging module 625, for recording the behavior of the document file as it runs;
a matching module 626, for matching the recorded behavior against the behaviors in the predefined malicious-behavior rule base;
a second determining module 627, for determining that the file to be detected is a malicious file when the matching module 626 matches a corresponding behavior;
the second determining module 627 is further used for determining that the file to be detected is a normal file when the matching module 626 does not match a corresponding behavior.
Further, as shown in Fig. 9, the device for identifying 0day vulnerabilities also includes:
an acquiring unit 64, for obtaining, before the file to be detected is run through the vulnerability base database, identified vulnerabilities and their attribute information, the attribute information including the vulnerability number, the type of file in which the vulnerability exists and the vulnerability detection logic;
a database unit 65, for storing the attribute information of each identified vulnerability in the database as one record to build the vulnerability base database.
Further, as shown in Fig. 10, the device for identifying 0day vulnerabilities also includes:
a third determining unit 66, for uniquely determining the vulnerability in the file to be detected when the checking unit 61 obtains a vulnerability number.
In this embodiment, 0day vulnerabilities are identified on the basis of the vulnerability base database, which is a known-vulnerability database storing all currently known vulnerabilities, each entry of which corresponds to a unique detection logic. The file to be detected is checked with the detection logic in the database: if a vulnerability is detected, it must be a known vulnerability; if none is detected but later analysis finds one, the vulnerability found later must be a 0day vulnerability. The whole process runs automatically according to a fixed flow and is fast and accurate compared with the manual detection of 0day vulnerabilities in the prior art.
In addition, the method of detecting 0day vulnerabilities provided by this embodiment builds an instruction virtual machine, runs the document file in it byte by byte, and matches the recorded behavior against the behaviors in a predefined malicious-behavior rule base. Compared with the prior-art approach of brute-force searching memory for a section of malicious signature code and treating its presence as a 0day vulnerability, this embodiment matches automatically against the malicious-behavior rule base and thus identifies 0day vulnerabilities quickly, automatically and accurately.
The embodiment stores the attribute information of each identified vulnerability as one record in the database automatically to build the vulnerability base database; the advantage of this is that the attribute information of every identified vulnerability can be stored accurately, quickly and completely as one record.
Further, the vulnerability numbers and detection logic provided by the invention are unique and in one-to-one correspondence, so the kind of vulnerability in the file to be detected can be detected accurately, the corresponding repair can be chosen quickly, and the security of the computer system is protected.
In the above embodiments, each embodiment emphasizes different aspects; for parts not described in detail in one embodiment, reference may be made to the related description of the other embodiments.
It will be understood that the related features of the above method and device may be referred to each other. In addition, "first", "second" and so on in the above embodiments are used to distinguish the embodiments and do not represent the merits of any embodiment.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may be referred to the corresponding processes in the foregoing method embodiments and will not be repeated here.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used together with the teaching herein. From the above description, the structure required to construct such systems is obvious. Moreover, the present invention is not directed to any particular programming language. It will be understood that various programming languages can be used to implement the content of the invention described herein, and the above description of a specific language is given to disclose the best mode of the invention.
The specification provided here sets forth numerous specific details. It will be appreciated, however, that embodiments of the present invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be appreciated that, in order to simplify the disclosure and help understand one or more of the inventive aspects, in the above description of exemplary embodiments of the invention, features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, the disclosed method should not be construed as reflecting the intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in fewer than all features of a single embodiment disclosed above. Thus the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the equipment of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components in an embodiment may be combined into one module, unit or component, and may also be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include some but not other features included in other embodiments, combinations of features of different embodiments are intended to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components in the 0day-vulnerability recognition method and device according to embodiments of the invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program and computer program product) for performing some or all of the method described here. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs between brackets shall not be construed as limiting the claims. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" before an element does not exclude the presence of multiple such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order; these words may be interpreted as names.

Claims (12)

1. A method for recognizing 0day vulnerabilities, characterized by comprising:
running the file to be detected through a vulnerability base database and checking whether a vulnerability number can be obtained; the vulnerability base database is a known-vulnerability database, each vulnerability record in the database includes the file type of the file in which the vulnerability resides, a vulnerability number and vulnerability detection logic, and the vulnerability number and the vulnerability detection logic are unique and in one-to-one correspondence;
if no vulnerability number is obtained, determining whether the file to be detected is a malicious file according to the type of the file to be detected, the file to be detected being an html file or a document file;
if the file to be detected is determined to be a malicious file, determining that the vulnerability in the file to be detected is a 0day vulnerability;
when the file to be detected is a document file, determining whether the file to be detected is a malicious file according to the type of the file to be detected comprises: building an instruction virtual machine; running the document file byte by byte in the instruction virtual machine and recording the behavior of running the document file; matching the recorded behavior against the behavior in a predefined malicious-behavior rule base; if a corresponding behavior is matched, determining that the file to be detected is a malicious file; if no corresponding behavior is matched, determining that the file to be detected is a normal file.
2. The method according to claim 1, characterized in that running the file to be detected through the vulnerability base database comprises:
obtaining the type of the file to be detected;
traversing the vulnerability base database according to the type of the file to be detected to obtain the vulnerability detection logic corresponding to that file type;
detecting the file to be detected according to the obtained vulnerability detection logic.
3. The method according to claim 1, characterized in that when the file to be detected is an html file, determining whether the file to be detected is a malicious file according to the type of the file to be detected comprises:
detecting whether a malicious feature exists in the html file;
if a malicious feature exists, determining that the html file is a malicious file;
if no malicious feature exists, determining that the html file is a normal file.
4. The method according to claim 1, characterized in that building the instruction virtual machine comprises:
providing an instruction reading module for reading the document file byte by byte;
providing an explanation module for interpreting the document file read by the instruction reading module;
building a simulated environment for instruction execution, the simulated environment including threads, processes, a stack, a heap, the coefficient data of instruction execution and built-in system API simulations; the built-in system API simulations include file, process, registry and network APIs.
5. The method according to any one of claims 1-4, characterized in that, before running the file to be detected through the vulnerability base database, the method further comprises:
obtaining a recognized vulnerability and the attribute information of the vulnerability, the attribute information including the vulnerability number, the file type in which the vulnerability exists and the vulnerability detection logic;
storing the attribute information of each recognized vulnerability in the database as one record to build the vulnerability base database.
6. The method according to claim 1, characterized by further comprising:
if a vulnerability number is obtained, uniquely determining the vulnerability in the file to be detected.
7. A device for recognizing 0day vulnerabilities, characterized by comprising:
a checking unit, for running the file to be detected through a vulnerability base database and checking whether a vulnerability number can be obtained; the vulnerability base database is a known-vulnerability database, each vulnerability record in the database includes the file type of the file in which the vulnerability resides, a vulnerability number and vulnerability detection logic, and the vulnerability number and the vulnerability detection logic are unique and in one-to-one correspondence;
a first determining unit, for determining, when the checking unit obtains no vulnerability number, whether the file to be detected is a malicious file according to the type of the file to be detected, the file to be detected being an html file or a document file;
a second determining unit, for determining that the vulnerability in the file to be detected is a 0day vulnerability when the first determining unit determines that the file to be detected is a malicious file;
when the file to be detected is a document file, the first determining unit comprises: a building module, for building an instruction virtual machine; a running module, for running the document file byte by byte in the instruction virtual machine; a recording module, for recording the behavior of running the document file; a matching module, for matching the recorded behavior against the behavior in a predefined malicious-behavior rule base; and a second determining module, for determining that the file to be detected is a malicious file when the matching module matches a corresponding behavior; the second determining module is further used for determining that the file to be detected is a normal file when the matching module matches no corresponding behavior.
8. The device according to claim 7, characterized in that the checking unit running the file to be detected through the vulnerability base database comprises:
obtaining the type of the file to be detected;
traversing the vulnerability base database according to the type of the file to be detected to obtain the vulnerability detection logic corresponding to that file type;
detecting the file to be detected according to the obtained vulnerability detection logic.
9. The device according to claim 7, characterized in that when the file to be detected is an html file, the first determining unit comprises:
a detection module, for detecting whether a malicious feature exists in the html file;
a first determining module, for determining that the html file is a malicious file when the detection module detects that a malicious feature exists in the html file;
the first determining module is further used for determining that the html file is a normal file when the detection module detects that no malicious feature exists in the html file.
10. The device according to claim 7, characterized in that the building module is used for:
providing an instruction reading module for reading the document file byte by byte;
providing an explanation module for interpreting the document file read by the instruction reading module;
building a simulated environment for instruction execution, the simulated environment including threads, processes, a stack, a heap, the coefficient data of instruction execution and built-in system API simulations; the built-in system API simulations include file, process, registry and network APIs.
11. The device according to any one of claims 7-10, characterized by further comprising:
an acquiring unit, for obtaining, before the file to be detected is run through the vulnerability base database, a recognized vulnerability and the attribute information of the vulnerability, the attribute information including the vulnerability number, the file type in which the vulnerability exists and the vulnerability detection logic;
a database unit, for storing the attribute information of each recognized vulnerability in the database as one record to build the vulnerability base database.
12. The device according to claim 7, characterized by further comprising:
a third determining unit, for uniquely determining the vulnerability in the file to be detected when the checking unit obtains a vulnerability number.
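The recognition flow of claims 1 to 6 (database check first, then a type-specific malicious-file determination, with the document branch run byte by byte in a simulated instruction virtual machine as in claim 4) and the advantages described in the preceding paragraphs, as an added Python example. This is not code from the patent or from its assignee. The record layout, the toy one-byte instruction set of the constructed "TDOC" document format, the placeholder byte markers used as detection logic and malicious features, the two-rule behavior rule base and all sample files are constructed assumptions for illustration only; a production vulnerability database and rule base are far richer, and a real instruction virtual machine interprets the document format itself rather than a toy opcode table.

```python
"""Toy model of the recognition flow in claims 1-6: vulnerability base database
first, then a type-specific malicious-file check, with the document branch run
byte by byte in a simulated instruction VM. Added example; every format,
opcode, marker, rule and sample file below is constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class VulnRecord:
    """One record per recognized vulnerability (claim 5)."""
    file_type: str                    # file type the vulnerability lives in
    vuln_number: str                  # unique vulnerability number
    detect: Callable[[bytes], bool]   # detection logic, one-to-one with vuln_number


# Vulnerability base database; the byte markers are constructed placeholders.
VULN_DB = [
    VulnRecord("html", "VULN-HTML-0001", lambda b: b"<!--KNOWN-HTML-BUG-1-->" in b),
    VulnRecord("doc", "VULN-DOC-0001", lambda b: b"KNOWN-DOC-BUG-1" in b),
]
# Malicious features for html files (claim 3), constructed placeholders.
HTML_MALICIOUS_FEATURES = [b"<!--MALICIOUS-FEATURE-A-->", b"<!--MALICIOUS-FEATURE-B-->"]
# Predefined malicious-behavior rule base (claim 1): ordered behavior subsequences.
MALICIOUS_BEHAVIOR_RULES = {
    "drop-and-execute": ["file", "process"],
    "persist-and-beacon": ["registry", "network"],
}
# Toy one-byte instruction set of the constructed "TDOC" format: each opcode
# calls one built-in API simulation; any other byte value is data and is skipped.
OPCODES = {0x01: "file", 0x02: "process", 0x03: "registry", 0x04: "network"}


def lookup_known_vuln(file_type: str, data: bytes) -> Optional[str]:
    """Claim 2: traverse the records for this file type, run each detection
    logic and return the vulnerability number of the first hit, else None."""
    for rec in VULN_DB:
        if rec.file_type == file_type and rec.detect(data):
            return rec.vuln_number
    return None


def html_is_malicious(data: bytes) -> bool:
    """Claim 3: an html file is malicious if any malicious feature is present."""
    return any(feature in data for feature in HTML_MALICIOUS_FEATURES)


class SimulatedEnvironment:
    """Claim 4: simulated stack and heap plus built-in API simulations for file,
    process, registry and network. A simulation only records the behavior;
    nothing touches the host."""
    def __init__(self):
        self.stack, self.heap, self.behaviors = [], {}, []

    def call_api(self, name: str):
        self.behaviors.append(name)


def run_in_instruction_vm(data: bytes) -> list:
    """Claim 4: the instruction reading module reads one byte at a time, the
    explanation module decodes it, and the recorded behaviors are returned."""
    env = SimulatedEnvironment()
    body = data[4:] if data[:4] == b"TDOC" else data
    for byte in body:
        api = OPCODES.get(byte)
        if api is not None:
            env.call_api(api)
    return env.behaviors


def is_subsequence(pattern: list, seq: list) -> bool:
    """True if every element of pattern occurs in seq in the same order."""
    it = iter(seq)
    return all(any(item == p for item in it) for p in pattern)


def match_rules(behaviors: list) -> list:
    """Names of the rules whose behavior sequence the recording matches."""
    return [name for name, pat in MALICIOUS_BEHAVIOR_RULES.items()
            if is_subsequence(pat, behaviors)]


def recognise(file_type: str, data: bytes) -> dict:
    """Claim 1 flow. Verdicts: known-vulnerability, 0day-vulnerability, normal."""
    vuln = lookup_known_vuln(file_type, data)
    if vuln is not None:  # claim 6: the number uniquely identifies the vulnerability
        return {"verdict": "known-vulnerability", "vuln_number": vuln, "matched_rules": []}
    if file_type == "html":
        malicious, rules = html_is_malicious(data), []
    elif file_type == "doc":
        rules = match_rules(run_in_instruction_vm(data))
        malicious = bool(rules)
    else:
        raise ValueError("claim 1 covers html and document files only")
    verdict = "0day-vulnerability" if malicious else "normal"
    return {"verdict": verdict, "vuln_number": None, "matched_rules": rules}


# Constructed sample files; none of these are real documents or exploits.
SAMPLES = {
    "known_html": ("html", b"<html><!--KNOWN-HTML-BUG-1--></html>"),
    "zero_day_html": ("html", b"<html><!--MALICIOUS-FEATURE-A--></html>"),
    "clean_html": ("html", b"<html><p>hello</p></html>"),
    # known marker present, so the database wins even though the VM would flag it too
    "known_doc": ("doc", b"TDOC" + b"KNOWN-DOC-BUG-1" + bytes([0x01, 0x02])),
    "zero_day_doc": ("doc", b"TDOC" + b"text" + bytes([0x03, 0x00, 0x04])),
    "clean_doc": ("doc", b"TDOC" + b"just text" + bytes([0x01])),
}

if __name__ == "__main__":
    for name, (ftype, data) in SAMPLES.items():
        print(f"{name:14s} -> {recognise(ftype, data)}")
```

The ordering in `recognise` is the point of claim 1: a file that matches a database record is reported under its known vulnerability number and never reaches the behavior stage, so a 0day verdict can only arise for a file the known-vulnerability logic did not recognize. The `known_doc` sample exercises exactly that edge case, since its opcode bytes would also match the `drop-and-execute` rule.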
CN201410510459.6A 2014-09-28 2014-09-28 The recognition methods of 0day leaks and device Active CN104239801B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410510459.6A CN104239801B (en) 2014-09-28 2014-09-28 The recognition methods of 0day leaks and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410510459.6A CN104239801B (en) 2014-09-28 2014-09-28 The recognition methods of 0day leaks and device

Publications (2)

Publication Number Publication Date
CN104239801A CN104239801A (en) 2014-12-24
CN104239801B true CN104239801B (en) 2017-10-24

Family

ID=52227843

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410510459.6A Active CN104239801B (en) 2014-09-28 2014-09-28 The recognition methods of 0day leaks and device

Country Status (1)

Country Link
CN (1) CN104239801B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105718799B (en) * 2015-09-10 2020-07-14 哈尔滨安天科技集团股份有限公司 Method and system for identifying file overflow vulnerability
CN109829310B (en) * 2018-05-04 2021-04-27 360企业安全技术(珠海)有限公司 Similar attack defense method, device, system, storage medium and electronic device
CN111177727B (en) * 2019-09-23 2024-08-16 腾讯科技(深圳)有限公司 Vulnerability detection method and device
CN111611591B (en) * 2020-05-22 2024-05-07 中国电力科学研究院有限公司 Firmware bug detection method and device, storage medium and electronic equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102521542A (en) * 2011-12-19 2012-06-27 北京大学 Method for capturing computer software vulnerability exploitation and system
CN103902914A (en) * 2013-09-17 2014-07-02 北京安天电子设备有限公司 Overflow vulnerability detection method and system for advanced persistent threat

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102043919B (en) * 2010-12-27 2012-11-21 北京安天电子设备有限公司 Universal vulnerability detection method and system based on script virtual machine
US20130055369A1 (en) * 2011-08-24 2013-02-28 Mcafee, Inc. System and method for day-zero authentication of activex controls
CN103310150A (en) * 2012-03-13 2013-09-18 百度在线网络技术(北京)有限公司 Method and device for detecting portable document format (PDF) vulnerability

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102521542A (en) * 2011-12-19 2012-06-27 北京大学 Method for capturing computer software vulnerability exploitation and system
CN103902914A (en) * 2013-09-17 2014-07-02 北京安天电子设备有限公司 Overflow vulnerability detection method and system for advanced persistent threat

Also Published As

Publication number Publication date
CN104239801A (en) 2014-12-24

Similar Documents

Publication Publication Date Title
CN104298923B (en) Leak type identification method and device
CN105320883B (en) File security loads implementation method and device
Jimenez et al. Vulnerability prediction models: A case study on the linux kernel
CN104537308B (en) System and method using security audit function is provided
CN109359468A (en) Leak detection method, device and equipment
CN104239801B (en) The recognition methods of 0day leaks and device
CN104462985A (en) Detecting method and device of bat loopholes
CN108009425A (en) File detects and threat level decision method, apparatus and system
CN107944278A (en) A kind of kernel leak detection method and device
US11036479B2 (en) Devices, systems, and methods of program identification, isolation, and profile attachment
Alenezi et al. Open source web application security: A static analysis approach
CN106446685A (en) Methods and devices for detecting malicious documents
CN109388946A (en) Malicious process detection method, device, electronic equipment and storage medium
CN103279707A (en) Method, device and system for actively defending against malicious programs
CN109271789A (en) Malicious process detection method, device, electronic equipment and storage medium
Li et al. Large-scale third-party library detection in android markets
CN115391230A (en) Test script generation method, test script penetration method, test script generation device, test penetration device, test equipment and test medium
CN113158197A (en) SQL injection vulnerability detection method and system based on active IAST
CN110309667A (en) A kind of dark chain detection method in website and device
CN116932381A (en) Automatic evaluation method for security risk of applet and related equipment
KR101797485B1 (en) Method for providing personnal analysis service of patent document
CN107992402A (en) Blog management method and log management apparatus
CN104579819A (en) Network security detection method and device
CN106650439A (en) Suspicious application program detection method and device
CN106529287A (en) Method and device for automatically reinforcing application vulnerabilities

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP01 Change in the name or title of a patent holder
CP01 Change in the name or title of a patent holder

Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee after: Beijing Qizhi Business Consulting Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20210622

Address after: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Patentee after: Beijing Hongteng Intelligent Technology Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Beijing Qizhi Business Consulting Co.,Ltd.

CP01 Change in the name or title of a patent holder
CP01 Change in the name or title of a patent holder

Address after: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Patentee after: Sanliu0 Digital Security Technology Group Co.,Ltd.

Address before: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Patentee before: Beijing Hongteng Intelligent Technology Co.,Ltd.