CN112395600A - False alarm removing method, device and equipment for malicious behaviors - Google Patents


Info

Publication number
CN112395600A
Authority
CN
China
Prior art keywords
instruction information
binary instruction
module
preset
stack
Prior art date
Legal status
Granted
Application number
CN201910755443.4A
Other languages
Chinese (zh)
Other versions
CN112395600B (en)
Inventor
游勇
王明广
杨晓东
杨小波
Current Assignee
Qax Technology Group Inc
Qianxin Safety Technology Zhuhai Co Ltd
Original Assignee
Qax Technology Group Inc
Qianxin Safety Technology Zhuhai Co Ltd
Priority date
Filing date
Publication date
Application filed by Qax Technology Group Inc, Qianxin Safety Technology Zhuhai Co Ltd
Priority to CN201910755443.4A
Publication of CN112395600A
Application granted
Publication of CN112395600B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3065 Monitoring arrangements determined by the means or processing involved in reporting the monitored data
    • G06F11/3072 Monitoring arrangements determined by the means or processing involved in reporting the monitored data where the reporting involves data filtering, e.g. pattern matching, time or event triggered, adaptive or policy-based reporting

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Quality & Reliability (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application discloses a method, a device and equipment for removing false alarms of malicious behaviors, in the technical field of network security. They filter out the instruction execution sequences of normal programs that execute in the ShellCode pattern, reduce false alarms of that type and make the detection of genuinely abnormal ShellCode-pattern instruction execution sequences more accurate, so that the accuracy of malicious behavior detection is improved. The method comprises the following steps: first, acquiring the instruction execution sequence characteristics corresponding to a target behavior; if the instruction execution sequence characteristics contain a stack return address that does not belong to any module address range and whose memory has the executable attribute, querying the binary instruction information corresponding to that stack return address; and if the binary instruction information matches preset binary instruction information in a preset white list, canceling the malicious behavior report for the target behavior. The method and device are suitable for false alarm removal for malicious behaviors.

Description

False alarm removing method, device and equipment for malicious behaviors
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, and a device for removing false alarm of malicious behavior.
Background
ShellCode is a piece of code that is executed by exploiting a software vulnerability; it is typically handled as hexadecimal-encoded machine code and is so named because attackers commonly use it to obtain a shell. ShellCode is therefore usually written in machine language. When a buffer overflow overwrites the saved return address on the stack, the value loaded into the EIP register is replaced with the address of ShellCode that the CPU can execute, so the computer executes arbitrary instructions of the attacker's choosing.
At present, in order to detect ShellCode in time, a judgment can be made from the instruction execution sequence characteristics corresponding to a behavior: for example, when an address that does not belong to any module appears in the instruction execution sequence, the behavior is treated as ShellCode and reported. In practice, however, some legitimate system behaviors have similar instruction execution sequence characteristics, so ShellCode false alarms occur and the accuracy of malicious behavior detection is low.
Disclosure of Invention
In view of this, the present application provides a method, an apparatus and a device for false alarm removal of malicious behavior, mainly aiming to solve the technical problem that malicious behavior detection currently has low accuracy because normal programs whose instruction execution sequences show the ShellCode pattern are identified and falsely reported.
According to one aspect of the application, a method for false alarm removal of malicious behaviors is provided, and the method comprises the following steps:
acquiring instruction execution sequence characteristics corresponding to target behaviors;
if a stack return address which does not belong to any module address range and has the executable memory attribute exists in the instruction execution sequence characteristics, querying binary instruction information corresponding to the stack return address;
and if the binary instruction information is matched with preset binary instruction information in a preset white list, canceling the malicious behavior reporting of the target behavior.
Optionally, before querying the binary instruction information corresponding to the stack return address, the method further includes:
detecting whether the module and symbol of the stack frame preceding the stack return address are a target monitoring point;
if the module and symbol of the preceding stack frame are a target monitoring point, reporting the target behavior as malicious behavior;
and if the module and symbol of the preceding stack frame are not a target monitoring point, querying the binary instruction information corresponding to the stack return address.
Optionally, if a plurality of stack return addresses that do not belong to any module address range and have the executable memory attribute exist in the instruction execution sequence characteristics, querying the binary instruction information corresponding to the stack return address specifically includes:
acquiring the first-occurring one of the stack return addresses that do not belong to any module address range and have the executable memory attribute;
and querying the binary instruction information corresponding to that first-occurring stack return address.
Optionally, the method further includes:
collecting false alarm information of malicious behaviors;
acquiring a sample instruction execution sequence characteristic corresponding to a false-reported malicious behavior from the false report information;
and determining, as the preset binary instruction information, the sample binary instruction information corresponding to the stack return addresses in the sample instruction execution sequence characteristics that do not belong to any module address range and have the executable memory attribute, and collecting the preset binary instruction information in the preset white list.
Optionally, the preset binary instruction information is the binary instruction information of a specific position interval within the sample binary instruction information;
and matching the queried binary instruction information with the preset binary instruction information in the preset white list specifically includes:
matching the binary instruction information of that specific position interval within the queried binary instruction information with the preset binary instruction information.
Optionally, the method further includes:
and updating the preset binary instruction information in the preset white list at regular time or non-regular time.
Optionally, the malicious behavior is reported as an attack behavior report about the ShellCode mode.
Optionally, canceling the malicious behavior report for the target behavior specifically includes:
canceling the malicious behavior alarm output for the target behavior; or
acquiring the client that sent the instruction execution sequence characteristics corresponding to the target behavior, and sending to that client instruction information for canceling the malicious behavior alarm output for the target behavior.
According to another aspect of the present application, there is provided a false alarm removing device for malicious behavior, the device including:
the acquisition module is used for acquiring the instruction execution sequence characteristics corresponding to the target behaviors;
the query module is used for querying binary instruction information corresponding to the stack return address if the stack return address which does not belong to any module address range and has the executable memory attribute exists in the instruction execution sequence characteristics;
and the reporting module is used for canceling the malicious behavior reporting of the target behavior if the binary instruction information is matched with the preset binary instruction information in a preset white list.
Optionally, the apparatus further comprises a detection module;
the detection module is used for detecting, before the binary instruction information corresponding to the stack return address is queried, whether the module and symbol of the stack frame preceding the stack return address are dangerous (i.e. are a target monitoring point);
the reporting module is further configured to report the target behavior as malicious behavior if the module and symbol of the preceding stack frame are dangerous;
and the query module is specifically configured to query the binary instruction information corresponding to the stack return address if the module and symbol of the preceding stack frame are not dangerous.
Optionally, the query module is specifically configured to, if a plurality of stack return addresses that do not belong to any module address range and have the executable memory attribute exist in the instruction execution sequence characteristics, obtain the first-occurring one of those stack return addresses;
and query the binary instruction information corresponding to that first-occurring stack return address.
Optionally, the apparatus further comprises: a collection module and a storage module;
the collection module is used for collecting false alarm information of malicious behaviors;
the obtaining module is further configured to obtain a sample instruction execution sequence feature corresponding to the false-reported malicious behavior from the false-report information;
the storage module is configured to determine sample binary instruction information corresponding to a stack return address which does not belong to any module address range and has an executable memory attribute in the sample instruction execution sequence characteristics as the preset binary instruction information and collect the preset binary instruction information in the preset white list.
Optionally, the preset binary instruction information is the binary instruction information of a specific position interval within the sample binary instruction information;
the device further comprises a matching module;
and the matching module is used for matching the binary instruction information of that specific position interval within the queried binary instruction information with the preset binary instruction information.
Optionally, the apparatus further comprises:
and the updating module is used for updating the preset binary instruction information in the preset white list at regular time or non-regular time.
Optionally, the malicious behavior is reported as an attack behavior report about the ShellCode mode.
Optionally, the reporting module is specifically configured to cancel the malicious behavior alarm output for the target behavior; or
to acquire the client that sent the instruction execution sequence characteristics corresponding to the target behavior, and send to that client instruction information for canceling the malicious behavior alarm output for the target behavior.
According to yet another aspect of the present application, there is provided a storage medium having stored thereon a computer program which, when executed by a processor, implements the above-described method of false positive removal of malicious activity.
According to another aspect of the present application, an entity device for removing false alarm of malicious behavior is provided, which includes a storage medium, a processor, and a computer program stored on the storage medium and capable of running on the processor, where the processor implements the method for removing false alarm of malicious behavior when executing the program.
By means of the above technical scheme, and in contrast to the conventional approach, the method, device and equipment for removing false alarms of malicious behaviors work as follows: when the instruction execution sequence characteristics corresponding to the target behavior contain a stack return address that does not belong to any module address range and has the executable memory attribute, the binary instruction information corresponding to that stack return address is matched against the preset binary instruction information in the preset white list, and if the match succeeds the malicious behavior report for the target behavior is canceled. In this way the instruction execution sequences of normal programs that execute in the ShellCode pattern are filtered out, false alarms are reduced, the detection of abnormal ShellCode-pattern instruction execution sequences becomes more accurate, and the accuracy of malicious behavior detection is improved.
The foregoing is only an overview of the technical solutions of the present application. In order that the technical means of the present application may be understood more clearly and implemented according to the content of the description, and in order that the above and other objects, features and advantages of the present application may be more readily apparent, the detailed description of the present application follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic flowchart illustrating a method for false alarm removal of malicious behavior according to an embodiment of the present disclosure;
FIG. 2 is a flow chart illustrating another method for false alarm removal of malicious behavior according to an embodiment of the present disclosure;
FIG. 3 is a schematic diagram illustrating an example of an instruction execution sequence in a ShellCode mode according to an embodiment of the present application;
fig. 4 shows a schematic structural diagram of a false alarm removal device for malicious behaviors provided by an embodiment of the present application.
Detailed Description
The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
Because both normal programs and malicious code can exhibit the ShellCode instruction pattern, the accuracy of malicious behavior detection is currently low: the instruction execution sequences of normal programs that execute in the ShellCode pattern are identified and falsely reported. For this technical problem, this embodiment provides a false alarm removal method for malicious behaviors, as shown in fig. 1, comprising the following steps:
101. and acquiring the instruction execution sequence characteristics corresponding to the target behaviors.
The instruction execution sequence characteristics comprise the stack sequence characteristics of all functional modules called in turn to realize the target behavior, i.e. the call stack captured when the behavior occurs.
The execution subject of this embodiment is a device or piece of equipment that performs false alarm removal for malicious behaviors. It may be deployed on the client side or, according to actual requirements, on the server side (in which case the instruction execution sequence characteristics corresponding to the target behavior are uploaded by the client), and it is used to recognize the ShellCode-pattern instruction sequences of normal programs so as to avoid false reports.
In this embodiment, before step 101 is performed, the method may further include a step 100: setting monitoring points on memory application and memory attribute modification (that is, on the operations that allocate memory and change its protection), recording the address and allocation size of every successfully applied-for memory block, matching the instruction execution sequence characteristics of the call that performed the allocation, and recording the matching result.
102. And if the stack return address which does not belong to any module address range and has the executable memory attribute exists in the acquired instruction execution sequence characteristics, querying binary instruction information corresponding to the stack return address.
The modules may be, for example, "ole32" or "jscript9", and may be determined according to actual service requirements.
Further, for an instruction return address that does not belong to any module, it is determined whether the address lies within the memory address space recorded in step 100. If the instruction return address lies within the recorded memory address space, the matching result recorded in step 100 for the instruction execution sequence characteristics of the allocating call is consulted, so that an abnormal match is detected and a successful match is passed; if the instruction return address does not lie within the recorded memory address space, the processing described in step 102 is performed. In this way, malicious behaviors can be detected and judged more accurately.
When a stack return address that does not belong to any module address range and has the executable memory attribute exists in the instruction execution sequence characteristics, the conventional judgment mode treats this as an attack behavior of the ShellCode pattern and reports malicious behavior. However, the instruction execution sequences of some normal programs that execute in the ShellCode pattern also show this characteristic (a stack return address that does not belong to any module address range and has the executable memory attribute). Therefore, in order to avoid ShellCode false alarms, in this embodiment, when it is determined that such a stack return address exists in the instruction execution sequence characteristics corresponding to the target behavior, the malicious behavior report is not issued immediately; instead, the corresponding binary instruction information is located through the stack return address and security analysis is performed on it. Specifically, the queried binary instruction information may be matched against the preset binary instruction information in the preset white list.
The preset binary instruction information in the preset white list can be created by collecting the binary instruction information corresponding to the stack return addresses that do not belong to any module address range and have the executable memory attribute in the instruction execution sequences of normal programs executing in the ShellCode pattern.
103. And if the inquired binary instruction information is matched with the preset binary instruction information in the preset white list, canceling the malicious behavior report of the target behavior.
If the queried binary instruction information matches the preset binary instruction information in the preset white list, the instruction execution sequence corresponding to the target behavior is a ShellCode-pattern instruction sequence executed by a normal program, and the malicious behavior report for the target behavior can be canceled.
Compared with the conventional approach, this method matches the binary instruction information corresponding to the stack return address against the preset binary instruction information in the preset white list whenever a stack return address that does not belong to any module address range and has the executable memory attribute exists in the instruction execution sequence characteristics corresponding to the target behavior, and cancels the malicious behavior report for the target behavior if the match succeeds. In this way the instruction execution sequences of normal programs that execute in the ShellCode pattern are filtered out, false alarms are reduced, the detection of abnormal ShellCode-pattern instruction execution sequences becomes more accurate, and the accuracy of malicious behavior detection is improved.
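The following is an added worked example of steps 100 to 103 in Python; it is not code from the patent or from the applicant's products. A `ShellcodeMonitor` keeps the step-100 registry of memory blocks recorded at the "apply for memory" and "modify memory attribute" monitoring points, each with the matching result of the allocating call; `check` then applies the step-102 condition to every stack return address (outside every module address range and in executable memory), takes the first such address, uses the recorded result when the address falls in a recorded block, and otherwise queries the instruction bytes and consults a white list. The module names follow the page; the address ranges, byte strings, symbol names and the prefix form of the white list are constructed assumptions that the patent does not specify.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Module:                      # a loaded module and its address range
    name: str
    base: int
    size: int


@dataclass
class MemBlock:                    # stand-in for what a memory query returns
    base: int
    size: int
    executable: bool
    content: bytes                 # bytes stored in the block


@dataclass
class Frame:                       # one row of the instruction execution sequence
    return_address: int
    module: Optional[str] = None   # None: the address lies in no loaded module
    symbol: Optional[str] = None


class ShellcodeMonitor:
    def __init__(self, modules: List[Module], memory: List[MemBlock]):
        self.modules = modules
        self.memory = memory
        # Step 100 registry: base of each successfully applied-for block -> result of
        # matching the allocating call's instruction execution sequence (True = matched).
        self.recorded: Dict[int, bool] = {}

    def on_alloc(self, base: int, size: int, executable: bool,
                 content: bytes, alloc_match_ok: bool) -> None:
        """'Apply for memory' monitoring point (step 100)."""
        self.memory.append(MemBlock(base, size, executable, content))
        self.recorded[base] = alloc_match_ok

    def on_protect(self, base: int, executable: bool) -> None:
        """'Modify memory attribute' monitoring point (step 100)."""
        for blk in self.memory:
            if blk.base == base:
                blk.executable = executable

    def in_module(self, addr: int) -> bool:
        return any(m.base <= addr < m.base + m.size for m in self.modules)

    def block_of(self, addr: int) -> Optional[MemBlock]:
        return next((b for b in self.memory if b.base <= addr < b.base + b.size), None)

    def is_suspicious(self, addr: int) -> bool:
        """Step 102 condition: outside every module address range and executable."""
        blk = self.block_of(addr)
        return not self.in_module(addr) and blk is not None and blk.executable

    def read_instructions(self, addr: int, n: int = 16) -> bytes:
        """Query the binary instruction information at a stack return address."""
        blk = self.block_of(addr)
        return b"" if blk is None else blk.content[addr - blk.base:addr - blk.base + n]

    def check(self, stack: List[Frame], whitelist_match: Callable[[bytes], bool]) -> str:
        suspicious = [f.return_address for f in stack if self.is_suspicious(f.return_address)]
        if not suspicious:
            return "no_alert"            # the conventional ShellCode condition is not met
        addr = suspicious[0]             # first occurrence only (cf. rows 05-07 of FIG. 3)
        base = self.block_of(addr).base
        if base in self.recorded:        # branch described after step 102
            return "recorded_pass" if self.recorded[base] else "report"
        # Steps 102/103: query the bytes at the address and consult the white list
        return "whitelist_cancel" if whitelist_match(self.read_instructions(addr)) else "report"


# Constructed sample data; module names follow the page, everything else is made up.
MODULES = [Module("ole32", 0x7FF00000, 0x100000), Module("jscript9", 0x7FE00000, 0x100000)]
# Executable region that existed before monitoring started, so it has no step-100 record.
PRE_EXISTING = [MemBlock(0x00A00000, 0x1000, True, b"\x90" * 16 + b"\x55\x8B\xEC\x83\xEC\x10\x53\x56")]
# White list of instruction-byte prefixes taken from known false alarms (constructed).
WHITELIST = [b"\x55\x8B\xEC\x83\xEC"]


def prefix_match(code: bytes) -> bool:
    return any(code.startswith(w) for w in WHITELIST)


def demo() -> Dict[str, str]:
    mon = ShellcodeMonitor(list(MODULES), list(PRE_EXISTING))
    mon.on_alloc(0x01B00000, 0x1000, False, b"\xCC" * 32, alloc_match_ok=True)
    mon.on_protect(0x01B00000, True)           # attribute later changed to executable
    mon.on_alloc(0x02C00000, 0x1000, True, b"\xE8" * 32, alloc_match_ok=False)
    mon.on_alloc(0x03D00000, 0x1000, False, b"\x00" * 32, alloc_match_ok=False)
    caller = Frame(0x7FF01234, "ole32", "CoCreateInstance")
    stacks = {
        "all_in_modules": [caller, Frame(0x7FE04567, "jscript9", "ScriptSite")],
        "whitelisted":    [caller, Frame(0x00A00010)],       # not recorded -> bytes checked
        "recorded_good":  [caller, Frame(0x01B00008)],       # recorded, allocating call matched
        "recorded_bad":   [caller, Frame(0x02C00004)],       # recorded, allocating call abnormal
        "not_executable": [caller, Frame(0x03D00004)],       # executable attribute absent
    }
    return {name: mon.check(stack, prefix_match) for name, stack in stacks.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} -> {verdict}")
```

The "recorded_bad" and "whitelisted" cases show the two branches described after step 102: an address inside a block recorded at step 100 is judged from the recorded result of the allocating call, and only an address outside the recorded space reaches the byte query and white list of steps 102 and 103. The "not_executable" case shows that the executable memory attribute is part of the condition, so a non-module address in non-executable memory does not trigger the ShellCode path at all.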
Further, as a refinement and an extension of the specific implementation of the foregoing embodiment, in order to fully explain the implementation process of the present embodiment, another method for false alarm removal of malicious behavior is provided, as shown in fig. 2, the method includes:
201. and collecting false alarm information of malicious behaviors.
For this embodiment, in order to create a white list capable of recognizing the instruction sequence characteristics of normal programs executing in the ShellCode pattern, the false alarm information of malicious behaviors, in particular ShellCode false alarm information, may be collected in advance.
202. Acquiring, from the collected false alarm information, the sample instruction execution sequence characteristics corresponding to the falsely reported malicious behaviors.
Specifically, the sample instruction execution sequence characteristics of interest are those in which a stack return address that does not belong to any module address range and has the executable memory attribute exists, i.e. instruction sequence characteristics of the ShellCode pattern. Although these sample instruction execution sequence characteristics belong to the ShellCode pattern, the sample instruction execution sequences are instruction sequences in which a normal program executes in the ShellCode pattern.
203. And determining sample binary instruction information corresponding to the stack return address which does not belong to any module address range and has the executable memory attribute in the sample instruction execution sequence characteristics as preset binary instruction information and summarizing the preset binary instruction information in a preset white list.
The white list generated in this way reflects the characteristics of the instruction sequences of normal programs executing in the ShellCode pattern and can be used to accurately recognize such instruction execution sequences.
Further, in order to keep the data in the white list up to date and meet its update requirements, the method of this embodiment may optionally update the preset binary instruction information in the preset white list at regular or irregular intervals (for example, by modifying existing binary instruction information, adding new binary instruction information, or deleting invalid binary instruction information). When the white list is needed for recognition, the latest version of the white list can be selected so as to ensure recognition accuracy.
204. When the target behavior needs to be subjected to anomaly detection, acquiring the instruction execution sequence characteristics corresponding to the target behavior.
205. If a stack return address that does not belong to any module address range and has the executable memory attribute exists in the acquired instruction execution sequence characteristics, detecting whether the module and symbol of the stack frame preceding that stack return address are a target monitoring point.
If such a stack return address exists in the instruction execution sequence characteristics, the stack frame immediately preceding it is likely to be the cause of its appearance. Therefore, in this embodiment, in order to speed up the judgment of whether a ShellCode-pattern instruction execution sequence is abnormal, when it is determined that such a stack return address exists, it may be judged whether the module and symbol of the stack frame preceding the suspicious stack return address are a target monitoring point (the target monitoring points may be defined in a configuration file, for example as the characteristics of certain dangerous modules and symbols). Specifically, the processing of step 206a or step 206b is then performed.
206a. If the module and symbol of the preceding stack frame are a target monitoring point, reporting the target behavior as malicious behavior.
In this scheme, on the basis of the original policy for judging malicious behavior of the ShellCode pattern, a new limiting condition is specified, so that the conditions become: 1. an address that does not belong to any module appears in the stack; 2. the address is valid; 3. the module and symbol of the stack frame preceding the suspicious stack return address must be dangerous. Malicious behavior of the ShellCode pattern is discriminated by these three conditions together.
Optionally, the reporting of the malicious behavior in this embodiment may be reporting of an attack behavior related to the ShellCode mode.
206b (in parallel with step 206a). If the module and symbol of the preceding stack frame are not a target monitoring point, querying the binary instruction information corresponding to the stack return address.
For this embodiment, when the module and symbol of the stack frame preceding the suspicious stack return address are determined to be dangerous, the malicious behavior can be reported directly; when they are determined not to be dangerous, the binary instruction information corresponding to the stack return address is queried for white list matching. This two-stage judgment improves the accuracy of recognizing whether a ShellCode-pattern instruction execution sequence is abnormal and can also improve detection efficiency, since the white list lookup is performed only in the second stage.
Optionally, if a plurality of stack return addresses that do not belong to any module address range and have the executable memory attribute exist in the instruction execution sequence characteristics, the first-occurring one of them is obtained, the binary instruction information corresponding to that first-occurring stack return address is queried, and the white list matching is performed on that binary instruction information. In order to improve the accuracy and efficiency of recognition, this embodiment may select only the binary instruction information corresponding to the first-occurring of those stack return addresses for white list matching.
For example, FIG. 3 shows an example instruction execution sequence. In the stack frames of rows 05, 06 and 07 there are stack return addresses that do not belong to any module address range and have the executable memory attribute; in this case the binary instruction information corresponding to the stack return address of row 05 is queried as the white list matching object.
207b. Matching the queried binary instruction information with the preset binary instruction information in the preset white list.
In order to further improve matching efficiency and accuracy, the preset binary instruction information may optionally be the binary instruction information of a specific position interval within the sample binary instruction information. Correspondingly, step 207b may specifically include matching the binary instruction information of that specific position interval within the queried binary instruction information against the preset binary instruction information. The specific position interval can be preset according to actual requirements, for example a predetermined number of bytes starting at a specific byte offset of the binary instruction.
208b. If the binary instruction information matches the preset binary instruction information in the preset white list, canceling the malicious behavior report for the target behavior.
Canceling the malicious behavior report for the target behavior may specifically include: canceling the malicious behavior alarm output for the target behavior; or acquiring the client that sent the instruction execution sequence characteristics corresponding to the target behavior and sending to that client instruction information for canceling the malicious behavior alarm output for the target behavior.
For example, if the execution subject on the local side is the client, then when monitoring whether the target behavior is malicious according to the above discrimination mode, if the behavior is a normal behavior of the ShellCode pattern, the malicious behavior alarm output for the target behavior can be canceled directly. If the execution subject on the local side is the server, the client that uploaded the instruction execution sequence characteristics can be obtained and cancellation instruction information sent to it, so that the client cancels the malicious behavior alarm output for the target behavior.
By applying the scheme of this embodiment, all of the ShellCode false alarms encountered in existing incidents are resolved without missing any real ShellCode, and the method is simple to implement, since the changes can be made directly in the configuration file. The method filters out the instruction execution sequences of normal programs executing in the ShellCode pattern, so that the detection of abnormal ShellCode-pattern instruction execution sequences becomes more accurate and the accuracy of malicious behavior detection is improved.
Further, as a specific implementation of the methods shown in fig. 1 and fig. 2, this embodiment provides a false alarm removal device for malicious behavior, as shown in fig. 4. The device includes: an acquisition module 31, a query module 32 and a reporting module 33.
The acquisition module 31 may be configured to acquire an instruction execution sequence feature corresponding to a target behavior;
the query module 32 is configured to query, if a stack return address that does not belong to any module address range and has an executable memory attribute exists in the instruction execution sequence feature, the binary instruction information corresponding to that stack return address;
the reporting module 33 is configured to cancel the malicious behavior report for the target behavior if the binary instruction information matches preset binary instruction information in a preset white list.
In a specific application scenario, the device may further include: a detection module 34;
the detection module 34 may be configured to detect, before the binary instruction information corresponding to the stack return address is queried, whether the module and symbol of the stack frame immediately preceding the stack return address are a target monitoring point;
the reporting module 33 is further configured to report the target behavior as malicious if the module and symbol of the preceding stack frame are a target monitoring point;
the query module 32 is specifically configured to query the binary instruction information corresponding to the stack return address if the module and symbol of the preceding stack frame are not a target monitoring point.
In a specific application scenario, the query module 32 may be further configured to, if a plurality of stack return addresses that do not belong to any module address range and have an executable memory attribute exist in the instruction execution sequence feature, obtain the first-occurring one of those stack return addresses, and query the binary instruction information corresponding to that first-occurring stack return address.
In a specific application scenario, the device further includes: a collection module 35 and a saving module 36;
the collection module 35 may be configured to collect false alarm information on malicious behaviors;
the acquisition module 31 may be further configured to obtain, from the false alarm information, a sample instruction execution sequence feature corresponding to a falsely reported malicious behavior;
the saving module 36 may be configured to determine, as the preset binary instruction information, the sample binary instruction information corresponding to a stack return address that does not belong to any module address range and has an executable memory attribute in the sample instruction execution sequence feature, and to collect that sample binary instruction information in the preset white list.
In a specific application scenario, the preset binary instruction information is optionally the binary instruction information of a specific position interval within the sample binary instruction information; correspondingly, the device further includes: a matching module 37;
the matching module 37 may be configured to match the binary instruction information of the specific position interval within the queried binary instruction information against the preset binary instruction information.
In a specific application scenario, the device further includes: an update module 38;
the update module 38 may be configured to update the preset binary instruction information in the preset white list at regular or irregular intervals.
In a specific application scenario, the malicious behavior report is optionally an attack behavior report concerning the ShellCode pattern.
In a specific application scenario, the reporting module 33 may be specifically configured to cancel the malicious behavior alarm output for the target behavior; or to obtain the client that sent the instruction execution sequence feature corresponding to the target behavior and send instruction information to that client to cancel the malicious behavior alarm output for the target behavior.
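The flow of steps 201 to 208b and of modules 31 to 38 above, as an added, runnable model that is not code from the patent. It replaces real process-memory reads with constructed memory regions, assumes the captured frames are listed innermost first (so the "preceding" frame of a return address is its callee, e.g. a hooked API), and uses constructed module ranges, frames, code bytes and white-list contents; names such as ExecSeqFeature, WhiteList and decide are this example's own.

```python
# Added example, not code from the patent: a minimal model of the false-alarm
# removal flow (steps 201-208b, modules 31-38, claims 1-5). All module ranges,
# stack frames, code bytes and white-list contents are constructed sample data.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class ModuleRange:
    name: str
    start: int
    end: int  # exclusive


@dataclass(frozen=True)
class StackFrame:
    return_address: int
    executable: bool              # memory attribute of the page holding return_address
    module: Optional[str] = None  # None when the address lies in no loaded module
    symbol: Optional[str] = None


@dataclass
class ExecSeqFeature:
    """Instruction execution sequence feature: captured frames (innermost first,
    an assumption of this example) plus the memory regions needed to read code."""
    frames: List[StackFrame]
    regions: List[Tuple[int, bytes]]  # (base address, bytes), constructed

    def read(self, addr: int, size: int) -> bytes:
        for base, data in self.regions:
            if base <= addr < base + len(data):
                return data[addr - base:addr - base + size]
        return b""


def in_any_module(addr: int, modules: List[ModuleRange]) -> bool:
    return any(m.start <= addr < m.end for m in modules)


def unmapped_executable_frames(feature: ExecSeqFeature, modules: List[ModuleRange]) -> List[int]:
    """Indices of frames whose return address is outside every module range and
    whose memory is executable: the trigger condition of step 202 / claim 1."""
    return [i for i, f in enumerate(feature.frames)
            if f.executable and not in_any_module(f.return_address, modules)]


@dataclass
class WhiteList:
    """Preset binary instruction information restricted to a specific position
    interval (offset, length) of the sample code bytes (claim 5)."""
    offset: int
    length: int
    patterns: Set[bytes]

    def span(self) -> int:
        return self.offset + self.length


def build_white_list(samples: List[ExecSeqFeature], modules: List[ModuleRange],
                     offset: int, length: int) -> WhiteList:
    """Modules 35/36, claim 4: for each false-alarm sample, take the first unmapped
    executable return address and keep the bytes of the position interval."""
    wl = WhiteList(offset, length, set())
    for sample in samples:
        idx = unmapped_executable_frames(sample, modules)
        if not idx:
            continue
        code = sample.read(sample.frames[idx[0]].return_address, wl.span())
        if len(code) == wl.span():
            wl.patterns.add(code[offset:offset + length])
    return wl


def matches_white_list(code: bytes, wl: WhiteList) -> bool:
    """Module 37: compare only the specific position interval."""
    return len(code) >= wl.span() and code[wl.offset:wl.span()] in wl.patterns


def decide(feature: ExecSeqFeature, modules: List[ModuleRange], wl: WhiteList,
           monitoring_points: Set[Tuple[str, str]]) -> str:
    """'cancel' (step 208b), 'report' (alarm stands) or 'not_applicable'
    (no unmapped executable return address, so step 202 is not triggered)."""
    idx = unmapped_executable_frames(feature, modules)
    if not idx:
        return "not_applicable"
    i = idx[0]  # claim 3: only the first such return address is examined
    if i > 0:   # claim 2: preceding frame (assumed: the callee) is a monitoring point
        prev = feature.frames[i - 1]
        if (prev.module, prev.symbol) in monitoring_points:
            return "report"
    code = feature.read(feature.frames[i].return_address, wl.span())
    return "cancel" if matches_white_list(code, wl) else "report"


# Constructed data: three modules, a hooked-API monitoring point, and a JIT-style
# executable region that belongs to no module (a typical source of such false alarms).
MODULES = [ModuleRange("app.exe", 0x00400000, 0x00500000),
           ModuleRange("kernel32.dll", 0x7FE00000, 0x7FE10000),
           ModuleRange("ntdll.dll", 0x7FF00000, 0x7FF20000)]
MONITORING_POINTS = {("kernel32.dll", "CreateProcessW")}
JIT_BASE = 0x10000000
# 16 filler bytes, then an ordinary x64 prologue (mov [rsp+8],rbx; mov [rsp+0x10],rsi).
JIT_CODE = b"\x90" * 16 + b"\x48\x89\x5c\x24\x08\x48\x89\x74\x24\x10"


def make_feature(callee: StackFrame, code: bytes) -> ExecSeqFeature:
    frames = [callee, StackFrame(JIT_BASE + 16, executable=True),
              StackFrame(0x00401234, True, "app.exe", "main")]
    return ExecSeqFeature(frames, [(JIT_BASE, code)])


def run_demo() -> dict:
    benign = make_feature(StackFrame(0x7FE00123, True, "kernel32.dll", "VirtualAlloc"), JIT_CODE)
    wl = build_white_list([benign], MODULES, offset=2, length=6)  # learned from the false alarm
    hooked = StackFrame(0x7FE00456, True, "kernel32.dll", "CreateProcessW")
    return {
        "whitelist": sorted(wl.patterns),
        "benign_jit": decide(benign, MODULES, wl, MONITORING_POINTS),
        "unknown_code": decide(make_feature(benign.frames[0], b"\xcc" * 32), MODULES, wl, MONITORING_POINTS),
        "monitoring_point": decide(make_feature(hooked, JIT_CODE), MODULES, wl, MONITORING_POINTS),
        "in_module": decide(ExecSeqFeature([StackFrame(0x00401000, True, "app.exe", "f")], []), MODULES, wl, MONITORING_POINTS),
        "data_region": decide(ExecSeqFeature([StackFrame(0x20000000, False)], []), MODULES, wl, MONITORING_POINTS),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The demo learns one white-list entry from a false-alarm sample and then shows the four outcomes the text describes: the same benign JIT frame is cancelled, unknown code at an unmapped executable address is still reported, a frame whose preceding frame is a target monitoring point is reported before any byte comparison, and features with no unmapped executable return address (address inside a module, or non-executable memory) fall outside the method.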
It should be noted that further descriptions of the functional units of the false alarm removal device for malicious behavior provided in this embodiment can be found in the corresponding descriptions of fig. 1 and fig. 2, and are not repeated here.
Based on the methods shown in fig. 1 and fig. 2, this embodiment correspondingly further provides a storage medium on which a computer program is stored; when the computer program is executed by a processor, the false alarm removal method for malicious behavior shown in fig. 1 and fig. 2 is implemented.
Based on this understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (such as a CD-ROM, a USB disk, or a removable hard disk) and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute the method according to the implementation scenarios of the present application.
Based on the methods shown in fig. 1 and fig. 2 and the virtual device embodiment shown in fig. 4, in order to achieve the above object, this embodiment further provides an entity device for removing false alarms of malicious behavior, which may specifically be a personal computer, a server, a smart phone, a tablet computer, a smart watch, or another network device. The entity device includes a storage medium and a processor; the storage medium stores a computer program; the processor executes the computer program to implement the above methods shown in fig. 1 and fig. 2.
Optionally, the entity device may further include a user interface, a network interface, a camera, a Radio Frequency (RF) circuit, a sensor, an audio circuit, a WI-FI module, and the like. The user interface may include a display screen (Display) and an input unit such as a keyboard (Keyboard); the optional user interface may also include a USB interface, a card reader interface, etc. The network interface may optionally include a standard wired interface, a wireless interface (e.g., a WI-FI interface), etc.
Those skilled in the art will appreciate that the physical device structure for false alarm removal of malicious behavior provided by this embodiment does not limit the physical device, which may include more or fewer components, combine some components, or arrange components differently.
The storage medium may further include an operating system and a network communication module. The operating system is a program that manages the hardware and software resources of the above entity device and supports the operation of the information processing program and other software and/or programs. The network communication module is used to realize communication among the components in the storage medium and communication with other hardware and software in the information processing entity device.
Through the above description of the embodiments, those skilled in the art will clearly understand that the present application can be implemented by software plus a necessary general hardware platform, and can also be implemented by hardware. By applying the technical scheme of the application, the problem of false alarms on all ShellCode encountered in existing events is solved while genuine ShellCode is still reported. The method is simple to implement and can be applied by directly modifying the configuration file. It filters out the instruction execution sequences of normal programs that execute in the ShellCode pattern, so that detection of instruction execution sequences in the abnormal ShellCode pattern is more accurate, improving the accuracy of malicious behavior detection.
Those skilled in the art will appreciate that the figures are merely schematic representations of one preferred implementation scenario and that the blocks or flow diagrams in the figures are not necessarily required to practice the present application. Those skilled in the art will also appreciate that the modules of the devices in the implementation scenario may be distributed among the devices as described, or may be located, with corresponding changes, in one or more devices different from those of the present implementation scenario. The modules of the implementation scenario may be combined into one module, or further split into a plurality of sub-modules.
The above application serial numbers are for description only and do not represent the superiority or inferiority of the implementation scenarios. The above disclosure covers only a few specific implementation scenarios of the present application, to which the application is not limited; any variations that can be made by those skilled in the art are intended to fall within the scope of the present application.

Claims (10)

1. A false alarm removal method for malicious behavior, characterized by comprising the following steps:
acquiring an instruction execution sequence feature corresponding to a target behavior;
if a stack return address that does not belong to any module address range and has an executable memory attribute exists in the instruction execution sequence feature, querying the binary instruction information corresponding to the stack return address;
and if the binary instruction information matches preset binary instruction information in a preset white list, cancelling the malicious behavior report for the target behavior.
2. The method of claim 1, wherein, before said querying the binary instruction information corresponding to said stack return address, the method further comprises:
detecting whether the module and symbol of the stack frame preceding the stack return address are a target monitoring point;
if the module and symbol of the preceding stack frame are a target monitoring point, reporting the target behavior as malicious;
and if the module and symbol of the preceding stack frame are not a target monitoring point, querying the binary instruction information corresponding to the stack return address.
3. The method according to claim 1, wherein, if a plurality of stack return addresses that do not belong to any module address range and have an executable memory attribute exist in the instruction execution sequence feature, said querying the binary instruction information corresponding to the stack return address specifically comprises:
acquiring the first-occurring one of the plurality of stack return addresses that do not belong to any module address range and have an executable memory attribute;
and querying the binary instruction information corresponding to the first-occurring stack return address.
4. The method of claim 1, further comprising:
collecting false alarm information on malicious behaviors;
acquiring, from the false alarm information, a sample instruction execution sequence feature corresponding to a falsely reported malicious behavior;
and determining the sample binary instruction information corresponding to a stack return address that does not belong to any module address range and has an executable memory attribute in the sample instruction execution sequence feature as the preset binary instruction information, and collecting the preset binary instruction information in the preset white list.
5. The method according to claim 4, wherein the preset binary instruction information is the binary instruction information of a specific position interval within the sample binary instruction information;
and said matching the queried binary instruction information against the preset binary instruction information in the preset white list specifically comprises:
matching the binary instruction information of the specific position interval within the queried binary instruction information against the preset binary instruction information.
6. The method of claim 4, further comprising:
updating the preset binary instruction information in the preset white list at regular or irregular intervals.
7. The method according to any one of claims 1 to 6, wherein the malicious behavior report is an attack behavior report concerning the ShellCode pattern.
8. A false alarm removal device for malicious behavior, comprising:
an acquisition module for acquiring an instruction execution sequence feature corresponding to a target behavior;
a query module for querying, if a stack return address that does not belong to any module address range and has an executable memory attribute exists in the instruction execution sequence feature, the binary instruction information corresponding to the stack return address;
and a reporting module for cancelling the malicious behavior report for the target behavior if the binary instruction information matches preset binary instruction information in a preset white list.
9. A storage medium on which a computer program is stored, the program, when executed by a processor, implementing the false alarm removal method for malicious behavior of any one of claims 1 to 7.
10. A false alarm removal apparatus for malicious behavior, comprising a storage medium, a processor and a computer program stored on the storage medium and runnable on the processor, wherein the processor implements the false alarm removal method for malicious behavior according to any one of claims 1 to 7 when executing the program.
CN201910755443.4A 2019-08-15 2019-08-15 Misinformation removing method, device and equipment for malicious behaviors Active CN112395600B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910755443.4A CN112395600B (en) 2019-08-15 2019-08-15 Misinformation removing method, device and equipment for malicious behaviors

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910755443.4A CN112395600B (en) 2019-08-15 2019-08-15 Misinformation removing method, device and equipment for malicious behaviors

Publications (2)

Publication Number Publication Date
CN112395600A true CN112395600A (en) 2021-02-23
CN112395600B CN112395600B (en) 2023-08-01

Family

ID=74601733

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910755443.4A Active CN112395600B (en) 2019-08-15 2019-08-15 Misinformation removing method, device and equipment for malicious behaviors

Country Status (1)

Country Link
CN (1) CN112395600B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103049701A (en) * 2012-11-30 2013-04-17 南京翰海源信息技术有限公司 Detecting system and method for shellcode based on memory searching
CN103714292A (en) * 2014-01-15 2014-04-09 四川师范大学 Method for detecting exploit codes
US20150213260A1 (en) * 2014-01-27 2015-07-30 Igloo Security, Inc. Device and method for detecting vulnerability attack in program
CN105678168A (en) * 2015-12-29 2016-06-15 北京神州绿盟信息安全科技股份有限公司 Method and apparatus for detecting Shellcode based on stack frame abnormity
US9594912B1 (en) * 2014-06-06 2017-03-14 Fireeye, Inc. Return-oriented programming detection
US20190205530A1 (en) * 2017-12-29 2019-07-04 Crowdstrike, Inc. Malware detection in event loops

Also Published As

Publication number Publication date
CN112395600B (en) 2023-08-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant