Summary of the invention
The present invention aims to solve at least some of the technical problems in the related art.
To this end, a first object of the present invention is to propose a method for detecting malicious scripts.
A second object of the present invention is to propose a device for detecting malicious scripts.
A third object of the present invention is to propose a computer device.
A fourth object of the present invention is to propose a non-transitory computer-readable storage medium.
A fifth object of the present invention is to propose a computer program product.
To achieve the above objects, an embodiment of the first aspect of the present invention proposes a method for detecting malicious scripts, including the following steps: obtaining a script under test, and obtaining multiple logical blocks of the script under test through lexical and syntactic analysis; performing dynamic processing on each of the multiple logical blocks, and obtaining a processing result for each logical block; and obtaining a malicious-detection result for the script under test according to the processing result of each logical block.
The method for detecting malicious scripts according to the embodiment of the present invention enables malicious code to be executed unconditionally during dynamic detection, so that the real malicious behavior of a malicious script is detected quickly and accurately and malicious scripts are detected effectively. This effectively improves the accuracy and reliability of detection, so that users can avoid attacks by malicious scripts, and improves the user experience.
In addition, the method for detecting malicious scripts according to the above embodiment of the present invention may also have the following additional technical features:
Further, in one embodiment of the present invention, obtaining the multiple logical blocks of the script under test through lexical and syntactic analysis further includes: taking, through lexical and syntactic analysis, each minimal independently executable statement element in the script under test as one logical block, so as to obtain the multiple logical blocks by segmentation.
Further, in one embodiment of the present invention, the method further includes: saving the processing result of each logical block.
Further, in one embodiment of the present invention, performing dynamic processing on each of the multiple logical blocks includes: calling a dynamic processing interface and passing the multiple logical blocks in one after another for dynamic processing.
To achieve the above objects, an embodiment of the second aspect of the present invention proposes a device for detecting malicious scripts, including: a first acquisition module, configured to obtain a script under test and to obtain multiple logical blocks of the script under test through lexical and syntactic analysis; a processing module, configured to perform dynamic processing on each of the multiple logical blocks and to obtain a processing result for each logical block; and a second acquisition module, configured to obtain a malicious-detection result for the script under test according to the processing result of each logical block.
The device for detecting malicious scripts according to the embodiment of the present invention enables malicious code to be executed unconditionally during dynamic detection, so that the real malicious behavior of a malicious script is detected quickly and accurately and malicious scripts are detected effectively. This effectively improves the accuracy and reliability of detection, so that users can avoid attacks by malicious scripts, and improves the user experience.
In addition, the device for detecting malicious scripts according to the above embodiment of the present invention may also have the following additional technical features:
Further, in one embodiment of the present invention, the first acquisition module is further configured to take, through lexical and syntactic analysis, each minimal independently executable statement element in the script under test as one logical block, so as to obtain the multiple logical blocks by segmentation; and the processing module is further configured to call a dynamic processing interface and pass the multiple logical blocks in one after another for dynamic processing.
Further, in one embodiment of the present invention, the device further includes: a saving module, configured to save the processing result of each logical block.
To achieve the above objects, an embodiment of the third aspect of the present invention proposes a computer device, including a memory, a processor, and a computer program stored on the memory and runnable on the processor; when the processor executes the program, the dynamic malicious-code detection method of the above embodiment is implemented.
To achieve the above objects, an embodiment of the fourth aspect of the present invention proposes a non-transitory computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, the dynamic malicious-code detection method of the above embodiment is implemented.
To achieve the above objects, an embodiment of the fifth aspect of the present invention proposes a computer program product; when instructions in the computer program product are executed by a processor, the dynamic malicious-code detection method of the above embodiment is executed.
Additional aspects and advantages of the present invention will be set forth in part in the following description, and in part will become apparent from the following description or be learned through practice of the present invention.
Specific embodiment
Embodiments of the present invention are described in detail below, and examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements having the same or similar functions. The embodiments described below with reference to the drawings are exemplary; they are intended to explain the present invention and shall not be construed as limiting it.
The method and device for detecting malicious scripts proposed according to embodiments of the present invention are described below with reference to the accompanying drawings. The method for detecting malicious scripts is described first.
Fig. 1 is a flowchart of the method for detecting malicious scripts according to one embodiment of the present invention.
As shown in Fig. 1, the method for detecting malicious scripts includes the following steps:
In step S101, a script under test is obtained, and multiple logical blocks of the script under test are obtained through lexical and syntactic analysis.
It can be understood that, as shown in Fig. 2, the embodiment of the present invention first obtains the script to be detected and then performs static logical-block preprocessing on it by means such as lexical and syntactic analysis.
It should be noted that the embodiment of the present invention performs static logical-block preprocessing on the script to be detected. The purpose of blocking is to exclude the influence of all logical judgments and function calls in the script on the subsequent dynamic processing result. In other words, static logical-block preprocessing effectively removes the influence of all logical judgments and function calls in the script on the subsequent dynamic processing result, thereby improving the capability and accuracy of capturing dynamic behavior.
Further, in one embodiment of the present invention, obtaining the multiple logical blocks of the script under test through lexical and syntactic analysis further includes: taking, through lexical and syntactic analysis, each minimal independently executable statement element in the script under test as one logical block, so as to obtain the multiple logical blocks by segmentation.
It can be understood that the blocking method is to take, according to lexical and syntactic analysis, each minimal statement element in the script that can be executed independently as one logical block (for example, splitting the statements inside an if/else so that they execute unconditionally).
In step S102, dynamic processing is performed on each of the multiple logical blocks, and a processing result is obtained for each logical block.
It can be understood that the embodiment of the present invention sends the multiple logical blocks to a dynamic detection module, and the dynamic detection module performs dynamic processing on the logical blocks it receives.
Further, in one embodiment of the present invention, performing dynamic processing on each of the multiple logical blocks includes: calling a dynamic processing interface and passing the multiple logical blocks in one after another for dynamic processing.
It can be understood that the embodiment of the present invention calls the dynamic processing interface and passes the segmented logical blocks in one after another for dynamic processing, thereby obtaining a processing result for each logical block. In this way, when an error occurs while one block is being dynamically processed, the dynamic processing of subsequent modules is not affected, and as much code as possible can be executed, thereby improving the capability of capturing the dynamic behavior of malicious code.
Further, in one embodiment of the present invention, the method of the embodiment of the present invention further includes: saving the processing result of each logical block.
It can be understood that, as shown in Fig. 2, the embodiment of the present invention can save the processing result obtained after each block has been dynamically processed.
In step S103, the malicious-detection result for the script under test is obtained according to the processing result of each logical block.
For example, the vast majority of malicious scripts to be detected have been compressed, encrypted, obfuscated and so on. If they are detected in the traditional dynamic-detection manner, then when anti-sandbox techniques such as delays or checks of the current time are used to bypass execution of the malicious code, the malicious behavior of the malicious script cannot really be detected. Therefore, the embodiment of the present invention adds a static logical-block preprocessing function before the script to be detected is dynamically processed, so that every independently executable statement can be executed during dynamic processing, which effectively improves the capability and accuracy of capturing the dynamic behavior of malicious code.
Specifically, in one particular embodiment of the present invention, as shown in Fig. 2, the method of the embodiment of the present invention includes the following steps:
Step S201: start.
Step S202: script to be detected.
That is, the script under test is obtained, and the method proceeds to step S203.
Step S203: static logical blocking.
Specifically, static logical-block preprocessing is performed on the script to be detected by means such as lexical and syntactic analysis, so as to exclude the influence of all logical judgments and function calls in the script on the subsequent dynamic processing result.
In an embodiment of the present invention, the static logical-block preprocessing function is added so that every independently executable statement can be executed during dynamic processing, which effectively improves the capability and accuracy of capturing the dynamic behavior of malicious code.
Step S204: dynamic processing.
After static logical-block preprocessing, the segmented logical blocks are passed in one after another for dynamic processing, so that a processing result is obtained for each logical block. When an error occurs while one block is being dynamically processed, the dynamic processing of subsequent modules is not affected, so more code is effectively executed, thereby improving the capability of capturing the dynamic behavior of malicious code.
Step S205: save the processing result of each block.
Step S206: obtain the malicious-detection result according to the processing result of each block.
In short, if detection is performed in the dynamic-detection manner of the related art, then when anti-sandbox techniques such as delays or checks of the current time are used to bypass execution of the malicious code, the malicious behavior of the malicious script cannot really be detected. The embodiment of the present invention, however, adds a static logical-block preprocessing function before the script to be detected is dynamically processed, so that every independently executable statement can be executed during dynamic processing; it then calls the dynamic processing interface and passes the segmented logical blocks in one after another for dynamic processing, so as to obtain a processing result for each logical block.
Step S207: end.
The embodiment of the present invention enables malicious code to be executed unconditionally during dynamic detection, so that the real malicious behavior of a malicious script is detected quickly and accurately and malicious scripts are detected effectively; the real malicious behavior of the malicious script is thus effectively detected, and attacks by malicious scripts are avoided.
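The flow of steps S203 to S206 can be sketched as follows. This is an added example, not code from the patent; it assumes Python as the script language, Python's `ast` module as the lexical and syntactic analyzer, and hypothetical stub functions (`now`, `fetch`, `note`) standing in for the dynamic processing interface.

```python
import ast

# Constructed sample: a time check gates the call of interest, and a later
# statement fails. now/fetch/note are hypothetical stubs, not a real API.
SAMPLE = '''
url = "http://example.invalid/a"
if now() < 0:
    fetch(url)
else:
    note("idle")
undefined_helper()
note("end")
'''

COMPOUND = (ast.If, ast.For, ast.While, ast.Try, ast.With)

def split_blocks(source):
    """S203: flatten the script into minimal independently executable statements."""
    blocks = []
    def walk(stmts):
        for node in stmts:
            if isinstance(node, COMPOUND):
                # Drop the condition; every branch body becomes unconditional.
                for field in ("body", "orelse", "finalbody"):
                    walk(getattr(node, field, []))
                for handler in getattr(node, "handlers", []):
                    walk(handler.body)
            else:
                blocks.append(ast.unparse(node))
    walk(ast.parse(source).body)
    return blocks

def process(blocks):
    """S204/S205: pass blocks one by one to a stub runtime, keep each result."""
    events = []
    def stub(name):
        return lambda *args: events.append((name, args))
    # Empty builtins: only the recording stubs are reachable from the sample.
    # A real detector would run blocks in an isolated emulator or sandbox.
    env = {"__builtins__": {}, "now": lambda: 1.0,
           "fetch": stub("fetch"), "note": stub("note")}
    results = []
    for block in blocks:
        seen = len(events)
        try:
            exec(compile(block, "<block>", "exec"), env)
            error = None
        except Exception as exc:  # one failing block must not stop the rest
            error = type(exc).__name__
        results.append({"block": block, "error": error, "events": events[seen:]})
    return results

def verdict(results, suspicious=frozenset({"fetch"})):
    """S206: flag the script if any block produced a suspicious behavior."""
    return any(name in suspicious for r in results for name, _ in r["events"])

if __name__ == "__main__":
    print("whole script  :", verdict(process([SAMPLE])))
    print("block by block:", verdict(process(split_blocks(SAMPLE))))
```

Run as a whole, the sample takes the `else` branch and then aborts on the undefined name, so the gated call is never observed; run block by block, the gated call is recorded and the failing block does not stop the ones after it.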
The method for detecting malicious scripts proposed according to embodiments of the present invention adds a logical-block preprocessing function on top of a static detection method and combines it with dynamic processing. This enables malicious code to be executed unconditionally during dynamic detection, so that the real malicious behavior of a malicious script is detected quickly and accurately and malicious scripts are detected effectively. The capability of capturing the dynamic behavior of malicious code is thereby effectively improved, as are the accuracy and reliability of detection, so that users can avoid attacks by malicious scripts, and the user experience is improved.
Next, the device for detecting malicious scripts proposed according to embodiments of the present invention is described with reference to the accompanying drawings.
Fig. 3 is a schematic structural diagram of the device for detecting malicious scripts according to one embodiment of the present invention.
As shown in Fig. 3, the device 10 for detecting malicious scripts includes: a first acquisition module 100, a processing module 200 and a second acquisition module 300.
The first acquisition module 100 is configured to obtain a script under test and to obtain multiple logical blocks of the script under test through lexical and syntactic analysis. The processing module 200 is configured to perform dynamic processing on each of the multiple logical blocks and to obtain a processing result for each logical block. The second acquisition module 300 is configured to obtain a malicious-detection result for the script under test according to the processing result of each logical block. The device 10 of the embodiment of the present invention enables malicious code to be executed unconditionally during dynamic detection, so that the real malicious behavior of a malicious script is detected quickly and accurately and malicious scripts are detected effectively. This effectively improves the accuracy and reliability of detection, so that users can avoid attacks by malicious scripts, and improves the user experience.
Further, in one embodiment of the present invention, the first acquisition module 100 is further configured to take, through lexical and syntactic analysis, each minimal independently executable statement element in the script under test as one logical block, so as to obtain the multiple logical blocks by segmentation; and the processing module is further configured to call a dynamic processing interface and pass the multiple logical blocks in one after another for dynamic processing.
Further, in one embodiment of the present invention, the device 10 of the embodiment of the present invention further includes: a saving module. The saving module is configured to save the processing result of each logical block.
It should be noted that the foregoing explanation of the embodiment of the method for detecting malicious scripts also applies to the device for detecting malicious scripts of this embodiment, and is not repeated here.
The device for detecting malicious scripts proposed according to embodiments of the present invention adds a logical-block preprocessing function on top of a static detection method and combines it with dynamic processing. This enables malicious code to be executed unconditionally during dynamic detection, so that the real malicious behavior of a malicious script is detected quickly and accurately and malicious scripts are detected effectively. The capability of capturing the dynamic behavior of malicious code is thereby effectively improved, as are the accuracy and reliability of detection, so that users can avoid attacks by malicious scripts, and the user experience is improved.
In addition, an embodiment of the present invention also proposes a computer device, including a memory, a processor, and a computer program stored on the memory and runnable on the processor; when the processor executes the program, the dynamic malicious-code detection method of the above embodiment is implemented.
In addition, an embodiment of the present invention also proposes a non-transitory computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, the dynamic malicious-code detection method of the above embodiment is implemented.
In addition, an embodiment of the present invention also proposes a computer program product; when instructions in the computer program product are executed by a processor, the dynamic malicious-code detection method of the above embodiment is executed.
In addition, the terms "first" and "second" are used for descriptive purposes only and shall not be understood as indicating or implying relative importance or as implicitly indicating the number of the technical features referred to. Thus, a feature defined with "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "a plurality of" means at least two, for example two, three, etc., unless otherwise specifically defined.
In the description of this specification, a description referring to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic uses of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. In addition, provided they do not conflict with each other, those skilled in the art may combine the different embodiments or examples described in this specification and the features of those different embodiments or examples.
Although embodiments of the present invention have been shown and described above, it should be understood that the above embodiments are exemplary and shall not be construed as limiting the present invention; those of ordinary skill in the art may make changes, modifications, substitutions and variations to the above embodiments within the scope of the present invention.