CN114095249A - Malicious attack defense method and device, electronic equipment and storage medium - Google Patents
Malicious attack defense method and device, electronic equipment and storage medium
- Publication number
- CN114095249A (CN202111372923.6A)
- Authority
- CN
- China
- Prior art keywords
- file
- script
- determining
- monitoring
- remote server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
Embodiments of the invention disclose a method and apparatus for defending against malicious attacks, an electronic device, and a storage medium, in the technical field of network security. The invention addresses the problem that fileless attacks cannot be defended against. The method comprises: monitoring download operations of a predetermined file; determining whether a script in the currently downloaded file performs a suspicious operation; if a script in the currently downloaded file performs a suspicious operation, determining that the current system is under a fileless attack; and executing a corresponding fileless-attack defense strategy for the suspicious operation performed by the script in the currently downloaded file. The method is applicable to scenarios that are exposed to malicious attacks.
Description
Technical Field
The invention relates to the technical field of network security, and more particularly to a method and apparatus for defending against malicious attacks, an electronic device, and a storage medium.
Background
Security software typically decides whether an executable file is a malicious program by matching characteristics of the file's on-disk entity against its virus signature database. A fileless attack does not write an executable file entity (such as a PE (Portable Executable) file on Windows or an ELF (Executable and Linkable Format) file on Linux) to the target disk; it exists on the computer in script form and is injected into memory through an interpreter of the computer's operating system to run. Therefore, security software is generally unable to defend against fileless attacks.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and apparatus for defending against malicious attacks, an electronic device, and a storage medium, which can defend against fileless attacks.
To achieve the above purpose, the embodiments of the invention adopt the following technical scheme:
In a first aspect, an embodiment of the present invention provides a method for defending against malicious attacks, comprising: monitoring download operations of a predetermined file; determining whether a script in the currently downloaded file performs a suspicious operation; if a script in the currently downloaded file performs a suspicious operation, determining that the current system is under a fileless attack; and executing a corresponding fileless-attack defense strategy for the suspicious operation performed by the script in the currently downloaded file.
According to a specific implementation of the embodiment of the present invention, monitoring download operations of the predetermined file includes: monitoring download operations of picture files in a predetermined format; and/or monitoring download operations of office activation tools; and/or monitoring download operations of office files; and/or monitoring download operations of cracked software.
According to a specific implementation of the embodiment of the present invention, determining whether a script in the currently downloaded file performs a suspicious operation includes: determining whether a script in the currently downloaded file establishes a connection with a remote server and downloads data from the remote server or uploads local data to the remote server.
According to a specific implementation of the embodiment of the present invention, determining whether a script in the currently downloaded file establishes a connection with a remote server includes: determining whether a command and/or parameter pointing to a remote server exists in a currently executing process; and if a command and/or parameter pointing to a remote server exists in the currently executing process, determining that the script in the currently downloaded file has established a connection with the remote server.
According to a specific implementation of the embodiment of the present invention, determining whether a script in the currently downloaded file performs a suspicious operation further includes: determining whether a script in the currently downloaded file performs at least one of the following operations: encrypting and/or decrypting the script; encrypting local files; copying or deleting the script; modifying the system registry; and modifying system scheduled tasks.
According to a specific implementation of the embodiment of the present invention, executing a corresponding fileless-attack defense strategy for the suspicious operation performed by the script in the currently downloaded file includes executing at least one of the following fileless-attack defense strategies: a document security protection policy; a system script hardening policy; a system built-in program protection policy; and a memory protection policy.
In a second aspect, an embodiment of the present invention provides an apparatus for defending against malicious attacks, comprising: a download monitoring module for monitoring download operations of a predetermined file; a suspicious operation determining module for determining whether a script in the currently downloaded file performs a suspicious operation; a fileless attack determining module for determining that the current system is under a fileless attack if a script in the currently downloaded file performs a suspicious operation; and a defense module for executing a corresponding fileless-attack defense strategy for the suspicious operation performed by the script in the currently downloaded file.
According to a specific implementation of the embodiment of the present invention, the download monitoring module is specifically configured to monitor download operations of picture files in a predetermined format; and/or monitor download operations of office activation tools; and/or monitor download operations of office files; and/or monitor download operations of cracked software.
According to a specific implementation of the embodiment of the present invention, the suspicious operation determining module includes a remote connection determining submodule for determining whether a script in the currently downloaded file establishes a connection with a remote server and downloads data from the remote server or uploads local data to the remote server.
According to a specific implementation of the embodiment of the present invention, the remote connection determining submodule is specifically configured to: determine whether a command and/or parameter pointing to a remote server exists in a currently executing process; and if a command and/or parameter pointing to a remote server exists in the currently executing process, determine that the script in the currently downloaded file has established a connection with the remote server.
According to a specific implementation of the embodiment of the present invention, the suspicious operation determining module further includes at least one of the following submodules: an encryption/decryption determining submodule for determining that the script performs an encryption and/or decryption operation; a script copy/delete determining submodule for determining that the script is copied or deleted; a registry modification determining submodule for determining that an operation modifying the system registry exists; and a scheduled task determining submodule for determining that an operation modifying system scheduled tasks exists.
According to a specific implementation of the embodiment of the present invention, the defense module is specifically configured to execute, for the suspicious operation performed by the script in the currently downloaded file, at least one of the following fileless-attack defense strategies: a document security protection policy; a system script hardening policy; a built-in program protection policy of the operating system; and a memory protection policy.
In a third aspect, an embodiment of the present invention provides an electronic device, including a housing, a processor, a memory, a circuit board, and a power circuit, where the circuit board is disposed inside a space surrounded by the housing, the processor and the memory are disposed on the circuit board, and the power circuit is configured to supply power to each circuit or device of the electronic device; the memory is used for storing executable program codes; the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory, and is used for executing the method for defending against malicious attacks according to any one of the first aspect.
In a fourth aspect, an embodiment of the present invention provides a computer storage medium storing one or more programs which are executable by one or more processors to implement the method for defending against malicious attacks described in any implementation of the first aspect.
With the method, apparatus, electronic device and storage medium for defending against malicious attacks described above, monitoring download operations of the predetermined file during the user's everyday activity makes it possible to determine whether a script exists in a downloaded predetermined file; when a script exists in the predetermined file downloaded by the user, monitoring the script's operations makes it possible to determine whether the current system is under a fileless attack; and when the current system is determined to be under a fileless attack, the corresponding fileless-attack defense strategy can be executed according to the suspicious operation performed by the script. Thus, by monitoring all operations of a script that enters the current system together with the predetermined file, it can be determined whether the current system is under a fileless attack and which defense strategy should be adopted, so that fileless attacks can be defended against.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a flowchart of a method for defending against malicious attacks according to an embodiment of the present invention;
FIG. 2 is a block diagram of an apparatus for defending against malicious attacks according to an embodiment of the present invention;
FIG. 3 is a block diagram of an electronic device according to an embodiment of the invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example one
A fileless attack does not write an executable file entity to the target disk; it exists in the computer's operating system in script form and carries out malicious behaviour using tools or software shipped with the operating system, for example executing a malicious script with PowerShell or batch on Windows, with bash on Linux, or with bash on domestic operating systems. To a whitelist-based or sandbox-based defense, the behaviour of tools shipped with the operating system appears normal, so neither whitelisting nor sandboxing can defend against fileless attacks.
Referring to FIG. 1, a method for defending against malicious attacks provided by an embodiment of the present invention includes:
S01: monitor download operations of a predetermined file.
The predetermined file is a type of file frequently used by attackers for phishing or social engineering. The download operation of the predetermined file may be the download of a mail attachment, a file download in a browser, a bundled download with other software, and so on.
By monitoring downloads of the predetermined file, it can be determined whether a script exists in it. The script in the predetermined file may be JavaScript code, a payload, a macro in an office document, or the like.
S02: determine whether a script in the currently downloaded file performs a suspicious operation.
When a script is determined to exist in the currently downloaded file, all operations of the script are monitored to determine whether any script in the currently downloaded file performs a suspicious operation.
Specifically, after the user runs the downloaded file, the JavaScript code, payload or macro carried in the monitored file may be executed by an interpreter of the operating system (e.g. PowerShell on Windows, bash on Linux).
S03: if a script in the currently downloaded file performs a suspicious operation, determine that the current system is under a fileless attack.
S04: execute a corresponding fileless-attack defense strategy for the suspicious operation performed by the script in the currently downloaded file.
With the method for defending against malicious attacks provided by this embodiment, monitoring download operations of the predetermined file during the user's everyday activity makes it possible to determine whether a script exists in a downloaded predetermined file; when a script exists in the predetermined file downloaded by the user, monitoring the script's operations makes it possible to determine whether the current system is under a fileless attack; and when the current system is determined to be under a fileless attack, the corresponding fileless-attack defense strategy can be executed according to the suspicious operation performed by the script. Thus, by monitoring all operations of a script that enters the current system together with the predetermined file, it can be determined whether the current system is under a fileless attack and which defense strategy should be adopted, so that fileless attacks can be defended against.
Attackers typically carry out fileless attacks by phishing or social engineering. Specifically, an attacker embeds a malicious script in a picture file of a predetermined format, an office activation tool, an office file (especially an office document) or cracked software, then lures the user into downloading and running the file; once the file is run, the embedded malicious script performs operations such as establishing a connection with a remote server or modifying the local system registry through an interpreter of the operating system, and at that point no actual file exists on disk. Accordingly, in one embodiment, monitoring download operations of the predetermined file includes: monitoring download operations of picture files in a predetermined format; and/or monitoring download operations of office activation tools; and/or monitoring download operations of office files; and/or monitoring download operations of cracked software.
The picture file in the predetermined format is generally a BMP file.
Generally, to reduce the risk of being detected and removed by security software, a script that enters the current system together with a predetermined file only has the functions of downloading files and changing system configuration. Such a script therefore needs to establish a connection with a remote server, either to download a script with destructive malicious functionality from the remote server or to upload local data to it. Hence, in an embodiment, determining whether a script in the currently downloaded file performs a suspicious operation includes: determining whether a script in the currently downloaded file establishes a connection with a remote server and downloads data from the remote server or uploads local data to the remote server.
The local data uploaded to the remote server may be system logs, security logs, or the like.
Specifically, in an embodiment, determining whether a script in the currently downloaded file establishes a connection with a remote server includes: determining whether a command and/or parameter pointing to a remote server exists in a currently executing process; and if a command and/or parameter pointing to a remote server exists in the currently executing process, determining that the script in the currently downloaded file has established a connection with the remote server.
Such parameters are generally very numerous, so even when the process carrying them has finished, they cannot be completely cleared.
Copying or deleting the script severs the relation between the script and the currently downloaded file so as to hide the script; encrypting local files allows the user to be held to ransom; modifying the system registry, modifying system scheduled tasks and similar operations can be used to hide or execute malicious scripts, and also to stop certain system services, uninstall security software, modify accounts, disable the firewall, leave backdoors, and so on. Therefore, in an embodiment, determining whether a script in the currently downloaded file performs a suspicious operation further includes: determining whether a script in the currently downloaded file performs at least one of the following operations: encrypting and/or decrypting the script; encrypting local files; copying or deleting the script; modifying the system registry; and modifying system scheduled tasks.
Specifically, on Windows a dynamic link library may be registered with regsvr32.exe to modify the system registry, a scheduled task may be created with schtasks.exe to modify system scheduled tasks, a file may be downloaded with certutil.exe, and so on; on Linux, a boot-time service may be created with systemctl, a scheduled task with crontab, a file may be downloaded with wget or curl, a reverse shell may be obtained with bash or nc, and so on; on domestic operating systems, likewise, systemctl creates boot-time services, crontab creates scheduled tasks, wget or curl download files, and bash or nc obtain a reverse shell. Thus, when a malicious script encrypts and/or decrypts itself, encrypts local files, copies or deletes itself, modifies the system registry, modifies system scheduled tasks or issues other system-level commands, it can reconfigure the operating system without depending on any other application. Monitoring the script's operations to determine whether it performs a suspicious operation, and hence whether the current operating system is under a fileless attack, is therefore an effective approach.
Because a fileless attack generally loads a malicious script from the local system or a remote server and then modifies the system registry and system scheduled tasks, the script itself can be hidden and the malicious script on the remote server is automatically downloaded or executed again after the system restarts, achieving a persistent attack; moreover, execution is decentralized and remote, for example a first local malicious script runs in a first time period and a second local and/or remote-server malicious script runs in a second time period. Therefore, in an embodiment, executing a corresponding fileless-attack defense strategy for the suspicious operation performed by the script in the currently downloaded file includes executing at least one of the following fileless-attack defense strategies: a document security protection policy; a system script hardening policy; a system built-in program protection policy; and a memory protection policy.
Specifically, the document security protection policy includes:
1. Filtering abnormal connection addresses: specifically, the real IP address behind a connection address is determined by DNS resolution, and when that real IP address is an overseas IP address, the current system's connection to that address is cut off.
2. Disabling scripts in office documents within the predetermined file: specifically, when a VBA macro is detected in an office document in the downloaded predetermined file, the VBA macro is disabled; when embedded JavaScript is detected in the office document in the downloaded predetermined file, the JavaScript item is deleted; and when a new patch for the office software is available, it is applied promptly.
3. Filtering abnormal mail: specifically, whether a mail is abnormal is determined jointly from whether it has an attachment, whether it was mass-sent into the network, and whether its sender is an abnormal contact. When all three are "yes", the mail is determined to be abnormal and is filtered out.
4. USB storage device protection: specifically, only authorized devices may connect to the current system, and the document-copying behaviour of authorized devices is monitored.
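The mail-filtering rule (attachment present, mass-sent, sender not a known contact, all three required) and the VBA-macro check from the document security policy can be implemented against parsed messages. The Python below is an added example written for this page, not code from the patent. It builds a constructed message with the standard library, counts distinct recipients against an assumed mass-send threshold, compares the sender with an assumed contact list, and detects a VBA project in an attached Office Open XML document by listing the zip container for a word/vbaProject.bin entry (a minimal constructed document stands in for a real file).

```python
import io
import zipfile
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed threshold and contact list; a real gateway would take these from
# its configuration and address book.
MASS_SEND_THRESHOLD = 20
KNOWN_CONTACTS = {"alice@example.com", "bob@example.com"}


def make_docx(with_macro):
    """Constructed stand-in for an Office Open XML document. Only the part
    that matters here is modelled: a macro-enabled document carries a
    word/vbaProject.bin entry inside the zip container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"constructed VBA project stub")
    return buf.getvalue()


def has_vba_project(data):
    """Detect a VBA project by listing the zip entries. Data that is not a
    valid zip is reported as macro-free by this particular check."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def build_sample_mail(sender, n_recipients, attachment=None, filename="invoice.docm"):
    """Constructed message with n distinct To recipients and an optional attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(f"user{i}@example.com" for i in range(n_recipients))
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached document.")
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg


def recipient_count(msg):
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return len({addr.lower() for _, addr in getaddresses(headers) if addr})


def sender_address(msg):
    pairs = getaddresses(msg.get_all("From", []))
    return pairs[0][1].lower() if pairs else ""


def is_abnormal_mail(msg, contacts=KNOWN_CONTACTS, threshold=MASS_SEND_THRESHOLD):
    """The three-way rule from the description: all three conditions must hold."""
    has_attachment = any(True for _ in msg.iter_attachments())
    mass_sent = recipient_count(msg) >= threshold
    unknown_sender = sender_address(msg) not in contacts
    return has_attachment and mass_sent and unknown_sender


def macro_attachments(msg):
    """File names of attachments that embed a VBA project."""
    return [part.get_filename() for part in msg.iter_attachments()
            if has_vba_project(part.get_content())]


if __name__ == "__main__":
    mail = build_sample_mail("mallory@example.net", 25, make_docx(True))
    print("abnormal:", is_abnormal_mail(mail), "macros in:", macro_attachments(mail))
```

Note that the three conditions are combined with AND exactly as the text states; a macro-bearing attachment from a known contact, or to a handful of recipients, is not filtered by this rule and is left to the macro-disabling step instead.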
The system script hardening policy includes:
1. Setting up a cryptographic environment; specifically, scripts are prohibited from starting in the cryptographic environment.
2. Setting up a secure directory; specifically, only scripts installed in the secure directory may be launched.
3. An execution-permission confirmation mechanism; specifically, when a script is found to have execute permission, that execute permission is removed.
4. A secondary confirmation mechanism; specifically, a secondary confirmation by the user is required when a script performs an extranet download, modifies the registry, or modifies a scheduled task. Further, a secondary confirmation mechanism may also be applied to the secure directory, that is, installing a script into the secure directory requires a secondary confirmation by the user.
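The secure-directory rule and the secondary-confirmation rule above can be combined into one launch decision. The Python below is an added example written for this page, not code from the patent: it resolves the script's real path before comparing it with the secure directory, so that a symlink placed inside the secure directory but pointing elsewhere, or a ".." traversal, is rejected, and it asks for secondary confirmation only for the operations the text names. The directory layout it creates is constructed in a temporary directory; the operation labels are this example's own.

```python
import os
import tempfile

# Operations for which the description requires a secondary user confirmation.
SECONDARY_CONFIRMATION_OPS = {
    "extranet_download", "registry_modification", "scheduled_task_modification",
}


def is_in_secure_directory(script_path, secure_dir):
    """True only if the script's real path lies inside the secure directory.
    realpath() follows symlinks and resolves "..", and commonpath() (rather
    than a string prefix test) stops /opt/secure2/x from matching /opt/secure."""
    real_script = os.path.realpath(script_path)
    real_dir = os.path.realpath(secure_dir)
    try:
        return os.path.commonpath([real_script, real_dir]) == real_dir
    except ValueError:  # different drives on Windows: cannot be inside
        return False


def launch_decision(script_path, secure_dir, requested_ops, user_confirmed=False):
    """Return 'deny', 'confirm' or 'allow' for a script launch request."""
    if not is_in_secure_directory(script_path, secure_dir):
        return "deny"
    if requested_ops & SECONDARY_CONFIRMATION_OPS and not user_confirmed:
        return "confirm"
    return "allow"


def demo():
    """Build a constructed layout: a secure directory holding one genuine
    script and one symlink that points outside it, plus a traversal path."""
    with tempfile.TemporaryDirectory() as tmp:
        secure = os.path.join(tmp, "secure")
        outside = os.path.join(tmp, "outside")
        os.makedirs(secure)
        os.makedirs(outside)
        good = os.path.join(secure, "backup.sh")
        stray = os.path.join(outside, "stray.sh")
        for path in (good, stray):
            with open(path, "w") as f:
                f.write("#!/bin/sh\n")
        link = os.path.join(secure, "link.sh")
        try:
            os.symlink(stray, link)
            symlink_result = is_in_secure_directory(link, secure)
        except OSError:  # platform or account without symlink privilege
            symlink_result = None
        traversal = os.path.join(secure, "..", "outside", "stray.sh")
        return {
            "good": launch_decision(good, secure, set()),
            "good_needs_confirm": launch_decision(good, secure, {"extranet_download"}),
            "good_confirmed": launch_decision(good, secure, {"extranet_download"}, True),
            "traversal": launch_decision(traversal, secure, set()),
            "symlink_inside": symlink_result,
        }


if __name__ == "__main__":
    print(demo())
```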
The system built-in program protection policy includes:
1. Prohibiting scripts from calling at least some of the system's built-in programs, which include regsvr32.exe, schtasks.exe, systemctl and crontab. Specifically, when a script calls such a built-in program, the call is intercepted and blocked.
2. Prohibiting scripts from using unusual ports; specifically, when a network connection is established to an unusual port, and especially to a foreign IP, it is intercepted and blocked.
3. Regularly inspecting the system's startup items and scheduled-task names and handling abnormal entries promptly. For example, when an abnormal process appears in a startup item and/or a scheduled task, the user is warned in time.
4. Renaming system programs, for example renaming systemctl to systemctl_Linux, which prevents malicious scripts from calling the program because a malicious script that calls systemctl then fails with an error.
The memory protection policy includes:
1. Prohibiting injection into programs running in memory.
2. Determining whether a file running in memory exists on the current system's disk; specifically, the executable file path of the running program is obtained by inspecting the running program, and it is checked whether a file exists at that path.
3. When a program runs strace, ptrace or ltrace and attaches to another program, intercepting and blocking the attach.
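Item 2 of the memory protection policy (does the running program's executable path still exist on disk?) is a concrete check on Linux, where the kernel exposes each process's executable through the /proc/<pid>/exe symlink. The Python below is an added example written for this page, not code from the patent: the pure classification function takes the link target as a string and reports whether it is a file on disk, a file that has been unlinked since the process started (the kernel appends " (deleted)"), an anonymous memory-backed file (a "/memfd:" target), or a path that simply does not exist; a scanner walks /proc on Linux and returns nothing elsewhere. The status labels are this example's own.

```python
import os
import sys
import tempfile


def disk_backing_status(exe_target):
    """Classify the target of a process's executable link, i.e. what
    os.readlink('/proc/<pid>/exe') returns on Linux.
    Returns 'memfd', 'deleted', 'on_disk' or 'missing'."""
    if exe_target.startswith("/memfd:"):
        return "memfd"          # anonymous in-memory file, never on disk
    if exe_target.endswith(" (deleted)"):
        return "deleted"        # file was unlinked after the process started
    return "on_disk" if os.path.exists(exe_target) else "missing"


def scan_linux_processes():
    """Walk /proc on Linux and return {pid: (exe_target, status)} for every
    process whose executable is not a file on disk. Returns {} on other
    platforms and silently skips processes it may not inspect."""
    findings = {}
    if not sys.platform.startswith("linux"):
        return findings
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(f"/proc/{entry}/exe")
        except OSError:  # kernel thread, permission denied, or process exited
            continue
        status = disk_backing_status(target)
        if status != "on_disk":
            findings[int(entry)] = (target, status)
    return findings


def demo():
    """Exercise the classifier with a constructed file that is created, then
    removed, plus the two kernel-style link targets."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        path = f.name
    present = disk_backing_status(path)
    os.unlink(path)
    gone = disk_backing_status(path)
    return (
        present,
        gone,
        disk_backing_status(path + " (deleted)"),
        disk_backing_status("/memfd:constructed (deleted)"),
    )


if __name__ == "__main__":
    print(demo())
    for pid, (target, status) in sorted(scan_linux_processes().items()):
        print(pid, status, target)
```

Reading /proc/<pid>/exe for processes owned by other users needs elevated privileges, so a production scanner runs as a privileged service; a process whose own executable is reported as "deleted" or "memfd" is exactly the in-memory-only case the policy is meant to surface, although legitimate package upgrades also leave "deleted" executables behind until the service restarts.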
Specifically, in one example of defending against a malicious attack, when it is detected that a user is downloading a picture file in a predetermined format, an office activation tool, an office file (especially an office document) or cracked software, the document security protection policy is executed to intercept and block it. If the user, lured by the attacker's phishing or social engineering, downloads the predetermined file to the local computer and runs it, script execution is monitored after the predetermined file runs; when the script performs one or more of encrypting local files, copying or deleting itself, modifying the system registry, modifying system scheduled tasks and establishing a connection with a remote server, the system script hardening policy is executed to intercept and block those operations, so as to defend against a fileless ransomware attack.
In another example of defending against a malicious attack, when it is detected that a user is downloading a picture file in a predetermined format, an office activation tool, an office file (especially an office document) or cracked software, the document security protection policy is executed to intercept and block the picture file, office activation tool, office file or cracked software. If the user, lured by the attacker's phishing or social engineering, downloads the predetermined file to the local computer and runs it, script execution is monitored after the predetermined file runs; when the script modifies the system registry, modifies system scheduled tasks or performs similar operations so that a command becomes resident in the system and the script is pulled up periodically, the system script hardening policy is executed to intercept and block the command, so as to defend against a fileless mining attack.
Example two
Referring to fig. 2, an embodiment of the present invention provides a defense apparatus against malicious attacks, comprising: a download monitoring module 201, configured to monitor the download operation of a predetermined file; a suspicious operation determining module 202, configured to determine whether a script in the currently downloaded file performs a suspicious operation; a fileless attack determining module 203, configured to determine that the current system is under a fileless attack if a script in the currently downloaded file performs a suspicious operation; and a defense module 204, configured to execute the corresponding fileless attack defense strategy for the suspicious operation performed by the script in the currently downloaded file.
With the defense apparatus against malicious attacks provided by this embodiment, monitoring the download operation of the predetermined file during the user's ordinary use determines whether a script exists in the downloaded predetermined file; when such a script exists, monitoring the script's operations determines whether the current system is under a fileless attack; and once a fileless attack is determined, the corresponding fileless attack defense strategy is executed according to the suspicious operation the script performed. In this way, by monitoring every operation of a script that enters the current system together with the predetermined file, both whether the system is under a fileless attack and which defense strategy to adopt can be determined, and the fileless attack can be defended against.
In an embodiment, the download monitoring module 201 is specifically configured to monitor the download operation of a picture file in a predetermined format; and/or the download operation of an office activation tool; and/or the download operation of an office file; and/or the download operation of cracked software.
When an attacker phishes or socially engineers a user into downloading a file, the file is usually a picture file in BMP format, an office activation tool, an office file (in particular an office document) or cracked software. Such files are generally pre-loaded with a malicious script, and after the user executes the file, the malicious script is run by an interpreter of the operating system (for example PowerShell on Windows or bash on Linux).
Generally, a script that enters the current system together with a predetermined file only has the functions of downloading files and changing system configuration, so as to reduce the risk of being detected and killed by security software. Because such a script needs to establish a connection with a remote server, either to download a script with a malicious destructive function from the remote server or to upload local data to the remote server, in an embodiment the suspicious operation determining module 202 includes a remote connection determining submodule, configured to determine whether a script in the currently downloaded file establishes a connection with a remote server and downloads data from it or uploads local data to it.
In an embodiment, the remote connection determining submodule is specifically configured to: determine whether a command and/or a parameter pointing to a remote server exists in the currently executed process; and if such a command and/or parameter exists, determine that the script in the currently downloaded file has established a connection with the remote server.
In this case the number of parameters is generally very large, so that when the process carrying them finishes, the process cannot be completely cleared away.
Because copying or deleting the script can cut the link between the script and the currently downloaded file and thereby hide the script; encrypting local files can be used to extort the user; and modifying the system registry, modifying system scheduled tasks and similar operations can be used to hide or execute malicious scripts, and also to stop certain system services, uninstall security software, modify accounts, disable the firewall, leave backdoors and so on; therefore, in an embodiment, the suspicious operation determining module 202 further includes at least one of the following submodules: an encryption and decryption determining submodule, configured to determine that the script performs an encryption and/or decryption operation; a script copying or deleting submodule, configured to determine that the script is copied or deleted; a registry modification determining submodule, configured to determine that an operation modifying the system registry exists; and a scheduled task determining submodule, configured to determine that an operation modifying a system scheduled task exists.
A fileless attack generally loads a malicious script from a local or remote server and then modifies the system registry and system scheduled tasks, so that the script itself is hidden and the malicious script on the remote server is automatically downloaded or executed after the system restarts, achieving a persistent attack; the scripts can also be executed in a distributed and remote manner, for example a first malicious script on the local server is executed in a first period and a second malicious script on the local and/or remote server is executed in a second period. Therefore, in an embodiment, the defense module 204 is specifically configured to execute, for the suspicious operation performed by the script in the currently downloaded file, at least one of the following fileless attack defense strategies: executing a document security protection policy; executing a system script reinforcement strategy; executing an operating system built-in program protection strategy; and executing a memory protection strategy.
Here, the fileless attack defense strategies executed by the defense module 204 are the same as those in the first embodiment and are not described again.
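As an added illustration of modules 201 to 204 described above (example code written for this page, not the patent's own implementation), the following classifier applies the download monitor, the remote-connection check on process parameters, and the other sub-modules to constructed endpoint events. The event fields, the file-name patterns for each predetermined file kind, and the operation names are assumptions; only the download-to-document-policy and script-operation-to-reinforcement-strategy pairings given in the first embodiment's examples are encoded.

```python
import re
from dataclasses import dataclass, field

# Download monitoring module 201: the predetermined file kinds named in the
# text. The file-name patterns are assumptions made for this example.
PREDETERMINED_DOWNLOADS = {
    "picture_bmp": re.compile(r"\.bmp$", re.I),
    "office_activation_tool": re.compile(r"(kms|activat)", re.I),
    "office_document": re.compile(r"\.(docx?|xlsx?|pptx?)$", re.I),
    "cracked_software": re.compile(r"(crack|keygen)", re.I),
}

# Remote connection determining submodule: a command or parameter in the
# currently executed process that points at a remote server (URL, UNC path
# or a bare IPv4 address).
REMOTE_SERVER = re.compile(
    r"(https?://|ftp://|\\\\[\w.-]+\\|\b(?:\d{1,3}\.){3}\d{1,3}\b)", re.I)

# Operation names the hypothetical event source reports, one per remaining
# sub-module of module 202 (encryption/decryption, copy/delete, registry,
# scheduled task).
SUSPICIOUS_OPERATIONS = {
    "encrypt_script", "decrypt_script", "encrypt_local_file",
    "copy_script", "delete_script",
    "modify_registry", "modify_scheduled_task",
}


@dataclass
class ScriptEvent:
    downloaded_file: str                 # predetermined file the script arrived with
    command_line: str                    # command line of the executed process
    operations: list[str] = field(default_factory=list)


def download_kind(path: str):
    """Module 201: which predetermined file kind this download is, or None."""
    for kind, pattern in PREDETERMINED_DOWNLOADS.items():
        if pattern.search(path):
            return kind
    return None


def suspicious_operations(ev: ScriptEvent) -> set[str]:
    """Module 202: suspicious operations performed by the script."""
    found = {op for op in ev.operations if op in SUSPICIOUS_OPERATIONS}
    if REMOTE_SERVER.search(ev.command_line):
        found.add("remote_connection")
    return found


def assess(ev: ScriptEvent) -> dict:
    """Modules 203/204: only downloads of a predetermined file are monitored;
    a suspicious operation by their script means a fileless attack."""
    kind = download_kind(ev.downloaded_file)
    if kind is None:
        return {"download_kind": None, "operations": set(),
                "fileless_attack": False, "strategies": []}
    ops = suspicious_operations(ev)
    strategies = ["document security protection policy"]
    if ops:
        strategies.append("system script reinforcement strategy")
    return {"download_kind": kind, "operations": ops,
            "fileless_attack": bool(ops), "strategies": strategies}


# Constructed sample events; not taken from any real incident.
SAMPLE_EVENTS = [
    ScriptEvent(r"C:\Users\u\Downloads\report.docx", "winword.exe report.docx"),
    ScriptEvent(r"C:\Users\u\Downloads\photo.bmp",
                "powershell.exe -w hidden -File stage.ps1 http://203.0.113.5/stage2",
                ["modify_registry", "modify_scheduled_task", "delete_script"]),
    ScriptEvent(r"C:\Users\u\Downloads\setup.exe", "setup.exe /S", ["modify_registry"]),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.downloaded_file, assess(ev))
```

The third sample event shows the scope limit the text implies: a registry change by an installer that did not arrive as one of the predetermined file kinds is outside module 201's scope and is not classified.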
Example three
Referring to fig. 3, an embodiment of the present invention provides an electronic device, which includes a housing 301, a processor 302, a memory 303, a circuit board 304, and a power circuit 305, wherein the circuit board 304 is disposed inside a space enclosed by the housing 301, the processor 302 and the memory 303 are disposed on the circuit board 304, and the power circuit 305 is configured to supply power to various circuits or devices of the electronic device; the memory 303 is used to store executable program code; the processor 302 executes a program corresponding to the executable program code by reading the executable program code stored in the memory 303, so as to execute the method for defending against malicious attacks according to any one of the first embodiment.
Example four
The embodiment of the invention provides a computer storage medium, wherein one or more programs are stored in the computer storage medium, and the one or more programs can be executed by one or more processors to realize the method for defending against malicious attacks, which is described in the first embodiment.
The embodiment of the invention provides a method and an apparatus for defending against malicious attacks, an electronic device and a storage medium, wherein whether a script exists in the currently downloaded file is determined by monitoring the download operations of picture files in a predetermined format, office activation tools, office files and cracked software; when a script exists in the currently downloaded file, its operations are monitored, and when the script connects to a remote server or performs suspicious operations such as encrypting and/or decrypting itself, encrypting local files, copying or deleting itself, modifying the system registry or modifying system scheduled tasks, the current system is determined to be under a fileless attack, and one or more of the document security protection policy, the system script reinforcement strategy, the operating system built-in program protection strategy and the memory protection strategy are executed for the one or more suspicious operations performed by the script, so as to defend against the fileless attack.
It should be noted that, in this document, the emphasis points of the solutions described in the embodiments are different, but there is a certain correlation relationship between the embodiments, and in understanding the solution of the present invention, the embodiments may be referred to each other; moreover, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (14)
1. A method for defending against malicious attacks, comprising:
monitoring a downloading operation of a predetermined file;
determining whether a script in the currently downloaded file performs a suspicious operation;
if a script in the currently downloaded file performs a suspicious operation, determining that the current system is under a fileless attack;
and executing the corresponding fileless attack defense strategy for the suspicious operation performed by the script in the currently downloaded file.
2. The method of claim 1, wherein the monitoring of the downloading of the predetermined file comprises:
monitoring the downloading operation of the picture file with the preset format; and/or
Monitoring a download operation of the office activation tool; and/or
Monitoring downloading operation of the office file; and/or
and monitoring the downloading operation of cracked software.
3. The method for defending against malicious attacks according to claim 1, wherein the determining whether the current downloaded file has a script to perform suspicious operations comprises:
and determining whether a script in the current download file establishes connection with a remote server, and downloading data from the remote server or uploading local data to the remote server.
4. The method for defending against malicious attacks according to claim 3, wherein the determining whether a script in the currently downloaded file establishes a connection with a remote server comprises:
determining whether a command and/or a parameter pointing to a remote server exists in a currently executed process;
and if the command and/or the parameter pointing to the remote server exists in the currently executed process, determining that the script in the currently downloaded file establishes connection with the remote server.
5. The method of claim 3, wherein the determining whether the script in the currently downloaded file performs suspicious operations further comprises:
determining whether a script exists in the current download file to execute at least one of the following operations:
carrying out encryption and/or decryption operation on the script;
carrying out encryption operation on the local file;
copying or deleting the script;
modifying a system registry;
and modifying the system planning task.
6. The method for defending against malicious attacks according to claim 1, wherein executing the corresponding fileless attack defense strategy for the suspicious operation performed by the script in the currently downloaded file comprises:
for the suspicious operation performed by the script in the currently downloaded file, executing at least one of the following fileless attack defense strategies:
executing a document security protection policy;
executing a system script reinforcement strategy;
executing a built-in program protection strategy of an operating system;
and executing the memory protection strategy.
7. A defense apparatus against malicious attacks, comprising:
the download monitoring module is used for monitoring the download operation of the preset file;
the suspicious operation determining module is used for determining whether a script in the current download file executes suspicious operation or not;
the fileless attack determining module is used for determining that the current system is under a fileless attack if the script in the currently downloaded file performs a suspicious operation;
and the defense module is used for executing the corresponding fileless attack defense strategy for the suspicious operation performed by the script in the currently downloaded file.
8. The apparatus for defending against malicious attacks according to claim 7, wherein the download monitoring module is specifically configured to:
monitoring the downloading operation of the picture file with the preset format; and/or
Monitoring a download operation of the office activation tool; and/or
Monitoring the downloading operation of the office file; and/or
and monitoring the downloading operation of cracked software.
9. The apparatus of claim 7, wherein the suspicious operation determination module comprises:
and the remote connection determining submodule is used for determining whether a script in the current download file establishes connection with a remote server or not, and downloading data from the remote server or uploading local data to the remote server.
10. The apparatus for defending against malicious attacks according to claim 9, wherein the remote connection determination submodule is specifically configured to:
determining whether a command and/or a parameter pointing to a remote server exists in a currently executed process;
and if the command and/or the parameter pointing to the remote server exists in the currently executed process, determining that the script in the currently downloaded file establishes connection with the remote server.
11. The apparatus of claim 9, wherein the suspicious operation determination module further comprises at least one of the following:
the encryption and decryption determining submodule is used for determining that the script has encryption and/or decryption operation; and/or determining that there is an encryption operation on the local file;
the script copying or deleting submodule is used for determining that the script is subjected to copying or deleting operation;
the registry modification determining submodule is used for determining that the operation of modifying the system registry exists;
and the planning task determining submodule is used for determining that the operation of modifying the system planning task exists.
12. The apparatus as claimed in claim 7, wherein the defense module is specifically configured to:
for the suspicious operation performed by the script in the currently downloaded file, executing at least one of the following fileless attack defense strategies:
executing a document security protection policy;
executing a system script reinforcement strategy;
executing a built-in program protection strategy of an operating system;
and executing the memory protection strategy.
13. An electronic device, comprising: the electronic equipment comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space enclosed by the shell, the processor and the memory are arranged on the circuit board, and the power circuit is used for supplying power to each circuit or device of the electronic equipment; the memory is used for storing executable program codes; the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory for executing the method for defending against a malicious attack as recited in any one of claims 1 to 6.
14. A computer storage medium, characterized in that the computer storage medium stores one or more programs executable by one or more processors to implement the method of defending against a malicious attack as recited in any one of claims 1-6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111372923.6A CN114095249A (en) | 2021-11-18 | 2021-11-18 | Malicious attack defense method and device, electronic equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114095249A true CN114095249A (en) | 2022-02-25 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20220225 |