A knowledge-driven recursive detection method and system for packed code
Technical field
The present invention relates to the field of computer network security, and more particularly to a knowledge-driven recursive detection method and system for packed code.
Background technology
With the development of computer technology and the spread of its applications, computer networks have also developed rapidly, and the number of malicious code samples has grown exponentially. Early malicious code used few self-protection mechanisms and carried fixed signatures, so anti-virus software could match virus signatures and easily detect viruses hidden in a system. With the advance of technology, however, malicious code increasingly uses self-protection techniques to counter detection by anti-virus engines, for example by packing (encrypting) the malicious code, which greatly reduces the accuracy of traditional detection methods.
At present, detection of packed code mostly relies on a single detection mode, for example: extracting normalized features directly from the encrypted ciphertext, whose results are not accurate; performing decompression detection on code packed with known compression algorithms, whose results are not comprehensive; or selecting key instructions for detection through dynamic execution in a virtual machine, whose efficiency is low.
The content of the invention
To address the above problems, the present invention proposes a knowledge-driven recursive detection method and system for packed code. Through the cooperative detection of a ciphertext knowledge base and a plaintext knowledge base it balances accuracy, comprehensiveness and efficiency, and finally updates the detection knowledge base continuously in a recursive manner so as to adapt to the continual variation of the code to be detected and of the detection modes.
First, the present invention proposes a knowledge-driven recursive detection method for packed code, comprising:
establishing a comprehensive feature database and obtaining a packed sample to be detected;
putting the decompression code of the packed sample into a sample interpreter for short-feature matching; if the match succeeds, the inference engine selects the decryption algorithm corresponding to the short feature, decrypts the packed sample, extracts a short feature from the decrypted data and records it into the plaintext knowledge base;
otherwise, the inference engine extracts features directly from the packed sample and records them into the ciphertext knowledge base.
In the method, the comprehensive feature database consists of the plaintext knowledge base and the ciphertext knowledge base.
In the method, a short feature comprises a feature and algorithm key position information.
In the method, decrypting the packed sample with the decryption algorithm that the inference engine associates with the short feature specifically means: matching the feature and the algorithm key position information contained in the short feature to the corresponding decryption algorithm, and decrypting with that algorithm.
In the method, extracting features directly from the packed sample by the inference engine specifically comprises:
according to known dynamic features and static features, collecting the corresponding data from the packed sample, and setting a score for each feature;
according to the entropy weight method, calculating the total score of the dynamic features and the total score of the static features respectively;
using a complex-analysis method based on the Poincaré measure, comprehensively assessing the total scores of the dynamic features and the static features to decide whether the dynamic features or the static features are chosen;
taking the chosen dynamic or static features as the features of the packed sample and recording them into the ciphertext knowledge base.
In the method, after the packed sample is obtained, the method further comprises: extracting the code segment feature of the packed sample and matching the hash value of that feature against the features already present in the comprehensive feature database; if the match succeeds, the judgement result is output directly.
The invention also provides a knowledge-driven recursive detection system for packed code, comprising:
a database module, which establishes the comprehensive feature database;
an acquisition module, which obtains the packed sample to be detected;
a sample interpreter module, which puts the decompression code of the packed sample into the sample interpreter for short-feature matching and, if the match succeeds, passes control to the inference engine module;
an inference engine module, which selects the decryption algorithm corresponding to the short feature, decrypts the packed sample, extracts a short feature from the decrypted data and records it into the plaintext knowledge base; otherwise, the inference engine extracts features directly from the packed sample and records them into the ciphertext knowledge base.
In the system, the comprehensive feature database consists of the plaintext knowledge base and the ciphertext knowledge base.
In the system, a short feature comprises a feature and algorithm key position information.
In the system, decrypting the packed sample with the decryption algorithm that the inference engine associates with the short feature specifically means: matching the feature and the algorithm key position information contained in the short feature to the corresponding decryption algorithm, and decrypting with that algorithm.
In the system, extracting features directly from the packed sample by the inference engine specifically comprises:
according to known dynamic features and static features, collecting the corresponding data from the packed sample, and setting a score for each feature;
according to the entropy weight method, calculating the total score of the dynamic features and the total score of the static features respectively;
using a complex-analysis method based on the Poincaré measure, comprehensively assessing the total scores of the dynamic features and the static features to decide whether the dynamic features or the static features are chosen;
taking the chosen dynamic or static features as the features of the packed sample and recording them into the ciphertext knowledge base.
In the system, after the packed sample is obtained, the system further: extracts the code segment feature of the packed sample and matches the hash value of that feature against the features already present in the comprehensive feature database; if the match succeeds, the judgement result is output directly.
Correspondingly, the present invention proposes a non-transitory computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, it implements the recursive detection method for packed code as described in any of claims 1-6.
Correspondingly, the present invention proposes a computer program product, wherein the electronic device comprises: a housing, a processor, a memory, a circuit board and a power supply, wherein the circuit board is placed in the interior space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power circuit supplies power to each circuit or device of the electronic device; the memory stores executable program code; and the processor runs the program corresponding to the executable program code by reading the executable program code stored in the memory, thereby performing the above method flow.
The advantage of the technical solution of the present invention is that it can combine several detection measures: the plaintext knowledge base and the ciphertext knowledge base together form the comprehensive feature database, and through the cooperative detection of ciphertext and plaintext, accurate, comprehensive and efficient detection is achieved; finally, in a recursive manner, the knowledge base is updated so that a certain degree of feature extraction is performed even for samples packed with a currently unknown compression algorithm, adapting to the continual variation of the code to be detected and of the detection modes.
Description of the drawings
In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow chart of an embodiment of the knowledge-driven recursive detection method for packed code of the present invention;
Fig. 2 is a structure diagram of the knowledge-driven recursive detection system for packed code of the present invention;
Fig. 3 is a structure diagram of an embodiment of the electronic device of the present invention.
Specific embodiments
In order that those skilled in the art may better understand the technical solutions in the embodiments of the present invention, and that the above objects, features and advantages of the present invention may be more apparent and understandable, the technical solutions of the present invention are explained in further detail below with reference to the drawings.
First, the present invention proposes a knowledge-driven recursive detection method for packed code which, as shown in Fig. 1, comprises:
S101: establishing a comprehensive feature database and obtaining a packed sample to be detected;
S102: putting the decompression code of the packed sample into a sample interpreter for short-feature matching; if the match succeeds, S103 is performed, otherwise S104 is performed. The decompression code of a packed sample is usually the code in the second half of the packed sample;
S103: the inference engine selects the decryption algorithm corresponding to the short feature, decrypts the packed sample, extracts a short feature from the decrypted data and records it into the plaintext knowledge base;
S104: the inference engine extracts features directly from the packed sample and records them into the ciphertext knowledge base.
In the method, the comprehensive feature database consists of the plaintext knowledge base and the ciphertext knowledge base.
In the method, a short feature comprises a feature and algorithm key position information.
A short feature includes algorithm key position information because, during encryption, when identical code is encrypted, the position and offset of its first occurrence may be used to complete the operation; so during decryption the range of this offset can be taken as the feature, which guarantees accuracy while keeping the feature length relatively short. And because the short feature contains the algorithm key position information, short features can form a mapping relation with the encryption algorithm.
In the method, decrypting the packed sample with the decryption algorithm that the inference engine associates with the short feature specifically means: matching the feature and the algorithm key position information contained in the short feature to the corresponding decryption algorithm, and decrypting with that algorithm.
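The following is an added illustration of steps S102 and S103, not code from the patent: a short feature pairs a stub signature with the key offset and maps to a decryption routine, the decrypted data yields a plaintext short feature, and the decrypted body is checked again so that nested packing is peeled recursively. The single-byte XOR packer, the stub bytes and the sample payload are all constructed for this example.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class ShortFeature:
    signature: bytes   # bytes that identify the packer's decompression stub
    key_offset: int    # algorithm key position, relative to the signature
    algorithm: str     # decryption algorithm the inference engine maps this feature to

def xor8_decrypt(body: bytes, key: int) -> bytes:
    # Hypothetical single-byte XOR packer, a stand-in for a real decryption algorithm.
    return bytes(b ^ key for b in body)

DECRYPTORS = {"xor8": xor8_decrypt}
# Constructed knowledge-base entry: the key byte follows the stub bytes 31 c0 b0 (offset 3).
FEATURES = [ShortFeature(b"\x31\xc0\xb0", 3, "xor8")]

def find_short_feature(sample: bytes):
    # The decompression code normally sits in the second half of a packed sample,
    # so only that region is scanned for known stub signatures (S102).
    for f in FEATURES:
        pos = sample.find(f.signature, len(sample) // 2)
        if pos != -1:
            return f, pos
    return None

def extract_short_feature(data: bytes) -> str:
    # Short feature of decrypted data: a hash of its first 16 bytes keeps entries compact.
    return hashlib.sha256(data[:16]).hexdigest()

def recursive_detect(sample: bytes, plaintext_kb: set, ciphertext_kb: set, depth: int = 0):
    """Returns (verdict, feature, layers). On a stub match (S103) the body before the stub
    is decrypted, its short feature recorded, and the result examined again for another
    packing layer; without a match (S104) a ciphertext feature is recorded instead."""
    hit = find_short_feature(sample)
    if hit is None:
        feat = hashlib.sha256(sample).hexdigest()  # stand-in for the S104 feature extraction
        ciphertext_kb.add(feat)
        return "ciphertext", feat, 0
    f, pos = hit
    key = sample[pos + f.key_offset]
    plain = DECRYPTORS[f.algorithm](sample[:pos], key)
    feat = extract_short_feature(plain)
    plaintext_kb.add(feat)
    layers = 1
    if depth < 4 and find_short_feature(plain) is not None:
        layers += recursive_detect(plain, plaintext_kb, ciphertext_kb, depth + 1)[2]
    return "plaintext", feat, layers

def pack(body: bytes, key: int) -> bytes:
    return xor8_decrypt(body, key) + b"\x31\xc0\xb0" + bytes([key]) + b"\xc3"  # constructed packer

def run_demo() -> dict:
    payload = b"MZ\x90\x00" * 8                     # constructed unpacked payload
    sample = pack(pack(payload, 0x11), 0x5A)        # packed twice: two layers to peel
    plain_kb, cipher_kb = set(), set()
    known = recursive_detect(sample, plain_kb, cipher_kb)
    unknown = recursive_detect(b"\x00" * 40, plain_kb, cipher_kb)   # no stub: S104 path
    return {"known": known, "unknown": unknown, "plaintext_kb": plain_kb, "ciphertext_kb": cipher_kb}
```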
In the method, extracting features directly from the packed sample by the inference engine specifically comprises:
according to known dynamic features and static features, collecting the corresponding data from the packed sample, and setting a score for each feature; since the threat degree of each feature differs, a score value must be set for each feature;
according to the entropy weight method, calculating the total score of the dynamic features and the total score of the static features respectively. For example, for dynamic features we consider only device threats (modifying disk sectors), system threats (modifying the registry) and file I/O threats (reading and writing files); the different threat degrees of these three necessarily lead to different sub-item scores. For static features, the first 4K of the code section, file icon features and the like are considered. The mapping relation between a feature's threat degree and its score is given here on the basis of extensive analysis experience.
Here the dynamic features and the static features are linearly independent, so the two can be regarded as two orthogonal vectors in a planar rectangular coordinate system, and the subsequent analysis can therefore be carried out with complex functions.
Using a complex-analysis method based on the Poincaré measure, comprehensively assessing the total scores of the dynamic features and the static features to decide whether the dynamic features or the static features are chosen;
taking the chosen dynamic or static features as the features of the packed sample and recording them into the ciphertext knowledge base.
The reason for using the above method is that the ciphertext features to be extracted do not exist in the knowledge base and the compression algorithm is unknown; to obtain a certain detection result, feature extraction and detection must be carried out in a non-exact manner, and combining dynamic features with static features makes it possible to find the corresponding data in the sample.
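As an added worked example (not the patent's own code) of the S104 scoring just described: the entropy weight method is applied to constructed threat-degree scores for the three dynamic features and two static features named above, and the two totals are then treated as orthogonal components of a complex number. The angle test used to pick the feature class is a simplified stand-in for the patent's Poincaré-measure assessment, and the score matrices are assumptions made for this example.

```python
import math

# Constructed threat-degree scores (an assumption, not the patent's data). Each row is
# one sample's per-feature scores; the last row is the sample under test.
DYNAMIC_FEATURES = ["device_threat", "system_threat", "file_io_threat"]
STATIC_FEATURES = ["code_section_head_4k", "file_icon"]
DYNAMIC_SCORES = [[9, 3, 2], [1, 8, 4], [2, 2, 7], [8, 7, 3]]
STATIC_SCORES = [[5, 1], [6, 2], [2, 6], [3, 2]]

def entropy_weights(matrix):
    """Entropy weight method: a feature whose scores vary more across the samples
    carries more information and therefore receives a larger weight."""
    m, n = len(matrix), len(matrix[0])
    if m < 2:
        return [1.0 / n] * n
    col_sums = [sum(row[j] for row in matrix) for j in range(n)]
    diffs = []
    for j in range(n):
        entropy = 0.0
        for row in matrix:
            p = row[j] / col_sums[j] if col_sums[j] else 0.0
            if p > 0:
                entropy -= p * math.log(p)
        diffs.append(1.0 - entropy / math.log(m))   # information utility of feature j
    total = sum(diffs)
    return [d / total for d in diffs] if total else [1.0 / n] * n

def total_score(matrix, sample_index=-1):
    # Weighted sum of one sample's feature scores under the entropy weights.
    weights = entropy_weights(matrix)
    return sum(w * x for w, x in zip(weights, matrix[sample_index]))

def select_feature_class(dynamic_total, static_total):
    """The two totals are linearly independent, so they are treated as the orthogonal
    components of z = dynamic + i*static and the class whose axis lies closer to arg(z)
    is chosen. This angle test is a simplified stand-in for the patent's
    Poincaré-measure step (an assumption of this example)."""
    z = complex(dynamic_total, static_total)
    return "dynamic" if math.atan2(z.imag, z.real) <= math.pi / 4 else "static"

def choose_for_sample():
    # Runs the full S104 scoring for the last row of each constructed matrix.
    dyn, sta = total_score(DYNAMIC_SCORES), total_score(STATIC_SCORES)
    return dyn, sta, select_feature_class(dyn, sta)
```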
In the method, after the packed sample is obtained, the method further comprises: extracting the code segment feature of the packed sample and matching the hash value of that feature against the features already present in the comprehensive feature database; if the match succeeds, the judgement result is output directly.
The invention also provides a knowledge-driven recursive detection system for packed code which, as shown in Fig. 2, comprises:
a database module 201, which establishes the comprehensive feature database;
an acquisition module 202, which obtains the packed sample to be detected;
a sample interpreter module 203, which puts the decompression code of the packed sample into the sample interpreter for short-feature matching and, if the match succeeds, passes control to the inference engine module;
an inference engine module 204, which selects the decryption algorithm corresponding to the short feature, decrypts the packed sample, extracts a short feature from the decrypted data and records it into the plaintext knowledge base; if the short-feature match fails, the inference engine extracts features directly from the packed sample and records them into the ciphertext knowledge base.
In the system, the comprehensive feature database consists of the plaintext knowledge base and the ciphertext knowledge base.
In the system, a short feature comprises a feature and algorithm key position information.
In the system, decrypting the packed sample with the decryption algorithm that the inference engine associates with the short feature specifically means: matching the feature and the algorithm key position information contained in the short feature to the corresponding decryption algorithm, and decrypting with that algorithm.
In the system, extracting features directly from the packed sample by the inference engine specifically comprises:
according to known dynamic features and static features, collecting the corresponding data from the packed sample, and setting a score for each feature;
according to the entropy weight method, calculating the total score of the dynamic features and the total score of the static features respectively;
using a complex-analysis method based on the Poincaré measure, comprehensively assessing the total scores of the dynamic features and the static features to decide whether the dynamic features or the static features are chosen;
taking the chosen dynamic or static features as the features of the packed sample and recording them into the ciphertext knowledge base.
In the system, after the packed sample is obtained, the system further: extracts the code segment feature of the packed sample and matches the hash value of that feature against the features already present in the comprehensive feature database; if the match succeeds, the judgement result is output directly.
Correspondingly, the present invention proposes a non-transitory computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, it implements the recursive detection method for packed code as described in any of claims 1-6.
Correspondingly, the present invention proposes a computer program product, wherein, as shown in Fig. 3, the electronic device comprises: a housing 301, a processor 302, a memory 303, a circuit board 304 and a power supply 305, wherein the circuit board is placed in the interior space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power circuit supplies power to each circuit or device of the electronic device; the memory stores executable program code; and the processor runs the program corresponding to the executable program code by reading the executable program code stored in the memory, thereby performing the above method flow.
The advantage of the technical solution of the present invention is that it can combine several detection measures: the plaintext knowledge base and the ciphertext knowledge base together form the comprehensive feature database, and through the cooperative detection of ciphertext and plaintext, accurate, comprehensive and efficient detection is achieved; finally, in a recursive manner, the knowledge base is updated so that a certain degree of feature extraction is performed even for samples packed with a currently unknown compression algorithm, adapting to the continual variation of the code to be detected and of the detection modes.
Although the present invention has been described by way of embodiments, those skilled in the art will appreciate that many variations and modifications of the present invention are possible without departing from its spirit, and it is intended that the appended claims cover such variations and modifications without departing from the spirit of the present invention.