CN110837640A - Malicious file searching and killing method, device, storage medium and device - Google Patents


Info

Publication number
CN110837640A
Authority
CN
China
Prior art keywords
information
malicious file
killing
target
file
Legal status
Granted
Application number
CN201911093272.XA
Other languages
Chinese (zh)
Other versions
CN110837640B (en)
Inventor
范楷朋
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection


Abstract

The invention relates to the technical field of computer security and discloses a malicious file searching and killing method, a malicious file searching and killing device, a storage medium and an apparatus. The method comprises: identifying the information of the file to be searched and killed to obtain the target malicious file information it contains; acquiring the target behavior feature code information in the target malicious file information; performing behavior feature recognition with a preset threat modeling model according to the target behavior feature code information to obtain the behavior feature information of the target malicious file; determining the virus behavior path information of the target malicious file according to the behavior feature information; and searching and killing the target malicious file according to the virus behavior path information. Because removal follows the file's behavior path rather than its hash alone, the virus is searched, killed and defended against in a more layered and comprehensive way.

Description

Malicious file searching and killing method, device, storage medium and device
Technical Field
The invention relates to the technical field of computer security, and in particular to a malicious file searching and killing method, a malicious file searching and killing device, a storage medium and a malicious file searching and killing apparatus.
Background
At present, the local and cloud virus libraries of terminal security software mainly check and kill viruses by Message-Digest Algorithm 5 (MD5) matching: the MD5 of each scanned file is calculated and compared with the blacklisted MD5 values in the virus library, and if a match is found the file is judged malicious and isolated. The drawback is that the terminal security software only learns that the file is malicious, not how it behaves: how it intruded, which auto-start items it created, and whether it has moved laterally. Consequently, after the terminal security software isolates the file, the file may be re-introduced from outside, a remaining auto-start item may regenerate it, and the terminal security software ultimately cannot remove the virus thoroughly.
The above is only for the purpose of assisting understanding of the technical aspects of the present invention, and does not represent an admission that the above is prior art.
Disclosure of Invention
The invention mainly aims to provide a malicious file searching and killing method, a malicious file searching and killing device, a storage medium and a malicious file searching and killing apparatus, so as to solve the technical problem of how to make virus searching and killing more thorough.
In order to achieve the above object, the present invention provides a method for searching and killing a malicious file, which comprises the following steps:
identifying file information to be searched and killed to obtain target malicious file information in the file information to be searched and killed;
acquiring target behavior feature code information in the target malicious file information;
performing behavior feature recognition by adopting a preset threat modeling model according to the target behavior feature code information to obtain behavior feature information of the target malicious file information;
determining virus behavior path information of the target malicious file information according to the behavior feature information;
and searching and killing the target malicious file information according to the virus behavior path information.
Preferably, before identifying the information of the file to be killed to obtain the target malicious file information it contains, the method further includes:
monitoring the access path information of the current file information;
and encoding the current file information according to the access path information by a preset encryption rule, so as to obtain the file information to be checked and killed carrying the target behavior feature code information.
Preferably, the identifying the information of the file to be killed to obtain the information of the target malicious file in the information of the file to be killed includes:
identifying file information to be searched and killed to obtain preset tag code information in the file information to be searched and killed;
judging whether the preset tag code information belongs to a malicious file blacklist or not;
and determining target malicious file information corresponding to the preset tag code information belonging to the malicious file blacklist according to the judgment result.
Preferably, the performing behavior feature recognition by using a preset threat modeling model according to the target behavior feature code information to obtain the behavior feature information of the target malicious file information includes:
obtaining position identification information of the target malicious file information in the preset threat modeling model according to the target behavior feature code information;
performing behavior feature recognition by adopting a preset threat modeling model according to the position identification information to obtain attack vector information and corresponding attack mode information of the target malicious file information;
and taking the attack vector information and the corresponding attack mode information as behavior characteristic information.
Preferably, the searching and killing the target malicious file information according to the virus behavior path information includes:
obtaining attack behavior information according to the virus behavior path information;
and searching and killing the target malicious file information by adopting a corresponding defense strategy according to the attack behavior information.
Preferably, the attack behavior information includes task-creation behavior information;
and the searching and killing of the target malicious file information by a corresponding defense strategy according to the attack behavior information includes:
detecting task plans in a preset task plan table according to the task-creation behavior information;
and searching for task plans carrying preset keywords and deleting them, so as to search and kill the target malicious file information.
Preferably, after the target malicious file information is killed according to the virus behavior path information, the method for killing the malicious file further includes:
acquiring historical behavior feature code information obtained by a preset safety detection program;
performing cluster analysis on the historical behavior feature code information to obtain historical behavior feature code information with relevance;
and optimizing the feature codes of the preset threat modeling model according to the historical behavior feature code information with relevance.
In addition, to achieve the above object, the present invention further provides a searching and killing apparatus including a memory, a processor, and a malicious file searching and killing program that is stored in the memory and runnable on the processor; when the program is executed by the processor, the steps of the malicious file searching and killing method described above are implemented.
In addition, in order to achieve the above object, the present invention further provides a storage medium, on which a malicious file searching and killing program is stored, and when the malicious file searching and killing program is executed by a processor, the steps of the malicious file searching and killing method described above are implemented.
In addition, in order to achieve the above object, the present invention further provides a device for searching and killing a malicious file, including:
the identification module is used for identifying the information of the file to be searched and killed to obtain the information of the target malicious file in the information of the file to be searched and killed;
the acquisition module is used for acquiring target behavior feature code information in the target malicious file information;
the identification module is further used for performing behavior feature identification by adopting a preset threat modeling model according to the target behavior feature code information to obtain behavior feature information of the target malicious file information;
the determining module is used for determining the virus behavior path information of the target malicious file information according to the behavior characteristic information;
and the searching and killing module is used for searching and killing the target malicious file information according to the virus behavior path information.
According to the technical scheme provided by the invention, the target malicious file information is obtained by identifying the file information to be searched and killed; the target behavior feature code information in the target malicious file information is acquired; behavior feature recognition is performed with a preset threat modeling model according to the target behavior feature code information to obtain the behavior feature information of the target malicious file; the virus behavior path information of the target malicious file is determined according to the behavior feature information; and the target malicious file is searched and killed according to the virus behavior path information, so that the virus is searched, killed and defended against in a more layered and comprehensive way.
Drawings
FIG. 1 is a schematic structural diagram of a checking and killing device of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating an embodiment of a method for searching and killing malicious files according to the present invention;
FIG. 3 is a schematic diagram illustrating a behavior path of a file according to an embodiment of the method for searching and killing a malicious file of the present invention;
FIG. 4 is a flowchart illustrating a method for searching and killing malicious files according to another embodiment of the present invention;
FIG. 5 is a flowchart illustrating a method for searching and killing malicious files according to yet another embodiment of the present invention;
FIG. 6 is a block diagram of a malicious file searching and killing apparatus according to an embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a checking and killing device in a hardware operating environment according to an embodiment of the present invention.
As shown in FIG. 1, the searching and killing apparatus may include a processor 1001, such as a Central Processing Unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004 and a memory 1005. The communication bus 1002 enables communication between these components. The user interface 1003 may include a display screen (Display) and optionally a standard wired interface and a wireless interface; in the present invention the wired interface of the user interface 1003 may be a Universal Serial Bus (USB) interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g. a WI-FI interface). The memory 1005 may be a high-speed Random Access Memory (RAM) or a stable non-volatile memory such as disk storage, and may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the configuration shown in FIG. 1 is not intended to be limiting, and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
As shown in FIG. 1, the memory 1005, as a computer storage medium, may contain an operating system, a network communication module, a user interface module and a malicious file searching and killing program.
In the searching and killing apparatus shown in FIG. 1, the network interface 1004 is mainly used to connect to, and exchange data with, a background server; the user interface 1003 is mainly used to connect peripheral equipment; and the processor 1001 calls the malicious file searching and killing program stored in the memory 1005 and executes the malicious file searching and killing method provided by the embodiments of the invention.
Based on the hardware structure, the embodiment of the searching and killing method for the malicious file is provided.
Referring to fig. 2, fig. 2 is a flowchart illustrating an embodiment of a method for searching and killing a malicious file according to the present invention.
In the embodiment of fig. 2, the method for searching and killing the malicious file includes the following steps:
step S10: and identifying the information of the file to be searched and killed to obtain the information of the target malicious file in the information of the file to be searched and killed.
It should be noted that the execution subject of this embodiment is a searching and killing apparatus, but it may also be any other device capable of the same or similar functions.
In this embodiment, a virus scanning instruction is obtained, a preset antivirus engine is called according to it, and the terminal to be checked and killed is scanned by that engine to obtain the target malicious file information. At present the local and cloud virus libraries of terminal security software mainly check and kill viruses by Message-Digest Algorithm 5 (MD5) matching: the MD5 of the scanned file information to be checked and killed is calculated and matched against the blacklisted MD5 values in the virus library, and a successful match identifies the file as malicious. Malicious files may also be identified in other ways.
Step S20: and acquiring target behavior feature code information in the target malicious file information.
It can be understood that the target behavior feature code information is feature code information configured in advance for an accessed file; it carries information about the file, so that the behavior of the target malicious file can be identified and analysed.
In this embodiment, the target behavior feature code information has the following format: X, 298DF81D6D317BAEC14C0E9E19F591F4, where the last 32 characters are the MD5 value of the file, the first 12 fields (X) correspond in sequence to the 12 attack vectors of the ATT&CK model, ":" is the separator, and each X gives the position of the attack mode within that attack vector in the preset threat modeling model as a two-digit hexadecimal value.
Step S30: and performing behavior feature identification by adopting a preset threat modeling model according to the target behavior feature code information to obtain behavior feature information of the target malicious file information.
It should be noted that the preset threat modeling model includes models and knowledge bases of the attack behaviors in each phase of the attack life cycle, and a positional correspondence is established from them, so that the corresponding attack behavior information can be obtained from a position. For example, "02:" in the first field represents the 2nd attack mode of the 1st attack vector, Initial Access, namely Exploit Public-Facing Application (exploiting an application vulnerability), so that the attack behavior is identified.
Step S40: and determining virus behavior path information of the target malicious file information according to the behavior characteristic information.
In this embodiment, the behavior of the target malicious file can be determined from the behavior feature information. For example, if the target behavior feature code information is 02: 18: 0E:03:06:0309: 01: 0A, the attack behaviors looked up in the preset threat modeling model are, in sequence: Web vulnerability attack, service persistence, disabling of security tools, password grabbing, network scanning, vulnerability attack, remote login, common port communication, automatic release, and CPU-consuming mining, which identifies the malicious behavior.
It can be understood that these malicious behaviors can also be extracted automatically in a secure sandbox, or by reverse-analysing the malicious file, giving an overall picture of the malicious behavior. For example, in the file behavior path diagram of FIG. 3, the virus parent first drops a randomly named backdoor; the backdoor accesses the server and registers a service, then downloads a propagation toolkit, which is stored in a specified directory via the cloud server; a new process is obtained, data is released and mining starts through the mining module; the propagation attack module is then released, and through it the propagation component is registered as a service, released and run, and registry keys are modified to close services.
Step S50: and searching and killing the target malicious file information according to the virus behavior path information.
In a specific implementation, the virus killing engine executes the clearing operation that corresponds to each virus behavior: it scans the host for vulnerabilities and patches them; it scans every service in the service list and removes any service whose file path is the path of the virus file; and it repairs the configuration of the security tools, for example by checking whether the registry keys of the host's firewall, Windows Update and Defender are normal and restoring the default values if not. It further checks whether a process reads the memory of lsass.exe, whether a process sends a large number of Transmission Control Protocol (TCP) packets, whether a process attacks outward, whether the current host is trying to log in to other hosts, whether a process communicates on a port commonly used by mining pools, whether the virus process has child processes, and whether the CPU occupancy rate is higher than 50 percent; in each case the offending process (or child process) is terminated and the corresponding files are cleared. Finally, the current virus file and its process are cleared.
In this embodiment, after the virus is cleared, the harm done by the virus can be visualised for the user together with a defense scheme. For example: if the virus intruded through a Web vulnerability, the user is reminded to check the Web application for vulnerabilities; if the virus closed the security tools, the user is reminded to check that the security tools are now in a normal state; if the virus scanned and spread laterally to intranet hosts, the user is reminded to scan and kill the other hosts in the intranet; if the virus grabbed the host password and logged in laterally to other hosts, the user is reminded to change the password; and if the virus mined on the host, the user is reminded to check whether the host system is normal and whether other services were affected. In this way the virus is defended against comprehensively.
According to this scheme, the target malicious file information is obtained by identifying the file information to be searched and killed; the target behavior feature code information in the target malicious file information is acquired; behavior feature recognition is performed with a preset threat modeling model according to the target behavior feature code information to obtain the behavior feature information of the target malicious file; the virus behavior path information of the target malicious file is determined according to the behavior feature information; and the target malicious file is searched and killed according to the virus behavior path information, so that the virus is searched, killed and defended against in a more layered and comprehensive way.
Referring to FIG. 4, which is a flowchart of another embodiment of the malicious file searching and killing method of the present invention, this embodiment is based on the embodiment shown in FIG. 2, and before step S10 the method further includes:
monitoring access path information of current file information; and coding the current file information according to the access path information through a preset encryption rule to obtain the file information to be checked and killed, which carries the target behavior feature code information.
It should be noted that the preset encryption rule marks the 12 attack vectors of the current virus in the following format: X, 298DF81D6D317BAEC14C0E9E19F591F4, where the last 32 characters are the MD5 value of the file, the first 12 fields (X) correspond in sequence to the 12 attack vectors of the ATT&CK model, ":" is the separator, and each X gives the position of the attack mode within the ATT&CK model as a two-digit hexadecimal value. For example, "02:" represents the 2nd attack mode of the 1st attack vector, Initial Access, namely the application vulnerability technique (Exploit Public-Facing Application). Other encryption rules that achieve the same or similar function may also be used; this embodiment does not limit them.
Further, the step S10 includes:
step S101: and identifying the information of the file to be searched and killed to obtain the preset tag code information in the information of the file to be searched and killed.
The preset tag code information is obtained by encoding with MD5; it may also be obtained by other encryption methods, which this embodiment does not limit. Here the MD5 encoding is taken as the example.
Step S102: and judging whether the preset tag code information belongs to a malicious file blacklist or not.
In a specific implementation, the MD5 of the file information to be checked and killed is matched against the last 32 characters (the MD5 value) of each behavior feature code in the virus library, that is, against the malicious file blacklist; if a match is found, the file is malicious.
Step S103: and determining target malicious file information corresponding to the preset tag code information belonging to the malicious file blacklist according to the judgment result.
According to this scheme, the accessed file is pre-processed by the preset encryption mode so that it carries tag information about its access behavior, which makes its access path traceable; the malicious file is identified through the malicious file blacklist, so that path identification need only be performed on the files identified as malicious, improving the efficiency of virus searching and killing.
Referring to FIG. 5, which is a flowchart of a further embodiment of the malicious file searching and killing method of the present invention, proposed on the basis of FIG. 2 or FIG. 4; in this embodiment, based on the embodiment of FIG. 2, step S30 includes:
step S301: and obtaining the position identification information of the target malicious file information in the preset threat modeling model according to the target behavior feature code information.
In this embodiment the BuleHero virus is taken as an example. Its target behavior feature code information is obtained as 02: 18: 0E:03:06:0309: 01: 0A, where ":" is the separator and the position of an attack vector that is not present is left blank; the position identification information of the target malicious file information in the preset threat modeling model is obtained from this code.
Step S302: and performing behavior feature recognition by adopting a preset threat modeling model according to the position identification information to obtain attack vector information and corresponding attack mode information of the target malicious file information.
In a specific implementation, the attack vector information and the corresponding attack mode information are obtained by table lookup in the preset threat modeling model, namely: Exploit Public-Facing Application, New Service, Disabling Security Tools, the credential-access technique (rendered in the source as "generative duration", presumably Credential Dumping), Network Service Scanning, Exploitation of Remote Services, Commonly Used Port and Resource Hijacking.
Step S303: and taking the attack vector information and the corresponding attack mode information as behavior characteristic information.
In this embodiment, the whole attack flow of the virus is thus obtained: Web vulnerability attack -> service persistence -> disabling of security tools -> password capture -> network scanning -> vulnerability attack -> remote login -> common port communication -> automatic release -> CPU-consuming mining, which constitutes the behavior feature information of the target malicious file information.
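The feature code format of step S20, the blacklist match of steps S101 to S103 and the position lookup of steps S301 to S303, as an added example that is not the patent's own code: it parses the 12-slot ATT&CK position code plus MD5, matches a file's MD5 against the last 32 characters of each library entry, and decodes a hit into a behavior path. The tactic order and the lookup table are assumptions; the page only fixes slot Initial Access/02 as Exploit Public-Facing Application, and the sample file and library entry are constructed.

```python
import hashlib
import re

# The 12 ATT&CK Enterprise tactics ("attack vectors"): one two-hex-digit slot
# each, in this order. The order is an assumption; the page only names slot 1.
TACTICS = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Command and Control", "Exfiltration", "Impact",
]

# Constructed stand-in for the "preset threat modeling model":
# (tactic index, technique position) -> technique name. Only Initial Access/02
# comes from the page; the other positions are illustrative assumptions.
MODEL = {
    (0, 0x02): "Exploit Public-Facing Application",
    (2, 0x18): "New Service",
    (4, 0x0E): "Disabling Security Tools",
    (5, 0x03): "Credential Dumping",
    (6, 0x06): "Network Service Scanning",
    (7, 0x03): "Exploitation of Remote Services",
    (9, 0x01): "Commonly Used Port",
    (11, 0x0A): "Resource Hijacking",
}

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
SLOT_RE = re.compile(r"^[0-9a-fA-F]{2}$")

# Constructed sample file and a one-entry virus library whose code ends in its MD5.
SAMPLE = b"constructed sample content standing in for a malicious file"
SAMPLE_MD5 = hashlib.md5(SAMPLE).hexdigest()
VIRUS_LIBRARY = ["02::18::0E:03:06:03::01::0A:" + SAMPLE_MD5]


def parse_feature_code(code):
    """Split 'XX:XX:...:XX:<md5>' into 12 optional positions plus the MD5.

    An empty slot means the tactic is not used by the file. Anything that does
    not match the page's format raises ValueError, so a malformed tag is never
    silently treated as benign.
    """
    parts = code.split(":")
    if len(parts) != len(TACTICS) + 1:
        raise ValueError("expected 12 slots and an MD5, got %d fields" % len(parts))
    md5 = parts[-1].strip().lower()
    if not MD5_RE.match(md5):
        raise ValueError("bad MD5 field: %r" % parts[-1])
    slots = []
    for raw in parts[:-1]:
        raw = raw.strip()
        if raw == "":
            slots.append(None)
        elif SLOT_RE.match(raw):
            slots.append(int(raw, 16))
        else:
            raise ValueError("bad slot value: %r" % raw)
    return slots, md5


def is_valid_code(code):
    """True when the code parses under the page's format."""
    try:
        parse_feature_code(code)
        return True
    except ValueError:
        return False


def is_blacklisted(md5, virus_library):
    """Step S102: compare the file MD5 with the last 32 characters of each library code."""
    md5 = md5.lower()
    return any(parse_feature_code(c)[1] == md5 for c in virus_library)


def behavior_path(slots):
    """Steps S301-S303: map slot positions to the ordered (tactic, technique) path."""
    path = []
    for tactic_idx, pos in enumerate(slots):
        if pos is None:
            continue
        name = MODEL.get((tactic_idx, pos), "unknown technique %02X" % pos)
        path.append((TACTICS[tactic_idx], name))
    return path


def analyse_file(data, virus_library):
    """Hash the file, check the blacklist and, only for a hit, decode its behavior path."""
    md5 = hashlib.md5(data).hexdigest()
    for code in virus_library:
        slots, lib_md5 = parse_feature_code(code)
        if lib_md5 == md5:
            return {"md5": md5, "malicious": True, "path": behavior_path(slots)}
    return {"md5": md5, "malicious": False, "path": []}
```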
Further, the step S50 includes:
and obtaining attack behavior information according to the virus behavior path information.
In this embodiment, behavior features of the current virus such as its intrusion mode, persistence mode and lateral movement can be obtained by analysing the behavior feature code, so that attack behaviors such as disabling of security tools, password capture and network scanning can be investigated and killed in a more layered and comprehensive way.
And searching and killing the target malicious file information by adopting a corresponding defense strategy according to the attack behavior information.
Further, the attack behavior information comprises creating task behavior information; the step S502 includes:
detecting a task plan in a preset task plan table according to the created task behavior information; and searching a task plan carrying preset keywords, and deleting the task plan carrying the preset keywords so as to realize searching and killing of the target malicious file information.
It should be noted that when the attack behavior information includes task-creation behavior information, the target malicious file information may be checked and killed by a preset policy. For example, if the behavior feature code records the behavior of creating a task plan, the task plans are scanned for suspicious entries. The behavior feature code only marks that the virus file creates a task plan; it cannot mark which specific task plan is created, so a heuristic is used to inspect the task plans in the task list: a task plan carrying the virus file name and path, a task plan carrying the powershell.exe string, a task plan carrying the wscript.exe string, and a task plan carrying the cmd.exe string are deleted when detected. Thus, when the attack behavior information includes task-creation behavior information, the preset keywords include the powershell.exe, wscript.exe and cmd.exe strings, and may further include other keyword information.
In this embodiment, because the heuristic is triggered only when a virus file is found during scanning, false positives and false removals are greatly reduced. Detection and removal of the Windows Management Instrumentation (WMI) attack mode proceeds similarly to the virus killing mode described here.
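The task-plan heuristic of step S502, as an added example that is not the patent's code: it runs only once a virus file has been confirmed, and flags scheduled tasks whose action carries the virus file path or name or one of the interpreter keywords the page lists. The task records are constructed inline rather than read from the Windows Task Scheduler, and their layout (task name plus the command it runs) is an assumption.

```python
# Preset keywords from the page; matching is case-insensitive.
INTERPRETER_KEYWORDS = ("powershell.exe", "wscript.exe", "cmd.exe")

# Constructed scheduled-task records (assumed layout). "\\Update" and "\\Sync"
# are the constructed virus persistence tasks; the others stand in for benign ones.
SAMPLE_TASKS = [
    {"name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": "%windir%\\system32\\defrag.exe -c -h -o -$"},
    {"name": "\\Update", "command": "C:\\Windows\\Temp\\svhost.exe"},
    {"name": "\\Sync", "command": "D:\\backup\\svhost.exe /q"},
    {"name": "\\Maintain", "command": "cmd.exe /c echo maintenance"},
    {"name": "\\Backup", "command": "C:\\Tools\\backup.bat"},
]


def _norm(s):
    """Case-fold and unify separators so 'c:/windows' and 'C:\\Windows' compare equal."""
    return s.lower().replace("/", "\\")


def task_plan_findings(tasks, virus_path):
    """Return [(task_name, reason), ...] for the task plans the heuristic would delete.

    virus_path is the path of the file already confirmed malicious by the MD5
    blacklist step. When it is None the heuristic is not run at all: the page's
    point is that these rules fire only after a virus file has actually been
    found, which is what keeps false positives and false removals down.
    """
    if not virus_path:
        return []
    vpath = _norm(virus_path)
    vname = vpath.rsplit("\\", 1)[-1]
    findings = []
    for task in tasks:
        cmd = _norm(task["command"])
        if vpath in cmd:
            findings.append((task["name"], "references virus file path"))
        elif vname in cmd:
            findings.append((task["name"], "references virus file name"))
        else:
            hit = next((kw for kw in INTERPRETER_KEYWORDS if kw in cmd), None)
            if hit:
                findings.append((task["name"], "runs " + hit))
    return findings


def tasks_to_delete(tasks, virus_path):
    """Names of the task plans that would be deleted, in scan order."""
    return [name for name, _ in task_plan_findings(tasks, virus_path)]
```

Hits on the interpreter keywords alone deserve operator review before deletion, since legitimate tasks also call cmd.exe or powershell.exe.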
Further, after the step S50, the method for searching and killing the malicious file further includes:
acquiring historical behavior feature code information obtained by a preset safety detection program; performing cluster analysis on the historical behavior feature code information to obtain historical behavior feature code information with relevance; and optimizing the feature codes of the preset threat modeling model according to the historical behavior feature code information with relevance.
In this embodiment, a large amount of behavior feature codes are subjected to clustering big data analysis through terminal security software, a security cloud computer and the like, malicious files with consistent behavior feature codes are analyzed, the relevance among the behavior feature codes is obtained, and feature code optimization is performed on the preset threat modeling model through the relevance.
According to the scheme provided by this embodiment, the position identification information of the target malicious file information in the preset threat modeling model is obtained from the target behavior feature code information; behavior feature recognition is performed with the preset threat modeling model according to the position identification information to obtain the attack vector information and the corresponding attack mode information of the target malicious file information; and the target malicious file information is searched and killed with the corresponding defense strategy according to the attack behavior information, so that comprehensive virus killing is realized.
In addition, an embodiment of the present invention further provides a storage medium, where a program for searching and killing a malicious file is stored on the storage medium, and when the program for searching and killing a malicious file is executed by a processor, the steps of the terminal network access method described above are implemented.
Since the storage medium adopts all technical solutions of all the embodiments, at least all the beneficial effects brought by the technical solutions of the embodiments are achieved, and no further description is given here.
In addition, referring to fig. 6, an embodiment of the present invention further provides a device for searching and killing a malicious file, where the device for searching and killing a malicious file includes:
the identification module 10 is configured to identify file information to be searched and killed, so as to obtain target malicious file information in the file information to be searched and killed.
It should be noted that the execution subject of this embodiment is a searching and killing device, and may also be another device that can achieve the same or similar functions.
In this embodiment, the local and cloud virus libraries of the terminal security software mainly check and kill viruses by Message-Digest Algorithm 5 (MD5) matching: the MD5 of the file information to be checked and killed is calculated and matched against the blacklisted MD5 values in the virus library, and a successful match indicates that the file is malicious, so the malicious file is identified. Malicious files may also be identified in other manners, which this embodiment does not limit; MD5 identification is used here only as an example.
And the obtaining module 20 is configured to obtain target behavior feature code information in the target malicious file information.
It can be understood that the target behavior feature code information is feature code information configured for an accessed file in advance, and the feature code information carries related information of the file, so that the behavior of the target malicious file information can be identified and analyzed.
In this embodiment, the target behavior feature code information has the following format: X:X:X:X:X:X:X:X:X:X:X:X,298DF81D6D317BAEC14C0E9E19F591F4, where the last 32 characters are the MD5 value of the file, the first 12 fields correspond in order to the 12 attack vectors of the ATT&CK model and are separated by ":", and each X represents the position sequence of the attack mode in the preset threat modeling model, expressed as a two-digit hexadecimal value.
The identification module 10 is further configured to perform behavior feature identification by using a preset threat modeling model according to the target behavior feature code information, so as to obtain behavior feature information of the target malicious file information.
It should be noted that the preset threat modeling model includes a model and knowledge base of the attack behaviors of each stage of the attack life cycle, and a positional correspondence is established from that model and knowledge base, so that the corresponding attack behavior information is obtained from the position. For example, a first field of "02:" represents the 2nd attack mode of the 1st attack vector, Initial Access, namely Exploit Public-Facing Application (an application vulnerability), so the attack behavior is identified.
And the determining module 30 is configured to determine, according to the behavior feature information, virus behavior path information of the target malicious file information.
In this embodiment, the virus behavior path information of the target malicious file may be determined from the behavior feature information. For example, if the target behavior feature code information is 02:18:0E:03:06:0309:01:0A, the attack behaviors corresponding in sequence to the preset threat modeling model framework are:
Web vulnerability attack, service persistence, security tool disabling, password grabbing, network scanning, vulnerability attack, remote login, common port communication, automatic release, and CPU-resource-consuming mining, so that the malicious behaviors are identified.
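A parser for the behavior feature code format described above, as an added Python example that is not part of the patent: it validates the 12 two-digit hex fields and the trailing MD5, maps each non-zero field to its attack vector, and renders the behavior path. The order of the 12 ATT&CK tactics beyond Initial Access, the use of 00 for "no attack mode observed", and the single-entry attack-mode lookup are assumptions; the patent only states the Initial Access position-2 entry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The 12 tactics ("attack vectors") of the ATT&CK Enterprise matrix in the order
# the feature code fields are assumed to follow (the patent states only that
# field 1 is Initial Access).
ATTACK_VECTORS = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Command and Control", "Exfiltration", "Impact",
]

# (attack vector, position) -> attack mode. Only the entry spelled out in the
# patent is filled in; the rest would come from the preset threat modeling
# model's knowledge base.
ATTACK_MODES = {
    ("Initial Access", 2): "Exploit Public-Facing Application",
}

# 12 two-digit hex fields separated by ':', a comma, then a 32-character MD5.
FEATURE_CODE_RE = re.compile(
    r"^((?:[0-9A-Fa-f]{2}:){11}[0-9A-Fa-f]{2}),([0-9A-Fa-f]{32})$"
)


@dataclass
class BehaviorFeature:
    vector: str          # ATT&CK tactic the field belongs to
    position: int        # 1-based position of the attack mode within the tactic
    mode: Optional[str]  # resolved attack mode name, None if not in the lookup


@dataclass
class ParsedFeatureCode:
    md5: str
    features: List[BehaviorFeature]


def parse_feature_code(code: str) -> ParsedFeatureCode:
    """Split a behavior feature code into the file MD5 and per-tactic positions.

    Spaces are tolerated because the patent text renders codes with spaces
    after the separators. A field of 00 is treated as "no attack mode observed
    for this tactic" (assumption, not stated in the patent).
    """
    match = FEATURE_CODE_RE.match(code.replace(" ", ""))
    if not match:
        raise ValueError("malformed behavior feature code: %r" % code)
    fields = match.group(1).split(":")
    md5 = match.group(2).lower()
    features = []
    for vector, hex_field in zip(ATTACK_VECTORS, fields):
        position = int(hex_field, 16)
        if position == 0:
            continue
        features.append(BehaviorFeature(vector, position, ATTACK_MODES.get((vector, position))))
    return ParsedFeatureCode(md5, features)


def behavior_path(parsed: ParsedFeatureCode) -> List[str]:
    """Render the virus behavior path the killing module would act on, in tactic order."""
    return [
        "%s: %s" % (feat.vector, feat.mode or "attack mode #%d" % feat.position)
        for feat in parsed.features
    ]


if __name__ == "__main__":
    # Constructed code; the MD5 is the sample value from the patent text.
    sample = "02:00:18:00:0E:03:06:03:00:01:00:0A,298DF81D6D317BAEC14C0E9E19F591F4"
    for step in behavior_path(parse_feature_code(sample)):
        print(step)
```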
It can be understood that these malicious behaviors may also be extracted automatically using a secure sandbox, or extracted by reverse-analyzing the malicious file, so that the malicious behaviors are analyzed as a whole. For example, in the file behavior path diagram shown in fig. 3, the virus parent first drops (releases) a randomly named backdoor; through that backdoor it accesses the server and registers a service, downloads a propagation toolkit and stores it in a specified directory via the cloud server; it then obtains a new process, drops data and starts mining through a mining module; and it further drops a propagation attack module, through which the propagation component is registered as a service, dropped and run, and the registry is modified to shut down services.
And the searching and killing module 40 is used for searching and killing the target malicious file information according to the virus behavior path information.
In a specific implementation, the virus killing engine executes the corresponding clearing operation according to the virus behavior: it scans the host for vulnerabilities and patches them; it scans each service in the service list and clears any service whose file path is the path of the virus file; it repairs the configuration of the security tools, for example by detecting whether the registry keys of the host firewall, Windows Update and Defender are normal and restoring the default values if not; it detects whether a process reads the memory of lsass.exe and, if so, ends the process and clears the corresponding files; it detects whether a process sends a large number of Transmission Control Protocol (TCP) packets and, if so, ends the process and clears the corresponding files; it detects whether a process attacks outward and, if so, ends the process and clears the corresponding files; it detects whether the current host tries to log in to other hosts and, if so, stops the process; it detects whether a process communicates on a common mining-pool port and, if so, ends the process and clears the corresponding files; it detects whether the virus process has child processes and, if so, ends the child processes and clears the corresponding files; it detects whether the CPU occupancy rate is higher than 50 percent and, if so, ends the child process and clears the corresponding file; and finally it clears the current virus file and the corresponding process.
In this embodiment, after the virus is cleared, the harm done by the virus can be visualized for the user and a defense scheme provided. For example: the virus intruded through a Web vulnerability, so the user is reminded to check whether the Web application has a vulnerability; the security tool was closed by the virus, so the user is reminded to check whether the current state of the security tool is normal; the virus can scan and spread laterally to intranet hosts, so the user is reminded to scan and kill the other hosts in the intranet; the virus can grab the host password and log in to other hosts laterally, so the user is reminded to change the password; the virus mines on the host, so the user is reminded to check whether the current host system is normal and whether other services are affected. In this way, comprehensive virus killing and defense is realized.
According to the scheme, the target malicious file information in the file information to be searched and killed is obtained by identifying the file information to be searched and killed; target behavior feature code information in the target malicious file information is acquired; behavior feature recognition is performed with the preset threat modeling model according to the target behavior feature code information to obtain the behavior feature information of the target malicious file information; virus behavior path information of the target malicious file information is determined according to the behavior feature information; and the target malicious file information is searched and killed according to the virus behavior path information, so that the virus is searched, killed and defended against more comprehensively and from all angles.
The device for searching and killing the malicious file adopts all technical schemes of all the embodiments, so that the device at least has all the beneficial effects brought by the technical schemes of the embodiments, and the details are not repeated.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. do not denote any order, but rather the words first, second, third, etc. are to be interpreted as names.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as a read-only memory, a RAM, a magnetic disk, and an optical disk), and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A method for searching and killing a malicious file is characterized by comprising the following steps:
identifying file information to be searched and killed to obtain target malicious file information in the file information to be searched and killed;
acquiring target behavior feature code information in the target malicious file information;
performing behavior feature recognition by adopting a preset threat modeling model according to the target behavior feature code information to obtain behavior feature information of the target malicious file information;
determining virus behavior path information of the target malicious file information according to the behavior feature information;
and searching and killing the target malicious file information according to the virus behavior path information.
2. The method for searching and killing the malicious file according to claim 1, wherein before the information of the file to be searched and killed is identified and the target malicious file information in the information of the file to be searched and killed is obtained, the method further comprises:
monitoring access path information of current file information;
and coding the current file information according to the access path information through a preset encryption rule to obtain the file information to be checked and killed, which carries the target behavior feature code information.
3. The method for searching and killing the malicious file according to claim 1, wherein the identifying the information of the file to be searched and killed to obtain the information of the target malicious file in the information of the file to be searched and killed comprises:
identifying file information to be searched and killed to obtain preset tag code information in the file information to be searched and killed;
judging whether the preset tag code information belongs to a malicious file blacklist or not;
and determining target malicious file information corresponding to the preset tag code information belonging to the malicious file blacklist according to the judgment result.
4. The method for searching and killing the malicious file according to any one of claims 1 to 3, wherein the performing behavior feature recognition by using a preset threat modeling model according to the target behavior feature code information to obtain the behavior feature information of the target malicious file information comprises:
obtaining position identification information of the target malicious file information in the preset threat modeling model according to the target behavior feature code information;
performing behavior feature recognition by adopting a preset threat modeling model according to the position identification information to obtain attack vector information and corresponding attack mode information of the target malicious file information;
and taking the attack vector information and the corresponding attack mode information as behavior characteristic information.
5. The method for searching and killing the malicious file according to any one of claims 1 to 3, wherein the searching and killing the target malicious file information according to the virus behavior path information comprises:
obtaining attack behavior information according to the virus behavior path information;
and searching and killing the target malicious file information by adopting a corresponding defense strategy according to the attack behavior information.
6. The method for killing the malicious file according to claim 5, wherein the attack behavior information includes creating task behavior information;
the searching and killing of the target malicious file information by adopting a corresponding defense strategy according to the attack behavior information comprises the following steps:
detecting a task plan in a preset task plan table according to the created task behavior information;
and searching a task plan carrying preset keywords, and deleting the task plan carrying the preset keywords so as to realize searching and killing of the target malicious file information.
7. The method for searching and killing the malicious file according to any one of claims 1 to 3, wherein after the target malicious file information is searched and killed according to the virus behavior path information, the method for searching and killing the malicious file further comprises:
acquiring historical behavior feature code information obtained by a preset safety detection program;
performing cluster analysis on the historical behavior feature code information to obtain historical behavior feature code information with relevance;
and optimizing the feature codes of the preset threat modeling model according to the historical behavior feature code information with relevance.
8. A killing apparatus, comprising: memory, a processor and a program for searching and killing a malicious file stored on the memory and capable of running on the processor, the program for searching and killing a malicious file implementing the steps of the method for searching and killing a malicious file according to any one of claims 1 to 7 when executed by the processor.
9. A storage medium having stored thereon a program for killing a malicious file, the program for killing a malicious file, when executed by a processor, implementing the steps of the method for killing a malicious file according to any one of claims 1 to 7.
10. The device for searching and killing the malicious file is characterized by comprising the following components:
the identification module is used for identifying the information of the file to be searched and killed to obtain the information of the target malicious file in the information of the file to be searched and killed;
the acquisition module is used for acquiring target behavior feature code information in the target malicious file information;
the identification module is further used for performing behavior feature identification by adopting a preset threat modeling model according to the target behavior feature code information to obtain behavior feature information of the target malicious file information;
the determining module is used for determining the virus behavior path information of the target malicious file information according to the behavior characteristic information;
and the searching and killing module is used for searching and killing the target malicious file information according to the virus behavior path information.
CN201911093272.XA 2019-11-08 2019-11-08 Malicious file searching and killing method, device, storage medium and device Active CN110837640B (en)

Publications (2)

Publication Number Publication Date
CN110837640A true CN110837640A (en) 2020-02-25
CN110837640B CN110837640B (en) 2022-02-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant