CN114297630A - Malicious data detection method and device, storage medium and processor - Google Patents

Malicious data detection method and device, storage medium and processor

Info

Publication number: CN114297630A
Authority: CN (China)
Prior art keywords: data, target, pointer, determining, attack
Legal status: Pending
Application number: CN202111502059.7A
Other languages: Chinese (zh)
Inventors: 刘志诚, 贺志强, 许勇, 蒋自立
Current assignee: Hillstone Networks Co Ltd
Original assignee: Hillstone Networks Co Ltd
Priority date:
Filing date:
Publication date:
Application filed by Hillstone Networks Co Ltd; priority to application CN202111502059.7A; published as CN114297630A; legal status pending.

Abstract

The application discloses a method and a device for detecting malicious data, a storage medium and a processor. The method comprises: in a sandbox system, acquiring structural information of target data, the structural information comprising at least a stack-top pointer pointing to the target data; judging whether a target attack pointer, that is, a pointer pointing to malicious data, exists in the structural information; if it does, acquiring the number of target attack pointers; and determining from that number that the target data is malicious. The method and device address the low efficiency of malicious data detection in the related art.

Description

Malicious data detection method and device, storage medium and processor
Technical Field
The present application relates to the field of information security technologies, and in particular, to a method and an apparatus for detecting malicious data, a storage medium, and a processor.
Background
Software vulnerabilities are flaws in the logic design or in the implementation of application software or operating-system software. In real-world attack and defense, an attacker can exploit a software vulnerability to run malicious code of their choosing on a victim's machine and thereby take control of it. Many exploitation techniques exist; ROP (return-oriented programming) is one of them.
In the related art, the instruction stream is captured by instrumentation and the statistical features of an ROP attack are computed over the captured instructions. This requires capturing and storing a very large number of assembly instructions, consumes substantial computing resources, and is therefore hard to apply in a real large-scale sandbox system.
No effective solution has yet been proposed for the low efficiency of malicious data detection in the related art.
Disclosure of Invention
The present application mainly aims to provide a method, an apparatus, a storage medium, and a processor for detecting malicious data, so as to solve the problem of low malicious data detection efficiency in the related art.
To achieve the above object, according to one aspect of the present application, a method for detecting malicious data is provided. The method comprises: in a sandbox system, acquiring structural information of target data, the structural information comprising at least a stack-top pointer pointing to the target data; judging whether a target attack pointer, that is, a pointer pointing to malicious data, exists in the structural information; if it does, acquiring the number of target attack pointers; and determining from that number that the target data is malicious.
Further, before acquiring the structural information of the target data, the method comprises: receiving the data to be detected; determining the stack-top pointer for the data to be detected; reading, through a target interface, a first preset number of bytes starting at the position of the stack-top pointer, these bytes being intercepted from the data to be detected; and taking those bytes as the target data.
Further, before judging whether a target attack pointer exists in the structural information, the method comprises: dividing the first preset bytes into several groups of a second preset number of bytes, the first preset number being larger than the second; and traversing the structural information of each group to obtain a traversal result.
Further, judging whether a target attack pointer exists in the structural information comprises: if the traversal result indicates that a target system pointer exists in the structural information, storing the target system pointer; judging whether the target system pointer points to a preset assembly instruction, the preset assembly instruction being code that malicious data executes; if it does, determining that the target system pointer is a secondary pointer pointing to malicious data; and in that case, determining that a target attack pointer exists in the structural information.
Further, determining from the number that the target data is malicious comprises: judging whether the number of target attack pointers exceeds a target threshold; and if it does, determining that the target data is malicious.
Further, after determining that the target data is malicious, the method comprises: marking the target data to obtain marked data; and outputting the marked data.
To achieve the above object, according to another aspect of the present application, a malicious data detection apparatus is provided. The apparatus comprises: a first acquisition unit for acquiring, in the sandbox system, the structural information of target data, the structural information comprising at least a stack-top pointer pointing to the target data; a judging unit for judging whether a target attack pointer, that is, a pointer pointing to malicious data, exists in the structural information; a second acquisition unit for acquiring the number of target attack pointers if any exist in the structural information; and a first determining unit for determining from that number that the target data is malicious.
Further, the apparatus comprises: a receiving unit for receiving the data to be detected before the structural information of the target data is acquired; a second determining unit for determining the stack-top pointer of the data to be detected; a third acquisition unit for reading, through the target interface, a first preset number of bytes starting at the position of the stack-top pointer, these bytes being intercepted from the data to be detected; and a third determining unit for taking those bytes as the target data.
Further, the apparatus further comprises: the grouping unit is used for grouping the data of the first preset byte before judging whether the target attack pointer exists in the structural information to obtain a plurality of data of the second preset byte, wherein the first preset byte is larger than the second preset byte; and the traversing unit is used for traversing the structural information of the data of each second preset byte to obtain a traversing result.
Further, the judging unit includes: the storage module is used for storing the target system pointer if the traversal result indicates that the target system pointer exists in the structural information; the first judgment module is used for judging whether the target system pointer is a pointer pointing to a preset assembly instruction, wherein the preset assembly instruction is an execution code of malicious data; the first determining module is used for determining that the target system pointer is a secondary pointer pointing to malicious data if the target system pointer is a pointer pointing to a preset assembly instruction; and the second determining module is used for determining that a target attack pointer exists in the structural information under the condition that the target system pointer is a secondary pointer pointing to the malicious data.
Further, the first determination unit includes: the second judgment module is used for judging whether the quantity information of the target attack pointers is larger than a target threshold value or not; and the third determining module is used for determining the target data as malicious data if the quantity information of the target attack pointers is greater than the target threshold value.
Further, the apparatus further comprises: the marking unit is used for marking the target data after the target data are determined to be malicious data according to the quantity information to obtain marked data; and the output unit is used for outputting the marked data.
According to another aspect of the embodiments of the present application, there is also provided a processor configured to execute a program, where the program executes to perform the method of any one of the above.
According to another aspect of embodiments of the present application, there is also provided a computer-readable storage medium having stored thereon a computer program/instructions which, when executed by a processor, perform the method of any one of the above.
Through the present application, the following steps are adopted: in a sandbox system, acquiring structural information of target data, the structural information comprising at least a stack-top pointer pointing to the target data; judging whether a target attack pointer, that is, a pointer pointing to malicious data, exists in the structural information; if it does, acquiring the number of target attack pointers; and determining from that number that the target data is malicious. This solves the problem of low malicious data detection efficiency in the related art: by counting the target attack pointers in the sandbox system and deciding from that count whether the target data is malicious, detection efficiency is improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments of the application and, together with the description, serve to explain the application and are not intended to limit the application. In the drawings:
fig. 1 is a flowchart of a method for detecting malicious data according to an embodiment of the present application;
fig. 2 is a flowchart of reading stack data in the malicious data detection method according to an embodiment of the present application;
fig. 3 is a flowchart of searching for a target system pointer according to an embodiment of the present application;
fig. 4 is a flowchart of malicious data determination of a malicious data detection method according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a sandbox system of a method for detecting malicious data according to an embodiment of the present application;
fig. 6 is a schematic diagram of a malicious data detection apparatus according to an embodiment of the present application.
Detailed Description
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It should be understood that the data so used may be interchanged under appropriate circumstances such that embodiments of the application described herein may be used. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
For convenience of description, some terms or expressions referred to in the embodiments of the present application are explained below:
ROP: Return-oriented Programming, an attack technique based on code reuse.
Gadget: in an ROP attack, a short piece of assembly code that is already present in memory, in a loaded library (.dll) or in the executable file itself, and typically ends in a return instruction; a sequence of gadgets executed one after another is called an ROP chain.
According to an embodiment of the application, a method for detecting malicious data is provided.
Fig. 1 is a flowchart of a malicious data detection method according to an embodiment of the present application. As shown in fig. 1, the method comprises the steps of:
step S101, in a sandbox system, structure information of target data is obtained, wherein the structure information at least comprises a stack top pointer pointing to the target data.
Specifically, the stack of the monitored process temporarily holds the data and return addresses to be examined; the method obtains the stack-top pointer, which marks the position at which data is pushed onto or popped from the stack, and examines the data to be detected around it.
Optionally, in the method for detecting malicious data provided in the embodiment of the present application, before obtaining the structure information of the target data, the method further includes: receiving data to be detected; determining a stack top pointer of data to be detected; acquiring first preset byte data from the position of a stack top pointer according to a target interface, wherein the first preset byte data is obtained by intercepting data to be detected; and taking the data of the first preset byte as target data.
Specifically, fig. 2 is the flowchart of reading stack data in the malicious data detection method of this embodiment. As shown in fig. 2, once the monitor has been started in the sandbox system and the target process calls the target API, the monitor reads M bytes of data (the first preset bytes in the present application) before and after the stack-top pointer at that moment and takes those M bytes as the target data. Running the monitor inside the sandbox improves malicious data detection efficiency and reduces the detection overhead of the system.
Step S102, judging whether a target attack pointer exists in the structural information, wherein the target attack pointer is a pointer pointing to malicious data.
For example, before judging whether a target attack pointer exists in the structural information, the M bytes read before and after the stack-top pointer are divided into groups, and the groups are traversed.
Optionally, in the method for detecting malicious data provided in the embodiment of the present application, before determining whether the target attack pointer exists in the structure information, the method further includes: grouping the data of the first preset bytes to obtain a plurality of data of second preset bytes, wherein the first preset bytes are larger than the second preset bytes; and traversing the structural information of the data of each second preset byte to obtain a traversal result.
Specifically, as shown in fig. 3, the M bytes are grouped four bytes at a time (each 4-byte group corresponding to the second preset bytes in the present application, that is, one 32-bit pointer), giving several groups, and each group is traversed to obtain a traversal result. Dividing the acquired target data into groups for traversal improves malicious data detection efficiency.
Optionally, in the method for detecting malicious data provided in the embodiment of the present application, determining whether a target attack pointer exists in the structure information includes: if the traversal result indicates that a target system pointer exists in the structural information, storing the target system pointer; judging whether the target system pointer is a pointer pointing to a preset assembly instruction, wherein the preset assembly instruction is an execution code of malicious data; if the target system pointer is a pointer pointing to a preset assembly instruction, determining that the target system pointer is a secondary pointer pointing to malicious data; and under the condition that the target system pointer is a secondary pointer pointing to malicious data, determining that a target attack pointer exists in the structural information.
It should be noted that an ROP attack generally chooses a "stable" system DLL, meaning one whose load address is the same every time it is loaded and which resides in system-managed memory space, for example msvcr71.dll as shipped with Office versions before Office 2010; "stable" gadgets are then selected from that "stable" DLL. As shown in fig. 4, if a system DLL pointer (the target system pointer in the present application) is found on the stack, it is checked whether that pointer points to a preset assembly instruction; if it does, a gadget pointer (the target attack pointer in the present application) exists in the structural information. Searching for target attack pointers by way of target system pointers further improves malicious data detection efficiency.
Step S103, if a target attack pointer exists in the structural information, acquiring the number of target attack pointers.
Specifically, as shown in fig. 4, whether a DLL pointer points to a preset assembly instruction may also be decided against the gadgets commonly used in ROP attacks, which identifies the target attack pointers in the structural information; the stored system DLL pointers are then traversed and every one found to be a gadget pointer is counted, giving the number of gadget pointers.
Step S104, determining from that number that the target data is malicious.
Optionally, in the method for detecting malicious data provided in the embodiment of the present application, determining that the target data is the malicious data according to the quantity information includes: judging whether the quantity information of the target attack pointers is larger than a target threshold value; and if the quantity information of the target attack pointers is larger than the target threshold value, determining that the target data is malicious data.
Specifically, as shown in fig. 4, if the number of gadget pointers exceeds the target threshold, the target data is determined to be malicious and an attack is present; if it does not exceed the threshold, the target data is determined to carry no attack. Deciding on the number of gadget pointers further improves malicious data detection efficiency.
Optionally, in the method for detecting malicious data provided in the embodiment of the present application, after determining that the target data is malicious data according to the quantity information, the method further includes: marking the target data to obtain marked data; and outputting the marked data.
Specifically, when the number of gadget pointers exceeds the threshold, the target data is marked as exhibiting ROP attack behaviour and the ROP attack information is output; marking the malicious data in this way allows it to be tracked.
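The following C program is an added example, not code from the patent or from Hillstone Networks: it implements the procedure of steps S101 to S104 and figs. 2 to 4 above, and thereby the summary method given in the Disclosure of Invention, on a constructed stack window. The window is split into 4-byte little-endian words, each word is checked against a table of "stable" system module address ranges, the bytes at a matching address are compared with a small set of preset gadget-shaped instruction sequences, and the number of matching words is compared with a threshold. The module base address 0x7C340000, its 16-byte code image, the gadget patterns, the two stack windows and the threshold of 3 are all assumptions made for this example; the patent fixes none of these values, and the names find_module, is_gadget, count_gadget_pointers and is_rop_attack are the example's own, not the patent's.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: scan a captured stack window for ROP gadget pointers.  The module
 * base, its code image, the gadget patterns, the windows and the threshold are all
 * constructed for illustration; the patent specifies none of them. */
typedef struct {
    uint32_t       base;   /* assumed fixed load address of a "stable" system DLL */
    const uint8_t *code;   /* constructed code bytes of that DLL */
    size_t         size;
} module_t;

/* Constructed 16-byte "DLL" image: a function prologue, a few gadget shapes, an epilogue. */
static const uint8_t dll_image[] = {
    0x55, 0x8B, 0xEC,                    /* +0:  push ebp; mov ebp,esp  (not a gadget) */
    0x5E, 0x5D, 0xC3,                    /* +3:  pop esi; pop ebp; ret                */
    0x94, 0xC3,                          /* +6:  xchg eax,esp; ret  (stack pivot)     */
    0x58, 0xC3,                          /* +8:  pop eax; ret                         */
    0x8B, 0x45, 0x08, 0xC2, 0x04, 0x00   /* +10: mov eax,[ebp+8]  +13: ret 4          */
};
static const module_t modules[] = { { 0x7C340000u, dll_image, sizeof dll_image } };
#define COUNT(a) (sizeof (a) / sizeof (a)[0])

/* Fig. 4, first test: is the stack word an address inside a known system DLL? */
const module_t *find_module(uint32_t ptr)
{
    for (size_t i = 0; i < COUNT(modules); i++)
        if (ptr >= modules[i].base && ptr - modules[i].base < modules[i].size)
            return &modules[i];
    return NULL;
}
static int is_pop_r32(uint8_t op) { return op >= 0x58 && op <= 0x5F; }

/* Fig. 4, second test: do the bytes at that address form a preset gadget?  Patterns:
 * ret | ret imm16 | pop r32; ret | pop r32; pop r32; ret | xchg eax,esp; ret.
 * A production detector would disassemble rather than match raw opcodes. */
int is_gadget(const module_t *m, uint32_t ptr)
{
    size_t off = ptr - m->base, left = m->size - off;   /* find_module ensured off < size */
    const uint8_t *b = m->code + off;
    if (b[0] == 0xC3 || b[0] == 0xC2) return 1;
    if (left >= 2 && b[1] == 0xC3 && (is_pop_r32(b[0]) || b[0] == 0x94)) return 1;
    return left >= 3 && b[2] == 0xC3 && is_pop_r32(b[0]) && is_pop_r32(b[1]);
}

/* Steps S102/S103: split the M-byte window into 4-byte little-endian groups (one
 * 32-bit pointer each) and count the groups that point at a gadget. */
size_t count_gadget_pointers(const uint8_t *window, size_t len)
{
    size_t count = 0;
    for (size_t i = 0; i + 4 <= len; i += 4) {
        uint32_t word = (uint32_t)window[i] | (uint32_t)window[i + 1] << 8 |
                        (uint32_t)window[i + 2] << 16 | (uint32_t)window[i + 3] << 24;
        const module_t *m = find_module(word);
        if (m != NULL && is_gadget(m, word))
            count++;
    }
    return count;
}

/* Step S104: the window is malicious when the count exceeds the threshold. */
int is_rop_attack(const uint8_t *window, size_t len, size_t threshold)
{
    return count_gadget_pointers(window, len) > threshold;
}

/* Lay up to 16 32-bit words out as x86 stack bytes in a 64-byte buffer. */
static size_t pack_words(uint8_t out[64], const uint32_t *words, size_t n)
{
    if (n > 16) n = 16;
    for (size_t i = 0; i < n; i++)
        for (int k = 0; k < 4; k++)
            out[4 * i + k] = (uint8_t)(words[i] >> (8 * k));
    return 4 * n;
}
size_t words_gadget_count(const uint32_t *words, size_t n)
{
    uint8_t win[64];
    return count_gadget_pointers(win, pack_words(win, words, n));
}
int words_are_rop(const uint32_t *words, size_t n, size_t threshold)
{
    uint8_t win[64];
    return is_rop_attack(win, pack_words(win, words, n), threshold);
}

/* Constructed windows: a benign frame (stack address, local, ordinary return address
 * into the DLL, junk) and an ROP chain of gadget addresses with a padding word. */
static const uint32_t benign_words[] = {
    0x0012FF80u, 0x00000001u, 0x7C340000u, 0x7C34000Au, 0x41414141u };
static const uint32_t rop_words[] = {
    0x7C340003u, 0x7C340006u, 0x7C340008u, 0x41414141u,
    0x7C340005u, 0x7C34000Du, 0x0012FF80u, 0x7C340004u };

int main(void)
{
    const uint32_t *w[] = { benign_words, rop_words };
    size_t n[] = { COUNT(benign_words), COUNT(rop_words) };
    for (int i = 0; i < 2; i++)
        printf("window %d: %zu gadget pointers, rop=%d\n", i,
               words_gadget_count(w[i], n[i]), words_are_rop(w[i], n[i], 3));
    return 0;
}
```

Compile with any C99 compiler (for example cc -std=c99 -Wall rop_scan.c) and run: the benign window yields 0 gadget pointers and the chain yields 6, so only the chain exceeds the threshold of 3. In a real monitor the window would be read from the target process at the stack-top pointer when the hooked target API is entered, the module table would come from the process's loaded-module list, and the gadget test would disassemble at the address instead of matching raw opcodes. The second test matters because ordinary return addresses also point into system DLLs (the benign window contains two), and the threshold absorbs an occasional coincidental match; a 64-bit target would need 8-byte groups.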
Fig. 5 is a schematic structural diagram of a sandbox system of the method for detecting malicious data according to the embodiment of the present application, and as shown in fig. 5, in the sandbox system, a sample (data) to be detected is received, a target process is monitored by using a plurality of monitors, and a detection report for the target data is generated after a detection result is processed.
In summary, the malicious data detection method of this embodiment acquires, in a sandbox system, structural information of target data, the structural information comprising at least a stack-top pointer pointing to the target data; judges whether a target attack pointer, that is, a pointer pointing to malicious data, exists in the structural information; if it does, acquires the number of target attack pointers; and determines from that number that the target data is malicious. This solves the problem of low malicious data detection efficiency in the related art: by counting the target attack pointers in the sandbox system and deciding from that count whether the target data is malicious, detection efficiency is improved.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is illustrated in the flowcharts, in some cases, the steps illustrated or described may be performed in an order different than presented herein.
The embodiment of the present application further provides a device for detecting malicious data, and it should be noted that the device for detecting malicious data according to the embodiment of the present application may be used to execute the method for detecting malicious data according to the embodiment of the present application. The following introduces a malicious data detection apparatus provided in an embodiment of the present application.
Fig. 6 is a schematic diagram of a malicious data detection apparatus according to an embodiment of the present application. As shown in fig. 6, the apparatus includes: a first acquisition unit 601, a judgment unit 602, a second acquisition unit 603, and a first determination unit 604.
Specifically, the first obtaining unit 601 is configured to obtain structure information of the target data in the sandbox system, where the structure information at least includes a top pointer pointing to the target data;
a determining unit 602, configured to determine whether a target attack pointer exists in the structure information, where the target attack pointer is a pointer pointing to malicious data;
a second obtaining unit 603, configured to obtain quantity information of the target attack pointers if the structure information includes the target attack pointers;
a first determining unit 604, configured to determine that the target data is malicious data according to the quantity information.
To sum up, in the malicious data detection apparatus of this embodiment, the first acquisition unit 601 acquires, in the sandbox system, the structural information of the target data, the structural information comprising at least a stack-top pointer pointing to the target data; the judging unit 602 judges whether a target attack pointer, that is, a pointer pointing to malicious data, exists in the structural information; the second acquisition unit 603 acquires the number of target attack pointers if any exist in the structural information; and the first determining unit 604 determines from that number that the target data is malicious. This solves the problem of low malicious data detection efficiency in the related art: by counting the target attack pointers in the sandbox system and deciding from that count whether the target data is malicious, detection efficiency is improved.
Optionally, in the malicious data detection apparatus of this embodiment, the apparatus further comprises: a receiving unit for receiving the data to be detected before the structural information of the target data is acquired; a second determining unit for determining the stack-top pointer of the data to be detected; a third acquisition unit for reading, through the target interface, a first preset number of bytes starting at the position of the stack-top pointer, these bytes being intercepted from the data to be detected; and a third determining unit for taking those bytes as the target data.
Optionally, in the apparatus for detecting malicious data provided in the embodiment of the present application, the apparatus further includes: the grouping unit is used for grouping the data of the first preset byte before judging whether the target attack pointer exists in the structural information to obtain a plurality of data of the second preset byte, wherein the first preset byte is larger than the second preset byte; and the traversing unit is used for traversing the structural information of the data of each second preset byte to obtain a traversing result.
Optionally, in the apparatus for detecting malicious data provided in the embodiment of the present application, the determining unit 602 includes: the storage module is used for storing the target system pointer if the traversal result indicates that the target system pointer exists in the structural information; the first judgment module is used for judging whether the target system pointer is a pointer pointing to a preset assembly instruction, wherein the preset assembly instruction is an execution code of malicious data; the first determining module is used for determining that the target system pointer is a secondary pointer pointing to malicious data if the target system pointer is a pointer pointing to a preset assembly instruction; and the second determining module is used for determining that a target attack pointer exists in the structural information under the condition that the target system pointer is a secondary pointer pointing to the malicious data.
Optionally, in the apparatus for detecting malicious data provided in the embodiment of the present application, the first determining unit 604 includes: the second judgment module is used for judging whether the quantity information of the target attack pointers is larger than a target threshold value or not; and the third determining module is used for determining the target data as malicious data if the quantity information of the target attack pointers is greater than the target threshold value.
Optionally, in the apparatus for detecting malicious data provided in the embodiment of the present application, the apparatus further includes: the marking unit is used for marking the target data after the target data are determined to be malicious data according to the quantity information to obtain marked data; and the output unit is used for outputting the marked data.
The detection device for malicious data comprises a processor and a memory, wherein the first acquisition unit 601, the judgment unit 602, the second acquisition unit 603, the first determination unit 604 and the like are stored in the memory as program units, and the processor executes the program units stored in the memory to realize corresponding functions.
The processor contains one or more cores, and a core fetches the corresponding program unit from the memory; malicious data detection is carried out by adjusting the parameters of these cores.
The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or non-volatile memory such as read-only memory (ROM) or flash memory, and includes at least one memory chip.
An embodiment of the present invention provides a storage medium on which a program is stored, where the program implements a method for detecting malicious data when executed by a processor.
The embodiment of the invention provides a processor, which is used for running a program, wherein the detection method of malicious data is executed when the program runs.
The embodiment of the invention provides equipment, which comprises a processor, a memory and a program which is stored on the memory and can run on the processor, wherein the processor executes the program and realizes the following steps: in a sandbox system, acquiring structural information of target data, wherein the structural information at least comprises a stack top pointer pointing to the target data; judging whether a target attack pointer exists in the structural information, wherein the target attack pointer is a pointer pointing to malicious data; if the structural information contains a target attack pointer, acquiring the quantity information of the target attack pointer; and determining that the target data are malicious data according to the quantity information.
When executing the program, the processor further realizes the following steps: before acquiring the structural information of the target data, receiving the data to be detected; determining the stack-top pointer for the data to be detected; reading, through a target interface, a first preset number of bytes starting at the position of the stack-top pointer, these bytes being intercepted from the data to be detected; and taking those bytes as the target data.
When executing the program, the processor further realizes the following steps: before judging whether a target attack pointer exists in the structural information, dividing the first preset bytes into several groups of a second preset number of bytes, the first preset number being larger than the second; and traversing the structural information of each group to obtain a traversal result.
When executing the program, the processor further realizes the following steps: if the traversal result indicates that a target system pointer exists in the structural information, storing the target system pointer; judging whether the target system pointer points to a preset assembly instruction, the preset assembly instruction being code that malicious data executes; if it does, determining that the target system pointer is a secondary pointer pointing to malicious data; and in that case, determining that a target attack pointer exists in the structural information.
The processor executes the program and further realizes the following steps: judging whether the quantity information of the target attack pointers is larger than a target threshold value; and if the quantity information of the target attack pointers is larger than the target threshold value, determining that the target data is malicious data.
The processor executes the program and further realizes the following steps: after determining that the target data are malicious data according to the quantity information, marking the target data to obtain marked data; and outputting the marked data.
The device herein may be a server, a PC, a PAD, a mobile phone, etc.
The present application further provides a computer program product which, when executed on a data processing device, is adapted to perform a program that initializes the following method steps: in a sandbox system, acquiring structural information of target data, wherein the structural information at least comprises a stack top pointer pointing to the target data; judging whether a target attack pointer exists in the structural information, wherein the target attack pointer is a pointer pointing to malicious data; if the structural information contains a target attack pointer, acquiring the quantity information of the target attack pointer; and determining that the target data are malicious data according to the quantity information.
When executed on a data processing device, the computer program product is further adapted to perform a program that initializes the following method steps: receiving data to be detected before acquiring structural information of target data; determining a stack top pointer of the data to be detected; acquiring first preset byte data from the position of the stack top pointer according to a target interface, wherein the first preset byte data is obtained by intercepting the data to be detected; and taking the data of the first preset byte as target data.
When executed on a data processing device, the computer program product is further adapted to perform a program that initializes the following method steps: before judging whether a target attack pointer exists in the structural information, grouping the data of the first preset byte to obtain a plurality of data of a second preset byte, wherein the first preset byte is larger than the second preset byte; and traversing the structural information of the data of each second preset byte to obtain a traversal result.
When executed on a data processing device, the computer program product is further adapted to perform a program that initializes the following method steps: if the traversal result indicates that a target system pointer exists in the structural information, storing the target system pointer; judging whether the target system pointer is a pointer pointing to a preset assembly instruction, wherein the preset assembly instruction is an execution code of malicious data; if the target system pointer is a pointer pointing to a preset assembly instruction, determining that the target system pointer is a secondary pointer pointing to malicious data; and under the condition that the target system pointer is a secondary pointer pointing to malicious data, determining that a target attack pointer exists in the structural information.
When executed on a data processing device, the computer program product is further adapted to perform a program that initializes the following method steps: judging whether the quantity information of the target attack pointers is larger than a target threshold value; and if the quantity information of the target attack pointers is larger than the target threshold value, determining that the target data is malicious data.
When executed on a data processing device, the computer program product is further adapted to perform a program that initializes the following method steps: after determining that the target data are malicious data according to the quantity information, marking the target data to obtain marked data; and outputting the marked data.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (10)

1. A method for detecting malicious data, comprising:
in a sandbox system, acquiring structural information of target data, wherein the structural information at least comprises a stack top pointer pointing to the target data;
judging whether a target attack pointer exists in the structural information, wherein the target attack pointer is a pointer pointing to malicious data;
if the structural information contains a target attack pointer, acquiring the quantity information of the target attack pointer;
and determining that the target data are malicious data according to the quantity information.
2. The method of claim 1, wherein prior to obtaining structural information of the target data, the method further comprises:
receiving data to be detected;
determining a stack top pointer of data to be detected;
acquiring first preset byte data from the position of the stack top pointer according to a target interface, wherein the first preset byte data is obtained by intercepting the data to be detected;
and taking the data of the first preset byte as the target data.
3. The method of claim 2, wherein before determining whether a target attack pointer exists in the structure information, the method further comprises:
grouping the data of the first preset bytes to obtain a plurality of data of second preset bytes, wherein the first preset bytes are larger than the second preset bytes;
and traversing the structural information of the data of each second preset byte to obtain a traversal result.
4. The method of claim 3, wherein determining whether a target attack pointer exists in the structure information comprises:
if the traversal result indicates that a target system pointer exists in the structural information, storing the target system pointer;
judging whether the target system pointer is a pointer pointing to a preset assembly instruction or not, wherein the preset assembly instruction is an execution code of the malicious data;
if the target system pointer is a pointer pointing to a preset assembly instruction, determining that the target system pointer is a secondary pointer pointing to malicious data;
and under the condition that the target system pointer is a secondary pointer pointing to malicious data, determining that a target attack pointer exists in the structural information.
5. The method of claim 1, wherein determining that the target data is malicious data according to the quantity information comprises:
judging whether the quantity information of the target attack pointers is larger than a target threshold value;
and if the quantity information of the target attack pointers is larger than the target threshold value, determining that the target data is malicious data.
6. The method of claim 1, wherein after determining that the target data is malicious data according to the quantity information, the method further comprises:
marking the target data to obtain marked data;
and outputting the marked data.
7. An apparatus for detecting malicious data, comprising:
a first acquisition unit, configured to acquire the structure information of target data in a sandbox system, wherein the structure information at least comprises a stack top pointer pointing to the target data;
the judging unit is used for judging whether a target attack pointer exists in the structural information, wherein the target attack pointer is a pointer pointing to malicious data;
a second obtaining unit, configured to obtain quantity information of the target attack pointers if the structure information includes the target attack pointers;
and the first determining unit is used for determining the target data as malicious data according to the quantity information.
8. The apparatus of claim 7, further comprising:
the receiving unit is used for receiving the data to be detected before the structural information of the target data is acquired;
the second determining unit is used for determining a stack top pointer of the data to be detected;
a third obtaining unit, configured to obtain, according to a target interface, data of a first preset byte from the position of the stack top pointer, where the data of the first preset byte is obtained by intercepting the data to be detected;
and the third determining unit is used for taking the data of the first preset byte as the target data.
9. A processor, configured to execute a program, wherein the program executes the method for detecting malicious data according to any one of claims 1 to 6.
10. A computer-readable storage medium, characterized in that the storage medium comprises a stored program, wherein the program performs the method of detecting malicious data according to any one of claims 1 to 6.
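The detection flow set out in the device steps above and in claims 1 to 6, written out as an added Python sketch; this is not the patent's or Hillstone's code. The page does not name the "preset assembly instruction", so the sketch assumes it is an x86-64 `ret` byte (0xC3) within a few bytes of the pointed-to address, models the sandbox stack and one executable mapping as constructed byte strings, and uses constructed values for the first preset byte (64), the second preset byte (8, one pointer) and the target threshold (3).

```python
import struct
from dataclasses import dataclass

WORD = 8                    # "second preset byte": one 64-bit pointer per group (assumed)
FIRST_PRESET = 64           # "first preset byte": bytes cut from the stack top (assumed)
GADGET_WINDOW = 3           # bytes inspected at the pointed-to address (assumed)
PRESET_INSTRUCTION = 0xC3   # constructed stand-in for the page's "preset assembly instruction"

@dataclass
class CodeRegion:
    """One executable mapping of the sandboxed process (constructed)."""
    base: int
    code: bytes
    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + len(self.code)

def intercept_target_data(data: bytes, stack_top: int) -> bytes:
    """Claim 2: cut FIRST_PRESET bytes starting at the stack top pointer."""
    return data[stack_top:stack_top + FIRST_PRESET]

def group_words(target: bytes) -> list:
    """Claim 3: split the target data into WORD-sized groups (little-endian)."""
    return [struct.unpack_from("<Q", target, i)[0]
            for i in range(0, len(target) - len(target) % WORD, WORD)]

def is_system_pointer(value: int, regions) -> bool:
    """Claim 4, first test: the value lands inside a mapped code region."""
    return any(r.contains(value) for r in regions)

def points_to_preset_instruction(addr: int, regions) -> bool:
    """Claim 4, secondary test: the bytes at addr contain the preset instruction."""
    for r in regions:
        if r.contains(addr):
            off = addr - r.base
            return PRESET_INSTRUCTION in r.code[off:off + GADGET_WINDOW]
    return False

def detect(data: bytes, stack_top: int, regions, threshold: int) -> dict:
    """Claims 1 and 5: count target attack pointers; flag only when above threshold."""
    attack = [w for w in group_words(intercept_target_data(data, stack_top))
              if is_system_pointer(w, regions) and points_to_preset_instruction(w, regions)]
    return {"malicious": len(attack) > threshold,
            "attack_pointer_count": len(attack), "attack_pointers": attack}

# ---- constructed sample input: one code mapping and two stack snapshots ----
BASE = 0x7F0000001000
REGIONS = [CodeRegion(BASE, bytes([
    0x55, 0x48, 0x89, 0xE5,     # offset 0: push rbp; mov rbp, rsp
    *([0x90] * 8),              # offsets 4-11: nops; a pointer here is NOT an attack pointer
    0x5F, 0xC3,                 # offset 12: pop rdi; ret
    0x5E, 0xC3,                 # offset 14: pop rsi; ret
    *([0x90] * 8),              # offsets 16-23: nops
    0xC3,                       # offset 24: ret
]))]

def build_stack(words) -> bytes:
    """16 bytes of unrelated prefix, the words, then 8 trailing bytes beyond the cut."""
    return b"\x00" * 16 + b"".join(struct.pack("<Q", w) for w in words) + b"\xff" * 8

SUSPECT_WORDS = [1, BASE + 4, BASE + 12, 0x4141414141414141,
                 BASE + 14, BASE + 24, 0x7F0000009000, BASE + 12]   # 4 attack pointers
BENIGN_WORDS = [0, 7, BASE + 4, 0x7F0000009000, 3, BASE + 1, 0, 0]  # code pointers, no gadgets

VERDICT = detect(build_stack(SUSPECT_WORDS), 16, REGIONS, threshold=3)  # malicious, count 4
```

Pointers into the nop sled and the heap-like address count as system pointers or plain values but never as attack pointers, which is what keeps the benign snapshot below the threshold.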
CN202111502059.7A 2021-12-09 2021-12-09 Malicious data detection method and device, storage medium and processor Pending CN114297630A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111502059.7A CN114297630A (en) 2021-12-09 2021-12-09 Malicious data detection method and device, storage medium and processor

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111502059.7A CN114297630A (en) 2021-12-09 2021-12-09 Malicious data detection method and device, storage medium and processor

Publications (1)

Publication Number Publication Date
CN114297630A true CN114297630A (en) 2022-04-08

Family

ID=80967810

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111502059.7A Pending CN114297630A (en) 2021-12-09 2021-12-09 Malicious data detection method and device, storage medium and processor

Country Status (1)

Country Link
CN (1) CN114297630A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114880665A (en) * 2022-05-12 2022-08-09 电子科技大学 Intelligent detection method and device for return programming attack

Similar Documents

Publication Publication Date Title
US11366908B2 (en) Detecting unknown software vulnerabilities and system compromises
KR102534334B1 (en) Detection of software attacks on processes in computing devices
US8397048B2 (en) Memory leak detection during dynamic memory allocation
US10216934B2 (en) Inferential exploit attempt detection
US20170103206A1 (en) Method and apparatus for capturing operation in a container-based virtualization system
US11443032B2 (en) Stack pivot exploit detection and mitigation
CN114676424B (en) Container escape detection and blocking method, device, equipment and storage medium
KR102045772B1 (en) Electronic system and method for detecting malicious code
CN111931185A (en) Java anti-serialization vulnerability detection method and component
CN109933986B (en) Malicious code detection method and device
CN114297630A (en) Malicious data detection method and device, storage medium and processor
US9965618B1 (en) Reducing privileges for imported software packages
US9646157B1 (en) Systems and methods for identifying repackaged files
CN114826793B (en) ROP chain detection method, device and medium
CN114021115A (en) Malicious application detection method and device, storage medium and processor
US10809924B2 (en) Executable memory protection
US10019572B1 (en) Detecting malicious activities by imported software packages
US11170112B2 (en) Exploit detection via induced exceptions
CN113821193B (en) Information generation method, device and storage medium
CN113923002B (en) Computer network intrusion prevention method, device, storage medium and processor
US10198342B1 (en) Advanced binary instrumentation for debugging and performance enhancement
CN116668177A (en) Network attack end identification method and device, processor and electronic equipment
CN114003902A (en) Network vulnerability detection method and device, storage medium and electronic equipment
CN116975869A (en) Attack defense method and device based on address processing, electronic equipment and medium
CN115756933A (en) Privacy interface call detection method and device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination