CN104978525A - Heuristic script detection method and system based on structured exception - Google Patents

Publication number: CN104978525A
Authority: CN (China)
Prior art keywords: code, detected, script, structuring, exception
Legal status: Pending
Application number: CN201410657009.XA
Other languages: Chinese (zh)
Inventors: 童志明, 沈长伟, 张栗伟
Current assignee: Harbin Antiy Technology Co Ltd
Original assignee: Harbin Antiy Technology Co Ltd

Abstract

The invention provides a heuristic script detection method and system based on structural anomalies ("structured exception" in the published title). The method comprises the following steps: reading the script code to be detected; performing a structural scan of the script code to determine its code structure; matching the code structure against structural anomaly rules and, if a match succeeds, confirming that the code structure of the script code to be detected is abnormal and raising an alert; otherwise, confirming that the code structure of the script code to be detected is normal. The invention also provides a corresponding detection system. With the method and system provided by the invention, structurally anomalous scripts can be found quickly and effectively, and the user can be alerted. The scheme effectively makes up for the deficiencies of traditional detection methods and detects maliciously deformed scripts and code with structural anomalies.

Description

A heuristic script detection method and system based on structural anomalies
Technical field
The present invention relates to the field of computer network security, and in particular to a heuristic script detection method and system based on structural anomalies.
Background
Traditional script detection methods are usually signature-based: part of the malicious code is taken as a signature and matched against the script under test. Malicious code authors, however, often write code with an anomalous structure to evade detection by anti-virus analysts. Traditional script detection methods are usually very weak at detecting such deformed malicious code, that is, script code with structural anomalies such as abnormal code layout or inactive elements.
Summary of the invention
To address the above problem, the present invention provides a heuristic script detection method based on structural anomalies. The method solves the prior-art problem that structurally anomalous scripts cannot be detected: it examines the code structure of a script file, identifies its abnormal layout and inactive elements, and judges whether the script is malicious.
A heuristic script detection method based on structural anomalies comprises:
Reading the script code to be detected;
Performing a structural scan of the script code to determine its code structure; depending on the rule, the scan may be line by line, element by element, and so on;
Matching the code structure of the script code against structural anomaly rules; if a match succeeds, confirming that the structure of the script code to be detected is abnormal and raising an alert; otherwise confirming that the structure of the script code to be detected is normal.
In the method, the structural anomaly rules include but are not limited to: the code structure contains consecutive whitespace characters exceeding a threshold number, or the code structure contains consecutive blank lines exceeding a threshold number, or inactive elements.
Examples of decision rules:
A code line begins with a large number of consecutive whitespace characters, exceeding the observable range. Malicious code authors usually adopt this technique to evade detection by anti-virus analysts.
The number of consecutive blank lines exceeds the threshold.
Inactive elements, for example a frame whose width and height are 0, or a reference to another malicious script by URL.
The present invention performs a structural scan of the script file and applies heuristic detection to the script based on structural decision rules.
A heuristic script detection system based on structural anomalies comprises:
A read module, for reading the script code to be detected;
A scan module, for performing a structural scan of the script code to determine its code structure;
A matching module, for matching the code structure of the script code against structural anomaly rules; if a match succeeds, confirming that the structure of the script code to be detected is abnormal and raising an alert; otherwise confirming that the structure of the script code to be detected is normal.
In the system, the structural anomaly rules comprise: the code structure contains consecutive whitespace characters exceeding a threshold number, or the code structure contains consecutive blank lines exceeding a threshold number, or inactive elements.
The advantage of the present invention is that it provides a heuristic script detection method based on structural anomalies that can effectively detect anomalous structure in script file code.
The invention provides a heuristic script detection method and system based on structural anomalies. The method comprises: reading the script code to be detected; performing a structural scan of the script code to determine its code structure; matching the code structure against structural anomaly rules and, if a match succeeds, confirming that the structure of the script code to be detected is abnormal and raising an alert; otherwise confirming that the structure of the script code to be detected is normal. The invention also provides a corresponding detection system. With the method and system provided by the invention, structurally anomalous scripts can be found quickly and effectively, and the user can be alerted. The scheme effectively makes up for the deficiencies of traditional detection methods and detects maliciously deformed scripts and code with structural anomalies.
Brief description of the drawings
To illustrate the technical solutions of the present invention or of the prior art more clearly, the drawings used in the description of the embodiments or of the prior art are briefly introduced below. The drawings described below are only some embodiments recorded in the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a heuristic script detection method based on structural anomalies according to the present invention;
Fig. 2 is a structural diagram of a heuristic script detection system based on structural anomalies according to the present invention.
Detailed description
To help those skilled in the art better understand the technical solutions in the embodiments of the present invention, and to make the above objects, features and advantages of the present invention more apparent, the technical solutions of the present invention are described in further detail below with reference to the drawings.
To address the above problem, the present invention provides a heuristic script detection method based on structural anomalies. The method solves the prior-art problem that structurally anomalous scripts cannot be detected: it examines the code structure of a script file, identifies its abnormal layout and inactive elements, and judges whether the script is malicious.
A heuristic script detection method based on structural anomalies, as shown in Fig. 1, comprises:
S101: reading the script code to be detected;
S102: performing a structural scan of the script code to determine its code structure; depending on the rule, the scan may be line by line, element by element, and so on;
S103: matching the code structure of the script code against structural anomaly rules; if a match succeeds, confirming that the structure of the script code to be detected is abnormal and raising an alert; otherwise confirming that the structure of the script code to be detected is normal.
In the method, the structural anomaly rules include but are not limited to: the code structure contains consecutive whitespace characters exceeding a threshold number, or the code structure contains consecutive blank lines exceeding a threshold number, or inactive elements.
Examples of decision rules:
A code line begins with a large number of consecutive whitespace characters, exceeding the observable range. Malicious code authors usually adopt this technique to evade detection by anti-virus analysts.
The number of consecutive blank lines exceeds the threshold.
Inactive elements, for example a frame whose width and height are 0, or a reference to another malicious script by URL.
The present invention performs a structural scan of the script file and applies heuristic detection to the script based on structural decision rules.
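An added example, not code from the patent, that implements steps S101 to S103 with the three example rules (whitespace runs, blank-line runs, zero-size frames). The threshold values, rule names and both sample inputs are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Thresholds are assumptions for this example; the patent only says "a threshold".
MAX_WS_RUN = 200       # consecutive whitespace characters inside one code line
MAX_BLANK_LINES = 50   # consecutive blank lines

WS_RUN = re.compile(r"\s+")
FRAME_TAG = re.compile(r"<i?frame\b[^>]*>", re.I)
SIZE_ATTR = re.compile(r"""\b(width|height)\s*=\s*["']?\s*(\d+)""", re.I)

@dataclass
class Finding:
    rule: str
    line: int      # 1-based line where the anomaly starts
    detail: str

def detect(text: str) -> list:
    """Scan the script structure and return every rule match (empty list = normal)."""
    findings, blank_run = [], 0
    # Line-by-line scan; the sentinel flushes a blank run that reaches end of file.
    for no, line in enumerate(text.splitlines() + ["<eof>"], 1):
        if not line.strip():
            blank_run += 1
            continue
        if blank_run > MAX_BLANK_LINES:
            findings.append(Finding("blank-lines", no - blank_run,
                                    f"{blank_run} consecutive blank lines"))
        blank_run = 0
        longest = max((len(m.group()) for m in WS_RUN.finditer(line)), default=0)
        if longest > MAX_WS_RUN:
            findings.append(Finding("whitespace-run", no,
                                    f"{longest} consecutive whitespace characters"))
    # Element scan: frames declared with width and height 0. Sizes set through
    # CSS are not parsed here, and URL reputation is out of scope.
    for m in FRAME_TAG.finditer(text):
        dims = {k.lower(): int(v) for k, v in SIZE_ATTR.findall(m.group())}
        if dims.get("width") == 0 and dims.get("height") == 0:
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append(Finding("zero-size-frame", line_no, m.group()[:80]))
    return findings

def is_anomalous(text: str) -> bool:
    """Alert decision from step S103: any matched rule marks the script abnormal."""
    return bool(detect(text))

# Constructed samples (not from the patent); example.invalid is a placeholder host.
SUSPICIOUS = (
    "<html><body>\n<p>Welcome</p>\n"
    + "\n" * 60
    + " " * 300 + "<script src='http://example.invalid/a.js'></script>\n"
    + "<iframe src='http://example.invalid/x' width=0 height=0></iframe>\n"
    + "</body></html>\n"
)
BENIGN = "function f() {\n    return 1;\n}\n\n\nf();\n"

if __name__ == "__main__":
    for f in detect(SUSPICIOUS):
        print(f"ALERT line {f.line}: {f.rule}: {f.detail}")
    print("benign flagged:", is_anomalous(BENIGN))
```

Thresholds this low or high need tuning against a corpus of legitimate scripts, since minified or generated code can also contain long whitespace and blank-line runs.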
A heuristic script detection system based on structural anomalies, as shown in Fig. 2, comprises:
A read module 201, for reading the script code to be detected;
A scan module 202, for performing a structural scan of the script code to determine its code structure;
A matching module 203, for matching the code structure of the script code against structural anomaly rules; if a match succeeds, confirming that the structure of the script code to be detected is abnormal and raising an alert; otherwise confirming that the structure of the script code to be detected is normal.
In the system, the structural anomaly rules comprise: the code structure contains consecutive whitespace characters exceeding a threshold number, or the code structure contains consecutive blank lines exceeding a threshold number, or inactive elements.
The advantage of the present invention is that it provides a heuristic script detection method based on structural anomalies that can effectively detect anomalous structure in script file code.
The invention provides a heuristic script detection method and system based on structural anomalies. The method comprises: reading the script code to be detected; performing a structural scan of the script code to determine its code structure; matching the code structure against structural anomaly rules and, if a match succeeds, confirming that the structure of the script code to be detected is abnormal and raising an alert; otherwise confirming that the structure of the script code to be detected is normal. The invention also provides a corresponding detection system. With the method and system provided by the invention, structurally anomalous scripts can be found quickly and effectively, and the user can be alerted. The scheme effectively makes up for the deficiencies of traditional detection methods and detects maliciously deformed scripts and code with structural anomalies.
Although the present invention has been described by way of embodiments, those of ordinary skill in the art know that the present invention has many variations and changes that do not depart from its spirit, and it is intended that the appended claims cover these variations and changes without departing from the spirit of the present invention.

Claims (4)

1. A heuristic script detection method based on structural anomalies, characterized by:
Reading the script code to be detected;
Performing a structural scan of the script code to determine its code structure;
Matching the code structure of the script code against structural anomaly rules; if a match succeeds, confirming that the structure of the script code to be detected is abnormal and raising an alert; otherwise confirming that the structure of the script code to be detected is normal.
2. The method of claim 1, characterized in that the structural anomaly rules comprise: the code structure contains consecutive whitespace characters exceeding a threshold number, or the code structure contains consecutive blank lines exceeding a threshold number, or inactive elements.
3. A heuristic script detection system based on structural anomalies, characterized by:
A read module, for reading the script code to be detected;
A scan module, for performing a structural scan of the script code to determine its code structure;
A matching module, for matching the code structure of the script code against structural anomaly rules; if a match succeeds, confirming that the structure of the script code to be detected is abnormal and raising an alert; otherwise confirming that the structure of the script code to be detected is normal.
4. The system of claim 3, characterized in that the structural anomaly rules comprise: the code structure contains consecutive whitespace characters exceeding a threshold number, or the code structure contains consecutive blank lines exceeding a threshold number, or inactive elements.

Application CN201410657009.XA, "Heuristic script detection method and system based on structured exception": priority date 2014-11-18, filing date 2014-11-18, status Pending, published as CN104978525A (en) on 2015-10-14.

Family ID: 54275019

Country status: CN (1), CN104978525A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20151014