CN111723373A - Vulnerability exploitation file detection method and device of composite binary document - Google Patents

Info

Publication number
CN111723373A
Authority
CN
China
Prior art keywords
file
composite binary
document
judging
detected
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910210484.5A
Other languages
Chinese (zh)
Inventor
韩志辉
吕志泉
梅瑞
严寒冰
丁丽
李佳
沈元
张帅
李志辉
张腾
陈阳
王适文
马莉雅
高川
周昊
周彧
袁炯晔
童志明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
National Computer Network and Information Security Management Center
Original Assignee
National Computer Network and Information Security Management Center
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2019-03-19
Filing date
2019-03-19
Publication date
2020-09-29

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/565Static detection by checking file integrity
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034Test or assess a computer or a system

Abstract

The invention provides a method and a device for detecting a vulnerability exploitation file of a composite binary document, wherein the method comprises the following steps: acquiring a composite binary document to be detected, and verifying the file structure; judging whether the file structure is abnormal or not, if so, further detecting, and otherwise, judging that the composite binary file to be detected is a normal file; and further detecting sensitive characteristics in the abnormal area data segment of the file structure, if the sensitive characteristics exist, judging the composite binary file to be malicious, otherwise, judging the composite binary file to be a normal file. The invention also correspondingly provides a device for realizing the method. By the method, the newly appeared vulnerability exploitation file can be effectively detected without extracting new characteristics. And sensitive characteristic detection is only carried out aiming at the structural abnormal area, so that false alarm can be avoided, and the detection accuracy is further improved.

Description

Vulnerability exploitation file detection method and device of composite binary document
Technical Field
The invention relates to the technical field of network security, in particular to a vulnerability exploitation file detection method and device for a composite binary document.
Background
Compound binary document: a compound file binary format file (CFBF), also called a compound file, is a file format developed by Microsoft to implement COM structured storage; it stores the contents of multiple objects inside a single file on disk. Conventional detection of exploit files based on composite binary documents relies on features, such as a specific structural tag, an erroneous value at a specific position, a malicious network link address, or shellcode (a self-contained piece of binary code that carries out a specific task, which depending on the task may issue system calls or establish a shell with elevated privileges). Although such detection can catch the corresponding exploit file, its generality is limited: whenever a new form of exploit sample appears, new features must be extracted before it can be detected.
Because exploit files based on composite binary documents take many forms, detection by feature extraction alone is limited. Moreover, owing to the characteristics of the composite binary document format, some features are meaningful only at specific positions in the document, and matching them at other positions risks false positives. Therefore, if the position at which a feature is to be matched in the scanned document is not specified, detection efficiency suffers greatly and false alarms may be generated.
Disclosure of Invention
Based on the above problems, the application provides a method and a device for detecting a vulnerability exploitation file of a composite binary document, which solve the problem that exploit files based on composite binary documents have many exploitation modes and therefore require frequent feature extraction for detection, and also solve the problem that some features generate false alarms when they are matched by full-text search.
Firstly, a method for detecting a vulnerability exploitation file of a composite binary document is provided, which comprises the following steps:
acquiring a composite binary document to be detected, and verifying the file structure;
judging whether the file structure is abnormal or not, if so, further detecting, and otherwise, judging that the composite binary file to be detected is a normal file;
and further detecting sensitive characteristics in the abnormal area data segment of the file structure, if the sensitive characteristics exist, judging the composite binary file to be malicious, otherwise, judging the composite binary file to be a normal file.
In the method, verifying the file structure means judging, according to the file structure given by the official specification document, whether the composite binary document to be detected is consistent with that structure; if so, the file structure is normal, otherwise the file structure is abnormal.
In the method, the sensitive feature includes a network link or a call to a sensitive program.
The application also provides a vulnerability exploitation file detection device for a composite binary document, comprising: a memory and a processor;
the memory for storing a computer program running on the processor;
the processor, when running the computer program, implements the steps of:
acquiring a composite binary document to be detected, and verifying the file structure;
judging whether the file structure is abnormal or not, if so, further detecting, and otherwise, judging that the composite binary file to be detected is a normal file;
and further detecting sensitive characteristics in the abnormal area data segment of the file structure, if the sensitive characteristics exist, judging the composite binary file to be malicious, otherwise, judging the composite binary file to be a normal file.
In the device, verifying the file structure means judging, according to the file structure given by the official specification document, whether the composite binary document to be detected is consistent with that structure; if so, the file structure is normal, otherwise the file structure is abnormal.
In the device, the sensitive feature includes a network link or a call to a sensitive program.
A vulnerability exploitation file detection device of a compound binary document comprises:
the checking module is used for acquiring a composite binary document to be detected and checking the file structure;
the abnormality judgment module is used for judging whether the file structure is abnormal or not, if so, further detecting, and otherwise, judging that the composite binary file to be detected is a normal file;
and the characteristic detection module is used for further detecting sensitive characteristics in the abnormal area data segment of the file structure, if the sensitive characteristics exist, the composite binary file is judged to be malicious, and if the sensitive characteristics do not exist, the composite binary file is judged to be a normal file.
In the device, verifying the file structure means judging, according to the file structure given by the official specification document, whether the composite binary document to be detected is consistent with that structure; if so, the file structure is normal, otherwise the file structure is abnormal.
In the device, the sensitive feature includes a network link or a call to a sensitive program.
The present application further provides a non-transitory computer-readable storage medium having stored thereon a computer program, which when executed by a processor, implements any of the above methods for detecting a vulnerability exploitation file of a compound binary document.
The method detects possible exploit files by checking the structure of the composite binary document. Some vulnerabilities arise precisely because the file structure contains an anomaly that the conventional processing program cannot handle correctly; exploit files built on such vulnerabilities can therefore be screened by checking the structure of the composite binary document, and the method can find exploit files that arise from new format structure errors. The sensitive features are then checked only at the positions where the file structure is abnormal, to confirm whether the file is an exploit file. This avoids the false alarms caused by searching the full text for sensitive features and further improves detection accuracy.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments described in the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a flow chart of an embodiment of a vulnerability exploiting file detecting method of a compound binary document;
FIG. 2 is a schematic structural diagram of a vulnerability exploiting file detecting apparatus for a compound binary document;
FIG. 3 is a schematic structural diagram of another vulnerability exploiting file detecting apparatus for compound binary documents.
Detailed Description
In order to make the technical solutions in the embodiments of the present invention better understood and make the above objects, features and advantages of the present invention more comprehensible, the technical solutions of the present invention are described in further detail below with reference to the accompanying drawings.
First, a method for detecting a vulnerability exploitation file of a compound binary document is provided, as shown in fig. 1, including:
s101: acquiring a composite binary document to be detected, and verifying the file structure;
s102: judging whether the file structure is abnormal or not, if so, further detecting, and otherwise, judging that the composite binary file to be detected is a normal file;
s103: and further detecting sensitive characteristics in the abnormal area data segment of the file structure, if the sensitive characteristics exist, judging the composite binary file to be malicious, otherwise, judging the composite binary file to be a normal file.
In the method, verifying the file structure means judging, according to the file structure given by the official specification document, whether the composite binary document to be detected is consistent with that structure; if so, the file structure is normal, otherwise the file structure is abnormal.
In the method, the sensitive feature includes a network link or a call to a sensitive program.
For a clearer understanding of the above method, a practical case is given for illustration:
Assume that a new vulnerability is a verification error in the structure at a certain position of the file, and that a malicious website address can be placed at the position where the file structure is abnormal, so that the malicious website is contacted to carry out malicious operations. If that website has not appeared before, a conventional detection method cannot detect it, because the corresponding feature does not exist. If, instead, any data matching the website format is used as the feature and the whole file is searched, the normal website addresses that appear in normal documents, owing to the characteristics of composite binary documents, are reported as false positives.
With a format-check-based approach, however, the files with abnormal structures are screened out first, and the exploit file for the newly appeared vulnerability is detected by finding suspected website data that conforms to the website format when the abnormal region is searched for sensitive features. Because sensitive features are detected only near the abnormal structure of the file, normal files are not falsely reported.
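As an added example (not part of the patent and not code from the applicant), the following Python sketch carries steps S101 to S103 through: the header check against the MS-CFB layout yields the abnormal regions, and the sensitive-feature scan runs only over those regions. The three sample files and the list of sensitive program names are constructed assumptions for the example.

```python
from __future__ import annotations
import re
import struct
from dataclasses import dataclass

# MS-CFB header constants: the "official document" structure the patent checks against.
CFB_SIGNATURE = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FREESECT = 0xFFFFFFFE, 0xFFFFFFFF
HEADER_SIZE, DIFAT_OFFSET, DIFAT_ENTRIES = 512, 76, 109
# Sensitive features named in the patent: network links and calls to programs.
# Which program names count as sensitive is an assumption of this example.
URL_RE = re.compile(rb"(?:https?|ftp)://[\x21-\x7e]{4,}", re.IGNORECASE)
PROGRAM_RE = re.compile(rb"(?:cmd|powershell|mshta|rundll32)\.exe", re.IGNORECASE)


@dataclass
class Anomaly:
    offset: int  # start of the abnormal region in the file
    length: int  # size of the region that S103 will scan
    reason: str


def check_structure(data: bytes) -> list[Anomaly]:
    """S101/S102: compare the 512-byte header with the MS-CFB layout and return the
    abnormal regions (empty list = normal). Only the header is checked here; a full
    checker would walk the FAT, mini FAT and directory entries the same way."""
    if len(data) < HEADER_SIZE:
        return [Anomaly(0, len(data), "shorter than the 512-byte header")]
    anomalies: list[Anomaly] = []
    if data[:8] != CFB_SIGNATURE:
        anomalies.append(Anomaly(0, 8, "bad signature"))
    if data[8:24] != bytes(16):
        anomalies.append(Anomaly(8, 16, "header CLSID must be zero"))
    _minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHHH", data, 24)
    if major not in (3, 4):
        anomalies.append(Anomaly(26, 2, f"unknown major version {major}"))
    elif sector_shift != (9 if major == 3 else 12):
        anomalies.append(Anomaly(30, 2, f"sector shift {sector_shift} invalid for v{major}"))
    if byte_order != 0xFFFE:
        anomalies.append(Anomaly(28, 2, "byte order must be 0xFFFE"))
    if mini_shift != 6 or data[34:40] != bytes(6):
        anomalies.append(Anomaly(32, 8, "mini sector shift must be 6 and reserved bytes zero"))
    n_dir, n_fat, first_dir, _txn, cutoff = struct.unpack_from("<IIIII", data, 40)
    if major == 3 and n_dir != 0:
        anomalies.append(Anomaly(40, 4, "v3 files must report 0 directory sectors"))
    if cutoff != 0x1000:
        anomalies.append(Anomaly(56, 4, "mini stream cutoff must be 0x1000"))
    if sector_shift in (9, 12):
        total = (len(data) - HEADER_SIZE) >> sector_shift  # sectors the file can hold
        difat = struct.unpack_from("<%dI" % DIFAT_ENTRIES, data, DIFAT_OFFSET)
        used = [s for s in difat if s != FREESECT]
        if len(used) != min(n_fat, DIFAT_ENTRIES) or any(s >= total for s in used):
            anomalies.append(Anomaly(DIFAT_OFFSET, DIFAT_ENTRIES * 4,
                                     "DIFAT entry count or sector reference inconsistent"))
        if first_dir >= total:
            anomalies.append(Anomaly(48, 4, "directory start sector outside the file"))
    return anomalies


def find_sensitive_features(data: bytes, regions: list[Anomaly]) -> list[tuple[str, bytes]]:
    """S103: search for sensitive features only inside the given regions (ASCII only)."""
    hits = []
    for region in regions:
        segment = bytes(data[region.offset:region.offset + region.length])
        hits += [("network link", m) for m in URL_RE.findall(segment)]
        hits += [("program call", m) for m in PROGRAM_RE.findall(segment)]
    return hits


def classify(data: bytes) -> tuple[str, list[Anomaly], list[tuple[str, bytes]]]:
    """Normal structure -> normal; an abnormal structure is judged malicious only
    when a sensitive feature sits inside the abnormal region."""
    anomalies = check_structure(data)
    hits = find_sensitive_features(data, anomalies)
    return ("malicious" if hits else "normal"), anomalies, hits


def build_doc(difat: list[int], byte_order: int = 0xFFFE, body: bytes = bytes(1024)) -> bytearray:
    """Constructed minimal v3 file (header + two 512-byte sectors); not a real document."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:8] = CFB_SIGNATURE
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, byte_order, 9, 6)
    struct.pack_into("<IIIII", hdr, 40, 0, 1, 1, 0, 0x1000)  # 0 dir sectors, 1 FAT sector, dir at 1
    struct.pack_into("<IIII", hdr, 60, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    entries = difat + [FREESECT] * (DIFAT_ENTRIES - len(difat))
    struct.pack_into("<%dI" % DIFAT_ENTRIES, hdr, DIFAT_OFFSET, *entries)
    return hdr + body


# Constructed samples. NORMAL_DOC carries a benign link inside a stream sector (a full-text
# scan would flag it; the structure-guided scan does not). EXPLOIT_DOC has a link written
# over unused DIFAT slots, so the DIFAT region is abnormal. ODD_DOC is abnormal but clean.
NORMAL_DOC = bytes(build_doc([0], body=bytes(200) + b"http://example.com/report" + bytes(799)))
_exploit = build_doc([0])
_exploit[196:225] = b"http://malicious.example/drop"
EXPLOIT_DOC = bytes(_exploit)
ODD_DOC = bytes(build_doc([0], byte_order=0xFEFF))
```

Running `classify` over the three samples gives "normal" for NORMAL_DOC with no anomalies, "malicious" for EXPLOIT_DOC with one DIFAT anomaly and the embedded link as the hit, and "normal" for ODD_DOC despite its byte-order anomaly.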
The application also provides a vulnerability exploitation file detection apparatus for a composite binary document, as shown in fig. 2, including: a memory 201 and a processor 202;
the memory for storing a computer program running on the processor;
the processor, when running the computer program, implements the steps of:
acquiring a composite binary document to be detected, and verifying the file structure;
judging whether the file structure is abnormal or not, if so, further detecting, and otherwise, judging that the composite binary file to be detected is a normal file;
and further detecting sensitive characteristics in the abnormal area data segment of the file structure, if the sensitive characteristics exist, judging the composite binary file to be malicious, otherwise, judging the composite binary file to be a normal file.
In the device, verifying the file structure means judging, according to the file structure given by the official specification document, whether the composite binary document to be detected is consistent with that structure; if so, the file structure is normal, otherwise the file structure is abnormal.
In the device, the sensitive feature includes a network link or a call to a sensitive program.
A vulnerability exploiting file detecting apparatus of compound binary document, as shown in fig. 3, includes:
the checking module 301 obtains the composite binary document to be detected, and checks the file structure;
an anomaly judgment module 302, which judges whether the file structure is abnormal, if so, further detecting, otherwise, judging that the composite binary document to be detected is a normal file;
the feature detection module 303 further detects a sensitive feature in the data segment of the abnormal area in the file structure, and if the sensitive feature exists, determines that the composite binary document is malicious, otherwise determines that the composite binary document is a normal file.
In the device, verifying the file structure means judging, according to the file structure given by the official specification document, whether the composite binary document to be detected is consistent with that structure; if so, the file structure is normal, otherwise the file structure is abnormal.
In the device, the sensitive feature includes a network link or a call to a sensitive program.
The present application further provides a non-transitory computer-readable storage medium having stored thereon a computer program, which when executed by a processor, implements any of the above methods for detecting a vulnerability exploitation file of a compound binary document.
The method detects possible exploit files by checking the structure of the composite binary document. Some vulnerabilities arise precisely because the file structure contains an anomaly that the conventional processing program cannot handle correctly; exploit files built on such vulnerabilities can therefore be screened by checking the structure of the composite binary document, and the method can find exploit files that arise from new format structure errors. The sensitive features are then checked only at the positions where the file structure is abnormal, to confirm whether the file is an exploit file. This avoids the false alarms caused by searching the full text for sensitive features and further improves detection accuracy.
From the above description of the embodiments, it is clear to those skilled in the art that the present invention can be implemented by software plus necessary general hardware platform. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which may be stored in a storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
While the present invention has been described with respect to the embodiments, those skilled in the art will appreciate that there are numerous variations and permutations of the present invention without departing from the spirit of the invention, and it is intended that the appended claims cover such variations and modifications as fall within the true spirit of the invention.

Claims (10)

1. A method for detecting a vulnerability exploitation file of a composite binary document is characterized by comprising the following steps:
acquiring a composite binary document to be detected, and verifying the file structure;
judging whether the file structure is abnormal or not, if so, further detecting, and otherwise, judging that the composite binary file to be detected is a normal file;
and further detecting sensitive characteristics in the abnormal area data segment of the file structure, if the sensitive characteristics exist, judging the composite binary file to be malicious, otherwise, judging the composite binary file to be a normal file.
2. The method according to claim 1, wherein checking the file structure comprises judging, according to the structure given by the official document, whether the composite binary document to be detected is consistent with that structure; if so, the file structure is normal, otherwise the file structure is abnormal.
3. The method of claim 1, wherein the sensitive feature comprises a web link or a call to a sensitive program.
4. A vulnerability exploitation file detection device of a composite binary document is characterized by comprising: a memory and a processor;
the memory for storing a computer program running on the processor;
the processor, when running the computer program, implements the steps of:
acquiring a composite binary document to be detected, and verifying the file structure;
judging whether the file structure is abnormal or not, if so, further detecting, and otherwise, judging that the composite binary file to be detected is a normal file;
and further detecting sensitive characteristics in the abnormal area data segment of the file structure, if the sensitive characteristics exist, judging the composite binary file to be malicious, otherwise, judging the composite binary file to be a normal file.
5. The apparatus according to claim 4, wherein checking the file structure comprises judging, according to the structure given by the official document, whether the composite binary document to be detected is consistent with that structure; if so, the file structure is normal, otherwise the file structure is abnormal.
6. The apparatus of claim 4, wherein the sensitive feature comprises a network link or a call to a sensitive program.
7. A vulnerability exploitation file detection device of a composite binary document is characterized by comprising:
the checking module is used for acquiring a composite binary document to be detected and checking the file structure;
the abnormality judgment module is used for judging whether the file structure is abnormal or not, if so, further detecting, and otherwise, judging that the composite binary file to be detected is a normal file;
and the characteristic detection module is used for further detecting sensitive characteristics in the abnormal area data segment of the file structure, if the sensitive characteristics exist, the composite binary file is judged to be malicious, and if the sensitive characteristics do not exist, the composite binary file is judged to be a normal file.
8. The apparatus according to claim 7, wherein checking the file structure comprises judging, according to the structure given by the official document, whether the composite binary document to be detected is consistent with that structure; if so, the file structure is normal, otherwise the file structure is abnormal.
9. The apparatus of claim 7, wherein the sensitive feature comprises a network link or a call to a sensitive program.
10. A non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the method for detecting a vulnerability exploitation file of a composite binary document according to any one of claims 1-3.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910210484.5A (CN111723373A) 2019-03-19 2019-03-19 Vulnerability exploitation file detection method and device of composite binary document

Publications (1)

Publication Number Publication Date
CN111723373A 2020-09-29

Family

ID=72562858
Family application: CN201910210484.5A, status Pending (CN111723373A, priority and filing date 2019-03-19)
Country status: CN (1), CN111723373A

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104966019A (en) * 2014-06-16 2015-10-07 哈尔滨安天科技股份有限公司 Method and system for heuristically detecting possible threats of a document
CN105868630A (en) * 2016-03-24 2016-08-17 中国科学院信息工程研究所 Malicious PDF document detection method
CN106295337A (en) * 2015-06-30 2017-01-04 安恒通(北京)科技有限公司 Method, device and terminal for detecting malicious vulnerability files
GB201706567D0 (en) * 2017-04-25 2017-06-07 Avecto Ltd Computer device and method for handling files
CN107025407A (en) * 2017-03-22 2017-08-08 国家计算机网络与信息安全管理中心 Malicious code detection method and system for office document files
US20170293761A1 (en) * 2016-04-06 2017-10-12 Nec Laboratories America, Inc. Extraction and comparison of hybrid program binary features
CN108985064A (en) * 2018-07-16 2018-12-11 中国人民解放军战略支援部队信息工程大学 Method and device for identifying malicious documents
CN109408810A (en) * 2018-09-28 2019-03-01 东巽科技(北京)有限公司 Malicious PDF document detection method and device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
DAVIDE MAIORCA: "A structural and content-based approach for a precise and robust detection of malicious PDF files", ICISSP *
唐彰国: "File format vulnerability discovery technique based on fuzzing", 《计算机工程》 (Computer Engineering) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination