CN112395149B - Script behavior identification method and device, storage medium and computer equipment - Google Patents
Script behavior identification method and device, storage medium and computer equipment Download PDFInfo
- Publication number
- CN112395149B CN112395149B CN201910755855.8A CN201910755855A CN112395149B CN 112395149 B CN112395149 B CN 112395149B CN 201910755855 A CN201910755855 A CN 201910755855A CN 112395149 B CN112395149 B CN 112395149B
- Authority
- CN
- China
- Prior art keywords
- thread
- script
- module
- behavior
- instruction execution
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 157
- 238000012544 monitoring process Methods 0.000 claims abstract description 130
- 230000008569 process Effects 0.000 claims abstract description 113
- 230000006399 behavior Effects 0.000 claims abstract description 108
- 238000012545 processing Methods 0.000 claims abstract description 16
- 238000004891 communication Methods 0.000 claims description 15
- 206010000117 Abnormal behaviour Diseases 0.000 claims description 13
- 238000012986 modification Methods 0.000 claims description 5
- 230000004048 modification Effects 0.000 claims description 5
- 206010001488 Aggression Diseases 0.000 abstract description 6
- 208000012761 aggressive behavior Diseases 0.000 abstract description 6
- 230000016571 aggressive behavior Effects 0.000 abstract description 6
- 230000007123 defense Effects 0.000 abstract description 4
- 239000010410 layer Substances 0.000 description 6
- 238000010586 diagram Methods 0.000 description 5
- 230000008901 benefit Effects 0.000 description 4
- 238000004590 computer program Methods 0.000 description 2
- 230000006870 function Effects 0.000 description 2
- 238000004422 calculation algorithm Methods 0.000 description 1
- 238000013523 data management Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000011022 operating instruction Methods 0.000 description 1
- 230000002093 peripheral effect Effects 0.000 description 1
- 239000011241 protective layer Substances 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/3051—Monitoring arrangements for monitoring the configuration of the computing system or of the computing system component, e.g. monitoring the presence of processing resources, peripherals, I/O links, software programs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
Landscapes
- Engineering & Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Quality & Reliability (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention discloses a script behavior identification method and device, a storage medium and computer equipment, relates to the technical field of network security, and mainly aims to solve the problems that when vulnerability defense is carried out, only an instruction execution sequence in a script is monitored, aggressive behaviors cannot be identified, vulnerability protection fails, monitoring of script behaviors is influenced, and therefore potential safety hazards of vulnerability protection in network security are generated. The method comprises the following steps: configuring an API (application program interface) calling parameter in a target monitoring event, suspending a process for executing the target monitoring event when the API calling parameter is monitored to be called, and acquiring an instruction execution sequence in the process; judging whether the instruction execution sequence returns to the script module for execution; and if the instruction execution sequence is not returned to the script module for execution, determining a script behavior corresponding to the instruction execution sequence according to the thread creation state of the process, and processing the process according to the script behavior.
Description
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method and an apparatus for identifying a script behavior, a storage medium, and a computer device.
Background
The script is composed of a plurality of instruction execution sequences, and behaviors corresponding to the instruction execution sequences are executed through a script compiler. At present, in an existing system, because an execution instruction sequence in a script is written by technicians according to different requirements in a combined manner, the existing system often has a normal instruction execution sequence, when vulnerability defense is performed, only the instruction execution sequence in the script is monitored, aggressive behaviors cannot be identified, vulnerability protection failure is caused, monitoring of script behaviors is influenced, and therefore potential safety hazards of vulnerability protection in network safety are generated.
Disclosure of Invention
In view of the above, the present invention provides a method and an apparatus for identifying a script behavior, a storage medium, and a computer device, and mainly aims to solve the problem that when vulnerability defense is performed, only an instruction execution sequence in a script is monitored, an aggressive behavior cannot be identified, vulnerability protection fails, monitoring of the script behavior is affected, and thus potential safety hazards of vulnerability protection in network security are generated.
According to an aspect of the present invention, there is provided a method for identifying script behavior, including:
configuring an API call parameter in a target monitoring event, suspending a process for executing the target monitoring event when the API call parameter is monitored to be called, and acquiring an instruction execution sequence in the process;
judging whether the instruction execution sequence returns to the script module for execution;
and if the instruction execution sequence does not return to the script module for execution, determining script behaviors corresponding to the instruction execution sequence according to the thread creation state of the process, and processing the process according to the script behaviors.
Further, the configuring an API call parameter in a target monitoring event, when it is monitored that the API call parameter is called, suspending a process executing the target monitoring event, and acquiring an instruction execution sequence in the process includes:
when a process for executing a target monitoring event is monitored, suspending the process and judging whether an execution main body of the process accords with a preset monitoring main body range;
and if the execution main body accords with a preset monitoring main body range, acquiring the instruction execution sequence in the user state.
Further, if the instruction execution sequence does not return to the script module for execution, determining a script behavior corresponding to the instruction execution sequence according to the thread creation state of the process, and processing the process according to the script behavior includes:
if the instruction execution sequence does not return to the script module for execution, searching a parent thread in the process according to a thread ID data table and judging whether the parent thread is a script thread or not;
if the father thread is a script thread, outputting the target monitoring event corresponding to the script behavior determined as the abnormal behavior;
and if the father thread is not the script thread, releasing the target monitoring event corresponding to the script behavior determined as the normal behavior.
Further, after the determining whether the instruction execution sequence returns to the script module for execution, the method further includes:
if the instruction execution sequence returns to the script module for execution, judging whether to execute the thread creating event;
if a thread creating event is executed, ID marking of a script thread is carried out on the created thread and a sub-thread corresponding to the thread, a father thread corresponding to the thread and the sub-thread is searched according to a thread ID data table, and whether the father thread is the script thread or not is judged;
if the father thread is a script thread, outputting the target monitoring event corresponding to the script behavior determined as abnormal behavior;
and if the father thread is not the script thread, releasing the target monitoring event corresponding to the script behavior determined as the normal behavior.
Further, after determining whether to execute creating a thread event, the method further includes:
and if the thread creating event is not executed, outputting the target monitoring event to an application layer.
Further, the method further comprises:
and if the execution main body does not accord with the preset monitoring main body range, releasing the target monitoring event.
Further, the target monitoring event comprises a process creation, a file reading and writing, a registry modification and a thread creation.
According to an aspect of the present invention, there is provided an apparatus for identifying a script behavior, including:
the system comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for configuring an API (application program interface) calling parameter in a target monitoring event, suspending a process for executing the target monitoring event when the API calling parameter is monitored to be called, and acquiring an instruction execution sequence in the process;
the judging module is used for judging whether the instruction execution sequence returns to the script module for execution;
and the determining module is used for determining the script behavior corresponding to the instruction execution sequence according to the thread creation state of the process if the instruction execution sequence does not return to the script module for execution, and processing the process according to the script behavior.
Further, the acquisition module comprises:
the system comprises a judging unit, a monitoring unit and a monitoring unit, wherein the judging unit is used for suspending a process when the process for executing a target monitoring event is monitored, and judging whether an execution main body of the process accords with a preset monitoring main body range;
and the acquisition unit is used for acquiring the instruction execution sequence in the user state if the execution main body accords with a preset monitoring main body range.
Further, the determining module includes:
a determining unit, configured to, if the instruction execution sequence does not return to the script module for execution, search a parent thread in the process according to a thread ID data table and determine whether the parent thread is a script thread;
the output unit is used for outputting the target monitoring event corresponding to the script behavior determined as the abnormal behavior if the father thread is the script thread;
and the releasing unit is used for releasing the target monitoring event corresponding to the script behavior determined as the normal behavior if the father thread is not the script thread.
Further, the apparatus further comprises: a search module, an output module, a release module,
the judging module is also used for judging whether to execute the thread creating event or not if the instruction execution sequence returns to the script module for execution;
the searching module is used for carrying out ID marking of a script thread on the created thread and a sub-thread corresponding to the thread if a thread creating event is executed, searching a father thread corresponding to the thread and the sub-thread according to a thread ID data table, and judging whether the father thread is the script thread or not;
the output module is used for outputting the target monitoring event corresponding to the script behavior determined as the abnormal behavior if the father thread is the script thread;
and the releasing module is used for releasing the target monitoring event corresponding to the script behavior determined as the normal behavior if the father thread is not the script thread.
Further, the output module is configured to output the target monitoring event to an application layer if the thread creating event is not executed.
Further, the release module is configured to release the target monitoring event if the execution subject does not meet a preset monitoring subject range.
Further, the target monitoring event comprises a process creation, a file reading and writing, a registry modification and a thread creation.
According to another aspect of the present invention, there is provided a storage medium having at least one executable instruction stored therein, the executable instruction causing a processor to perform operations corresponding to the method for identifying a script behavior as described above.
According to still another aspect of the present invention, there is provided a computer apparatus including: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction enables the processor to execute the operation corresponding to the identification method of the script behavior.
By means of the technical scheme, the technical scheme provided by the embodiment of the invention at least has the following advantages:
the invention provides a script behavior identification method and device, a storage medium and computer equipment, compared with the existing kernel system that the execution instruction sequence in the script is written by technicians according to different requirements in a combined manner, when vulnerability defense is carried out, only the instruction execution sequence in the script is monitored, and aggressive behaviors cannot be identified, so that vulnerability protection failure is caused.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various additional advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a flow chart of a method for identifying script behavior according to an embodiment of the present invention;
FIG. 2 is a flow chart of another method for identifying script behavior provided by an embodiment of the invention;
FIG. 3 is a diagram illustrating a flow of identifying script behavior according to an embodiment of the present invention;
FIG. 4 is a block diagram of an apparatus for identifying script behavior according to an embodiment of the present invention;
FIG. 5 is a block diagram of another apparatus for identifying script behavior provided by an embodiment of the invention;
fig. 6 shows a schematic structural diagram of a terminal according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
An embodiment of the present invention provides a method for identifying a script behavior, as shown in fig. 1, where the method includes:
101. configuring an API calling parameter in a target monitoring event, when the API calling parameter is called, suspending a process for executing the target monitoring event, and acquiring an instruction execution sequence in the process.
In the embodiment of the invention, in order to monitor different events executed by a script thread, the event executed by a calling script thread is configured as a monitoring point in advance, and the target monitoring event comprises a process creation, a file reading and writing, a registry modification and a thread creation, so that when the process of executing the target monitoring event is monitored, the process is suspended. The method for suspending the process can hook the process through a hook function so as to execute the sequence process acquisition on the instruction executed in the process. In addition, when monitoring the target monitoring event, an API call parameter in the monitored target monitoring event needs to be configured, and when the API call parameter is monitored, the process of the target monitoring event is suspended, so as to monitor the instruction execution sequence of the process.
It should be noted that when a script thread included in the kernel process runs, an instruction execution sequence run by a thread of the application layer is traced back, so as to obtain the instruction execution sequence.
102. And judging whether the instruction execution sequence returns to the script module for execution.
For the embodiment of the present invention, since the instruction execution sequence with the malicious purpose expects corresponding operations to be performed on the script module, in order to determine whether the script behavior corresponding to the instruction execution sequence executes the malicious behavior, it is determined whether the instruction execution sequence returns to the script module for execution. Specifically, the script module that determines whether to return includes a script module scrubj.dll that provides a functional interface of the sct script file, a script module scrrun.dll that provides an interface of the script read-write file, and jscript.dll and vbscript.dll, which are not specifically limited in the embodiment of the present invention.
103. And if the instruction execution sequence does not return to the script module for execution, determining script behaviors corresponding to the instruction execution sequence according to the thread creation state of the process, and processing the process according to the script behaviors.
Because the instruction execution sequence executed by the script module which is not returned can still be attacked or maliciously modified, if the instruction execution sequence is not returned to the script module for execution, the script behavior corresponding to the instruction execution sequence is determined according to the thread creation state of the process, so that the process is processed according to the script behavior. The thread creating state is to determine whether to create a thread event in the script module, so as to determine a script behavior according to the created thread state or the non-created thread state, thereby performing output processing or release processing on the process.
The invention provides a script behavior identification method, which is compared with the failure of vulnerability protection caused by the fact that in the conventional kernel system, because an execution instruction sequence in a script is written by technicians according to different requirements in a combined manner, when vulnerability protection is carried out, only the instruction execution sequence in the script is monitored, and aggressive behaviors cannot be identified.
An embodiment of the present invention provides another method for identifying a script behavior, where as shown in fig. 3, the method includes:
201. when a process for executing the target monitoring event is monitored, suspending the process and judging whether an execution main body of the process accords with a preset monitoring main body range.
For the embodiment of the invention, in order to further limit whether the execution main body of the process which monitors the target monitoring event is a main body object which needs to be monitored, so as to improve the monitoring efficiency, after the process is suspended, whether the execution main body of the process conforms to the preset monitoring main body range is judged. The preset monitoring subject range is a subject object which is set in the kernel system according to different monitoring requirements and executes the execution of the execution target monitoring time, and the embodiment of the present invention is not particularly limited.
It should be noted that, as to the script attack type of the target monitoring event, the script thread may call shelxecute to create a new thread to create a white process, for example, processes such as xcopy and the like reach a copy file, the script thread directly reads a file and creates a process, and the script thread directly sends a wmi request.
202a, if the execution main body accords with a preset monitoring main body range, acquiring the instruction execution sequence in the user state.
The user mode is resource data which can be acquired by other programs, only limited access to the memory is available, peripheral equipment is not allowed to be accessed, and the cpu capacity is not occupied. In the embodiment of the invention, when the execution subject accords with the preset subject range, the instruction execution sequence of the process in the user state is acquired, namely the instruction execution sequence in the user state is called into the kernel by the current kernel system in a calling mode for protection monitoring, so that the recognition monitoring of the kernel-level script behavior is realized. In addition, because the script behavior in the system kernel is identified, the identification of the script behavior in the embodiment of the present invention may be applied to both the terminal and the server, and the embodiment of the present invention is not particularly limited.
For the embodiment of the present invention, in step 202b, which is parallel to step 202a, if the execution subject does not meet the preset monitoring subject range, the target monitoring event is released.
If the execution main body does not accord with the preset monitoring main body range, the execution main body of the process is not the monitoring object identified by the script behavior in the embodiment of the invention, so that the target monitoring event can be directly released, and the target monitoring event can be continuously operated.
203. And judging whether the instruction execution sequence returns to the script module for execution.
This step is the same as step 102 shown in fig. 1, and is not described herein again.
204a, if the instruction execution sequence does not return to the script module for execution, looking up a parent thread in the process according to a thread ID data table and judging whether the parent thread is a script thread.
In the embodiment of the invention, when the instruction execution sequence does not return to the script module for execution, whether a parent thread in the executed process is a script thread is further judged. Specifically, when a new thread is created, each thread is marked with an ID to determine a relationship chain corresponding to the thread, where the relationship chain includes both parent threads IDs corresponding to different threads and child threads IDs corresponding to different threads, so as to determine whether the parent threads in the process are script threads by using all parent threads found in the thread ID data table, as shown in fig. 3.
205a, if the parent thread is a script thread, outputting the target monitoring event corresponding to the script behavior determined as the abnormal behavior.
In the embodiment of the invention, when a father thread in the process is found to be a script thread from the thread ID data table, the script behavior executed by the process is shown to be an abnormal behavior, the target monitoring event is output to the application layer so that the protective layer can monitor the target monitoring event, and the interception or release of the target monitoring event is determined according to the returned monitoring result.
In the embodiment of the present invention, 205b, which is parallel to step 205a, if the parent thread is not a script thread, the target monitoring event corresponding to the script behavior determined as the normal behavior is released.
In the embodiment of the invention, when the father thread is not the script thread found from the thread ID data table, the script behavior executed by the process is the normal behavior, and the target monitoring event is released so as to be convenient for the normal operation of the target monitoring event.
In the embodiment of the present invention, in step 204b, which is parallel to step 204a, if the instruction execution sequence returns to the script module for execution, it is determined whether to execute the create thread event.
Because the father thread is prevented from being output for the process of the script thread, the monitoring times are reduced, the monitoring efficiency is improved, and after the instruction execution sequence returns to the script module for execution, whether the thread event is executed and created is judged, so that the father thread is inquired in the thread ID data table according to the relation chain of the son thread and the father thread determined by the thread.
In the embodiment of the present invention, in step 205c after step 204b, if the created thread event is executed, ID tagging of the script thread is performed on the created thread and the child thread corresponding to the thread, and a parent thread corresponding to the thread and the child thread is searched according to a thread ID data table, so as to determine whether the parent thread is the script thread.
In order to determine the relationship chain state of the created thread in the created thread event, after the created thread event is executed, the created thread and the corresponding sub-thread are subjected to ID marking of the script thread, and whether a parent thread corresponding to the thread and the sub-thread after the ID marking is a script thread or not is inquired in a thread ID database. The thread for ID marking comprises the mark of the current thread, the mark of the sub-thread of the current thread and the mark of the sub-thread of the current sub-thread, thereby forming a relation chain, and the marked ID is marked according to the father/sub-thread relation in the thread ID data table, therefore, the father thread of each thread can be found out according to the thread ID data table, and whether the father thread is a script thread is judged.
For the embodiment of the present invention, in step 206a after step 205c, if the parent thread is a script thread, the target monitoring event corresponding to the script behavior determined as the abnormal behavior is output.
The step is the same as the step 205a, and is not described herein again.
For the embodiment of the present invention, in step 206b parallel to step 206a, if the parent thread is not a script thread, the target monitoring event corresponding to the script behavior determined as the normal behavior is released.
The method in this step is the same as that in step 205b, and is not described herein again.
For the embodiment of the present invention, in step 205d, which is parallel to step 205c, if the thread creating event is not executed, the target monitoring event is output to the application layer.
In order to improve the protection accuracy of the instruction execution sequence returned to the script module for execution, when the instruction execution sequence is returned to the script module for execution, a thread event is not created, and a target monitoring event is directly output so as to further monitor the target monitoring event, thereby improving the monitoring efficiency.
The invention provides another method for identifying script behaviors, the embodiment of the invention judges whether an instruction execution sequence in the process returns to a script module for execution or not by monitoring the process of a target monitoring event, if the instruction execution sequence does not return to the script module for execution, the script behaviors are determined according to the thread creation state of the process and are processed, the aim of identifying the script behaviors by using the instruction execution sequence is fulfilled, the accuracy of vulnerability monitoring is increased, the potential safety hazard of vulnerability protection is reduced, and the identification efficiency of the script behaviors is improved.
Further, as an implementation of the method shown in fig. 1, an embodiment of the present invention provides an apparatus for identifying a script behavior, and as shown in fig. 4, the apparatus includes: an acquisition module 31, a judgment module 32 and a determination module 33.
An obtaining module 31, configured to configure an API call parameter in a target monitoring event, suspend a process of executing the target monitoring event when it is monitored that the API call parameter is called, and obtain an instruction execution sequence in the process;
a judging module 32, configured to judge whether the instruction execution sequence returns to the script module for execution;
a determining module 33, configured to determine, according to the thread creation state of the process, a script behavior corresponding to the instruction execution sequence if the instruction execution sequence does not return to the script module for execution, and process the process according to the script behavior.
The invention provides a script behavior recognition device, which is compared with the failure of vulnerability protection caused by the fact that in the existing kernel system, because an execution instruction sequence in a script is compiled by technicians according to different requirements in a combined manner, when vulnerability protection is carried out, only the instruction execution sequence in the script is monitored, and aggressive behaviors cannot be recognized.
Further, as an implementation of the method shown in fig. 2, an embodiment of the present invention provides another apparatus for identifying a script behavior, as shown in fig. 5, where the apparatus includes: the device comprises an acquisition module 41, a judgment module 42, a determination module 43, a search module 44, an output module 45 and a release module 46.
An obtaining module 41, configured to configure an API call parameter in a target monitoring event, suspend a process of executing the target monitoring event when it is monitored that the API call parameter is called, and obtain an instruction execution sequence in the process;
a judging module 42, configured to judge whether the instruction execution sequence returns to the script module for execution;
a determining module 43, configured to determine, according to the thread creation state of the process, a script behavior corresponding to the instruction execution sequence if the instruction execution sequence does not return to the script module for execution, and process the process according to the script behavior.
Further, the obtaining module 41 includes:
a determining unit 4101, configured to suspend a process when the process for executing a target monitoring event is monitored, and determine whether an execution subject of the process conforms to a preset monitoring subject range;
an obtaining unit 4102, configured to obtain the instruction execution sequence performed in the user state if the execution subject meets a preset monitoring subject range.
Further, the determining module 43 includes:
a determining unit 4301, configured to, if the instruction execution sequence does not return to the script module for execution, find a parent thread in the process according to a thread ID data table, and determine whether the parent thread is a script thread;
an output unit 4302, configured to output, if the parent thread is a script thread, the target monitoring event corresponding to the script behavior determined as the abnormal behavior;
a releasing unit 4304, configured to release the target monitoring event corresponding to the script behavior determined as the normal behavior if the parent thread is not the script thread.
Further, the apparatus further comprises: a look-up module 44, an output module 45, a release module 46,
the determining module 42 is further configured to determine whether to execute the thread creating event if the instruction execution sequence returns to the script module for execution;
the search module 44 is configured to, if a thread creating event is executed, perform ID marking on a script thread on the created thread and a child thread corresponding to the thread, search a parent thread corresponding to the thread and the child thread according to a thread ID data table, and determine whether the parent thread is the script thread;
the output module 45 is configured to, if the parent thread is a script thread, output the target monitoring event corresponding to the script behavior determined as the abnormal behavior;
the release module 46 is configured to release the target monitoring event corresponding to the script behavior determined as the normal behavior if the parent thread is not the script thread.
Further, the output module 45 is configured to output the target monitoring event to the application layer if the create thread event is not executed.
Further, the release module 46 is configured to release the target monitoring event if the execution subject does not meet a preset monitoring subject range.
Further, the target monitoring event comprises a process creation, a file reading and writing, a registry modification and a thread creation.
The invention provides another device for identifying script behaviors, the embodiment of the invention judges whether an instruction execution sequence in the process returns to a script module for execution or not by monitoring the process of a target monitoring event, if the instruction execution sequence does not return to the script module for execution, the script behaviors are determined according to the thread creation state of the process and are processed, the aim of identifying the script behaviors by using the instruction execution sequence is fulfilled, the accuracy of vulnerability monitoring is increased, the generation of potential safety hazards of vulnerability protection is reduced, and the identification efficiency of the script behaviors is improved.
According to an embodiment of the present invention, a storage medium is provided, where the storage medium stores at least one executable instruction, and the computer executable instruction can execute the method for identifying the script behavior in any of the method embodiments described above.
Fig. 6 is a schematic structural diagram of a computer device according to an embodiment of the present invention, where the embodiment of the present invention does not limit the specific implementation of the computer device.
As shown in fig. 6, the computer apparatus may include: a processor (processor) 502, a Communications Interface 504, a memory 506, and a communication bus 508.
Wherein: the processor 502, communication interface 504, and memory 506 communicate with one another via a communication bus 508.
A communication interface 504 for communicating with network elements of other devices, such as clients or other servers.
The processor 502 is configured to execute the program 510, and may specifically execute relevant steps in the above-described method for identifying a script behavior.
In particular, program 510 may include program code that includes computer operating instructions.
The processor 502 may be a central processing unit CPU, or an Application Specific Integrated Circuit ASIC (Application Specific Integrated Circuit), or one or more Integrated circuits configured to implement an embodiment of the present invention. The computer device includes one or more processors, which may be the same type of processor, such as one or more CPUs; or may be different types of processors such as one or more CPUs and one or more ASICs.
And a memory 506 for storing a program 510. The memory 506 may comprise high-speed RAM memory, and may also include non-volatile memory (non-volatile memory), such as at least one disk memory.
The program 510 may specifically be used to cause the processor 502 to perform the following operations:
configuring an API call parameter in a target monitoring event, suspending a process for executing the target monitoring event when the API call parameter is monitored to be called, and acquiring an instruction execution sequence in the process;
judging whether the instruction execution sequence returns to the script module for execution;
and if the instruction execution sequence is not returned to the script module for execution, determining a script behavior corresponding to the instruction execution sequence according to the thread creation state of the process, and processing the process according to the script behavior.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: rather, the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the devices in an embodiment may be adaptively changed and arranged in one or more devices different from the embodiment. The modules or units or components in the embodiments may be combined into one module or unit or component, and furthermore, may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. It will be appreciated by those skilled in the art that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the asset data management method and apparatus according to embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on a computer readable medium or may be in the form of one or more signals. Such a signal may be downloaded from an internet website, or provided on a carrier signal, or provided in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means can be embodied by one and the same item of hardware. The usage of the words first, second and third, etcetera do not indicate any ordering. These words may be interpreted as names.
Claims (14)
1. A method for identifying script behavior, comprising:
configuring an API (application program interface) calling parameter in a target monitoring event, suspending a process for executing the target monitoring event when the API calling parameter is monitored to be called, and acquiring an instruction execution sequence in the process;
judging whether the instruction execution sequence executes operation on the script module;
if the instruction execution sequence does not execute the operation on the script module, determining a script behavior corresponding to the instruction execution sequence according to the thread creation state of the process, and processing the process according to the script behavior;
determining a script behavior corresponding to the instruction execution sequence according to the thread creation state of the process, and processing the process according to the script behavior includes:
if the instruction execution sequence does not execute the operation on the script module, searching a parent thread in the process according to a thread ID data table and judging whether the parent thread is a script thread or not;
if the father thread is a script thread, outputting the target monitoring event corresponding to the script behavior determined as the abnormal behavior;
and if the father thread is not the script thread, releasing the target monitoring event corresponding to the script behavior determined as the normal behavior.
2. The method of claim 1, wherein the configuring an API call parameter in a target monitoring event, and when it is monitored that the API call parameter is called, suspending a process executing the target monitoring event, and obtaining an instruction execution sequence in the process comprises:
when a process for executing a target monitoring event is monitored, suspending the process and judging whether an execution main body of the process accords with a preset monitoring main body range;
and if the execution main body accords with a preset monitoring main body range, acquiring an instruction execution sequence of the process in a user state.
3. The method of claim 2, wherein after determining whether the sequence of instruction execution performs an operation on a script module, the method further comprises:
if the instruction execution sequence executes the operation on the script module, judging whether to execute the thread creating event;
if a thread creating event is executed, ID marking of a script thread is carried out on the created thread and a sub-thread corresponding to the thread, a father thread corresponding to the thread and the sub-thread is searched according to a thread ID data table, and whether the father thread is the script thread or not is judged;
if the father thread is a script thread, outputting the target monitoring event corresponding to the script behavior determined as the abnormal behavior;
and if the father thread is not the script thread, releasing the target monitoring event corresponding to the script behavior determined as the normal behavior.
4. The method of claim 3, wherein after determining whether to perform creating a thread event, the method further comprises:
and if the thread creating event is not executed, outputting the target monitoring event to an application layer.
5. The method of claim 4, further comprising:
and if the execution main body does not accord with the preset monitoring main body range, releasing the target monitoring event.
6. The method of any one of claims 1-5, wherein the target monitoring event comprises creating a process, reading and writing a file, modifying a registry, creating a thread.
7. An apparatus for identifying script behavior, comprising:
the system comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for configuring an API (application program interface) calling parameter in a target monitoring event, suspending a process for executing the target monitoring event when the API calling parameter is monitored to be called, and acquiring an instruction execution sequence in the process;
the judging module is used for judging whether the instruction execution sequence executes the operation on the script module;
a determining module, configured to determine, according to a thread creation state of the process, a script behavior corresponding to the instruction execution sequence if the instruction execution sequence does not perform an operation on the script module, and process the process according to the script behavior;
wherein the determining module comprises:
a determining unit, configured to, if the instruction execution sequence does not perform an operation on the script module, look up a parent thread in the process according to a thread ID data table and determine whether the parent thread is a script thread;
the output unit is used for outputting the target monitoring event corresponding to the script behavior determined as the abnormal behavior if the father thread is the script thread;
and the releasing unit is used for releasing the target monitoring event corresponding to the script behavior determined as the normal behavior if the father thread is not the script thread.
8. The apparatus of claim 7, wherein the obtaining module comprises:
the device comprises a judging unit, a monitoring unit and a processing unit, wherein the judging unit is used for suspending a process when the process for executing a target monitoring event is monitored, and judging whether an execution main body of the process accords with a preset monitoring main body range;
and the acquisition unit is used for acquiring the instruction execution sequence of the process in the user state if the execution main body conforms to the preset monitoring main body range.
9. The apparatus of claim 8, further comprising: a search module, an output module, a release module,
the judging module is further configured to judge whether to execute the thread creating event if the instruction execution sequence executes an operation on the script module;
the searching module is used for carrying out ID marking of a script thread on the created thread and a sub-thread corresponding to the thread if a thread creating event is executed, searching a father thread corresponding to the thread and the sub-thread according to a thread ID data table, and judging whether the father thread is the script thread or not;
the output module is used for outputting the target monitoring event corresponding to the script behavior determined as the abnormal behavior if the father thread is the script thread;
and the releasing module is used for releasing the target monitoring event corresponding to the script behavior determined as the normal behavior if the father thread is not the script thread.
10. The apparatus of claim 9,
and the output module is used for outputting the target monitoring event to an application layer if the thread creating event is not executed.
11. The apparatus of claim 10,
and the release module is used for releasing the target monitoring event if the execution main body does not accord with a preset monitoring main body range.
12. The apparatus of any one of claims 7-11, wherein the target monitoring event comprises a create process, a read-write file, a registry modification, a create thread.
13. A storage medium having stored therein at least one executable instruction for causing a processor to perform operations corresponding to the method for identifying script behavior according to any one of claims 1-6.
14. A computer device, comprising: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction causes the processor to execute the operation corresponding to the identification method of the script behavior according to any one of claims 1-6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910755855.8A CN112395149B (en) | 2019-08-15 | 2019-08-15 | Script behavior identification method and device, storage medium and computer equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910755855.8A CN112395149B (en) | 2019-08-15 | 2019-08-15 | Script behavior identification method and device, storage medium and computer equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112395149A CN112395149A (en) | 2021-02-23 |
| CN112395149B true CN112395149B (en) | 2023-01-06 |
Family
ID=74601788
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910755855.8A Active CN112395149B (en) | 2019-08-15 | 2019-08-15 | Script behavior identification method and device, storage medium and computer equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112395149B (en) |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102651060A (en) * | 2012-03-31 | 2012-08-29 | 北京奇虎科技有限公司 | Method and system for detecting vulnerability |
| CN106991324A (en) * | 2017-03-30 | 2017-07-28 | 兴华永恒(北京)科技有限责任公司 | It is a kind of that the malicious code Tracking Recognition method that type is monitored is protected based on internal memory |
| WO2017180666A1 (en) * | 2016-04-15 | 2017-10-19 | Sophos Limited | Forensic analysis of computing activity and malware detection using an event graph |
| WO2019048858A1 (en) * | 2017-09-08 | 2019-03-14 | Sophos Limited | Realtime event detection |
| CN109800577A (en) * | 2018-12-29 | 2019-05-24 | 360企业安全技术(珠海)有限公司 | A kind of method and device of identification escape security monitoring behavior |
| CN110048932A (en) * | 2019-04-03 | 2019-07-23 | 北京奇安信科技有限公司 | Validation checking method, apparatus, equipment and the storage medium of mail Monitoring function |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP4906672B2 (en) * | 2007-10-22 | 2012-03-28 | 株式会社日立製作所 | Web application process recording method and process recording apparatus |
| US20160335232A1 (en) * | 2015-05-11 | 2016-11-17 | Government Of The United States As Represetned By The Secretary Of The Air Force | Remote script execution for secure and private browsing |
-
2019
- 2019-08-15 CN CN201910755855.8A patent/CN112395149B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102651060A (en) * | 2012-03-31 | 2012-08-29 | 北京奇虎科技有限公司 | Method and system for detecting vulnerability |
| WO2017180666A1 (en) * | 2016-04-15 | 2017-10-19 | Sophos Limited | Forensic analysis of computing activity and malware detection using an event graph |
| CN106991324A (en) * | 2017-03-30 | 2017-07-28 | 兴华永恒(北京)科技有限责任公司 | It is a kind of that the malicious code Tracking Recognition method that type is monitored is protected based on internal memory |
| WO2019048858A1 (en) * | 2017-09-08 | 2019-03-14 | Sophos Limited | Realtime event detection |
| CN109800577A (en) * | 2018-12-29 | 2019-05-24 | 360企业安全技术(珠海)有限公司 | A kind of method and device of identification escape security monitoring behavior |
| CN110048932A (en) * | 2019-04-03 | 2019-07-23 | 北京奇安信科技有限公司 | Validation checking method, apparatus, equipment and the storage medium of mail Monitoring function |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112395149A (en) | 2021-02-23 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| KR100645983B1 (en) | Module for detecting an illegal process and method thereof | |
| CN107563201B (en) | Associated sample searching method and device based on machine learning and server | |
| CN111191243B (en) | Vulnerability detection method, vulnerability detection device and storage medium | |
| CN109388946B (en) | Malicious process detection method and device, electronic equipment and storage medium | |
| US20150113545A1 (en) | Modified jvm with multi-tenant application domains and class differentiation | |
| CN114676424B (en) | Container escape detection and blocking method, device, equipment and storage medium | |
| CN103839007A (en) | Method and system for detecting abnormal threading | |
| CN110717181B (en) | Non-control data attack detection method and device based on novel program dependency graph | |
| CN112395593A (en) | Instruction execution sequence monitoring method and device, storage medium and computer equipment | |
| CN112395149B (en) | Script behavior identification method and device, storage medium and computer equipment | |
| CN110231921B (en) | Log printing method, device, equipment and computer readable storage medium | |
| CN107103099B (en) | Browser homepage returning method and device | |
| CN107861807B (en) | Optimization method and device for program call | |
| US7784034B1 (en) | System, method and computer program product for hooking a COM interface | |
| US10417015B2 (en) | Modified JVM with multi-tenant application domains and class differentiation | |
| US20160006759A1 (en) | System and Method for Automatic Use-After-Free Exploit Detection | |
| CN114327673B (en) | Task starting method and device, electronic equipment and storage medium | |
| CN113312623B (en) | Process detection method and device in access control, electronic equipment and storage medium | |
| CN111444510A (en) | CPU vulnerability detection method and system based on virtual machine | |
| CN112685744B (en) | Method and device for detecting software bugs by using stack-related registers | |
| CN112395595B (en) | Method and device for monitoring instruction execution sequence, storage medium and computer equipment | |
| CN111552474B (en) | Processing method and device for executing distributed lock operation | |
| CN110674501B (en) | Malicious drive detection method, device, equipment and medium | |
| CN113297149A (en) | Method and device for monitoring data processing request | |
| CN114662098A (en) | Attack code detection method, apparatus, electronic device, program, and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |