CN111723373A - Vulnerability exploitation file detection method and device of composite binary document - Google Patents
- Publication number
- CN111723373A
- Authority
- CN
- China
- Prior art keywords
- file
- composite binary
- document
- judging
- detected
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/565—Static detection by checking file integrity
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/78—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/034—Test or assess a computer or a system
Abstract
The invention provides a method and a device for detecting exploit files in composite binary documents. The method comprises the following steps: obtaining the composite binary document to be examined and verifying its file structure; judging whether the file structure is abnormal, and if not, judging the composite binary document to be a normal file; and, if the structure is abnormal, further detecting sensitive features in the data segment of the abnormal region, judging the composite binary document malicious if sensitive features are present and normal otherwise. The invention also provides a device for carrying out the method. Because the method keys on structural errors rather than on signatures, newly appearing exploit files can be detected without first extracting new features, and because sensitive features are searched for only in the structurally abnormal region, false positives are avoided and detection accuracy is further improved.
Description
Technical Field
The invention relates to the technical field of network security, in particular to a method and a device for detecting exploit files in composite binary documents.
Background
Composite binary document: the Compound File Binary Format (CFBF), also called a compound file, is a file format developed by Microsoft to implement COM structured storage; it stores the contents of several objects (storages and streams) within a single file on disk. The layout is published by Microsoft in the [MS-CFB] specification. Conventional detection of exploit files based on composite binary documents is feature-based: it looks for a particular structural tag, an incorrect numeric value at a particular offset, a malicious network link, shellcode (shellcode: a self-contained piece of machine code that performs a specific task, such as issuing system calls or spawning a shell with elevated privileges, depending on the task), and so on. Such methods do detect the exploit files whose features they encode, but they do not generalize well: whenever an exploit sample in a new form appears, new features must be extracted before it can be detected.
Because exploit files based on composite binary documents take many forms, detection by feature extraction alone is limited. Moreover, owing to the way a composite binary document is laid out, certain features are only meaningful at particular positions in the document, and searching for them at other positions risks false positives. If the position at which each feature is to be checked is not specified when the document is scanned, detection efficiency suffers greatly and false alarms may be raised.
Disclosure of Invention
Based on the above problems, this application provides a method and a device for detecting exploit files in composite binary documents. They address the need to extract new features repeatedly, which arises because an exploit file based on a composite binary document can use the vulnerability in many ways, and they address the false positives that certain features produce when the whole file is searched for them.
First, a method for detecting an exploit file in a composite binary document is provided, comprising the following steps:
obtaining the composite binary document to be examined and verifying its file structure;
judging whether the file structure is abnormal; if so, proceeding to further detection, otherwise judging the composite binary document to be a normal file;
and further detecting sensitive features in the data segment of the abnormal region of the file structure; if sensitive features are present, judging the composite binary document to be malicious, otherwise judging it to be a normal file.
In the method, verifying the file structure means judging, against the file structure given by the official specification document, whether the composite binary document to be examined is consistent with that structure; if it is, the file structure is normal, otherwise it is abnormal.
In the method, the sensitive features include a network link or a call to a sensitive program.
This application also provides a device for detecting exploit files in composite binary documents, comprising a memory and a processor;
the memory storing a computer program to be run on the processor;
the processor, when running the computer program, implementing the following steps:
obtaining the composite binary document to be examined and verifying its file structure;
judging whether the file structure is abnormal; if so, proceeding to further detection, otherwise judging the composite binary document to be a normal file;
and further detecting sensitive features in the data segment of the abnormal region of the file structure; if sensitive features are present, judging the composite binary document to be malicious, otherwise judging it to be a normal file.
In the device, verifying the file structure means judging, against the file structure given by the official specification document, whether the composite binary document to be examined is consistent with that structure; if it is, the file structure is normal, otherwise it is abnormal.
In the device, the sensitive features include a network link or a call to a sensitive program.
A device for detecting exploit files in composite binary documents comprises:
a checking module for obtaining the composite binary document to be examined and verifying its file structure;
an anomaly judgment module for judging whether the file structure is abnormal; if so, proceeding to further detection, otherwise judging the composite binary document to be a normal file;
and a feature detection module for further detecting sensitive features in the data segment of the abnormal region of the file structure; if sensitive features are present, the composite binary document is judged to be malicious, otherwise it is judged to be a normal file.
In the device, verifying the file structure means judging, against the file structure given by the official specification document, whether the composite binary document to be examined is consistent with that structure; if it is, the file structure is normal, otherwise it is abnormal.
In the device, the sensitive features include a network link or a call to a sensitive program.
The present application further provides a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements any of the above methods for detecting exploit files in composite binary documents.
The method detects possible exploit files by checking the structure of the composite binary document. Some vulnerabilities arise precisely because the file structure is abnormal and the ordinary parsing routine cannot handle the abnormality correctly. Exploit files for vulnerabilities of this kind can therefore be screened out by checking the document structure, and the method can find exploit files built around format-structure errors that have not been seen before. Sensitive features are then checked only at the positions where the structure is abnormal, to confirm whether the file really is an exploit file; this avoids the false positives that searching the whole file for sensitive features would produce, and so further improves detection accuracy.
Drawings
To illustrate the technical solutions of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below show only some embodiments of the present invention; those skilled in the art can derive other drawings from them without creative effort.
FIG. 1 is a flow chart of an embodiment of the method for detecting exploit files in composite binary documents;
FIG. 2 is a schematic structural diagram of a device for detecting exploit files in composite binary documents;
FIG. 3 is a schematic structural diagram of another device for detecting exploit files in composite binary documents.
Detailed Description
To make the technical solutions in the embodiments of the present invention better understood, and the above objects, features and advantages more comprehensible, the technical solutions are described in further detail below with reference to the accompanying drawings.
First, a method for detecting an exploit file in a composite binary document is provided, as shown in FIG. 1, comprising:
S101: obtaining the composite binary document to be examined and verifying its file structure;
S102: judging whether the file structure is abnormal; if so, proceeding to further detection, otherwise judging the composite binary document to be a normal file;
S103: further detecting sensitive features in the data segment of the abnormal region of the file structure; if sensitive features are present, judging the composite binary document to be malicious, otherwise judging it to be a normal file.
In the method, verifying the file structure means judging, against the file structure given by the official specification document, whether the composite binary document to be examined is consistent with that structure; if it is, the file structure is normal, otherwise it is abnormal.
In the method, the sensitive features include a network link or a call to a sensitive program.
For a clearer understanding of the method, a practical case is given by way of illustration:
Suppose a new vulnerability is a verification error in the structure at a certain position of the file, and that a malicious web address can be written at the position where the file structure is abnormal, so that the document connects to that address and a malicious operation is carried out. If the address has not appeared before, a conventional feature-based detector has no feature for it and cannot detect the file. If, instead, any data matching the format of a web address is used as the feature and the whole file is searched for it, the legitimate addresses that normal composite binary documents routinely contain will be reported as false positives.
With a format-check-based approach, however, files with an abnormal structure are screened out first, and the exploit file for the new vulnerability is detected by searching only the structurally abnormal region for sensitive features, where data that merely looks like a web address is already suspect. Because sensitive features are checked only in the vicinity of the structural abnormality, normal files are not falsely reported.
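The procedure of S101 to S103 and the practical case above, as an added worked example that is not part of the patent and not code from its applicant: a Python validator that checks a compound file's header, FAT chains and directory entries against the MS-CFB layout, records each abnormal region with its offset and length, and then searches only those regions for the sensitive features the patent names (network links and sensitive program names). The sample files are constructed inline. The rogue directory entry, the list of program names, and the addresses `dropper.example` and `www.example.com` are assumptions made for this example, not anything taken from the patent.

```python
import re
import struct

SIGNATURE = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # MS-CFB magic; the header is always 512 bytes
FREESECT, ENDOFCHAIN, FATSECT, MAXREGSECT, NOSTREAM = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFA, 0xFFFFFFFF
# Sensitive features in the patent's sense: a URL or a sensitive program name (this list is an assumption).
URL_RE = re.compile(rb"(?:https?|ftp)://[\w.\-]+(?:/[\w.\-/%?=&]*)?", re.I)
PROGRAMS = (b"cmd.exe", b"powershell", b"mshta", b"rundll32", b"regsvr32", b"wscript", b"cscript")

def check_structure(data):
    """S101/S102: validate header, FAT chains and directory entries; one (offset, length, reason) per abnormal region."""
    if len(data) < 512 or data[:8] != SIGNATURE:
        return [(0, min(len(data), 512), "missing CFB signature or truncated header")]
    major, byte_order, sec_shift = struct.unpack_from("<3H", data, 0x1A)
    n_fat, first_dir, _txn, cutoff = struct.unpack_from("<4I", data, 0x2C)
    if byte_order != 0xFFFE or (major, sec_shift) not in ((3, 9), (4, 12)):
        return [(0x1A, 6, "version, byte order or sector shift outside the specification")]
    sector_size = 1 << sec_shift
    n_sectors, slack = divmod(len(data) - 512, sector_size)
    anomalies = [(len(data) - slack, slack, "trailing bytes after the last whole sector")] if slack else []
    # Load the FAT from the sectors named in the header DIFAT (assumption: no DIFAT sectors, i.e. small files).
    difat, fat = struct.unpack_from("<109I", data, 0x4C), []
    for i in range(min(n_fat, 109)):
        if difat[i] >= n_sectors:
            anomalies.append((0x4C + 4 * i, 4, "DIFAT entry points outside the file"))
        else:
            fat += struct.unpack_from("<%dI" % (sector_size // 4), data, 512 + difat[i] * sector_size)

    def walk(start):  # follow a FAT chain; returns (sectors, bad_sid or None)
        chain, sid = [], start
        while sid != ENDOFCHAIN:
            if sid > MAXREGSECT or sid >= min(n_sectors, len(fat)) or sid in chain:
                return chain, sid
            chain.append(sid)
            sid = fat[sid]
        return chain, None

    dir_chain, bad = walk(first_dir)
    if bad is not None or not dir_chain:  # the sector whose FAT entry broke the chain is the abnormal region
        where = (0x30, 4) if not dir_chain else (512 + dir_chain[-1] * sector_size, sector_size)
        anomalies.append(where + ("directory FAT chain missing or broken",))
    per_sector, n_entries = sector_size // 128, len(dir_chain) * (sector_size // 128)
    for idx in range(n_entries):
        off = 512 + dir_chain[idx // per_sector] * sector_size + (idx % per_sector) * 128
        name_len, obj_type = struct.unpack_from("<HB", data, off + 0x40)
        start, size = struct.unpack_from("<IQ", data, off + 0x74)
        problems = []
        if obj_type not in (0, 1, 2, 5) or name_len > 64 or name_len % 2:
            problems.append("invalid object type or name length")
        # Streams below the cutoff live in the mini stream, which this example does not follow.
        if (obj_type == 2 and size >= cutoff) or (obj_type == 5 and size > 0):
            chain, bad = walk(start)
            if bad is not None and chain:
                anomalies.append((512 + chain[-1] * sector_size, sector_size, "stream FAT chain broken after sector %d" % chain[-1]))
            elif bad is not None or len(chain) * sector_size < size:
                problems.append("start sector outside the file or FAT chain shorter than stream size")
        if problems:
            anomalies.append((off, 128, "directory entry %d: %s" % (idx, "; ".join(problems))))
    return anomalies

def scan_sensitive(region):
    """S103: find URLs and sensitive program names in the raw bytes and in a NUL-stripped copy,
    so ASCII stored as UTF-16LE (for example a directory entry name) is seen as well."""
    hits = set()
    for view in (region, region.replace(b"\x00", b"")):
        hits.update(m.group(0).decode("latin-1") for m in URL_RE.finditer(view))
        hits.update(p.decode() for p in PROGRAMS if p in view.lower())
    return sorted(hits)

def classify(data):
    """The patent's rule: no anomaly -> normal; a sensitive feature inside an abnormal region ->
    malicious; an anomaly with no such feature -> normal. Returns (verdict, anomalies, hits)."""
    anomalies = check_structure(data)
    hits = set()
    for off, length in {(o, n) for o, n, _ in anomalies}:
        hits.update(scan_sensitive(data[off:off + length]))
    return ("malicious" if hits else "normal"), anomalies, sorted(hits)

def _dir_entry(name, obj_type, child, start, size):
    raw = name.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<64sHBBIII16sIQQIQ", raw, len(raw) if name else 0, obj_type, 1,
                       NOSTREAM, NOSTREAM, child, b"\x00" * 16, 0, 0, 0, start, size)

def build_sample(rogue_name=None):
    """Constructed input: a minimal version-3 compound file (FAT in sector 0, directory in sector 1,
    one 4096-byte stream in sectors 2-9) whose body holds an ordinary hyperlink. With rogue_name given,
    unused directory entry 2 becomes an invalid entry (name length 256, start sector 64 in a 10-sector
    file) whose name field carries those bytes: the scenario of the patent's practical case."""
    header = SIGNATURE + b"\x00" * 16 + struct.pack(
        "<5H6x9I", 0x3E, 3, 0xFFFE, 9, 6, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    header += struct.pack("<109I", 0, *([FREESECT] * 108))
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, 10)) + [ENDOFCHAIN] + [FREESECT] * 118
    entries = [_dir_entry("Root Entry", 5, 1, ENDOFCHAIN, 0), _dir_entry("Data", 2, NOSTREAM, 2, 4096),
               _dir_entry("", 0, NOSTREAM, 0, 0), _dir_entry("", 0, NOSTREAM, 0, 0)]
    if rogue_name is not None:
        entries[2] = struct.pack("<64sHBBIII16sIQQIQ", rogue_name[:64], 0x0100, 2, 1, NOSTREAM,
                                 NOSTREAM, NOSTREAM, b"\x00" * 16, 0, 0, 0, 64, 4096)
    body = (b"Quarterly report, see https://www.example.com/report for details. " * 64)[:4096]
    return header + struct.pack("<128I", *fat) + b"".join(entries) + body
```

Running `classify` on the three constructed inputs gives: the benign file is judged normal although its body contains a hyperlink, which a full-file `scan_sensitive` would report (this is the false positive the patent sets out to avoid); the file with the rogue entry is judged malicious, with the URL found inside the 128-byte abnormal region; and the file with a rogue entry but no feature is judged normal, which is the patent's rule but also its weak spot, since a structurally broken document is worth logging on its own. In practice the abnormal region should be widened to at least the enclosing sector, as the chain checks above already do, because a payload is rarely confined to the corrupted field itself; mini-stream chains, DIFAT sectors and the directory's red-black sibling tree are not validated here.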
The present application also provides a device for detecting exploit files in composite binary documents, as shown in FIG. 2, comprising: a memory 201 and a processor 202;
the memory storing a computer program to be run on the processor;
the processor, when running the computer program, implementing the following steps:
obtaining the composite binary document to be examined and verifying its file structure;
judging whether the file structure is abnormal; if so, proceeding to further detection, otherwise judging the composite binary document to be a normal file;
and further detecting sensitive features in the data segment of the abnormal region of the file structure; if sensitive features are present, judging the composite binary document to be malicious, otherwise judging it to be a normal file.
In the device, verifying the file structure means judging, against the file structure given by the official specification document, whether the composite binary document to be examined is consistent with that structure; if it is, the file structure is normal, otherwise it is abnormal.
In the device, the sensitive features include a network link or a call to a sensitive program.
A device for detecting exploit files in composite binary documents, as shown in FIG. 3, comprises:
a checking module 301, which obtains the composite binary document to be examined and verifies its file structure;
an anomaly judgment module 302, which judges whether the file structure is abnormal and, if so, proceeds to further detection, otherwise judges the composite binary document to be a normal file;
and a feature detection module 303, which further detects sensitive features in the data segment of the abnormal region of the file structure and, if sensitive features are present, judges the composite binary document to be malicious, otherwise judges it to be a normal file.
In the device, verifying the file structure means judging, against the file structure given by the official specification document, whether the composite binary document to be examined is consistent with that structure; if it is, the file structure is normal, otherwise it is abnormal.
In the device, the sensitive features include a network link or a call to a sensitive program.
The present application further provides a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements any of the above methods for detecting exploit files in composite binary documents.
The method detects possible exploit files by checking the structure of the composite binary document. Some vulnerabilities arise precisely because the file structure is abnormal and the ordinary parsing routine cannot handle the abnormality correctly. Exploit files for vulnerabilities of this kind can therefore be screened out by checking the document structure, and the method can find exploit files built around format-structure errors that have not been seen before. Sensitive features are then checked only at the positions where the structure is abnormal, to confirm whether the file really is an exploit file; this avoids the false positives that searching the whole file for sensitive features would produce, and so further improves detection accuracy.
From the above description of the embodiments, those skilled in the art will understand that the present invention can be implemented by software together with a necessary general-purpose hardware platform. On that understanding, the technical solution of the present invention may be embodied as a software product stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disk, containing instructions that cause a computer device (a personal computer, a server, a network device, etc.) to execute the method of the embodiments or parts of it.
The embodiments in this specification are described progressively: each focuses on its differences from the others, and the same or similar parts can be understood by reference to one another. In particular, the system embodiment is substantially similar to the method embodiment, so its description is brief and the relevant points can be found in the description of the method embodiment.
While the present invention has been described with respect to particular embodiments, those skilled in the art will appreciate that numerous variations and permutations are possible without departing from the spirit of the invention, and the appended claims are intended to cover such variations and modifications as fall within its true spirit.
Claims (10)
1. A method for detecting an exploit file in a composite binary document, characterized by comprising the following steps:
obtaining the composite binary document to be examined and verifying its file structure;
judging whether the file structure is abnormal; if so, proceeding to further detection, otherwise judging the composite binary document to be a normal file;
and further detecting sensitive features in the data segment of the abnormal region of the file structure; if sensitive features are present, judging the composite binary document to be malicious, otherwise judging it to be a normal file.
2. The method according to claim 1, wherein verifying the file structure comprises judging, against the file structure given by the official specification document, whether the composite binary document to be examined is consistent with that structure; if so, the file structure is normal, otherwise it is abnormal.
3. The method according to claim 1, wherein the sensitive features comprise a network link or a call to a sensitive program.
4. A device for detecting an exploit file in a composite binary document, characterized by comprising: a memory and a processor;
the memory storing a computer program to be run on the processor;
the processor, when running the computer program, implementing the following steps:
obtaining the composite binary document to be examined and verifying its file structure;
judging whether the file structure is abnormal; if so, proceeding to further detection, otherwise judging the composite binary document to be a normal file;
and further detecting sensitive features in the data segment of the abnormal region of the file structure; if sensitive features are present, judging the composite binary document to be malicious, otherwise judging it to be a normal file.
5. The device according to claim 4, wherein verifying the file structure comprises judging, against the file structure given by the official specification document, whether the composite binary document to be examined is consistent with that structure; if so, the file structure is normal, otherwise it is abnormal.
6. The device according to claim 4, wherein the sensitive features comprise a network link or a call to a sensitive program.
7. A device for detecting an exploit file in a composite binary document, characterized by comprising:
a checking module for obtaining the composite binary document to be examined and verifying its file structure;
an anomaly judgment module for judging whether the file structure is abnormal; if so, proceeding to further detection, otherwise judging the composite binary document to be a normal file;
and a feature detection module for further detecting sensitive features in the data segment of the abnormal region of the file structure; if sensitive features are present, the composite binary document is judged to be malicious, otherwise it is judged to be a normal file.
8. The device according to claim 7, wherein verifying the file structure comprises judging, against the file structure given by the official specification document, whether the composite binary document to be examined is consistent with that structure; if so, the file structure is normal, otherwise it is abnormal.
9. The device according to claim 7, wherein the sensitive features comprise a network link or a call to a sensitive program.
10. A non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements the method for detecting an exploit file in a composite binary document according to any one of claims 1 to 3.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910210484.5A CN111723373A (en) | 2019-03-19 | 2019-03-19 | Vulnerability exploitation file detection method and device of composite binary document |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910210484.5A CN111723373A (en) | 2019-03-19 | 2019-03-19 | Vulnerability exploitation file detection method and device of composite binary document |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111723373A (en) | 2020-09-29 |
Family
ID=72562858
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910210484.5A Pending CN111723373A (en) | 2019-03-19 | 2019-03-19 | Vulnerability exploitation file detection method and device of composite binary document |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111723373A (en) |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104966019A (en) * | 2014-06-16 | 2015-10-07 | 哈尔滨安天科技股份有限公司 | Method and system for heuristically detecting possible threats of a document |
CN105868630A (en) * | 2016-03-24 | 2016-08-17 | 中国科学院信息工程研究所 | Malicious PDF document detection method |
CN106295337A (en) * | 2015-06-30 | 2017-01-04 | 安恒通(北京)科技有限公司 | For detecting the malice method of leak file, device and terminal |
GB201706567D0 (en) * | 2017-04-25 | 2017-06-07 | Avecto Ltd | Computer device and method for handling files |
CN107025407A (en) * | 2017-03-22 | 2017-08-08 | 国家计算机网络与信息安全管理中心 | The malicious code detecting method and system of a kind of office document files |
US20170293761A1 (en) * | 2016-04-06 | 2017-10-12 | Nec Laboratories America, Inc. | Extraction and comparison of hybrid program binary features |
CN108985064A (en) * | 2018-07-16 | 2018-12-11 | 中国人民解放军战略支援部队信息工程大学 | A kind of method and device identifying malice document |
CN109408810A (en) * | 2018-09-28 | 2019-03-01 | 东巽科技(北京)有限公司 | A kind of malice PDF document detection method and device |
- 2019-03-19: CN201910210484.5A filed (published as CN111723373A), status Pending
Non-Patent Citations (2)
Title |
---|
DAVIDE MAIORCA: "A structural and content-based approach for a precise and robust detection of malicious PDF files", ICISSP |
唐彰国: "基于Fuzzing的文件格式漏洞挖掘技术" (Fuzzing-based file format vulnerability discovery techniques), 《计算机工程》 (Computer Engineering) |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
KR101724307B1 (en) | Method and system for detecting a malicious code | |
KR101337874B1 (en) | System and method for detecting malwares in a file based on genetic map of the file | |
CN102542201B (en) | Detection method and system for malicious codes in web pages | |
US10558801B2 (en) | System and method for detection of anomalous events based on popularity of their convolutions | |
CN113489713B (en) | Network attack detection method, device, equipment and storage medium | |
CN102932370B (en) | A kind of security sweep method, equipment and system | |
CN108156121B (en) | Traffic hijacking monitoring method and device and traffic hijacking alarm method and device | |
US20140310560A1 (en) | Method and apparatus for module repair in software | |
CN106250761B (en) | Equipment, device and method for identifying web automation tool | |
CN113055399A (en) | Attack success detection method, system and related device for injection attack | |
US11550920B2 (en) | Determination apparatus, determination method, and determination program | |
CN107103243B (en) | Vulnerability detection method and device | |
KR20190020963A (en) | Protecting personal information leakage interception system | |
CN108959915B (en) | Rootkit detection method, rootkit detection device and server | |
CN108268775B (en) | Web vulnerability detection method and device, electronic equipment and storage medium | |
CN111723373A (en) | Vulnerability exploitation file detection method and device of composite binary document | |
CN108171014B (en) | Method and system for detecting RTF suspicious file and storage medium | |
KR101725399B1 (en) | Apparatus and method for detection and execution prevention for malicious script based on host level | |
CN102598008A (en) | Windows kernel alteration searching method | |
KR101572239B1 (en) | Apparatus and system for detection and execution prevention for malicious script in user browser level | |
KR20130077184A (en) | Homepage infected with a malware detecting device and method | |
CN107330327B (en) | Infected file detection method, server, processing method, device and detection system | |
CN113129004A (en) | Transaction security detection method and device | |
CN112565298A (en) | Vulnerability scanning method and device and electronic equipment | |
KR100977150B1 (en) | Method and system for testing web site |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination ||