CN110399720A - File detection method and related apparatus - Google Patents

File detection method and related apparatus

Info

Publication number: CN110399720A
Application number: CN201811533910.0A
Authority: CN (China)
Prior art keywords: strategy, rule, dynamic behaviour, behavior log, file
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN110399720B (en)
Inventor: 许天胜
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd with priority to CN201811533910.0A; published as CN110399720A; granted and published as CN110399720B.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files

Abstract

The invention discloses a file detection method, comprising: obtaining a target behaviour log of a file to be detected, where the target behaviour log includes N dynamic behaviours, a dynamic behaviour is information describing an associated operation, and N is an integer greater than or equal to 1; matching every dynamic behaviour in the target behaviour log against every rule corresponding to every strategy in a strategy set to obtain a matching result, where the strategy set includes M preconfigured strategies, each strategy corresponds to at least one rule and to one malice score, and M is an integer greater than or equal to 1; generating a target malice score corresponding to the target behaviour log according to the matching result; and, if the target malice score reaches a malice score threshold, determining that the file to be detected is a virus file. The invention also discloses a file detection apparatus. Because the invention detects the dynamic behaviour of the file rather than its static signature, it is not affected by deformation of virus signatures, which reduces the virus false-alarm rate.

Description

File detection method and related apparatus
Technical field
The present invention relates to the field of Internet security, and in particular to a file detection method and related apparatus.
Background technique
As the Internet merges ever more deeply with human life, the main bodies of human society (economic, political and cultural) are continuously linked with and integrated into the virtual world of the Internet, and the boundary between the essential elements of society and the virtualised society of the Internet grows ever more blurred. Problems of the real world consequently appear and erupt in the virtual Internet as well. Security is a particularly crucial and sensitive Internet problem, and viruses are one of its main sources and drivers. At present the confrontation between security defences and viruses is growing increasingly fierce.
Traditional defences mainly identify viruses by signature scanning. The features of a virus file are extracted first, and one or more binary code sequences of the virus are manually selected from those features to serve as the identity of that virus family, i.e. its signature; the signature is then uploaded into a cloud database. When a file is scanned, it is compared against the stored signatures to decide whether it is a virus.
However, although signature scanning accurately identifies known viruses, it has difficulty identifying unknown viruses or deformed variants of known viruses, so the virus false-alarm rate remains high.
Summary of the invention
The embodiment of the present invention provides a file detection method and related apparatus. During file security detection, the static features of the file are no longer examined; instead the dynamic behaviour of the file is examined, so detection is not affected by deformation of virus signatures and retains strong detection and removal capability against unknown viruses, which reduces the virus false-alarm rate.
In view of this, a first aspect of the present invention provides a file detection method, comprising:
obtaining a target behaviour log of a file to be detected, where the target behaviour log includes N dynamic behaviours, a dynamic behaviour is information describing an associated operation, and N is an integer greater than or equal to 1;
matching every dynamic behaviour in the target behaviour log against every rule corresponding to every strategy in a strategy set to obtain a matching result, where the strategy set includes M preconfigured strategies, each strategy corresponds to at least one rule and to one malice score, and M is an integer greater than or equal to 1;
generating a target malice score corresponding to the target behaviour log according to the matching result;
and, if the target malice score reaches a malice score threshold, determining that the file to be detected is a virus file.
A second aspect of the present invention provides a file detection apparatus, comprising:
an obtaining module, configured to obtain a target behaviour log of a file to be detected, where the target behaviour log includes N dynamic behaviours, a dynamic behaviour is information describing an associated operation, and N is an integer greater than or equal to 1;
a matching module, configured to match every dynamic behaviour in the target behaviour log obtained by the obtaining module against every rule corresponding to every strategy in a strategy set to obtain a matching result, where the strategy set includes M preconfigured strategies, each strategy corresponds to at least one rule and to one malice score, and M is an integer greater than or equal to 1;
a generation module, configured to generate a target malice score corresponding to the target behaviour log according to the matching result obtained by the matching module;
and a determining module, configured to determine that the file to be detected is a virus file if the target malice score generated by the generation module reaches a malice score threshold.
In one possible design, in a first implementation of the second aspect of the embodiment of the present invention, the dynamic behaviour includes at least an operator and an application programming interface (API);
where the operator denotes the object that initiates the operation, and the API denotes the interface function called to execute the operation;
the dynamic behaviour may further include at least one of a process, an operation object and an additional parameter;
where the process denotes the entity that runs the operation, the operation object denotes the object that receives the operation, and the additional parameter denotes a parameter related to the operation;
the matching module is specifically configured to obtain the operator, API, process, operation object and additional parameter of every dynamic behaviour in the target behaviour log;
obtain the preset operator, preset API, preset process, preset operation object and preset additional parameter of every rule in every strategy;
and match the operator of every dynamic behaviour against the preset operator of every rule, the API of every dynamic behaviour against the preset API of every rule, the process of every dynamic behaviour against the preset process of every rule, the operation object of every dynamic behaviour against the preset operation object of every rule, and the additional parameter of every dynamic behaviour against the preset additional parameter of every rule, to obtain the matching result.
In one possible design, in a second implementation of the second aspect of the embodiment of the present invention,
the matching module is specifically configured to obtain the i-th dynamic behaviour in the target behaviour log, where i is an integer greater than or equal to 1 and less than or equal to N;
obtain the k-th rule corresponding to the j-th strategy in the strategy set, where j is an integer greater than or equal to 1 and less than or equal to M, and k is an integer greater than or equal to 1;
match the i-th dynamic behaviour against the k-th rule corresponding to the j-th strategy;
if the i-th dynamic behaviour successfully matches the k-th rule corresponding to the j-th strategy, match the (i+1)-th dynamic behaviour against the (k+1)-th rule corresponding to the j-th strategy;
and if the i-th dynamic behaviour fails to match the k-th rule corresponding to the j-th strategy, match the (i+1)-th dynamic behaviour against the k-th rule corresponding to the j-th strategy.
In one possible design, in a third implementation of the second aspect of the embodiment of the present invention,
the generation module is specifically configured to obtain a first malice score corresponding to the j-th strategy if the target behaviour log successfully matches the j-th strategy;
obtain a second malice score corresponding to the (j+1)-th strategy if the target behaviour log successfully matches the (j+1)-th strategy;
and add the first malice score and the second malice score to obtain the target malice score.
In one possible design, in a fourth implementation of the second aspect of the embodiment of the present invention,
the obtaining module is further configured to, after the determining module determines that the file to be detected is a virus file, obtain a target strategy subset corresponding to the target behaviour log, where the target strategy subset includes the strategies matched by the N dynamic behaviours;
and determine the target virus type corresponding to the target strategy subset according to virus classification rules, where the virus classification rules are a correspondence between strategy subsets and virus types.
In one possible design, in a fifth implementation of the second aspect of the embodiment of the present invention, the file detection apparatus further includes a receiving module;
the receiving module is configured to receive a rule group configuration instruction before the matching module matches every dynamic behaviour in the target behaviour log against every rule corresponding to every strategy in the strategy set;
the generation module is further configured to generate a correspondence between a rule group and at least one rule according to the rule group configuration instruction received by the receiving module, where the rule group belongs to a strategy and the strategy further includes the malice score;
the receiving module is further configured to receive a classification configuration instruction;
and the generation module is further configured to generate a correspondence between a virus type and at least one rule group according to the classification configuration instruction received by the receiving module.
In one possible design, in a sixth implementation of the second aspect of the embodiment of the present invention, the file detection apparatus may further include a computing module;
the obtaining module is further configured to obtain a safe sample set and a virus sample set before the matching module matches every dynamic behaviour in the target behaviour log against every rule corresponding to every strategy in the strategy set, where the safe sample set includes at least one safe file sample and the virus sample set includes at least one virus file sample;
the obtaining module is further configured to obtain a strategy to be scored from the strategy set, where the strategy to be scored includes a target rule group;
the computing module is configured to calculate a first match count according to the target rule group and the safe sample set obtained by the obtaining module;
the computing module is further configured to calculate a second match count according to the target rule group and the virus sample set;
and the computing module is further configured to calculate the malice score of the strategy to be scored according to the first match count and the second match count.
In one possible design, in a seventh implementation of the second aspect of the embodiment of the present invention,
the computing module is specifically configured to calculate the malice score of the strategy to be scored as follows:
Q = (a/X - b/Y) * 100;
where Q denotes the malice score of the strategy to be scored, a denotes the second match count (the number of virus samples the target rule group matches), b denotes the first match count (the number of safe samples it matches), X denotes the number of virus file samples in the virus sample set, and Y denotes the number of safe file samples in the safe sample set.
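The following is an added example (not code from the patent or from Tencent) that computes the malice score Q = (a/X - b/Y) * 100 of a rule group over a safe sample set and a virus sample set, as the sixth and seventh implementations describe. Each sample is reduced here to the set of API names it called in the sandbox, and a rule group matches a sample when every API it requires is present; that reduction, the sample data and the rejection of non-positive scores are assumptions for this example, not part of the patent:

```python
"""Malice score of a rule group from labelled sample sets (added example).

Q = (a/X - b/Y) * 100, with a = virus samples matched by the rule group,
X = size of the virus sample set, b = safe samples matched, Y = size of
the safe sample set. Samples are reduced to the set of APIs they called
(assumption); all sample data below is constructed.
"""
from fractions import Fraction


def rule_group_matches(rule_group, api_calls):
    """A rule group (one API name per rule) matches a sample whose observed
    API set contains all of them. Order is ignored in this simplification."""
    return set(rule_group) <= set(api_calls)


def malice_score(rule_group, virus_samples, safe_samples):
    """Q = (a/X - b/Y) * 100 in exact arithmetic. Q is negative when the
    group fires more often on safe files than on virus files."""
    X, Y = len(virus_samples), len(safe_samples)
    if X == 0 or Y == 0:
        raise ValueError("both sample sets must be non-empty")
    a = sum(rule_group_matches(rule_group, s) for s in virus_samples)
    b = sum(rule_group_matches(rule_group, s) for s in safe_samples)
    return (Fraction(a, X) - Fraction(b, Y)) * 100


def accept_rule_group(rule_group, virus_samples, safe_samples):
    """Practitioner check (assumption, not in the patent): a rule group whose
    Q is not positive carries no evidence of malice and is rejected (None)
    instead of becoming a strategy with a score outside [0, 100]."""
    q = malice_score(rule_group, virus_samples, safe_samples)
    return q if q > 0 else None


# Constructed black-sample behaviour library: APIs each virus sample called.
VIRUS_SAMPLES = [
    {"CreateFile", "WriteFile", "CreateProcess", "RegSetValue"},
    {"CreateFile", "WriteFile", "CreateProcess", "InternetOpen"},
    {"CreateFile", "CreateProcess", "RegSetValue", "InternetOpen"},
    {"VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread"},
]
# Constructed white-sample behaviour library: APIs each safe sample called.
SAFE_SAMPLES = [
    {"CreateFile", "ReadFile", "CloseHandle"},
    {"CreateFile", "WriteFile", "CloseHandle"},
    {"CreateFile", "WriteFile", "CreateProcess"},
    {"RegQueryValue", "CloseHandle"},
    {"CreateFile", "RegSetValue"},
]

if __name__ == "__main__":
    for group in ({"CreateFile", "CreateProcess", "RegSetValue"},
                  {"CreateFile", "WriteFile"},
                  {"CreateFile"}):
        print(sorted(group), malice_score(group, VIRUS_SAMPLES, SAFE_SAMPLES))
```

A rule group consisting only of CreateFile matches four of five safe samples and three of four virus samples, so its Q is negative; the formula on its own does not clamp that, which is why the scoring step above is paired with an explicit accept/reject decision.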
A third aspect of the present invention provides a file detection apparatus, comprising a memory, a transceiver, a processor and a bus system;
where the memory is configured to store a program;
the processor is configured to execute the program in the memory, performing the following steps:
obtaining a target behaviour log of a file to be detected, where the target behaviour log includes N dynamic behaviours, a dynamic behaviour is information describing an associated operation, and N is an integer greater than or equal to 1;
matching every dynamic behaviour in the target behaviour log against every rule corresponding to every strategy in a strategy set to obtain a matching result, where the strategy set includes M preconfigured strategies, each strategy corresponds to at least one rule and to one malice score, and M is an integer greater than or equal to 1;
generating a target malice score corresponding to the target behaviour log according to the matching result;
if the target malice score reaches a malice score threshold, determining that the file to be detected is a virus file;
and the bus system is configured to connect the memory and the processor so that the memory and the processor communicate.
A fourth aspect of the present invention provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to execute the method described in the above aspects.
As can be seen from the above technical solutions, the embodiment of the present invention has the following advantages:
The embodiment of the present invention provides a file detection method. First, a target behaviour log of a file to be detected is obtained, where the target behaviour log includes N dynamic behaviours and a dynamic behaviour describes an executed operation. Every dynamic behaviour in the target behaviour log is then matched against every rule corresponding to every strategy in a strategy set to obtain a matching result, a target malice score corresponding to the target behaviour log is generated from the matching result, and if the target malice score reaches a malice score threshold the file to be detected is determined to be a virus file. In this way, file security detection no longer examines the static features of the file but its dynamic behaviour, so detection is not affected by deformation of virus signatures and retains strong detection and removal capability against unknown viruses, which reduces the virus false-alarm rate.
Detailed description of the invention
Fig. 1 is a schematic architecture diagram of the file detection system in an embodiment of the present invention;
Fig. 2 is a schematic diagram of the interaction structure of the file detection system in an embodiment of the present invention;
Fig. 3 is a schematic diagram of one embodiment of the file detection method in an embodiment of the present invention;
Fig. 4 is a schematic diagram of strategy content in an embodiment of the present invention;
Fig. 5 is a schematic diagram of one embodiment of matching a file to be detected in an embodiment of the present invention;
Fig. 6 is a flow diagram of matching dynamic behaviours against each rule in a strategy in an embodiment of the present invention;
Fig. 7 is a flow diagram of matching dynamic behaviours against the strategy set in an embodiment of the present invention;
Fig. 8 is a schematic diagram of the matching relationship between rules, rule groups and virus types in an embodiment of the present invention;
Fig. 9 is a schematic diagram of another embodiment of the file detection method in an embodiment of the present invention;
Fig. 10 is a schematic diagram of one embodiment of the file detection apparatus in an embodiment of the present invention;
Fig. 11 is a schematic diagram of another embodiment of the file detection apparatus in an embodiment of the present invention;
Fig. 12 is a schematic diagram of another embodiment of the file detection apparatus in an embodiment of the present invention;
Fig. 13 is a schematic structural diagram of a terminal device in an embodiment of the present invention;
Fig. 14 is a schematic structural diagram of a server in an embodiment of the present invention.
Specific embodiment
The embodiment of the present invention provides a file detection method and related apparatus. During file security detection, the static features of the file are no longer examined; instead the dynamic behaviour of the file is examined, so detection is not affected by deformation of virus signatures and retains strong detection and removal capability against unknown viruses, which reduces the virus false-alarm rate.
The terms "first", "second", "third", "fourth" and so on (if present) in the description, claims and drawings are used to distinguish similar objects and not to describe a particular order or sequence. It should be understood that data so described are interchangeable where appropriate, so that the embodiments described herein can, for example, be implemented in sequences other than those illustrated or described here. In addition, the terms "include" and "have" and any variants of them are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device comprising a series of steps or units is not necessarily limited to the steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to that process, method, product or device.
It should be understood that the present invention mainly applies to virus detection scenarios. Specifically it can be used to detect network viruses (which propagate over computer networks and infect executable files in the network), file viruses (which infect files on a computer, such as component object model (COM) files, executable programs (EXE) and documents (DOC)) and boot-sector viruses (which infect the boot sector), as well as mixed forms of these three, for example multipartite viruses (file virus plus boot-sector virus) that infect both files and the boot sector. Such viruses usually have complex algorithms, invade systems by unconventional means and use encryption and deformation algorithms.
For ease of understanding, the present invention proposes a file detection method applied to the file detection system shown in Fig. 1, which is a schematic architecture diagram of the file detection system in an embodiment of the present invention. As shown, the file detection apparatus can be deployed on a server. The server automatically trains a strategy set containing at least one strategy, where each strategy has a rule group and a corresponding malice score and a rule group contains at least one rule. The strategy set is stored locally on the server. When a file is detected, the dynamic behaviours of the file are first obtained by parsing, and then every dynamic behaviour is matched in turn against every rule. When all rules in a strategy have matched, the malice score of that strategy is obtained; finally the malice scores of all matched strategies are summed to obtain a final result. If that result is greater than or equal to a preset threshold, the server determines that the file is a virus file and feeds the result back to the client, which shows the user that the file is a virus file so that the user can deal with it as early as possible.
Similarly, the file detection apparatus can also be deployed on a client, with the strategy set stored locally on the client. When a file is detected, the dynamic behaviours of the file are first obtained by parsing, then every dynamic behaviour is matched in turn against every rule. When all rules in a strategy have matched, the malice score of that strategy is obtained, and finally the malice scores of all matched strategies are summed to obtain a final result. If that result is greater than or equal to the preset threshold, the client determines that the file is a virus file and can directly show the user that the file is a virus file so that the user can deal with it as early as possible.
It should be noted that the client is deployed on a terminal device, where the terminal device includes but is not limited to tablet computers, laptops, palmtop computers, mobile phones and personal computers (PC), without limitation here. The client may specifically be Tencent PC Manager (Tencent personal computer manager), a security software offering cloud Trojan scanning and removal, system acceleration, vulnerability repair, real-time protection, network speed protection, computer clinic, health assistant, desktop organiser, document protection and similar functions.
For ease of understanding, refer to Fig. 2, a schematic diagram of the interaction structure of the file detection system in an embodiment of the present invention. As shown, an automated training machine is usually deployed on the server, and the server trains a behaviour strategy library that can be deployed on the server or on the client, without limitation here. How the behaviour strategy library is trained is explained below. The automated training machine extracts dynamic behaviours from a large number of samples of known attributes (safe samples and virus samples) through a sandbox system, forming a white-sample behaviour library and a black-sample behaviour library. The sandbox system builds a secure simulated user environment using virtual machine technology, lets the sample (such as an EXE) act in that environment and observes its dynamic behaviour without affecting the real user environment; the virtual machine here is the open-source VirtualBox.
Training scheduling obtains dynamic behaviours from the dynamic behaviour library, then tests the manually extracted rule groups and assigns a malice score to each rule group. The automated training machine can also update the malice scores periodically so that they track the real situation more closely. The automated training machine is a sandbox-based dynamic system: given an input sample, it outputs the sample's dynamic behaviours. It processes a massive number of historical samples into a huge dynamic behaviour library, so that when a dynamic behaviour is extracted manually a malice score can be obtained from the automated training machine. The behaviour strategy library is obtained from the training results and contains a rule library (at least one dynamic behaviour), a strategy library (at least one strategy) and a class library (classification of at least one strategy). During virus identification, the behaviour log of the file to be detected is first extracted according to the manually extracted rules, the behaviour log is then matched using the behaviour strategy library, and finally the matching result determines whether the file to be detected is a virus file. Further, if this method detects the file as a virus file while another application reports it as a safe file, i.e. a detection conflict occurs, manual judgement is required.
In conjunction with the above, the file detection method of the present invention is described below. Referring to Fig. 3, one embodiment of the file detection method in the embodiment of the present invention includes:
101. Obtain a target behaviour log of a file to be detected, where the target behaviour log includes N dynamic behaviours, a dynamic behaviour is information describing an associated operation, and N is an integer greater than or equal to 1.
In this embodiment, the file to be detected is obtained first. It may be any computer file that needs identification, such as an Office file, an EXE file or a dynamic link library (DLL) file. Its target behaviour log is then extracted. The target behaviour log reflects actions taken on behalf of the user, such as visiting a website, browsing pages, searching for entries and clicking on pages. It generally includes at least one dynamic behaviour, where a dynamic behaviour is the series of actions by which a process, once executed, obtains system resources through application programming interfaces (APIs); that is, every dynamic behaviour represents information associated with an operation.
102. Match every dynamic behaviour in the target behaviour log against every rule corresponding to every strategy in a strategy set to obtain a matching result, where the strategy set includes M preconfigured strategies, each strategy corresponds to at least one rule and to one malice score, and M is an integer greater than or equal to 1.
In this embodiment, every dynamic behaviour in the target behaviour log is matched against every rule corresponding to every strategy in the strategy set, where the strategy set includes M preconfigured strategies and M is an integer greater than or equal to 1. For ease of understanding, refer to Fig. 4, a schematic diagram of strategy content in an embodiment of the present invention. As shown, a strategy is a method for identifying a virus and mainly consists of a rule group and a malice score. A rule group contains at least one rule, for example rule 1, rule 2 and rule 3. The malice score denotes the degree of maliciousness of this rule group; its value ranges from 0 to 100 inclusive, where a larger value indicates greater maliciousness, 0 indicates no malice (i.e. safe) and 100 indicates a virus. The extraction of rule groups tends to rely on human experience.
Assume that a virus must access several APIs to complete one attack; those API accesses together accomplish one task and reach one target. One rule is one API access, and these rules together form a rule group. Computing the malice score of that rule group then yields a strategy.
The matching result records whether each dynamic behaviour in the target behaviour log matched each rule corresponding to each strategy in the strategy set. For ease of introduction, refer to Fig. 5, a schematic diagram of one embodiment of matching a file to be detected in an embodiment of the present invention. As shown, assume the target behaviour log contains 4 dynamic behaviours and the strategy set contains 3 strategies. Dynamic behaviour 1 is matched against every rule in every strategy, dynamic behaviour 2 against every rule in every strategy, dynamic behaviour 3 against every rule in every strategy, and dynamic behaviour 4 against every rule in every strategy. The matching result is: in strategy A, rule 1 matches dynamic behaviour 1 and rule 2 matches dynamic behaviour 3, so strategy A matches; in strategy B, rule 3 matches dynamic behaviour 2 and rule 4 matches dynamic behaviour 3, so strategy B matches; in strategy C, rule 5 matches dynamic behaviour 4 but rule 6 matches no dynamic behaviour, so strategy C fails to match.
103. Generate a target malice score corresponding to the target behaviour log according to the matching result.
In this embodiment, each strategy has its own malice score, so the target malice score corresponding to the target behaviour log can be generated from the matching result. Continuing with the example of Fig. 5, assume the malice score of strategy A is 30 and the malice score of strategy B is 50; the target malice score is then the sum of the malice scores of strategy A and strategy B, i.e. 80.
104. If the target malice score reaches the malice score threshold, determine that the file to be detected is a virus file.
In this embodiment, it is judged whether the target malice score reaches the malice score threshold. If it does, the file to be detected is determined to be a virus file; otherwise the file to be detected is considered a safe file. It can be understood that the malice score threshold can usually be set to 100, although in practical applications it may be set to other values, without limitation here.
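The following is an added example (not code from the patent or from Tencent) implementing steps 101 to 104 above together with the field-wise matching of the first implementation (operator, API, process, operation object, additional parameter) and the ordered i/k walk of the second implementation, run over a constructed behaviour log that reproduces the Fig. 5 outcome: strategies A and B match, C does not, and 30 + 50 = 80 stays below the threshold of 100. The field names, the convention that an unset rule field is a wildcard, the strategy names and scores, the API names in the log and the virus-type table of the fourth implementation are all assumptions made for this example:

```python
"""Behaviour-log matching and scoring (added example, not the patent's code).

Assumptions: field names below, "None means don't care" for optional rule
fields, and all strategy/log/classification data, which is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FIELDS = ("operator", "api", "process", "obj", "params")


@dataclass(frozen=True)
class Rule:
    """Preset fields of one rule. operator and api are mandatory (first
    implementation); a None in the optional fields leaves it unconstrained."""
    operator: str
    api: str
    process: Optional[str] = None
    obj: Optional[str] = None      # operation object
    params: Optional[str] = None   # additional parameter

    def matches(self, behaviour: dict) -> bool:
        return all(getattr(self, f) is None or behaviour.get(f) == getattr(self, f)
                   for f in FIELDS)


@dataclass(frozen=True)
class Strategy:
    name: str
    rules: Tuple[Rule, ...]   # rule group, in the order the rules must fire
    score: int                # malice score in [0, 100]


def match_strategy(log: List[dict], strategy: Strategy) -> Tuple[bool, List[Tuple[int, int]]]:
    """Second implementation: compare behaviour i with rule k; on success go
    to (i+1, k+1), on failure to (i+1, k). The strategy matches only when
    every rule has been consumed. Returns (matched, [(i, k), ...]), 0-based."""
    k, hits = 0, []
    for i, behaviour in enumerate(log):
        if k == len(strategy.rules):
            break
        if strategy.rules[k].matches(behaviour):
            hits.append((i, k))
            k += 1
    return k == len(strategy.rules), hits


def score_log(log: List[dict], strategies, threshold: int = 100):
    """Steps 102-104: sum the malice scores of matched strategies (third
    implementation); the file is a virus file when the sum reaches threshold."""
    matched = [s.name for s in strategies if match_strategy(log, s)[0]]
    total = sum(s.score for s in strategies if s.name in matched)
    return total, matched, total >= threshold


def classify(matched_names, class_rules) -> str:
    """Fourth implementation: the matched strategy subset selects a virus type."""
    return class_rules.get(frozenset(matched_names), "unclassified")


# Constructed strategy set mirroring Fig. 5 (A and B fully match, C does not).
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
PAYLOAD = r"C:\Temp\payload.exe"
STRATEGIES = (
    Strategy("A", (Rule("sample", "CreateFile", obj=PAYLOAD),
                   Rule("sample", "CreateProcess", obj=PAYLOAD)), 30),
    Strategy("B", (Rule("sample", "RegSetValue", obj=RUN_KEY),
                   Rule("sample", "CreateProcess")), 50),
    Strategy("C", (Rule("sample", "InternetOpen"),
                   Rule("sample", "InternetReadFile")), 40),
)
# Constructed virus classification rules: matched strategy subset -> type.
CLASS_RULES = {
    frozenset({"A", "B"}): "dropper",
    frozenset({"A", "B", "C"}): "downloader",
}
# Constructed sandbox behaviour log with 4 dynamic behaviours, as in Fig. 5.
LOG = [
    {"operator": "sample", "api": "CreateFile", "process": "sample.exe",
     "obj": PAYLOAD, "params": "GENERIC_WRITE"},
    {"operator": "sample", "api": "RegSetValue", "process": "sample.exe",
     "obj": RUN_KEY, "params": "payload"},
    {"operator": "sample", "api": "CreateProcess", "process": "sample.exe",
     "obj": PAYLOAD, "params": ""},
    {"operator": "sample", "api": "InternetOpen", "process": "payload.exe",
     "obj": "", "params": "Mozilla/5.0"},
]

if __name__ == "__main__":
    total, matched, is_virus = score_log(LOG, STRATEGIES)
    print(total, matched, is_virus, classify(matched, CLASS_RULES))
```

Because the second implementation only advances the rule index on a hit, rule order inside a group matters: the same two behaviours in the opposite order (process creation before the file write) leave strategy A unmatched. Appending an InternetReadFile behaviour to the log completes strategy C and lifts the total to 120, which crosses the threshold.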
In the embodiment of the present invention, a kind of method of file detection is provided, obtains the goal behavior of file to be detected first Log, wherein goal behavior log includes N dynamic behaviour, and dynamic behaviour is used for the related information for indicating to execute operation, then It can be by every dynamic behaviour in goal behavior log and every rule progress corresponding to strategy each in strategy set Match, obtain matching result, generate target malice score corresponding to goal behavior log further according to matching result, if target malice Score reaches malice score threshold, it is determined that file to be detected is virus document.By the above-mentioned means, carrying out file security During detection, no longer the static nature of file is detected, but the dynamic behaviour of file is detected, thus not The influence that will receive virus characteristic deformation, also has stronger killing ability to unknown virus, to reduce viral rate of false alarm.
Optionally, on the basis of the embodiment corresponding to Fig. 3 above, in the first alternative embodiment of the method of file detection provided by the embodiment of the present invention, a dynamic behaviour includes at least an operator and an application programming interface (API);
wherein the operator indicates the object that initiates the operation, and the API indicates the interface function called to execute the operation;
the dynamic behaviour may further include at least one of a process, an operation object and an additional parameter;
wherein the process indicates the entity that runs the operation, the operation object indicates the object that receives the operation, and the additional parameter indicates a parameter related to the operation;
matching each dynamic behaviour in the target behaviour log against each rule corresponding to each strategy in the strategy set to obtain a matching result may include:
obtaining the operator, API, process, operation object and additional parameter of each dynamic behaviour in the target behaviour log;
obtaining the preset operator, preset API, preset process, preset operation object and preset additional parameter of each rule in each strategy;
matching the operator of each dynamic behaviour against the preset operator of each rule, matching the API of each dynamic behaviour against the preset API of each rule, matching the process of each dynamic behaviour against the preset process of each rule, matching the operation object of each dynamic behaviour against the preset operation object of each rule, and matching the additional parameter of each dynamic behaviour against the preset additional parameter of each rule, to obtain the matching result.
In this embodiment, a rule is a dynamic behaviour extracted in advance and is similar to a dynamic behaviour extracted from the target behaviour log: both have at least two elements, namely an operator and an API. In general, the operator is the object that initiates the operation, and the API is the interface function called to execute the operation, so the executed operation can be known from the API. Optionally, a dynamic behaviour may further include at least one of a process, an operation object and an additional parameter, where the process indicates the entity that runs the operation, the operation object indicates the object that receives the operation, and the additional parameter indicates a parameter related to the operation. It can be understood that the more complete the elements are, the more precisely the behaviour is expressed.
Specifically, assume that a dynamic behaviour consists of an operator, a process, an API, an operation object and an additional parameter; the dynamic behaviour can then be expressed as:
bff30a6753338e7a9d371ec31c839a44,123.exe,CreateProcess,234.exe,c:\234.exe
where bff30a6753338e7a9d371ec31c839a44 is the operator (the operator may be a virus);
123.exe is the process;
CreateProcess is the API;
234.exe is the operation object;
c:\234.exe is the additional parameter.
It can be understood that when the API is "OpenProcess", the corresponding additional parameters are "ProcessId" and "DesiredAccess"; when the API is "ExitProcess", the corresponding additional parameter is "ProcessName"; when the API is "TerminateProcess", the corresponding additional parameters are "ProcessName" and "ProcessId"; when the API is "SuspendProcess", the corresponding additional parameters are "ProcessName" and "ProcessId"; when the API is "ResumeProcess", the corresponding additional parameters are "ProcessName" and "ProcessId"; when the API is "OpenThread", the corresponding additional parameters are "ThreadId", "ProcessId" and "DesiredAccess". In practice there are also other kinds of APIs with their own additional parameters, which are not enumerated here.
Correspondingly, each rule in a strategy is also composed of the above five kinds of parameters, specifically a preset operator, a preset API, a preset process, a preset operation object and a preset additional parameter. Therefore, in the actual matching process, the operator of each dynamic behaviour is matched against the preset operator of each rule, the API of each dynamic behaviour against the preset API of each rule, the process of each dynamic behaviour against the preset process of each rule, the operation object of each dynamic behaviour against the preset operation object of each rule, and the additional parameter of each dynamic behaviour against the preset additional parameter of each rule. That is, the corresponding matching result is determined by matching each parameter one by one.
Secondly, the embodiment of the present invention describes the elements that a dynamic behaviour specifically includes: the operator and the API are mandatory elements, so each dynamic behaviour must have an operator and an API, while the process, the operation object and the additional parameter are optional elements, of which at least one may be present or none at all. In this way, the content related to an operation can be recognised from each dynamic behaviour or each rule, and the more complete the elements are, the more specific the dynamic behaviour or rule expressed, which improves the feasibility and operability of the operation.
Optionally, on the basis of the embodiment corresponding to Fig. 3 above, in the second alternative embodiment of the method of file detection provided by the embodiment of the present invention, matching each dynamic behaviour in the target behaviour log against each rule corresponding to each strategy in the strategy set to obtain a matching result includes:
obtaining the i-th dynamic behaviour in the target behaviour log, where i is an integer greater than or equal to 1 and less than or equal to N;
obtaining the k-th rule corresponding to the j-th strategy in the strategy set, where j is an integer greater than or equal to 1 and less than or equal to M, and k is an integer greater than or equal to 1;
matching the i-th dynamic behaviour against the k-th rule corresponding to the j-th strategy;
if the i-th dynamic behaviour matches the k-th rule corresponding to the j-th strategy successfully, matching the (i+1)-th dynamic behaviour against the (k+1)-th rule corresponding to the j-th strategy;
if the i-th dynamic behaviour fails to match the k-th rule corresponding to the j-th strategy, matching the (i+1)-th dynamic behaviour against the k-th rule corresponding to the j-th strategy.
In this embodiment, the process of matching dynamic behaviours against rules is introduced with reference to the drawings. Refer to Fig. 6 and Fig. 7: Fig. 6 is a flow diagram of matching a dynamic behaviour against each rule in a strategy in the embodiment of the present invention, and Fig. 7 is a flow diagram of matching dynamic behaviours against the strategy set in the embodiment of the present invention. As shown in Fig. 7, it can be seen from step 301 and step 302 that there is a strategy set D containing M strategies, and the target behaviour log L includes N dynamic behaviours; the target behaviour log L needs to be matched against each strategy in the strategy set D.
In step 303, matching of the target behaviour log L against the M strategies in the strategy set D begins; the specific matching procedure is shown in Fig. 6. Referring to Fig. 6, step 201 is the same as step 301, i.e. all N dynamic behaviours in the target behaviour log L are to be matched.
In step 202, assume that the j-th strategy, strategy S, is first obtained from the strategy set D, and that strategy S contains K rules.
In step 203, the i-th dynamic behaviour in the target behaviour log is obtained, where i is an integer greater than or equal to 1 and less than or equal to N, and the k-th rule corresponding to the j-th strategy in the strategy set is obtained, where j is an integer greater than or equal to 1 and less than or equal to M, and k is an integer greater than or equal to 1. When the initial values are set, i equals 1 and k equals 1.
In step 204, the i-th dynamic behaviour in the target behaviour log is matched against the k-th rule corresponding to the j-th strategy by regular matching. Regular matching usually requires regular expressions: a regular expression is a logical formula for operating on strings, which uses predefined specific characters and combinations of them to form a "rule string" that expresses a filtering logic on strings.
In step 205, it is judged whether the i-th dynamic behaviour matches the k-th rule corresponding to the j-th strategy successfully; if so, step 206 is entered, otherwise, if matching fails, step 208 is entered;
In step 206, if the i-th dynamic behaviour matches the k-th rule corresponding to the j-th strategy successfully, the (i+1)-th dynamic behaviour is matched against the (k+1)-th rule corresponding to the j-th strategy;
In step 207, it is further judged whether (k+1) is greater than K; if so, step 210 is entered, otherwise, if (k+1) is less than or equal to K, step 209 is entered;
In step 208, if the i-th dynamic behaviour fails to match the k-th rule corresponding to the j-th strategy, the (i+1)-th dynamic behaviour is matched against the k-th rule corresponding to the j-th strategy;
In step 209, it is judged whether (i+1) is greater than N, that is, whether (i+1) exceeds the total number of dynamic behaviours in the target behaviour log; if so, step 211 is entered, otherwise, if it is not greater, step 204 is entered and matching continues;
In step 210, if (k+1) is greater than K, this indicates that matching of strategy S has been completed, that is, all K rules of strategy S have been matched successfully;
In step 211, if the K rules in strategy S have not all been matched after the N dynamic behaviours have been processed, it is determined that matching has failed;
In step 212, the matching result is output, i.e. whether the target behaviour log of the file to be detected matches strategy S successfully.
Secondly, the embodiment of the present invention describes the specific way in which each dynamic behaviour in the target behaviour log is matched against each rule corresponding to each strategy in the strategy set: the i-th dynamic behaviour in the target behaviour log and the k-th rule corresponding to the j-th strategy in the strategy set are obtained, the i-th dynamic behaviour is matched against the k-th rule corresponding to the j-th strategy, and if matching succeeds the next dynamic behaviour is matched against the next rule, whereas if matching fails the next dynamic behaviour is matched against the k-th rule corresponding to the j-th strategy. In this way, matching between each dynamic behaviour in the target behaviour log and each rule in each strategy can be completed; the one-by-one matching principle guarantees comprehensive matching, thereby improving the success rate and reliability of matching.
Optionally, on the basis of the second embodiment corresponding to Fig. 3 above, in the third alternative embodiment of the method of file detection provided by the embodiment of the present invention, generating the target malice score corresponding to the target behaviour log according to the matching result may include:
if the target behaviour log matches the j-th strategy successfully, obtaining the first malice score corresponding to the j-th strategy;
if the target behaviour log matches the (j+1)-th strategy successfully, obtaining the second malice score corresponding to the (j+1)-th strategy;
adding the first malice score to the second malice score to obtain the target malice score.
In this embodiment, on the basis of the second embodiment corresponding to Fig. 3 above, how to calculate the target malice score of the file to be detected is introduced. For ease of introduction, continue to refer to Fig. 6 and Fig. 7. Step 212 of Fig. 6 outputs the matching result of the target behaviour log against the j-th strategy, which is one of two possibilities: matching succeeded or matching failed. In step 304 of Fig. 7, it is determined from the matching result whether the target behaviour log matched the j-th strategy successfully; if so, step 306 is entered, otherwise, if matching failed, step 305 is entered.
In step 305, if the target behaviour log fails to match the j-th strategy, the target behaviour log continues to be matched against the (j+1)-th strategy.
In step 306, if the target behaviour log matches the j-th strategy successfully, the first malice score corresponding to the j-th strategy is obtained; assuming the first malice score is a, the target malice score W is a. Correspondingly, if the target behaviour log matches the (j+1)-th strategy successfully, the second malice score corresponding to the (j+1)-th strategy is obtained; assuming the second malice score is b, the target malice score W is (a+b), and so on.
In step 307, it is judged whether matching of all M strategies in the strategy set has been completed; if so, step 308 is executed, otherwise step 305 is executed, i.e. the judgement of the next strategy continues.
In step 308, it is judged whether the target malice score is greater than or equal to 100; if so, step 309 is executed, otherwise step 311 is executed, i.e. the detection process of the file to be detected is completed.
In step 309, if the target malice score is greater than or equal to 100, the file to be detected is determined to be a virus file.
In step 310, finally, the specific type of the virus can also be determined according to the rule groups corresponding to the hit strategies.
In step 311, the detection process of the file to be detected ends.
Again, the embodiment of the present invention explains the way of generating the target malice score corresponding to the target behaviour log according to the matching result: if the target behaviour log matches the j-th strategy successfully, the first malice score corresponding to the j-th strategy is obtained; if the target behaviour log matches the (j+1)-th strategy successfully, the second malice score corresponding to the (j+1)-th strategy is obtained; finally the first malice score is added to the second malice score to obtain the target malice score. In this way, the target malice score is calculated by accumulation rather than by directly taking the malice score of a single strategy as the final target malice score, which improves the reasonableness of the scheme and allows the safety of the file to be detected to be assessed more accurately.
Optionally, on the basis of the embodiment corresponding to Fig. 3 above, in the fourth alternative embodiment of the method of file detection provided by the embodiment of the present invention, after the file to be detected is determined to be a virus file, the method may further include:
obtaining the target strategy subset corresponding to the target behaviour log, where the target strategy subset includes the strategies that match the N dynamic behaviours;
determining the target virus type corresponding to the target strategy subset according to a virus classification rule, where the virus classification rule is the correspondence between strategy subsets and virus types.
In this embodiment, how to further determine the virus type of the file to be detected, once the file has been determined to be a virus file, is introduced. Assume there are 100 strategies in the strategy set, of which the target behaviour log has hit 5; these 5 strategies form the target strategy subset. It can be understood that the 5 strategies included in the target strategy subset are the strategies matched successfully by the N dynamic behaviours in the target behaviour log. Next, the target virus type corresponding to the target strategy subset is determined according to the virus classification rule, where the virus classification rule is the correspondence between strategy subsets and virus types. For ease of introduction, refer to Table 1, which is an illustration of a virus classification rule.
Table 1
Virus type        Strategy subset
Trojan horse A    Strategy 1, strategy 6, strategy 55, strategy 60, strategy 77, strategy 89 and strategy 93
Trojan horse B    Strategy 1, strategy 2 and strategy 3
Trojan horse C    Strategy 5, strategy 15, strategy 38, strategy 40, strategy 45, strategy 69 and strategy 73
Trojan horse D    Strategy 7 and strategy 8
Trojan horse E    Strategy 42, strategy 44, strategy 45, strategy 50 and strategy 84
Trojan horse F    Strategy 9, strategy 19 and strategy 22
Trojan horse G    Strategy 11, strategy 22, strategy 26, strategy 28, strategy 29, strategy 36 and strategy 42
Trojan horse H    Strategy 85 and strategy 86
Trojan horse I    Strategy 74, strategy 75, strategy 78 and strategy 91
Assuming that the target strategy subset includes strategy 42, strategy 44, strategy 45, strategy 50 and strategy 84, it can be determined from the virus classification rule that the virus type of the file to be detected is Trojan horse E.
Secondly, in the embodiment of the present invention, after the file to be detected is determined to be a virus file, the virus classification can be further determined: the target strategy subset, i.e. the set of hit strategies, is obtained, and the target virus type corresponding to the target strategy subset can be determined according to the virus classification rule. In this way, the type of the virus can also be determined, so that a series of improper operations can be prohibited according to the virus type, effectively preventing the virus from replicating in the system and thereby improving the security of the system.
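The Fig. 6 matching walk (both indices advance on a hit, only the behaviour index on a miss), the score accumulation of steps 304 to 309 and the Table 1 lookup, as an added Python example that is not the patent's code. The log lines, rules, scores and taxonomy are constructed; the per-element regular matching of step 204 is assumed to require a full match, and a virus type is assumed to apply when every strategy in its subset was hit.

```python
"""Behaviour-log matching, score accumulation and virus typing (added example).
Log lines follow the page's layout operator,process,API,operation object,
additional parameter; every line, rule, score and taxonomy entry is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

FIELDS = ("operator", "process", "api", "target", "params")


def parse_behaviour(line: str) -> Dict[str, str]:
    """Split one log line into its five elements.  The additional parameter may
    itself contain commas, so split at most four times.  Operator and API are
    mandatory; the other three elements may be empty."""
    parts = line.strip().split(",", 4)
    parts += [""] * (len(FIELDS) - len(parts))
    behaviour = dict(zip(FIELDS, parts))
    if not behaviour["operator"] or not behaviour["api"]:
        raise ValueError("operator and API are required: %r" % line)
    return behaviour


@dataclass
class Rule:
    """Preset elements of one rule.  Each entry is a regular expression that must
    match the whole element (step 204); an element with no entry is unconstrained."""
    patterns: Dict[str, str]

    def matches(self, behaviour: Dict[str, str]) -> bool:
        return all(re.fullmatch(pat, behaviour[name]) is not None
                   for name, pat in self.patterns.items())


@dataclass
class Strategy:
    name: str
    rules: List[Rule]      # the rule group, in the order it must be hit
    malice_score: int


def strategy_matches(log: List[Dict[str, str]], strategy: Strategy) -> bool:
    """Fig. 6 walk: on a hit both the behaviour index i and the rule index k
    advance, on a miss only i advances.  Success once all K rules are hit
    (step 210); failure if the N behaviours run out first (step 211)."""
    rules = strategy.rules
    if not rules:
        return False
    k = 0
    for behaviour in log:
        if rules[k].matches(behaviour):
            k += 1
            if k == len(rules):
                return True
    return False


def detect(log, strategies, threshold=100) -> Tuple[int, List[str], bool]:
    """Steps 304 to 309: try every strategy, add up the malice scores of the
    hit strategies and compare the total with the threshold."""
    hit = [s for s in strategies if strategy_matches(log, s)]
    total = sum(s.malice_score for s in hit)
    return total, [s.name for s in hit], total >= threshold


def classify(hit_names, taxonomy) -> List[str]:
    """Table 1 lookup.  Assumption: a virus type applies when every strategy
    in its subset is among the hit strategies."""
    hits = set(hit_names)
    return sorted(t for t, subset in taxonomy.items() if set(subset) <= hits)


# Constructed data modelled on Fig. 5: strategies A and B hit, C misses.
OPERATOR = "bff30a6753338e7a9d371ec31c839a44"   # operator from the page's example line
LOG_LINES = [
    OPERATOR + ",123.exe,CreateProcess,234.exe,c:\\234.exe",
    OPERATOR + ",234.exe,OpenProcess,notepad.exe,ProcessId=4321,DesiredAccess=0x1000",
    OPERATOR + ",234.exe,SuspendProcess,notepad.exe,ProcessName=notepad.exe,ProcessId=4321",
    OPERATOR + ",234.exe,TerminateProcess,notepad.exe,ProcessName=notepad.exe,ProcessId=4321",
]
STRATEGIES = [
    Strategy("A", [Rule({"api": "CreateProcess"}),
                   Rule({"api": "SuspendProcess"})], 30),
    Strategy("B", [Rule({"api": "OpenProcess"}),
                   Rule({"api": "SuspendProcess", "process": r"234\.exe"})], 50),
    Strategy("C", [Rule({"api": "TerminateProcess"}),
                   Rule({"api": "ExitProcess"})], 40),
]
TAXONOMY = {"trojan horse E": ["A", "B", "C"], "trojan horse D": ["A", "D"]}

if __name__ == "__main__":
    log = [parse_behaviour(line) for line in LOG_LINES]
    print(detect(log, STRATEGIES))                        # (80, ['A', 'B'], False)
    log.append(parse_behaviour(OPERATOR + ",234.exe,ExitProcess,234.exe,ProcessName=234.exe"))
    total, hit, is_virus = detect(log, STRATEGIES)
    print(total, hit, is_virus, classify(hit, TAXONOMY))  # 120 ['A', 'B', 'C'] True ['trojan horse E']
```

With the four constructed lines the total is 80, below the threshold of 100; appending an ExitProcess behaviour lets strategy C complete, raising the total to 120 and yielding the type whose whole subset was hit.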
Optionally, on the basis of any one of the embodiment corresponding to Fig. 3 above and its first to fourth embodiments, in the fifth alternative embodiment of the method of file detection provided by the embodiment of the present invention, before each dynamic behaviour in the target behaviour log is matched against each rule corresponding to each strategy in the strategy set, the method may further include:
receiving a rule group configuration instruction;
generating the correspondence between a rule group and at least one rule according to the strategy configuration instruction, where the rule group belongs to a strategy and the strategy further includes a malice score;
receiving a classification configuration instruction;
generating the correspondence between a virus type and at least one rule group according to the classification configuration instruction.
In this embodiment, a way of setting the relationships between rules, rule groups and virus types is introduced. Before virus identification, the matching relationships between rules, rule groups and virus types also need to be composed according to human experience.
Specifically, the user can first configure the relationship between rule groups and rules. From human experience it is known that deleting file A requires accessing API 1, API 2 and API 3, so API 1, API 2 and API 3 can be placed as three rules in the same rule group, and the malice score of this rule group is then calculated to form a strategy. Further, the relationship between virus types and rule groups can also be configured according to human experience, because all the rules in at least one rule group often constitute a complete attack. Taking Trojan horse X as an example, the purpose of rule group 1 is to delete file A and the purpose of rule group 2 is to insert plug-in B; the two rule groups together constitute the attack of Trojan horse X. Therefore rule group 1 and rule group 2 can be classified under virus type X.
For ease of understanding, refer to Fig. 8, which is a schematic diagram of a matching relationship between rules, rule groups and virus types in the embodiment of the present invention. As shown, rule groups are used here as the example; in practical applications a rule group can also be a strategy, the difference being that a strategy includes a malice score in addition to the rule group. According to the rule group configuration instruction, rule 1 and rule 2 are configured into rule group 1, rule 1, rule 4 and rule 5 into rule group 2, and rule 3 into rule group 3. Rule group 1 and rule group 2 are configured into classification 1, i.e. they belong to virus type 1; rule group 2 and rule group 3 are configured into classification 2, i.e. they belong to virus type 2.
Again, in the embodiment of the present invention, before each dynamic behaviour in the target behaviour log is matched against each rule corresponding to each strategy in the strategy set, a strategy configuration instruction can also be received and the correspondence between a strategy and at least one rule generated according to it; at the same time, a classification configuration instruction can also be received and the correspondence between a virus type and at least one strategy generated according to it. In this way, the user can configure the relationships between rules, rule groups and virus types on their own, completing the configuration from human experience, which improves the practicability and feasibility of the scheme.
Optionally, on the basis of the embodiment corresponding to Fig. 3 above, in the sixth alternative embodiment of the method of file detection provided by the embodiment of the present invention, before each dynamic behaviour in the target behaviour log is matched against each rule corresponding to each strategy in the strategy set, the method may further include:
obtaining a safe sample set and a virus sample set, where the safe sample set includes at least one safe file sample and the virus sample set includes at least one virus file sample;
obtaining a strategy to be scored from the strategy set, where the strategy to be scored includes a target rule group;
calculating a first number of matches according to the target rule group and the safe sample set;
calculating a second number of matches according to the target rule group and the virus sample set;
calculating the malice score of the strategy to be scored according to the first number of matches and the second number of matches.
In this embodiment, how to obtain the malice score of a strategy is introduced, taking one strategy in the strategy set, the strategy to be scored, as the example. Specifically, the sandbox system of an automated training machine continuously processes existing samples of known attributes and saves their dynamic behaviours, forming a dynamic behaviour library. The automated training machine matches every strategy in the strategy set one by one against all sample behaviours in the dynamic behaviour library and calculates a score from the ratios of safe file samples and virus file samples hit. All safe file samples in the safe sample set are matched against the rules in the strategy to be scored, and the number of successful matches is the first number of matches; all virus file samples in the virus sample set are matched against the rules in the strategy to be scored, and the number of successful matches is the second number of matches. The malice score of the strategy to be scored can then be calculated from the first number of matches and the second number of matches.
Secondly, the embodiment of the present invention provides a way of determining the malice score of a strategy: a safe sample set and a virus sample set are obtained, a strategy to be scored is obtained from the strategy set, the first number of matches is calculated according to the target rule group and the safe sample set, the second number of matches is calculated according to the target rule group and the virus sample set, and finally the malice score of the strategy to be scored is calculated according to the first number of matches and the second number of matches. In this way, the automated training machine can also assign malice scores to the strategies in the strategy set and update them periodically, using matching detection of the strategies to be scored against samples of known attributes and taking the hit situation as the basis of the score, which improves the reliability and feasibility of score calculation.
Optionally, on the basis of the sixth embodiment corresponding to Fig. 3 above, in the seventh alternative embodiment of the method of file detection provided by the embodiment of the present invention, calculating the malice score of the strategy to be scored according to the first number of matches and the second number of matches may include:
calculating the malice score of the strategy to be scored in the following way:
Q = (a/X - b/Y) * 100;
where Q denotes the malice score of the strategy to be scored, a denotes the second number of matches, b denotes the first number of matches, X denotes the number of virus file samples in the virus sample set, and Y denotes the number of safe file samples in the safe sample set.
In this embodiment, how the malice score of the strategy to be scored is calculated is introduced. Assume the virus sample set includes 100 virus file samples and the safe sample set includes 200 safe file samples. The rule group of the strategy to be scored is extracted and matched separately against the safe sample set and the virus sample set. Assume that after the rule group of the strategy to be scored is matched against the virus sample set, 60 virus file samples are hit, i.e. the first number of matches is 60, and that after the rule group of the strategy to be scored is matched against the safe sample set, 20 safe file samples are hit, i.e. the second number of matches is 20. The malice score of the strategy to be scored is calculated using the following formula:
Q = (a/X - b/Y) * 100;
giving Q = (60/100 - 20/200) * 100 = 50,
i.e. the malice score of this strategy to be scored is 50. In practical applications, the ratio of the second number of matches to the safe sample set needs to be reduced as far as possible.
After the malice score is calculated, it is updated in the corresponding strategy set, which completes the self-learning process without human intervention.
Again, in the embodiment of the present invention, the malice score of a strategy can be calculated using the corresponding calculation formula. In this way, an effective and feasible method is provided for calculating the malice score, which improves the feasibility and operability of the scheme.
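The automated scoring of the sixth and seventh embodiments carried through in Python, as an added example that is not the patent's code: a rule group is matched against every sample in the safe and virus sample sets, the two hit counts are taken as b and a following the definitions of the seventh embodiment, and Q = (a/X - b/Y) * 100 is evaluated. The sample logs are constructed to reproduce the page's figures (100 virus samples with 60 hits, 200 safe samples with 20 hits), and the rule-group matcher is a simplified stand-in (ordered API subsequence) for the full Fig. 6 walk.

```python
"""Malice score of one strategy from labelled sample sets (added example).
Q = (a/X - b/Y) * 100 with a = virus samples hit, b = safe samples hit,
X = size of the virus sample set, Y = size of the safe sample set."""
from typing import Callable, Sequence, Tuple


def ordered_api_hit(rule_apis: Sequence[str], sample_apis: Sequence[str]) -> bool:
    """Simplified stand-in for the Fig. 6 walk (assumption for this example):
    the sample hits the rule group when the group's APIs occur in the sample's
    API sequence in order."""
    k = 0
    for api in sample_apis:
        if k < len(rule_apis) and api == rule_apis[k]:
            k += 1
    return k == len(rule_apis)


def score_strategy(rule_apis, safe_logs, virus_logs,
                   hit: Callable[..., bool] = ordered_api_hit) -> Tuple[float, int, int]:
    """Return (Q, first number of matches, second number of matches).
    first  = b = safe file samples hit, out of Y = len(safe_logs)
    second = a = virus file samples hit, out of X = len(virus_logs)
    b/Y is the share of safe samples a strategy hits; the page asks for it to be
    kept as low as possible, and a strategy hitting mostly safe samples scores
    negative."""
    if not safe_logs or not virus_logs:
        raise ValueError("both sample sets must contain at least one sample")
    b = sum(1 for log in safe_logs if hit(rule_apis, log))
    a = sum(1 for log in virus_logs if hit(rule_apis, log))
    x, y = len(virus_logs), len(safe_logs)
    # Same value as (a/X - b/Y) * 100, written over the common denominator so
    # that the page's worked example yields exactly 50.0 in floating point.
    q = 100 * (a * y - b * x) / (x * y)
    return q, b, a


# Constructed sample sets reproducing the page's numbers: X = 100 virus samples
# of which 60 hit the rule group, Y = 200 safe samples of which 20 hit it.
RULE_GROUP = ["CreateProcess", "SuspendProcess", "TerminateProcess"]
HIT_LOG = ["OpenProcess", "CreateProcess", "SuspendProcess", "TerminateProcess"]
MISS_LOG = ["CreateProcess", "TerminateProcess", "SuspendProcess"]   # wrong order
VIRUS_SAMPLES = [HIT_LOG] * 60 + [MISS_LOG] * 40
SAFE_SAMPLES = [HIT_LOG] * 20 + [MISS_LOG] * 180

if __name__ == "__main__":
    q, first, second = score_strategy(RULE_GROUP, SAFE_SAMPLES, VIRUS_SAMPLES)
    print(q, first, second)      # 50.0 20 60
```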
To facilitate understanding of the complete technical solution, refer to Fig. 9, which is a schematic diagram of another embodiment of the method of file detection in the embodiment of the present invention. As shown, step S2 to step S5 can also be performed before step S11, where step S2 to step S5 is mainly the configuration process: the relationship between rules and rule groups can be configured, as can the relationship between virus types and rule groups. Step S6 to step S10 is mainly the process of setting malice scores. Step S14 to step S15 is mainly the process of determining the virus type.
It should be noted that the specific process of step S1 to step S15 can be found in the above embodiments and is not repeated here.
The file detection apparatus in the present invention is described in detail below. Refer to Fig. 10, which is a schematic diagram of one embodiment of the file detection apparatus in the embodiment of the present invention; the file detection apparatus 40 includes:
an obtaining module 401, configured to obtain the target behaviour log of the file to be detected, where the target behaviour log includes N dynamic behaviours, a dynamic behaviour is used to indicate information associated with an operation, and N is an integer greater than or equal to 1;
a matching module 402, configured to match each dynamic behaviour in the target behaviour log obtained by the obtaining module 401 against each rule corresponding to each strategy in the strategy set to obtain a matching result, where the strategy set includes M preconfigured strategies, each strategy corresponds to at least one rule and each strategy corresponds to one malice score, and M is an integer greater than or equal to 1;
a generating module 403, configured to generate the target malice score corresponding to the target behaviour log according to the matching result obtained by the matching module 402;
a determining module 404, configured to determine that the file to be detected is a virus file if the target malice score generated by the generating module 403 reaches the malice score threshold.
In this embodiment, the obtaining module 401 obtains the target behaviour log of the file to be detected, where the target behaviour log includes N dynamic behaviours, a dynamic behaviour is used to indicate information associated with an operation, and N is an integer greater than or equal to 1; the matching module 402 matches each dynamic behaviour in the target behaviour log obtained by the obtaining module 401 against each rule corresponding to each strategy in the strategy set to obtain a matching result, where the strategy set includes M preconfigured strategies, each strategy corresponds to at least one rule and each strategy corresponds to one malice score, and M is an integer greater than or equal to 1; the generating module 403 generates the target malice score corresponding to the target behaviour log according to the matching result obtained by the matching module 402; and if the target malice score generated by the generating module 403 reaches the malice score threshold, the determining module 404 determines that the file to be detected is a virus file.
In the embodiment of the present invention, a file detection apparatus is provided. The file detection apparatus first obtains the target behaviour log of the file to be detected, where the target behaviour log includes N dynamic behaviours and a dynamic behaviour is used to indicate information related to an executed operation; then each dynamic behaviour in the target behaviour log can be matched against each rule corresponding to each strategy in the strategy set to obtain a matching result, and the target malice score corresponding to the target behaviour log is generated according to the matching result; if the target malice score reaches the malice score threshold, the file to be detected is determined to be a virus file. In this way, during file security detection the static features of the file are no longer examined; instead the dynamic behaviour of the file is examined, so detection is not affected by deformation of virus signatures and has a stronger detection and removal capability against unknown viruses, thereby reducing the virus false alarm rate.
Optionally, on the basis of the embodiment corresponding to Figure 10 above, in another embodiment of the file detection device 40 provided in an embodiment of the present invention, the dynamic behaviour includes at least an operator and an application programming interface (API);
where the operator indicates the object that initiates the operation, and the API indicates the interface function called to execute the operation;
the dynamic behaviour may further include at least one of a process, an operation object and an additional parameter;
where the process indicates the entity that runs the operation, the operation object indicates the object that receives the operation, and the additional parameter indicates a parameter related to the operation;
the matching module 402 is specifically configured to obtain the operator, the API, the process, the operation object and the additional parameter of every dynamic behaviour in the target behaviour log;
obtain the preset operator, preset API, preset process, preset operation object and preset additional parameter of every rule in each strategy;
match the operator of every dynamic behaviour against the preset operator of every rule, the API of every dynamic behaviour against the preset API of every rule, the process of every dynamic behaviour against the preset process of every rule, the operation object of every dynamic behaviour against the preset operation object of every rule, and the additional parameter of every dynamic behaviour against the preset additional parameter of every rule, to obtain the matching result.
Secondly, the embodiment of the present invention describes the elements that a dynamic behaviour specifically includes: the operator and the API are mandatory elements that every dynamic behaviour must carry, while the process, the operation object and the additional parameter are optional elements, of which a dynamic behaviour may carry one or more, or none. In this way, the content related to an operation can be recognised from each dynamic behaviour or each rule; the more complete the elements, the more specific the expressed dynamic behaviour or rule, which improves the feasibility and operability of the scheme.
Optionally, on the basis of the embodiment corresponding to Figure 10 above, in another embodiment of the file detection device 40 provided in an embodiment of the present invention,
the matching module 402 is specifically configured to obtain the i-th dynamic behaviour in the target behaviour log, where i is an integer greater than or equal to 1 and less than or equal to N;
obtain the k-th rule corresponding to the j-th strategy in the strategy set, where j is an integer greater than or equal to 1 and less than or equal to M, and k is an integer greater than or equal to 1;
match the i-th dynamic behaviour against the k-th rule corresponding to the j-th strategy;
if the i-th dynamic behaviour matches the k-th rule corresponding to the j-th strategy, match the (i+1)-th dynamic behaviour against the (k+1)-th rule corresponding to the j-th strategy;
if the i-th dynamic behaviour fails to match the k-th rule corresponding to the j-th strategy, match the (i+1)-th dynamic behaviour against the k-th rule corresponding to the j-th strategy.
Secondly, the embodiment of the present invention describes the specific way in which every dynamic behaviour in the target behaviour log is matched against every rule corresponding to each strategy in the strategy set: obtain the i-th dynamic behaviour in the target behaviour log and the k-th rule corresponding to the j-th strategy in the strategy set, and match the i-th dynamic behaviour against the k-th rule corresponding to the j-th strategy; if the match succeeds, the next dynamic behaviour is matched against the next rule, whereas if the match fails, the next dynamic behaviour is matched against the same k-th rule corresponding to the j-th strategy. In this way, the matching between every dynamic behaviour in the target behaviour log and every rule in each strategy can be completed; matching one by one guarantees that the matching is comprehensive, which improves the success rate and reliability of matching.
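The element-by-element comparison and the sequential rule matching described above, as an added example that is not code from the patent. The field names, the treatment of an unset preset element as unconstrained, and the strategy set and behaviour logs are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not the patent's code. Names, field layout and sample data are assumptions.


@dataclass(frozen=True)
class Behaviour:
    """One dynamic behaviour: operator and api are mandatory, the other elements optional."""
    operator: str                    # object that initiated the operation
    api: str                         # interface function called to execute the operation
    process: Optional[str] = None    # entity that runs the operation
    target: Optional[str] = None     # operation object that receives the operation
    params: Optional[str] = None     # additional parameter related to the operation


@dataclass(frozen=True)
class Rule:
    """Preset elements of one rule; None means the element is not constrained (assumption)."""
    operator: Optional[str] = None
    api: Optional[str] = None
    process: Optional[str] = None
    target: Optional[str] = None
    params: Optional[str] = None


@dataclass
class Strategy:
    name: str
    rules: List[Rule]      # ordered rule group of this strategy
    malice_score: int


def element_matches(preset: Optional[str], actual: Optional[str]) -> bool:
    """A preset element matches when it is unconstrained or equals the actual element."""
    return preset is None or preset == actual


def behaviour_matches_rule(b: Behaviour, r: Rule) -> bool:
    """Match all five elements of a behaviour against the preset elements of a rule."""
    return (element_matches(r.operator, b.operator)
            and element_matches(r.api, b.api)
            and element_matches(r.process, b.process)
            and element_matches(r.target, b.target)
            and element_matches(r.params, b.params))


def strategy_hits(log: List[Behaviour], strategy: Strategy) -> bool:
    """Sequential matching: on a hit the next behaviour is compared with the next rule,
    on a miss the next behaviour is compared with the same rule. The strategy is hit
    once its last rule has been matched, so rule order matters."""
    k = 0
    for behaviour in log:                      # i-th dynamic behaviour, i = 1..N
        if k == len(strategy.rules):           # every rule of this strategy already matched
            break
        if behaviour_matches_rule(behaviour, strategy.rules[k]):
            k += 1                             # advance to the (k+1)-th rule
    return k == len(strategy.rules)


def match_log(log: List[Behaviour], strategies: List[Strategy]) -> Dict[str, bool]:
    """Matching result: which strategies of the strategy set the whole log matched."""
    return {s.name: strategy_hits(log, s) for s in strategies}


# Constructed strategy set (M = 3) and behaviour logs (N = 4 and N = 2).
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
DROP_PATH = r"C:\Users\alice\AppData\Roaming\svc.exe"

STRATEGIES = [
    Strategy("self_copy", [Rule(api="CreateFileW", target=DROP_PATH),
                           Rule(api="WriteFile", target=DROP_PATH)], 30),
    Strategy("persistence", [Rule(api="RegSetValueExW", target=RUN_KEY)], 40),
    Strategy("net_beacon", [Rule(api="connect")], 20),
]

SAMPLE_LOG = [
    Behaviour("sample.exe", "CreateFileW", process="sample.exe", target=DROP_PATH),
    Behaviour("sample.exe", "WriteFile", process="sample.exe", target=DROP_PATH, params="4096"),
    Behaviour("sample.exe", "RegSetValueExW", process="sample.exe", target=RUN_KEY, params="svc"),
    Behaviour("sample.exe", "connect", process="sample.exe", target="203.0.113.10:443"),
]

BENIGN_LOG = [
    Behaviour("notepad.exe", "CreateFileW", process="notepad.exe", target=r"C:\Users\alice\notes.txt"),
    Behaviour("notepad.exe", "WriteFile", process="notepad.exe", target=r"C:\Users\alice\notes.txt"),
]

if __name__ == "__main__":
    print(match_log(SAMPLE_LOG, STRATEGIES))   # all three strategies hit
    print(match_log(BENIGN_LOG, STRATEGIES))   # nothing hits
```

Reversing the sample log makes the two-rule strategy miss even though both of its rules appear, which is the consequence of the hit-advances/miss-stays walk.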
Optionally, on the basis of the embodiment corresponding to Figure 10 above, in another embodiment of the file detection device 40 provided in an embodiment of the present invention,
the generation module 403 is specifically configured to obtain the first malice score corresponding to the j-th strategy if the target behaviour log matches the j-th strategy;
obtain the second malice score corresponding to the (j+1)-th strategy if the target behaviour log matches the (j+1)-th strategy;
and add the first malice score to the second malice score to obtain the target malice score.
Thirdly, the embodiment of the present invention describes the way in which the target malice score corresponding to the target behaviour log is generated according to the matching result: if the target behaviour log matches the j-th strategy, the first malice score corresponding to the j-th strategy is obtained; if the target behaviour log matches the (j+1)-th strategy, the second malice score corresponding to the (j+1)-th strategy is obtained; finally the first malice score and the second malice score are added to obtain the target malice score. In this way, the target malice score is calculated by accumulation rather than by directly taking the malice score of a single strategy as the final target malice score, which improves the reasonableness of the scheme and allows the safety of the file to be detected to be assessed more accurately.
Optionally, on the basis of the embodiment corresponding to Figure 10 above, in another embodiment of the file detection device 40 provided in an embodiment of the present invention,
the acquisition module 401 is further configured to, after the determining module 404 determines that the file to be detected is a virus file, obtain the target strategy subset corresponding to the target behaviour log, where the target strategy subset includes the strategies that match the N dynamic behaviours;
and determine the target virus type corresponding to the target strategy subset according to the virus classification rule, where the virus classification rule is the correspondence between strategy subsets and virus types.
Secondly, in the embodiment of the present invention, after the file to be detected is determined to be a virus file, the virus classification can be further determined: the target strategy subset, which includes the strategies that were hit, is obtained, and the target virus type corresponding to the target strategy subset can be determined according to the virus classification rule. In this way, the type of the virus can be determined further, so that a series of unauthorised operations can be forbidden according to the virus type, replication of the virus in the system is effectively prevented, and the security of the system is improved.
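The score accumulation and threshold decision described two passages above, followed by the strategy-subset classification of this passage, as an added example that is not code from the patent. The per-strategy scores, the threshold, the classification table and the rule that a virus type applies when every strategy in its subset was hit are constructed assumptions.

```python
from typing import Dict, FrozenSet, Optional, Tuple

# Added example, not the patent's code. Scores, threshold and classification table are assumptions.

# Malice score of each strategy in the strategy set (assumed values).
STRATEGY_SCORES: Dict[str, int] = {
    "self_copy": 30, "persistence": 40, "net_beacon": 20, "keylog": 50,
}
MALICE_SCORE_THRESHOLD = 60   # assumed threshold

# Virus classification rule: correspondence between a strategy subset and a virus type.
# Assumption: a type applies when every strategy of its subset was hit.
VIRUS_CLASSIFICATION: Dict[str, FrozenSet[str]] = {
    "Trojan.Dropper": frozenset({"self_copy", "persistence"}),
    "Trojan.Spy": frozenset({"keylog", "net_beacon"}),
    "Trojan.Generic": frozenset({"persistence"}),
}


def target_malice_score(matching_result: Dict[str, bool], scores: Dict[str, int]) -> int:
    """Accumulate the malice score of every strategy the log matched: the first score
    of the j-th strategy plus the second score of the (j+1)-th, and so on."""
    return sum(scores[name] for name, hit in matching_result.items() if hit)


def is_virus_file(matching_result: Dict[str, bool], scores: Dict[str, int], threshold: int) -> bool:
    """The file is a virus file when the accumulated score reaches the threshold."""
    return target_malice_score(matching_result, scores) >= threshold


def target_strategy_subset(matching_result: Dict[str, bool]) -> FrozenSet[str]:
    """The strategies that matched the N dynamic behaviours."""
    return frozenset(name for name, hit in matching_result.items() if hit)


def classify(subset: FrozenSet[str], classification: Dict[str, FrozenSet[str]]) -> Optional[str]:
    """Look the hit subset up in the classification rule. When several types apply,
    prefer the one requiring the most strategies (most specific), then name order."""
    applicable = [t for t, required in classification.items() if required <= subset]
    if not applicable:
        return None                      # virus file of a type not in the table
    return sorted(applicable, key=lambda t: (-len(classification[t]), t))[0]


def detect(matching_result: Dict[str, bool], scores: Dict[str, int], threshold: int,
           classification: Dict[str, FrozenSet[str]]) -> Tuple[int, bool, Optional[str]]:
    """Full decision: (target malice score, virus verdict, target virus type or None)."""
    score = target_malice_score(matching_result, scores)
    if score < threshold:
        return score, False, None        # classification only runs for virus files
    return score, True, classify(target_strategy_subset(matching_result), classification)


# Constructed matching results, as the matching step would hand them over.
DROPPER_RESULT = {"self_copy": True, "persistence": True, "net_beacon": True, "keylog": False}
BEACON_ONLY_RESULT = {"self_copy": False, "persistence": False, "net_beacon": True, "keylog": False}
UNLISTED_COMBO = {"self_copy": True, "persistence": False, "net_beacon": False, "keylog": True}

if __name__ == "__main__":
    for name, result in [("dropper", DROPPER_RESULT), ("beacon only", BEACON_ONLY_RESULT),
                         ("unlisted", UNLISTED_COMBO)]:
        print(name, detect(result, STRATEGY_SCORES, MALICE_SCORE_THRESHOLD, VIRUS_CLASSIFICATION))
```

The third result is the edge case worth noting: the accumulated score clears the threshold, so the file is a virus file, but no classification rule covers the hit subset, so the type is left undetermined rather than guessed.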
Optionally, on the basis of the embodiment corresponding to Figure 10 above, referring to Figure 11, in another embodiment of the file detection device 40 provided in an embodiment of the present invention, the file detection device 40 further includes a receiving module 405;
the receiving module 405 is further configured to receive a rule group configuration instruction before the matching module 402 matches every dynamic behaviour in the target behaviour log against every rule corresponding to each strategy in the strategy set;
the generation module 403 is further configured to generate the correspondence between a rule group and at least one rule according to the strategy configuration instruction received by the receiving module 405, where the rule group belongs to the strategy, and the strategy further includes the malice score;
the receiving module 405 is further configured to receive a classification configuration instruction;
the generation module 403 is further configured to generate the correspondence between a virus type and at least one rule group according to the classification configuration instruction received by the receiving module 405.
Thirdly, in the embodiment of the present invention, before every dynamic behaviour in the target behaviour log is matched against every rule corresponding to each strategy in the strategy set, a strategy configuration instruction may also be received, and the correspondence between a strategy and at least one rule is generated according to the strategy configuration instruction; at the same time, a classification configuration instruction may also be received, and the correspondence between a virus type and at least one strategy is generated according to the classification configuration instruction. In this way, the user can configure the relationships between rules, rule groups and virus types on their own, and the configuration can be completed from human expertise, which improves the practicability and feasibility of the scheme.
Optionally, on the basis of the embodiment corresponding to Figure 10 above, referring to Figure 12, in another embodiment of the file detection device 40 provided in an embodiment of the present invention, the file detection device 40 further includes a computing module 406;
the acquisition module 401 is further configured to obtain a safe sample set and a virus sample set before the matching module matches every dynamic behaviour in the target behaviour log against every rule corresponding to each strategy in the strategy set, where the safe sample set includes at least one safe file sample and the virus sample set includes at least one virus file sample;
the acquisition module 401 is further configured to obtain a strategy to be scored from the strategy set, where the strategy to be scored includes a target rule group;
the computing module 406 is configured to calculate a first number of matches according to the target rule group and the safe sample set obtained by the acquisition module 401;
the computing module 406 is further configured to calculate a second number of matches according to the target rule group and the virus sample set;
the computing module 406 is further configured to calculate the malice score of the strategy to be scored according to the first number of matches and the second number of matches.
Secondly, the embodiment of the present invention provides a way of calculating the malice score of a strategy: a safe sample set and a virus sample set are obtained, a strategy to be scored is obtained from the strategy set, a first number of matches is calculated according to the target rule group and the safe sample set, a second number of matches is calculated according to the target rule group and the virus sample set, and finally the malice score of the strategy to be scored is calculated according to the first number of matches and the second number of matches. In this way, an automated training machine can assign malice scores to the strategies in the strategy set and update the malice scores periodically; matching detection is performed with samples of known attributes against the strategy to be scored, and the hit situation serves as the basis for the score, which improves the reliability and feasibility of the score calculation.
Optionally, on the basis of the embodiment corresponding to Figure 12 above, in another embodiment of the file detection device 40 provided in an embodiment of the present invention,
the computing module 406 is specifically configured to calculate the malice score of the strategy to be scored in the following way:
Q = (a/X - b/Y) * 100;
where Q indicates the malice score of the strategy to be scored, a indicates the second number of matches, b indicates the first number of matches, X indicates the number of virus file samples in the virus sample set, and Y indicates the number of safe file samples in the safe sample set.
Thirdly, in the embodiment of the present invention, the malice score of a strategy can be calculated with the corresponding calculation formula. In this way, an effective and feasible method is provided for calculating the malice score, which improves the feasibility and operability of the scheme.
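The formula Q = (a/X - b/Y) * 100 carried through on constructed sample sets, as an added example that is not code from the patent. The sample logs and rule groups are assumptions, and to keep the scoring step in focus the matcher here compares API names only (the same hit-advances/miss-stays walk, without the other four elements).

```python
from typing import List, Sequence

# Added example, not the patent's code. Sample sets and rule groups are constructed.

# Each sample is reduced to the API sequence recorded in its behaviour log (assumption).
VIRUS_SAMPLES: List[List[str]] = [                         # X = 4 virus file samples
    ["CreateFileW", "WriteFile", "RegSetValueExW", "connect"],
    ["CreateFileW", "WriteFile", "RegSetValueExW"],
    ["RegSetValueExW", "connect"],
    ["CreateFileW", "WriteFile", "connect"],
]
SAFE_SAMPLES: List[List[str]] = [                          # Y = 5 safe file samples
    ["CreateFileW", "WriteFile", "CloseHandle"],
    ["RegOpenKeyExW", "RegQueryValueExW"],
    ["connect", "send", "recv"],
    ["CreateFileW", "ReadFile", "CloseHandle"],
    ["CreateFileW", "WriteFile", "RegSetValueExW"],        # installer-like benign sample
]

# Target rule groups of three strategies to be scored (API names only).
PERSISTENCE_GROUP = ["RegSetValueExW"]
SELF_COPY_GROUP = ["CreateFileW", "WriteFile"]
FILE_READ_GROUP = ["CreateFileW", "ReadFile"]


def rule_group_hits(rule_group: Sequence[str], api_log: Sequence[str]) -> bool:
    """Sequential matching on API names: a hit advances to the next rule, a miss keeps
    the current rule; the group is hit once its last rule has been matched."""
    k = 0
    for api in api_log:
        if k < len(rule_group) and api == rule_group[k]:
            k += 1
    return k == len(rule_group)


def count_matches(rule_group: Sequence[str], samples: Sequence[Sequence[str]]) -> int:
    """Number of samples in the set whose log matches the target rule group."""
    return sum(1 for log in samples if rule_group_hits(rule_group, log))


def strategy_malice_score(rule_group: Sequence[str], safe_samples: Sequence[Sequence[str]],
                          virus_samples: Sequence[Sequence[str]]) -> float:
    """Q = (a/X - b/Y) * 100: a = second number of matches (virus set), X = virus sample
    count, b = first number of matches (safe set), Y = safe sample count."""
    if not safe_samples or not virus_samples:
        # Each set must hold at least one sample, otherwise X or Y would be zero.
        raise ValueError("both sample sets must contain at least one sample")
    a = count_matches(rule_group, virus_samples)
    b = count_matches(rule_group, safe_samples)
    X = len(virus_samples)
    Y = len(safe_samples)
    return (a / X - b / Y) * 100


if __name__ == "__main__":
    for name, group in [("persistence", PERSISTENCE_GROUP), ("self_copy", SELF_COPY_GROUP),
                        ("file_read", FILE_READ_GROUP)]:
        print(name, round(strategy_malice_score(group, SAFE_SAMPLES, VIRUS_SAMPLES), 2))
```

Q ranges from -100 to 100: a rule group seen in every virus sample and no safe sample scores 100, one equally common in both sets scores 0, and one more common among safe samples (the file-read group here) scores negative, so such a strategy contributes nothing useful to a threshold on accumulated malice.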
An embodiment of the present invention further provides another file detection device, as shown in Figure 13. For ease of description, only the parts related to the embodiment of the present invention are shown; for specific technical details that are not disclosed, please refer to the method part of the embodiments of the present invention. The file detection device may be any terminal device, including a mobile phone, a tablet computer, a personal digital assistant (PDA), a point-of-sale terminal (POS) or a vehicle-mounted computer; the terminal device is taken to be a mobile phone as an example:
Figure 13 shows a block diagram of part of the structure of a mobile phone related to the terminal device provided in an embodiment of the present invention. Referring to Figure 13, the mobile phone includes components such as a radio frequency (RF) circuit 510, a memory 520, an input unit 530, a display unit 540, a sensor 550, an audio circuit 560, a wireless fidelity (WiFi) module 570, a processor 580 and a power supply 590. Those skilled in the art will understand that the handset structure shown in Figure 13 does not constitute a limitation on the mobile phone, which may include more or fewer components than illustrated, combine certain components, or use a different component layout.
Each component of the mobile phone is described in detail below with reference to Figure 13:
The RF circuit 510 may be used to receive and send signals in the course of sending and receiving messages or during a call; in particular, after receiving downlink information from a base station it passes the information to the processor 580 for processing, and it also sends uplink data to the base station. In general, the RF circuit 510 includes but is not limited to an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier (LNA), a duplexer, and so on. In addition, the RF circuit 510 may also communicate with a network and other devices by wireless communication. The wireless communication may use any communication standard or protocol, including but not limited to Global System for Mobile Communications (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), e-mail, Short Messaging Service (SMS), and so on.
The memory 520 may be used to store software programs and modules, and the processor 580 executes the various functional applications and data processing of the mobile phone by running the software programs and modules stored in the memory 520. The memory 520 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, an application program required by at least one function (such as a sound playing function or an image playing function), and so on, and the data storage area may store data created according to the use of the mobile phone (such as audio data or a phone book), and so on. In addition, the memory 520 may include high-speed random access memory and may also include non-volatile memory, for example at least one disk storage device, flash memory device or other volatile solid-state storage device.
The input unit 530 may be used to receive input numeric or character information and to generate key signal inputs related to the user settings and function control of the mobile phone. Specifically, the input unit 530 may include a touch panel 531 and other input devices 532. The touch panel 531, also called a touch screen, collects touch operations of the user on or near it (for example operations performed by the user with a finger, a stylus or any other suitable object or accessory on or near the touch panel 531) and drives the corresponding connected device according to a preset program. Optionally, the touch panel 531 may include two parts, a touch detection device and a touch controller. The touch detection device detects the touch position of the user, detects the signal produced by the touch operation and transmits the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into touch point coordinates and sends them to the processor 580, and can receive and execute commands sent by the processor 580. Furthermore, the touch panel 531 may be implemented in multiple types such as resistive, capacitive, infrared and surface acoustic wave. In addition to the touch panel 531, the input unit 530 may also include other input devices 532. Specifically, the other input devices 532 may include but are not limited to one or more of a physical keyboard, function keys (such as volume control keys or a power key), a trackball, a mouse, a joystick, and so on.
The display unit 540 may be used to display information input by the user or provided to the user and the various menus of the mobile phone. The display unit 540 may include a display panel 541; optionally, the display panel 541 may be configured in the form of a liquid crystal display (LCD), an organic light-emitting diode (OLED) display, and so on. Further, the touch panel 531 may cover the display panel 541; after the touch panel 531 detects a touch operation on or near it, it passes the operation to the processor 580 to determine the type of the touch event, and the processor 580 then provides a corresponding visual output on the display panel 541 according to the type of the touch event. Although in Figure 13 the touch panel 531 and the display panel 541 are two independent components that implement the input and output functions of the mobile phone, in some embodiments the touch panel 531 and the display panel 541 may be integrated to implement the input and output functions of the mobile phone.
The mobile phone may also include at least one sensor 550, such as a light sensor, a motion sensor and other sensors. Specifically, the light sensor may include an ambient light sensor and a proximity sensor, where the ambient light sensor may adjust the brightness of the display panel 541 according to the ambient light, and the proximity sensor may switch off the display panel 541 and/or the backlight when the mobile phone is moved to the ear. As one kind of motion sensor, an accelerometer sensor can detect the magnitude of acceleration in all directions (generally three axes), can detect the magnitude and direction of gravity when at rest, and can be used for applications that recognise the posture of the mobile phone (such as switching between landscape and portrait, related games, magnetometer posture calibration), vibration recognition functions (such as a pedometer or tapping), and so on; the mobile phone may also be configured with other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer and an infrared sensor, which are not described here.
The audio circuit 560, a loudspeaker 561 and a microphone 562 can provide an audio interface between the user and the mobile phone. The audio circuit 560 can transmit the electrical signal converted from received audio data to the loudspeaker 561, which converts it into a sound signal for output; on the other hand, the microphone 562 converts a collected sound signal into an electrical signal, which the audio circuit 560 receives and converts into audio data; the audio data is then output to the processor 580 for processing and, for example, sent to another mobile phone through the RF circuit 510, or output to the memory 520 for further processing.
WiFi is a short-range wireless transmission technology; through the WiFi module 570 the mobile phone can help the user send and receive e-mail, browse web pages, access streaming media and so on, providing the user with wireless broadband internet access. Although Figure 13 shows the WiFi module 570, it is understood that it is not a necessary component of the mobile phone and may be omitted as needed without changing the essence of the invention.
The processor 580 is the control centre of the mobile phone; it connects all parts of the whole mobile phone through various interfaces and lines, and executes the various functions of the mobile phone and processes data by running or executing the software programs and/or modules stored in the memory 520 and calling the data stored in the memory 520, so as to monitor the mobile phone as a whole. Optionally, the processor 580 may include one or more processing units; optionally, the processor 580 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, the user interface, application programs and so on, and the modem processor mainly handles wireless communication. It is understood that the modem processor may also not be integrated into the processor 580.
The mobile phone further includes a power supply 590 (such as a battery) that supplies power to all the components; optionally, the power supply may be logically connected to the processor 580 through a power management system, so that functions such as charging, discharging and power consumption management are implemented through the power management system.
Although not shown, the mobile phone may also include a camera, a Bluetooth module and so on, which are not described here.
In the embodiment of the present invention, the processor 580 included in the terminal device further has the following functions:
obtaining the target behaviour log of the file to be detected, where the target behaviour log includes N dynamic behaviours, a dynamic behaviour is used to indicate information associated with an operation, and N is an integer greater than or equal to 1;
matching every dynamic behaviour in the target behaviour log against every rule corresponding to each strategy in the strategy set to obtain a matching result, where the strategy set includes M preconfigured strategies, each strategy corresponds to at least one rule, each strategy corresponds to a malice score, and M is an integer greater than or equal to 1;
generating the target malice score corresponding to the target behaviour log according to the matching result;
if the target malice score reaches the malice score threshold, determining that the file to be detected is a virus file.
Optionally, the processor 580 is specifically configured to execute the following steps:
obtaining the operator, the API, the process, the operation object and the additional parameter of every dynamic behaviour in the target behaviour log;
obtaining the preset operator, preset API, preset process, preset operation object and preset additional parameter of every rule in each strategy;
matching the operator of every dynamic behaviour against the preset operator of every rule, the API of every dynamic behaviour against the preset API of every rule, the process of every dynamic behaviour against the preset process of every rule, the operation object of every dynamic behaviour against the preset operation object of every rule, and the additional parameter of every dynamic behaviour against the preset additional parameter of every rule, to obtain the matching result.
Optionally, the processor 580 is specifically configured to execute the following steps:
obtaining the i-th dynamic behaviour in the target behaviour log, where i is an integer greater than or equal to 1 and less than or equal to N;
obtaining the k-th rule corresponding to the j-th strategy in the strategy set, where j is an integer greater than or equal to 1 and less than or equal to M, and k is an integer greater than or equal to 1;
matching the i-th dynamic behaviour against the k-th rule corresponding to the j-th strategy;
if the i-th dynamic behaviour matches the k-th rule corresponding to the j-th strategy, matching the (i+1)-th dynamic behaviour against the (k+1)-th rule corresponding to the j-th strategy;
if the i-th dynamic behaviour fails to match the k-th rule corresponding to the j-th strategy, matching the (i+1)-th dynamic behaviour against the k-th rule corresponding to the j-th strategy.
Optionally, the processor 580 is specifically configured to execute the following steps:
if the target behaviour log matches the j-th strategy, obtaining the first malice score corresponding to the j-th strategy;
if the target behaviour log matches the (j+1)-th strategy, obtaining the second malice score corresponding to the (j+1)-th strategy;
adding the first malice score to the second malice score to obtain the target malice score.
Optionally, the processor 580 is further configured to execute the following steps:
obtaining the target strategy subset corresponding to the target behaviour log, where the target strategy subset includes the strategies that match the N dynamic behaviours;
determining the target virus type corresponding to the target strategy subset according to the virus classification rule, where the virus classification rule is the correspondence between strategy subsets and virus types.
Optionally, the processor 580 is further configured to execute the following steps:
receiving a rule group configuration instruction;
generating the correspondence between a rule group and at least one rule according to the strategy configuration instruction, where the rule group belongs to the strategy, and the strategy further includes the malice score;
receiving a classification configuration instruction;
generating the correspondence between a virus type and at least one rule group according to the classification configuration instruction.
Optionally, the processor 580 is further configured to execute the following steps:
obtaining a safe sample set and a virus sample set, where the safe sample set includes at least one safe file sample and the virus sample set includes at least one virus file sample;
obtaining a strategy to be scored from the strategy set, where the strategy to be scored includes a target rule group;
calculating a first number of matches according to the target rule group and the safe sample set;
calculating a second number of matches according to the target rule group and the virus sample set;
calculating the malice score of the strategy to be scored according to the first number of matches and the second number of matches.
Optionally, the processor 580 is specifically configured to execute the following steps:
calculating the malice score of the strategy to be scored in the following way:
Q = (a/X - b/Y) * 100;
where Q indicates the malice score of the strategy to be scored, a indicates the second number of matches, b indicates the first number of matches, X indicates the number of virus file samples in the virus sample set, and Y indicates the number of safe file samples in the safe sample set.
Figure 14 is a schematic diagram of a server structure provided in an embodiment of the present invention. The server 600 may vary considerably depending on configuration or performance, and may include one or more central processing units (CPUs) 622 (for example one or more processors), a memory 632, and one or more storage media 630 (for example one or more mass storage devices) storing application programs 642 or data 644. The memory 632 and the storage medium 630 may be transient storage or persistent storage. The program stored in the storage medium 630 may include one or more modules (not marked in the figure), and each module may include a series of instruction operations on the server. Further, the central processing unit 622 may be configured to communicate with the storage medium 630 and to execute the series of instruction operations in the storage medium 630 on the server 600.
The server 600 may also include one or more power supplies 626, one or more wired or wireless network interfaces 650, one or more input/output interfaces 658, and/or one or more operating systems 641, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ and so on.
The steps performed by the server in the above embodiment may be based on the server structure shown in Figure 14.
In the embodiment of the present invention, the CPU 622 included in the server further has the following functions:
obtaining the target behaviour log of the file to be detected, where the target behaviour log includes N dynamic behaviours, a dynamic behaviour is used to indicate information associated with an operation, and N is an integer greater than or equal to 1;
matching every dynamic behaviour in the target behaviour log against every rule corresponding to each strategy in the strategy set to obtain a matching result, where the strategy set includes M preconfigured strategies, each strategy corresponds to at least one rule, each strategy corresponds to a malice score, and M is an integer greater than or equal to 1;
generating the target malice score corresponding to the target behaviour log according to the matching result;
if the target malice score reaches the malice score threshold, determining that the file to be detected is a virus file.
Optionally, the CPU 622 is specifically configured to execute the following steps:
obtaining the operator, the API, the process, the operation object and the additional parameter of every dynamic behaviour in the target behaviour log;
obtaining the preset operator, preset API, preset process, preset operation object and preset additional parameter of every rule in each strategy;
matching the operator of every dynamic behaviour against the preset operator of every rule, the API of every dynamic behaviour against the preset API of every rule, the process of every dynamic behaviour against the preset process of every rule, the operation object of every dynamic behaviour against the preset operation object of every rule, and the additional parameter of every dynamic behaviour against the preset additional parameter of every rule, to obtain the matching result.
Optionally, the CPU 622 is specifically configured to execute the following steps:
obtaining the i-th dynamic behaviour in the target behaviour log, where i is an integer greater than or equal to 1 and less than or equal to N;
obtaining the k-th rule corresponding to the j-th strategy in the strategy set, where j is an integer greater than or equal to 1 and less than or equal to M, and k is an integer greater than or equal to 1;
matching the i-th dynamic behaviour against the k-th rule corresponding to the j-th strategy;
if the i-th dynamic behaviour matches the k-th rule corresponding to the j-th strategy, matching the (i+1)-th dynamic behaviour against the (k+1)-th rule corresponding to the j-th strategy;
if the i-th dynamic behaviour fails to match the k-th rule corresponding to the j-th strategy, matching the (i+1)-th dynamic behaviour against the k-th rule corresponding to the j-th strategy.
Optionally, the CPU 622 is specifically configured to execute the following steps:
if the target behaviour log matches the j-th strategy, obtaining the first malice score corresponding to the j-th strategy;
if the target behaviour log matches the (j+1)-th strategy, obtaining the second malice score corresponding to the (j+1)-th strategy;
adding the first malice score to the second malice score to obtain the target malice score.
Optionally, the CPU 622 is further configured to execute the following steps:
obtaining the target strategy subset corresponding to the target behaviour log, where the target strategy subset includes the strategies that match the N dynamic behaviours;
determining the target virus type corresponding to the target strategy subset according to the virus classification rule, where the virus classification rule is the correspondence between strategy subsets and virus types.
Optionally, the CPU 622 is further configured to execute the following steps:
receiving a rule group configuration instruction;
generating the correspondence between a rule group and at least one rule according to the strategy configuration instruction, where the rule group belongs to the strategy, and the strategy further includes the malice score;
receiving a classification configuration instruction;
generating the correspondence between a virus type and at least one rule group according to the classification configuration instruction.
Optionally, the CPU 622 is further configured to execute the following steps:
obtaining a safe sample set and a virus sample set, where the safe sample set includes at least one safe file sample and the virus sample set includes at least one virus file sample;
obtaining a strategy to be scored from the strategy set, where the strategy to be scored includes a target rule group;
calculating a first number of matches according to the target rule group and the safe sample set;
calculating a second number of matches according to the target rule group and the virus sample set;
calculating the malice score of the strategy to be scored according to the first number of matches and the second number of matches.
Optionally, the CPU 622 is specifically configured to execute the following steps:
calculating the malice score of the strategy to be scored in the following way:
Q = (a/X - b/Y) * 100;
where Q indicates the malice score of the strategy to be scored, a indicates the second number of matches, b indicates the first number of matches, X indicates the number of virus file samples in the virus sample set, and Y indicates the number of safe file samples in the safe sample set.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not repeated here.
In the several embodiments provided by the present invention, it should be understood that the disclosed system, device and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative; the division into units is only a division by logical function, and other divisions are possible in actual implementation: for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute all or some of the steps of the methods of the embodiments of the present invention. The storage medium includes a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk or any other medium that can store program code.
The above embodiments are merely intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (11)

1. A file detection method, characterized by comprising:
obtaining a target behaviour log of a file to be detected, where the target behaviour log includes N dynamic behaviours, a dynamic behaviour is information associated with an operation, and N is an integer greater than or equal to 1;
matching every dynamic behaviour in the target behaviour log against every rule corresponding to each strategy in a strategy set to obtain a matching result, where the strategy set includes M preconfigured strategies, each strategy corresponds to at least one rule, every strategy corresponds to one malice score, and M is an integer greater than or equal to 1;
generating a target malice score corresponding to the target behaviour log according to the matching result;
if the target malice score reaches a malice score threshold, determining that the file to be detected is a virus file.
2. The method according to claim 1, characterized in that the dynamic behaviour includes at least an operator and an application programming interface (API);
where the operator denotes the object that initiates the operation, and the API denotes the interface function called to execute the operation;
the dynamic behaviour may further include at least one of a process, an operation object and an additional parameter;
where the process denotes the entity that runs the operation, the operation object denotes the object that receives the operation, and the additional parameter denotes a parameter relevant to the operation;
and the matching every dynamic behaviour in the target behaviour log against every rule corresponding to each strategy in the strategy set to obtain a matching result comprises:
obtaining the operator, the API, the process, the operation object and the additional parameter of every dynamic behaviour in the target behaviour log;
obtaining the preset operator, preset API, preset process, preset operation object and preset additional parameter of every rule in each strategy;
matching the operator of every dynamic behaviour against the preset operator of every rule, the API of every dynamic behaviour against the preset API of every rule, the process of every dynamic behaviour against the preset process of every rule, the operation object of every dynamic behaviour against the preset operation object of every rule, and the additional parameter of every dynamic behaviour against the preset additional parameter of every rule, to obtain the matching result.
3. The method according to claim 1, characterized in that the matching every dynamic behaviour in the target behaviour log against every rule corresponding to each strategy in the strategy set to obtain a matching result comprises:
obtaining the i-th dynamic behaviour in the target behaviour log, where i is an integer greater than or equal to 1 and less than or equal to N;
obtaining the k-th rule corresponding to the j-th strategy in the strategy set, where j is an integer greater than or equal to 1 and less than or equal to M, and k is an integer greater than or equal to 1;
matching the i-th dynamic behaviour against the k-th rule corresponding to the j-th strategy;
if the i-th dynamic behaviour matches the k-th rule corresponding to the j-th strategy, matching the (i+1)-th dynamic behaviour against the (k+1)-th rule corresponding to the j-th strategy;
if the i-th dynamic behaviour does not match the k-th rule corresponding to the j-th strategy, matching the (i+1)-th dynamic behaviour against the k-th rule corresponding to the j-th strategy.
4. The method according to claim 3, characterized in that the generating a target malice score corresponding to the target behaviour log according to the matching result comprises:
if the target behaviour log matches the j-th strategy, obtaining a first malice score corresponding to the j-th strategy;
if the target behaviour log matches the (j+1)-th strategy, obtaining a second malice score corresponding to the (j+1)-th strategy;
adding the first malice score and the second malice score to obtain the target malice score.
5. The method according to claim 1, characterized in that after the determining that the file to be detected is a virus file, the method further comprises:
obtaining a target strategy subset corresponding to the target behaviour log, where the target strategy subset includes the strategies that match the N dynamic behaviours;
determining a target virus type corresponding to the target strategy subset according to a virus classification rule, where the virus classification rule is the correspondence between strategy subsets and virus types.
6. The method according to claim 1, characterized in that before the matching every dynamic behaviour in the target behaviour log against every rule corresponding to each strategy in the strategy set, the method further comprises:
receiving a rule group configuration instruction;
generating the correspondence between a rule group and at least one rule according to the strategy configuration instruction, where the rule group belongs to a strategy, and the strategy further includes the malice score;
receiving a classification configuration instruction;
generating the correspondence between virus types and at least one rule group according to the classification configuration instruction.
7. The method according to any one of claims 1 to 6, characterized in that before the matching every dynamic behaviour in the target behaviour log against every rule corresponding to each strategy in the strategy set, the method further comprises:
obtaining a safe sample set and a virus sample set, where the safe sample set includes at least one safe file sample and the virus sample set includes at least one virus file sample;
obtaining a strategy to be scored from the strategy set, where the strategy to be scored includes a target rule group;
calculating a first number of matches according to the target rule group and the safe sample set;
calculating a second number of matches according to the target rule group and the virus sample set;
calculating the malice score of the strategy to be scored according to the first number of matches and the second number of matches.
8. The method according to claim 7, characterized in that the calculating the malice score of the strategy to be scored according to the first number of matches and the second number of matches comprises:
calculating the malice score of the strategy to be scored as follows:
Q = (a/X - b/Y) * 100;
where Q denotes the malice score of the strategy to be scored, a denotes the second number of matches, b denotes the first number of matches, X denotes the number of virus file samples in the virus sample set, and Y denotes the number of safe file samples in the safe sample set.
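The following is an added worked example of the claimed method (the CPU 622 steps above and claims 1 to 8); it is illustration code written for this page, not code from the patent or from Tencent. It assumes that a rule only constrains the fields it lists (a field absent from a rule is a wildcard, which the patent does not specify), that a classification rule applies when all of its strategies are in the matched subset, and that the behaviour logs, strategies, scores and threshold are constructed sample data. The matching walk is the one of claim 3: one pass over the log, advancing to the next rule only when the current behaviour matches, so rule order matters. The strategy score Q of claim 8 is computed over constructed safe and virus sample sets; a rule group that fires on safe samples as often as on virus samples (the file_write strategy) scores 0, which is what the formula is for.

```python
from dataclasses import dataclass
from typing import Optional

# Added illustration of the claimed method, not the patent's code. Assumptions: a rule
# field that is absent is a wildcard, a classification rule fires when all of its
# strategies are in the matched subset, and every sample below is constructed.

@dataclass(frozen=True)
class Behaviour:
    """One dynamic behaviour: operator and API are mandatory, the rest optional."""
    operator: str
    api: str
    process: Optional[str] = None
    obj: Optional[str] = None     # operation object
    param: Optional[str] = None   # additional parameter

def rule_matches(rule: dict, b: Behaviour) -> bool:
    """A rule is a dict of preset field values; fields it does not list are wildcards."""
    return all(getattr(b, field) == want for field, want in rule.items())

@dataclass(frozen=True)
class Strategy:
    name: str
    rules: tuple        # ordered rule group
    malice_score: int

def strategy_matches(log, strategy) -> bool:
    """Claim 3: one pass over the log; rule k advances only when behaviour i matches
    it, otherwise behaviour i+1 is tried against the same rule k."""
    k = 0
    for b in log:
        if k < len(strategy.rules) and rule_matches(strategy.rules[k], b):
            k += 1
    return k == len(strategy.rules)

def matched_strategies(log, strategies):
    return [s for s in strategies if strategy_matches(log, s)]

def target_malice_score(log, strategies) -> int:
    """Claim 4: the malice scores of all matched strategies are added up."""
    return sum(s.malice_score for s in matched_strategies(log, strategies))

def classify(log, strategies, classification_rules):
    """Claim 5: map the matched strategy subset to a virus type (first rule wins)."""
    subset = frozenset(s.name for s in matched_strategies(log, strategies))
    for names, virus_type in classification_rules:
        if names <= subset:
            return virus_type
    return None

def strategy_score(strategy, safe_logs, virus_logs) -> float:
    """Claim 8: Q = (a/X - b/Y) * 100, a and b being the match counts on the virus and
    safe sets, X and Y their sizes; a rule group that fires equally on both scores 0."""
    a = sum(strategy_matches(log, strategy) for log in virus_logs)
    b = sum(strategy_matches(log, strategy) for log in safe_logs)
    return (a / len(virus_logs) - b / len(safe_logs)) * 100

# Constructed sample behaviour logs (operator, API, process, object, parameter).
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RANSOM_LOG = (
    Behaviour("sample.exe", "CreateFileW", "sample.exe", r"C:\Users\u\doc.txt", "GENERIC_READ"),
    Behaviour("sample.exe", "CryptEncrypt", "sample.exe", "doc.txt"),
    Behaviour("sample.exe", "WriteFile", "sample.exe", r"C:\Users\u\doc.txt.locked"),
    Behaviour("sample.exe", "DeleteFileW", "sample.exe", r"C:\Users\u\doc.txt"),
    Behaviour("sample.exe", "RegSetValueExW", "sample.exe", RUN_KEY, "sample.exe"),
)
DROPPER_LOG = (
    Behaviour("dl.exe", "CreateFileW", "dl.exe", r"C:\Users\u\AppData\svc.exe", "GENERIC_WRITE"),
    Behaviour("dl.exe", "WriteFile", "dl.exe", r"C:\Users\u\AppData\svc.exe"),
    Behaviour("dl.exe", "OpenProcess", "dl.exe", "explorer.exe", "PROCESS_ALL_ACCESS"),
    Behaviour("dl.exe", "WriteProcessMemory", "dl.exe", "explorer.exe"),
    Behaviour("dl.exe", "RegSetValueExW", "dl.exe", RUN_KEY, "svc.exe"),
)
EDITOR_LOG = (
    Behaviour("editor.exe", "CreateFileW", "editor.exe", r"C:\Users\u\doc.txt", "GENERIC_READ"),
    Behaviour("editor.exe", "WriteFile", "editor.exe", r"C:\Users\u\doc.txt"),
)
INSTALLER_LOG = (
    Behaviour("setup.exe", "CreateFileW", "setup.exe", r"C:\Program Files\app\app.exe", "GENERIC_WRITE"),
    Behaviour("setup.exe", "WriteFile", "setup.exe", r"C:\Program Files\app\app.exe"),
    Behaviour("setup.exe", "RegSetValueExW", "setup.exe", RUN_KEY, "app.exe"),
)
STRATEGIES = (  # constructed: name, ordered rule group, malice score
    Strategy("encrypt_then_delete", ({"api": "CryptEncrypt"}, {"api": "WriteFile"}, {"api": "DeleteFileW"}), 60),
    Strategy("run_key_persistence", ({"api": "RegSetValueExW", "obj": RUN_KEY},), 30),
    Strategy("file_write", ({"api": "CreateFileW"}, {"api": "WriteFile"}), 5),
    Strategy("remote_memory_write", ({"api": "OpenProcess"}, {"api": "WriteProcessMemory"}), 40),
)
CLASSIFICATION_RULES = (  # strategy subset -> virus type
    (frozenset({"encrypt_then_delete"}), "Ransomware"),
    (frozenset({"run_key_persistence", "remote_memory_write"}), "Dropper"),
)
THRESHOLD = 60  # constructed malice score threshold

def detect(log):
    """Claim 1 end to end: (target malice score, virus verdict, virus type or None)."""
    score = target_malice_score(log, STRATEGIES)
    virus = score >= THRESHOLD
    return score, virus, (classify(log, STRATEGIES, CLASSIFICATION_RULES) if virus else None)
```

With these constructed inputs, `detect(RANSOM_LOG)` yields a score of 95 (60 + 30 + 5), a virus verdict and the type "Ransomware"; `detect(INSTALLER_LOG)` yields 35 and no verdict even though the installer sets the same Run key, because the persistence strategy alone stays under the threshold. Reversing the ransomware log makes the encrypt_then_delete strategy fail, since claim 3 never revisits an earlier rule. The Q scores over the two safe and two virus samples are 50 for the three discriminating strategies and 0 for file_write, which matches every sample.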
9. A file detection device, characterized by comprising:
an obtaining module, configured to obtain a target behaviour log of a file to be detected, where the target behaviour log includes N dynamic behaviours, a dynamic behaviour is information associated with an operation, and N is an integer greater than or equal to 1;
a matching module, configured to match every dynamic behaviour in the target behaviour log obtained by the obtaining module against every rule corresponding to each strategy in a strategy set to obtain a matching result, where the strategy set includes M preconfigured strategies, each strategy corresponds to at least one rule, every strategy corresponds to one malice score, and M is an integer greater than or equal to 1;
a generating module, configured to generate a target malice score corresponding to the target behaviour log according to the matching result obtained by the matching module;
a determining module, configured to determine that the file to be detected is a virus file if the target malice score generated by the generating module reaches a malice score threshold.
10. A file detection device, characterized by comprising: a memory, a transceiver, a processor and a bus system;
where the memory is configured to store a program;
the processor is configured to execute the program in the memory, including the following steps:
obtaining a target behaviour log of a file to be detected, where the target behaviour log includes N dynamic behaviours, a dynamic behaviour is information associated with an operation, and N is an integer greater than or equal to 1;
matching every dynamic behaviour in the target behaviour log against every rule corresponding to each strategy in a strategy set to obtain a matching result, where the strategy set includes M preconfigured strategies, each strategy corresponds to at least one rule, every strategy corresponds to one malice score, and M is an integer greater than or equal to 1;
generating a target malice score corresponding to the target behaviour log according to the matching result;
if the target malice score reaches a malice score threshold, determining that the file to be detected is a virus file;
and the bus system is configured to connect the memory and the processor so that the memory and the processor communicate with each other.
11. A computer-readable storage medium comprising instructions which, when run on a computer, cause the computer to execute the method according to any one of claims 1 to 8.
CN201811533910.0A 2018-12-14 2018-12-14 File detection method and related device Active CN110399720B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811533910.0A CN110399720B (en) 2018-12-14 2018-12-14 File detection method and related device


Publications (2)

Publication Number Publication Date
CN110399720A true CN110399720A (en) 2019-11-01
CN110399720B CN110399720B (en) 2022-12-16

Family

ID=68322578


Country Status (1)

Country Link
CN (1) CN110399720B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110826069A (en) * 2019-11-05 2020-02-21 深信服科技股份有限公司 Virus processing method, device, equipment and storage medium
CN110837639A (en) * 2019-11-08 2020-02-25 浙江军盾信息科技有限公司 Active defense method and system for unknown threat
CN112100448A (en) * 2020-08-07 2020-12-18 中山大学 Directed acyclic graph comparison method, module and system based on dynamic programming
CN112580047A (en) * 2020-12-23 2021-03-30 苏州三六零智能安全科技有限公司 Industrial malicious code marking method, equipment, storage medium and device
CN113158185A (en) * 2021-03-05 2021-07-23 杭州数梦工场科技有限公司 Safety detection method and device
CN113810242A (en) * 2020-06-16 2021-12-17 中盈优创资讯科技有限公司 System log analysis method and device
CN116861430A (en) * 2023-09-04 2023-10-10 北京安天网络安全技术有限公司 Malicious file detection method, device, equipment and medium
CN116861429A (en) * 2023-09-04 2023-10-10 北京安天网络安全技术有限公司 Malicious detection method, device, equipment and medium based on sample behaviors

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103839003A (en) * 2012-11-22 2014-06-04 腾讯科技(深圳)有限公司 Malicious file detection method and device
US20150135262A1 (en) * 2012-05-03 2015-05-14 Shine Security Ltd. Detection and prevention for malicious threats
CN105809035A (en) * 2016-03-07 2016-07-27 南京邮电大学 Android application real-time behavior based malicious software detection method and system
CN105989283A (en) * 2015-02-06 2016-10-05 阿里巴巴集团控股有限公司 Method and device for recognizing virus variant
CN107992751A (en) * 2017-12-21 2018-05-04 郑州云海信息技术有限公司 A kind of real-time threat detection method based on branch's behavior model


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant