CN114281771A - Malicious code naming method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN114281771A
Authority
CN
China
Prior art keywords
malicious code
dimension
target
code file
naming
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111614170.5A
Other languages
Chinese (zh)
Inventor
叶佳旭
董雷
肖新光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Antiy Technology Group Co Ltd
Original Assignee
Antiy Technology Group Co Ltd
Application filed by Antiy Technology Group Co Ltd
Priority to CN202111614170.5A
Publication of CN114281771A

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides a malicious code naming method and device, electronic equipment and a storage medium, applied in the technical field of network security. The method comprises the following steps: acquiring file information of multiple dimensions of a malicious code file; judging whether the file information of the malicious code file in the target dimension meets a preset naming condition corresponding to the target dimension; when the judgment result is yes, determining a malicious code name corresponding to the malicious code file based on the naming mode corresponding to the target dimension; and when the judgment result is no, setting the dimension that follows the target dimension in a preset dimension order as the new target dimension, and continuing to judge whether the file information of the malicious code file in the newly set target dimension meets the preset naming condition corresponding to it. With this technical scheme, malicious code files can be named quickly, efficiently and accurately, and the convenience and effectiveness of malicious code naming are improved.

Description

Malicious code naming method and device, electronic equipment and storage medium
[ technical field ]
The invention relates to the technical field of network security, in particular to a malicious code naming method and device, electronic equipment and a storage medium.
[ background of the invention ]
The most intuitive summary of a malicious code file is often its name, which can reveal the file's type, running platform, core behavior and other information reflecting its nature and content.
However, the amount of information in today's networks has exploded, and the number of malicious code files has grown just as explosively. To keep a malicious code file from being noticed by the user, an attacker often gives it a meaningless name such as Agent, Malicious, Gen or Suspicious, or even a string of meaningless digits. As a result, a user who encounters the malicious code file cannot recognize it as malicious in time.
Meanwhile, when known malicious code files are catalogued and analyzed, they also need to be named sensibly, so that they are easier to identify and users understand them better. In the related art, however, known malicious code files usually have to be analyzed and named manually, which is time-consuming and labor-intensive.
Therefore, how to name a large number of malicious code files quickly and efficiently becomes a technical problem to be solved urgently at present.
[ summary of the invention ]
The embodiments of the invention provide a malicious code naming method and device, electronic equipment and a storage medium, aiming to solve the technical problems in the related art that malicious code files are hard to identify because of their excessive number and are difficult to name.
In a first aspect, an embodiment of the present invention provides a method for naming malicious code, including: acquiring file information of multiple dimensions of a malicious code file; judging whether the file information of the malicious code file in a target dimension meets a preset naming condition corresponding to the target dimension; when the judgment result is yes, determining a malicious code name corresponding to the malicious code file based on the naming mode corresponding to the target dimension; and when the judgment result is no, setting the dimension that follows the target dimension in a preset dimension order as the target dimension, and continuing to judge whether the file information of the malicious code file in the newly set target dimension meets the preset naming condition corresponding to it.
In the above embodiment of the present invention, optionally, the preset dimension order is, according to the priority order, respectively: a known name mapping relationship dimension, a digital signature dimension, an interface function dimension, and a static information dimension.
In the above embodiment of the present invention, optionally, judging whether the file information of the malicious code file in the target dimension meets the preset naming condition corresponding to the target dimension includes: when the target dimension is the known name mapping relationship dimension, determining whether the malicious code file matches a known malicious code family name based on the C2 information of the malicious code file and a preset mapping library; when the malicious code file matches a known malicious code family name, determining the malicious code name corresponding to the malicious code file based on the naming mode corresponding to the target dimension includes: determining that known malicious code family name as the malicious code name corresponding to the malicious code file; when the malicious code file does not match any known malicious code family name, the step of setting the next dimension after the target dimension as the target dimension includes: setting the digital signature dimension as the target dimension.
In the above embodiment of the present invention, optionally, judging whether the file information of the malicious code file in the target dimension meets the preset naming condition corresponding to the target dimension includes: when the target dimension is the digital signature dimension, determining whether the malicious code file carries a digital signature and whether that signature is valid; when the malicious code file carries a valid signature, determining the malicious code name corresponding to the malicious code file based on the naming mode corresponding to the target dimension includes: determining the names of all parties to the valid signature as the malicious code name corresponding to the malicious code file; when the malicious code file does not carry a valid signature, the step of setting the next dimension after the target dimension as the target dimension includes: setting the interface function dimension as the target dimension.
In the above embodiment of the present invention, optionally, judging whether the file information of the malicious code file in the target dimension meets the preset naming condition corresponding to the target dimension includes: when the target dimension is the interface function dimension, determining, for the target function with the highest call count among the interface functions used by the malicious code file, whether the call count of the target function is greater than or equal to a specified threshold; when the call count of the target function is greater than the specified threshold, determining the malicious code name corresponding to the malicious code file based on the naming mode corresponding to the target dimension includes: taking the name of the target function, or preset name information corresponding to the target function, as the malicious code name corresponding to the malicious code file; when the call count of the target function is less than the specified threshold, the step of setting the next dimension after the target dimension as the target dimension includes: setting the static information dimension as the target dimension.
In the above embodiment of the present invention, optionally, judging whether the file information of the malicious code file in the target dimension meets the preset naming condition corresponding to the target dimension includes: when the target dimension is the static information dimension, determining that the static information of the malicious code file meets the corresponding preset naming condition; determining the malicious code name corresponding to the malicious code file based on the naming mode corresponding to the target dimension includes: selecting, based on a preset static information priority, the target static information with the highest priority from the plurality of static information items of the malicious code file, and taking the target static information, or preset name information corresponding to it, as the malicious code name corresponding to the malicious code file.
In the above embodiment of the present invention, optionally, judging whether the file information of the malicious code file in the target dimension meets the preset naming condition corresponding to the target dimension includes: when the target dimension is the static information dimension, determining that the static information of the malicious code file meets the corresponding preset naming condition; determining the malicious code name corresponding to the malicious code file based on the naming mode corresponding to the target dimension includes: concatenating the plurality of static information items of the malicious code file in order of priority from high to low to obtain comprehensive static information, which is used as the malicious code name corresponding to the malicious code file.
In a second aspect, an embodiment of the present invention provides a malicious code naming apparatus, including: a file information acquisition unit, configured to acquire file information of multiple dimensions of a malicious code file; a naming condition verification unit, configured to judge whether the file information of the malicious code file in the target dimension meets a preset naming condition corresponding to the target dimension; a first execution unit, configured to determine a malicious code name corresponding to the malicious code file based on the naming mode corresponding to the target dimension when the judgment result of the naming condition verification unit is yes; and a second execution unit, configured, when the judgment result of the naming condition verification unit is no, to set the dimension that follows the target dimension in a preset dimension order as the target dimension and to continue judging whether the file information of the malicious code file in the newly set target dimension meets the preset naming condition corresponding to it.
In the above embodiment of the present invention, optionally, the preset dimension order is, according to the priority order, respectively: a known name mapping relationship dimension, a digital signature dimension, an interface function dimension, and a static information dimension.
In the foregoing embodiment of the present invention, optionally, the naming condition verification unit is configured to: when the target dimension is the known name mapping relationship dimension, determine whether the malicious code file matches a known malicious code family name based on the C2 information of the malicious code file and a preset mapping library; when the malicious code file matches a known malicious code family name, the first execution unit is configured to: determine that known malicious code family name as the malicious code name corresponding to the malicious code file; when the malicious code file does not match any known malicious code family name, the second execution unit is configured to: set the digital signature dimension as the target dimension.
In the foregoing embodiment of the present invention, optionally, the naming condition verification unit is configured to: when the target dimension is the digital signature dimension, determine whether the malicious code file carries a digital signature and whether that signature is valid; when the malicious code file carries a valid signature, the first execution unit is configured to: determine the names of all parties to the valid signature as the malicious code name corresponding to the malicious code file; when the malicious code file does not carry a valid signature, the second execution unit is configured to: set the interface function dimension as the target dimension.
In the foregoing embodiment of the present invention, optionally, the naming condition verification unit is configured to: when the target dimension is the interface function dimension, determine, for the target function with the highest call count among the interface functions used by the malicious code file, whether the call count of the target function is greater than or equal to a specified threshold; when the call count of the target function is greater than the specified threshold, the first execution unit is configured to: take the name of the target function, or preset name information corresponding to the target function, as the malicious code name corresponding to the malicious code file; when the call count of the target function is less than the specified threshold, the second execution unit is configured to: set the static information dimension as the target dimension.
In the foregoing embodiment of the present invention, optionally, the naming condition verification unit is configured to: when the target dimension is the static information dimension, determine that the static information of the malicious code file meets the corresponding preset naming condition; the first execution unit is configured to: select, based on a preset static information priority, the target static information with the highest priority from the plurality of static information items of the malicious code file, and take the target static information, or preset name information corresponding to it, as the malicious code name corresponding to the malicious code file.
In the foregoing embodiment of the present invention, optionally, the naming condition verification unit is configured to: when the target dimension is the static information dimension, determine that the static information of the malicious code file meets the corresponding preset naming condition; the first execution unit is configured to: concatenate the plurality of static information items of the malicious code file in order of priority from high to low to obtain comprehensive static information, which is used as the malicious code name corresponding to the malicious code file.
In a third aspect, an embodiment of the present invention provides an electronic device, including: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor, the instructions being arranged to perform the method of any of the first aspects above.
In a fourth aspect, an embodiment of the present invention provides a storage medium storing computer-executable instructions for performing the method flow described in any one of the first aspect.
With this technical scheme, addressing the problems in the related art that malicious code files are hard to identify because of their sheer number and are difficult to name, malicious code files can be named quickly, efficiently and accurately; the convenience and effectiveness of malicious code naming are improved; a user can quickly learn the content and nature of a malicious code file from the resulting name; and the efficiency of network security maintenance is improved.
[ description of the drawings ]
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 illustrates a flow diagram of a malicious code naming method according to one embodiment of the present invention;
FIG. 2 illustrates a block diagram of a malicious code naming apparatus, according to one embodiment of the present invention;
FIG. 3 shows a block diagram of an electronic device according to an embodiment of the invention.
[ detailed description ]
For better understanding of the technical solutions of the present invention, the following detailed descriptions of the embodiments of the present invention are provided with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the examples of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
In an actual scenario, if a known malicious code file needs to be named, the following technical solution of the present application may be adopted.
In another practical scenario, a traffic detection device may be provided outside the electronic device, or a traffic detection module inside it. When external traffic passes through the traffic detection device or module, malicious code files in the traffic are identified by it and named using the technical scheme below, so that the user can know the attack content carried in the traffic.
FIG. 1 shows a flow diagram of a malicious code naming method according to one embodiment of the present invention.
As shown in fig. 1, a flow of a malicious code naming method according to an embodiment of the present invention includes:
Step 102: file information of multiple dimensions of the malicious code file is obtained.
The preset dimension order, by priority, is: the known name mapping relationship dimension, the digital signature dimension, the interface function dimension, and the static information dimension. The higher the priority of a dimension, the more fully a name derived from that dimension reflects the substantive content of the malicious code file, and the better the user can understand the file from it.
The file information of the known name mapping relationship dimension is the PE structure information, timestamp, version, bit width and the like, from which the C2 information of the malicious code file can be determined for the subsequent judgment steps; the file information of the digital signature dimension is the digital signature and its validity; the file information of the interface function dimension is the names and call counts of the interface functions; the static information dimension includes, but is not limited to, the mutexes used by the sample, PDB paths, GUIDs, special strings and other items that reveal the structure or content of the malicious code file.
Step 104: judge whether the file information of the malicious code file in the target dimension meets the preset naming condition corresponding to the target dimension; if so, proceed to step 106, otherwise proceed to step 108.
Step 106: determine the malicious code name corresponding to the malicious code file based on the naming mode corresponding to the target dimension.
If the file information of the malicious code file in the target dimension meets the preset naming condition corresponding to the target dimension, the naming mode corresponding to the target dimension can be invoked to name the malicious code file. For the first judgment, the target dimension is the known name mapping relationship dimension, which has the highest priority among the dimensions.
Step 108: set the dimension that follows the target dimension in priority order as the new target dimension, return to step 104, and continue to judge whether the file information of the malicious code file in the newly set target dimension meets its preset naming condition.
If the file information of the malicious code file in the target dimension does not meet the preset naming condition corresponding to the target dimension, the next lower-priority dimension is examined in turn, in priority order, until the preset naming condition of some dimension is met.
With this technical scheme, malicious code files are automatically named from the highest-priority dimension available among their multiple dimensions, so the more important dimension is preferentially used for naming. This effectively improves the reliability of malicious code naming while also improving its automation and convenience: the name reveals as much of the substantive content of the malicious code file as possible, helping users understand and learn about the file.
Specifically, when the target dimension is the known name mapping relationship dimension, step 104 includes: determining whether the malicious code file matches a known malicious code family name based on the C2 information of the malicious code file and the mapping, held in the preset mapping library, between C2 information and known malicious code family names; when the malicious code file matches a known malicious code family name, step 106 includes: determining that family name as the malicious code name corresponding to the malicious code file; when the malicious code file does not match any known malicious code family name, step 108 includes: setting the digital signature dimension as the target dimension.
Beforehand, the family names and C2 information of known malicious code must be acquired, and the association between each family name and its C2 information stored in a preset mapping library. Specifically, the family names and C2 information of known malicious code can be acquired by web crawling and by manual entry. Crawling yields content such as description information, analysis reports, family names and C2 information of known malicious code, while manual entry captures content such as yara rules, family names and C2 information of known malicious code. Here, C2 information refers to information that identifies the malicious code, including but not limited to sample hash, URL, domain name and IP.
After the information is acquired by crawling and manual entry, each piece of C2 information is associated with its family name on that basis and stored in the preset mapping library.
Then, if the preset mapping library has a known malicious code family name matching with the C2 information of the malicious code file, the known malicious code family name can be directly set as the malicious code name corresponding to the malicious code file. In this way, the family to which the malicious code file belongs can be directly shown in the name, so that the user can quickly know the provenance and the corresponding characteristics of the malicious code based on the name.
Otherwise, if the preset mapping library contains no known malicious code family name matching the C2 information of the malicious code file, the digital signature dimension is entered for the second-step judgment.
Specifically, in the second-step judgment, step 104 includes: when the target dimension is the digital signature dimension, determining whether the malicious code file carries a digital signature and whether that signature is valid; when the malicious code file carries a valid signature, step 106 includes: determining the names of all parties to the valid signature as the malicious code name corresponding to the malicious code file; when the malicious code file does not carry a valid signature, step 108 includes: setting the interface function dimension as the target dimension.
If the malicious code file carries a digital signature and the signature is valid, this indicates that the file was produced or distributed by the owner of that signature, who is therefore at least one of the sources of the malicious code file. The name of the owner of the valid signature can thus be used directly as the malicious code name corresponding to the file, so that a user learns the source of the malicious code file from its name and can act on that source accordingly.
Otherwise, if the malicious code file does not have the valid digital signature, the source of the malicious code file is unclear, and the interface function dimension is entered for the third step of judgment.
Specifically, in the third-step judgment, step 104 includes: when the target dimension is the interface function dimension, determining, for the target function with the highest call count among the interface functions used by the malicious code file, whether the call count of the target function is greater than or equal to a specified threshold; when the call count of the target function is greater than the specified threshold, step 106 includes: taking the name of the target function, or preset name information corresponding to the target function, as the malicious code name corresponding to the malicious code file; when the call count of the target function is less than the specified threshold, step 108 includes: setting the static information dimension as the target dimension.
Interface functions used by malicious code files include, but are not limited to, process call functions, network call functions, file call functions, registry call functions, service call functions. In the case where the family name and source of the malicious code file cannot be known, a name may be set for it based on the interface function of its main application to show by name that the main behavior of the malicious code file is to use the interface function.
If the call count of the most-called target function among the interface functions exceeds the specified threshold, that target function is sufficient to represent the main behavior of the malicious code file, and a name can be set for the file based on it.
The name of the target function can be directly used as the name of the malicious code file, so that a user can directly know that the main behavior of the malicious code file is to use the interface function based on the name. Or, corresponding predetermined name information may be set for the target function, where the predetermined name information is common information related to the target function, and thus, based on the predetermined name information, the user may also directly know that the main behavior of the malicious code file is to use the interface function.
When the call count of the target function is less than the specified threshold, even the most-called function is not enough to represent the main behavior of the malicious code file, so another naming method is needed, and the static information dimension can be entered for the fourth-step judgment.
In another possible design, if the most-called target function is actually several functions tied on call count, their names, concatenated in the functions' priority order, can be used as the name of the malicious code file, or the preset name information corresponding to those functions, concatenated in the same priority order, can be used as the name.
In another possible design, all functions whose call count exceeds the specified threshold are extracted from the functions used by the malicious code file, and their names are concatenated in order of call count from most to least as the name of the malicious code file, or the preset name information corresponding to those functions is concatenated in the same order as the name.
In another possible design, all functions with the calling times larger than a specified threshold value in a plurality of calling functions used by the malicious code file can be extracted, and corresponding weights are set for all the functions based on the calling times and the priorities of all the functions. And connecting the names of the functions as the names of the malicious code files according to the sequence of the weights of the functions from high to low, or connecting the preset name information corresponding to the functions as the names of the malicious code files according to the sequence of the weights of the functions from high to low.
In addition, for any interface function used by the malicious code file, the occurrence frequency of the keywords corresponding to the interface function in the file information of the malicious code file is determined, and the occurrence frequency is determined as the calling frequency of the interface function.
For example, an interface function keyword list may be set, and the list stores: 5 keywords related to a process call function, 4 keywords related to a network call function, 3 keywords related to a file call function, 2 keywords related to a registry call function, and 1 keyword related to a service call function.
Suppose that among the functions called by the malicious code file only a process calling function and a service calling function appear: keyword a of the process calling function appears 3 times, keyword b appears 3 times, the other keywords appear 0 times, and keyword x of the service calling function appears 7 times. If the preset threshold is 6, the calling frequency of the service calling function is determined to be 7, which is greater than the preset threshold of 6, so the service calling function is determined to be the target function.
It should be understood that the above example is only one implementation included in the present application, and the practical application of the present application is not limited to the numerical limitations given by the example.
In the fourth step, step 104 includes: when the target dimension is the static information dimension, determining that the static information of the malicious code file meets a corresponding preset naming condition; step 106 comprises: selecting target static information with the highest priority from a plurality of static information of the malicious code file based on a preset static information priority; and taking the target static information or the preset name information corresponding to the target static information as the malicious code name corresponding to the malicious code file.
Because the static information dimension is the last dimension and the static information is in any case to be used directly to name the malicious code file, the fourth judgment step directly determines that the static information of the malicious code file meets the corresponding preset naming condition, and the static information of the malicious code file is used directly as its name.
The specific naming mode is as follows: the target static information with the highest priority is selected from the static information of the malicious code file and used as the malicious code name corresponding to the malicious code file. Since the highest-priority static information best reflects the property or influence of the malicious code file in the static information dimension, naming the file after it lets a user quickly and effectively learn the file's static information from the name. Alternatively, preset name information reflecting the core of the target static information can be set for it, and this preset name information is used as the malicious code name corresponding to the malicious code file, so that the user can quickly and effectively learn the most influential static information of the malicious code file from the name.
In another possible design, step 104 includes: when the target dimension is the static information dimension, determining that the static information of the malicious code file meets a corresponding preset naming condition; step 106 comprises: and connecting the plurality of static information of the malicious code file in sequence according to the sequence of the priority levels of the static information from high to low to obtain comprehensive static information which is used as the name of the malicious code corresponding to the malicious code file.
Therefore, all static information can be embodied in the name of the malicious code file, so that a user can comprehensively know the specific situation of the static information through the name of the malicious code file, and the knowledge and the processing of the malicious code file are facilitated.
Through the technical scheme, the malicious code file can be named quickly, efficiently and accurately, convenience and effectiveness of naming the malicious code are improved, a user can conveniently and quickly know the content and the property of the malicious code file through the obtained name, and efficiency of network security maintenance is improved.
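As an added example (not the patent's own code), the following Python sketch strings the four dimensions together in the preset order, with the interface function step counting keyword occurrences as the text describes and the static information step offering both the highest-priority and the concatenated naming modes. The keyword table, priority lists, preset name information, threshold and sample file are all constructed assumptions; the sample reproduces the text's worked example (process keywords 3 + 3, service keyword 7, threshold 6).

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data (assumptions, not the patent's own lists): the text only says the
# keyword list holds 5 process, 4 network, 3 file, 2 registry and 1 service keyword.
KEYWORDS = {
    "proc_a": "process", "proc_b": "process", "proc_c": "process",
    "proc_d": "process", "proc_e": "process",
    "net_a": "network", "net_b": "network", "net_c": "network", "net_d": "network",
    "file_a": "file", "file_b": "file", "file_c": "file",
    "reg_a": "registry", "reg_b": "registry",
    "svc_x": "service",
}
FUNCTION_PRIORITY = ["process", "network", "file", "registry", "service"]  # tie-break order
FUNCTION_NAMES = {"process": "ProcCaller", "network": "NetCaller", "file": "FileCaller",
                  "registry": "RegCaller", "service": "SvcCaller"}   # preset name information
STATIC_PRIORITY = ["packer", "compiler", "file_type"]                # static info priority
CALL_THRESHOLD = 6  # the threshold used in the text's worked example


@dataclass
class FileInfo:
    """Multi-dimensional file information of one malicious code file (constructed shape)."""
    c2: list = field(default_factory=list)          # C2 indicators found in the sample
    signature: Optional[dict] = None                # {"signer": str, "valid": bool}
    tokens: list = field(default_factory=list)      # extracted strings / import names
    static: dict = field(default_factory=dict)      # static information by category


def call_counts(tokens, keywords=KEYWORDS):
    """Calling frequency of each interface function = occurrences of its keywords."""
    counts = {}
    for tok in tokens:
        func = keywords.get(tok)
        if func is not None:
            counts[func] = counts.get(func, 0) + 1
    return counts


def name_by_mapping(c2, mapping_lib):
    """Dimension 1: match C2 information against the mapping library of known families."""
    for indicator in c2:
        if indicator in mapping_lib:
            return mapping_lib[indicator]
    return None


def name_by_signature(sig):
    """Dimension 2: the signing party's name, only if a signature exists and is valid."""
    if sig and sig.get("valid") and sig.get("signer"):
        return sig["signer"]
    return None


def name_by_interface(counts, threshold=CALL_THRESHOLD, use_preset=True):
    """Dimension 3: the most-called function, if its count exceeds the threshold.
    Equal counts are broken by FUNCTION_PRIORITY (the text's alternative design joins them)."""
    if not counts:
        return None
    best = max(counts, key=lambda f: (counts[f], -FUNCTION_PRIORITY.index(f)))
    if counts[best] <= threshold:
        return None
    return FUNCTION_NAMES[best] if use_preset else best


def name_by_static(static, concatenate=False):
    """Dimension 4: highest-priority static item, or all items joined from high to low."""
    present = [k for k in STATIC_PRIORITY if k in static]
    if not present:
        return None
    return ".".join(static[k] for k in present) if concatenate else static[present[0]]


def name_malware(info, mapping_lib, concatenate_static=False):
    """Walk the preset dimension order; the first dimension whose condition holds names the file."""
    steps = [
        ("known_name_mapping", lambda: name_by_mapping(info.c2, mapping_lib)),
        ("digital_signature", lambda: name_by_signature(info.signature)),
        ("interface_function", lambda: name_by_interface(call_counts(info.tokens))),
        ("static_information", lambda: name_by_static(info.static, concatenate_static)),
    ]
    for dimension, produce in steps:
        name = produce()
        if name is not None:
            return dimension, name
    return "none", None  # only reached when the file carries no static information at all


# The text's worked example: process keywords a and b appear 3 times each, service keyword x
# appears 7 times; with threshold 6 the service call function (7 > 6) becomes the target.
EXAMPLE = FileInfo(tokens=["proc_a"] * 3 + ["proc_b"] * 3 + ["svc_x"] * 7,
                   static={"packer": "UPX", "file_type": "PE32"})
```

Running `name_malware(EXAMPLE, {})` yields `('interface_function', 'SvcCaller')`; a file with a matching C2 indicator or a valid signature stops at an earlier dimension, and one with nothing above the threshold falls through to the static information name.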
FIG. 2 illustrates a block diagram of a malicious code naming apparatus according to one embodiment of the present invention.
As shown in fig. 2, an embodiment of the present invention provides a malicious code naming apparatus 200, including: a file information obtaining unit 202, configured to obtain file information of multiple dimensions of a malicious code file; a naming condition verification unit 204, configured to determine whether file information of the malicious code file in a target dimension meets a predetermined naming condition corresponding to the target dimension; a first executing unit 206, configured to determine, when the determination result of the naming condition verifying unit is yes, a malicious code name corresponding to the malicious code file based on the naming mode corresponding to the target dimension; and the second executing unit 208 is configured to, when the determination result of the naming condition verifying unit is negative, set a next consequent dimension of the target dimension as a target dimension in a preset dimension order, and continuously determine whether file information of the malicious code file in the target dimension set this time meets a predetermined naming condition corresponding to the target dimension.
In the above embodiment of the present invention, optionally, the preset dimension order is, according to the priority order, respectively: a known name mapping relationship dimension, a digital signature dimension, an interface function dimension, and a static information dimension.
In the above embodiment of the present invention, optionally, the naming condition verification unit 204 is configured to: when the target dimension is the known name mapping relationship dimension, determine whether the malicious code file matches a known malicious code family name based on the C2 information of the malicious code file and a preset mapping library; when the malicious code file matches a known malicious code family name, the first execution unit 206 is configured to determine that known malicious code family name as the malicious code name corresponding to the malicious code file; when the malicious code file does not match a known malicious code family name, the second execution unit 208 is configured to set the digital signature dimension as the target dimension.
In the above embodiment of the present invention, optionally, the naming condition verification unit 204 is configured to: when the target dimension is the digital signature dimension, determine whether the malicious code file has a digital signature and whether that digital signature is valid; when the malicious code file has a valid signature, the first execution unit 206 is configured to determine all signing-party names of the valid signatures as the malicious code name corresponding to the malicious code file; when the malicious code file does not have a valid signature, the second execution unit 208 is configured to set the interface function dimension as the target dimension.
In the above embodiment of the present invention, optionally, the naming condition verification unit 204 is configured to: when the target dimension is the interface function dimension, determining whether the calling frequency of the target function is greater than or equal to a specified threshold value or not for the target function with the maximum calling frequency in a plurality of interface functions used by the malicious code file; when the number of calls of the target function is greater than the specified threshold, the first execution unit 206 is configured to: taking the name of the target function or preset name information corresponding to the target function as a malicious code name corresponding to the malicious code file; when the number of calls of the target function is less than the specified threshold, the second execution unit 208 is configured to: and setting the static information dimension as a target dimension.
In the above embodiment of the present invention, optionally, the apparatus further includes a calling frequency determining unit, configured to determine, for any interface function used by the malicious code file, the occurrence frequency of the keywords corresponding to that interface function in the file information of the malicious code file, and to determine that occurrence frequency as the calling frequency of the interface function.
In the above embodiment of the present invention, optionally, the naming condition verification unit 204 is configured to: when the target dimension is the static information dimension, determining that the static information of the malicious code file meets a corresponding preset naming condition; the first execution unit 206 is configured to: selecting target static information with the highest priority from a plurality of static information of the malicious code file based on a preset static information priority; and taking the target static information or the preset name information corresponding to the target static information as the malicious code name corresponding to the malicious code file.
In the above embodiment of the present invention, optionally, the naming condition verification unit 204 is configured to: when the target dimension is the static information dimension, determining that the static information of the malicious code file meets a corresponding preset naming condition; the first execution unit 206 is configured to: and connecting the plurality of static information of the malicious code file in sequence according to the sequence of the priority levels of the static information from high to low to obtain comprehensive static information which is used as the name of the malicious code corresponding to the malicious code file.
The malicious code naming apparatus 200 uses the scheme described in any of the above embodiments, and therefore, has all the technical effects described above, and is not described herein again.
FIG. 3 shows a block diagram of an electronic device of one embodiment of the invention.
As shown in FIG. 3, an electronic device 300 of one embodiment of the invention includes at least one memory 302; and a processor 304 communicatively coupled to the at least one memory 302; wherein the memory stores instructions executable by the at least one processor 304, the instructions being configured to perform the scheme described in any of the above embodiments. Therefore, the electronic device 300 has the same technical effects as any of the above embodiments, and will not be described herein again.
The electronic device of embodiments of the present invention exists in a variety of forms, including but not limited to:
(1) Mobile communication devices, which are characterized by mobile communication capabilities and are primarily aimed at providing voice and data communications. Such terminals include smartphones (e.g., iPhone), multimedia phones, feature phones, and low-end phones, among others.
(2) Ultra-mobile personal computer devices, which belong to the category of personal computers, have computing and processing functions, and generally have mobile internet access. Such terminals include PDA, MID, and UMPC devices, such as iPad.
(3) Portable entertainment devices, which can display and play multimedia content. Such devices include audio and video players (e.g., iPod), handheld game consoles, e-book readers, as well as smart toys and portable car navigation devices.
(4) Servers, which are similar to a general computer architecture but have higher requirements on processing capability, stability, reliability, security, scalability, manageability and the like, because they need to provide highly reliable services.
(5) Other electronic devices with data interaction functions.
In addition, an embodiment of the present invention provides a storage medium, which stores computer-executable instructions for executing the method flow described in any of the foregoing embodiments.
The technical scheme of the invention is described in detail in combination with the attached drawings, and by the technical scheme of the invention, the malicious code file can be named quickly, efficiently and accurately, so that the convenience and the effectiveness of naming the malicious code are improved, a user can conveniently and quickly know the content and the property of the malicious code file through the obtained name, and the efficiency of network security maintenance is improved.
The word "if" as used herein may be interpreted as "at the time of", "when", "in response to a determination" or "in response to a detection", depending on the context. Similarly, the phrases "if determined" or "if detected (a stated condition or event)" may be interpreted as "when determined", "in response to a determination", "when detected (a stated condition or event)" or "in response to detecting (a stated condition or event)", depending on the context.
In the embodiments provided in the present invention, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions in actual implementation, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
An integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) or a processor to execute some of the steps of the methods according to the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. A method for naming malicious code, comprising:
acquiring file information of multiple dimensions of a malicious code file;
judging whether file information of the malicious code file in a target dimension meets a preset naming condition corresponding to the target dimension;
when the judgment result is yes, determining a malicious code name corresponding to the malicious code file based on the naming mode corresponding to the target dimension;
and when the judgment result is negative, setting the next consequent dimension of the target dimension as the target dimension in a preset dimension sequence, and continuously judging whether the file information of the malicious code file in the set target dimension meets a preset naming condition corresponding to the target dimension.
2. The malicious code naming method according to claim 1, wherein the preset dimension order is, according to the priority order, respectively: a known name mapping relationship dimension, a digital signature dimension, an interface function dimension, and a static information dimension.
3. The method for naming malicious codes according to claim 2, wherein the step of judging whether the file information of the malicious code file in the target dimension meets a predetermined naming condition corresponding to the target dimension comprises:
when the target dimension is the known name mapping relation dimension, determining whether the malicious code file is matched with a known malicious code family name or not based on the C2 information of the malicious code file and a preset mapping library, wherein,
when the malicious code file is matched with a known malicious code family name, the determining a malicious code name corresponding to the malicious code file based on the naming mode corresponding to the target dimension includes:
determining the known malicious code family name as a malicious code name corresponding to the malicious code file;
when the malicious code file does not match the known malicious code family name, the step of setting the next consequent dimension of the target dimension as the target dimension includes:
setting the digital signature dimension as a target dimension.
4. The method for naming malicious codes according to claim 2, wherein the step of judging whether the file information of the malicious code file in the target dimension meets a predetermined naming condition corresponding to the target dimension comprises:
when the target dimension is the digital signature dimension, determining whether the malicious code file has a digital signature and whether the digital signature is a valid signature;
when the malicious code file has the valid signature, determining a malicious code name corresponding to the malicious code file based on the naming mode corresponding to the target dimension, including:
determining all signing-party names of the valid signatures as the malicious code name corresponding to the malicious code file;
when the malicious code file does not have the valid signature, the step of setting the next consequent dimension of the target dimension as the target dimension comprises:
and setting the interface function dimension as a target dimension.
5. The method for naming malicious codes according to claim 2, wherein the step of judging whether the file information of the malicious code file in the target dimension meets a predetermined naming condition corresponding to the target dimension comprises:
when the target dimension is the interface function dimension, determining whether the calling frequency of the target function is greater than or equal to a specified threshold value or not for the target function with the maximum calling frequency in a plurality of interface functions used by the malicious code file;
when the number of times of calling the target function is greater than the specified threshold, determining a malicious code name corresponding to the malicious code file based on the naming mode corresponding to the target dimension, including:
taking the name of the target function or preset name information corresponding to the target function as a malicious code name corresponding to the malicious code file;
when the number of calls of the target function is less than the specified threshold, the step of setting the next consequent dimension of the target dimension as the target dimension includes:
and setting the static information dimension as a target dimension.
6. The method for naming malicious codes according to claim 2, wherein the step of judging whether the file information of the malicious code file in the target dimension meets a predetermined naming condition corresponding to the target dimension comprises:
when the target dimension is the static information dimension, determining that the static information of the malicious code file meets a corresponding preset naming condition;
the determining the malicious code name corresponding to the malicious code file based on the naming mode corresponding to the target dimension includes:
selecting target static information with the highest priority from a plurality of static information of the malicious code file based on a preset static information priority;
and taking the target static information or the preset name information corresponding to the target static information as the malicious code name corresponding to the malicious code file.
7. The method for naming malicious codes according to claim 2, wherein the step of judging whether the file information of the malicious code file in the target dimension meets a predetermined naming condition corresponding to the target dimension comprises:
when the target dimension is the static information dimension, determining that the static information of the malicious code file meets a corresponding preset naming condition;
the determining the malicious code name corresponding to the malicious code file based on the naming mode corresponding to the target dimension includes:
and connecting the plurality of static information of the malicious code file in sequence according to the sequence of the priority levels of the static information from high to low to obtain comprehensive static information which is used as the name of the malicious code corresponding to the malicious code file.
8. A malicious code naming apparatus, comprising:
the file information acquisition unit is used for acquiring file information of multiple dimensions of the malicious code file;
the naming condition verification unit is used for judging whether the file information of the malicious code file in the target dimension meets a preset naming condition corresponding to the target dimension;
the first execution unit is used for determining a malicious code name corresponding to the malicious code file based on the naming mode corresponding to the target dimension when the judgment result of the naming condition verification unit is yes;
and the second execution unit is used for setting the next consequent dimension of the target dimension as the target dimension according to the preset dimension sequence when the judgment result of the naming condition verification unit is negative, and continuously judging whether the file information of the malicious code file under the target dimension set at this time meets the preset naming condition corresponding to the target dimension.
9. An electronic device, comprising: at least one processor; and a memory communicatively coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, the instructions being arranged to perform the method of any of the preceding claims 1 to 7.
10. A storage medium having stored thereon computer-executable instructions for performing the method flow of any of claims 1-7.
Application CN202111614170.5A, filed 2021-12-27 (priority date 2021-12-27): Malicious code naming method and device, electronic equipment and storage medium. Status: pending.

Publication CN114281771A (en), published 2022-04-05. Family ID 80876091. Country status: CN.


Legal Events

PB01 Publication
SE01 Entry into force of request for substantive examination