CN110008701B - Static detection rule extraction method and detection method based on ELF file characteristics - Google Patents


Info

Publication number: CN110008701B (granted patent; earlier publication CN110008701A)
Application number: CN201910212116.4A
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Expired - Fee Related
Inventors: 文伟平 (Wen Weiping), 李经纬 (Li Jingwei)
Assignee (original and current): Peking University

Classifications

    • G06F16/254 Extract, transform and load [ETL] procedures, e.g. ETL data flows in data warehouses
      (within G06F16/00 Information retrieval; database structures therefor; file system structures therefor; G06F16/20 ... of structured data, e.g. relational data; G06F16/25 Integrating or interfacing systems involving database management systems)
    • G06F21/562 Static detection
      (within G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems; G06F21/55 Detecting local intrusion or implementing counter-measures; G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements)

Abstract

The invention discloses a static detection rule extraction method and a static detection method based on ELF file characteristics. The method parses each ELF file in a sample library and extracts the static structure attribute content of the ELF header, of the program header table and of the section header table; it then automatically extracts the detection rules contained in the resulting feature dictionary list. The system of the invention comprises an ELF file analysis subsystem and a static detection rule base generation subsystem. Starting from an ELF file sample library containing normal and malicious files, the method automatically extracts the static detection rules present in ELF files under the Linux platform and uses those rules to detect software containing malicious ELF files under Linux. It addresses the low efficiency of extracting detection rules by hand and can be applied to the construction of static detection rule libraries and to the detection of ELF files under the Linux platform.

Description

Static detection rule extraction method and detection method based on ELF file characteristics
Technical Field
The invention relates to the technical field of computer security, in particular to a static detection rule extraction method, a rule base construction method and device, and a static detection method based on ELF file characteristics.
Background
Linux is an open-source, Unix-like operating system, and most servers today run some version of it. While Linux serves its users it has also drawn the attention of attackers; the openness of the system has gradually exposed its vulnerabilities, and even as Linux receives more attention its security problems grow by the day, with a sharp rise in the amount of malicious software targeting it. ELF (Executable and Linking Format) is the standard file format for executables, object files, shared libraries and core dumps, and is the most important executable file format on Linux. As Linux security problems keep being exposed, software containing malicious ELF files is produced in large quantities on the Linux platform, and because the industry lacks detection rules for malicious ELF files, Linux malware cannot be detected quickly at scale.
At present, automatic malware detection is mainly rule-based, and rules are divided into dynamic rules and static rules. Dynamic rules mainly take the form of malicious file operation behaviour, network connection behaviour and the like observed while the malware executes, but detection by such rules is often too slow. Static rules mainly take the form of special character strings, special functions, special keywords, file hash values and the like found in the malware's code; detection based on static rules is fast and accurate. It is therefore desirable to form static detection rules for malicious ELF files automatically, build a malicious static rule base from them and use it to detect and remove Linux malware quickly. Today, however, static detection rules are mostly extracted by hand, and the field has no effective solution for automatically extracting static detection rules from a large number of normal and malicious ELF files.
Disclosure of Invention
In order to overcome the defects of the prior art, the invention provides a method and a device for extracting malware static detection rules based on ELF file characteristics, which automatically extract the static detection rules present in ELF files under a Linux platform from an ELF file sample library containing normal and malicious files, and further detect software containing malicious ELF files under the Linux platform based on those rules.
The invention provides an automatic extraction method and device for malicious software static detection rules based on ELF file characteristics.
The detection rule extraction method comprises the following steps:
Step one, analyzing and extracting the static structure characteristics of an ELF file sample library;
the ELF file sample library comprises normal ELF file samples and malicious ELF file samples.
Step two, automatically generating static detection rules.
The first stage comprises the following steps:
Step 1, parsing each ELF file in the sample library and extracting the static structure attribute content of its header (ELF Header);
Step 2, parsing each ELF file in the sample library and extracting the static structure attribute content of its program header table (Program Header);
Step 3, parsing each ELF file in the sample library and extracting the static structure attribute content of its section header table (Section Header).
The second stage comprises the following steps:
Step 4, performing feature processing on the static structure attributes extracted from the ELF files in the sample library, as follows:
41) the static structure attributes are simplified through feature reduction: the static structure attribute features that are more effective in distinguishing normal ELF files from malicious ELF files are retained and redundant features are removed, giving a reduced feature set.
For example, some static structure attribute features F_i take similar values Value_i in normal and malicious ELF files; such features are of no use for identifying malicious ELF files, so the effectiveness of each feature is computed and redundant features of low effectiveness are removed.
42) Based on the reduced feature set, a feature dictionary is generated for each ELF file in the ELF sample library. For example, if the ELF sample library contains m ELF files, the feature dictionary generated for the j-th ELF file has the structure Dictory_j = {Filename:filename, F_1:Value_1, …, F_i:Value_i, …, F_n:Value_n}, j ∈ [1, m], i ∈ [1, n]. The feature dictionary generated for each ELF file thus consists of the ELF filename key-value pair Filename:filename and the set of feature key-value pairs {F_1:Value_1, …, F_i:Value_i, …, F_n:Value_n} contained in the ELF file; the set consists of n feature key-value pairs, in which the feature key F_i is the name of a static structure attribute extracted in steps 1, 2 and 3 and the feature value Value_i is the content of attribute F_i in that ELF file.
Further, the feature dictionaries of all ELF files in the ELF sample library are combined into a dictionary list [Dictory_1, …, Dictory_j, …, Dictory_m], where Dictory_j is the feature dictionary {Filename:filename, F_1:Value_1, …, F_i:Value_i, …, F_n:Value_n} of the j-th ELF file and m is the total number of ELF files in the ELF sample library.
Step 5, automatically extracting the detection rules contained in the feature dictionary list based on the processed static structure attributes, specifically as follows:
51) first, all distinct feature key-value pairs {F_i:Value_i} in the feature dictionary list are collected into the one-item feature key-value pair set C_1 = {F_1:Value_1, F_2:Value_2, F_3:Value_3, …}, and the frequency of occurrence in the feature dictionary list of each element {F_i:Value_i} of C_1 is counted;
52) a minimum support threshold is set (for example 0.9) and C_1 is simplified as follows: if the frequency of occurrence of an element of C_1 is below the minimum support threshold (here, below 0.9), the element is removed;
53) all elements of C_1 are combined pairwise into two-item feature key-value pairs {F_i:Value_i, F_j:Value_j}, forming the two-item feature key-value pair set C_2, and the frequency of occurrence in the feature dictionary list of each element {F_i:Value_i, F_j:Value_j} of C_2 is counted;
54) C_2 is simplified as follows: if the frequency of occurrence of an element of C_2 is below the minimum support threshold (below 0.9), the element is removed;
55) all elements of C_2 are combined into three-item feature key-value pairs {F_i:Value_i, F_j:Value_j, F_k:Value_k}, forming the three-item feature key-value pair set C_3, and the frequency of occurrence in the feature dictionary list of each element {F_i:Value_i, F_j:Value_j, F_k:Value_k} of C_3 is counted;
56) C_3 is simplified as follows: if the frequency of occurrence of an element of C_3 is below the minimum support threshold (below 0.9), or a subset of the element does not belong to C_1 or C_2, the element is removed;
57) by the same method the N-item feature key-value pair set C_n is generated recursively, and the operation stops when the generated C_n is empty;
58) the one-item feature key-value pair set C_1, the two-item set C_2 and so on up to the N-item set C_n obtained above are merged into the final feature key-value pair set C, i.e. C = C_1 ∪ C_2 ∪ … ∪ C_n.
Step 6, screening the feature key-value pair set C to generate static detection rules for ELF file detection and form a static detection rule library.
All elements of the feature key-value pair set C are screened further: an element whose frequency of occurrence in the malicious ELF files of the sample library is 0 is kept as a whitelist rule, and an element whose frequency of occurrence in the normal ELF files of the sample library is 0 is kept as a blacklist rule; the blacklist and whitelist rules together form the static detection rule library. Finally, the ELF file to be detected is matched against the rules in the static detection rule base: an ELF file matching a blacklist rule is judged a malicious sample, and one matching a whitelist rule is judged a normal sample.
Using the above method for constructing a static detection rule base based on ELF file characteristics, the invention also provides a device for constructing a static detection rule base based on ELF file characteristics, comprising the following subsystems:
Subsystem I, an ELF file analysis subsystem;
Subsystem II, a static detection rule base generation subsystem.
Subsystem I comprises the following modules:
Module I, an ELF header static structure attribute extraction module, which parses the static structure attribute content recorded in the ELF header according to the ELF file format, including the attributes e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_ehsize, e_phnum and e_shnum;
Module II, a program header table static structure attribute extraction module, which parses the static structure attribute content recorded in program header entries such as PHDR, LOAD, DYNAMIC and EXIDX according to the ELF file format, including the attributes p_type, p_offset, p_filesz, p_memsz, p_flags and p_align;
Module III, a section header table static structure attribute extraction module, which parses the static structure attribute content recorded in section headers such as dynsym, dynstr, rel, plt, text, rodata, dynamic, data and bss according to the ELF file format, including sh_type, sh_flags, sh_addr, sh_offset, sh_size and sh_addralign.
Subsystem II comprises the following modules:
Module IV, a static structure attribute feature processing module, which processes the static structure attribute features on the basis of effectiveness and removes features of low effectiveness;
Module V, a detection rule extraction module, which automatically extracts the feature key-value pair sets contained in the feature dictionary list based on the processed static structure attributes;
Module VI, a detection rule base generation module, which screens the feature key-value pair sets to generate static detection rules usable for ELF file detection and form a static detection rule base.
The invention has the following beneficial effects:
The invention provides a method and device for constructing a static detection rule base based on ELF file characteristics, which automatically extract the static detection rules present in ELF files under a Linux platform from an ELF file sample base containing normal and malicious ELF files, and then detect software containing malicious ELF files under the Linux platform using those rules. With the technical scheme of the invention, static structure attribute features are extracted from the normal and malicious ELF files of an existing sample library and malicious ELF file detection rules are generated automatically, which solves the low efficiency of manual rule extraction and can be applied to the construction of a static detection rule library for ELF files under a Linux platform.
Drawings
FIG. 1 is a flow chart of the detection rule extraction method of the present invention.
FIG. 2 is a system diagram of the detection rule extracting apparatus according to the present invention.
Detailed Description
The invention is further illustrated with reference to the figures and the specific embodiments.
The specific embodiment of the invention is as follows:
Step one, analyzing and extracting the static structure characteristics of an ELF file sample library;
Step two, automatically generating static detection rules.
The first stage comprises the following steps:
Step 1, a sample library {filename_1, …, filename_j, …, filename_m} containing m ELF files is established; the files in the sample library include normal samples and malicious samples. Each ELF file in the sample library is parsed and the static structure attribute content of its header (ELF Header) is extracted; the extracted features include but are not limited to:
e_type, the attribute of the ELF header that records the file type;
e_machine, the attribute of the ELF header that records the architecture required to run the file;
e_version, the attribute of the ELF header that records the file version;
e_entry, the attribute of the ELF header that records the program entry address;
e_phoff, the attribute of the ELF header that records the file offset of the program header table (Program Header);
e_shoff, the attribute of the ELF header that records the file offset of the section header table (Section Header);
e_ehsize, the attribute of the ELF header that records the size of the ELF header itself;
e_phnum, the attribute of the ELF header that records the number of entries in the program header table;
e_shnum, the attribute of the ELF header that records the number of entries in the section header table.
Step 2, each ELF file in the sample library is parsed and the static structure attribute content of its program header entries (Program Header), such as PHDR, LOAD, DYNAMIC and EXIDX, is extracted; the extracted features include but are not limited to:
p_type, which records the segment type in the program header;
p_offset, which records the offset of the segment's first byte in the file;
p_vaddr, which records the address of the segment's first byte in memory;
p_filesz, which records the length of the segment in the file;
p_memsz, which records the length of the segment in memory;
p_flags, which records the segment's flag bits;
p_align, which records how the segment is aligned in the file and in memory.
Step 3, each ELF file in the sample library is parsed and the static structure attribute content of its section headers (Section Header) is extracted, including but not limited to:
sh_type, which records the section type;
sh_flags, which records the section flags;
sh_addr, which records the address at which the section is placed in memory;
sh_offset, which records the byte offset of the section from the start of the file;
sh_size, which records the section size;
sh_addralign, which records the section's address alignment.
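Steps 1 to 3 above (and steps 1 to 3 of the Disclosure) read fixed-layout tables out of the file. The following Python, added here as an illustration and not code from the patent, parses an ELF64 little-endian image with the standard library's struct module and emits the per-file feature dictionary {Filename, F_i:Value_i} that step 4 consumes. It constructs a minimal x86-64 executable in memory (one PT_LOAD segment, a .text and a .shstrtab section) so it runs offline. The key naming scheme, which prefixes each field with the segment type or section name (LOAD.p_flags, .text.sh_type), the inclusion of p_vaddr, and the handling of repeated segment types are the example's own choices; the patent lists only the field names.

```python
"""Feature extraction for steps 1-3: ELF header, program headers, section headers."""
import struct
from collections import Counter

# Struct layouts for ELF64 little-endian, the only variant this example handles.
EHDR_FMT = "<16sHHIQQQIHHHHHH"  # e_ident .. e_shstrndx, 64 bytes
PHDR_FMT = "<IIQQQQQQ"          # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align, 56 bytes
SHDR_FMT = "<IIQQQQIIQQ"        # sh_name sh_type sh_flags sh_addr sh_offset sh_size sh_link sh_info sh_addralign sh_entsize, 64 bytes

# p_type values from the ELF specification; EXIDX is the ARM-specific PT_ARM_EXIDX named in the patent.
PT_NAMES = {1: "LOAD", 2: "DYNAMIC", 3: "INTERP", 6: "PHDR", 0x70000001: "EXIDX"}


def _cstr(blob, off):
    end = blob.find(b"\x00", off)
    return blob[off:end if end >= 0 else len(blob)].decode("ascii", "replace")


def parse_elf_features(filename, data):
    """Return the feature dictionary {Filename, F_i: Value_i} for one ELF64 LE file."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled in this example")
    (_, e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, _,
     e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = struct.unpack_from(EHDR_FMT, data, 0)
    feats = {"Filename": filename, "e_type": e_type, "e_machine": e_machine,
             "e_version": e_version, "e_entry": e_entry, "e_phoff": e_phoff,
             "e_shoff": e_shoff, "e_ehsize": e_ehsize, "e_phnum": e_phnum, "e_shnum": e_shnum}
    # Step 2: one key group per program header, named by segment type (LOAD, LOAD#1, DYNAMIC, ...).
    seen = Counter()
    for i in range(e_phnum):
        p_type, p_flags, p_offset, p_vaddr, _, p_filesz, p_memsz, p_align = \
            struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        base = PT_NAMES.get(p_type, f"PT_{p_type:#x}")
        tag = f"{base}#{seen[base]}" if seen[base] else base
        seen[base] += 1
        feats.update({f"{tag}.p_type": p_type, f"{tag}.p_offset": p_offset, f"{tag}.p_vaddr": p_vaddr,
                      f"{tag}.p_filesz": p_filesz, f"{tag}.p_memsz": p_memsz,
                      f"{tag}.p_flags": p_flags, f"{tag}.p_align": p_align})
    # Step 3: one key group per section, named through the section-name string table (e_shstrndx).
    shdrs = [struct.unpack_from(SHDR_FMT, data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    names = b""
    if shdrs and e_shstrndx < e_shnum:
        st = shdrs[e_shstrndx]
        names = data[st[4]:st[4] + st[5]]          # sh_offset .. sh_offset + sh_size
    for sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, _, _, sh_addralign, _ in shdrs:
        if sh_type == 0:                            # SHT_NULL placeholder carries no information
            continue
        tag = _cstr(names, sh_name) or f"sec@{sh_offset:#x}"
        feats.update({f"{tag}.sh_type": sh_type, f"{tag}.sh_flags": sh_flags, f"{tag}.sh_addr": sh_addr,
                      f"{tag}.sh_offset": sh_offset, f"{tag}.sh_size": sh_size,
                      f"{tag}.sh_addralign": sh_addralign})
    return feats


def build_sample_elf():
    """Constructed minimal x86-64 ET_EXEC (one PT_LOAD, .text and .shstrtab) used as offline input."""
    text = b"\x31\xff\xb8\x3c\x00\x00\x00\x0f\x05".ljust(16, b"\x90")   # exit(0) stub, nop padded
    shstr = b"\x00.text\x00.shstrtab\x00"                                # 17 bytes
    img = bytearray(352)
    img[120:136] = text
    img[136:153] = shstr
    struct.pack_into(EHDR_FMT, img, 0, b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
                     2, 0x3e, 1, 0x400078, 64, 160, 0, 64, 56, 1, 64, 3, 2)
    struct.pack_into(PHDR_FMT, img, 64, 1, 5, 0, 0x400000, 0x400000, 136, 136, 0x1000)
    struct.pack_into(SHDR_FMT, img, 160 + 64, 1, 1, 6, 0x400078, 120, 16, 0, 0, 16, 0)   # .text
    struct.pack_into(SHDR_FMT, img, 160 + 128, 7, 3, 0, 0, 136, 17, 0, 0, 1, 0)          # .shstrtab
    return bytes(img)


if __name__ == "__main__":
    for k, v in parse_elf_features("sample.elf", build_sample_elf()).items():
        print(f"{k}: {v:#x}" if isinstance(v, int) else f"{k}: {v}")
```

On a real sample library the same function is applied to each file's bytes; files that are not ELF64 little-endian (32-bit or big-endian ARM and MIPS binaries, which are common in Linux malware) need the corresponding ELF32 and big-endian layouts, which this example deliberately rejects rather than misparses.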
The second stage comprises the following steps:
Step 4, after the features of each ELF sample file have been extracted in steps 1, 2 and 3, an original feature key-value pair set is formed. For example, the original feature key-value pair set obtained from the file named filename_j is {F_1:Value_1, …, F_i:Value_i, …, F_n:Value_n}, where F_i ∈ {e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_ehsize, e_phnum, e_shnum, p_type, p_offset, p_vaddr, p_filesz, p_memsz, p_flags, p_align, sh_type, sh_flags, sh_addr, sh_offset, sh_size, sh_addralign} and Value_i is the value of the corresponding attribute in that ELF file.
Feature processing is then performed on the original feature key-value pair sets extracted from the ELF files in the sample library: the sets are simplified by feature reduction, which retains the static structure attribute features that are more effective in distinguishing normal from malicious ELF files and removes redundant features. The feature reduction method is as follows:
Some static structure attribute features F_i take similar values Value_i in normal and malicious ELF files; such features are of no use for identifying malicious ELF files, so the effectiveness of each feature is computed and redundant features of low effectiveness are removed.
For example, suppose the sample library contains p normal samples and q malicious samples. The values taken by feature F_i in the p normal ELF files are represented by the set P = {F_i:Value_i1, F_i:Value_i2, …, F_i:Value_ij, …, F_i:Value_ip}, where F_i:Value_ij denotes the value of feature F_i in the j-th normal sample. The values taken by F_i in the q malicious ELF files are represented by the set Q = {F_i:Value_i1, F_i:Value_i2, …, F_i:Value_ij, …, F_i:Value_iq}, where F_i:Value_ij denotes the value of F_i in the j-th malicious sample.
The validity of feature F_i is then taken from U = |P ∩ Q|, the number of identical elements in sets P and Q; U counts the values shared by the two classes, so a feature whose values are largely shared discriminates poorly. A validity threshold is set for each kind of feature extracted from the ELF files in the sample library and adjusted manually according to the observed validity, and a feature F_i whose validity is below the threshold is removed.
Based on the reduced feature set, a feature dictionary is generated for each ELF file in the sample library, expressed as {Filename:filename, F_1:Value_1, …, F_i:Value_i, …, F_n:Value_n}: it collects the ELF filename Filename and the ELF file's feature key-value pair set {F_1:Value_1, …, F_i:Value_i, …, F_n:Value_n}, which consists of n feature key-value pairs whose keys are the names of the static structure attributes extracted in steps 1, 2 and 3 and whose values Value_i are the corresponding attribute content of the ELF file.
The feature dictionaries formed from the individual ELF files are combined into a feature dictionary list with the structure shown in the following table, where F_ji:Value_ji denotes the value Value_ji of feature F_i in file j:

Filename               Feature set
Filename:filename_1    F_11:Value_11, …, F_1i:Value_1i, …, F_1n:Value_1n
Filename:filename_2    F_21:Value_21, …, F_2i:Value_2i, …, F_2n:Value_2n
…                      …
Filename:filename_j    F_j1:Value_j1, …, F_ji:Value_ji, …, F_jn:Value_jn
Step 5, the detection rules contained in the feature dictionary list are automatically extracted from the processed feature dictionary list, specifically as follows:
(1) first, all distinct feature key-value pairs in the feature dictionary list are collected into the one-item feature key-value pair set, and the frequency of occurrence in the feature dictionary list of each element of the set is counted;
(2) a minimum support threshold is set (a value in the range 0.2 to 1.0, the specific value being adjusted dynamically according to the feature distribution of the samples), and elements whose frequency of occurrence is below the minimum support threshold are removed from the one-item feature key-value pair set;
(3) all elements of the one-item set are combined pairwise into two-item feature key-value pairs, forming the two-item feature key-value pair set, and the frequency of occurrence in the feature dictionary list of each element of the two-item set is counted;
(4) elements whose frequency of occurrence is below the minimum support threshold are removed from the two-item feature key-value pair set;
(5) all elements of the two-item set are combined into three-item feature key-value pairs, forming the three-item feature key-value pair set, and the frequency of occurrence in the feature dictionary list of each element of the set is counted;
(6) if the frequency of occurrence of an element of the three-item feature key-value pair set is below the minimum support threshold, or a subset of the element does not belong to the one-item or two-item feature key-value pair set, the element is removed;
(7) the N-item feature key-value pair set is generated recursively by the same method, and the operation stops when the generated N-item set is empty;
(8) the one-item, two-item and so on up to N-item feature key-value pair sets obtained in the above steps are merged into the final feature key-value pair set.
Step 6, the feature key-value pair set is screened to generate static detection rules for ELF file detection and form a static detection rule library.
All elements of the feature key-value pair set are screened further: an element whose frequency of occurrence in the malicious ELF files of the sample library is 0 is kept as a whitelist rule, and an element whose frequency of occurrence in the normal ELF files of the sample library is 0 is kept as a blacklist rule; the blacklist and whitelist rules together form the static detection rule library, which completes the automatic construction of the static detection rule library based on ELF file characteristics. Finally, the ELF file to be detected is matched against the rules in the static detection rule base: an ELF file matching a blacklist rule is judged a malicious sample, and one matching a whitelist rule is judged a normal sample.
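Steps 4 to 6 above (and steps 4 to 6 of the Disclosure) are validity-based feature reduction, Apriori-style frequent itemset mining under a minimum support threshold, and blacklist/whitelist screening of the frequent itemsets. The Python below is an added example, not the patent's code, and runs the whole pipeline over a constructed ten-file sample library of feature dictionaries (six normal, four malicious; values such as e_shnum = 0 for a stripped section table and LOAD.p_flags = 7 for an RWX segment are chosen for illustration). Two points are the example's own assumptions: the validity measure is normalised to |P ∩ Q| / |P ∪ Q|, so that features with different numbers of distinct values share one threshold and a feature is dropped when its values are mostly shared by both classes, which is the behaviour the surrounding text describes; and when a file matches both a blacklist and a whitelist rule, the blacklist wins, since the patent does not say how that case is resolved.

```python
"""Steps 4-6: feature reduction, Apriori itemset mining, blacklist/whitelist rule screening."""
from itertools import combinations

# Constructed sample library: (filename, label, feature dictionary as produced by steps 1-3).
SAMPLES = [
    ("n1", "normal",    {"e_type": 3, "e_machine": 62, "e_shnum": 29, "e_phnum": 11, "LOAD.p_flags": 5}),
    ("n2", "normal",    {"e_type": 3, "e_machine": 62, "e_shnum": 30, "e_phnum": 11, "LOAD.p_flags": 5}),
    ("n3", "normal",    {"e_type": 3, "e_machine": 62, "e_shnum": 29, "e_phnum": 11, "LOAD.p_flags": 5}),
    ("n4", "normal",    {"e_type": 3, "e_machine": 62, "e_shnum": 28, "e_phnum": 13, "LOAD.p_flags": 5}),
    ("n5", "normal",    {"e_type": 3, "e_machine": 62, "e_shnum": 29, "e_phnum": 11, "LOAD.p_flags": 5}),
    ("n6", "normal",    {"e_type": 2, "e_machine": 62, "e_shnum": 27, "e_phnum": 9,  "LOAD.p_flags": 5}),
    ("m1", "malicious", {"e_type": 2, "e_machine": 62, "e_shnum": 0,  "e_phnum": 2,  "LOAD.p_flags": 7}),
    ("m2", "malicious", {"e_type": 2, "e_machine": 62, "e_shnum": 0,  "e_phnum": 2,  "LOAD.p_flags": 7}),
    ("m3", "malicious", {"e_type": 2, "e_machine": 62, "e_shnum": 0,  "e_phnum": 3,  "LOAD.p_flags": 7}),
    ("m4", "malicious", {"e_type": 2, "e_machine": 62, "e_shnum": 0,  "e_phnum": 2,  "LOAD.p_flags": 5}),
]


def value_overlap(samples):
    """Per feature F_i: |P ∩ Q| / |P ∪ Q|, with P/Q the value sets seen in normal/malicious files.
    The patent's U = |P ∩ Q| counts shared values; dividing by |P ∪ Q| is an assumed normalisation."""
    seen = {}
    for _, label, feats in samples:
        for f, v in feats.items():
            seen.setdefault(f, {"normal": set(), "malicious": set()})[label].add(v)
    return {f: len(s["normal"] & s["malicious"]) / len(s["normal"] | s["malicious"])
            for f, s in seen.items()}


def reduce_features(samples, max_overlap=0.5):
    """Step 4, feature reduction: drop features whose values are mostly shared by both classes."""
    return {f for f, o in value_overlap(samples).items() if o <= max_overlap}


def dictionary_list(samples, kept):
    """Feature dictionary list: one (label, frozenset of (F_i, Value_i)) entry per file."""
    return [(label, frozenset((f, v) for f, v in feats.items() if f in kept))
            for _, label, feats in samples]


def support_count(itemset, dicts):
    return sum(1 for _, items in dicts if itemset <= items)


def apriori(dicts, min_support):
    """Step 5: build C_1, C_2, ... C_n of itemsets with support >= min_support. A k-item candidate
    is pruned when any (k-1)-item subset is not itself frequent. Returns C = C_1 ∪ ... ∪ C_n."""
    n = len(dicts)

    def frequent(s):
        return support_count(s, dicts) / n >= min_support

    c_k = {frozenset([kv]) for _, items in dicts for kv in items}
    c_k = {s for s in c_k if frequent(s)}
    result, k = set(c_k), 2
    while c_k:
        cands = {a | b for a, b in combinations(c_k, 2) if len(a | b) == k}
        cands = {c for c in cands if all(frozenset(sub) in c_k for sub in combinations(c, k - 1))}
        c_k = {c for c in cands if frequent(c)}
        result |= c_k
        k += 1
    return result


def build_rules(itemsets, dicts):
    """Step 6: itemsets never seen in normal files -> blacklist; never seen in malicious -> whitelist."""
    normal = [d for d in dicts if d[0] == "normal"]
    malicious = [d for d in dicts if d[0] == "malicious"]
    black = {s for s in itemsets if support_count(s, normal) == 0}
    white = {s for s in itemsets if support_count(s, malicious) == 0}
    return black, white


def build_rule_base(samples, min_support=0.3, max_overlap=0.5):
    kept = reduce_features(samples, max_overlap)
    dicts = dictionary_list(samples, kept)
    itemsets = apriori(dicts, min_support)
    black, white = build_rules(itemsets, dicts)
    return kept, itemsets, black, white


def classify(feats, black, white):
    """Match a file's feature dictionary against the rule base; blacklist is consulted first (assumed order)."""
    items = frozenset(feats.items())
    if any(rule <= items for rule in black):
        return "malicious"
    if any(rule <= items for rule in white):
        return "normal"
    return "unknown"


if __name__ == "__main__":
    kept, itemsets, black, white = build_rule_base(SAMPLES)
    print("kept features:", sorted(kept))
    print(f"{len(itemsets)} frequent itemsets, {len(black)} blacklist, {len(white)} whitelist rules")
    for rule in sorted(black, key=len):
        print("  BLACK", dict(rule))
```

On this library e_machine is dropped by the reduction step because every file is x86-64, and the mining yields 26 frequent itemsets at min_support = 0.3, of which 10 become blacklist rules and 14 whitelist rules; the two remaining itemsets ({e_type:2} and {LOAD.p_flags:5}) occur in both classes and produce no rule. Note the interaction between the two thresholds: a blacklist itemset by definition occurs only in malicious files, so its support over the whole library can never exceed the malicious fraction of the library. With the 0.9 threshold quoted in the Disclosure, rules can only emerge when one class makes up at least 90% of the samples; in practice min_support has to be set below the proportion of the smaller class, or support should be measured per class. A file matching no rule at all comes back as "unknown" here rather than being forced into one class.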
It is noted that the disclosed embodiments are intended to aid in further understanding of the invention, but those skilled in the art will appreciate that: various substitutions and modifications are possible without departing from the spirit and scope of the invention and appended claims. Therefore, the invention should not be limited to the embodiments disclosed, but the scope of the invention is defined by the appended claims.

Claims (7)

1. An automatic extraction method for malware static detection rules based on ELF file characteristics, comprising the following steps:
Step one, analyzing and extracting the static structure characteristics of an ELF file sample library, the ELF file sample library comprising normal ELF file samples and malicious ELF file samples, by the following steps:
Step 1, parsing each ELF file in the sample library and extracting the static structure attribute content of its ELF header;
Step 2, parsing each ELF file in the sample library and extracting the static structure attribute content of its program header table;
Step 3, parsing each ELF file in the sample library and extracting the static structure attribute content of its section header table;
step two, automatically extracting static detection rules; the method comprises the following steps:
step 4, performing feature processing on the staticized structure attribute extracted from the ELF file in the sample library; the following operations are performed:
41) simplifying the static structure attribute through feature reduction, and removing redundant features to obtain a simplified feature set;
42) based on the simplified feature set, generating a feature dictionary for each ELF file in the ELF sample library, wherein the feature dictionary structure is Dictoryj={Filename:filename,F1:Value1,…,Fi:Valuei,…,Fn:ValuenJ is e [1, m ]],i∈[1,n](ii) a m is the total number of the ELF files contained in the ELF sample library; n is the number of the characteristic key value pairs;
the feature dictionary generated by each ELF file consists of the ELF Filename key-value pairs Filenname and the feature key-value pair set { F } contained in the ELF file1:Value1,…,Fi:Valuei,…,Fn:ValuenA feature key-value pair set consists of n feature key-value pairs; wherein, the characteristic key FiFor the attribute name and the Value of the feature Value of the extracted static structure in the ELF fileiFor attribute F in the ELF fileiThe content of (a);
43) combining the feature dictionaries of all ELF files in the ELF sample library into a dictionary list, expressed as [Dictory_1, …, Dictory_j, …, Dictory_m], where Dictory_j denotes the feature dictionary of the j-th ELF file, {Filename: Filename, F_1: Value_1, …, F_i: Value_i, …, F_n: Value_n};
Step 5, automatically extracting the detection rules contained in the feature dictionary list based on the processed staticized structure attributes, with the following steps:
51) first, finding all non-repeated feature key-value pairs {F_i: Value_i} in the feature dictionary list to form a feature key-value pair set C_1 = {F_1: Value_1, F_2: Value_2, F_3: Value_3, …}, and counting the frequency of occurrence of each element {F_i: Value_i} of C_1 in the feature dictionary list;
52) setting a minimum support threshold; if the frequency of occurrence of an element of C_1 is less than the minimum support threshold, the element is removed, thereby simplifying the feature key-value pair set C_1;
53) combining all elements of the C_1 obtained in step 52) pairwise into two-item feature key-value pairs {F_i: Value_i, F_j: Value_j} to obtain a two-item feature key-value pair set C_2, and counting the frequency of occurrence of each element {F_i: Value_i, F_j: Value_j} of C_2 in the feature dictionary list;
54) if the frequency of occurrence of an element of C_2 is less than the minimum support threshold, the element is removed, thereby simplifying the two-item feature key-value pair set C_2;
55) combining all elements of C_2 with each other into three-item feature key-value pairs {F_i: Value_i, F_j: Value_j, F_k: Value_k} to obtain a three-item feature key-value pair set C_3, and counting the frequency of occurrence of each element {F_i: Value_i, F_j: Value_j, F_k: Value_k} of C_3 in the feature dictionary list;
56) if the frequency of occurrence of an element of C_3 is less than the minimum support threshold, or a subset of the element does not belong to C_1 or C_2, the element is removed, thereby simplifying C_3;
57) recursively generating the set C_n of N-item feature key-value pairs until the generated C_n is empty, at which point the operation stops;
58) merging the obtained one-item feature key-value pair set C_1, the two-item feature key-value pair set C_2, up to the N-item feature key-value pair set C_n, to obtain the final feature key-value pair set C, i.e. C = C_1 ∪ C_2 ∪ … ∪ C_n;
Step 6, screening the feature key-value pair set C: an element whose frequency of occurrence in the malicious ELF files of the sample library is 0 is kept as a white-list rule, and an element whose frequency of occurrence in the normal ELF files of the sample library is 0 is kept as a black-list rule; this generates static detection rules that can be used for detecting ELF files, from which a static detection rule base can be formed;
Through the above steps, automatic extraction of malware static detection rules based on ELF file characteristics is realized.
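Steps 51) to 58) are an Apriori-style level-wise frequent itemset search and step 6 screens the result by label. The following Python implementation is an added example, not code from the patent: the sample library, its attribute names and the threshold 0.3 are constructed for illustration, and classify() applies the rules as claim 6 describes, returning "unknown" when neither list matches, a case the claims leave unspecified.

```python
from itertools import combinations

# Constructed sample library (not from the patent): one feature dictionary per ELF
# file; "malicious" is the label used only in step 6, attribute names are illustrative.
SAMPLES = [
    {"Filename": "mal_a", "malicious": True,  "e_type": "EXEC", "e_machine": "ARM",  "p_flags.LOAD": "RWE"},
    {"Filename": "mal_b", "malicious": True,  "e_type": "EXEC", "e_machine": "ARM",  "p_flags.LOAD": "RWE"},
    {"Filename": "mal_c", "malicious": True,  "e_type": "EXEC", "e_machine": "MIPS", "p_flags.LOAD": "RWE"},
    {"Filename": "ben_a", "malicious": False, "e_type": "DYN",  "e_machine": "ARM",  "p_flags.LOAD": "RE"},
    {"Filename": "ben_b", "malicious": False, "e_type": "DYN",  "e_machine": "ARM",  "p_flags.LOAD": "RE"},
    {"Filename": "ben_c", "malicious": False, "e_type": "EXEC", "e_machine": "ARM",  "p_flags.LOAD": "RE"},
]
META = {"Filename", "malicious"}
def items(d):  # the feature key-value pairs F_i:Value_i of one dictionary, as a frozenset
    return frozenset((k, v) for k, v in d.items() if k not in META)

def support(itemset, dicts):  # fraction of the dictionaries containing every pair of itemset
    return sum(itemset <= items(d) for d in dicts) / len(dicts)

def mine_itemsets(dicts, min_support):
    """Steps 51)-58): level-wise C_1, C_2, ... pruned by minimum support and by the
    subset rule of step 56); returns C = C_1 U C_2 U ... U C_n."""
    c1 = {frozenset([p]) for d in dicts for p in items(d)}
    levels = [{s for s in c1 if support(s, dicts) >= min_support}]
    while levels[-1]:                       # step 57): stop once C_n comes out empty
        prev = levels[-1]
        cand = {a | b for a in prev for b in prev if len(a | b) == len(a) + 1}
        levels.append({s for s in cand if support(s, dicts) >= min_support
                       and all(frozenset(t) in prev for t in combinations(s, len(s) - 1))})
    return set().union(*levels)

def extract_rules(dicts, min_support):
    """Step 6: never seen in a normal file -> black list; never seen in a malicious file -> white list."""
    mal = [d for d in dicts if d["malicious"]]
    ben = [d for d in dicts if not d["malicious"]]
    black, white = set(), set()
    for s in mine_itemsets(dicts, min_support):
        if support(s, ben) == 0:
            black.add(s)
        elif support(s, mal) == 0:
            white.add(s)
    return black, white

def classify(feature_dict, black, white):
    """Claim 6 matching; black list first and "unknown" on no match are this example's choices."""
    f = items(feature_dict)
    if any(rule <= f for rule in black):
        return "malicious"
    return "normal" if any(rule <= f for rule in white) else "unknown"
```

With this library the MIPS value occurs in only one of six files and is pruned by the support threshold, so every black-list rule hinges on the RWE LOAD flags rather than on the architecture, which is what lets the rule base match an unseen MIPS sample.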
2. The method for automatically extracting the malware static detection rule based on the ELF file characteristics as claimed in claim 1, characterized in that the static structure attribute content recorded by the ELF header table and parsed according to the ELF file format includes the attributes e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_ehsize, e_phnum and e_shnum.
3. The method as claimed in claim 1, wherein the program header table parsed according to the ELF file format includes the segments PHDR, LOAD, DYNAMIC and EXIDX; the static structure attribute content recorded by the program header table includes the attributes p_type, p_offset, p_filesz, p_memsz, p_flags and p_align.
4. The method as claimed in claim 1, wherein the section header table parsed according to the ELF file format includes the sections dynsym, dynstr, rel, plt, text, rodata, dynamic, data and bss; the static structure attribute content recorded by the section header table includes sh_type, sh_flags, sh_addr, sh_offset, sh_size and sh_addralign.
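As an added example (not the patent's own implementation), a parser for the ELF header attributes that claim 2 names, producing the feature dictionary of step 43; the program and section header parsing of claims 3 and 4 is left out. The sample header is constructed inline, and handling both ELF32 and ELF64 and both byte orders goes beyond what the claim states.

```python
import struct

# ELF header fields after e_ident[16], in file order (System V ABI).
_FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
           "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
           "e_shnum", "e_shstrndx")
_LAYOUT = {1: "HHIIIIIHHHHHH", 2: "HHIQQQIHHHHHH"}   # ELFCLASS32 / ELFCLASS64
# The attributes claim 2 keeps as staticized structure attributes.
KEPT = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
        "e_ehsize", "e_phnum", "e_shnum")

def elf_header_features(data, filename):
    """Parse the ELF header of `data` and return the feature dictionary of step 43,
    {Filename: ..., F_i: Value_i, ...}, restricted to the attributes of claim 2."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in _LAYOUT or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or byte order")
    fmt = ("<" if ei_data == 1 else ">") + _LAYOUT[ei_class]   # ELFDATA2LSB / 2MSB
    end = 16 + struct.calcsize(fmt)
    if len(data) < end:
        raise ValueError("truncated ELF header")
    values = dict(zip(_FIELDS, struct.unpack(fmt, data[16:end])))
    features = {"Filename": filename}
    features.update((k, values[k]) for k in KEPT)
    return features

def constructed_elf64_header():
    """A constructed 64-byte ELF64 header (not taken from any real binary):
    little-endian x86-64 executable with 4 program headers and 10 sections."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # class 64, LSB, version 1
    return e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x401000, 64, 0x2000,
                                 0, 64, 56, 4, 64, 10, 9)
```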
5. The method for automatically extracting the malware static detection rule based on the ELF file features as claimed in claim 1, wherein the minimum support threshold of step 52) is set between 0.2 and 1.0.
6. The method for automatically extracting the malware static detection rule based on the ELF file features as claimed in claim 1, wherein the static detection of the malware is performed by using the extracted static detection rule, comprising the following steps:
1) matching the ELF file to be detected with rules in a static detection rule base;
2) judging the ELF file conforming to the blacklist rule as a malicious sample;
3) judging the ELF file meeting the white list rule as a normal sample.
7. The method for automatically extracting the malware static detection rule based on the ELF file features as claimed in claim 1, wherein the method is used to implement an automatic extraction system for the malware static detection rule based on the ELF file features; the system comprises an ELF file parsing subsystem and a static detection rule base generation subsystem;
the ELF file parsing subsystem comprises an ELF header table staticized structure attribute extraction module, a program header table staticized structure attribute extraction module and a section header table staticized structure attribute extraction module;
the ELF header table static structure attribute extraction module is used to parse the static structure attribute content recorded by the ELF header table according to the ELF file format; the program header table static structure attribute extraction module is used to parse the static structure attribute content recorded by the program header table according to the ELF file format; the section header table static structure attribute extraction module is used to parse the static structure attribute content recorded by the section header table according to the ELF file format;
the static detection rule base generation subsystem comprises a staticized structure attribute feature processing module, a detection rule extraction module and a detection rule base generation module; the staticized structure attribute feature processing module is used to process the staticized structure attribute features based on effectiveness; the detection rule extraction module is used to automatically extract the feature key-value pair set from the static structure attributes; and the detection rule base generation module is used to screen the feature key-value pair set to generate a static detection rule base that can be used for detecting ELF files.
CN201910212116.4A 2019-03-20 2019-03-20 Static detection rule extraction method and detection method based on ELF file characteristics Expired - Fee Related CN110008701B (en)

Publications (2)

Publication Number Publication Date
CN110008701A CN110008701A (en) 2019-07-12
CN110008701B true CN110008701B (en) 2020-11-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20201103