CN112395600B - Misinformation removing method, device and equipment for malicious behaviors - Google Patents


Info

Publication number
CN112395600B
Authority
CN
China
Prior art keywords
instruction information
module
binary instruction
behavior
stack
Prior art date
Legal status
Active
Application number
CN201910755443.4A
Other languages
Chinese (zh)
Other versions
CN112395600A (en)
Inventor
游勇
王明广
杨晓东
杨小波
Current Assignee
Qax Technology Group Inc
Qianxin Safety Technology Zhuhai Co Ltd
Original Assignee
Qax Technology Group Inc
Qianxin Safety Technology Zhuhai Co Ltd
Priority date
Filing date
Publication date
Application filed by Qax Technology Group Inc, Qianxin Safety Technology Zhuhai Co Ltd
Priority to CN201910755443.4A
Publication of CN112395600A
Application granted
Publication of CN112395600B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3065 Monitoring arrangements determined by the means or processing involved in reporting the monitored data
    • G06F11/3072 Monitoring arrangements determined by the means or processing involved in reporting the monitored data where the reporting involves data filtering, e.g. pattern matching, time or event triggered, adaptive or policy-based reporting

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Quality & Reliability (AREA)
  • Computer Hardware Design (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application discloses a false alarm removal method, device and equipment for malicious behaviors in the technical field of network security. They can filter out the instruction execution sequences of normal programs that run in ShellCode mode, reducing this type of false alarm, so that detection of abnormal ShellCode-mode instruction execution sequences becomes more accurate and the overall accuracy of malicious behavior detection improves. The method comprises the following steps: first, acquiring the instruction execution sequence characteristics corresponding to the target behavior; if the instruction execution sequence characteristics contain a stack return address that does not belong to any module address range and has the executable memory attribute, querying the binary instruction information corresponding to that stack return address; and if the binary instruction information matches preset binary instruction information in a preset white list, cancelling malicious behavior reporting for the target behavior. The method and device are suitable for false alarm removal processing of malicious behaviors.

Description

Misinformation removing method, device and equipment for malicious behaviors
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method, an apparatus, and a device for misinformation removal of malicious behavior.
Background
ShellCode is a piece of code that is executed by exploiting a software vulnerability. It is hexadecimal machine code, and it is so named because it often gives the attacker a shell. ShellCode is usually written in machine language. After an overflow overwrites the EIP register, a section of ShellCode machine code that the CPU can execute is inserted, so that the computer executes whatever instructions the attacker chooses.
Currently, in order to detect ShellCode in time, a judgment can be made on the basis of the instruction execution sequence characteristics corresponding to a behavior. For example, when an address that does not belong to any module appears in the instruction execution sequence, it is regarded as ShellCode and reported. In practice, however, some system behaviors have similar instruction execution sequence characteristics, so ShellCode false alarms occur and the accuracy of malicious behavior detection is lowered.
Disclosure of Invention
In view of this, the present application provides a method, an apparatus and a device for false alarm removal of malicious behavior, mainly aimed at solving the technical problem that the accuracy of malicious behavior detection is low because the instruction execution sequences currently used to identify ShellCode mode raise false alarms for normal programs that execute in ShellCode mode.
According to one aspect of the present application, there is provided a method for false alarm removal of malicious behavior, the method comprising:
acquiring the instruction execution sequence characteristics corresponding to the target behaviors;
if the stack return address which does not belong to any module address range and has executable memory attribute exists in the instruction execution sequence characteristics, inquiring binary instruction information corresponding to the stack return address;
and if the binary instruction information is matched with preset binary instruction information in a preset white list, canceling malicious behavior reporting on the target behavior.
Optionally, before the querying binary instruction information corresponding to the stack return address, the method further includes:
detecting whether a module and a symbol of a last stack of the stack return address are target monitoring points;
if the module and the symbol of the last stack are target monitoring points, carrying out malicious behavior reporting on the target behavior;
and if the module and the symbol of the last stack are not the target monitoring points, inquiring binary instruction information corresponding to the stack return address.
Optionally, if there are multiple stack return addresses that do not belong to any module address range and have executable memory attributes in the instruction execution sequence feature, the querying binary instruction information corresponding to the stack return addresses specifically includes:
acquiring the first-occurring stack return address among the stack return addresses that do not belong to any module address range and have executable memory attributes;
and querying binary instruction information corresponding to the first occurring stack return address.
Optionally, the method further comprises:
collecting false positive information of malicious behaviors;
acquiring sample instruction execution sequence characteristics corresponding to false-reported malicious behaviors from the false-reported information;
and determining sample binary instruction information corresponding to a stack return address which does not belong to any module address range and has executable memory attributes in the sample instruction execution sequence characteristics as the preset binary instruction information and summarizing the preset binary instruction information in the preset white list.
Optionally, the preset binary instruction information is binary instruction information of a specific position interval in the sample binary instruction information;
matching the queried binary instruction information with preset binary instruction information in the preset white list, wherein the matching comprises the following steps of:
and matching the binary instruction information of the specific position interval in the queried binary instruction information with the preset binary instruction information.
Optionally, the method further comprises:
and updating preset binary instruction information in the preset white list at regular or irregular time.
Optionally, the malicious behavior is reported as an attack behavior about a ShellCode mode.
Optionally, the cancelling the malicious behavior reporting of the target behavior specifically includes:
canceling malicious behavior alarm output of the target behavior; or
acquiring the client that sent the instruction execution sequence characteristics corresponding to the target behavior, and sending to that client instruction information for canceling malicious behavior alarm output of the target behavior.
According to another aspect of the present application, there is provided a false alarm removing device for malicious behavior, the device including:
the acquisition module is used for acquiring the instruction execution sequence characteristics corresponding to the target behaviors;
the query module is used for querying binary instruction information corresponding to the stack return address if the stack return address which does not belong to any module address range and has executable memory attribute exists in the instruction execution sequence characteristics;
and the reporting module is used for canceling malicious behavior reporting on the target behavior if the binary instruction information is matched with the preset binary instruction information in the preset white list.
Optionally, the apparatus further includes: a detection module;
the detection module is used for detecting whether the module and the symbol of the last stack of the stack return address are dangerous or not before the binary instruction information corresponding to the stack return address is queried;
the reporting module is further configured to report the malicious behavior to the target behavior if the module and the symbol of the last stack are dangerous;
and the query module is specifically configured to query binary instruction information corresponding to the stack return address if the module and the symbol of the last stack are not dangerous.
Optionally, the query module is specifically configured to obtain, if there are multiple stack return addresses that do not belong to any module address range and have executable memory attributes in the instruction execution sequence feature, a stack return address that appears first in the multiple stack return addresses that do not belong to any module address range and have executable memory attributes;
and querying binary instruction information corresponding to the first occurring stack return address.
Optionally, the apparatus further includes: the device comprises a collection module and a storage module;
the collecting module is used for collecting false alarm information of malicious behaviors;
the acquisition module is further used for acquiring sample instruction execution sequence characteristics corresponding to false-reported malicious behaviors from the false-reported information;
and the storage module is used for determining sample binary instruction information corresponding to a stack return address which does not belong to any module address range and has executable memory attribute in the sample instruction execution sequence characteristics as the preset binary instruction information and summarizing the preset binary instruction information in the preset white list.
Optionally, the preset binary instruction information is binary instruction information of a specific position interval in the sample binary instruction information;
the apparatus further comprises: a matching module;
the matching module is used for matching the binary instruction information of the specific position interval in the queried binary instruction information with the preset binary instruction information.
Optionally, the apparatus further includes:
and the updating module is used for updating preset binary instruction information in the preset white list at regular time or at irregular time.
Optionally, the malicious behavior is reported as an attack behavior about a ShellCode mode.
Optionally, the reporting module is specifically configured to cancel malicious behavior alert output of the target behavior; or
to acquire the client that sent the instruction execution sequence characteristics corresponding to the target behavior, and to send to that client instruction information for canceling malicious behavior alarm output of the target behavior.
According to yet another aspect of the present application, there is provided a storage medium having stored thereon a computer program which, when executed by a processor, implements the above-described misinformation-removing method of malicious behaviour.
According to still another aspect of the present application, there is provided an entity device for misinformation removal of malicious behavior, including a storage medium, a processor, and a computer program stored on the storage medium and executable on the processor, where the processor implements the misinformation removal method of malicious behavior when executing the program.
By means of the above technical scheme, and compared with the traditional approach, the false alarm removal method, device and equipment for malicious behaviors provided by the application can, when the instruction execution sequence characteristics corresponding to the target behavior contain a stack return address that does not belong to any module address range and has the executable memory attribute, match the binary instruction information corresponding to that stack return address against the preset binary instruction information in a preset white list, and cancel malicious behavior reporting for the target behavior if the match succeeds. The instruction execution sequences of normal programs executing in ShellCode mode can thus be filtered out, false alarms are reduced, detection of abnormal ShellCode-mode instruction execution sequences becomes more accurate, and the accuracy of malicious behavior detection improves.
The foregoing is only an overview of the technical solutions of the present application. So that the technical means of the application can be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the application become more apparent, the detailed description of the application follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. In the drawings:
fig. 1 is a schematic flow chart of a method for removing false alarms of malicious behaviors according to an embodiment of the present application;
FIG. 2 is a flow chart illustrating another method for false alarm removal of malicious behavior according to an embodiment of the present application;
FIG. 3 is a schematic diagram showing an example of an instruction execution sequence of a ShellCode mode according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a device for removing false alarms of malicious behaviors according to an embodiment of the present application.
Detailed Description
The present application will be described in detail hereinafter with reference to the accompanying drawings in conjunction with embodiments. It should be noted that, in the case of no conflict, the embodiments and features in the embodiments may be combined with each other.
Because a normal program can exhibit the same instruction pattern as ShellCode used as malicious code, the instruction execution sequence currently used to identify a normal program executing in ShellCode mode produces false alarms, which lowers the accuracy of malicious behavior detection. To address this technical problem, this embodiment provides a false alarm removal method for malicious behavior, as shown in fig. 1, which comprises the following steps:
101. Obtain the instruction execution sequence characteristics corresponding to the target behavior.
The instruction execution sequence features comprise the stack sequence features of the functional modules that are called in turn to realize the target behavior.
The device or apparatus for false alarm removal of malicious behavior in this embodiment may be deployed on the client side or, according to actual requirements, on the server side (in which case the instruction execution sequence corresponding to the target behavior is uploaded by the client). It is used to identify the instruction sequence of a normal program executing in ShellCode mode, so as to avoid false alarms.
In this embodiment, before step 101 is performed, the method may further include step 100: setting monitoring points for memory allocation and memory attribute modification, recording the memory address and allocation size of every successful allocation, performing feature matching on the calling instruction execution sequence, and recording the matching result.
102. If the acquired instruction execution sequence features contain a stack return address that does not belong to any module address range and has the executable memory attribute, query the binary instruction information corresponding to that stack return address.
The modules may be modules such as "ole32" and "jscript9", and may be specifically determined according to actual service requirements.
Further, for an instruction return address that does not belong to any module, it is determined whether the address falls within the memory address space recorded in step 100. If it does, the matching result recorded for the corresponding calling instruction execution sequence feature is checked, so that an abnormal match is detected while a successful match passes; if it does not, the processing described in step 102 is performed. In this way, more accurate malicious behavior detection and discrimination can be achieved.
When the instruction execution sequence characteristics contain a stack return address that does not belong to any module address range and has the executable memory attribute, the traditional judgment method determines that this is ShellCode-mode attack behavior and reports malicious behavior. However, some instruction execution sequences of normal programs executing in ShellCode mode also have this characteristic (a stack return address that does not belong to any module address range and has the executable memory attribute). Therefore, to avoid ShellCode false alarms, in this embodiment, when such a stack return address is found in the instruction execution sequence feature corresponding to the target behavior, malicious behavior reporting is temporarily withheld; the corresponding binary instruction information is then located through the stack return address and further security analysis is performed. Specifically, the queried binary instruction information can be matched against the preset binary instruction information in a preset white list.
The preset binary instruction information in the preset white list can be created in advance from the binary instruction information corresponding to stack return addresses that do not belong to any module address range and have the executable memory attribute in the instruction execution sequences of normal programs executing in ShellCode mode.
103. If the queried binary instruction information is matched with the preset binary instruction information in the preset white list, the malicious behavior reporting of the target behavior is canceled.
If the queried binary instruction information matches the preset binary instruction information in the preset white list, the instruction execution sequence corresponding to the target behavior is the instruction sequence of a normal program executing in ShellCode mode, and malicious behavior reporting for the target behavior can therefore be cancelled.
Compared with the traditional approach, this method can be applied to the detection of abnormal ShellCode instruction sequences in systems and programs. By applying this false alarm removal method for malicious behaviors, when the instruction execution sequence characteristics corresponding to the target behavior contain a stack return address that does not belong to any module address range and has the executable memory attribute, the binary instruction information corresponding to that stack return address can be matched against the preset binary instruction information in a preset white list, and malicious behavior reporting for the target behavior can be cancelled if the match succeeds. The instruction execution sequences of normal programs executing in ShellCode mode can thus be filtered out, false alarms are reduced, detection of abnormal ShellCode-mode instruction execution sequences becomes more accurate, and the accuracy of malicious behavior detection improves.
Further, as a refinement and extension of the specific implementation manner of the foregoing embodiment, in order to fully describe the implementation process of this embodiment, another method for removing false alarm of malicious behavior is provided, as shown in fig. 2, where the method includes:
201. Collect false positive information of malicious behaviors.
For this embodiment, in order to create a white list that can identify the instruction sequence features of normal programs executing in ShellCode mode, false positive information of malicious behavior, in particular ShellCode false positive information, may be collected in advance.
202. Acquire the sample instruction execution sequence characteristics corresponding to the falsely reported malicious behaviors from the collected false alarm information.
Specifically, the target is those sample instruction execution sequence features that contain a stack return address which does not belong to any module address range and has the executable memory attribute, that is, the instruction sequence features of ShellCode mode. These sample instruction execution sequences have the characteristics of ShellCode mode, but they are instruction sequences of normal programs executing in ShellCode mode.
203. Determine the sample binary instruction information corresponding to a stack return address that does not belong to any module address range and has the executable memory attribute in the sample instruction execution sequence characteristics as preset binary instruction information, and collect the preset binary instruction information in a preset white list.
The white list generated in this way can reflect the characteristic condition of the instruction sequence of the normal program execution ShellCode mode, and can be used for accurately identifying the instruction execution sequence of the normal program execution ShellCode mode.
Further, in order to ensure timeliness of data update in the white list and meet the update requirement of the white list, optionally, the method of the embodiment can update preset binary instruction information in the preset white list regularly or irregularly (such as modifying the existing binary instruction information, adding new binary instruction information, deleting invalid binary instruction information and the like). And when the white list is required to be used for identification, the white list of the latest version can be selected for identification so as to ensure the identification accuracy.
204. When the target behavior needs to be checked for abnormality, acquire the instruction execution sequence characteristics corresponding to the target behavior.
205. If the acquired instruction execution sequence features contain a stack return address that does not belong to any module address range and has the executable memory attribute, detect whether the module and symbol of the last stack of that stack return address are target monitoring points.
If the instruction execution sequence feature contains a stack return address that does not belong to any module address range and has the executable memory attribute, the information in the last stack of this stack return address is likely to be the cause of its occurrence. Therefore, in this embodiment, in order to speed up recognition of whether the ShellCode-mode instruction execution sequence is abnormal, once such a stack return address is found in the instruction execution sequence feature, it can further be determined whether the ShellCode-mode instruction execution sequence is abnormal by checking whether the module and symbol of the last stack of the suspicious stack return address are target monitoring points (the target monitoring points can, for example, be defined in a configuration file and include certain dangerous modules and symbols). The processing of steps 206a and 206b may then be performed.
206a. If the module and symbol of the last stack are target monitoring points, report the target behavior as malicious behavior.
In this scheme, on the basis of the original malicious behavior strategy for judging ShellCode mode, new limiting conditions are specified as follows: 1. an address that does not belong to any module appears in the stack; 2. the address is valid; 3. the module and symbol of the last stack of the suspicious stack return address must be dangerous. Malicious behavior in the ShellCode pattern is discriminated by these three conditions.
Optionally, the malicious behavior report in this embodiment may be an attack behavior report about ShellCode mode.
206b. In parallel with step 206a, if the module and symbol of the last stack are not target monitoring points, query the binary instruction information corresponding to the stack return address.
For this embodiment, if the module and symbol of the last stack of the suspicious stack return address are determined to be dangerous, malicious behavior may be reported; if they are determined not to be dangerous, the binary instruction information corresponding to the stack return address is queried for white list matching. This double judgment improves the accuracy of identifying whether a ShellCode-mode instruction execution sequence is abnormal, and improves the corresponding detection efficiency.
Optionally, if the instruction execution sequence feature contains multiple stack return addresses that do not belong to any module address range and have executable memory attributes, the first-occurring one among them is acquired first, the binary instruction information corresponding to that first-occurring stack return address is then queried, and white list matching is performed with it. The other stack return addresses, apart from the first-occurring one, also do not belong to any module but are likely to be invalid addresses; therefore, to improve the accuracy and efficiency of identification, this embodiment may select only the binary instruction information corresponding to the first-occurring stack return address that does not belong to any module address range and has the executable memory attribute for white list matching.
For example, fig. 3 shows the execution sequence of a certain instruction. The stack entries in rows 05, 06 and 07 have stack return addresses that do not belong to any module address range and have the executable memory attribute; in this case, the binary instruction information corresponding to the stack return address of row 05 is queried and used as the white list matching object.
207b. Match the queried binary instruction information with the preset binary instruction information in the preset white list.
In order to further improve matching efficiency and accuracy, optionally, the preset binary instruction information may be the binary instruction information of a specific position interval within the sample binary instruction information. Accordingly, step 207b may specifically include matching the binary instruction information of that specific position interval within the queried binary instruction information with the preset binary instruction information. The specific position interval can be preset according to actual requirements; for example, a match is made against a preset number of bytes starting at a particular byte position in the binary instruction.
208b. If the binary instruction information matches the preset binary instruction information in the preset white list, cancel malicious behavior reporting for the target behavior.
Cancelling the malicious behavior reporting of the target behavior may specifically include: cancelling the malicious behavior alarm output of the target behavior; or acquiring the client that sent the instruction execution sequence characteristics corresponding to the target behavior and sending to that client instruction information for cancelling the malicious behavior alarm output of the target behavior.
For example, if the executing body on the local side is a client, then when monitoring whether the target behavior is malicious by the above discrimination method, if the behavior is a normal behavior in ShellCode mode, the malicious behavior alarm output of the target behavior can be cancelled directly; if the executing body on the local side is a server, the client that uploaded the instruction execution sequence characteristics can be identified and cancellation instruction information sent to it, so that the client cancels the malicious behavior alarm output of the target behavior.
By applying the scheme of this embodiment, the problem of false alarms for all ShellCodes in existing events is solved without losing reports of real ShellCodes. The implementation is also simple and can be done directly by modifying the configuration file. The instruction execution sequences of normal programs executing in ShellCode mode can be filtered out, so that detection of abnormal ShellCode-mode instruction execution sequences becomes more accurate and the accuracy of malicious behavior detection improves.
Further, as a specific implementation of the methods shown in fig. 1 and fig. 2, this embodiment provides a device for removing false alarms of malicious behaviors; as shown in fig. 4, the device includes an acquisition module 31, a query module 32 and a reporting module 33.
The acquisition module 31 may be configured to acquire the instruction execution sequence feature corresponding to the target behavior;
the query module 32 may be configured to query, if a stack return address that does not belong to any module address range and has an executable memory attribute exists in the instruction execution sequence feature, the binary instruction information corresponding to that stack return address;
the reporting module 33 may be configured to cancel the malicious behavior report on the target behavior if the binary instruction information matches the preset binary instruction information in the preset whitelist.
In a specific application scenario, the device may further include: a detection module 34;
the detection module 34 may be configured to detect, before the binary instruction information corresponding to the stack return address is queried, whether the module and symbol of the last stack level of the stack return address are target monitoring points;
the reporting module 33 may be further configured to report the malicious behavior on the target behavior if the module and symbol of the last stack level are target monitoring points;
the query module 32 is specifically configured to query the binary instruction information corresponding to the stack return address if the module and symbol of the last stack level are not target monitoring points.
In a specific application scenario, the query module 32 may be further configured to obtain, if there are multiple stack return addresses in the instruction execution sequence feature that do not belong to any module address range and have an executable memory attribute, the one among them that occurs first, and to query the binary instruction information corresponding to that first-occurring stack return address.
In a specific application scenario, the device further includes: a collection module 35 and a preservation module 36;
the collecting module 35 may be configured to collect false alarm information of malicious behavior;
the acquisition module 31 may be further configured to obtain, from the false alarm information, a sample instruction execution sequence feature corresponding to a falsely reported malicious behavior;
the saving module 36 may be configured to determine, as the preset binary instruction information, sample binary instruction information corresponding to a stack return address that does not belong to any module address range and has an executable memory attribute in the sample instruction execution sequence feature, and aggregate the sample binary instruction information in the preset whitelist.
In a specific application scenario, optionally, the preset binary instruction information is binary instruction information of a specific position interval in the sample binary instruction information; correspondingly, the device also comprises: a matching module 37;
the matching module 37 may be configured to match the binary instruction information of the specific location interval in the queried binary instruction information with the preset binary instruction information.
In a specific application scenario, the device further includes: an update module 38;
the update module 38 may be configured to update the preset binary instruction information in the preset whitelist periodically or aperiodically.
In a specific application scenario, optionally, the malicious behavior report is an attack behavior report about a ShellCode mode.
In a specific application scenario, the reporting module 33 may be specifically configured to cancel the malicious behavior alarm output of the target behavior; or to obtain the client that sent the instruction execution sequence feature corresponding to the target behavior, and to send that client instruction information that cancels the malicious behavior alarm output of the target behavior.
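The steps 207b and 208b above, together with the module division just described (trigger on the first unbacked executable return address, check the last stack level against the monitoring points, query the instruction bytes, compare one position interval against a whitelist built from false-alarm samples), as an added Python model that is not code from the patent or its assignee. The stack layout, the page map, the monitoring points, the interval offset and length, and all byte values are constructed assumptions.

```python
# Added example (not from the patent or its assignee): a small model of the
# false-alarm filter the patent describes, run over constructed data. The stack
# layout, page map, monitoring points and all byte values are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Level:
    addr: int               # address recorded for this stack level
    module: Optional[str]   # module whose address range holds addr, None if none
    symbol: Optional[str]   # resolved symbol, None if unknown
    executable: bool        # the page holding addr is executable

# Hooked API sites the detector treats as "target monitoring points" (constructed).
MONITORING_POINTS = {("kernel32.dll", "CreateProcessW")}

# Whitelist entry: (offset, length, expected bytes) within the queried instruction
# bytes, i.e. the "specific position interval" of the sample bytes.
Entry = Tuple[int, int, bytes]

def read_code(memory: Dict[int, bytes], addr: int, n: int = 16) -> bytes:
    """Read up to n instruction bytes at addr from a page map {page_base: bytes}."""
    base = addr & ~0xFFF
    return memory.get(base, b"")[addr - base:addr - base + n]

def first_unbacked_exec(levels: List[Level]) -> Optional[int]:
    """Index of the first level outside every module range but in executable memory."""
    for i, lv in enumerate(levels):
        if lv.module is None and lv.executable:
            return i
    return None

def entry_from_sample(levels: List[Level], memory: Dict[int, bytes],
                      offset: int = 0, length: int = 6) -> Optional[Entry]:
    """Turn a confirmed false-alarm stack into a whitelist entry: the bytes at its
    first unbacked executable address, reduced to one position interval."""
    i = first_unbacked_exec(levels)
    if i is None:
        return None
    code = read_code(memory, levels[i].addr)
    return (offset, length, code[offset:offset + length])

def matches(code: bytes, whitelist: List[Entry]) -> bool:
    return any(len(code) >= off + ln and code[off:off + ln] == pat
               for off, ln, pat in whitelist)

def decide(levels: List[Level], memory: Dict[int, bytes],
           whitelist: List[Entry]) -> str:
    """Return 'no_trigger', 'report' or 'cancel' for one detected behaviour."""
    i = first_unbacked_exec(levels)
    if i is None:
        return "no_trigger"
    # Assumption: the "last stack" of the return address is the level just inside
    # it (i - 1), so unbacked code that reached the hooked API directly stays reported.
    if i > 0 and (levels[i - 1].module, levels[i - 1].symbol) in MONITORING_POINTS:
        return "report"
    return "cancel" if matches(read_code(memory, levels[i].addr), whitelist) else "report"

# Constructed pages: a JIT-style stub (ordinary x86 prologue/epilogue bytes) that
# caused a false alarm, and an unrelated unbacked region with placeholder bytes.
MEMORY = {
    0xA00000: b"\x00" * 0x10 + b"\x55\x8b\xec\x83\xec\x10\x8b\x45\x08\xc9\xc3",
    0xB00000: b"\xaa\xbb\xcc\xdd\xee\xff" * 4,
}
SAMPLE = [Level(0x7FF01000, "kernel32.dll", "CreateProcessW", True),
          Level(0x7FF22000, "mscorlib.ni.dll", "Process.Start", True),
          Level(0x00A00010, None, None, True),
          Level(0x7FF33000, "clr.dll", "CallDescrWorker", True)]

def demo() -> List[str]:
    wl = [e for e in [entry_from_sample(SAMPLE, MEMORY)] if e]
    direct = [SAMPLE[0], Level(0xB00000, None, None, True)]          # straight into hook
    other = [SAMPLE[0], Level(0x7FF44000, "user32.dll", "MessageBoxW", True),
             Level(0xB00002, None, None, True)]                      # bytes not whitelisted
    backed = [SAMPLE[0], SAMPLE[1], SAMPLE[3]]                       # every level in a module
    return [decide(SAMPLE, MEMORY, wl), decide(direct, MEMORY, wl),
            decide(other, MEMORY, wl), decide(backed, MEMORY, wl)]   # cancel, report, report, no_trigger
```

`demo()` walks the four cases the description distinguishes: the whitelisted sample itself is canceled, unbacked code calling the monitored API directly is still reported, non-matching bytes are reported, and a fully module-backed stack never triggers the check.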
It should be noted that, for other descriptions of each functional unit of the device for removing false alarms of malicious behavior provided in this embodiment, reference may be made to the corresponding descriptions of fig. 1 and fig. 2, which are not repeated here.
Based on the above methods shown in fig. 1 and fig. 2, correspondingly, the present embodiment further provides a storage medium, on which a computer program is stored, where the program, when executed by a processor, implements the above method for misinformation removal of malicious behaviors shown in fig. 1 and fig. 2.
Based on this understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (such as a CD-ROM, a USB flash drive or a removable hard disk) and includes several instructions for causing a computer device (such as a personal computer, a server or a network device) to execute the method described in each implementation scenario of the present application.
Based on the methods shown in fig. 1 and fig. 2 and the virtual device embodiment shown in fig. 4, in order to achieve the above objective, this embodiment further provides an entity device for removing false alarms of malicious behavior, which may specifically be a personal computer, a server, a smart phone, a tablet computer, a smart watch or another network device. The entity device includes a storage medium and a processor: the storage medium stores a computer program, and the processor executes the computer program to implement the method shown in fig. 1 and fig. 2.
Optionally, the physical device may further include a user interface, a network interface, a camera, radio frequency (RF) circuitry, sensors, audio circuitry, a WI-FI module, and the like. The user interface may include a display screen (Display) and an input unit such as a keyboard (Keyboard), and may optionally also include a USB interface, a card reader interface, and the like. The network interface may optionally include a standard wired interface, a wireless interface (e.g., a WI-FI interface), and the like.
Those skilled in the art will appreciate that the structure of the entity device for removing false alarms of malicious behavior provided in this embodiment does not constitute a limitation on the entity device, which may include more or fewer components, combine some components, or arrange the components differently.
The storage medium may also include an operating system and a network communication module. The operating system is a program that manages the hardware and software resources of the entity device and supports the operation of the information processing program and other software and/or programs. The network communication module is used to implement communication among the components in the storage medium and communication with other hardware and software in the information processing entity device.
From the above description of the embodiments, it will be apparent to those skilled in the art that the present application may be implemented by software plus the necessary general-purpose hardware platform, or by hardware. Applying this technical solution removes the false alarms on all ShellCode-mode events without missing reports of real ShellCode; the implementation is simple, since the whitelist can be modified directly in a configuration file; and filtering out the instruction execution sequences of normal programs that execute in the ShellCode mode makes the detection of abnormal ShellCode-mode instruction execution sequences, and thus malicious behavior detection as a whole, more accurate.
Those skilled in the art will appreciate that the drawings are merely schematic illustrations of one preferred implementation scenario, and that the modules or flows in the drawings are not necessarily required to practice the present application. The modules of an apparatus in an implementation scenario may be distributed within that apparatus as described, or, with corresponding changes, may be located in one or more apparatuses different from those of the implementation scenario. The modules of an implementation scenario may be combined into one module or further split into a plurality of sub-modules.
The serial numbers of the foregoing implementation scenarios are merely for description and do not represent their advantages or disadvantages. The foregoing disclosure is merely a few specific implementations of the present application; the present application is not limited thereto, and any variation that can be conceived by a person skilled in the art shall fall within the protection scope of the present application.

Claims (16)

1. A false positive removing method for malicious behaviors, comprising the steps of:
acquiring the instruction execution sequence feature corresponding to the target behavior;
if a stack return address which does not belong to any module address range and has an executable memory attribute exists in the instruction execution sequence feature, querying binary instruction information corresponding to the stack return address;
if the binary instruction information matches preset binary instruction information in a preset whitelist, canceling the malicious behavior report on the target behavior;
the method further comprising the steps of:
collecting false positive information of malicious behaviors;
acquiring, from the false positive information, a sample instruction execution sequence feature corresponding to a falsely reported malicious behavior;
and determining the sample binary instruction information corresponding to a stack return address which does not belong to any module address range and has an executable memory attribute in the sample instruction execution sequence feature as the preset binary instruction information, and aggregating the preset binary instruction information in the preset whitelist.
2. The method of claim 1, wherein prior to the querying binary instruction information corresponding to the stack return address, the method further comprises:
detecting whether a module and a symbol of a last stack of the stack return address are target monitoring points;
if the module and the symbol of the last stack are target monitoring points, carrying out malicious behavior reporting on the target behavior;
and if the module and the symbol of the last stack are not target monitoring points, querying the binary instruction information corresponding to the stack return address.
3. The method according to claim 1, wherein, if there are a plurality of stack return addresses that do not belong to any module address range and have executable memory attributes in the instruction execution sequence feature, the querying of binary instruction information corresponding to the stack return address specifically comprises:
acquiring the first-occurring stack return address among the stack return addresses which do not belong to any module address range and have executable memory attributes;
and querying binary instruction information corresponding to the first-occurring stack return address.
4. The method according to claim 1, wherein the preset binary instruction information is binary instruction information of a specific position interval in the sample binary instruction information;
and matching the queried binary instruction information with preset binary instruction information in the preset whitelist comprises:
matching the binary instruction information of the specific position interval in the queried binary instruction information with the preset binary instruction information.
5. The method according to claim 1, wherein the method further comprises:
updating the preset binary instruction information in the preset whitelist periodically or aperiodically.
6. The method according to any one of claims 1 to 5, wherein the malicious behavior report is an attack behavior report with respect to a ShellCode pattern.
7. The method of claim 1, wherein the canceling the malicious behavior report on the target behavior specifically comprises:
canceling the malicious behavior alarm output of the target behavior; or
acquiring the client that transmitted the instruction execution sequence feature corresponding to the target behavior, and transmitting to the client instruction information for canceling the malicious behavior alarm output of the target behavior.
8. A false alarm removing device for malicious behavior, comprising:
an acquisition module, configured to acquire the instruction execution sequence feature corresponding to the target behavior;
a query module, configured to query binary instruction information corresponding to a stack return address if a stack return address which does not belong to any module address range and has an executable memory attribute exists in the instruction execution sequence feature;
a reporting module, configured to cancel the malicious behavior report on the target behavior if the binary instruction information matches preset binary instruction information in a preset whitelist;
the apparatus further comprising a collection module and a storage module;
the collection module being configured to collect false alarm information of malicious behaviors;
the acquisition module being further configured to acquire, from the false alarm information, a sample instruction execution sequence feature corresponding to a falsely reported malicious behavior;
and the storage module being configured to determine the sample binary instruction information corresponding to a stack return address which does not belong to any module address range and has an executable memory attribute in the sample instruction execution sequence feature as the preset binary instruction information, and to aggregate the preset binary instruction information in the preset whitelist.
9. The apparatus of claim 8, wherein the apparatus further comprises: a detection module;
the detection module being configured to detect, before the binary instruction information corresponding to the stack return address is queried, whether the module and the symbol of the last stack of the stack return address are dangerous;
the reporting module is further configured to report the malicious behavior to the target behavior if the module and the symbol of the last stack are dangerous;
and the query module is specifically configured to query binary instruction information corresponding to the stack return address if the module and the symbol of the last stack are not dangerous.
10. The apparatus of claim 8, wherein
the query module is specifically configured to obtain, if there are multiple stack return addresses that do not belong to any module address range and have executable memory attributes in the instruction execution sequence feature, the stack return address that appears first among them;
and to query binary instruction information corresponding to the first-occurring stack return address.
11. The apparatus of claim 8, wherein the predetermined binary instruction information is binary instruction information of a specific location section in the sample binary instruction information;
the apparatus further comprises: a matching module;
the matching module is used for matching the binary instruction information of the specific position interval in the queried binary instruction information with the preset binary instruction information.
12. The apparatus of claim 8, wherein the apparatus further comprises:
an update module, configured to update the preset binary instruction information in the preset whitelist periodically or aperiodically.
13. The apparatus according to any one of claims 8 to 12, wherein the malicious behavior report is an attack behavior report with respect to a ShellCode pattern.
14. The apparatus of claim 8, wherein
the reporting module is specifically configured to cancel the malicious behavior alarm output of the target behavior; or
to acquire the client that transmitted the instruction execution sequence feature corresponding to the target behavior, and to transmit to the client instruction information for canceling the malicious behavior alarm output of the target behavior.
15. A storage medium having stored thereon a computer program, wherein the program when executed by a processor implements the method of misinformation removal of malicious behaviour according to any one of claims 1 to 7.
16. A misinformation-removing device for malicious behavior, comprising a storage medium, a processor and a computer program stored on the storage medium and executable on the processor, characterized in that the processor implements the misinformation-removing method for malicious behavior according to any one of claims 1 to 7 when executing the program.
CN201910755443.4A 2019-08-15 2019-08-15 Misinformation removing method, device and equipment for malicious behaviors Active CN112395600B (en)

Publications (2)

Publication Number Publication Date
CN112395600A CN112395600A (en) 2021-02-23
CN112395600B true CN112395600B (en) 2023-08-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant