Disclosure of Invention
The embodiments of the invention provide a vector level detection rule generation method, a vector level detection rule generation device, an electronic device and a storage medium, which solve the problem that the prior art cannot respond rapidly to malicious events.
To address the above problem, a vector level detection rule generation method provided in an embodiment of the present invention includes:
monitoring the operation of the client; if suspicious behavior is monitored, performing vector extraction on the suspicious behavior in combination with the current scene information, performing automatic analysis, and generating a detection rule; sending, by the client, the detection rule to a server, and evaluating, by the server, the detection rule; and if the detection rule passes the evaluation, informing the client, and detecting, by the client, the suspicious behavior according to the detection rule.
Further, the content of the vector extraction includes: character strings specific to APT organizations, IP addresses and domain names, and behavior information and file structure information obtained through static analysis and dynamic analysis.
Further, the server side also comprises a rule base, and the rule base is used for storing the detection rules sent by the client side;
the server side evaluating the detection rule specifically comprises: if the received detection rule already exists in the rule base, directly notifying the client; and if the received detection rule does not exist in the rule base, testing the detection rule against the whitelist sample library, and if the test is passed, judging that the detection rule is effective.
Further, if the received detection rule does not exist in the rule base and is finally judged to be valid, recording the detection rule into the rule base;
and the server side collects safe samples and continuously updates the whitelist sample library.
An embodiment of the invention provides a vector level detection rule generation device, which comprises:
a server and a client, wherein the server and the client establish a data connection through a data transmission management unit and a data transmission unit; the server side comprises an evaluation unit, and the client side comprises a detection engine, an extraction analysis unit, a detection rule generation unit and a detection unit; the detection engine is used for monitoring the operation of the client; the extraction analysis unit is used for, if suspicious behavior is monitored, performing vector extraction on the suspicious behavior in combination with the current scene information and performing automatic analysis; the detection rule generation unit is used for generating a detection rule; the detection unit is used for detecting the suspicious behavior according to the detection rule if the detection rule passes the evaluation; and the evaluation unit is used for evaluating the detection rule sent by the client to the server.
Further, the content of the vector extraction includes: character strings specific to APT organizations, IP addresses and domain names, and behavior information and file structure information obtained through static analysis and dynamic analysis.
Further, the server side also comprises a rule base, and the rule base is used for storing the detection rules sent by the client side;
the server side evaluating the detection rule specifically comprises: if the received detection rule already exists in the rule base, directly notifying the client; and if the received detection rule does not exist in the rule base, testing the detection rule against the whitelist sample library, and if the test is passed, judging that the detection rule is effective.
Further, if the received detection rule does not exist in the rule base and is finally judged to be valid, recording the detection rule into the rule base;
and the server side collects safe samples and continuously updates the whitelist sample library.
An embodiment of the invention also discloses a vector level detection rule generation electronic device, which comprises: a shell, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged in a space enclosed by the shell, and the processor and the memory are arranged on the circuit board; the power supply circuit is used for supplying power to each circuit or device of the electronic device; the memory is used for storing executable program code; and the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to execute any one of the aforementioned vector level detection rule generation methods.
An embodiment of the present invention provides a computer-readable storage medium, which is characterized in that the computer-readable storage medium stores one or more programs, and the one or more programs are executable by one or more processors to implement any of the aforementioned vector level detection rule generation methods.
Compared with the prior art, the vector level detection rule generation method, the vector level detection rule generation device, the electronic device and the storage medium provided by the embodiments of the invention achieve at least the following beneficial effects: the operation of the client is monitored; if suspicious behavior is monitored, vector extraction is performed on the suspicious behavior in combination with the current scene information, automatic analysis is performed, and a detection rule is generated; the client sends the detection rule to a server, and the server evaluates the detection rule; and if the detection rule passes the evaluation, the client is informed and detects the suspicious behavior according to the detection rule. The embodiments of the invention require no manual intervention, the whole process is automated, and a timely response to malicious behavior is achieved, thereby preventing the malicious behavior from spreading further.
Detailed Description
In the field of malicious software analysis, because security software is a resource that is easy to obtain, an attacker can modify malicious code specifically against the security software so as to attack it more easily, and a security vendor finds this difficult to defend against. In the traditional approach, manual intervention is performed after malicious behavior is found, but manual intervention takes a long time: by the time the manual analysis has been summarized into a detection method and the samples can be detected, the malicious behavior has already broken out in the network. Yet often a few simple character strings, and the program logic code that follows a section of compiler framework code, are entirely sufficient to detect the malicious behavior.
Based on this, the following describes specific embodiments of a vector level detection rule generation method, device, electronic device, and storage medium according to embodiments of the present invention with reference to the accompanying drawings.
The vector level detection rule generation method provided by the embodiment of the invention, as shown in fig. 1, specifically comprises the following steps:
S101, a detection engine monitors the operation of a client;
S102, if suspicious behavior is monitored, vector extraction is performed on the suspicious behavior in combination with the current scene information, automatic analysis is performed, and a detection rule is generated;
vector extraction refers to obtaining the various valuable items of information in a sample; the content of vector extraction includes: character strings specific to the APT organization (mutex names, PDB paths, special component names, etc.), IP addresses and domain names, behavior information obtained by static analysis and dynamic analysis, file structure information, and so on.
S103, the client sends the detection rule to a server, and the server evaluates the detection rule;
this specifically comprises: if the received detection rule already exists in the rule base, the client is notified directly; and if the received detection rule does not exist in the rule base, the detection rule is tested against the whitelist sample library, and if the test is passed, the detection rule is judged to be effective.
S104, if the detection rule passes the evaluation, the client is informed and detects the suspicious behavior according to the detection rule;
the detection rule comprises: a hash of the malicious behavior, a character string in the malicious behavior (e.g., wanancryv2019), the binary of the program logic code following the compiler framework code, and the like.
The embodiment of the invention requires no manual intervention, the whole process is automated, and a timely response to malicious behavior is achieved, thereby preventing the malicious behavior from spreading further.
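As an added worked example (not part of the patent and not the applicant's code), the following Python script performs the static side of the vector extraction of step S102 on a constructed sample and turns the result into candidate detection rules tagged with scene information, ready to be sent to the server in step S103. The sample bytes, the PDB path, the mutex name, the IP address, the domain and the scene fields (process, parent) are all invented for illustration, and the function and class names are this example's own; the behavior information from dynamic analysis mentioned in the text is not modelled.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample standing in for a suspicious file observed on the client.
# Every embedded value is invented for illustration: the PDB path and mutex
# name are made up, the IP is from the RFC 5737 documentation range and the
# domain is under the reserved example.com.
SAMPLE_BYTES = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"C:\\Users\\dev\\proj\\Release\\agent.pdb\x00"
    + b"Global\\Mutex_agent_7f3a\x00"
    + b"http://192.0.2.10/gate.php\x00"
    + b"update.example.com\x00"
    + b"\x00" * 8
)

# Runs of printable ASCII at least 6 bytes long, a strings(1)-style pass.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")
IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
DOMAIN = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)


@dataclass
class Vectors:
    """Vectors pulled from one sample: its hash plus the string categories of step S102."""
    sha256: str
    pdb_paths: list = field(default_factory=list)
    mutexes: list = field(default_factory=list)
    ips: list = field(default_factory=list)
    domains: list = field(default_factory=list)


def _valid_ipv4(text: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in text.split("."))


def _host_tokens(s: str) -> list:
    # For a URL keep only the host part; otherwise consider each whitespace token.
    if "://" in s:
        return [s.split("://", 1)[1].split("/", 1)[0]]
    return s.split()


def extract_vectors(blob: bytes) -> Vectors:
    """Static pass over the sample bytes: hash, PDB paths, mutex names, IPs and domains."""
    v = Vectors(sha256=hashlib.sha256(blob).hexdigest())
    for raw in PRINTABLE_RUN.findall(blob):
        s = raw.decode("ascii")
        if s.lower().endswith(".pdb"):
            v.pdb_paths.append(s)
        elif s.startswith(("Global\\", "Local\\")):
            v.mutexes.append(s)
        else:
            for tok in _host_tokens(s):
                if IPV4.fullmatch(tok) and _valid_ipv4(tok):
                    v.ips.append(tok)
                elif DOMAIN.fullmatch(tok):
                    v.domains.append(tok)
    return v


def generate_rules(v: Vectors, scene: dict) -> list:
    """Turn each extracted vector into a candidate detection rule, tagged with the
    current scene information (hypothetical process name and parent) for the server."""
    rules = [{"kind": "hash", "value": v.sha256, "scene": scene}]
    for kind, values in (("pdb_path", v.pdb_paths), ("mutex", v.mutexes),
                         ("ip", v.ips), ("domain", v.domains)):
        rules.extend({"kind": kind, "value": val, "scene": scene} for val in values)
    return rules


if __name__ == "__main__":
    scene = {"process": "agent.exe", "parent": "winword.exe"}  # constructed scene info
    for rule in generate_rules(extract_vectors(SAMPLE_BYTES), scene):
        print(rule["kind"], rule["value"])
```

The URL is reduced to its host before matching so that a path component such as gate.php is not mistaken for a domain; each category is kept separate because the server evaluates and stores rules by type, and a rule built from a mutex name or PDB path is far more specific than one built from a common string.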
As shown in fig. 2, a further vector level detection rule generation method provided in the embodiment of the present invention specifically comprises the following steps:
S201, a detection engine monitors the operation of a client;
S202, if suspicious behavior is monitored, vector extraction is performed on the suspicious behavior in combination with the current scene information, automatic analysis is performed, and a detection rule is generated;
S203, the client sends the detection rule to the server, and the server compares the received detection rule with the detection rules in the rule base; if the detection rule exists in the rule base, step S204 is executed; if not, step S205 is executed;
S204, the server side informs the client side, the client side detects suspicious behavior according to the detection rule, and then step S207 is executed;
if the received detection rule does not exist in the rule base and is finally judged to be valid, the detection rule is recorded into the rule base; and the server side collects safe samples and continuously updates the whitelist sample library.
S205, the detection rule is tested against the whitelist sample library; if the detection rule does not match any sample in the whitelist, indicating that the detection rule essentially produces no false alarms, the test is passed, the detection rule is judged to be effective, and step S204 is executed; if the detection rule matches a sample in the whitelist, indicating that the detection rule produces false alarms, the test is not passed, and step S206 is executed;
S206, the server side informs the client side that the detection rule failed the evaluation, and the client side does not execute that detection rule.
S207, the suspicious behavior and the corresponding detection rule are sent to manual analysis, detailed vector characteristics are further extracted, and a more effective detection rule is generated;
and the refined detection rules obtained after manual analysis are stored in the rule base.
According to the embodiment of the invention, no manual intervention is needed, the whole process is automated, and a timely response to malicious behavior is achieved, so that the malicious behavior is prevented from spreading further; the server side continuously updates the whitelist to reduce false alarms of the detection rules; and manual analysis is introduced afterwards, so that the corresponding detection rules can be further improved.
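As an added worked example (not part of the patent and not the applicant's code), the following Python script models the server-side evaluation of steps S203 to S206 and the client's handling of the verdict: a rule base, a whitelist sample library, the three outcomes (rule already in the rule base, rule valid and recorded, rule rejected because it fires on a safe sample) and a client that only activates accepted rules. The rule kinds follow step S104 (hash, character string, binary code fragment); the whitelist samples and the suspicious sample are constructed test data (the string wanancryv2019 is the one quoted in the text), and the class and method names are this example's own.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    kind: str   # "hash", "string" or "code" (binary fragment), the rule types of step S104
    value: str  # hex digest for "hash", text for "string", hex-encoded bytes for "code"


def rule_matches(rule: Rule, sample: bytes) -> bool:
    """Apply one detection rule to one sample's bytes."""
    if rule.kind == "hash":
        return hashlib.sha256(sample).hexdigest() == rule.value
    if rule.kind == "string":
        return rule.value.encode("utf-8") in sample
    if rule.kind == "code":
        return bytes.fromhex(rule.value) in sample
    raise ValueError(f"unknown rule kind: {rule.kind}")


# Constructed whitelist sample library: two benign files containing strings that
# an over-broad rule might pick up. All contents are invented for illustration.
WHITELIST_SAMPLES = [
    b"MZ" + b"\x00" * 8 + b"Microsoft Visual C++ Runtime\x00C:\\Windows\\System32\\kernel32.dll\x00",
    b"MZ" + b"\x00" * 8 + b"Global\\CommonUpdaterMutex\x00https://update.example.com\x00",
]

# Constructed suspicious sample that shares the kernel32.dll string with benign files.
SUSPICIOUS_SAMPLE = (
    b"MZ" + b"\x00" * 8
    + b"Global\\Mutex_agent_7f3a\x00wanancryv2019\x00kernel32.dll\x00"
)


class Server:
    """Server side: rule base (003) plus whitelist sample library (004)."""

    def __init__(self, whitelist_samples):
        self.rule_base = set()
        self.whitelist = list(whitelist_samples)

    def add_whitelist_sample(self, sample: bytes) -> None:
        # Continuous update of the whitelist with newly collected safe samples.
        self.whitelist.append(sample)

    def evaluate(self, rule: Rule) -> str:
        """Steps S203 to S206: 'exists' (already in the rule base), 'valid'
        (no whitelist hit, now recorded) or 'rejected' (false alarm on a safe sample)."""
        if rule in self.rule_base:
            return "exists"
        if any(rule_matches(rule, sample) for sample in self.whitelist):
            return "rejected"
        self.rule_base.add(rule)
        return "valid"


class Client:
    """Client side: submits generated rules and only runs those the server accepted."""

    def __init__(self, server: Server):
        self.server = server
        self.active_rules = []

    def submit(self, rule: Rule) -> str:
        verdict = self.server.evaluate(rule)
        if verdict != "rejected" and rule not in self.active_rules:
            self.active_rules.append(rule)
        return verdict

    def detect(self, sample: bytes) -> list:
        return [r for r in self.active_rules if rule_matches(r, sample)]


if __name__ == "__main__":
    server = Server(WHITELIST_SAMPLES)
    client = Client(server)
    for rule in (Rule("string", "wanancryv2019"),
                 Rule("string", "kernel32.dll"),
                 Rule("code", "4d5a"),
                 Rule("hash", hashlib.sha256(SUSPICIOUS_SAMPLE).hexdigest())):
        print(rule.kind, rule.value[:20], "->", client.submit(rule))
    print("matched:", client.detect(SUSPICIOUS_SAMPLE))
```

The whitelist test is the control that keeps automatic rule generation from becoming a self-inflicted denial of service: a rule as broad as the two-byte MZ header (code fragment 4d5a) or the kernel32.dll string is rejected because it matches benign files, whereas the malware-specific string and the sample hash pass. Growing the whitelist over time, as the text describes, tightens this check for every later submission.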
An embodiment of the present invention further provides a vector level detection rule generation apparatus, as shown in fig. 3, comprising:
a server terminal 00 and a client terminal 01, wherein the server terminal and the client terminal establish a data connection through a data transmission management unit 001 and a data transmission unit 011; the server comprises an evaluation unit 002, and the client comprises a detection engine 012, an extraction analysis unit 013, a detection rule generation unit 014 and a detection unit 015; the detection engine is used for monitoring the operation of the client; the extraction analysis unit is used for, if suspicious behavior is monitored, performing vector extraction on the suspicious behavior in combination with the current scene information and performing automatic analysis; the detection rule generation unit is used for generating a detection rule; the detection unit is used for detecting the suspicious behavior according to the detection rule if the detection rule passes the evaluation; and the evaluation unit is used for evaluating the detection rule sent by the client to the server.
Further, the content of the vector extraction includes: character strings specific to APT organizations, IP addresses and domain names, and behavior information and file structure information obtained through static analysis and dynamic analysis.
Further, the server further includes a rule base 003, where the rule base is used to store the detection rules sent by the client;
the server side evaluating the detection rule specifically comprises: if the received detection rule already exists in the rule base, directly notifying the client; and if the received detection rule does not exist in the rule base, testing the detection rule against the whitelist sample library, and if the test is passed, judging that the detection rule is effective.
Further, if the received detection rule does not exist in the rule base and is finally judged to be valid, recording the detection rule into the rule base;
and the server side collects safe samples and continuously updates the whitelist sample library 004.
An embodiment of the present invention further provides an electronic device. Fig. 4 is a schematic structural diagram of an embodiment of the electronic device of the present invention, which can implement the flows of the embodiments shown in fig. 1-2. As shown in fig. 4, the electronic device may comprise: a shell 41, a processor 42, a memory 43, a circuit board 44 and a power supply circuit 45, wherein the circuit board 44 is arranged inside a space enclosed by the shell 41, and the processor 42 and the memory 43 are arranged on the circuit board 44; the power supply circuit 45 is used for supplying power to each circuit or device of the electronic device; the memory 43 is used for storing executable program code; and the processor 42 runs a program corresponding to the executable program code by reading the executable program code stored in the memory 43, so as to execute the vector level detection rule generation method according to any of the foregoing embodiments.
The specific execution process of the above steps by the processor 42 and the steps further executed by the processor 42 by running the executable program code may refer to the description of the embodiment shown in fig. 1-2 of the present invention, and are not described herein again.
The electronic device exists in a variety of forms, including but not limited to:
(1) A mobile communication device: such devices are characterized by mobile communication capabilities and are primarily aimed at providing voice and data communication. Such terminals include: smart phones (e.g., iPhones), multimedia phones, feature phones, and low-end phones, among others.
(2) An ultra mobile personal computer device: such devices belong to the category of personal computers, have computing and processing functions and generally also have mobile internet access. Such terminals include: PDA, MID and UMPC devices, etc., such as iPads.
(3) A portable entertainment device: such devices can display and play multimedia content. This type of device comprises: audio and video players (e.g., iPods), handheld game consoles, electronic books, smart toys and portable car navigation devices.
(4) A server: the device for providing the computing service comprises a processor, a hard disk, a memory, a system bus and the like, and the server is similar to a general computer architecture, but has higher requirements on processing capacity, stability, reliability, safety, expandability, manageability and the like because of the need of providing high-reliability service.
(5) And other electronic equipment with data interaction function.
An embodiment of the present invention also provides a computer-readable storage medium, wherein the computer-readable storage medium stores one or more programs, and the one or more programs are executable by one or more processors to implement the aforementioned vector level detection rule generation method.
It is noted that, herein, relational terms such as first and second, and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. An element defined by the phrase "comprising a ..." does not, without further limitation, exclude the presence of additional identical elements in the process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments.
In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
For convenience of description, the above devices are described separately in terms of functional division into various units/modules. Of course, the functionality of the units/modules may be implemented in one or more software and/or hardware implementations of the invention.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.