Invention content
In view of the above problem, the present invention proposes a heuristic detection method, system and storage medium for nested files, which perform heuristic detection according to the types of the files nested inside and thereby effectively improve detection speed.
The present invention is implemented by the following method:
A heuristic detection method for nested files, comprising:
splitting an acquired nested file into its component files;
obtaining the file types that were split out, regularizing the file types and arranging them as knowledge data;
matching the knowledge data against a knowledge base; if the match succeeds, the nested file is malicious, a detection result is output and detection ends; otherwise, malicious analysis is carried out on the nested file that failed to match.
In the method, regularizing the file types and arranging them as knowledge data specifically comprises: integrating all the file types that were split out, merging identical file types, and recording the number of files of each file type.
In the method, the knowledge base is formed by performing probability statistics on known threatening nested files, regularizing those nested files into knowledge data, and storing the knowledge data in the knowledge base.
In the method, carrying out malicious analysis on the nested file that failed to match specifically comprises: obtaining a large number of nested files of the same type with known detection results and performing probability statistics on them; if the malicious probability in the statistical result exceeds the non-malicious probability, the unmatched nested file is judged malicious, otherwise the unmatched nested file is judged non-malicious.
In the method, after malicious analysis of the unmatched nested file, the method further comprises: if the result of the malicious analysis is that the file is malicious, extracting the knowledge data of the nested file, and entering the knowledge data of the nested file together with the corresponding detection result into the knowledge base.
The present invention also proposes a heuristic detection system for nested files, comprising:
a splitting module, which splits the acquired nested file into its component files;
a data processing module, which obtains the file types that were split out, regularizes the file types and arranges them as knowledge data;
a matching module, which matches the knowledge data against the knowledge base; if the match succeeds, the nested file is malicious, the detection result is output and detection ends; otherwise control passes to the malicious analysis module;
a malicious analysis module, which carries out malicious analysis on the nested file that failed to match.
In the system, regularizing the file types and arranging them as knowledge data specifically comprises: integrating all the file types that were split out, merging identical file types, and recording the number of files of each file type.
In the system, the knowledge base is formed by performing probability statistics on known threatening nested files, regularizing those nested files into knowledge data, and storing the knowledge data in the knowledge base.
In the system, carrying out malicious analysis on the nested file that failed to match specifically comprises: obtaining a large number of nested files of the same type with known detection results and performing probability statistics on them; if the malicious probability in the statistical result exceeds the non-malicious probability, the unmatched nested file is judged malicious, otherwise the unmatched nested file is judged non-malicious.
In the system, after malicious analysis of the unmatched nested file, the system further performs: if the result of the malicious analysis is that the file is malicious, extracting the knowledge data of the nested file, and entering the knowledge data of the nested file together with the corresponding detection result into the knowledge base.
A non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements the heuristic detection method for nested files according to any of the above.
Unlike traditional heuristic detection techniques, the present invention does not analyze the sample entity itself. It simply splits the file, extracts the type of each derived file, organizes the types into knowledge data and matches them against the existing knowledge base. A successful match indicates that the nested file is threatening; otherwise malicious detection is carried out, knowledge is extracted from files found to be malicious, and the extracted knowledge enters the knowledge base directly. Compared with traditional heuristic detection, the present invention requires neither complex logic analysis nor a virtual environment in which to execute scripts dynamically; it performs heuristic detection on the basis of the property that a nested file will produce threatening behavior in an abnormal environment, which effectively improves both the speed and the accuracy of detection.
Specific embodiment
To enable those skilled in the art to better understand the technical solution in the embodiments of the present invention, and to make the above purposes, features and advantages of the present invention clearer and easier to understand, the technical solution of the present invention is explained in further detail below with reference to the accompanying drawings.
A heuristic detection method for nested files, as shown in Figure 1, comprising:
S101: splitting the acquired nested file into its component files;
S102: obtaining the file types that were split out;
S103: regularizing the file types and arranging them as knowledge data;
S104: matching the knowledge data against the knowledge base; if the match succeeds, the nested file is malicious, the detection result is output and detection ends; otherwise, malicious analysis is carried out on the nested file that failed to match.
In the method, regularizing the file types and arranging them as knowledge data specifically comprises: integrating all the file types that were split out, merging identical file types, and recording the number of files of each file type. For example, 32-bit and 64-bit exe files are both arranged as PE files. If two PE files exist simultaneously in a nested file, this is expressed in simplified form as the JSON data {"file_type":"PE", "num":2}.
In the method, the knowledge base is formed by performing probability statistics on known threatening nested files, regularizing those nested files into knowledge data, and storing the knowledge data in the knowledge base.
Known threatening nested files include, but are not limited to, the following:
a macro and a PE file existing simultaneously in an Office file;
PE or APK files carried in mail;
a Flash file nested in a PDF document;
a PE file nested in a PE file; and so on.
For example, an Office macro is a relatively simple, automatically running tool built on a syntax that Microsoft provides for convenience. An Office file that contains a macro and at the same time calls a PE file, however, is very likely an attacker's attempt to evade detection aimed at Office macros: the macro's ability to run automatically is used to run a malicious PE file and thereby complete the attack. If heuristic detection is carried out using the present invention, such threat events can be prevented.
In the method, carrying out malicious analysis on the nested file that failed to match specifically comprises: obtaining a large number of nested files of the same type with known detection results and performing probability statistics on them; if the malicious probability in the statistical result exceeds the non-malicious probability, the unmatched nested file is judged malicious, otherwise the unmatched nested file is judged non-malicious. This process is similar to the process of forming the knowledge base. Because unknown nesting types appear, the knowledge base may contain no match; the malicious probability of the file can therefore be judged by performing probability statistics on the detection results of nested files of the same type, and if the malicious probability is the larger one, the file is judged malicious.
In the method, after malicious analysis of the unmatched nested file, the method further comprises: if the result of the malicious analysis is that the file is malicious, extracting the knowledge data of the nested file, and entering the knowledge data of the nested file together with the corresponding detection result into the knowledge base.
For example, when the knowledge data is two PE files, since the number of PE files contained in the nested file exceeds 1, the heuristic detection result is "threatening", so the knowledge data and the detection result are merged and entered into the knowledge base, represented in simplified JSON as {"file_type":"PE", "num":2, "trust":"no"}. Through the detection of unknown nested files and the extraction and entry of their knowledge data, the content of the knowledge base can be extended automatically.
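The following is an added illustration of steps S101 to S104 together with the probability-statistics fallback and the knowledge-base entry step described above; it is not code from the patent. The splitting step itself is assumed to have already produced a list of raw type names, the normalization table and all sample data are constructed for the example, and "nested files of the same type" is taken to mean files with the same normalized knowledge data.

```python
from collections import Counter

# Constructed normalization table: raw types from the split step map to the
# canonical file_type recorded as knowledge data (32- and 64-bit exe -> PE).
NORMALIZE = {"exe32": "PE", "exe64": "PE", "dll": "PE", "pe": "PE",
             "vba": "MACRO", "swf": "FLASH", "apk": "APK"}

def to_knowledge_data(split_types):
    """S103: merge identical types and count them, e.g. [{'file_type': 'PE', 'num': 2}]."""
    counts = Counter(NORMALIZE.get(t.lower(), t.upper()) for t in split_types)
    return [{"file_type": k, "num": counts[k]} for k in sorted(counts)]

def pattern_key(kd):
    """Hashable form of knowledge data, used as the knowledge-base lookup key."""
    return tuple((d["file_type"], d["num"]) for d in kd)

class KnowledgeBase:
    """Knowledge data of known threatening nested files plus their result ('trust')."""
    def __init__(self):
        self.entries = {}
    def add(self, kd, trust="no"):
        self.entries[pattern_key(kd)] = {"knowledge_data": kd, "trust": trust}
    def match(self, kd):
        return self.entries.get(pattern_key(kd))

def probability_analysis(kd, labelled_samples):
    """Fallback for unmatched files: compare malicious vs. non-malicious probability
    over samples with the same nesting pattern and known detection results."""
    same = [r for sample_kd, r in labelled_samples if pattern_key(sample_kd) == pattern_key(kd)]
    if not same:
        return None  # no statistics available for this pattern
    p_mal = same.count("malicious") / len(same)
    return "malicious" if p_mal > 1 - p_mal else "non-malicious"

def detect(split_types, kb, labelled_samples):
    """S101-S104, then the fallback analysis and the knowledge-base entry step."""
    kd = to_knowledge_data(split_types)
    hit = kb.match(kd)
    if hit is not None and hit["trust"] == "no":
        return {"knowledge_data": kd, "result": "malicious", "source": "knowledge_base"}
    verdict = probability_analysis(kd, labelled_samples)
    if verdict == "malicious":
        kb.add(kd, trust="no")  # extract knowledge data and record it with its result
    return {"knowledge_data": kd, "result": verdict or "unknown", "source": "probability"}
```

A pattern first classified by the probability fallback is entered into the knowledge base, so the next file with the same knowledge data is matched directly, which is the automatic extension of the knowledge base the text describes.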
The present invention also proposes a heuristic detection system for nested files, as shown in Figure 2, comprising:
a splitting module 201, which splits the acquired nested file into its component files;
a data processing module 202, which obtains the file types that were split out, regularizes the file types and arranges them as knowledge data;
a matching module 203, which matches the knowledge data against the knowledge base; if the match succeeds, the nested file is malicious, the detection result is output and detection ends; otherwise control passes to the malicious analysis module;
a malicious analysis module 204, which carries out malicious analysis on the nested file that failed to match.
In the system, regularizing the file types and arranging them as knowledge data specifically comprises: integrating all the file types that were split out, merging identical file types, and recording the number of files of each file type.
In the system, the knowledge base is formed by performing probability statistics on known threatening nested files, regularizing those nested files into knowledge data, and storing the knowledge data in the knowledge base.
In the system, carrying out malicious analysis on the nested file that failed to match specifically comprises: obtaining a large number of nested files of the same type with known detection results and performing probability statistics on them; if the malicious probability in the statistical result exceeds the non-malicious probability, the unmatched nested file is judged malicious, otherwise the unmatched nested file is judged non-malicious.
In the system, after malicious analysis of the unmatched nested file, the system further performs: if the result of the malicious analysis is that the file is malicious, extracting the knowledge data of the nested file, and entering the knowledge data of the nested file together with the corresponding detection result into the knowledge base.
A non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements the heuristic detection method for nested files according to any of the above.
The embodiments in this specification are described progressively: each embodiment focuses on its differences from the others, and identical or similar parts of the embodiments may be referred to one another. In particular, since the system embodiment is substantially similar to the method embodiment, its description is relatively brief, and the relevant parts may be found in the explanation of the method embodiment.
Although the present invention has been described by way of embodiments, those skilled in the art will appreciate that many variations and changes of the present invention are possible without departing from its spirit, and it is intended that the appended claims cover those variations and changes that do not depart from the spirit of the present invention.