CN110399720A - Method and related apparatus for file detection - Google Patents
- Publication number: CN110399720A (application CN201811533910.0A)
- Authority: CN (China)
- Prior art keywords: strategy, rule, dynamic behaviour, behavior log, file
- Legal status: Granted
Classifications (CPC, both under G06F21/56, computer malware detection or handling, e.g. anti-virus arrangements)
- G06F21/566: Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- G06F21/568: Eliminating virus, restoring damaged files
Abstract
The invention discloses a method of file detection, comprising: obtaining the target behaviour log of a file to be detected, where the target behaviour log includes N dynamic behaviours, a dynamic behaviour is information associated with an operation, and N is an integer greater than or equal to 1; matching each dynamic behaviour in the target behaviour log against each rule corresponding to each strategy in a strategy set to obtain a matching result, where the strategy set includes M preconfigured strategies, each strategy corresponds to at least one rule and to a malice score, and M is an integer greater than or equal to 1; generating, according to the matching result, the target malice score corresponding to the target behaviour log; and, if the target malice score reaches a malice score threshold, determining that the file to be detected is a virus file. The invention also discloses a file detection device. The invention detects the dynamic behaviour of a file and is therefore not affected by deformation of virus features, which reduces the virus false alarm rate.
Description
Technical field
The present invention relates to the field of internet security, and in particular to a method and related apparatus for file detection.
Background technique
As the internet merges ever more deeply with human life, the main bodies of human society such as the economy, politics and culture are constantly associated with and integrated into the virtual world of the internet, and the boundary between the essential elements of society and the virtualised society of the internet is becoming increasingly blurred. As a consequence, the problems of the real world also appear and erupt in the virtual internet. Security is a very crucial and sensitive internet problem, and viruses are one of the main sources and drivers of this problem. At present, the confrontation between security defence and viruses is growing ever fiercer.
In the traditional defence method, viruses are mainly identified by signature scanning. The features of a virus file are first extracted; one or more binary codes of the virus are manually extracted according to the virus features, and this code is the identity of that class of virus, i.e. its signature (condition code); the signature is then updated into a cloud database. When file detection is performed, the signature is compared in order to determine whether the file is a virus.
However, although signature scanning can accurately identify known viruses, it has difficulty with unknown viruses or deformed viruses, which causes a higher virus false alarm rate.
Summary of the invention
Embodiments of the present invention provide a method and related apparatus for file detection. During file security detection, the static features of the file are no longer detected; instead the dynamic behaviour of the file is detected, so that detection is not affected by deformation of virus features and also has stronger killing ability against unknown viruses, thereby reducing the virus false alarm rate.
In view of this, a first aspect of the present invention provides a method of file detection, comprising:
obtaining the target behaviour log of a file to be detected, where the target behaviour log includes N dynamic behaviours, a dynamic behaviour is information associated with an operation, and N is an integer greater than or equal to 1;
matching each dynamic behaviour in the target behaviour log against each rule corresponding to each strategy in a strategy set to obtain a matching result, where the strategy set includes M preconfigured strategies, each strategy corresponds to at least one rule and each strategy corresponds to a malice score, and M is an integer greater than or equal to 1;
generating, according to the matching result, the target malice score corresponding to the target behaviour log;
if the target malice score reaches the malice score threshold, determining that the file to be detected is a virus file.
A second aspect of the present invention provides a file detection device, comprising:
an acquisition module for obtaining the target behaviour log of a file to be detected, where the target behaviour log includes N dynamic behaviours, a dynamic behaviour is information associated with an operation, and N is an integer greater than or equal to 1;
a matching module for matching each dynamic behaviour in the target behaviour log obtained by the acquisition module against each rule corresponding to each strategy in a strategy set to obtain a matching result, where the strategy set includes M preconfigured strategies, each strategy corresponds to at least one rule and each strategy corresponds to a malice score, and M is an integer greater than or equal to 1;
a generation module for generating, according to the matching result obtained by the matching module, the target malice score corresponding to the target behaviour log;
a determining module for determining that the file to be detected is a virus file if the target malice score generated by the generation module reaches the malice score threshold.
In a possible design, in a first implementation of the second aspect of the embodiment of the present invention, a dynamic behaviour includes at least an operator and an application programming interface (API);
where the operator indicates the object that initiates the operation, and the API indicates the interface function called to execute the operation;
a dynamic behaviour may further include at least one of a process, an operation object and an additional parameter;
where the process indicates the entity that runs the operation, the operation object indicates the object that receives the operation, and the additional parameter indicates a parameter related to the operation;
the matching module is specifically configured to obtain the operator, API, process, operation object and additional parameter of each dynamic behaviour in the target behaviour log;
obtain the preset operator, preset API, preset process, preset operation object and preset additional parameter of each rule in each strategy;
and match the operator of each dynamic behaviour with the preset operator of each rule, the API of each dynamic behaviour with the preset API of each rule, the process of each dynamic behaviour with the preset process of each rule, the operation object of each dynamic behaviour with the preset operation object of each rule, and the additional parameter of each dynamic behaviour with the preset additional parameter of each rule, to obtain the matching result.
In a possible design, in a second implementation of the second aspect of the embodiment of the present invention,
the matching module is specifically configured to obtain the i-th dynamic behaviour in the target behaviour log, where i is an integer greater than or equal to 1 and less than or equal to N;
obtain the k-th rule corresponding to the j-th strategy in the strategy set, where j is an integer greater than or equal to 1 and less than or equal to M, and k is an integer greater than or equal to 1;
match the i-th dynamic behaviour against the k-th rule corresponding to the j-th strategy;
if the i-th dynamic behaviour and the k-th rule corresponding to the j-th strategy match successfully, match the (i+1)-th dynamic behaviour against the (k+1)-th rule corresponding to the j-th strategy;
if the i-th dynamic behaviour and the k-th rule corresponding to the j-th strategy fail to match, match the (i+1)-th dynamic behaviour against the k-th rule corresponding to the j-th strategy.
In a possible design, in a third implementation of the second aspect of the embodiment of the present invention,
the generation module is specifically configured to obtain the first malice score corresponding to the j-th strategy if the target behaviour log matches the j-th strategy successfully;
obtain the second malice score corresponding to the (j+1)-th strategy if the target behaviour log matches the (j+1)-th strategy successfully;
and add the first malice score to the second malice score to obtain the target malice score.
In a possible design, in a fourth implementation of the second aspect of the embodiment of the present invention,
the acquisition module is further configured to obtain, after the determining module determines that the file to be detected is a virus file, the target strategy subset corresponding to the target behaviour log, where the target strategy subset includes the strategies that match the N dynamic behaviours;
and determine the target virus type corresponding to the target strategy subset according to virus classification rules, where the virus classification rules are the correspondence between strategy subsets and virus types.
In a possible design, in a fifth implementation of the second aspect of the embodiment of the present invention, the file detection device further includes a receiving module;
the receiving module is further configured to receive a rule group configuration instruction before the matching module matches each dynamic behaviour in the target behaviour log against each rule corresponding to each strategy in the strategy set;
the generation module is further configured to generate, according to the strategy configuration instruction received by the receiving module, the correspondence between a rule group and at least one rule, where the rule group belongs to a strategy and the strategy further includes the malice score;
the receiving module is further configured to receive a classification configuration instruction;
the generation module is further configured to generate, according to the classification configuration instruction received by the receiving module, the correspondence between a virus type and at least one rule group.
In a possible design, in a sixth implementation of the second aspect of the embodiment of the present invention, the file detection device may further include a computing module;
the acquisition module is further configured to obtain a safe sample set and a virus sample set before the matching module matches each dynamic behaviour in the target behaviour log against each rule corresponding to each strategy in the strategy set, where the safe sample set includes at least one safe file sample and the virus sample set includes at least one virus file sample;
the acquisition module is further configured to obtain a strategy to be scored from the strategy set, where the strategy to be scored includes a target rule group;
the computing module is configured to compute a first matching count according to the target rule group obtained by the acquisition module and the safe sample set;
the computing module is further configured to compute a second matching count according to the target rule group and the virus sample set;
the computing module is further configured to compute the malice score of the strategy to be scored according to the first matching count and the second matching count.
In a possible design, in a seventh implementation of the second aspect of the embodiment of the present invention,
the computing module is specifically configured to compute the malice score of the strategy to be scored as follows:
Q = (a/X - b/Y) * 100;
where Q is the malice score of the strategy to be scored, a is the second matching count, b is the first matching count, X is the number of virus file samples in the virus sample set, and Y is the number of safe file samples in the safe sample set.
A third aspect of the present invention provides a file detection device, comprising: a memory, a transceiver, a processor and a bus system;
where the memory is for storing a program;
the processor is for executing the program in the memory, which includes the following steps:
obtaining the target behaviour log of a file to be detected, where the target behaviour log includes N dynamic behaviours, a dynamic behaviour is information associated with an operation, and N is an integer greater than or equal to 1;
matching each dynamic behaviour in the target behaviour log against each rule corresponding to each strategy in a strategy set to obtain a matching result, where the strategy set includes M preconfigured strategies, each strategy corresponds to at least one rule and each strategy corresponds to a malice score, and M is an integer greater than or equal to 1;
generating, according to the matching result, the target malice score corresponding to the target behaviour log;
if the target malice score reaches the malice score threshold, determining that the file to be detected is a virus file;
the bus system is for connecting the memory and the processor so that the memory and the processor communicate.
A fourth aspect of the present invention provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to execute the method described in the above aspects.
It can be seen from the above technical solutions that the embodiments of the present invention have the following advantage:
In the embodiment of the present invention, a method of file detection is provided. The target behaviour log of the file to be detected is obtained first, where the target behaviour log includes N dynamic behaviours and a dynamic behaviour is information associated with the execution of an operation; then each dynamic behaviour in the target behaviour log is matched against each rule corresponding to each strategy in the strategy set to obtain a matching result; the target malice score corresponding to the target behaviour log is generated according to the matching result; and if the target malice score reaches the malice score threshold, the file to be detected is determined to be a virus file. In this way, during file security detection the static features of the file are no longer detected; instead the dynamic behaviour of the file is detected, so that detection is not affected by deformation of virus features and also has stronger killing ability against unknown viruses, thereby reducing the virus false alarm rate.
Detailed description of the invention
Fig. 1 is a schematic architecture diagram of the file detection system in an embodiment of the present invention;
Fig. 2 is a schematic diagram of the interaction structure of the file detection system in an embodiment of the present invention;
Fig. 3 is a schematic diagram of one embodiment of the method of file detection in an embodiment of the present invention;
Fig. 4 is a schematic diagram of strategy content in an embodiment of the present invention;
Fig. 5 is a schematic diagram of one embodiment of matching a file to be detected in an embodiment of the present invention;
Fig. 6 is a flow diagram of matching a dynamic behaviour against each rule in a strategy in an embodiment of the present invention;
Fig. 7 is a flow diagram of matching dynamic behaviours against the strategy set in an embodiment of the present invention;
Fig. 8 is a schematic diagram of the matching relationship between rules, rule groups and virus types in an embodiment of the present invention;
Fig. 9 is a schematic diagram of another embodiment of the method of file detection in an embodiment of the present invention;
Fig. 10 is a schematic diagram of one embodiment of the file detection device in an embodiment of the present invention;
Fig. 11 is a schematic diagram of another embodiment of the file detection device in an embodiment of the present invention;
Fig. 12 is a schematic diagram of another embodiment of the file detection device in an embodiment of the present invention;
Fig. 13 is a schematic structural diagram of a terminal device in an embodiment of the present invention;
Fig. 14 is a schematic structural diagram of a server in an embodiment of the present invention.
Specific embodiment
Embodiments of the present invention provide a method and related apparatus for file detection. During file security detection, the static features of the file are no longer detected; instead the dynamic behaviour of the file is detected, so that detection is not affected by deformation of virus features and also has stronger killing ability against unknown viruses, thereby reducing the virus false alarm rate.
The terms "first", "second", "third", "fourth" and so on (if present) in the description, the claims and the above drawings of this specification are used to distinguish similar objects and are not used to describe a particular order or precedence. It should be understood that data so used are interchangeable under appropriate circumstances, so that the embodiments of the present invention described herein can, for example, be implemented in an order other than those illustrated or described herein. In addition, the terms "include" and "have" and any variations of them are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device that contains a series of steps or units is not necessarily limited to the steps or units clearly listed, but may include other steps or units that are not clearly listed or that are inherent to these processes, methods, products or devices.
It should be understood that the present invention is mainly applicable to virus detection scenarios. Specifically, it can be used to detect network viruses (which propagate through computer networks and infect executable files in the network), file viruses (which infect files in the computer, such as component object model (COM) objects, executable programs (EXE) and documents (DOC)) and boot-type viruses (which infect the boot sector), as well as mixed types of these three, such as multipartite viruses (file virus plus boot-type virus) that infect both files and the boot sector. Viruses usually have complex algorithms; they use unconventional methods to invade the system, and use encryption and deformation algorithms.
For ease of understanding, the present invention proposes a method of file detection that is applied to the file detection system shown in Fig. 1. Referring to Fig. 1, Fig. 1 is a schematic architecture diagram of the file detection system in an embodiment of the present invention. As shown, the file detection device can be deployed in the server. The server obtains the strategy set by automatic training; the strategy set includes at least one strategy, each strategy has a rule group and a corresponding malice score, and a rule group includes at least one rule. The server stores the strategy set locally. When file detection is performed, the dynamic behaviours of the file are first obtained by parsing, and then each dynamic behaviour is matched against each rule in turn. When all rules in some strategy match successfully, the malice score corresponding to that strategy is obtained; finally the malice scores corresponding to all matched strategies are summed to obtain a final result. If this result is greater than or equal to the preset threshold, the server can determine that the file belongs to virus files; at this point the server feeds the result back to the client, and the client shows the user a notice that the file is a virus file so that the user can deal with the virus file as early as possible.
Similarly, the file detection device can also be deployed in the client. The client stores the strategy set locally; when file detection is performed, the dynamic behaviours of the file are first obtained by parsing, and then each dynamic behaviour is matched against each rule in turn. When all rules in some strategy match successfully, the malice score corresponding to that strategy is obtained; finally the malice scores corresponding to all matched strategies are summed to obtain a final result. If this result is greater than or equal to the preset threshold, the client can determine that the file belongs to virus files. In addition, the client can directly display a notice that the file is a virus file so that the user can deal with the virus file as early as possible.
It should be noted that the client is deployed on a terminal device, where terminal devices include, but are not limited to, tablet computers, laptops, palmtop computers, mobile phones and personal computers (PC); no limitation is made here. The client may specifically be Tencent PC Manager (Tencent personal computer manager), which is security software with functions such as cloud Trojan detection and killing, system acceleration, vulnerability repair, real-time protection, network speed protection, computer clinic, health assistant, desktop organiser and document protection.
For ease of understanding, referring to Fig. 2, Fig. 2 is a schematic diagram of the interaction structure of the file detection system in an embodiment of the present invention. As shown, the automated training machine is usually deployed in the server, and the behaviour strategy library is obtained by training in the server; the behaviour strategy library can be deployed in the server or in the client, without limitation here. How the behaviour strategy library is trained is explained below. The automated training machine extracts the dynamic behaviours of a large number of samples of known attributes (including safe samples and virus samples) through a sandbox system to form a white sample behaviour library and a black sample behaviour library. The sandbox system builds a secure simulated user environment by virtual machine technology, lets a sample (such as an EXE) behave in this environment, and observes the dynamic behaviour of the sample without affecting the real user environment; the virtual machine here is the open-source VirtualBox virtual machine.
Training scheduling obtains the dynamic behaviours in the dynamic behaviour library, then tests the manually extracted rule groups and assigns a malice score to each rule group. In addition, the automated training machine can also update the malice scores regularly so that they are closer to the real situation. The automated training machine is a dynamic system based on a sandbox: after a sample is input, it can output the sample's dynamic behaviours. The automated training machine processes a huge number of historical samples, forming a huge dynamic behaviour library; when a dynamic behaviour is extracted manually, a malice score can be obtained by the automated training machine. The behaviour strategy library is obtained from the training results of the automated training machine. The behaviour strategy library includes a rule library (including at least one dynamic behaviour), a strategy library (i.e. including at least one strategy) and a class library (including the classification of at least one strategy). During virus identification, the behaviour log of the file to be detected is first obtained according to the manually extracted rules, then the behaviour log is matched using the behaviour strategy library, and finally whether the file to be detected belongs to virus files is determined according to the matching result. Further, if this file is detected as a virus file while another application detects the file to be detected as a safe file, i.e. a detection conflict occurs, manual judgement is needed.
In conjunction with the above introduction, the method of file detection in the present invention is introduced below. Referring to Fig. 3, one embodiment of the method of file detection in an embodiment of the present invention includes:
101. Obtain the target behaviour log of the file to be detected, where the target behaviour log includes N dynamic behaviours, a dynamic behaviour is information associated with an operation, and N is an integer greater than or equal to 1;
In this embodiment, the file to be detected is obtained first; the file to be detected may specifically be a computer file that needs to be identified, such as an office file, an EXE file or a dynamic link library (DLL) file. The target behaviour log of the file to be detected is extracted; the target behaviour log can reflect the behaviour of the user, such as accessing websites, browsing websites, searching entries and clicking pages. The target behaviour log generally includes at least one dynamic behaviour; a dynamic behaviour refers to the series of behaviours by which a process, after it executes, obtains system resources through application programming interfaces (APIs). That is to say, each dynamic behaviour can indicate information associated with a user operation.
102. Match each dynamic behaviour in the target behaviour log against each rule corresponding to each strategy in the strategy set to obtain a matching result, where the strategy set includes M preconfigured strategies, each strategy corresponds to at least one rule and each strategy corresponds to a malice score, and M is an integer greater than or equal to 1;
In this embodiment, each dynamic behaviour in the target behaviour log is matched against each rule corresponding to each strategy in the strategy set; the strategy set includes M preconfigured strategies, and M is an integer greater than or equal to 1. For ease of understanding, referring to Fig. 4, Fig. 4 is a schematic diagram of strategy content in an embodiment of the present invention. As shown, a strategy is a method for identifying viruses. A strategy mainly includes a rule group and a malice score; a rule group includes at least one rule, such as rule 1, rule 2 and rule 3. The malice score refers to the virus malice degree of this rule group; its value ranges from 0 to 100 inclusive, where a larger score indicates a greater degree of malice, 0 indicates no malice, i.e. safe, and 100 indicates a virus. The extraction of rule groups tends to rely on human experience.
Suppose a virus needs to access multiple APIs to complete an attack; these multiple APIs are then equivalent to doing the same thing to reach the same goal. A rule is one API access, and these rules together form a rule group. By calculating the malice score of this rule group, a strategy is generated.
The matching result obtained refers to whether each behaviour log entry in the target behaviour log matches each rule corresponding to each strategy in the strategy set. For ease of introduction, referring to Fig. 5, Fig. 5 is a schematic diagram of one embodiment of matching a file to be detected in an embodiment of the present invention. As shown, suppose the target behaviour log includes 4 dynamic behaviours and the strategy set includes 3 strategies. Dynamic behaviour 1 is matched against each rule in each strategy, dynamic behaviour 2 against each rule in each strategy, dynamic behaviour 3 against each rule in each strategy, and dynamic behaviour 4 against each rule in each strategy. The matching result is: rule 1 in strategy A matches dynamic behaviour 1 and rule 2 matches dynamic behaviour 3, so strategy A matches successfully; rule 3 in strategy B matches dynamic behaviour 2 and rule 4 matches dynamic behaviour 3, so strategy B matches successfully; rule 5 in strategy C matches dynamic behaviour 4, but rule 6 matches no dynamic behaviour, so strategy C fails to match.
103. Generate the target malice score corresponding to the target behaviour log according to the matching result;
In this embodiment, since each strategy has its corresponding malice score, the target malice score corresponding to the target behaviour log can be generated according to the matching result. Continuing with Fig. 5 as the example, suppose the malice score of strategy A is 30 and the malice score of strategy B is 50; then the target malice score is the sum of the malice scores of strategy A and strategy B, i.e. 80.
104. If the target malice score reaches the malice score threshold, determine that the file to be detected is a virus file.
In this embodiment, it is judged whether the target malice score reaches the malice score threshold. If it has reached the malice score threshold, the file to be detected is determined to be a virus file; otherwise, if it has not reached the malice score threshold, the file to be detected is considered to belong to safe files. It can be understood that the malice score threshold can usually be set to 100; of course, in practical applications it can also be set to other values, without limitation here.
In the embodiment of the present invention, a method of file detection is provided. The target behaviour log of the file to be detected is obtained first, where the target behaviour log includes N dynamic behaviours and a dynamic behaviour is information associated with the execution of an operation; then each dynamic behaviour in the target behaviour log is matched against each rule corresponding to each strategy in the strategy set to obtain a matching result; the target malice score corresponding to the target behaviour log is generated according to the matching result; and if the target malice score reaches the malice score threshold, the file to be detected is determined to be a virus file. In this way, during file security detection the static features of the file are no longer detected; instead the dynamic behaviour of the file is detected, so that detection is not affected by deformation of virus features and also has stronger killing ability against unknown viruses, thereby reducing the virus false alarm rate.
Optionally, on the basis of the embodiment corresponding to Fig. 3 above, in a first alternative embodiment of the method of file detection provided by the embodiment of the present invention, a dynamic behaviour includes at least an operator and an application programming interface (API);
where the operator indicates the object that initiates the operation, and the API indicates the interface function called to execute the operation;
the dynamic behaviour may further include at least one of a process, an operation object and an additional parameter;
where the process indicates the entity that runs the operation, the operation object indicates the object that receives the operation, and the additional parameter indicates a parameter related to the operation;
matching each dynamic behaviour in the target behaviour log against each rule corresponding to each strategy in the strategy set to obtain the matching result may include:
obtaining the operator, API, process, operation object and additional parameter of each dynamic behaviour in the target behaviour log;
obtaining the preset operator, preset API, preset process, preset operation object and preset additional parameter of each rule in each strategy;
matching the operator of each dynamic behaviour against the preset operator of each rule, matching the API of each dynamic behaviour against the preset API of each rule, matching the process of each dynamic behaviour against the preset process of each rule, matching the operation object of each dynamic behaviour against the preset operation object of each rule, and matching the additional parameter of each dynamic behaviour against the preset additional parameter of each rule, to obtain the matching result.
In this embodiment, a rule is a dynamic behaviour extracted in advance. Like the dynamic behaviours extracted from the target behaviour log, each rule has at least two elements, namely an operator and an API. Generally, the operator is the object that initiates the operation and the API is the interface function called to execute it, so the operation performed can be known from the API. Optionally, a dynamic behaviour may further include at least one of a process, an operation object and an additional parameter, where the process indicates the entity that runs the operation, the operation object indicates the object that receives the operation, and the additional parameter indicates a parameter related to the operation. It is understood that the more complete the elements, the more accurately the behaviour is expressed.
Specifically, assume that a dynamic behaviour consists of an operator, a process, an API, an operation object and an additional parameter; the dynamic behaviour can then be expressed as:
bff30a6753338e7a9d371ec31c839a44,123.exe,CreateProcess,234.exe,c:\234.exe
where bff30a6753338e7a9d371ec31c839a44 is the operator (the operator may be a virus);
123.exe is the process;
CreateProcess is the API;
234.exe is the operation object;
c:\234.exe is the additional parameter.
It is understood that when the API is "OpenProcess", the corresponding additional parameters are "ProcessId" and "DesiredAccess"; when the API is "ExitProcess", the corresponding additional parameter is "ProcessName"; when the API is "TerminateProcess", the corresponding additional parameters are "ProcessName" and "ProcessId"; when the API is "SuspendProcess", the corresponding additional parameters are "ProcessName" and "ProcessId"; when the API is "ResumeProcess", the corresponding additional parameters are "ProcessName" and "ProcessId"; and when the API is "OpenThread", the corresponding additional parameters are "ThreadId", "ProcessId" and "DesiredAccess". In practice there are other kinds of API, each with its own additional parameters, which are not exhaustively listed here.
Correspondingly, each rule in a strategy is likewise made up of the five kinds of parameter above, specifically a preset operator, a preset API, a preset process, a preset operation object and a preset additional parameter. Therefore, in the actual matching process, the operator of each dynamic behaviour is matched against the preset operator of each rule, the API of each dynamic behaviour against the preset API of each rule, the process of each dynamic behaviour against the preset process of each rule, the operation object of each dynamic behaviour against the preset operation object of each rule, and the additional parameter of each dynamic behaviour against the preset additional parameter of each rule. That is, the corresponding matching result is determined by matching the parameters one by one.
Secondly, the embodiment of the present invention describes the elements that a dynamic behaviour specifically includes: the operator and the API are essential elements, so every dynamic behaviour has an operator and an API, while the process, operation object and additional parameter are optional elements, of which at least one may be present or none at all. In this way, the content related to the operation can be recognized from each dynamic behaviour or each rule; the more complete the elements, the more specific the expressed dynamic behaviour or rule, which improves the feasibility and operability of the operation.
Optionally, on the basis of the embodiment corresponding to Fig. 3 above, in a second alternative embodiment of the method of file detection provided by the embodiment of the present invention, matching each dynamic behaviour in the target behaviour log against each rule corresponding to each strategy in the strategy set to obtain the matching result includes:
obtaining the i-th dynamic behaviour in the target behaviour log, where i is an integer greater than or equal to 1 and less than or equal to N;
obtaining the k-th rule corresponding to the j-th strategy in the strategy set, where j is an integer greater than or equal to 1 and less than or equal to M, and k is an integer greater than or equal to 1;
matching the i-th dynamic behaviour against the k-th rule corresponding to the j-th strategy;
if the i-th dynamic behaviour matches the k-th rule corresponding to the j-th strategy successfully, matching the (i+1)-th dynamic behaviour against the (k+1)-th rule corresponding to the j-th strategy;
if the i-th dynamic behaviour fails to match the k-th rule corresponding to the j-th strategy, matching the (i+1)-th dynamic behaviour against the k-th rule corresponding to the j-th strategy.
In this embodiment, the process of matching dynamic behaviours against rules is introduced with reference to the drawings. Please refer to Fig. 6 and Fig. 7: Fig. 6 is a schematic flow diagram of matching dynamic behaviours against each rule in a strategy in the embodiment of the present invention, and Fig. 7 is a schematic flow diagram of matching dynamic behaviours against the strategy set in the embodiment of the present invention. As shown in Fig. 7, from step 301 and step 302 it is known that there is a strategy set D containing M strategies and a target behaviour log L including N dynamic behaviours, and that the target behaviour log L needs to be matched against each strategy in the strategy set D.
In step 303, matching of the target behaviour log L against the M strategies in the strategy set D begins; the specific manner of matching is as shown in Fig. 6. Referring to Fig. 6, step 201 is the same as step 301, i.e. all N dynamic behaviours in the target behaviour log L are matched.
In step 202, assume that the j-th strategy, namely strategy S, is first obtained from the strategy set D, and that strategy S contains K rules.
In step 203, the i-th dynamic behaviour in the target behaviour log is obtained, where i is an integer greater than or equal to 1 and less than or equal to N, and the k-th rule corresponding to the j-th strategy in the strategy set is obtained, where j is an integer greater than or equal to 1 and less than or equal to M, and k is an integer greater than or equal to 1. When the initial values are set, i equals 1 and k equals 1.
In step 204, the i-th dynamic behaviour in the target behaviour log is matched against the k-th rule corresponding to the j-th strategy by regular matching. Regular matching usually requires regular expressions; a regular expression is a logical formula for operating on strings, in which some predefined specific characters and combinations of these characters form a "regular string", and this "regular string" expresses a filtering logic applied to strings.
In step 205, it is judged whether the i-th dynamic behaviour matches the k-th rule corresponding to the j-th strategy successfully; if the match succeeds, step 206 is entered; conversely, if the match fails, step 208 is entered;
In step 206, if the i-th dynamic behaviour matches the k-th rule corresponding to the j-th strategy successfully, the (i+1)-th dynamic behaviour is matched against the (k+1)-th rule corresponding to the j-th strategy;
In step 207, it is further judged whether (k+1) is greater than K; if so, step 210 is entered; conversely, if (k+1) is less than or equal to K, step 209 is entered;
In step 208, if the i-th dynamic behaviour fails to match the k-th rule corresponding to the j-th strategy, the (i+1)-th dynamic behaviour is matched against the k-th rule corresponding to the j-th strategy;
In step 209, it is judged whether (i+1) is greater than N, that is, whether (i+1) exceeds the total number of dynamic behaviours in the target behaviour log; if so, step 211 is entered; conversely, if it is not greater, step 204 is entered and matching continues;
In step 210, if (k+1) is greater than K, this indicates that matching of strategy S has been completed, that is, all K rules of strategy S have matched successfully;
In step 211, if the N dynamic behaviours have been matched against the K rules in strategy S without all rules being hit, it is determined that the match is not successful;
In step 212, the matching result is output, that is, whether the target behaviour log of the file to be detected matches strategy S successfully.
Secondly, the embodiment of the present invention describes the specific manner of matching each dynamic behaviour in the target behaviour log against each rule corresponding to each strategy in the strategy set: the i-th dynamic behaviour in the target behaviour log and the k-th rule corresponding to the j-th strategy in the strategy set are obtained, and the i-th dynamic behaviour is matched against the k-th rule of the j-th strategy; if the match succeeds, the next dynamic behaviour is matched against the next rule; conversely, if the match fails, the next dynamic behaviour is matched against the k-th rule corresponding to the j-th strategy. In this way, matching between each dynamic behaviour in the target behaviour log and each rule in each strategy can be completed; the principle of one-by-one matching guarantees that the match is comprehensive, improving the success rate and reliability of matching.
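The first and second alternative embodiments above describe, respectively, the element-by-element comparison of a dynamic behaviour with a rule and the ordered walk of Fig. 6 over the log and the rules of one strategy. The following is an added example, not code from the patent: it parses behaviour records in the five-element comma-separated form shown in the text, treats each rule element as a regular expression (step 204), and implements the i/k index walk of steps 203 to 211. The sample log and the two strategies are constructed for the example (only the first log record comes from the text); the names `Behaviour`, `Rule`, `strategy_matches` and `match_strategy_set` are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Behaviour:
    """One dynamic behaviour. Operator and API are essential elements; process, operation
    object and additional parameter are optional and are left empty when absent."""
    operator: str
    process: str
    api: str
    operation_object: str
    additional_parameter: str


def parse_behaviour(line: str) -> Behaviour:
    """Parse one record in the comma-separated order used in the text
    (operator, process, API, operation object, additional parameter). The additional
    parameter may itself contain commas, so the line is split at most four times."""
    parts = line.strip().split(",", 4)
    if len(parts) != 5:
        raise ValueError(f"expected 5 elements, got {len(parts)}: {line!r}")
    if not parts[0] or not parts[2]:
        raise ValueError(f"operator and API are mandatory: {line!r}")
    return Behaviour(*parts)


def parse_log(text: str) -> List[Behaviour]:
    """A target behaviour log is one record per non-empty line."""
    return [parse_behaviour(line) for line in text.splitlines() if line.strip()]


@dataclass(frozen=True)
class Rule:
    """A preset behaviour. Every element is a regular expression (step 204 uses regular
    matching); None means the rule leaves that element unconstrained."""
    operator: Optional[str] = None
    process: Optional[str] = None
    api: Optional[str] = None
    operation_object: Optional[str] = None
    additional_parameter: Optional[str] = None


ELEMENTS = ("operator", "process", "api", "operation_object", "additional_parameter")


def rule_matches(rule: Rule, behaviour: Behaviour) -> bool:
    """Element-by-element comparison of one behaviour with one rule (first embodiment):
    the behaviour matches only if every constrained element matches its preset pattern."""
    for name in ELEMENTS:
        pattern = getattr(rule, name)
        if pattern is None:
            continue
        if re.fullmatch(pattern, getattr(behaviour, name), re.IGNORECASE) is None:
            return False
    return True


def strategy_matches(rules: List[Rule], log: List[Behaviour]) -> bool:
    """The walk of Fig. 6 (steps 203 to 211): behaviour i is compared with rule k; on success
    both indices advance, on failure only i advances, so the rules must be hit in order.
    The strategy matches once all K rules are consumed and fails once the N behaviours are."""
    if not rules:
        raise ValueError("a strategy must contain at least one rule")
    n, K = len(log), len(rules)
    i = k = 1                                        # step 203: initial values i = 1, k = 1
    while i <= n:                                    # step 209: stop once i exceeds N
        if rule_matches(rules[k - 1], log[i - 1]):   # steps 204 and 205
            k += 1                                   # step 206: next behaviour vs next rule
            if k > K:                                # steps 207 and 210: all K rules matched
                return True
        i += 1                                       # step 208 (or 206): next behaviour
    return False                                     # step 211: log exhausted, no match


def match_strategy_set(strategies: Dict[str, List[Rule]], log: List[Behaviour]) -> Dict[str, bool]:
    """Step 303 of Fig. 7: the log is matched against every strategy in the strategy set;
    each per-strategy result is the output of step 212."""
    return {name: strategy_matches(rules, log) for name, rules in strategies.items()}


# Constructed sample log. The first record is the one shown in the text; the other two are
# invented so that the log contains a create -> open -> terminate sequence.
SAMPLE_LOG = """\
bff30a6753338e7a9d371ec31c839a44,123.exe,CreateProcess,234.exe,c:\\234.exe
bff30a6753338e7a9d371ec31c839a44,123.exe,OpenProcess,234.exe,ProcessId=4120,DesiredAccess=0x1F0FFF
bff30a6753338e7a9d371ec31c839a44,123.exe,TerminateProcess,234.exe,ProcessName=234.exe,ProcessId=4120
"""

# Constructed strategies (hypothetical rule groups, not from the patent).
STRATEGY_SET: Dict[str, List[Rule]] = {
    # a process is created and later terminated: two rules that must be hit in order
    "spawn-then-kill": [
        Rule(api="CreateProcess", operation_object=r".*\.exe"),
        Rule(api="TerminateProcess", additional_parameter=r"ProcessName=[^,]+,ProcessId=\d+"),
    ],
    # no SuspendProcess record occurs in the sample log, so this strategy fails to match
    "suspend": [Rule(api="SuspendProcess")],
}
```

Because failure only advances i, the rules of a strategy are an ordered pattern over the log: reversing the two rules of "spawn-then-kill" makes the same log fail to match, which is the behaviour a rule author should expect when writing multi-rule strategies.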
Optionally, on the basis of the second embodiment corresponding to Fig. 3 above, in a third alternative embodiment of the method of file detection provided by the embodiment of the present invention, generating the target malice score corresponding to the target behaviour log according to the matching result may include:
if the target behaviour log matches the j-th strategy successfully, obtaining the first malice score corresponding to the j-th strategy;
if the target behaviour log matches the (j+1)-th strategy successfully, obtaining the second malice score corresponding to the (j+1)-th strategy;
adding the first malice score and the second malice score to obtain the target malice score.
In this embodiment, on the basis of the second embodiment corresponding to Fig. 3 above, how the target malice score of the file to be detected is calculated is introduced. For ease of introduction, please continue to refer to Fig. 6 and Fig. 7. In step 212 of Fig. 6, the matching result of the target behaviour log against the j-th strategy can be output; the matching result has two possibilities, match success or match failure. In step 304 of Fig. 7, it is determined from the matching result whether the target behaviour log matches the j-th strategy successfully; if the match succeeds, step 306 is entered; conversely, if the match fails, step 305 is entered.
In step 305, if the target behaviour log fails to match the j-th strategy, the target behaviour log continues to be matched against the (j+1)-th strategy.
In step 306, if the target behaviour log matches the j-th strategy successfully, the first malice score corresponding to the j-th strategy is obtained; assuming the first malice score is a, the target malice score W is a. Correspondingly, if the target behaviour log matches the (j+1)-th strategy successfully, the second malice score corresponding to the (j+1)-th strategy is obtained; assuming the second malice score is b, the target malice score W is (a+b), and so on.
In step 307, it is judged whether matching has been completed against all M strategies in the strategy set; if so, step 308 is executed; conversely, step 305 is executed, that is, judgement of the next strategy continues.
In step 308, it is judged whether the target malice score is greater than or equal to 100; if so, step 309 is executed; conversely, step 311 is executed, that is, the detection process for the file to be detected is completed.
In step 309, if the target malice score is greater than or equal to 100, the file to be detected is determined to be a virus file.
In step 310, finally, the specific type of the virus can also be determined according to the rule group corresponding to the hit strategy.
In step 311, the detection process for the file to be detected ends.
Again, the embodiment of the present invention illustrates the manner of generating the target malice score corresponding to the target behaviour log from the matching result: if the target behaviour log matches the j-th strategy successfully, the first malice score corresponding to the j-th strategy is obtained; if the target behaviour log matches the (j+1)-th strategy successfully, the second malice score corresponding to the (j+1)-th strategy is obtained; finally the first malice score and the second malice score are added to obtain the target malice score. In this way, the target malice score is calculated by accumulation rather than by directly taking the malice score of a single strategy as the final target malice score, which improves the reasonableness of the scheme and allows the safety of the file to be detected to be assessed more accurately.
Optionally, on the basis of the embodiment corresponding to Fig. 3 above, in a fourth alternative embodiment of the method of file detection provided by the embodiment of the present invention, after the file to be detected is determined to be a virus file, the method may further include:
obtaining the target strategy subset corresponding to the target behaviour log, where the target strategy subset includes the strategies that match the N dynamic behaviours;
determining the target virus type corresponding to the target strategy subset according to a virus classification rule, where the virus classification rule is the correspondence between strategy subsets and virus types.
In this embodiment, how the virus type of the file to be detected is further determined, once the file has been determined to be a virus file, is introduced. Assume there are 100 strategies in the strategy set, of which the target behaviour log has hit 5; these 5 strategies form the target strategy subset. It is understood that the 5 strategies included in the target strategy subset are the strategies that matched the N dynamic behaviours in the target behaviour log successfully. Next, the target virus type corresponding to the target strategy subset is determined according to the virus classification rule, where the virus classification rule is the correspondence between strategy subsets and virus types. For ease of introduction, please refer to Table 1, which is a schematic of the virus classification rule.
Table 1
Virus type | Strategy subset
--- | ---
Trojan horse A | strategy 1, strategy 6, strategy 55, strategy 60, strategy 77, strategy 89 and strategy 93
Trojan horse B | strategy 1, strategy 2 and strategy 3
Trojan horse C | strategy 5, strategy 15, strategy 38, strategy 40, strategy 45, strategy 69 and strategy 73
Trojan horse D | strategy 7 and strategy 8
Trojan horse E | strategy 42, strategy 44, strategy 45, strategy 50 and strategy 84
Trojan horse F | strategy 9, strategy 19 and strategy 22
Trojan horse G | strategy 11, strategy 22, strategy 26, strategy 28, strategy 29, strategy 36 and strategy 42
Trojan horse H | strategy 85 and strategy 86
Trojan horse I | strategy 74, strategy 75, strategy 78 and strategy 91
Assume that the target strategy subset includes strategy 42, strategy 44, strategy 45, strategy 50 and strategy 84; then, according to the virus classification rule, the virus type of the file to be detected can be determined to be Trojan horse E.
Secondly, in the embodiment of the present invention, after the file to be detected is determined to be a virus file, the virus classification can be determined further: the target strategy subset, which consists of the strategies that were hit, is obtained, and the target virus type corresponding to the target strategy subset can be determined according to the virus classification rule. In this way, the type of the virus can also be determined, so that a series of irregular operations can be forbidden according to the virus type, which effectively prevents the virus from replicating in the system and improves the security performance of the system.
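The third and fourth alternative embodiments above cover steps 304 to 311 of Fig. 7: accumulating the malice scores of the hit strategies, comparing the total with the threshold, and classifying the virus from the target strategy subset via Table 1. The following is an added example and not the patent's code. It takes the per-strategy match result of step 212 as a boolean per strategy, so it does not repeat the rule matching; the strategy identifiers follow Table 1, but the malice scores of the constructed strategy set are invented, and the names `Strategy`, `DetectionResult`, `classify` and `detect` are the example's own.

```python
from dataclasses import dataclass
from typing import FrozenSet, Mapping, Optional, Sequence

MALICE_SCORE_THRESHOLD = 100   # the value the text suggests; other values are allowed


@dataclass(frozen=True)
class Strategy:
    """A strategy is a rule group plus a malice score. Only the identifier and the score are
    needed here, because whether the log matched the rule group is the step 212 output."""
    strategy_id: int
    malice_score: int


@dataclass(frozen=True)
class DetectionResult:
    target_malice_score: int
    is_virus: bool
    target_strategy_subset: FrozenSet[int]
    virus_type: Optional[str]


# Table 1 of the text as the virus classification rule: virus type -> strategy subset.
VIRUS_CLASSIFICATION_RULE: Mapping[str, FrozenSet[int]] = {
    "Trojan horse A": frozenset({1, 6, 55, 60, 77, 89, 93}),
    "Trojan horse B": frozenset({1, 2, 3}),
    "Trojan horse C": frozenset({5, 15, 38, 40, 45, 69, 73}),
    "Trojan horse D": frozenset({7, 8}),
    "Trojan horse E": frozenset({42, 44, 45, 50, 84}),
    "Trojan horse F": frozenset({9, 19, 22}),
    "Trojan horse G": frozenset({11, 22, 26, 28, 29, 36, 42}),
    "Trojan horse H": frozenset({85, 86}),
    "Trojan horse I": frozenset({74, 75, 78, 91}),
}


def classify(target_strategy_subset: FrozenSet[int],
             classification_rule: Mapping[str, FrozenSet[int]]) -> Optional[str]:
    """Step 310: the virus type whose strategy subset is exactly the set of hit strategies.
    Table 1 subsets overlap (strategy 45 is under both C and E, strategy 42 under E and G),
    so a superset or partial test would be ambiguous; an unlisted subset yields None."""
    for virus_type, subset in classification_rule.items():
        if subset == target_strategy_subset:
            return virus_type
    return None


def detect(strategies: Sequence[Strategy], match_results: Sequence[bool],
           classification_rule: Mapping[str, FrozenSet[int]] = VIRUS_CLASSIFICATION_RULE,
           threshold: int = MALICE_SCORE_THRESHOLD) -> DetectionResult:
    """Steps 304 to 311 of Fig. 7: accumulate the malice scores of the matched strategies,
    compare the total with the threshold, and classify only when the file is a virus."""
    if len(strategies) != len(match_results):
        raise ValueError("exactly one match result per strategy is required")
    hits = [s for s, matched in zip(strategies, match_results) if matched]
    target_malice_score = sum(s.malice_score for s in hits)           # steps 305 to 307
    target_strategy_subset = frozenset(s.strategy_id for s in hits)
    is_virus = target_malice_score >= threshold                         # step 308
    virus_type = classify(target_strategy_subset, classification_rule) if is_virus else None
    return DetectionResult(target_malice_score, is_virus, target_strategy_subset, virus_type)


# Constructed strategy set: identifiers follow Table 1, the malice scores are invented.
STRATEGY_SET = [
    Strategy(1, 30), Strategy(2, 50), Strategy(42, 30), Strategy(44, 20),
    Strategy(45, 25), Strategy(50, 15), Strategy(84, 20),
]
```

With the invented scores, hitting strategies 42, 44, 45, 50 and 84 accumulates 110, exceeds the threshold and classifies as Trojan horse E; hitting only strategies 1 and 2 accumulates 80 (the two scores of the Fig. 5 example) and stays below the threshold. A hit set that exceeds the threshold but appears in no row of Table 1 is still a virus file, just of undetermined type, which is why `virus_type` is optional.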
Optionally, on the basis of the embodiment corresponding to Fig. 3 above or any one of the first to fourth embodiments corresponding to Fig. 3, in a fifth alternative embodiment of the method of file detection provided by the embodiment of the present invention, before each dynamic behaviour in the target behaviour log is matched against each rule corresponding to each strategy in the strategy set, the method may further include:
receiving a rule group configuration instruction;
generating the correspondence between a rule group and at least one rule according to the strategy configuration instruction, where the rule group belongs to a strategy, and the strategy further includes a malice score;
receiving a classification configuration instruction;
generating the correspondence between a virus type and at least one rule group according to the classification configuration instruction.
In this embodiment, a manner of setting the relationships among rules, rule groups and virus types is introduced. Before virus identification, the matching relationships among rules, rule groups and virus types also need to be configured according to human experience.
Specifically, the user can first configure the relationship between rule groups and rules. From human experience it can be known that deleting file A requires access to API 1, API 2 and API 3, so API 1, API 2 and API 3 can be placed in the same rule group as three rules; the malice score of this rule group is then calculated, forming a strategy. Further, the relationship between virus types and rule groups can also be configured according to human experience, because the rules in at least one rule group often constitute a complete attack. Taking Trojan horse X as an example, the purpose of rule group 1 is to delete file A and the purpose of rule group 2 is to insert plug-in B; the two rule groups together constitute the attack of Trojan horse X. Thus rule group 1 and rule group 2 can be classified as virus type X.
For ease of understanding, please refer to Fig. 8, which is a schematic diagram of a matching relationship among rules, rule groups and virus types in the embodiment of the present invention. As shown, rule groups are used here as the example; in practical applications a rule group can be a strategy, the difference being that a strategy includes a malice score in addition to the rule group. According to the rule group configuration instruction, rule 1 and rule 2 are configured into rule group 1, rule 1, rule 4 and rule 5 into rule group 2, and rule 3 into rule group 3. Rule group 1 and rule group 2 are configured into category 1, that is, they belong to virus type 1; rule group 2 and rule group 3 are configured into category 2, that is, they belong to virus type 2.
Again, in the embodiment of the present invention, before each dynamic behaviour in the target behaviour log is matched against each rule corresponding to each strategy in the strategy set, a strategy configuration instruction can also be received and the correspondence between a strategy and at least one rule generated according to it; at the same time, a classification configuration instruction can also be received and the correspondence between a virus type and at least one strategy generated according to it. In this way, the user can configure the relationships among rules, rule groups and virus types independently, and the configuration can be completed from human experience, improving the practicability and feasibility of the scheme.
Optionally, on the basis of the embodiment corresponding to Fig. 3 above, in a sixth alternative embodiment of the method of file detection provided by the embodiment of the present invention, before each dynamic behaviour in the target behaviour log is matched against each rule corresponding to each strategy in the strategy set, the method may further include:
obtaining a safe sample set and a virus sample set, where the safe sample set includes at least one safe file sample and the virus sample set includes at least one virus file sample;
obtaining a strategy to be scored from the strategy set, where the strategy to be scored includes a target rule group;
calculating a first number of matches according to the target rule group and the safe sample set;
calculating a second number of matches according to the target rule group and the virus sample set;
calculating the malice score of the strategy to be scored according to the first number of matches and the second number of matches.
In this embodiment, how the malice score of a strategy is obtained is introduced, taking one strategy in the strategy set, the strategy to be scored, as the example. Specifically, the sandbox system in the automated training machine continuously processes existing samples of known attributes and saves their dynamic behaviours, forming a dynamic behaviour library. The automated training machine matches every strategy in the strategy set one by one against all sample behaviours in the dynamic behaviour library and calculates a score according to the proportions of safe file samples and virus file samples hit. Here, all safe file samples in the safe sample set are matched against the rules in the strategy to be scored, and the number of successful matches is the first number of matches; all virus file samples in the virus sample set are matched against the rules in the strategy to be scored, and the number of successful matches is the second number of matches. The malice score of the strategy to be scored can then be calculated from the first number of matches and the second number of matches.
Secondly, the embodiment of the present invention provides a manner of determining the malice score of a strategy: a safe sample set and a virus sample set are obtained, the strategy to be scored is obtained from the strategy set, the first number of matches is calculated according to the target rule group and the safe sample set, the second number of matches is calculated according to the target rule group and the virus sample set, and finally the malice score of the strategy to be scored is calculated from the first number of matches and the second number of matches. In this way, the automated training machine can also assign malice scores to the strategies in the strategy set and update the malice scores periodically; matching detection is performed with samples of known attributes against the strategy to be scored, and the hit situation serves as the basis of the score, which improves the reliability and feasibility of the score calculation.
Optionally, on the basis of the sixth embodiment corresponding to Fig. 3 above, in a seventh alternative embodiment of the method of file detection provided by the embodiment of the present invention, calculating the malice score of the strategy to be scored according to the first number of matches and the second number of matches may include:
calculating the malice score of the strategy to be scored in the following way:
Q = (a/X - b/Y) * 100;
where Q indicates the malice score of the strategy to be scored, a indicates the second number of matches, b indicates the first number of matches, X indicates the number of virus file samples in the virus sample set, and Y indicates the number of safe file samples in the safe sample set.
In this embodiment, how the malice score of the strategy to be scored is calculated is introduced. Assume that the virus sample set includes 100 virus file samples and the safe sample set includes 200 safe file samples. The rule group of the strategy to be scored is extracted, and the rules of the strategy to be scored are matched separately against the safe sample set and the virus sample set. Assume that after the rule group of the strategy to be scored is matched against the virus sample set, 60 hit virus file samples are obtained, i.e. the first number of matches is 60. Assume that after the rule group of the strategy to be scored is matched against the safe sample set, 20 hit safe file samples are obtained, i.e. the second number of matches is 20. The malice score of the strategy to be scored is calculated using the following formula:
Q = (a/X - b/Y) * 100;
giving Q = (60/100 - 20/200) * 100 = 50,
that is, the malice score of this strategy to be scored is 50. In practical applications, the ratio of the second number of matches to the safe sample set needs to be reduced as far as possible.
After the malice score is calculated, it is updated into the corresponding strategy set, which completes the self-learning process without human intervention.
Again, in the embodiment of the present invention, the malice score of a strategy can be calculated using the corresponding calculation formula. In this way, an effective and feasible method is provided for calculating the malice score, which in turn improves the feasibility and operability of the scheme.
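The sixth and seventh alternative embodiments above describe scoring a strategy from its hit counts on a virus sample set and a safe sample set with Q = (a/X - b/Y) * 100, and updating the strategy set with the result. The following is an added example, not the patent's code, that reproduces the worked numbers (100 virus samples with 60 hits, 200 safe samples with 20 hits, Q = 50). Because the text labels the two hit counts inconsistently between the formula and the worked example, the code names them by what they count: hits on virus samples (a, over X) and hits on safe samples (b, over Y). To keep the block self-contained, a sample is represented by the set of API names in its behaviour log and a rule group by the set of APIs it requires, a constructed simplification of the rule matching (the text's own example of a rule group is the three APIs needed to delete file A); `malice_score`, `score_strategy` and `rescore_strategy_set` are the example's own names.

```python
from typing import Dict, FrozenSet, Sequence

# Constructed simplification: a sample is the set of API names in its dynamic behaviour log,
# and a rule group is the set of APIs that must all appear for the group to hit the sample.
Sample = FrozenSet[str]
RuleGroup = FrozenSet[str]


def rule_group_hits(rule_group: RuleGroup, sample: Sample) -> bool:
    """Simplified rule-group match: every API in the group occurs in the sample's behaviour."""
    return rule_group <= sample


def malice_score(a: int, X: int, b: int, Y: int) -> float:
    """Q = (a/X - b/Y) * 100 with the page's symbols: a = virus samples hit, X = size of the
    virus sample set, b = safe samples hit, Y = size of the safe sample set."""
    if X <= 0 or Y <= 0:
        raise ValueError("both sample sets must be non-empty")
    if not (0 <= a <= X and 0 <= b <= Y):
        raise ValueError("hit counts cannot exceed the sample set sizes")
    return (a / X - b / Y) * 100


def score_strategy(rule_group: RuleGroup, virus_samples: Sequence[Sample],
                   safe_samples: Sequence[Sample]) -> float:
    """Match the rule group of the strategy to be scored against both sample sets and
    turn the two hit counts into the malice score."""
    a = sum(1 for s in virus_samples if rule_group_hits(rule_group, s))
    b = sum(1 for s in safe_samples if rule_group_hits(rule_group, s))
    return malice_score(a, len(virus_samples), b, len(safe_samples))


def rescore_strategy_set(strategy_rule_groups: Dict[str, RuleGroup],
                         virus_samples: Sequence[Sample],
                         safe_samples: Sequence[Sample]) -> Dict[str, float]:
    """Self-learning step: recompute every strategy's malice score from the current sample
    sets, so that the updated scores can be written back into the strategy set."""
    return {name: score_strategy(group, virus_samples, safe_samples)
            for name, group in strategy_rule_groups.items()}


# Rule group from the text's configuration example: deleting file A needs API 1, API 2, API 3.
DELETE_FILE_A: RuleGroup = frozenset({"API 1", "API 2", "API 3"})

# Constructed sample sets reproducing the worked numbers: 100 virus samples of which 60
# contain the whole rule group, and 200 safe samples of which 20 do.
_FULL: Sample = frozenset({"API 1", "API 2", "API 3", "CreateProcess"})
VIRUS_SAMPLES = [_FULL] * 60 + [frozenset({"API 1", "CreateProcess"})] * 40
SAFE_SAMPLES = [_FULL] * 20 + [frozenset({"API 1", "CreateProcess", "ReadFile"})] * 180
```

A rule group that hits every sample in both sets (here, just "CreateProcess") scores 0, and a group hit mostly by safe samples scores negative; this is the caveat the text gives about keeping the safe-sample hit ratio as low as possible, since such a strategy contributes nothing, or less than nothing, to the accumulated target malice score.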
For ease of understanding the complete technical solution, please refer to Fig. 9, which is a schematic diagram of another embodiment of the method of file detection in the embodiment of the present invention. As shown, steps S2 to S5 can also be performed before step S11, where steps S2 to S5 are mainly the configuration process, in which the relationship between rules and rule groups is configured and the relationship between virus types and rule groups can also be configured. Steps S6 to S10 are mainly the process of setting the malice score. Steps S14 to S15 are mainly the process of determining the virus type.
It should be noted that the detailed process of steps S1 to S15 can be found in each embodiment above and is not repeated here.
The file detection device of the present invention is described in detail below. Please refer to Fig. 10, which is a schematic diagram of an embodiment of the file detection device in the embodiment of the present invention. The file detection device 40 includes:
an obtaining module 401, configured to obtain the target behaviour log of the file to be detected, where the target behaviour log includes N dynamic behaviours, a dynamic behaviour is used to indicate information associated with an operation, and N is an integer greater than or equal to 1;
a matching module 402, configured to match each dynamic behaviour in the target behaviour log obtained by the obtaining module 401 against each rule corresponding to each strategy in the strategy set to obtain a matching result, where the strategy set includes M preconfigured strategies, each strategy corresponds to at least one rule, each strategy corresponds to a malice score, and M is an integer greater than or equal to 1;
a generation module 403, configured to generate the target malice score corresponding to the target behaviour log according to the matching result obtained by the matching module 402;
a determining module 404, configured to determine that the file to be detected is a virus file if the target malice score generated by the generation module 403 reaches the malice score threshold.
In this embodiment, the obtaining module 401 obtains the target behaviour log of the file to be detected, where the target behaviour log includes N dynamic behaviours, a dynamic behaviour is used to indicate information associated with an operation, and N is an integer greater than or equal to 1; the matching module 402 matches each dynamic behaviour in the target behaviour log obtained by the obtaining module 401 against each rule corresponding to each strategy in the strategy set to obtain a matching result, where the strategy set includes M preconfigured strategies, each strategy corresponds to at least one rule, each strategy corresponds to a malice score, and M is an integer greater than or equal to 1; the generation module 403 generates the target malice score corresponding to the target behaviour log according to the matching result obtained by the matching module 402; and if the target malice score generated by the generation module 403 reaches the malice score threshold, the determining module 404 determines that the file to be detected is a virus file.
In the embodiment of the present invention, a file detection device is provided. The file detection device first obtains the target behaviour log of the file to be detected, where the target behaviour log includes N dynamic behaviours and a dynamic behaviour is used to indicate the information associated with executing an operation; it can then match each dynamic behaviour in the target behaviour log against each rule corresponding to each strategy in the strategy set to obtain a matching result, generate the target malice score corresponding to the target behaviour log from the matching result, and, if the target malice score reaches the malice score threshold, determine that the file to be detected is a virus file. In this way, file security detection no longer examines the static features of the file but its dynamic behaviour, so detection is not affected by deformation of virus signatures, has a stronger ability to detect and kill unknown viruses, and reduces the virus false-alarm rate.
Optionally, on the basis of the embodiment corresponding to Fig. 10 above, in another embodiment of the file detection device 40 provided by the embodiment of the present invention, the dynamic behaviour includes at least an operator and an application programming interface (API);
where the operator indicates the object that initiates the operation, and the API indicates the interface function called to execute the operation;
the dynamic behaviour may further include at least one of a process, an operation object and an additional parameter;
where the process indicates the entity that runs the operation, the operation object indicates the object that receives the operation, and the additional parameter indicates a parameter related to the operation;
the matching module 402 is specifically configured to obtain the operator, the API, the process, the operation object and the additional parameter of each dynamic behaviour in the target behaviour log;
obtain the preset operator, preset API, preset process, preset operation object and preset additional parameter of each rule in each strategy;
match the operator of each dynamic behaviour against the preset operator of each rule, match the API of each dynamic behaviour against the preset API of each rule, match the process of each dynamic behaviour against the preset process of each rule, match the operation object of each dynamic behaviour against the preset operation object of each rule, and match the additional parameter of each dynamic behaviour against the preset additional parameter of each rule, to obtain the matching result.
Secondly, the embodiment of the present invention describes the elements that a dynamic behaviour specifically includes: the operator and the API are essential elements, so every dynamic behaviour has an operator and an API, while the process, operation object and additional parameter are optional elements, of which at least one may be present or none at all. In this way, the content related to the operation can be recognized from each dynamic behaviour or each rule; the more complete the elements, the more specific the expressed dynamic behaviour or rule, which improves the feasibility and operability of the operation.
Optionally, on the basis of the embodiment corresponding to Figure 10 above, in another embodiment of the file detection device 40 provided by the embodiment of the present invention,
the matching module 402 is specifically configured to obtain the i-th dynamic behaviour in the target behavior log, where i is an integer greater than or equal to 1 and less than or equal to N;
obtain the k-th rule of the j-th strategy in the strategy set, where j is an integer greater than or equal to 1 and less than or equal to M, and k is an integer greater than or equal to 1;
match the i-th dynamic behaviour with the k-th rule of the j-th strategy;
if the i-th dynamic behaviour matches the k-th rule of the j-th strategy, match the (i+1)-th dynamic behaviour with the (k+1)-th rule of the j-th strategy;
if the i-th dynamic behaviour does not match the k-th rule of the j-th strategy, match the (i+1)-th dynamic behaviour with the k-th rule of the j-th strategy.
Secondly, this embodiment of the present invention describes the concrete way in which every dynamic behaviour in the target behavior log is matched against every rule of every strategy in the strategy set: the i-th dynamic behaviour in the target behavior log and the k-th rule of the j-th strategy in the strategy set are obtained and compared; on a match, the next dynamic behaviour is compared with the next rule, and on a mismatch, the next dynamic behaviour is compared with the same k-th rule of the j-th strategy. In other words, the rules of a strategy are consumed in order, as an ordered subsequence of the behaviour log, and the log is walked once per strategy. In this way the matching between every dynamic behaviour in the target behavior log and every rule in every strategy is completed on a one-by-one basis, which guarantees complete matching and improves the matching success rate and reliability.
Optionally, on the basis of the embodiment corresponding to Figure 10 above, in another embodiment of the file detection device 40 provided by the embodiment of the present invention,
the generation module 403 is specifically configured to obtain the first malice score corresponding to the j-th strategy if the target behavior log matches the j-th strategy;
obtain the second malice score corresponding to the (j+1)-th strategy if the target behavior log matches the (j+1)-th strategy;
and add the first malice score to the second malice score to obtain the target malice score.
Thirdly, this embodiment of the present invention describes how the target malice score corresponding to the target behavior log is generated from the matching result: if the target behavior log matches the j-th strategy, the first malice score of the j-th strategy is obtained; if it also matches the (j+1)-th strategy, the second malice score of the (j+1)-th strategy is obtained; finally the first and second malice scores are added to obtain the target malice score. In this way the target malice score is computed by accumulating the scores of all matched strategies rather than taking the malice score of a single strategy as the final target malice score, which makes the scheme more reasonable and assesses the safety of the file to be detected more accurately.
Optionally, on the basis of the embodiment corresponding to Figure 10 above, in another embodiment of the file detection device 40 provided by the embodiment of the present invention,
the acquisition module 401 is further configured to, after the determining module 404 determines that the file to be detected is a virus file, obtain the target strategy subset corresponding to the target behavior log, where the target strategy subset contains the strategies matched by the N dynamic behaviours;
and determine the target virus type corresponding to the target strategy subset according to the virus classification rule, where the virus classification rule is the correspondence between strategy subsets and virus types.
Secondly, in this embodiment of the present invention, after the file to be detected has been determined to be a virus file, the virus category can be determined further: the target strategy subset, i.e. the set of strategies that were hit, is obtained, and the target virus type corresponding to that subset is determined from the virus classification rule. In this way the type of the virus can also be determined, so that a series of unauthorised operations can be forbidden according to the virus type, which effectively prevents the virus from replicating in the system and improves the security of the system.
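The following is an added worked example, not code from the patent, that puts the preceding four passages together: the five-element representation of a dynamic behaviour and a rule, the in-order walk of a strategy's rules over the behaviour log, the accumulation of per-strategy malice scores against the threshold, and the virus-type lookup from the set of matched strategies. Several details are assumptions because the patent does not state them: a strategy counts as matched only when all of its rules have been consumed in order; a rule that leaves an optional element (process, operation object, additional parameter) unset matches any value of that element; the virus classification rule is a table of required strategy subsets in which the first satisfied entry wins. The log format, the log lines, the rule names, the scores and the threshold are all constructed for illustration.

```python
"""Behaviour-log matching, score accumulation and virus-type lookup.

Added example, not the patent's code. Assumptions (not in the patent): a
strategy is matched when all its rules are consumed in order; an unset
optional element in a rule is a wildcard; the classification rule is a
table of required strategy subsets, first satisfied entry wins. Log format,
log lines, rules, scores and threshold are constructed."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

OPTIONAL_FIELDS = ("process", "target", "extra")


@dataclass(frozen=True)
class Behaviour:
    operator: str                   # mandatory: who initiated the operation
    api: str                        # mandatory: interface function called
    process: Optional[str] = None   # optional: entity running the operation
    target: Optional[str] = None    # optional: operation object
    extra: Optional[str] = None     # optional: additional parameter


@dataclass(frozen=True)
class Rule(Behaviour):
    """Same five elements as a behaviour; unset optional elements are wildcards."""

    def matches(self, b: Behaviour) -> bool:
        if (self.operator, self.api) != (b.operator, b.api):
            return False
        return all(getattr(self, f) is None or getattr(self, f) == getattr(b, f)
                   for f in OPTIONAL_FIELDS)


@dataclass(frozen=True)
class Strategy:
    name: str
    rules: Tuple[Rule, ...]   # the strategy's rule group, in order
    score: int                # the strategy's malice score


def strategy_matches(strategy: Strategy, log: Sequence[Behaviour]) -> bool:
    """The walk from the matching section: compare behaviour i with rule k;
    on a hit advance to (i+1, k+1), on a miss to (i+1, k)."""
    k = 0
    for behaviour in log:
        if k == len(strategy.rules):
            break
        if strategy.rules[k].matches(behaviour):
            k += 1
    return k == len(strategy.rules)


def parse_log(text: str) -> list:
    """Constructed log format: operator|api|process|target|extra per line;
    an empty field means the element is absent."""
    log = []
    for line in text.strip().splitlines():
        fields = [f or None for f in line.split("|")]
        fields += [None] * (5 - len(fields))
        log.append(Behaviour(*fields))
    return log


def detect(log, strategies, threshold, taxonomy):
    """Return (target malice score, is_virus, virus type or None)."""
    hit = frozenset(s.name for s in strategies if strategy_matches(s, log))
    score = sum(s.score for s in strategies if s.name in hit)
    if score < threshold:
        return score, False, None
    vtype = next((t for t, needed in taxonomy.items() if needed <= hit), "unclassified")
    return score, True, vtype


# Constructed log of a hypothetical sample; "self" denotes the file under test.
SAMPLE_LOG = parse_log("""
self|CreateFileW|self|C:\\Users\\u\\Documents\\report.docx|GENERIC_READ
self|WriteFile|self|C:\\Users\\u\\Documents\\report.docx.locked|
self|DeleteFileW|self|C:\\Users\\u\\Documents\\report.docx|
self|RegSetValueExW||HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|
""")
# Same two APIs in the opposite order: the in-order walk must not match them.
BENIGN_LOG = parse_log("""
self|DeleteFileW|self|C:\\Users\\u\\AppData\\Local\\Temp\\old.tmp|
self|WriteFile|self|C:\\Users\\u\\AppData\\Local\\Temp\\new.tmp|
""")

STRATEGIES = (
    Strategy("encrypt_then_delete",
             (Rule("self", "WriteFile"), Rule("self", "DeleteFileW")), 60),
    Strategy("run_key_persistence",
             (Rule("self", "RegSetValueExW",
                   target="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),), 30),
    Strategy("remote_thread_injection",
             (Rule("self", "OpenProcess"), Rule("self", "WriteProcessMemory"),
              Rule("self", "CreateRemoteThread")), 50),
)
TAXONOMY = {"ransomware": {"encrypt_then_delete"},
            "trojan": {"remote_thread_injection"}}
MALICE_THRESHOLD = 80

if __name__ == "__main__":
    print(detect(SAMPLE_LOG, STRATEGIES, MALICE_THRESHOLD, TAXONOMY))   # (90, True, 'ransomware')
    print(detect(BENIGN_LOG, STRATEGIES, MALICE_THRESHOLD, TAXONOMY))   # (0, False, None)
```

The point of the second, benign log is the caveat a practitioner would check first: because the walk never moves the rule pointer backwards, a strategy only fires on the ordered sequence it describes, so a clean program that deletes a temporary file and then writes a new one does not trigger the encrypt-then-delete strategy even though it calls the same two APIs.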
Optionally, on the basis of the embodiment corresponding to Figure 10 above, and referring to Figure 11, in another embodiment of the file detection device 40 provided by the embodiment of the present invention, the file detection device 40 further includes a receiving module 405;
the receiving module 405 is further configured to receive a rule group configuration instruction before the matching module 402 matches every dynamic behaviour in the target behavior log with every rule of every strategy in the strategy set;
the generation module 403 is further configured to generate the correspondence between a rule group and at least one rule according to that configuration instruction received by the receiving module 405, where the rule group belongs to the strategy and the strategy further includes the malice score;
the receiving module 405 is further configured to receive a classification configuration instruction;
the generation module 403 is further configured to generate the correspondence between a virus type and at least one rule group according to the classification configuration instruction received by the receiving module 405.
Thirdly, in this embodiment of the present invention, before every dynamic behaviour in the target behavior log is matched with every rule of every strategy in the strategy set, a strategy configuration instruction can be received and the correspondence between a strategy and at least one rule generated from it; at the same time a classification configuration instruction can be received and the correspondence between a virus type and at least one strategy generated from it. In this way the user can configure the relationships between rules, rule groups and virus types by hand, completing the configuration from expert experience, which improves the practicality and feasibility of the scheme.
Optionally, on the basis of the embodiment corresponding to Figure 10 above, and referring to Figure 12, in another embodiment of the file detection device 40 provided by the embodiment of the present invention, the file detection device 40 further includes a computing module 406;
the acquisition module 401 is further configured to obtain a safe sample set and a virus sample set before the matching module matches every dynamic behaviour in the target behavior log with every rule of every strategy in the strategy set, where the safe sample set contains at least one safe file sample and the virus sample set contains at least one virus file sample;
the acquisition module 401 is further configured to obtain a strategy to be scored from the strategy set, where the strategy to be scored includes a target rule group;
the computing module 406 is configured to calculate a first number of matches according to the target rule group and the safe sample set obtained by the acquisition module 401;
the computing module 406 is further configured to calculate a second number of matches according to the target rule group and the virus sample set;
the computing module 406 is further configured to calculate the malice score of the strategy to be scored according to the first number of matches and the second number of matches.
Secondly, this embodiment of the present invention provides a way of calculating a strategy's malice score: a safe sample set and a virus sample set are obtained, a strategy to be scored is taken from the strategy set, the first number of matches is calculated from the target rule group and the safe sample set, the second number of matches is calculated from the target rule group and the virus sample set, and finally the malice score of the strategy to be scored is calculated from the first and second numbers of matches. In this way an automated training machine can also assign malice scores to the strategies in the strategy set and update them periodically, running match detection between samples of known label and the strategy to be scored and using the hit counts as the basis of the score, which improves the reliability and feasibility of the score calculation.
Optionally, on the basis of the embodiment corresponding to Figure 12 above, in another embodiment of the file detection device 40 provided by the embodiment of the present invention,
the computing module 406 is specifically configured to calculate the malice score of the strategy to be scored as follows:
Q = (a/X - b/Y) * 100;
where Q denotes the malice score of the strategy to be scored, a denotes the second number of matches, b denotes the first number of matches, X denotes the number of virus file samples in the virus sample set, and Y denotes the number of safe file samples in the safe sample set. Q is therefore the rule group's hit rate on the virus samples minus its hit rate on the safe samples, scaled to the range from -100 to 100.
Thirdly, in this embodiment of the present invention, the malice score of a strategy can be calculated with the corresponding formula; this provides an effective and feasible method for computing the malice score, which improves the feasibility and operability of the scheme.
The embodiment of the present invention also provides another file detection device, shown in Figure 13. For ease of description only the parts related to the embodiment of the present invention are shown; for technical details not disclosed here, refer to the method part of the embodiments of the present invention. The file detection device may be any terminal device, including a mobile phone, a tablet computer, a personal digital assistant (PDA), a point-of-sale terminal (POS) or an in-vehicle computer. Taking a mobile phone as the terminal device as an example:
Figure 13 shows a block diagram of part of the structure of a mobile phone related to the terminal device provided by the embodiment of the present invention. Referring to Figure 13, the mobile phone includes components such as a radio frequency (RF) circuit 510, a memory 520, an input unit 530, a display unit 540, a sensor 550, an audio circuit 560, a wireless fidelity (WiFi) module 570, a processor 580 and a power supply 590. Those skilled in the art will understand that the mobile phone structure shown in Figure 13 does not limit the mobile phone, which may include more or fewer components than illustrated, combine certain components, or arrange the components differently.
Each component of the mobile phone is described below with reference to Figure 13:
The RF circuit 510 can be used for receiving and sending signals during the transmission or reception of information or during a call; in particular, after receiving downlink information from a base station it passes it to the processor 580 for processing, and it sends uplink data to the base station. Typically the RF circuit 510 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier (LNA) and a duplexer. The RF circuit 510 can also communicate with the network and other devices by wireless communication, which may use any communication standard or protocol, including but not limited to Global System for Mobile communication (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), e-mail and Short Messaging Service (SMS).
The memory 520 can be used for storing software programs and modules; the processor 580 executes the various functional applications and data processing of the mobile phone by running the software programs and modules stored in the memory 520. The memory 520 may mainly include a program storage area and a data storage area, where the program storage area can store the operating system and the application programs required by at least one function (such as a sound playing function or an image playing function), and the data storage area can store data created according to the use of the mobile phone (such as audio data or a phone book). The memory 520 may include high-speed random access memory and may also include non-volatile memory, for example at least one magnetic disk storage device, a flash memory device or another volatile solid-state storage device.
The input unit 530 can be used for receiving entered numeric or character information and for generating key signal inputs related to user settings and function control of the mobile phone. Specifically, the input unit 530 may include a touch panel 531 and other input devices 532. The touch panel 531, also referred to as a touch screen, collects touch operations by the user on or near it (such as operations performed by the user with a finger, a stylus or any other suitable object or accessory on or near the touch panel 531) and drives the corresponding connected device according to a preset program. Optionally, the touch panel 531 may include two parts, a touch detection device and a touch controller. The touch detection device detects the touch position of the user, detects the signal brought by the touch operation and transmits the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into contact coordinates, sends them to the processor 580, and can receive and execute commands sent by the processor 580. The touch panel 531 may be implemented in various types such as resistive, capacitive, infrared and surface acoustic wave. Besides the touch panel 531, the input unit 530 may also include other input devices 532, which may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys or an on/off key), a trackball, a mouse and a joystick.
The display unit 540 can be used for displaying information entered by the user, information provided to the user, and the various menus of the mobile phone. The display unit 540 may include a display panel 541, which may optionally be configured in the form of a liquid crystal display (LCD), an organic light-emitting diode (OLED) display or the like. Further, the touch panel 531 may cover the display panel 541; when the touch panel 531 detects a touch operation on or near it, it passes it to the processor 580 to determine the type of the touch event, and the processor 580 then provides a corresponding visual output on the display panel 541 according to the type of the touch event. Although in Figure 13 the touch panel 531 and the display panel 541 are two separate components implementing the input and output functions of the mobile phone, in some embodiments the touch panel 531 and the display panel 541 may be integrated to implement the input and output functions of the mobile phone.
The mobile phone may also include at least one sensor 550, such as a light sensor, a motion sensor and other sensors. Specifically, the light sensor may include an ambient light sensor and a proximity sensor, where the ambient light sensor can adjust the brightness of the display panel 541 according to the ambient light, and the proximity sensor can turn off the display panel 541 and/or the backlight when the mobile phone is moved to the ear. As one kind of motion sensor, an accelerometer can detect the magnitude of acceleration in all directions (generally three axes) and the magnitude and direction of gravity when stationary; it can be used for applications that recognise the posture of the mobile phone (such as switching between landscape and portrait, related games, magnetometer posture calibration) and for vibration-recognition functions (such as a pedometer or tapping). Other sensors that may be configured in the mobile phone, such as a gyroscope, a barometer, a hygrometer, a thermometer or an infrared sensor, are not described here.
The audio circuit 560, a loudspeaker 561 and a microphone 562 can provide an audio interface between the user and the mobile phone. The audio circuit 560 can transmit the electrical signal converted from received audio data to the loudspeaker 561, which converts it into a sound signal for output; conversely, the microphone 562 converts a collected sound signal into an electrical signal, which the audio circuit 560 receives and converts into audio data; the audio data is output to the processor 580 for processing and then, for example, sent to another mobile phone through the RF circuit 510, or output to the memory 520 for further processing.
WiFi is a short-range wireless transmission technology; through the WiFi module 570 the mobile phone can help the user send and receive e-mail, browse web pages and access streaming media, providing the user with wireless broadband Internet access. Although Figure 13 shows the WiFi module 570, it is understood that it is not an essential component of the mobile phone and may be omitted as required without changing the essence of the invention.
The processor 580 is the control centre of the mobile phone: it connects all parts of the whole mobile phone through various interfaces and lines, and performs the various functions of the mobile phone and processes data by running or executing the software programs and/or modules stored in the memory 520 and calling the data stored in the memory 520, thereby monitoring the mobile phone as a whole. Optionally, the processor 580 may include one or more processing units; optionally, the processor 580 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, the user interface and the application programs, and the modem processor mainly handles wireless communication. It is understood that the modem processor may also not be integrated into the processor 580.
The mobile phone further includes a power supply 590 (such as a battery) that supplies power to all components; optionally, the power supply may be logically connected to the processor 580 through a power management system, so that functions such as charging, discharging and power consumption management are implemented by the power management system.
Although not shown, the mobile phone may also include a camera, a Bluetooth module and so on, which are not described here.
In the embodiment of the present invention, the processor 580 included in the terminal device further has the following functions:
obtaining the target behavior log of the file to be detected, where the target behavior log contains N dynamic behaviours, a dynamic behaviour represents information associated with an operation, and N is an integer greater than or equal to 1;
matching every dynamic behaviour in the target behavior log with every rule of every strategy in a strategy set to obtain a matching result, where the strategy set contains M preconfigured strategies, each strategy corresponds to at least one rule and to one malice score, and M is an integer greater than or equal to 1;
generating the target malice score corresponding to the target behavior log according to the matching result;
if the target malice score reaches the malice score threshold, determining that the file to be detected is a virus file.
Optionally, the processor 580 is specifically configured to perform the following steps:
obtaining the operator, the API, the process, the operation object and the additional parameter of every dynamic behaviour in the target behavior log;
obtaining the preset operator, preset API, preset process, preset operation object and preset additional parameter of every rule in every strategy;
matching the operator of every dynamic behaviour with the preset operator of every rule, the API of every dynamic behaviour with the preset API of every rule, the process of every dynamic behaviour with the preset process of every rule, the operation object of every dynamic behaviour with the preset operation object of every rule, and the additional parameter of every dynamic behaviour with the preset additional parameter of every rule, to obtain the matching result.
Optionally, the processor 580 is specifically configured to perform the following steps:
obtaining the i-th dynamic behaviour in the target behavior log, where i is an integer greater than or equal to 1 and less than or equal to N;
obtaining the k-th rule of the j-th strategy in the strategy set, where j is an integer greater than or equal to 1 and less than or equal to M, and k is an integer greater than or equal to 1;
matching the i-th dynamic behaviour with the k-th rule of the j-th strategy;
if the i-th dynamic behaviour matches the k-th rule of the j-th strategy, matching the (i+1)-th dynamic behaviour with the (k+1)-th rule of the j-th strategy;
if the i-th dynamic behaviour does not match the k-th rule of the j-th strategy, matching the (i+1)-th dynamic behaviour with the k-th rule of the j-th strategy.
Optionally, the processor 580 is specifically configured to perform the following steps:
if the target behavior log matches the j-th strategy, obtaining the first malice score corresponding to the j-th strategy;
if the target behavior log matches the (j+1)-th strategy, obtaining the second malice score corresponding to the (j+1)-th strategy;
adding the first malice score to the second malice score to obtain the target malice score.
Optionally, the processor 580 is further configured to perform the following steps:
obtaining the target strategy subset corresponding to the target behavior log, where the target strategy subset contains the strategies matched by the N dynamic behaviours;
determining the target virus type corresponding to the target strategy subset according to the virus classification rule, where the virus classification rule is the correspondence between strategy subsets and virus types.
Optionally, the processor 580 is further configured to perform the following steps:
receiving a rule group configuration instruction;
generating the correspondence between a rule group and at least one rule according to that configuration instruction, where the rule group belongs to the strategy and the strategy further includes the malice score;
receiving a classification configuration instruction;
generating the correspondence between a virus type and at least one rule group according to the classification configuration instruction.
Optionally, the processor 580 is further configured to perform the following steps:
obtaining a safe sample set and a virus sample set, where the safe sample set contains at least one safe file sample and the virus sample set contains at least one virus file sample;
obtaining a strategy to be scored from the strategy set, where the strategy to be scored includes a target rule group;
calculating a first number of matches according to the target rule group and the safe sample set;
calculating a second number of matches according to the target rule group and the virus sample set;
calculating the malice score of the strategy to be scored according to the first number of matches and the second number of matches.
Optionally, the processor 580 is specifically configured to perform the following step:
calculating the malice score of the strategy to be scored as follows:
Q = (a/X - b/Y) * 100;
where Q denotes the malice score of the strategy to be scored, a denotes the second number of matches, b denotes the first number of matches, X denotes the number of virus file samples in the virus sample set, and Y denotes the number of safe file samples in the safe sample set.
Figure 14 is a schematic diagram of a server structure provided by an embodiment of the present invention. The server 600 may vary considerably with configuration or performance, and may include one or more central processing units (CPUs) 622 (for example one or more processors), a memory 632, and one or more storage media 630 (for example one or more mass storage devices) storing application programs 642 or data 644. The memory 632 and the storage medium 630 may be transient storage or persistent storage. The program stored in the storage medium 630 may include one or more modules (not shown in the figure), each of which may include a series of instruction operations for the server. Further, the central processing unit 622 may be configured to communicate with the storage medium 630 and execute the series of instruction operations in the storage medium 630 on the server 600.
The server 600 may also include one or more power supplies 626, one or more wired or wireless network interfaces 650, one or more input/output interfaces 658, and/or one or more operating systems 641, such as Windows Server™, Mac OS X™, Unix™, Linux™ or FreeBSD™.
The steps performed by the server in the above embodiments may be based on the server structure shown in Figure 14.
In embodiments of the present invention, CPU 622 included by the server is also with the following functions:
Obtain the goal behavior log of file to be detected, wherein the goal behavior log includes N dynamic behaviour, institute
It is the integer more than or equal to 1 that dynamic behaviour, which is stated, for indicating and operating associated information, the N;
By every dynamic behaviour in the goal behavior log and every rules and regulations corresponding to strategy each in strategy set
It is then matched, obtains matching result, wherein the strategy set includes preconfigured M strategy, and each strategy is right
At least one rule is answered, and every strategy corresponds to a malice score, the M is the integer more than or equal to 1;
According to the matching result generate the goal behavior log corresponding to target malice score;
If the target malice score reaches malice score threshold, it is determined that the file to be detected is virus document.
Optionally, CPU 622 is specifically used for executing following steps:
Obtain the operator, the API of every dynamic behaviour described in the goal behavior log, the process,
The operation object and the additional parameter;
Obtain the predetermined registration operation person, default API, default process, predetermined registration operation of every rule described in each strategy
Object and default additional parameter;
The operator of every dynamic behaviour is matched with the predetermined registration operation person of every rule,
The API of every dynamic behaviour is matched with the default API of every rule, by every dynamic
The process of behavior is matched with the default process of every rule, by the behaviour of every dynamic behaviour
Make object to be matched with the predetermined registration operation object of every rule, by the additional ginseng of every dynamic behaviour
Number is matched with the default additional parameter of every rule, obtains the matching result.
Optionally, CPU 622 is specifically used for executing following steps:
Obtain i-th dynamic behaviour in the goal behavior log, wherein the i is and to be less than more than or equal to 1
Or the integer equal to the N;
Obtain kth rule corresponding to j-th of strategy in the strategy set, wherein the j be greater than or equal to 1, and
Less than or equal to the integer of the M, the k is the integer more than or equal to 1;
I-th dynamic behaviour is matched with kth rule corresponding to j-th of strategy;
It, will be described if kth rule successful match corresponding to i-th dynamic behaviour and j-th of strategy
(i+1) article dynamic behaviour is matched with (k+1) rule corresponding to j-th of strategy;
It, will be described if it fails to match for kth rule corresponding to i-th dynamic behaviour and j-th of strategy
(i+1) article dynamic behaviour is matched with kth rule corresponding to j-th of strategy.
Optionally, CPU 622 is specifically used for executing following steps:
If being obtained corresponding to j-th of strategy in the goal behavior log with j-th of strategy matching success
The first malice score;
If obtaining (j+1) a plan with (j+1) a strategy matching success in the goal behavior log
Slightly the second corresponding malice score;
The first malice score is added with the second malice score, obtains the target malice score.
Optionally, CPU 622 is also used to execute following steps:
Obtain target strategy subclass corresponding to the goal behavior log, wherein the target strategy subclass packet
Include the strategy to match with the N dynamic behaviour;
According to the corresponding target viral type of target strategy subclass described in virus taxis Rule, wherein the disease
Malicious classifying rules is the corresponding relationship between tactful subclass and Virus Type.
Optionally, CPU 622 is further configured to perform the following steps:
receiving a rule group configuration instruction;
generating, according to the strategy configuration instruction, the correspondence between a rule group and at least one rule, where the rule group belongs to a strategy and the strategy further includes the malice score;
receiving a classification configuration instruction;
generating, according to the classification configuration instruction, the correspondence between a virus type and at least one rule group.
Optionally, CPU 622 is further configured to perform the following steps:
obtaining a safe sample set and a virus sample set, where the safe sample set includes at least one safe file sample and the virus sample set includes at least one virus file sample;
obtaining a strategy to be scored from the strategy set, where the strategy to be scored includes a target rule group;
calculating a first number of matches according to the target rule group and the safe sample set;
calculating a second number of matches according to the target rule group and the virus sample set;
calculating the malice score of the strategy to be scored according to the first number of matches and the second number of matches.
Optionally, CPU 622 is specifically configured to perform the following steps:
calculating the malice score of the strategy to be scored as follows:
Q = (a/X - b/Y) * 100;
where Q denotes the malice score of the strategy to be scored, a denotes the second number of matches, b denotes the first number of matches, X denotes the number of virus file samples in the virus sample set, and Y denotes the number of safe file samples in the safe sample set.
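As an added illustrative example that is not part of the patent, the following Python sketch implements the pipeline described above end to end: the ordered walk of the i-th behaviour against the k-th rule of a strategy's rule group, the summing of matched strategies' malice scores against a threshold, the strategy-subset to virus-type lookup, and the Q = (a/X - b/Y) * 100 rating of a rule group against safe and virus sample sets. All behaviour field names, sample logs, strategy names, scores and virus-type labels are constructed for illustration.

```python
# Added example, not the patent's code: behaviour-log matching and scoring as in
# claims 1-8. All field names, sample data, strategies and labels are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Behaviour:
    """One dynamic behaviour: operator, API, process, operation object, parameter."""
    operator: str
    api: str
    process: str
    target: str
    params: str

@dataclass(frozen=True)
class Rule:
    """Preset values a behaviour must carry; None means 'any value'."""
    operator: Optional[str] = None
    api: Optional[str] = None
    process: Optional[str] = None
    target: Optional[str] = None
    params: Optional[str] = None

    def matches(self, b: Behaviour) -> bool:
        pairs = ((self.operator, b.operator), (self.api, b.api), (self.process, b.process),
                 (self.target, b.target), (self.params, b.params))
        return all(want is None or want == got for want, got in pairs)

@dataclass
class Strategy:
    name: str
    rules: List[Rule]   # ordered rule group
    score: float        # malice score of the strategy

def rule_group_matches(log: List[Behaviour], rules: List[Rule]) -> bool:
    """Claim 3: i advances on every behaviour, k only on a hit, so the rules
    must occur in order while unrelated behaviours may be interleaved."""
    k = 0
    for behaviour in log:
        if k < len(rules) and rules[k].matches(behaviour):
            k += 1
    return k == len(rules)

def score_log(log: List[Behaviour], strategies: List[Strategy],
              threshold: float) -> Tuple[float, FrozenSet[str], bool]:
    """Claims 1 and 4: sum the malice scores of every matched strategy and
    compare with the threshold; returns (score, matched names, verdict)."""
    matched = [s for s in strategies if rule_group_matches(log, s.rules)]
    total = sum(s.score for s in matched)
    return total, frozenset(s.name for s in matched), total >= threshold

def classify(matched: FrozenSet[str], taxonomy: Dict[FrozenSet[str], str]) -> Optional[str]:
    """Claim 5: the matched strategy subset selects a virus type, if one is configured."""
    return taxonomy.get(matched)

def rate_rule_group(rules: List[Rule], safe_set: List[List[Behaviour]],
                    virus_set: List[List[Behaviour]]) -> float:
    """Claims 7-8: Q = (a/X - b/Y) * 100, a hits on X virus samples, b hits on
    Y safe samples. A group that fires equally on both sets scores 0."""
    a = sum(1 for log in virus_set if rule_group_matches(log, rules))
    b = sum(1 for log in safe_set if rule_group_matches(log, rules))
    return (a / len(virus_set) - b / len(safe_set)) * 100

# Constructed sample behaviours and strategies (198.51.100.7 is a documentation address).
DROP = Behaviour("sample.exe", "CreateFileW", "sample.exe", "dropped.exe", "WRITE")
AUTORUN = Behaviour("sample.exe", "RegSetValueExW", "sample.exe", "autorun_key", "dropped.exe")
CONNECT = Behaviour("sample.exe", "connect", "dropped.exe", "198.51.100.7:443", "tcp")
READ_DOC = Behaviour("editor.exe", "CreateFileW", "editor.exe", "notes.txt", "READ")
PERSIST = Strategy("persist", [Rule(api="CreateFileW", params="WRITE"), Rule(api="RegSetValueExW")], 60)
BEACON = Strategy("beacon", [Rule(api="connect")], 50)
STRATEGIES = [PERSIST, BEACON]
TAXONOMY = {frozenset({"persist", "beacon"}): "Trojan.Downloader",
            frozenset({"persist"}): "Trojan.Generic"}
MALICIOUS_LOG = [DROP, READ_DOC, AUTORUN, CONNECT]   # rules in order, with noise between
BENIGN_LOG = [READ_DOC, CONNECT]                    # only the beacon group fires
```

Note that `rate_rule_group` returns 0 for the single-rule `beacon` group on the constructed sets because it fires on one safe and one virus sample alike, which is exactly what the Q formula is meant to penalise.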
It is apparent to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system, apparatus and units described above may refer to the corresponding processes in the foregoing method embodiments and are not described again here.
In the several embodiments provided by the present invention, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into units is only one kind of logical functional division, and another division may be used in an actual implementation: for instance, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Further, the mutual coupling, direct coupling or communication connection shown or discussed may be realised through some interfaces, and the indirect coupling or communication connection between apparatuses or units may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The software product is stored in a storage medium and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods of the embodiments of the present invention. The storage medium includes a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium capable of storing program code.
The above embodiments are merely intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, without such modifications or replacements causing the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (11)
1. A file detection method, comprising:
obtaining a target behaviour log of a file to be detected, wherein the target behaviour log comprises N dynamic behaviours, each dynamic behaviour is used to indicate information associated with an operation, and N is an integer greater than or equal to 1;
matching each dynamic behaviour in the target behaviour log against each rule corresponding to each strategy in a strategy set to obtain a matching result, wherein the strategy set comprises M preconfigured strategies, each strategy corresponds to at least one rule, each strategy corresponds to one malice score, and M is an integer greater than or equal to 1;
generating a target malice score corresponding to the target behaviour log according to the matching result;
if the target malice score reaches a malice score threshold, determining that the file to be detected is a virus file.
2. The method according to claim 1, wherein the dynamic behaviour comprises at least an operator and an application programming interface (API);
wherein the operator indicates the object that initiates the operation, and the API indicates the interface function called to perform the operation;
the dynamic behaviour may further comprise at least one of a process, an operation object and an additional parameter;
wherein the process indicates the entity that runs the operation, the operation object indicates the object that receives the operation, and the additional parameter indicates a parameter related to the operation;
the matching each dynamic behaviour in the target behaviour log against each rule corresponding to each strategy in the strategy set to obtain a matching result comprises:
obtaining the operator, the API, the process, the operation object and the additional parameter of each dynamic behaviour in the target behaviour log;
obtaining the preset operator, preset API, preset process, preset operation object and preset additional parameter of each rule in each strategy;
matching the operator of each dynamic behaviour with the preset operator of each rule, matching the API of each dynamic behaviour with the preset API of each rule, matching the process of each dynamic behaviour with the preset process of each rule, matching the operation object of each dynamic behaviour with the preset operation object of each rule, and matching the additional parameter of each dynamic behaviour with the preset additional parameter of each rule, to obtain the matching result.
3. The method according to claim 1, wherein the matching each dynamic behaviour in the target behaviour log against each rule corresponding to each strategy in the strategy set to obtain a matching result comprises:
obtaining the i-th dynamic behaviour in the target behaviour log, wherein i is an integer greater than or equal to 1 and less than or equal to N;
obtaining the k-th rule corresponding to the j-th strategy in the strategy set, wherein j is an integer greater than or equal to 1 and less than or equal to M, and k is an integer greater than or equal to 1;
matching the i-th dynamic behaviour against the k-th rule corresponding to the j-th strategy;
if the i-th dynamic behaviour matches the k-th rule corresponding to the j-th strategy, matching the (i+1)-th dynamic behaviour against the (k+1)-th rule corresponding to the j-th strategy;
if the i-th dynamic behaviour does not match the k-th rule corresponding to the j-th strategy, matching the (i+1)-th dynamic behaviour against the k-th rule corresponding to the j-th strategy.
4. The method according to claim 3, wherein the generating a target malice score corresponding to the target behaviour log according to the matching result comprises:
if the target behaviour log matches the j-th strategy, obtaining the first malice score corresponding to the j-th strategy;
if the target behaviour log matches the (j+1)-th strategy, obtaining the second malice score corresponding to the (j+1)-th strategy;
adding the first malice score to the second malice score to obtain the target malice score.
5. The method according to claim 1, wherein after the determining that the file to be detected is a virus file, the method further comprises:
obtaining a target strategy subset corresponding to the target behaviour log, wherein the target strategy subset comprises the strategies matched by the N dynamic behaviours;
determining a target virus type corresponding to the target strategy subset according to a virus classification rule, wherein the virus classification rule is the correspondence between strategy subsets and virus types.
6. The method according to claim 1, wherein before the matching each dynamic behaviour in the target behaviour log against each rule corresponding to each strategy in the strategy set, the method further comprises:
receiving a rule group configuration instruction;
generating, according to the strategy configuration instruction, the correspondence between a rule group and at least one rule, wherein the rule group belongs to a strategy and the strategy further comprises the malice score;
receiving a classification configuration instruction;
generating, according to the classification configuration instruction, the correspondence between a virus type and at least one rule group.
7. The method according to any one of claims 1 to 6, wherein before the matching each dynamic behaviour in the target behaviour log against each rule corresponding to each strategy in the strategy set, the method further comprises:
obtaining a safe sample set and a virus sample set, wherein the safe sample set comprises at least one safe file sample and the virus sample set comprises at least one virus file sample;
obtaining a strategy to be scored from the strategy set, wherein the strategy to be scored comprises a target rule group;
calculating a first number of matches according to the target rule group and the safe sample set;
calculating a second number of matches according to the target rule group and the virus sample set;
calculating the malice score of the strategy to be scored according to the first number of matches and the second number of matches.
8. The method according to claim 7, wherein the calculating the malice score of the strategy to be scored according to the first number of matches and the second number of matches comprises:
calculating the malice score of the strategy to be scored as follows:
Q = (a/X - b/Y) * 100;
wherein Q denotes the malice score of the strategy to be scored, a denotes the second number of matches, b denotes the first number of matches, X denotes the number of virus file samples in the virus sample set, and Y denotes the number of safe file samples in the safe sample set.
9. A file detection apparatus, comprising:
an obtaining module, configured to obtain a target behaviour log of a file to be detected, wherein the target behaviour log comprises N dynamic behaviours, each dynamic behaviour is used to indicate information associated with an operation, and N is an integer greater than or equal to 1;
a matching module, configured to match each dynamic behaviour in the target behaviour log obtained by the obtaining module against each rule corresponding to each strategy in a strategy set to obtain a matching result, wherein the strategy set comprises M preconfigured strategies, each strategy corresponds to at least one rule, each strategy corresponds to one malice score, and M is an integer greater than or equal to 1;
a generating module, configured to generate a target malice score corresponding to the target behaviour log according to the matching result obtained by the matching module;
a determining module, configured to determine that the file to be detected is a virus file if the target malice score generated by the generating module reaches a malice score threshold.
10. A file detection apparatus, comprising a memory, a transceiver, a processor and a bus system;
wherein the memory is configured to store a program;
the processor is configured to execute the program in the memory, which comprises the following steps:
obtaining a target behaviour log of a file to be detected, wherein the target behaviour log comprises N dynamic behaviours, each dynamic behaviour is used to indicate information associated with an operation, and N is an integer greater than or equal to 1;
matching each dynamic behaviour in the target behaviour log against each rule corresponding to each strategy in a strategy set to obtain a matching result, wherein the strategy set comprises M preconfigured strategies, each strategy corresponds to at least one rule, each strategy corresponds to one malice score, and M is an integer greater than or equal to 1;
generating a target malice score corresponding to the target behaviour log according to the matching result;
if the target malice score reaches a malice score threshold, determining that the file to be detected is a virus file;
the bus system is configured to connect the memory and the processor so that the memory and the processor communicate.
11. A computer-readable storage medium comprising instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811533910.0A CN110399720B (en) | 2018-12-14 | 2018-12-14 | File detection method and related device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110399720A true CN110399720A (en) | 2019-11-01 |
CN110399720B CN110399720B (en) | 2022-12-16 |
Family
ID=68322578
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811533910.0A Active CN110399720B (en) | 2018-12-14 | 2018-12-14 | File detection method and related device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110399720B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103839003A (en) * | 2012-11-22 | 2014-06-04 | 腾讯科技(深圳)有限公司 | Malicious file detection method and device |
US20150135262A1 (en) * | 2012-05-03 | 2015-05-14 | Shine Security Ltd. | Detection and prevention for malicious threats |
CN105809035A (en) * | 2016-03-07 | 2016-07-27 | 南京邮电大学 | Android application real-time behavior based malicious software detection method and system |
CN105989283A (en) * | 2015-02-06 | 2016-10-05 | 阿里巴巴集团控股有限公司 | Method and device for recognizing virus variant |
CN107992751A (en) * | 2017-12-21 | 2018-05-04 | 郑州云海信息技术有限公司 | A kind of real-time threat detection method based on branch's behavior model |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110826069A (en) * | 2019-11-05 | 2020-02-21 | 深信服科技股份有限公司 | Virus processing method, device, equipment and storage medium |
CN110837639A (en) * | 2019-11-08 | 2020-02-25 | 浙江军盾信息科技有限公司 | Active defense method and system for unknown threat |
CN113810242A (en) * | 2020-06-16 | 2021-12-17 | 中盈优创资讯科技有限公司 | System log analysis method and device |
CN112100448A (en) * | 2020-08-07 | 2020-12-18 | 中山大学 | Directed acyclic graph comparison method, module and system based on dynamic programming |
CN112100448B (en) * | 2020-08-07 | 2023-09-26 | 中山大学 | Directed acyclic graph comparison method, module and system based on dynamic programming |
CN112580047B (en) * | 2020-12-23 | 2022-11-04 | 苏州三六零智能安全科技有限公司 | Industrial malicious code marking method, equipment, storage medium and device |
CN112580047A (en) * | 2020-12-23 | 2021-03-30 | 苏州三六零智能安全科技有限公司 | Industrial malicious code marking method, equipment, storage medium and device |
CN113158185A (en) * | 2021-03-05 | 2021-07-23 | 杭州数梦工场科技有限公司 | Safety detection method and device |
CN113158185B (en) * | 2021-03-05 | 2023-04-07 | 杭州数梦工场科技有限公司 | Safety detection method and device |
CN116861430A (en) * | 2023-09-04 | 2023-10-10 | 北京安天网络安全技术有限公司 | Malicious file detection method, device, equipment and medium |
CN116861429A (en) * | 2023-09-04 | 2023-10-10 | 北京安天网络安全技术有限公司 | Malicious detection method, device, equipment and medium based on sample behaviors |
CN116861430B (en) * | 2023-09-04 | 2023-11-17 | 北京安天网络安全技术有限公司 | Malicious file detection method, device, equipment and medium |
CN116861429B (en) * | 2023-09-04 | 2023-12-08 | 北京安天网络安全技术有限公司 | Malicious detection method, device, equipment and medium based on sample behaviors |
Also Published As
Publication number | Publication date |
---|---|
CN110399720B (en) | 2022-12-16 |
Similar Documents
Publication | Title |
---|---|
CN110399720A (en) | A kind of method and relevant apparatus of file detection |
TWI533241B (en) | A method, servers and devices achieve artificial intelligence |
CN103761481A (en) | Method and device for automatically processing malicious code sample |
CN107291317B (en) | The selection method and device of target in a kind of virtual scene |
CN106709346B (en) | Document handling method and device |
CN110738211A (en) | object detection method, related device and equipment |
CN109977859A (en) | A kind of map logo method for distinguishing and relevant apparatus |
CN110995810B (en) | Object identification method based on artificial intelligence and related device |
CN111176977B (en) | Method and device for automatically identifying security vulnerabilities |
CN111222563B (en) | Model training method, data acquisition method and related device |
CN107451477A (en) | A kind of method, relevant apparatus and the system of rogue program detection |
CN109376781A (en) | A kind of training method, image-recognizing method and the relevant apparatus of image recognition model |
CN110781421B (en) | Virtual resource display method and related device |
CN109107159A (en) | A kind of configuration method of application object attributes, device, equipment and medium |
CN116956080A (en) | Data processing method, device and storage medium |
CN115022098A (en) | Artificial intelligence safety target range content recommendation method, device and storage medium |
WO2021223177A1 (en) | Abnormal file detection method and related product |
CN109657469B (en) | Script detection method and device |
CN111803961A (en) | Virtual article recommendation method and related device |
CN115239941B (en) | Countermeasure image generation method, related device and storage medium |
CN109726555B (en) | Virus detection processing method, virus prompting method and related equipment |
CN106685796B (en) | A kind of information identifying method, device and system |
CN115061939A (en) | Data set security test method and device and storage medium |
CN115203194A (en) | Metadata information generation method, related device, equipment and storage medium |
CN110503189A (en) | A kind of data processing method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |