CN111027071B - Threat program full-behavior association analysis method and device - Google Patents

Info

Publication number
CN111027071B
Authority
CN
China
Legal status
Active
Application number
CN201911316671.8A
Other languages
Chinese (zh)
Other versions
CN111027071A
Inventor
高富超
徐翰隆
肖新光
Current Assignee
Beijing Antiy Network Technology Co Ltd
Original Assignee
Beijing Antiy Network Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

The embodiment of the invention discloses a threat program full-behavior association analysis method and device, which relate to the technical field of endpoint security defense and can construct the full behavior chain of a threat program. The method comprises the following steps: if the current device discovers a threat program, extracting preset item values of the threat program; constructing a matching factor calculation formula based on the preset item values; performing association retrieval between the threat program and each record in the massive behavior library based on the matching factor, thereby locating derivative behaviors related to the threat program; and forming a complete behavior chain based on the threat program and its derivative behaviors. The massive behavior library is a database of all information generated while the device runs, collected in advance for an active defense endpoint and marked according to a cyberspace threat framework.

Description

Threat program full-behavior association analysis method and device
Technical Field
The present invention relates to the field of network security technologies, and in particular to a threat program full-behavior association analysis method, apparatus, electronic device and storage medium.
Background
Modern virus threat technology is continuously developing and evolving, and the trend towards working in a block-wise, fragmented manner is obvious. Large numbers of known and unknown virus threats generate many fragment programs during the stages of detecting, delivering to, executing on and damaging a host; some of these fragments are injected into system processes and normal programs to achieve self-replication and propagation of the virus, so their function is well hidden. These fragments are independent of each other and behave much like normal programs, yet they cooperate with the other parts to complete the threat action. Traditional detection and removal methods have difficulty determining whether such fragments are virus threats. Even though most security detection software still relies on the detection and removal of known threats, after the host has processed a virus threat and told the user that processing is complete, most security detection software has removed only some of the fragments and cannot eradicate the whole virus.
Existing association analysis must collect massive data from many terminals, yet it only yields association probabilities and presumes the possible behaviors of a virus; the degree of association is low, the specific execution time and execution conditions of the threat behaviors cannot be obtained, and no thorough removal scheme or intrusion path can be given for deeply fragmented threats.
Disclosure of Invention
In view of the above, the embodiment of the invention provides a threat program full-behavior association analysis method, apparatus, electronic device and storage medium, which can effectively establish all behavior chains of a threat program from the start of the intrusion to the threat trigger point.
In a first aspect, the embodiment of the invention provides a threat program full-behavior association analysis method, comprising the following steps:
if the current device discovers a threat program, extracting preset item values of the threat program;
constructing a matching factor calculation formula based on the preset item values;
performing association retrieval between the threat program and each record in the massive behavior library based on the matching factor, thereby locating derivative behaviors related to the threat program;
forming a complete behavior chain based on the threat program and its derivative behaviors;
wherein the massive behavior library is a database of all information generated while the device runs, collected in advance for an active defense endpoint and marked according to a cyberspace threat framework.
Further, the performing association retrieval between the threat program and each record in the massive behavior library based on the matching factor, thereby locating derivative behaviors related to the threat program, specifically comprises:
calculating the matching factor between the threat program and each record in the massive behavior library, and extracting the corresponding record from the massive behavior library when the matching factor exceeds a preset value;
recording the corresponding record as a derivative behavior in the threat data space, and storing the preset item values of the corresponding record in the matching data space;
completing the remaining association retrieval based on the matching data space, thereby locating other derivative behaviors of the threat program;
terminating the association retrieval when the matching factors between the threat program and the remaining records in the massive behavior library are all smaller than the preset value;
wherein the matching data space is a container holding preset item values, and the threat data space is a database recording the threat program and its related derivative behaviors.
Further, the forming a complete behavior chain based on the threat program and its derivative behaviors specifically comprises:
searching the threat data space for the parent behavior of the initial threat point, i.e. the behavior that first triggered the threat, and continuing upward until a behavior related to the threat program that has no parent behavior is found and marked as the behavior head; connecting the full behaviors recursively downward according to the number of child behaviors of the behavior head; if a behavior has no child behavior, marking it as a behavior tail; removing associated but threat-free behavior data; and when all behavior tails have been obtained, the complete behavior chain is obtained.
Further, the preset item values include: MD5, PID and file pathname; the constructing a matching factor calculation formula based on the preset item values specifically comprises:
matching factor = sameMD5 + (samePID + sameFilePathname) / 2;
wherein, when the MD5 values are the same, sameMD5 = 1, and when they differ, sameMD5 = 0;
when the PIDs are the same, samePID = 1, and when they differ, samePID = 0;
when the file pathnames are the same, sameFilePathname = 1, and when they differ, sameFilePathname = 0.
Further, the calculating the matching factor between the threat program and each record in the massive behavior library, and extracting the corresponding record from the massive behavior library when the matching factor exceeds a preset value, specifically comprises:
when the matching factor between the threat program and a record in the massive behavior library is greater than or equal to 1, extracting that record from the massive behavior library.
In the above method embodiment, the recording the corresponding record as a derivative behavior in the threat data space specifically comprises:
storing the corresponding record as a derivative behavior in the threat data space in the form of a B+ tree;
when the threat data space exceeds a preset upper limit, persisting the threat data space to a file on disk, and cleaning that on-disk file once at each start-up and shutdown.
In a second aspect, the embodiment of the invention provides a threat program full-behavior association analysis apparatus, comprising:
a threat program discovery module, configured to extract preset item values of a threat program if the current device discovers the threat program;
a matching factor construction module, configured to construct a matching factor calculation formula based on the preset item values;
a derivative behavior locating module, configured to perform association retrieval between the threat program and each record in the massive behavior library based on the matching factor, so as to locate derivative behaviors related to the threat program;
a complete behavior chain forming module, configured to form a complete behavior chain based on the threat program and its derivative behaviors;
wherein the massive behavior library is a database of all information generated while the device runs, collected in advance for an active defense endpoint and marked according to a cyberspace threat framework.
Further, the derivative behavior locating module is specifically configured to:
calculate the matching factor between the threat program and each record in the massive behavior library, and extract the corresponding record from the massive behavior library when the matching factor exceeds a preset value;
record the corresponding record as a derivative behavior in the threat data space, and store the preset item values of the corresponding record in the matching data space;
complete the remaining association retrieval based on the matching data space, thereby locating other derivative behaviors of the threat program;
terminate the association retrieval when the matching factors between the threat program and the remaining records in the massive behavior library are all smaller than the preset value;
wherein the matching data space is a container holding preset item values, and the threat data space is a database recording the threat program and its related derivative behaviors.
Further, the complete behavior chain forming module is specifically configured to:
search the threat data space for the parent behavior of the initial threat point, i.e. the behavior that first triggered the threat, continuing upward until a behavior related to the threat program that has no parent behavior is found and marked as the behavior head; connect the full behaviors recursively downward according to the number of child behaviors of the behavior head; if a behavior has no child behavior, mark it as a behavior tail; remove associated but threat-free behavior data; and when all behavior tails have been obtained, terminate the association retrieval to obtain the complete behavior chain.
Further, the matching factor construction module is specifically configured to:
use preset item values comprising MD5, PID and file pathname, and construct the formula
matching factor = sameMD5 + (samePID + sameFilePathname) / 2;
wherein, when the MD5 values are the same, sameMD5 = 1, and when they differ, sameMD5 = 0;
when the PIDs are the same, samePID = 1, and when they differ, samePID = 0;
when the file pathnames are the same, sameFilePathname = 1, and when they differ, sameFilePathname = 0.
Further, the calculating the matching factor between the threat program and each record in the massive behavior library, and extracting the corresponding record from the massive behavior library when the matching factor exceeds a preset value, specifically comprises:
when the matching factor between the threat program and a record in the massive behavior library is greater than or equal to 1, extracting that record from the massive behavior library.
In the above embodiment of the invention, the recording the corresponding record as a derivative behavior in the threat data space specifically comprises:
storing the corresponding record as a derivative behavior in the threat data space in the form of a B+ tree;
when the threat data space exceeds a preset upper limit, persisting the threat data space to a file on disk, and cleaning that on-disk file once at each start-up and shutdown.
In a third aspect, the embodiment of the invention provides an electronic device, comprising a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged in the space enclosed by the housing, the processor and the memory are arranged on the circuit board, the power supply circuit supplies power to each circuit or device of the electronic device, the memory stores executable program code, and the processor runs the program corresponding to the executable program code by reading the executable program code stored in the memory, so as to execute any of the above threat program full-behavior association analysis methods.
In a fourth aspect, the embodiment of the invention further provides a computer readable storage medium storing one or more programs which, when executed by one or more processors, implement the threat program full-behavior association analysis method of any of the foregoing embodiments.
The embodiment of the invention provides a threat program full-behavior association analysis method, apparatus, electronic device and storage medium, wherein all information generated during running is recorded at the device side and marked according to a cyberspace threat framework; if a threat program appears on the device, it is taken as the starting point, other derivative behaviors in the massive behavior library are retrieved by association based on the matching factor, and finally the complete behavior chain of the threat program is formed. The embodiment of the invention can quickly form the full behavior chain of the threat program and finally eradicate the threat program completely.
Drawings
In order to illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings required by the embodiments or by the description of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention, and a person skilled in the art could obtain other drawings from them without inventive effort.
FIG. 1 is a flow chart of a threat program full behavior association analysis method according to an embodiment of the present invention;
FIG. 2 is a flowchart of a threat program full-behavior association analysis method according to another embodiment of the invention;
FIG. 3 is a flowchart of a threat program full behavior association analysis method according to another embodiment of the invention;
FIG. 4 is a schematic structural diagram of an embodiment of a threat program whole-behavior association analysis apparatus according to the present invention;
Fig. 5 is a schematic structural diagram of an embodiment of the electronic device of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are merely some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In order to illustrate the embodiments of the present invention more clearly, the technical terms involved are explained first:
Association analysis: also known as association mining, is the discovery of frequent patterns, associations, correlations or causal structures that exist between sets of items or objects in transactional data, relational data or other information carriers.
Cyberspace threat framework: a cyberspace threat framework divides an attacker's steps into stages such as management, preparation, interaction, existence, influence and continuous progress; each stage contains the target activities to be achieved, each target activity contains the attacker's specific actions, and these specific actions are classified and described in a professional, general way so that cyber threat events can be described and classified consistently.
Threat behavior chain: the overall procedure and the overall behaviors of a virus threat from the start of the intrusion to the point where the threat is triggered.
In a first aspect, the embodiment of the invention provides a threat program full-behavior association analysis method which can construct the full behavior chain of a threat program.
FIG. 1 is a flowchart of a threat program full-behavior association analysis method according to an embodiment of the invention, comprising:
S101: if the current device discovers a threat program, extracting preset item values of the threat program.
The preset item values include, but are not limited to: MD5, PID, file pathname, the records before and after a modification, or the disk-landing mode.
S102: constructing a matching factor calculation formula based on the preset item values.
S103: performing association retrieval between the threat program and each record in the massive behavior library based on the matching factor, thereby locating derivative behaviors related to the threat program. The derivative behaviors include, but are not limited to: process starts, file changes, registry operations, scheduled tasks, etc.
S104: forming a complete behavior chain based on the threat program and its derivative behaviors.
The massive behavior library is a database of all information generated while the device runs, collected in advance for an active defense endpoint and marked according to a cyberspace threat framework. The invention does not depend on any specific cyberspace threat framework, so the analysis is not constrained by the gaps of a particular framework.
Preferably, the performing association retrieval between the threat program and each record in the massive behavior library based on the matching factor, thereby locating derivative behaviors related to the threat program, specifically comprises:
calculating the matching factor between the threat program and each record in the massive behavior library, and extracting the corresponding record from the massive behavior library when the matching factor exceeds a preset value;
recording the corresponding record as a derivative behavior in the threat data space, and storing the preset item values of the corresponding record in the matching data space;
completing the remaining association retrieval based on the matching data space, thereby locating other derivative behaviors of the threat program;
terminating the association retrieval when the matching factors between the threat program and the remaining records in the massive behavior library are all smaller than the preset value;
wherein the matching data space is a container holding preset item values, and the threat data space is a database recording the threat program and its related derivative behaviors.
Preferably, the forming a complete behavior chain based on the threat program and its derivative behaviors specifically comprises:
searching the threat data space for the parent behavior of the initial threat point, i.e. the behavior that first triggered the threat, and continuing upward until a behavior related to the threat program that has no parent behavior is found and marked as the behavior head; connecting the full behaviors recursively downward according to the number of child behaviors of the behavior head; if a behavior has no child behavior, marking it as a behavior tail; and removing associated but threat-free behavior data to obtain the complete behavior chain.
Preferably, the preset item values include: MD5, PID and file pathname; the constructing a matching factor calculation formula based on the preset item values specifically comprises:
matching factor = sameMD5 + (samePID + sameFilePathname) / 2;
wherein, when the MD5 values are the same, sameMD5 = 1, and when they differ, sameMD5 = 0;
when the PIDs are the same, samePID = 1, and when they differ, samePID = 0;
when the file pathnames are the same, sameFilePathname = 1, and when they differ, sameFilePathname = 0.
More preferably, the calculating the matching factor between the threat program and each record in the massive behavior library, and extracting the corresponding record from the massive behavior library when the matching factor exceeds a preset value, specifically comprises:
when the matching factor between the threat program and a record in the massive behavior library is greater than or equal to 1, extracting that record from the massive behavior library.
In the above method embodiment, the recording the corresponding record as a derivative behavior in the threat data space specifically comprises:
storing the corresponding record as a derivative behavior in the threat data space in the form of a B+ tree;
when the threat data space exceeds a preset upper limit, persisting the threat data space to a file on disk, and cleaning that on-disk file once at each start-up and shutdown.
A B+ tree is a tree data structure commonly used in databases and in operating system file systems. Its characteristic is that it keeps data stable and ordered, and insertion and modification have a relatively stable logarithmic time complexity. Unlike a binary tree, the elements of a B+ tree are inserted bottom-up.
The preset upper limit is set according to the actual situation; in this embodiment it may be 100M.
In this embodiment, the threat program reported by the device alarm is used as the starting point of the whole scheme; the massive behavior library, collected in advance and marked according to the cyberspace threat framework, is searched by association based on the matching factor to locate the derivative behaviors related to the threat program and finally form the whole behavior chain. This breaks through the limited viewpoint of traditional security software and helps eradicate the virus threat on the device.
FIG. 2 is a flowchart of a threat program full-behavior association analysis method according to another embodiment of the invention, comprising:
S201: if the current device discovers a threat program, extracting preset item values of the threat program.
S202: constructing a matching factor calculation formula based on the preset item values.
S203: calculating the matching factor between the threat program and each record in the massive behavior library, and extracting the corresponding record from the massive behavior library when the matching factor exceeds a preset value.
S204: recording the corresponding record as a derivative behavior in the threat data space, and storing the preset item values of the corresponding record in the matching data space. More preferably, the preset item value data in the matching data space is screened: if too many behaviors of individual system files have been collected, redundancy is removed according to the determined intrusion point or the first time point after the intrusion point was triggered.
S205: completing the remaining association retrieval based on the matching data space, thereby locating other derivative behaviors of the threat program.
S206: performing redundancy elimination on the threat data space, merging repeatedly recorded records by counting them.
S207: terminating the association retrieval when the matching factors between the threat program and the remaining records in the massive behavior library are all smaller than the preset value. In addition, a search upper limit, i.e. a preset level, may be set as required, and the association retrieval is terminated when the search level exceeds the preset level.
S208: searching the threat data space for the parent behavior of the initial threat point, i.e. the behavior that first triggered the threat, continuing upward until a behavior related to the threat program that has no parent behavior is found, and marking it as the behavior head.
S209: connecting the full behaviors recursively downward according to the number of child behaviors of the behavior head; if a behavior has no child behavior, marking it as a behavior tail.
S210: removing associated but threat-free behavior data to obtain the complete behavior chain.
The massive behavior library is a database of all information generated while the device runs, collected in advance for an active defense endpoint and marked according to a cyberspace threat framework. The matching data space is a container holding preset item values; the threat data space is a database recording the threat program and its related derivative behaviors.
In this embodiment, the matching data space is used to complete the association retrieval based on the matching factor, the threat data space is used to store all the data related to the derivative behaviors of the threat program, and finally the complete behavior chain is constructed from the threat data space.
FIG. 3 is a flowchart of a threat program full-behavior association analysis method according to another embodiment of the invention, comprising:
S301: if the current device discovers a threat program, extracting preset item values of the threat program, including but not limited to: MD5, PID and file pathname.
S302: matching factor = sameMD5 + (samePID + sameFilePathname) / 2,
wherein, when the MD5 values are the same, sameMD5 = 1, and when they differ, sameMD5 = 0;
when the PIDs are the same, samePID = 1, and when they differ, samePID = 0;
when the file pathnames are the same, sameFilePathname = 1, and when they differ, sameFilePathname = 0.
S303: when the matching factor between the threat program and a record in the massive behavior library is greater than or equal to 1, extracting that record from the massive behavior library.
For example, if MD5 acquisition fails but the PIDs are the same and the file pathnames are the same, then matching factor = 0 + (1 + 1)/2 = 1, which satisfies the condition that the matching factor is 1 or more, so the record is extracted. Matching can therefore be completed even when the MD5 cannot be extracted, which greatly improves the fault tolerance of the system.
S304: storing the corresponding record in the threat data space in the form of a B+ tree, so as to facilitate redundancy elimination and frequent pruning.
More preferably, when the threat data space exceeds a preset upper limit, the threat data space is persisted to a file on disk, and that on-disk file is cleaned once at each start-up and shutdown.
S305: completing the remaining association retrieval based on the matching data space, thereby locating other derivative behaviors of the threat program.
S306: when all behavior tails have been located, the retrieval terminates.
S307: forming a complete behavior chain based on the threat program and its derivative behaviors.
In this embodiment, MD5, PID and file pathname are used as the preset item values to construct the matching factor calculation formula, the derivative behaviors are located based on that formula, and finally the complete behavior chain is formed.
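As an added example (not code from the patent or its assignee), the following Python models the matching factor of S302 and S303, the level-by-level association retrieval through the matching data space of S203 to S207, and the head/tail chain formation of S208 to S210 over a small constructed behavior library. Record ids, hashes, PIDs and paths are invented, and the rule that a threat-free record is kept when a threat record descends from it is my reading of S210.

```python
# Added example, not code from the patent or its assignee: a small model of the
# matching-factor association search (S203-S207) and behavior-chain formation
# (S208-S210) over a constructed behavior library. Ids, hashes, PIDs and paths
# are invented and the field names are my own.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Behavior:
    bid: int                # record id in the behavior library
    md5: Optional[str]      # None models "MD5 acquisition failed"
    pid: int                # PID of the acting process
    path: str               # file pathname of the acting image or created file
    parent: Optional[int]   # id of the behavior that produced this record
    threat: bool            # marked as a threat under the threat framework
    kind: str               # process start / file change / registry / scheduled task

THRESHOLD = 1.0  # preset value: a record is extracted when its factor is >= 1

def match_factor(a: Behavior, b: Behavior) -> float:
    """matching factor = sameMD5 + (samePID + sameFilePathname) / 2."""
    same_md5 = 1 if a.md5 is not None and a.md5 == b.md5 else 0
    same_pid = 1 if a.pid == b.pid else 0
    same_path = 1 if a.path == b.path else 0
    return same_md5 + (same_pid + same_path) / 2

def associate(threat: Behavior, library: list, max_level: int = 10) -> dict:
    """Association retrieval: the matching data space holds the current seeds; a
    record whose factor against a seed reaches THRESHOLD enters the threat data
    space (id -> (record, hit count), repeats merged by counting as in S206) and
    seeds the next level. Stops when a level yields nothing new or the preset
    search level is exceeded (S207)."""
    threat_space = {threat.bid: (threat, 1)}
    matching_space = [threat]
    level = 0
    while matching_space and level < max_level:
        next_seeds = []
        for seed in matching_space:
            for rec in library:
                if rec.bid in (seed.bid, threat.bid):
                    continue
                if match_factor(seed, rec) < THRESHOLD:
                    continue
                if rec.bid in threat_space:
                    prev, hits = threat_space[rec.bid]
                    threat_space[rec.bid] = (prev, hits + 1)
                else:
                    threat_space[rec.bid] = (rec, 1)
                    next_seeds.append(rec)
        matching_space = next_seeds
        level += 1
    return threat_space

def build_chain(threat_space: dict, start_id: int) -> list:
    """Chain formation: walk parents up from the initial threat point until the
    parent is outside the threat space (behavior head), then connect children
    recursively downward; a node without children is a behavior tail. Threat-free
    data is removed; a record is kept only if it or a descendant is a threat (an
    assumption about S210 so a benign launcher above the threat program stays).
    Returns (id, depth, role) tuples in pre-order."""
    recs = {bid: rec for bid, (rec, _) in threat_space.items()}
    head = recs[start_id]
    while head.parent in recs:
        head = recs[head.parent]
    children = {}
    for rec in recs.values():
        children.setdefault(rec.parent, []).append(rec)

    def leads_to_threat(rec):
        return rec.threat or any(leads_to_threat(c) for c in children.get(rec.bid, []))

    chain = []

    def walk(rec, depth):
        kids = sorted((c for c in children.get(rec.bid, []) if leads_to_threat(c)),
                      key=lambda c: c.bid)
        role = "head" if depth == 0 else ("tail" if not kids else "node")
        chain.append((rec.bid, depth, role))
        for kid in kids:
            walk(kid, depth + 1)

    walk(head, 0)
    return chain

# Constructed behavior library; the alarmed threat program is record 2.
DROPPER_MD5 = "0123456789abcdef0123456789abcdef"  # invented hash
LIBRARY = [
    Behavior(1, "ffff0000ffff0000ffff0000ffff0000", 100, r"C:\Windows\explorer.exe", None, False, "process start"),
    Behavior(2, DROPPER_MD5, 200, r"C:\Users\Public\Downloads\dropper.exe", 1, True, "process start"),
    Behavior(3, None, 200, r"C:\Users\Public\Downloads\dropper.exe", 2, True, "registry: Run key set"),
    Behavior(4, DROPPER_MD5, 310, r"C:\ProgramData\svc.dll", 2, True, "file change: self-copy"),
    Behavior(5, None, 310, r"C:\ProgramData\svc.dll", 4, True, "scheduled task created"),
    Behavior(6, "abcdabcdabcdabcdabcdabcdabcdabcd", 400, r"C:\Windows\notepad.exe", 1, False, "process start"),
    Behavior(7, None, 200, r"C:\Users\Public\Downloads\dropper.exe", 2, False, "file read: own image"),
]
THREAT = LIBRARY[1]

if __name__ == "__main__":
    space = associate(THREAT, LIBRARY)
    for bid, depth, role in build_chain(space, THREAT.bid):
        rec, hits = space[bid]
        print(f"{'  ' * depth}[{role}] #{bid} {rec.kind} pid={rec.pid} hits={hits}")
```

Record 3 reproduces the worked case of S303 (MD5 missing, PID and path equal, factor exactly 1), record 4 is reached through the MD5 term alone, and record 5 is only found at the second level via record 4, which is what the re-seeding through the matching data space buys.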
In a second aspect, the embodiment of the invention provides a threat program full-behavior association analysis apparatus which can construct the full behavior chain of a threat program.
FIG. 4 is a schematic structural diagram of a threat program full-behavior association analysis apparatus according to an embodiment of the invention, comprising:
a threat program discovery module 401, configured to extract preset item values of a threat program if the current device discovers the threat program;
a matching factor construction module 402, configured to construct a matching factor calculation formula based on the preset item values;
a derivative behavior locating module 403, configured to perform association retrieval between the threat program and each record in the massive behavior library based on the matching factor, so as to locate derivative behaviors related to the threat program;
a complete behavior chain forming module 404, configured to form a complete behavior chain based on the threat program and its derivative behaviors;
wherein the massive behavior library is a database of all information generated while the device runs, collected in advance for an active defense endpoint and marked according to a cyberspace threat framework.
Preferably, the derived behavior positioning module is specifically configured to:
calculate the matching factor between the threat program and each record in the massive behavior library, and extract the corresponding record from the library when the matching factor reaches the preset value;
record the corresponding data as a derived behavior in the threat data space, and store the preset item values of that record in the matching data space;
complete the remaining association retrieval based on the matching data space, thereby locating the other derived behaviors of the threat program;
terminate the association retrieval when the matching factors between the threat program and all remaining records in the massive behavior library are below the preset value;
wherein the matching data space is a container holding preset item values, and the threat data space is a database recording the threat program and its related derived behaviors.
Preferably, the complete behavior chain forming module is specifically configured to:
search upward from the initial threat point (the behavior that first triggered the threat) for its parent behaviors until no further parent behavior related to the threat program is found, and mark that behavior as the behavior head; recursively connect the full set of behaviors downward according to the number of child behaviors of the behavior head; mark any behavior that has no child behavior as a behavior tail; and remove the behavior data that is associated but carries no threat, so as to obtain the complete behavior chain.
Preferably, the matching factor construction module is specifically configured as follows:
the preset item values comprise: MD5, PID and file pathname;
matching factor = sameMD5 + (samePID + sameFilePathname) / 2;
where sameMD5 = 1 when the MD5 values are the same and sameMD5 = 0 when they differ;
samePID = 1 when the PIDs are the same and samePID = 0 when they differ;
sameFilePathname = 1 when the file pathnames are the same and sameFilePathname = 0 when they differ.
Preferably, calculating the matching factor between the threat program and each record in the massive behavior library and extracting the corresponding record when the matching factor reaches the preset value specifically comprises:
extracting a record from the massive behavior library when the matching factor between the threat program and that record is greater than or equal to 1.
In the above embodiment of the present invention, recording the corresponding data as a derived behavior in the threat data space specifically comprises:
storing the corresponding data as derived behaviors in the threat data space in the form of a B+ tree;
when the threat data space grows beyond the preset upper limit, persisting the threat data space to disk as a file, and cleaning the persisted file once at each startup or shutdown.
In this embodiment, the threat program alarmed by the device is taken as the starting point of the whole scheme; the massive behavior library, collected in advance and marked according to the cyberspace threat framework, is searched by association on the basis of the matching factor, the derived behaviors related to the threat program are located, and finally a complete behavior chain is formed, which helps to eradicate the threat from the device.
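As an added worked example (not code from the patent or from its assignee), the procedure of the derived behavior positioning module and the complete behavior chain forming module above, and of claims 1 to 3 below, implemented in Python. The record schema (a record id, the three preset item values MD5/PID/file pathname, a parent-behavior id and a threat-framework mark), the constructed sample library, the tactic labels and the queue-based handling of the matching data space are assumptions of this example; the patent itself fixes only the three preset item values, the formula and the threshold of 1. Threat-free records are removed as the patent states, interpreted here as pruning any branch that carries no threat mark, so that a threat-free record which still links two marked behaviors stays in the chain.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Behavior:
    """One record of the massive behavior library (constructed schema, not the patent's)."""
    bid: int                 # record id
    md5: str                 # MD5 of the acting program image
    pid: int                 # process id
    path: str                # file pathname
    parent: Optional[int]    # bid of the parent behavior, None for a root
    tactic: Optional[str]    # threat-framework mark, None = no threat mark


Preset = Tuple[str, int, str]   # (MD5, PID, file pathname), the preset item values


def preset_values(b: Behavior) -> Preset:
    return (b.md5, b.pid, b.path)


def matching_factor(a: Preset, b: Preset) -> float:
    """matching factor = sameMD5 + (samePID + sameFilePathname) / 2 (the patent's formula)."""
    same_md5 = int(a[0] == b[0])
    same_pid = int(a[1] == b[1])
    same_path = int(a[2] == b[2])
    return same_md5 + (same_pid + same_path) / 2


def locate_derived_behaviors(library: List[Behavior], seed: Behavior,
                             threshold: float = 1.0) -> Dict[int, Behavior]:
    """Association retrieval: seed the matching data space with the threat program's
    preset values, pull every library record whose factor reaches the threshold into
    the threat data space, then re-probe with each new record's preset values until
    the matching data space is empty (nothing left scores >= threshold)."""
    threat_space: Dict[int, Behavior] = {seed.bid: seed}
    matching_space = deque([preset_values(seed)])   # assumed FIFO container
    probed = {preset_values(seed)}
    while matching_space:
        probe = matching_space.popleft()
        for rec in library:
            if rec.bid in threat_space:
                continue
            if matching_factor(probe, preset_values(rec)) >= threshold:
                threat_space[rec.bid] = rec
                pv = preset_values(rec)
                if pv not in probed:
                    probed.add(pv)
                    matching_space.append(pv)
    return threat_space


def form_behavior_chain(threat_space: Dict[int, Behavior], seed: Behavior):
    """Walk parents inside the threat data space up to the behavior head, connect
    children recursively, mark childless nodes as tails, and drop associated
    branches that carry no threat mark (assumed reading of the patent's pruning step)."""
    head = seed
    while head.parent in threat_space:
        head = threat_space[head.parent]
    children: Dict[int, List[int]] = {}
    for b in threat_space.values():
        if b.bid != head.bid and b.parent in threat_space:
            children.setdefault(b.parent, []).append(b.bid)

    def build(bid: int):
        node = threat_space[bid]
        kids = [build(c) for c in sorted(children.get(bid, []))]
        kids = [k for k in kids if k is not None]
        if node.tactic is None and not kids:
            return None   # associated but threat-free: removed from the chain
        return {"bid": bid, "path": node.path, "tactic": node.tactic,
                "tail": not kids, "children": kids}

    return build(head.bid)


def chain_ids(chain) -> List[int]:
    """Flatten a chain into depth-first record ids (head first)."""
    if chain is None:
        return []
    out = [chain["bid"]]
    for k in chain["children"]:
        out.extend(chain_ids(k))
    return out


# Constructed sample library; the paths, hashes and labels are made up for this example.
LIBRARY = [
    Behavior(1, "aa11", 100, r"C:\Windows\explorer.exe", None, None),
    Behavior(2, "dd44", 200, r"C:\Users\u\Downloads\invoice.exe", 1, "TA0001 Initial Access"),
    Behavior(3, "dd44", 300, r"C:\Users\u\AppData\Local\Temp\update.exe", 2, "TA0002 Execution"),
    Behavior(4, "dd44", 300, r"C:\ProgramData\svc\update.exe", 3, "TA0003 Persistence"),
    Behavior(5, "dd44", 301, r"C:\ProgramData\svc\update.exe", 4, "TA0011 Command and Control"),
    Behavior(6, "ee55", 301, r"C:\ProgramData\svc\update.exe", 5, None),
    Behavior(7, "ff66", 500, r"C:\Windows\System32\notepad.exe", 1, None),
]
SEED = LIBRARY[2]   # record 3: the behavior the endpoint alarmed on


def analyze(library: List[Behavior] = LIBRARY, seed: Behavior = SEED):
    space = locate_derived_behaviors(library, seed)
    return space, form_behavior_chain(space, seed)


if __name__ == "__main__":
    space, chain = analyze()
    print("threat data space:", sorted(space))
    print("behavior chain:", chain_ids(chain))
```

Run stand-alone, the module reports the threat data space {2, 3, 4, 5, 6} and the chain 2 → 3 → 4 → 5: record 2 is pulled in by its MD5 alone, records 4 and 5 by MD5 plus PID or path, and record 6 only on the second round, through record 5's PID and path, which is why the matching data space must be re-probed rather than compared against the alarmed program once; record 6 carries no threat mark and is pruned, and record 7 never reaches the threshold. Note that the factor is a pure equality score: a renamed copy of the threat program with the same hash still scores at least 1, a repacked copy with a different hash associates only when both PID and path coincide, and a PID that the operating system reuses after the process exits satisfies samePID for an unrelated program, so the threat-framework marks are what separate the chain from coincidental matches.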
In a third aspect, the embodiment of the present invention further provides an electronic device capable of constructing a full behavioral chain of a threat program.
Fig. 5 is a schematic structural diagram of an embodiment of an electronic device according to the present invention. The electronic device may comprise: a processor 52 and a memory 53 arranged on a circuit board 54, the circuit board 54 being arranged in the space enclosed by the housing 51; a power supply circuit 55 for supplying power to the respective circuits or devices of the electronic device; the memory 53 for storing executable program code; and the processor 52, which reads the executable program code stored in the memory 53 and runs the program corresponding to it, so as to execute the threat program full-behavior association analysis method of any of the foregoing embodiments.
For the specific implementation of the above steps by the processor 52, and for the further steps it performs by running the executable program code, refer to the description of the embodiments of FIG. 1 and FIG. 2 of the present invention, which is not repeated here.
The electronic device exists in a variety of forms including, but not limited to:
(1) Mobile communication devices: such devices are characterized by mobile communication capability and are primarily aimed at providing voice and data communication. Such terminals include smart phones (e.g., iPhone), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer devices: such devices belong to the category of personal computers, have computing and processing functions, and generally also have mobile internet access. Such terminals include PDA, MID and UMPC devices, e.g., iPad.
(3) Portable entertainment devices: such devices can display and play multimedia content. They include audio and video players (e.g., iPod), handheld game consoles, electronic book readers, smart toys and portable car navigation devices.
(4) And (3) a server: the configuration of the server includes a processor, a hard disk, a memory, a system bus, and the like, and the server is similar to a general computer architecture, but is required to provide highly reliable services, and thus has high requirements in terms of processing capacity, stability, reliability, security, scalability, manageability, and the like.
(5) Other electronic devices with data interaction functions.
In a fourth aspect, embodiments of the present invention further provide a computer readable storage medium storing one or more programs executable by one or more processors to implement the threat program full behavior association analysis method of any of the foregoing implementations.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In this specification, each embodiment is described in a related manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments.
In particular, for the method embodiments, since they are substantially similar to the apparatus embodiments, the description is relatively simple, with reference to the description of the apparatus embodiments in part.
For convenience of description, the above apparatus is described as being functionally divided into various units/modules, respectively. Of course, the functions of the various elements/modules may be implemented in the same piece or pieces of software and/or hardware when implementing the present invention.
Those skilled in the art will appreciate that implementing all or part of the above-described methods in accordance with the embodiments may be accomplished by way of a computer program stored on a computer readable storage medium, which when executed may comprise the steps of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a random-access Memory (Random Access Memory, RAM), or the like.
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any changes or substitutions easily contemplated by those skilled in the art within the scope of the present invention should be included in the present invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.

Claims (10)

1. A threat program full-behavior association analysis method, comprising:
when the current device discovers a threat program, extracting the preset item values of the threat program;
constructing a matching factor formula based on the preset item values, the preset item values comprising MD5, PID and file pathname, wherein constructing the matching factor formula based on the preset item values specifically comprises:
matching factor = sameMD5 + (samePID + sameFilePathname) / 2;
where sameMD5 = 1 when the MD5 values are the same and sameMD5 = 0 when they differ;
samePID = 1 when the PIDs are the same and samePID = 0 when they differ;
sameFilePathname = 1 when the file pathnames are the same and sameFilePathname = 0 when they differ;
performing association retrieval between the threat program and each record in the massive behavior library based on the matching factor, so as to locate the derived behaviors related to the threat program, which specifically comprises:
calculating the matching factor between the threat program and each record in the massive behavior library, and extracting the corresponding record from the library when the matching factor reaches the preset value;
recording the corresponding data as a derived behavior in the threat data space, and storing the preset item values of that record in the matching data space;
completing the remaining association retrieval based on the matching data space, thereby locating the other derived behaviors of the threat program;
terminating the association retrieval when the matching factors between the threat program and all remaining records in the massive behavior library are below the preset value;
wherein the matching data space is a container holding preset item values, and the threat data space is a database recording the threat program and its related derived behaviors;
forming a complete behavior chain from the threat program and its derived behaviors;
wherein the massive behavior library is a database of all information collected in advance from the active-defense endpoint during the device's operation and marked according to a cyberspace threat framework.
2. The method of claim 1, wherein forming a complete behavior chain from the threat program and its derived behaviors specifically comprises:
searching upward in the threat data space from the initial threat point (the behavior that first triggered the threat) for its parent behaviors until no further parent behavior related to the threat program is found, and marking that behavior as the behavior head; recursively connecting the full set of behaviors downward according to the number of child behaviors of the behavior head; marking any behavior that has no child behavior as a behavior tail; and removing the behavior data that is associated but carries no threat, so as to obtain the complete behavior chain.
3. The method of claim 2, wherein calculating the matching factor between the threat program and each record in the massive behavior library and extracting the corresponding record when the matching factor reaches the preset value specifically comprises:
extracting a record from the massive behavior library when the matching factor between the threat program and that record is greater than or equal to 1.
4. The method of any one of claims 2 to 3, wherein recording the corresponding data as a derived behavior in the threat data space specifically comprises:
storing the corresponding data as derived behaviors in the threat data space in the form of a B+ tree;
when the threat data space grows beyond the preset upper limit, persisting the threat data space to disk as a file, and cleaning the persisted file once at each startup or shutdown.
5. A threat program full-behavior association analysis apparatus, comprising:
a threat program discovery module, configured to extract the preset item values of a threat program when the current device discovers the threat program;
a matching factor construction module, configured to construct a matching factor formula based on the preset item values, the matching factor construction module being specifically configured as follows:
the preset item values comprise: MD5, PID and file pathname;
matching factor = sameMD5 + (samePID + sameFilePathname) / 2;
where sameMD5 = 1 when the MD5 values are the same and sameMD5 = 0 when they differ;
samePID = 1 when the PIDs are the same and samePID = 0 when they differ;
sameFilePathname = 1 when the file pathnames are the same and sameFilePathname = 0 when they differ;
a derived behavior positioning module, configured to perform association retrieval between the threat program and each record in the massive behavior library based on the matching factor, so as to locate the derived behaviors related to the threat program, the derived behavior positioning module being specifically configured to:
calculate the matching factor between the threat program and each record in the massive behavior library, and extract the corresponding record from the library when the matching factor reaches the preset value;
record the corresponding data as a derived behavior in the threat data space, and store the preset item values of that record in the matching data space;
complete the remaining association retrieval based on the matching data space, thereby locating the other derived behaviors of the threat program;
terminate the association retrieval when the matching factors between the threat program and all remaining records in the massive behavior library are below the preset value;
wherein the matching data space is a container holding preset item values, and the threat data space is a database recording the threat program and its related derived behaviors;
a complete behavior chain forming module, configured to form a complete behavior chain from the threat program and its derived behaviors;
wherein the massive behavior library is a database of all information collected in advance from the active-defense endpoint during the device's operation and marked according to a cyberspace threat framework.
6. The apparatus of claim 5, wherein the complete behavior chain forming module is specifically configured to:
search upward in the threat data space from the initial threat point (the behavior that first triggered the threat) for its parent behaviors until no further parent behavior related to the threat program is found, and mark that behavior as the behavior head; recursively connect the full set of behaviors downward according to the number of child behaviors of the behavior head; mark any behavior that has no child behavior as a behavior tail; and remove the behavior data that is associated but carries no threat, so as to obtain the complete behavior chain.
7. The apparatus of claim 6, wherein calculating the matching factor between the threat program and each record in the massive behavior library and extracting the corresponding record when the matching factor reaches the preset value specifically comprises:
extracting a record from the massive behavior library when the matching factor between the threat program and that record is greater than or equal to 1.
8. The apparatus of any one of claims 6 to 7, wherein recording the corresponding data as a derived behavior in the threat data space specifically comprises:
storing the corresponding data as derived behaviors in the threat data space in the form of a B+ tree;
when the threat data space grows beyond the preset upper limit, persisting the threat data space to disk as a file, and cleaning the persisted file once at each startup or shutdown.
9. An electronic device, comprising: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged in the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic device; the memory stores executable program code; and the processor reads the executable program code stored in the memory and runs the program corresponding to it, so as to perform the method of any one of claims 1 to 4.
10. A computer readable storage medium storing one or more programs executable by one or more processors to implement the method of any of claims 1-4.
CN201911316671.8A 2019-12-19 2019-12-19 Threat program full-behavior association analysis method and device Active CN111027071B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911316671.8A CN111027071B (en) 2019-12-19 2019-12-19 Threat program full-behavior association analysis method and device

Publications (2)

Publication Number Publication Date
CN111027071A CN111027071A (en) 2020-04-17
CN111027071B true CN111027071B (en) 2024-05-24

Family

ID=70209708

Country Status (1)

Country Link
CN (1) CN111027071B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113032784B (en) * 2021-03-26 2023-07-21 安天科技集团股份有限公司 Threat treatment method, threat treatment tool, and computer-readable medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6370648B1 (en) * 1998-12-08 2002-04-09 Visa International Service Association Computer network intrusion detection
US9998484B1 (en) * 2016-03-28 2018-06-12 EMC IP Holding Company LLC Classifying potentially malicious and benign software modules through similarity analysis
CN108875364A (en) * 2017-12-29 2018-11-23 北京安天网络安全技术有限公司 Menace determination method, device, electronic equipment and the storage medium of unknown file

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101350052B (en) * 2007-10-15 2010-11-03 北京瑞星信息技术有限公司 Method and apparatus for discovering malignancy of computer program
US10262131B2 (en) * 2016-03-22 2019-04-16 Symantec Corporation Systems and methods for obtaining information about security threats on endpoint devices
US10075457B2 (en) * 2016-03-30 2018-09-11 Fortinet, Inc. Sandboxing protection for endpoints
US10791133B2 (en) * 2016-10-21 2020-09-29 Tata Consultancy Services Limited System and method for detecting and mitigating ransomware threats
GB2574209B (en) * 2018-05-30 2020-12-16 F Secure Corp Controlling Threats on a Computer System by Searching for Matching Events on other Endpoints

Also Published As

Publication number Publication date
CN111027071A (en) 2020-04-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant