CN110336835A - Detection method, user equipment, storage medium and device for malicious behavior - Google Patents

Detection method, user equipment, storage medium and device for malicious behavior

Info

Publication number: CN110336835A
Authority: CN (China)
Prior art keywords: malicious, behavior, default, characteristic, type
Legal status: Granted (active)
Application number: CN201910720423.3A
Other languages: Chinese (zh)
Other versions: CN110336835B (en)
Inventors: 蒲大峰, 周运金
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN201910720423.3A
Publication of CN110336835A; application granted; publication of CN110336835B

Classifications

    • H04L63/1416 Event detection, e.g. attack signature detection (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1408 ... by monitoring network traffic)
    • H04L63/1425 Traffic logging, e.g. anomaly detection (same parent path: H04L63/00 > H04L63/14 > H04L63/1408)

Abstract

The present invention relates to the technical field of network security and discloses a detection method, user equipment, storage medium and device for malicious behavior. In the present invention, traffic to be detected is obtained; traffic features corresponding to each preset feature type are extracted from the traffic to be detected, the preset feature types being feature types corresponding to malicious file download behavior; and malicious file download behavior is detected on the traffic features by a preset behavior detection model. Notably, multi-dimensional preset feature types are set in advance in the present invention, and the fixed preset feature types are used to analyze whether the file download behavior contained in the monitored traffic is malicious file download behavior. This improves the accuracy of detecting malicious file download behavior and solves the technical problem that malicious file download behavior cannot be detected accurately.

Description

Detection method, user equipment, storage medium and device for malicious behavior
Technical field
The present invention relates to the technical field of network security, and in particular to a detection method, user equipment, storage medium and device for malicious behavior.
Background technique
Malicious attacks are becoming more and more common. In particular, a malicious attacker typically exploits a security vulnerability to attack a corporate server, obtains the permission to execute commands on the attacked server, and then uses that permission to run a download command on the attacked server, downloading a prepared malicious program to the attacked server's local storage, which completes the malicious intrusion process.
To guard against this malicious intrusion process, corresponding preventive measures are typically used, for example deploying an intranet sandbox, an anti-virus appliance, a firewall, anti-virus software and the like. However, these preventive measures perform poorly in terms of detection accuracy when detecting malicious file download behavior, which greatly reduces security.
It is therefore considered that there exists the technical problem that malicious file download behavior cannot be detected accurately.
The above content is only provided to facilitate understanding of the technical solution of the present invention and does not represent an admission that it is prior art.
Summary of the invention
The main purpose of the present invention is to provide a detection method, user equipment, storage medium and device for malicious behavior, aiming to solve the technical problem that malicious file download behavior cannot be detected accurately.
To achieve the above object, the present invention provides a detection method for malicious behavior, comprising the following steps:
obtaining traffic to be detected;
extracting, from the traffic to be detected, traffic features corresponding to each preset feature type, the preset feature types being feature types corresponding to malicious file download behavior;
detecting malicious file download behavior on the traffic features by a preset behavior detection model.
Preferably, before obtaining the traffic to be detected, the detection method for malicious behavior further includes:
obtaining malicious access traffic samples containing malicious file download behavior;
extracting access features from the malicious access traffic samples;
establishing the preset behavior detection model according to the access features.
Preferably, after obtaining the malicious access traffic samples containing malicious file download behavior, the detection method for malicious behavior further includes:
extracting Hypertext Transfer Protocol (HTTP) traffic from the malicious access traffic samples;
and extracting access features from the malicious access traffic samples specifically includes:
extracting access features from the HTTP traffic.
Preferably, establishing the preset behavior detection model according to the access features specifically includes:
training a first preset decision tree algorithm with the access features to obtain the preset behavior detection model.
Preferably, detecting malicious file download behavior on the traffic features by the preset behavior detection model specifically includes:
obtaining a preset traversal order of the traffic features;
traversing the traffic features in the preset traversal order, taking the traffic feature whose feature type is the target feature type as the traffic feature to be processed, determining the behavior judgement criterion corresponding to the target feature type, and detecting malicious file download behavior on the traffic feature to be processed based on that behavior judgement criterion.
Preferably, before obtaining the preset traversal order of the traffic features, the detection method for malicious behavior further includes:
determining, by a second preset decision tree algorithm, the priority corresponding to each preset feature type according to the information gain corresponding to that preset feature type;
composing the preset traversal order from the priorities.
Preferably, traversing the traffic features in the preset traversal order, taking the traffic feature whose feature type is the target feature type as the traffic feature to be processed, determining the behavior judgement criterion corresponding to the target feature type, and detecting malicious file download behavior on the traffic feature to be processed based on that behavior judgement criterion specifically includes:
reading, in turn, the download file format type sorted in the preset traversal order, and traversing the traffic features in the preset traversal order;
taking the traffic feature whose feature type is the download file format type as the traffic feature to be processed, determining the behavior judgement criterion corresponding to the download file format type, and detecting malicious file download behavior on the traffic feature to be processed based on that behavior judgement criterion.
In addition, to achieve the above object, the present invention also proposes a user equipment comprising a memory, a processor, and a malicious behavior detection program stored on the memory and runnable on the processor, the malicious behavior detection program being configured to carry out the steps of the detection method for malicious behavior described above.
In addition, to achieve the above object, the present invention also proposes a storage medium storing a malicious behavior detection program which, when executed by a processor, carries out the steps of the detection method for malicious behavior described above.
In addition, to achieve the above object, the present invention also proposes a detection device for malicious behavior, comprising:
a traffic detection module for obtaining traffic to be detected;
a feature extraction module for extracting, from the traffic to be detected, traffic features corresponding to each preset feature type, the preset feature types being feature types corresponding to malicious file download behavior;
a behavior detection module for detecting malicious file download behavior on the traffic features by the preset behavior detection model.
In the present invention, traffic to be detected is obtained; traffic features corresponding to each preset feature type are extracted from the traffic to be detected, the preset feature types being feature types corresponding to malicious file download behavior; and malicious file download behavior is detected on the traffic features by a preset behavior detection model. Clearly, multi-dimensional preset feature types are set in advance in the present invention, and the fixed preset feature types are used to analyze whether the file download behavior contained in the monitored traffic is malicious file download behavior, which improves the accuracy of detecting malicious file download behavior and solves the technical problem that malicious file download behavior cannot be detected accurately.
Description of the drawings
Fig. 1 is a schematic structural diagram of the user equipment of the hardware running environment involved in the embodiments of the present invention;
Fig. 2 is a flow diagram of the first embodiment of the detection method for malicious behavior of the present invention;
Fig. 3 is a flow diagram of the second embodiment of the detection method for malicious behavior of the present invention;
Fig. 4 is a flow diagram of the third embodiment of the detection method for malicious behavior of the present invention;
Fig. 5 is a behavior detection flow chart of the third embodiment of the detection method for malicious behavior of the present invention;
Fig. 6 is a structural block diagram of the first embodiment of the detection device for malicious behavior of the present invention.
The realization of the object, the functional features and the advantages of the present invention will be further described with reference to the accompanying drawings and the embodiments.
Detailed description of the embodiments
It should be understood that the specific embodiments described herein are merely illustrative of the present invention and are not intended to limit it.
Referring to Fig. 1, Fig. 1 is a schematic structural diagram of the user equipment of the hardware running environment involved in the embodiments of the present invention.
As shown in Fig. 1, the user equipment may include a processor 1001, such as a central processing unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004 and a memory 1005. The communication bus 1002 is used to implement connection and communication between these components. The user interface 1003 may include a display screen (Display) and may optionally also include standard wired and wireless interfaces; in the present invention the wired interface of the user interface 1003 may be a Universal Serial Bus (USB) interface. The network interface 1004 may optionally include standard wired and wireless interfaces (such as a WI-FI interface). The memory 1005 may be high-speed random access memory (RAM), or it may be stable, non-volatile memory (Non-volatile Memory), specifically a magnetic disk memory. The memory 1005 may optionally also be a storage device independent of the aforementioned processor 1001.
Those skilled in the art will understand that the structure shown in Fig. 1 does not constitute a limitation on the user equipment, which may include more or fewer components than illustrated, combine certain components, or have a different component arrangement.
As shown in Fig. 1, the memory 1005, as a kind of computer storage medium, may include an operating system, a network communication module, a user interface module and a malicious behavior detection program.
In the user equipment shown in Fig. 1, the network interface 1004 is mainly used to connect to a back-end server and exchange data with that back-end server; the user interface 1003 is mainly used to connect peripherals; and the user equipment calls, through the processor 1001, the malicious behavior detection program stored in the memory 1005 and performs the following operations:
obtaining traffic to be detected;
extracting, from the traffic to be detected, traffic features corresponding to each preset feature type, the preset feature types being feature types corresponding to malicious file download behavior;
detecting malicious file download behavior on the traffic features by a preset behavior detection model.
Further, the processor 1001 may call the malicious behavior detection program stored in the memory 1005 and also perform the following operations:
obtaining malicious access traffic samples containing malicious file download behavior;
extracting access features from the malicious access traffic samples;
establishing the preset behavior detection model according to the access features.
Further, the processor 1001 may call the malicious behavior detection program stored in the memory 1005 and also perform the following operation:
extracting Hypertext Transfer Protocol (HTTP) traffic from the malicious access traffic samples;
correspondingly, the following operation is also performed:
extracting access features from the HTTP traffic.
Further, the processor 1001 may call the malicious behavior detection program stored in the memory 1005 and also perform the following operation:
training a first preset decision tree algorithm with the access features to obtain the preset behavior detection model.
Further, the processor 1001 may call the malicious behavior detection program stored in the memory 1005 and also perform the following operations:
obtaining a preset traversal order of the traffic features;
traversing the traffic features in the preset traversal order, taking the traffic feature whose feature type is the target feature type as the traffic feature to be processed, determining the behavior judgement criterion corresponding to the target feature type, and detecting malicious file download behavior on the traffic feature to be processed based on that behavior judgement criterion.
Further, the processor 1001 may call the malicious behavior detection program stored in the memory 1005 and also perform the following operations:
determining, by a second preset decision tree algorithm, the priority corresponding to each preset feature type according to the information gain corresponding to that preset feature type;
composing the preset traversal order from the priorities.
Further, the processor 1001 may call the malicious behavior detection program stored in the memory 1005 and also perform the following operations:
reading, in turn, the download file format type sorted in the preset traversal order, and traversing the traffic features in the preset traversal order;
taking the traffic feature whose feature type is the download file format type as the traffic feature to be processed, determining the behavior judgement criterion corresponding to the download file format type, and detecting malicious file download behavior on the traffic feature to be processed based on that behavior judgement criterion.
In the present embodiment, traffic to be detected is obtained; traffic features corresponding to each preset feature type are extracted from the traffic to be detected, the preset feature types being feature types corresponding to malicious file download behavior; and malicious file download behavior is detected on the traffic features by a preset behavior detection model. Clearly, multi-dimensional preset feature types are set in advance in the present embodiment, and the fixed preset feature types are used to analyze whether the file download behavior contained in the monitored traffic is malicious file download behavior, which improves the accuracy of detecting malicious file download behavior and solves the technical problem that malicious file download behavior cannot be detected accurately.
Based on the above hardware structure, embodiments of the detection method for malicious behavior of the present invention are proposed.
Referring to Fig. 2, Fig. 2 is a flow diagram of the first embodiment of the detection method for malicious behavior of the present invention.
In the first embodiment, the detection method for malicious behavior includes the following steps:
Step S10: obtaining traffic to be detected.
It should be understood that, analyzing conventional security measures: those that guard against the malicious intrusion process by deploying components such as an intranet sandbox, an anti-virus appliance and a firewall typically monitor the files downloaded from the network and then scan and remove the monitored files; those that guard against it by deploying anti-virus software typically wait until the malicious program has been downloaded to the attacked server's local storage and then remove it directly. However, when conventional security measures scan for malicious programs, false positives or missed detections may occur, and some viruses may have anti-removal functions, so a high removal success rate cannot be achieved.
In a specific implementation, the present embodiment can keep the removal success rate at a high level by improving the accuracy of detecting malicious file download behavior, while also reducing the probability of false positives and missed detections.
It can be understood that the executing subject of the present embodiment is a user equipment, which may be a server or a personal computer. If the user equipment is server A, the interaction information between server A and the network or other devices may first be intercepted; the interaction information may be the procedural information between a data request and the response to that request, and this interaction information may be the traffic to be detected here.
Step S20: extracting, from the traffic to be detected, traffic features corresponding to each preset feature type, the preset feature types being feature types corresponding to malicious file download behavior.
It can be understood that, after the traffic to be detected is intercepted, the request type of the data request in the traffic to be detected may be a file download request, and the file to be downloaded by that download request may be a malicious file or a normal file. The traffic to be detected may or may not contain the file to be downloaded.
In a specific implementation, in order to judge more accurately whether malicious file download behavior exists in the traffic to be detected, in other words whether there is a data request for a malicious file and the corresponding response to that data request, preset feature types that can effectively identify malicious file download behavior may be specified in advance. The preset feature types include at least one of: download file format type, download filename length, download path depth, number of Hypertext Transfer Protocol (HTTP) header fields, attribution (geographic location) of the download Internet Protocol (IP) address, download filename type, and the HTTP header referer field.
It should be noted that if the preset feature types at this point are the download file format type and the download filename length, the extracted traffic features will include the traffic feature corresponding to the download file format type and the traffic feature corresponding to the download filename length.
Step S30: detecting malicious file download behavior on the traffic features by the preset behavior detection model.
In a specific implementation, after the traffic features are extracted, the preset behavior detection model can judge whether the file to be downloaded, contained in the file download behavior of the traffic features, is a malicious file or a normal file. If it is a malicious file, the file download behavior can be identified as malicious file download behavior; if it is a normal file, the file download behavior can be identified as normal file download behavior.
In the present embodiment, traffic to be detected is obtained; traffic features corresponding to each preset feature type are extracted from the traffic to be detected, the preset feature types being feature types corresponding to malicious file download behavior; and malicious file download behavior is detected on the traffic features by a preset behavior detection model. Clearly, multi-dimensional preset feature types are set in advance in the present embodiment, and the fixed preset feature types are used to analyze whether the file download behavior contained in the monitored traffic is malicious file download behavior, which improves the accuracy of detecting malicious file download behavior and solves the technical problem that malicious file download behavior cannot be detected accurately.
Referring to Fig. 3, Fig. 3 is a flow diagram of the second embodiment of the detection method for malicious behavior of the present invention. Based on the first embodiment shown in Fig. 2, the second embodiment of the detection method for malicious behavior of the present invention is proposed.
In the second embodiment, before step S10, the detection method for malicious behavior further includes:
Step S01: obtaining malicious access traffic samples containing malicious file download behavior.
It can be understood that the malicious access traffic samples can be prepared in advance; they may be collected in advance or generated automatically as test cases, for use in establishing the model.
Step S02: extracting access features from the malicious access traffic samples.
It should be understood that each access feature corresponding to each preset feature type can be extracted from malicious access traffic samples that are known to contain malicious file download behavior.
Step S03: establishing the preset behavior detection model according to the access features.
It can be understood that, after obtaining the access features actually contained in the malicious access traffic samples, a preset behavior detection model that can accurately determine whether file download behavior is malicious file download behavior can be established based on those access features.
Further, after step S01, the detection method for malicious behavior further includes:
extracting HTTP traffic from the malicious access traffic samples;
and extracting access features from the malicious access traffic samples specifically includes:
extracting access features from the HTTP traffic.
In a specific implementation, to improve the efficiency of model establishment, the HTTP traffic may first be filtered out of the malicious access traffic samples initiated by the malicious attacker, and the access features used to establish the model are then extracted from that HTTP traffic.
Further, establishing the preset behavior detection model according to the access features specifically includes:
training a first preset decision tree algorithm with the access features to obtain the preset behavior detection model.
It should be understood that the process of establishing the preset behavior detection model is carried out by the first preset decision tree algorithm, which is a supervised-learning decision tree (Decision Tree) algorithm. The first preset decision tree algorithm is trained with the access features as input samples, summarizes the regularities in the access features, and determines the data characteristics present when malicious file download behavior occurs; the result of training is a working model similar to a binary tree, and this model can be used as the preset behavior detection model here.
In a specific implementation, for example, if the preset feature types include at least one of download file format type, download filename length, download path depth, number of HTTP header fields, attribution of the download IP address, download filename type, and the HTTP header referer field, then the preset behavior detection model contains a specified range for each of these preset feature types; it can be determined one by one whether each traffic feature in the traffic to be detected meets the specified range of the corresponding preset feature type, and whether the file download behavior is malicious file download behavior is determined according to whether the ranges are met.
In the present embodiment, the preset behavior detection model to be used is trained with a decision tree algorithm, and the trained preset behavior detection model is used to detect malicious file download behavior, which greatly improves the accuracy of the judgement result.
Referring to Fig. 4, Fig. 4 is the flow diagram of the detection method 3rd embodiment of malicious act of the present invention, can be based on upper First embodiment shown in Fig. 2 or above-mentioned second embodiment shown in Fig. 3 are stated, it is real based on above-mentioned shown in Fig. 2 first herein Apply the 3rd embodiment that example proposes the detection method of malicious act of the present invention.
In 3rd embodiment, the step S30 is specifically included:
Step S301: the default traversal order of the traffic characteristic is obtained.
It is understood that default characteristic type includes downloading file format type, downloading filename length, download path In depth, HTTP header Field Count, downloading IP address ownership place, downloading filename type and HTTP header referer field At least one of, and default traversal order is made of default characteristic type, moreover, by based on certain composition that puts in order.
Step S302: the traffic characteristic is traversed based on the default traversal order, is target signature class by characteristic type The traffic characteristic of type determines behavior criterion corresponding with the target signature type, is based on as traffic characteristic to be processed The behavior criterion carries out the detection of malicious file downloading behavior to the traffic characteristic to be processed.
It should be understood that if the preset feature types in the preset traversal order are arranged, from first to last, as "download file format type, download filename length, download path depth, HTTP header field count, download IP address attribution, download filename type and HTTP header referer field", then the download file format type is the target feature type and the traffic feature corresponding to the download file format type is traversed first: the behavior criterion corresponding to the download file format type is read, and it is judged whether the traffic feature meets that behavior criterion. Then the traffic feature corresponding to the download filename length is traversed, the behavior criterion corresponding to the download filename length is read, and it is judged whether the traffic feature meets that behavior criterion, and so on. Multiple judgment results are obtained, and whether malicious file download behavior exists can be determined on the basis of these judgment results.
In addition, the preset feature type includes at least one of: download file format type, download filename length, download path depth, HTTP header field count, download IP address attribution, download filename type and HTTP header referer field.
In a specific implementation, the download file format type refers to the format type of the downloaded file; if the downloaded file is a malicious file, also called a virus file, the common format types of such a file are the portable executable (PE) format and script formats. The download filename length refers to the length of the filename of the downloaded file. For example, if the downloaded file is "www.abcd.com/1.exe", the domain name can first be removed from the filename of the downloaded file, so that the filename after removal of the domain name is "1.exe", and the download filename length can be taken as 1. The download path depth refers to the folder depth of the path in the download path. For example, if the download path is "www.abcd.com/1.exe", its path folder depth is 1 level, whereas if the download path is "www.abcd.com/down/1.exe", its path folder depth is 2 levels.
It can be understood that the HTTP header field count is introduced into the detection of malicious file download behavior because a standard HTTP request usually contains more fields, while a malicious program download often contains fewer. The download IP address attribution is introduced because a foreign attribution is more suspicious. The download filename type refers to "judging whether a word is present in the filename of the downloaded file"; for example, if the filename of the downloaded file is "www.abcd.com/word.exe", the word "word" can be found in it. The HTTP header referer field is introduced because a maliciously downloaded script file often carries no referer field.
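The seven preset feature types above, extracted from one download request as an added example; this is not the patent's own code. The extension-to-format table, the word list, the GeoIP stand-in (documentation-range addresses), the home country and the sample request are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed extension -> format-type table.  The description names the PE
# and script formats as the usual malicious ones and "Word format" as a
# benign reference format; the concrete extensions are an assumption.
FORMAT_BY_EXTENSION = {
    "exe": "PE", "dll": "PE", "scr": "PE",
    "ps1": "script", "vbs": "script", "js": "script", "bat": "script", "sh": "script",
    "doc": "Word", "docx": "Word", "pdf": "PDF", "zip": "archive",
}

# Constructed dictionary for the "download filename type" check (is the
# filename a word?).  A real deployment would use a full word list.
WORD_LIST = {"word", "report", "invoice", "setup", "update", "readme"}

# Constructed GeoIP stand-in and home country; the page only says that a
# foreign attribution is more suspicious.
GEOIP = {"203.0.113.10": "CN", "198.51.100.7": "US"}
HOME_COUNTRY = "CN"


@dataclass
class DownloadFeatures:
    file_format: str          # download file format type
    filename_length: int      # length of the basename without its extension
    path_depth: int           # number of path segments, the file included
    header_field_count: int   # number of header fields in the request
    ip_attribution: str       # country of the server IP, "unknown" if no lookup
    filename_is_word: bool    # download filename type: basename is a word
    has_referer: bool         # HTTP header referer field present

    @property
    def foreign(self) -> bool:
        return self.ip_attribution not in (HOME_COUNTRY, "unknown")


def split_download_url(url: str) -> Tuple[str, str, List[str]]:
    """Strip the domain name and return (stem, extension, path segments)."""
    if "://" not in url:
        url = "http://" + url        # urlsplit needs a scheme to isolate the host
    segments = [s for s in urlsplit(url).path.split("/") if s]
    basename = segments[-1] if segments else ""
    stem, dot, ext = basename.rpartition(".")
    if not dot:                      # no extension at all
        stem, ext = basename, ""
    return stem, ext.lower(), segments


def extract_features(url: str, request_headers: Dict[str, str],
                     server_ip: Optional[str] = None) -> DownloadFeatures:
    """Compute the seven preset feature types for one download request."""
    stem, ext, segments = split_download_url(url)
    lowered = {name.lower() for name in request_headers}
    return DownloadFeatures(
        file_format=FORMAT_BY_EXTENSION.get(ext, "other"),
        filename_length=len(stem),
        path_depth=len(segments),
        header_field_count=len(request_headers),
        ip_attribution=GEOIP.get(server_ip or "", "unknown"),
        filename_is_word=stem.lower() in WORD_LIST,
        has_referer="referer" in lowered,
    )


# Constructed request: a sparse header set with no referer, which is how the
# page says malicious script downloads often look.
SAMPLE_REQUEST_HEADERS = {"Host": "www.abcd.com", "User-Agent": "curl/7.0", "Accept": "*/*"}

if __name__ == "__main__":
    print(extract_features("www.abcd.com/down/1.exe", SAMPLE_REQUEST_HEADERS, "198.51.100.7"))
```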
Further, before step S301, the detection method for malicious behavior further includes:
determining, based on a second preset decision tree algorithm, the priority corresponding to each preset feature type according to the information gain corresponding to that preset feature type;
composing the preset traversal order from the priorities.
It should be noted that the second preset decision tree algorithm and the first preset decision tree algorithm mentioned above may be the same decision tree algorithm.
It should be understood that the order of the preset feature types in the preset traversal order can be determined by information gain. Entropy represents the uncertainty of a random variable; conditional entropy represents the uncertainty of a random variable under some condition; and information gain is the difference between entropy and conditional entropy, representing the degree to which uncertainty is reduced under that condition. It can be seen that the information gain characterizes the degree to which a preset feature type directly or indirectly influences the detection result, so the priority corresponding to a preset feature type can be determined according to the information gain of that preset feature type.
In a specific implementation, for example, if the information gain of the download file format type is the largest, the priority of the download file format type can be set to level one, that is, the download file format type is placed first in the preset traversal order; if the information gain of the download filename length is the second largest, the priority of the download filename length can be set to level two, that is, the download filename length is placed second in the preset traversal order.
Further, said traversing the traffic features based on the preset traversal order, taking the traffic feature whose feature type is the target feature type as the traffic feature to be processed, determining the behavior criterion corresponding to the target feature type, and detecting malicious file download behavior on the traffic feature to be processed based on the behavior criterion specifically includes:
reading the download file format type, which is sorted first in the preset traversal order, and traversing the traffic features based on the preset traversal order;
taking the traffic feature whose feature type is the download file format type as the traffic feature to be processed, determining the behavior criterion corresponding to the download file format type, and detecting malicious file download behavior on the traffic feature to be processed based on the behavior criterion.
In a specific implementation, if the first item in the preset traversal order is the download file format type, the traffic feature corresponding to the download file format type can be traversed first. That traffic feature may be "script format"; if the reference formats in the behavior criterion corresponding to the download file format type do not include "script format", the file download behavior corresponding to the traffic to be detected can be regarded as malicious file download behavior.
Of course, if the traffic feature is "Word format" and the reference formats in the corresponding behavior criterion include "Word format", the file download behavior corresponding to the traffic to be detected can be regarded as normal file download behavior.
Further, referring also to Fig. 5, Fig. 5 provides a detection mode that detects file download behavior comprehensively through preset feature types of 7 dimensions. In Fig. 5, the behavior criterion corresponding to the download file format type is denoted as the first behavior criterion, the behavior criterion corresponding to the download filename length as the second behavior criterion, the behavior criterion corresponding to the download path depth as the third behavior criterion, the behavior criterion corresponding to the HTTP header field count as the fourth behavior criterion, the behavior criterion corresponding to the download IP address attribution as the fifth behavior criterion, the behavior criterion corresponding to the download filename type (that is, whether the download filename is a word) as the sixth behavior criterion, and the behavior criterion corresponding to the HTTP header referer field as the seventh behavior criterion.
If the traffic feature corresponding to the download file format type meets the first behavior criterion, the file download behavior corresponding to the traffic to be detected is regarded as normal file download behavior; if the traffic feature corresponding to the download file format type does not meet the first behavior criterion, it is judged whether the traffic feature corresponding to the download filename length meets the second behavior criterion. If the traffic feature corresponding to the download filename length meets the second behavior criterion, it is judged whether the traffic feature corresponding to the download path depth meets the third behavior criterion; if the traffic feature corresponding to the download filename length does not meet the second behavior criterion, it is judged whether the traffic feature corresponding to the download filename type meets the sixth behavior criterion, and so on. In Fig. 5, Y indicates that the criterion is met and N that it is not; "normal" in Fig. 5 indicates a judgment of normal file download behavior, and "malicious" indicates a judgment of malicious file download behavior.
In this embodiment, the traversal priority of each preset feature type is determined based on information gain, and behavior detection is performed using this traversal priority, which further improves detection efficiency and detection accuracy.
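As an added example (not the patent's own code) covering both the information-gain ordering and the traversal against per-type behavior criteria described above: the block ranks the seven feature types by information gain over a constructed labelled sample to form the traversal order, then walks one traffic record in that order. The sample set, the bucketing thresholds for the numeric types, the criteria, the home country and the rule that aggregates the judgment results are all assumptions; the branching of Fig. 5 is not reproduced, only the linear traversal the text describes.

```python
import math
from collections import Counter
from typing import Any, Callable, Dict, List, Tuple

# The seven preset feature types, in the order the description lists them.
FEATURE_TYPES = ["file_format", "filename_length", "path_depth", "header_field_count",
                 "ip_attribution", "filename_is_word", "has_referer"]

# Constructed thresholds that bucket the numeric feature types into "low"/"high"
# before computing information gain (values <= threshold are "low").
THRESHOLDS = {"filename_length": 3, "path_depth": 1, "header_field_count": 5}


def bucket(feature: str, value: Any) -> Any:
    if feature in THRESHOLDS:
        return "low" if value <= THRESHOLDS[feature] else "high"
    return value


def row(fmt, length, depth, headers, ip, word, referer, label):
    return ({"file_format": fmt, "filename_length": length, "path_depth": depth,
             "header_field_count": headers, "ip_attribution": ip,
             "filename_is_word": word, "has_referer": referer}, label)


# Constructed labelled access sample (1 = malicious download, 0 = normal download).
SAMPLES: List[Tuple[Dict[str, Any], int]] = [
    row("script", 1, 1, 3, "US", False, False, 1),
    row("PE",     2, 1, 4, "US", False, False, 1),
    row("script", 3, 2, 3, "CN", False, False, 1),
    row("PE",     8, 2, 7, "CN", False, True,  1),
    row("PE",     4, 1, 5, "CN", True,  False, 0),
    row("Word",   6, 1, 8, "CN", False, False, 0),
    row("Word",   7, 3, 9, "CN", False, True,  0),
    row("PDF",    5, 2, 10, "CN", False, True, 0),
]


def entropy(labels: List[int]) -> float:
    """H(D): uncertainty of the label over the sample."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def information_gain(samples, feature: str) -> float:
    """H(D) - H(D | feature): how much knowing the feature reduces label uncertainty."""
    groups: Dict[Any, List[int]] = {}
    for x, y in samples:
        groups.setdefault(bucket(feature, x[feature]), []).append(y)
    conditional = sum(len(g) / len(samples) * entropy(g) for g in groups.values())
    return entropy([y for _, y in samples]) - conditional


def traversal_order(samples, feature_types=FEATURE_TYPES) -> List[str]:
    """Preset traversal order: highest information gain first (ties keep list order)."""
    return sorted(feature_types, key=lambda f: information_gain(samples, f), reverse=True)


# Constructed behavior criteria, one per feature type; True means the value
# meets the criterion, i.e. looks like a normal download.
REFERENCE_FORMATS = {"Word", "PDF", "archive"}        # "script" is deliberately absent
CRITERIA: Dict[str, Callable[[Any], bool]] = {
    "file_format": lambda v: v in REFERENCE_FORMATS,
    "filename_length": lambda v: v > THRESHOLDS["filename_length"],
    "path_depth": lambda v: v > THRESHOLDS["path_depth"],
    "header_field_count": lambda v: v > THRESHOLDS["header_field_count"],
    "ip_attribution": lambda v: v == "CN",             # home country assumed to be CN
    "filename_is_word": lambda v: bool(v),
    "has_referer": lambda v: bool(v),
}


def detect(traffic: Dict[str, Any], order: List[str]) -> Tuple[str, List[Tuple[str, bool]]]:
    """Walk the traffic features in traversal order and collect one judgment per type.

    The aggregation rule (malicious when unmet criteria outnumber met ones) is
    an assumption; the page leaves it to the implementation.
    """
    results = [(f, CRITERIA[f](traffic[f])) for f in order]
    unmet = sum(1 for _, met in results if not met)
    verdict = "malicious" if unmet > len(results) - unmet else "normal"
    return verdict, results


if __name__ == "__main__":
    order = traversal_order(SAMPLES)
    for f in order:
        print(f"{f:20s} IG={information_gain(SAMPLES, f):.4f}")
    print(detect(SAMPLES[0][0], order))
```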
In addition, an embodiment of the present invention further proposes a storage medium on which a detection program for malicious behavior is stored; when the detection program for malicious behavior is executed by a processor, the following operations are implemented:
obtaining traffic to be detected;
extracting, from the traffic to be detected, each traffic feature corresponding to each preset feature type, the preset feature type being a feature type corresponding to malicious file download behavior;
detecting malicious file download behavior on the traffic features by a preset behavior detection model.
Further, when the detection program for malicious behavior is executed by the processor, the following operations are also implemented:
obtaining a malicious access traffic sample containing malicious file download behavior;
extracting access features from the malicious access traffic sample;
establishing the preset behavior detection model according to the access features.
Further, when the detection program for malicious behavior is executed by the processor, the following operation is also implemented:
extracting hypertext transfer protocol (HTTP) traffic from the malicious access traffic sample;
correspondingly, the following operation is also implemented:
extracting access features from the HTTP traffic.
Further, when the detection program for malicious behavior is executed by the processor, the following operation is also implemented:
training a first preset decision tree algorithm with the access features to obtain the preset behavior detection model.
Further, when the detection program for malicious behavior is executed by the processor, the following operations are also implemented:
obtaining a preset traversal order of the traffic features;
traversing the traffic features based on the preset traversal order, taking the traffic feature whose feature type is the target feature type as the traffic feature to be processed, determining the behavior criterion corresponding to the target feature type, and detecting malicious file download behavior on the traffic feature to be processed based on the behavior criterion.
Further, when the detection program for malicious behavior is executed by the processor, the following operations are also implemented:
determining, based on a second preset decision tree algorithm, the priority corresponding to each preset feature type according to the information gain corresponding to that preset feature type;
composing the preset traversal order from the priorities.
Further, when the detection program for malicious behavior is executed by the processor, the following operations are also implemented:
reading the download file format type, which is sorted first in the preset traversal order, and traversing the traffic features based on the preset traversal order;
taking the traffic feature whose feature type is the download file format type as the traffic feature to be processed, determining the behavior criterion corresponding to the download file format type, and detecting malicious file download behavior on the traffic feature to be processed based on the behavior criterion.
In this embodiment, traffic to be detected is obtained; each traffic feature corresponding to each preset feature type is extracted from the traffic to be detected, the preset feature type being a feature type corresponding to malicious file download behavior; and malicious file download behavior is detected on the traffic features by a preset behavior detection model. Clearly, in this embodiment multi-dimensional preset feature types are set in advance, and whether the file download behavior contained in the traffic to be monitored is malicious file download behavior is analyzed through the fixed preset feature types, which improves the accuracy of detecting malicious file download behavior and solves the technical problem that malicious file download behavior cannot be detected accurately.
In addition, referring to Fig. 6, an embodiment of the present invention further proposes a detection device for malicious behavior, which includes:
a traffic detection module 10 for obtaining traffic to be detected.
It should be understood that conventional security means can be analyzed as follows. Defending against malicious programs by deploying components such as an intranet sandbox, an anti-virus gateway and a firewall mostly monitors the files downloaded from the network and then selectively kills the monitored files; defending against malicious programs by deploying antivirus software mostly waits until the malicious program has been downloaded to the attacked server locally and then kills it directly. However, when killing malicious programs, conventional security means may produce false positives or missed detections, and some viruses may have anti-killing functions, so a high killing success rate cannot be reached.
In a specific implementation, this embodiment can keep the killing success rate at a higher level by improving the accuracy of detecting malicious file download behavior, while also reducing the probability of false positives and missed detections.
It can be understood that the interaction information between a server and the network or other devices it accesses can first be intercepted; the interaction information may be the procedural information between a data request and the request feedback, and the interaction information may be the traffic to be detected herein.
a feature extraction module 20 for extracting, from the traffic to be detected, each traffic feature corresponding to each preset feature type, the preset feature type being a feature type corresponding to malicious file download behavior.
It can be understood that after the traffic to be detected is intercepted, the request type of the data request in the traffic to be detected may be a file download request, and the file to be downloaded by that download request may be a malicious file or a normal file. The traffic to be detected may or may not contain the file to be downloaded.
In a specific implementation, in order to judge more accurately whether malicious file download behavior exists in the traffic to be detected, in other words whether there exists a data request for a malicious file to be downloaded and the request feedback corresponding to that data request, preset feature types can be specified in advance, and these preset feature types can effectively determine malicious file download behavior. The preset feature type includes at least one of: download file format type, download filename length, download path depth, hypertext transfer protocol (HTTP) header field count, download Internet Protocol (IP) address attribution, download filename type and HTTP header reference (referer) field.
It should be noted that if the preset feature types at this time are the download file format type and the download filename length, the extracted traffic features will include the traffic feature corresponding to the download file format type and the traffic feature corresponding to the download filename length.
a behavior detection module 30 for detecting malicious file download behavior on the traffic features by a preset behavior detection model.
In a specific implementation, after the traffic features are extracted, the preset behavior detection model can judge whether the file to be downloaded in the file download behavior contained in the traffic features is a malicious file or a normal file. If it is a malicious file, the file download behavior can be identified as malicious file download behavior; if it is a normal file, the file download behavior can be identified as normal file download behavior.
In this embodiment, traffic to be detected is obtained; each traffic feature corresponding to each preset feature type is extracted from the traffic to be detected, the preset feature type being a feature type corresponding to malicious file download behavior; and malicious file download behavior is detected on the traffic features by a preset behavior detection model. Clearly, in this embodiment multi-dimensional preset feature types are set in advance, and whether the file download behavior contained in the traffic to be monitored is malicious file download behavior is analyzed through the fixed preset feature types, which improves the accuracy of detecting malicious file download behavior and solves the technical problem that malicious file download behavior cannot be detected accurately.
In one embodiment, the detection device for malicious behavior further includes:
a model building module for obtaining a malicious access traffic sample containing malicious file download behavior, extracting access features from the malicious access traffic sample, and establishing the preset behavior detection model according to the access features.
In one embodiment, the model building module is further used to extract hypertext transfer protocol (HTTP) traffic from the malicious access traffic sample;
the model building module is further used to extract access features from the HTTP traffic.
In one embodiment, the model building module is further used to train a first preset decision tree algorithm with the access features to obtain the preset behavior detection model.
In one embodiment, the behavior detection module 30 is further used to obtain a preset traversal order of the traffic features; traverse the traffic features based on the preset traversal order, take the traffic feature whose feature type is the target feature type as the traffic feature to be processed, determine the behavior criterion corresponding to the target feature type, and detect malicious file download behavior on the traffic feature to be processed based on the behavior criterion.
In one embodiment, the detection device for malicious behavior further includes:
an order establishing module for determining, based on a second preset decision tree algorithm, the priority corresponding to each preset feature type according to the information gain corresponding to that preset feature type, and composing the preset traversal order from the priorities.
In one embodiment, the behavior detection module 30 is further used to read the download file format type, which is sorted first in the preset traversal order, and traverse the traffic features based on the preset traversal order; take the traffic feature whose feature type is the download file format type as the traffic feature to be processed, determine the behavior criterion corresponding to the download file format type, and detect malicious file download behavior on the traffic feature to be processed based on the behavior criterion.
For other embodiments or specific implementations of the detection device for malicious behavior of the present invention, reference may be made to the method embodiments above, which are not repeated here.
It should be noted that in this document the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or system that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or system. In the absence of further restriction, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or system that includes that element.
The serial numbers of the above embodiments of the invention are for description only and do not represent the advantages or disadvantages of the embodiments. In a unit claim listing several devices, several of these devices may be embodied by the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.
Through the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be realized by software plus a necessary general hardware platform, and of course also by hardware, but in many cases the former is the better embodiment. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium (such as a read-only memory, RAM, magnetic disk or optical disc) and including several instructions for causing a terminal device (which may be a mobile phone, computer, server, air conditioner, network device or the like) to execute the method described in each embodiment of the present invention.
The above is only a preferred embodiment of the present invention and is not intended to limit the scope of the invention; any equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the present invention, or applied directly or indirectly in other related technical fields, is likewise included within the scope of the present invention.

Claims (10)

1. A detection method for malicious behavior, characterized in that the detection method for malicious behavior comprises the following steps:
obtaining traffic to be detected;
extracting, from the traffic to be detected, each traffic feature corresponding to each preset feature type, the preset feature type being a feature type corresponding to malicious file download behavior;
detecting malicious file download behavior on the traffic features by a preset behavior detection model.
2. The detection method for malicious behavior according to claim 1, characterized in that before said obtaining traffic to be detected, the detection method for malicious behavior further comprises:
obtaining a malicious access traffic sample containing malicious file download behavior;
extracting access features from the malicious access traffic sample;
establishing the preset behavior detection model according to the access features.
3. The detection method for malicious behavior according to claim 2, characterized in that after said obtaining a malicious access traffic sample containing malicious file download behavior, the detection method for malicious behavior further comprises:
extracting hypertext transfer protocol (HTTP) traffic from the malicious access traffic sample;
and said extracting access features from the malicious access traffic sample specifically comprises:
extracting access features from the HTTP traffic.
4. The detection method for malicious behavior according to claim 2, characterized in that said establishing the preset behavior detection model according to the access features specifically comprises:
training a first preset decision tree algorithm with the access features to obtain the preset behavior detection model.
5. The detection method for malicious behavior according to any one of claims 1 to 4, characterized in that said detecting malicious file download behavior on the traffic features by a preset behavior detection model specifically comprises:
obtaining a preset traversal order of the traffic features;
traversing the traffic features based on the preset traversal order, taking the traffic feature whose feature type is the target feature type as the traffic feature to be processed, determining the behavior criterion corresponding to the target feature type, and detecting malicious file download behavior on the traffic feature to be processed based on the behavior criterion.
6. The detection method for malicious behavior according to claim 5, characterized in that before said obtaining a preset traversal order of the traffic features, the detection method for malicious behavior further comprises:
determining, based on a second preset decision tree algorithm, the priority corresponding to each preset feature type according to the information gain corresponding to that preset feature type;
composing the preset traversal order from the priorities.
7. The detection method for malicious behavior according to claim 5, characterized in that said traversing the traffic features based on the preset traversal order, taking the traffic feature whose feature type is the target feature type as the traffic feature to be processed, determining the behavior criterion corresponding to the target feature type, and detecting malicious file download behavior on the traffic feature to be processed based on the behavior criterion specifically comprises:
reading the download file format type, which is sorted first in the preset traversal order, and traversing the traffic features based on the preset traversal order;
taking the traffic feature whose feature type is the download file format type as the traffic feature to be processed, determining the behavior criterion corresponding to the download file format type, and detecting malicious file download behavior on the traffic feature to be processed based on the behavior criterion.
8. A user equipment, characterized in that the user equipment comprises a memory, a processor, and a detection program for malicious behavior stored on the memory and executable on the processor, wherein when the detection program for malicious behavior is executed by the processor, the steps of the detection method for malicious behavior according to any one of claims 1 to 7 are realized.
9. A storage medium, characterized in that a detection program for malicious behavior is stored on the storage medium, and when the detection program for malicious behavior is executed by a processor, the steps of the detection method for malicious behavior according to any one of claims 1 to 7 are realized.
10. A detection device for malicious behavior, characterized in that the detection device for malicious behavior comprises:
a traffic detection module for obtaining traffic to be detected;
a feature extraction module for extracting, from the traffic to be detected, each traffic feature corresponding to each preset feature type, the preset feature type being a feature type corresponding to malicious file download behavior;
a behavior detection module for detecting malicious file download behavior on the traffic features by a preset behavior detection model.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910720423.3A CN110336835B (en) 2019-08-05 2019-08-05 Malicious behavior detection method, user equipment, storage medium and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910720423.3A CN110336835B (en) 2019-08-05 2019-08-05 Malicious behavior detection method, user equipment, storage medium and device

Publications (2)

Publication Number Publication Date
CN110336835A true CN110336835A (en) 2019-10-15
CN110336835B CN110336835B (en) 2021-10-19

Family

ID=68148596

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910720423.3A Active CN110336835B (en) 2019-08-05 2019-08-05 Malicious behavior detection method, user equipment, storage medium and device

Country Status (1)

Country Link
CN (1) CN110336835B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110879885A (en) * 2019-11-05 2020-03-13 西安交通大学 Online file illegal downloading detection method and device
CN110995576A (en) * 2019-12-16 2020-04-10 深信服科技股份有限公司 Mail detection method, device, equipment and storage medium
CN111404949A (en) * 2020-03-23 2020-07-10 深信服科技股份有限公司 Flow detection method, device, equipment and storage medium
CN112887327A (en) * 2021-02-23 2021-06-01 深信服科技股份有限公司 Method, device and storage medium for detecting malicious behaviors
CN114650158A (en) * 2020-12-21 2022-06-21 深信服科技股份有限公司 HTTP detection method, system, equipment and computer storage medium
CN116708008A (en) * 2023-07-18 2023-09-05 山东溯源安全科技有限公司 Method for determining malicious files in transformer substation system, electronic equipment and storage medium

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8375450B1 (en) * 2009-10-05 2013-02-12 Trend Micro, Inc. Zero day malware scanner
CN103577547A (en) * 2013-10-12 2014-02-12 优视科技有限公司 Webpage type identification method and device
CN105488413A (en) * 2015-06-19 2016-04-13 哈尔滨安天科技股份有限公司 Malicious code detection method and system based on information gain
CN105894177A (en) * 2016-03-25 2016-08-24 国家电网公司 Decision-making-tree-algorithm-based analysis and evaluation method for operation risk of power equipment
CN106485146A (en) * 2015-09-02 2017-03-08 腾讯科技(深圳)有限公司 A kind of information processing method and server
CN106960154A (en) * 2017-03-30 2017-07-18 兴华永恒(北京)科技有限责任公司 A kind of rogue program dynamic identifying method based on decision-tree model
CN107315954A (en) * 2016-04-27 2017-11-03 腾讯科技(深圳)有限公司 A kind of file type identification method and server
CN109768992A (en) * 2019-03-04 2019-05-17 深信服科技股份有限公司 Webpage malicious scanning processing method and device, terminal device, readable storage medium storing program for executing
CN109800797A (en) * 2018-12-29 2019-05-24 360企业安全技术(珠海)有限公司 File black and white judgment method, device and equipment based on AI


Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110879885A (en) * 2019-11-05 2020-03-13 西安交通大学 Online file illegal downloading detection method and device
CN110879885B (en) * 2019-11-05 2022-04-05 西安交通大学 Online file illegal downloading detection method and device
CN110995576A (en) * 2019-12-16 2020-04-10 深信服科技股份有限公司 Mail detection method, device, equipment and storage medium
CN111404949A (en) * 2020-03-23 2020-07-10 深信服科技股份有限公司 Flow detection method, device, equipment and storage medium
CN114650158A (en) * 2020-12-21 2022-06-21 深信服科技股份有限公司 HTTP detection method, system, equipment and computer storage medium
CN112887327A (en) * 2021-02-23 2021-06-01 深信服科技股份有限公司 Method, device and storage medium for detecting malicious behaviors
CN112887327B (en) * 2021-02-23 2022-11-22 深信服科技股份有限公司 Method, device and storage medium for detecting malicious behaviors
CN116708008A (en) * 2023-07-18 2023-09-05 山东溯源安全科技有限公司 Method for determining malicious files in transformer substation system, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN110336835B (en) 2021-10-19

Similar Documents

Publication Publication Date Title
CN110336835A (en) Detection method, user equipment, storage medium and the device of malicious act
US10534906B1 (en) Detection efficacy of virtual machine-based analysis with application specific events
US20230074151A1 (en) Multi-representational learning models for static analysis of source code
CN103617395B (en) Method, device and system for intercepting advertisement programs based on cloud security
CN103634306B (en) The safety detection method and safety detection server of network data
CN107659583B (en) Method and system for detecting attack in fact
CN102694817B (en) The whether abnormal method of the network behavior of a kind of recognizer, Apparatus and system
US10417420B2 (en) Malware detection and classification based on memory semantic analysis
EP3726410B1 (en) Interpretation device, interpretation method and interpretation program
CN112685737A (en) APP detection method, device, equipment and storage medium
CN108664793B (en) Method and device for detecting vulnerability
Shabtai et al. F-sign: Automatic, function-based signature generation for malware
CN106357689A (en) Method and system for processing threat data
US20040030931A1 (en) System and method for providing enhanced network security
Luoshi et al. A3: automatic analysis of android malware
US20230418943A1 (en) Method and device for image-based malware detection, and artificial intelligence-based endpoint detection and response system using same
CN113158197B (en) SQL injection vulnerability detection method and system based on active IAST
Djanali et al. SQL injection detection and prevention system with raspberry Pi honeypot cluster for trapping attacker
KR101781780B1 (en) System and Method for detecting malicious websites fast based multi-server, multi browser
JP4309102B2 (en) Illegal command / data detection method, illegal command / data detection method, and illegal command / data detection program
CN115001789B (en) Method, device, equipment and medium for detecting collapse equipment
CN109951484A (en) The test method and system attacked for machine learning product
Takata et al. Website forensic investigation to identify evidence and impact of compromise
Chen et al. Detecting mobile application malicious behaviors based on data flow of source code
CN108197475A (en) A kind of malice so modules detection method and relevant apparatus

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant