CN114338102A - Security detection method and device, electronic equipment and storage medium - Google Patents

Publication number: CN114338102A (granted as CN114338102B)
Application number: CN202111529078.9A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 张道林, 尹百东, 杨飞
Original and current assignee: Beijing Antiy Network Technology Co Ltd
Legal status: Granted, active
Prior art keywords: rule, detected, rules, detection result, detection
Classification: Storage Device Security
Abstract

The embodiment of the invention discloses a security detection method and device, electronic equipment and a storage medium, and relates to the technical field of computer security. The security detection method comprises the following steps: obtaining an object to be detected and a plurality of rule models required for security detection of the object to be detected; splitting the rule models to obtain the plurality of rules contained in the rule models; detecting the object to be detected by using the plurality of rules to obtain a detection result for each rule; and obtaining the detection result corresponding to each rule model according to the detection results of the rules. The embodiment of the invention has low computational resource occupation and high detection efficiency, and is particularly suitable for detection scenarios with a large data volume.

Description

Security detection method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of computer security technologies, and in particular, to a security detection method and apparatus, an electronic device, and a storage medium.
Background
In the field of network security, detection of threats and abnormal behaviours is usually based on a rule detection model. A conventional rule detection model is usually matched asynchronously against a plurality of rule models (rule sets), each rule model being composed of a plurality of rules (judgment conditions). The rule models are relatively independent: each rule model is used as a detection unit and performs its detection separately, and finally the detection results are collected together and analysed comprehensively to give a detection conclusion. However, the conventional security detection method based on the rule detection model has high computational resource occupation and low detection efficiency, because a large amount of inefficient computation occurs when several rule models contain repeated rules, or when rules are hit in large numbers while the rule models containing them may not be hit. Moreover, when a rule is modified, added or deleted, all historical data needs to be detected again, so the method is difficult to apply to current detection scenarios with a large data volume.
Disclosure of Invention
In view of this, embodiments of the present invention provide a security detection method, an apparatus, an electronic device, and a storage medium with low computational resource occupancy and high detection efficiency.
In a first aspect, an embodiment of the present invention provides a security detection method, including:
obtaining an object to be detected and a plurality of rule models required for security detection of the object to be detected;
splitting the rule models to obtain a plurality of rules contained in the rule models;
detecting the object to be detected by using the plurality of rules to obtain a detection result of each rule;
and obtaining a detection result corresponding to each rule model according to the detection result of each rule.
With reference to the first aspect, in an implementation manner of the first aspect, the acquiring an object to be detected and a plurality of rule models required for performing security detection on the object to be detected includes:
acquiring the type of an object to be detected;
and acquiring a plurality of rule models required for safety detection of the object to be detected according to the type.
With reference to the first aspect, in another implementation manner of the first aspect, the detecting the object to be detected by using the multiple rules to obtain a detection result of each rule includes:
traversing the plurality of rules, judging whether the object to be detected is detected by using the rule with the exclusive relation with the current rule according to a pre-stored rule exclusive relation table, if so, skipping the current rule, and if not, detecting the object to be detected by using the current rule to obtain a detection result of the current rule.
With reference to the first aspect, in a further implementation manner of the first aspect, skipping the current rule if yes includes:
acquiring the known detection result obtained by detecting the object to be detected with the rule that has a mutual exclusion relation with the current rule;
and setting the detection result of the current rule to the opposite of that known detection result.
With reference to the first aspect, in a further implementation manner of the first aspect, the detecting the object to be detected by using the multiple rules to obtain a detection result of each rule includes:
arranging rules needing to depend on other rule detection results behind the depended rules according to a pre-stored rule dependency relation table;
traversing the rules in sequence, judging whether the depended rules of the current rules hit or not, if so, detecting the object to be detected by using the current rules to obtain the detection result of the current rules, and if not, skipping the current rules.
With reference to the first aspect, in a further implementation manner of the first aspect, the obtaining, according to the detection result of each rule, a detection result corresponding to each rule model includes:
for each rule model, sequentially combining detection results of a plurality of rules contained in the rule model, and performing hash operation on the combined result to obtain a hash value;
and judging whether the hash value is equal to a preset hash value or not, and if so, indicating that the rule model is hit.
In a second aspect, an embodiment of the present invention provides a security detection apparatus, including:
a first acquisition module, configured to acquire an object to be detected and a plurality of rule models required for security detection of the object to be detected;
the splitting module is used for splitting the rule models to obtain a plurality of rules contained in the rule models;
the detection module is used for detecting the object to be detected by utilizing the plurality of rules to obtain a detection result of each rule;
and the second acquisition module is used for acquiring the detection result corresponding to each rule model according to the detection result of each rule.
With reference to the second aspect, in an implementation manner of the second aspect, the first obtaining module includes:
the first acquisition unit is used for acquiring the type of the object to be detected;
and the second acquisition unit is used for acquiring a plurality of rule models required by the safety detection of the object to be detected according to the type.
With reference to the second aspect, in another embodiment of the second aspect, the detection module includes:
and a first traversal unit, configured to traverse the plurality of rules and, according to a pre-stored rule mutual exclusion relation table, judge whether the object to be detected has already been detected by a rule having a mutual exclusion relation with the current rule; if so, skip the current rule, and if not, detect the object to be detected with the current rule to obtain the detection result of the current rule.
With reference to the second aspect, in a further embodiment of the second aspect, the first traversal unit includes:
an acquisition subunit, configured to acquire the known detection result obtained by detecting the object to be detected with the rule that has a mutual exclusion relationship with the current rule;
and a setting subunit, configured to set the detection result of the current rule to the opposite of that known detection result.
With reference to the second aspect, in a further embodiment of the second aspect, the detection module includes:
the sorting unit is used for arranging the rules needing to depend on other rule detection results behind the depended rules according to a pre-stored rule dependency relationship table;
and the second traversal unit is used for traversing the plurality of rules in sequence and judging whether the depended rules of the current rule hit or not, if so, detecting the object to be detected by using the current rule to obtain the detection result of the current rule, and if not, skipping the current rule.
With reference to the second aspect, in a further implementation manner of the second aspect, the second obtaining module includes:
the combination unit is used for sequentially combining the detection results of a plurality of rules contained in each rule model and carrying out hash operation on the combined result to obtain a hash value;
and the judging unit is used for judging whether the hash value is equal to a preset hash value or not, and if so, the rule model is hit.
In a third aspect, an embodiment of the present invention provides an electronic device, where the electronic device includes: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space enclosed by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory, for performing any of the methods described above.
In a fourth aspect, embodiments of the present invention also provide a computer-readable storage medium storing one or more programs, which are executable by one or more processors to implement any of the methods described above.
According to the security detection method, the security detection apparatus, the electronic device and the storage medium of the embodiments of the present invention, an object to be detected and the plurality of rule models required for its security detection are first obtained; the rule models are then split to obtain the plurality of rules they contain; the rules are then used to detect the object to be detected, obtaining a detection result for each rule; and finally the detection result corresponding to each rule model is obtained from the detection results of the rules. The embodiment of the invention therefore uses the rule (judgment condition) as the minimum detection unit, rather than the rule model (rule group) as in the prior art. When several rule models contain repeated rules, or when rules are hit in large numbers while their rule models may not be hit, the problem that the same rule has to be detected multiple times across the rule models is avoided: the embodiment of the invention detects each rule only once, effectively avoiding a large amount of inefficient computation. When rules are modified, added or deleted, the rule models do not all need to be detected again; only the specific changed rules need to be re-detected. The embodiment of the invention therefore has low computational resource occupation and high detection efficiency, solves the resource occupation and efficiency problems caused by excessive rule models or frequent rule modification in the conventional method, and is particularly suitable for detection scenarios with a large data volume.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a schematic flow chart of an embodiment of a security detection method of the present invention;
FIG. 2 is a schematic structural diagram of an embodiment of a security detection apparatus according to the present invention;
FIG. 3 is a schematic structural diagram of an embodiment of an electronic device according to the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In one aspect, an embodiment of the present invention provides a security detection method, as shown in fig. 1, the method of this embodiment may include:
step 101: obtaining an object to be detected and a plurality of rule models required for security detection of the object to be detected;
as an optional embodiment, the obtaining an object to be detected and a plurality of rule models required for performing security detection on the object to be detected (step 101) may include:
step 1011: acquiring the type of an object to be detected;
in this step, the types of the object to be detected include, but are not limited to, a file, a software code, a behavior action (such as reading and writing a memory, reading and writing a file, accessing a network, accessing a local machine), and the like.
Step 1012: and acquiring a plurality of rule models required for safety detection of the object to be detected according to the type.
In this step, a plurality of required rule models are screened from the existing rule detection models/rule engines according to different types of the objects to be detected.
Taking the object to be detected as a file as an example, the screened rule models are shown in table 1 below.
TABLE 1
(Table 1 is provided as an image in the original publication and is not reproduced here.)
Table 1 lists 11 rule models for determining the threats present in a file, including: suspicious self-extracting files, suspicious macro documents, ransomware, programs impersonating system programs, suspicious executable files, LPK virus infection, bundled files, etc.
As can be seen from Table 1, each of the rule models of the conventional rule detection model contains several rules/judgment conditions, and the same judgment condition may appear in several rule models (for example, each of the rule models with serial numbers 4-6 and 8-11 in Table 1 needs to judge whether the file format is an executable file). As a result, the same judgment condition has to be detected multiple times across the detection models, so that computational resource occupation is too high and detection efficiency too low. The subsequent steps of the embodiment of the invention effectively solve this problem.
Step 102: splitting the rule models to obtain a plurality of rules contained in the rule models;
In this step, taking the rule model with serial number 1 in Table 1 as an example, two rules are obtained after splitting: the file format is self-extracting, and the number of file names executed on decompression is equal to 2.
Step 103: detecting the object to be detected by using the plurality of rules to obtain a detection result of each rule;
as an optional embodiment, the detecting the object to be detected by using the multiple rules to obtain a detection result of each rule (step 103) may include:
step 1031: traversing the plurality of rules, judging whether the object to be detected is detected by using the rule with the exclusive relation with the current rule according to a pre-stored rule exclusive relation table, if so, skipping the current rule, and if not, detecting the object to be detected by using the current rule to obtain a detection result of the current rule.
In this step, mutual exclusion means that when one rule hits a certain state, the other rule cannot hit; such a rule A and rule B are mutually exclusive rules. Mutual exclusion can arise in a number of cases, for example:
1. the two rules are detection rules for different domains, for example:
rule A. whether it is an executable file;
rule B. whether it is a mail protocol;
2. the results of the two rules hitting are mutually exclusive, for example:
rule A. <file extension> belongs to Montserrat ransomware;
rule B. <file extension> belongs to odveta ransomware;
rule C. <file extension> belongs to limbo ransomware;
rule D. <file extension> belongs to Lazarus ransomware;
Therefore, using the mutual exclusion relationships among the rules, a rule mutual exclusion relation table can be established and stored in advance. When the object to be detected is detected, the rules are optimised using this table (for example, if rules A and B are mutually exclusive and A hits, B cannot hit, so after rule A has been detected there is no need to detect rule B). This saves a large amount of computation, further reducing computational resource occupation and improving detection efficiency.
In the foregoing step 1031, skipping the current rule if yes may include:
step 10311: acquiring the known detection result obtained by detecting the object to be detected with the rule that has a mutual exclusion relation with the current rule;
step 10312: and setting the detection result of the current rule to the opposite of that known detection result.
In the foregoing steps 10311-10312, if the detection result of the rule having the mutual exclusion relationship is known, the detection result of the current rule may be directly set as the opposite detection result without performing detection, so that the computational resource occupation is reduced, and the detection efficiency is improved.
As another optional embodiment, the detecting the object to be detected by using the multiple rules to obtain a detection result of each rule (step 103), may further include:
step 1031': arranging rules needing to depend on other rule detection results behind the depended rules according to a pre-stored rule dependency relation table;
in this step, the dependency means: there is a sequential dependency between two rules, for example:
rule A. whether it is a mail protocol;
rule B. whether the mail has an attachment;
from the above example, it can be seen that rule B depends on rule a, and rule B needs to be executed after rule a hits, and for such cases, this step performs sorting processing on the rules having dependency relationship, that is, the rule (rule B) that needs to depend on other rule detection results is arranged to be executed after the depended rule (rule a).
Step 1032': traversing the rules in sequence, judging whether the depended rules of the current rules hit or not, if so, detecting the object to be detected by using the current rules to obtain the detection result of the current rules, and if not, skipping the current rules.
In this step, if the current rule has no depended rule, the current rule can be normally utilized to detect the object to be detected, and the detection result of the current rule is obtained; if the current rule has a depended rule and the depended rule hits, the current rule detection can be performed, namely, the current rule is used for detecting the object to be detected to obtain the detection result of the current rule; if the current rule has a depended rule but the depended rule is not hit, the current rule detection is not needed, the current rule is skipped, or the detection result of the current rule is directly set as miss.
In steps 1031 '-1032', a rule dependency relationship table may be pre-established and stored by using the dependency relationship between the rules, and when the object to be detected is detected, the rule dependency relationship table is used to optimize the rules, thereby further reducing the occupation of computational resources and improving the detection efficiency.
Step 104: and obtaining a detection result corresponding to each rule model according to the detection result of each rule.
In this step, the detection results of the rules included in each rule model are combined, and the detection result corresponding to each rule model can be obtained.
As an alternative embodiment, the obtaining, according to the detection result of each rule, a detection result corresponding to each rule model (step 104) may include:
step 1041: for each rule model, sequentially combining detection results of a plurality of rules contained in the rule model, and performing hash operation on the combined result to obtain a hash value;
In this step, the detection result may follow a standardised convention, for example: the unique ID of the rule (e.g., aaf8c91cd5) followed by a hit flag 0/1 (0 indicates miss, 1 indicates hit), so that one detection result may be aaf8c91cd50 (the trailing 0 indicates miss). To make the detection results easy to combine, they can be joined with the connector "-". In this step a hash operation is performed on the combined result of the detection results, which avoids the problem that, when many rules are involved, the combined result becomes too long and inconvenient to compare.
Step 1042: and judging whether the hash value is equal to a preset hash value or not, and if so, indicating that the rule model is hit.
In this step, the preset hash value indicates that the rule model hits: it is the hash value obtained by combining the detection results of the rules when all rules in the rule model hit and hashing that combined result. If the computed hash value is not equal to the preset hash value, the rule model is not hit.
In the above steps 1041-1042, the detection result of each rule model can be obtained efficiently, and a detection conclusion can then be given by comprehensive analysis.
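As an added, self-contained illustration of steps 1031 to 1042 (not code from the patent or from its assignee), the following Python evaluates the split rules once each, applies the mutual exclusion and dependency tables, and decides rule-model hits by comparing the hash of the combined results with a preset hash. The rule IDs, rules, models and sample objects are constructed placeholders; SHA-256 as the hash function and the exact hit-flag layout are assumptions.

```python
import hashlib
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample objects to be detected (file metadata as a dict; not from the patent).
SAMPLE_EXE = {"format": "exe", "self_extracting": False, "exec_names": 0, "has_macro": False}
SAMPLE_MACRO_DOC = {"format": "doc", "self_extracting": False, "exec_names": 0, "has_macro": True}

# Rules after splitting (step 102): constructed unique IDs in the patent's style -> judgment condition.
RULES: Dict[str, Callable[[dict], bool]] = {
    "aaf8c91cd5": lambda o: o["self_extracting"],   # file format is self-extracting
    "b13e02f7a9": lambda o: o["exec_names"] == 2,   # two file names executed on decompression
    "c4d91a0e22": lambda o: o["format"] == "exe",   # is an executable file
    "d7a5e3b610": lambda o: o["format"] == "doc",   # is an office document
    "e2f0c8d431": lambda o: o["has_macro"],         # document contains a macro
}

# Pre-stored rule mutual exclusion relation table (step 1031): when one hits, the other cannot.
MUTEX: Set[Tuple[str, str]] = {("c4d91a0e22", "d7a5e3b610")}

# Pre-stored rule dependency relation table (step 1031'): dependent rule -> depended rule.
DEPENDS: Dict[str, str] = {"e2f0c8d431": "d7a5e3b610"}

# Rule models as ordered lists of the rules they contain (constructed, modelled on Table 1).
MODELS: Dict[str, List[str]] = {
    "suspicious_self_extracting": ["aaf8c91cd5", "b13e02f7a9"],
    "suspicious_macro_document": ["d7a5e3b610", "e2f0c8d431"],
    "suspicious_executable": ["c4d91a0e22"],
}


def order_rules(rule_ids: List[str], depends: Dict[str, str]) -> List[str]:
    """Step 1031': place every dependent rule after the rule it depends on (assumes no cycles)."""
    ordered: List[str] = []

    def visit(rid: str) -> None:
        if rid in ordered:
            return
        dep = depends.get(rid)
        if dep is not None:
            visit(dep)
        ordered.append(rid)

    for rid in rule_ids:
        visit(rid)
    return ordered


def mutex_partners(rid: str, mutex: Set[Tuple[str, str]]) -> Set[str]:
    """All rules recorded as mutually exclusive with rid."""
    return {b if a == rid else a for a, b in mutex if rid in (a, b)}


def detect_rules(obj: dict, rules, mutex, depends) -> Tuple[Dict[str, bool], int]:
    """Step 103: evaluate each rule at most once; returns (results, number actually evaluated)."""
    results: Dict[str, bool] = {}
    evaluated = 0
    for rid in order_rules(list(rules), depends):
        # Steps 10311-10312: a mutually exclusive rule already hit, so the current rule gets the
        # opposite result without evaluation. A partner *miss* is deliberately not used as
        # evidence: for domain-type exclusion (executable vs. mail protocol) both rules can miss.
        if any(results.get(p, False) for p in mutex_partners(rid, mutex)):
            results[rid] = False
            continue
        # Step 1032': the depended rule missed, so the current rule is skipped and set to miss.
        dep = depends.get(rid)
        if dep is not None and not results.get(dep, False):
            results[rid] = False
            continue
        results[rid] = bool(rules[rid](obj))
        evaluated += 1
    return results, evaluated


def encode_result(rid: str, hit: bool) -> str:
    """Standardised result: rule ID followed by hit flag, e.g. aaf8c91cd50 for a miss."""
    return f"{rid}{1 if hit else 0}"


def model_hash(rule_ids: List[str], results: Dict[str, bool]) -> str:
    """Step 1041: join the model's results with '-' and hash them (SHA-256 chosen here)."""
    combined = "-".join(encode_result(r, results[r]) for r in rule_ids)
    return hashlib.sha256(combined.encode("utf-8")).hexdigest()


def preset_hash(rule_ids: List[str]) -> str:
    """Hash of the all-hit combination, computed once and stored per model (step 1042)."""
    return model_hash(rule_ids, {r: True for r in rule_ids})


def detect_models(obj: dict, models, rules, mutex, depends) -> Tuple[Dict[str, bool], int]:
    """Step 104: a model hits only when its combined-result hash equals the preset hash."""
    results, evaluated = detect_rules(obj, rules, mutex, depends)
    hits = {name: model_hash(ids, results) == preset_hash(ids) for name, ids in models.items()}
    return hits, evaluated


if __name__ == "__main__":
    for label, obj in (("exe", SAMPLE_EXE), ("macro doc", SAMPLE_MACRO_DOC)):
        hits, evaluated = detect_models(obj, MODELS, RULES, MUTEX, DEPENDS)
        print(label, hits, f"({evaluated} of {len(RULES)} rules evaluated)")
```

For the executable sample only 3 of the 5 rules are actually evaluated: the document rule is inferred from its mutually exclusive partner and the macro rule is skipped because its depended rule missed.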
To sum up, the security detection method provided in the embodiment of the present invention first obtains an object to be detected and the plurality of rule models required for its security detection; then splits the rule models to obtain the plurality of rules they contain; then uses the rules to detect the object to be detected, obtaining a detection result for each rule; and finally obtains the detection result corresponding to each rule model from the detection results of the rules. The embodiment of the invention therefore uses the rule (judgment condition) as the minimum detection unit, rather than the rule model (rule group) as in the prior art. When several rule models contain repeated rules, or when rules are hit in large numbers while their rule models may not be hit, the problem that the same rule has to be detected multiple times across the rule models is avoided: the embodiment of the invention detects each rule only once, effectively avoiding a large amount of inefficient computation. When rules are modified, added or deleted, the rule models do not all need to be detected again; only the specific changed rules need to be re-detected. The embodiment of the invention therefore has low computational resource occupation and high detection efficiency, solves the resource occupation and efficiency problems caused by excessive rule models or frequent rule modification in the conventional method, and is particularly suitable for detection scenarios with a large data volume.
In another aspect, an embodiment of the present invention provides a security detection apparatus, as shown in fig. 2, the apparatus may include:
the first acquisition module 11 is configured to acquire an object to be detected and a plurality of rule models required for performing security detection on the object to be detected;
a splitting module 12, configured to split the multiple rule models to obtain multiple rules included in the multiple rule models;
the detection module 13 is configured to detect the object to be detected by using the multiple rules to obtain a detection result of each rule;
and the second obtaining module 14 is configured to obtain a detection result corresponding to each rule model according to the detection result of each rule.
The apparatus of this embodiment may be used to implement the technical solution of the method embodiment shown in fig. 1, and the implementation principle and the technical effect are similar, which are not described herein again.
Preferably, the first obtaining module 11 includes:
the first acquisition unit is used for acquiring the type of the object to be detected;
and the second acquisition unit is used for acquiring a plurality of rule models required by the safety detection of the object to be detected according to the type.
Preferably, the detection module 13 includes:
and a first traversal unit, configured to traverse the plurality of rules and, according to a pre-stored rule mutual exclusion relation table, judge whether the object to be detected has already been detected by a rule having a mutual exclusion relation with the current rule; if so, skip the current rule, and if not, detect the object to be detected with the current rule to obtain the detection result of the current rule.
Preferably, the first traversal unit includes:
an acquisition subunit, configured to acquire the known detection result obtained by detecting the object to be detected with the rule that has a mutual exclusion relationship with the current rule;
and a setting subunit, configured to set the detection result of the current rule to the opposite of that known detection result.
Preferably, the detection module 13 includes:
the sorting unit is used for arranging the rules needing to depend on other rule detection results behind the depended rules according to a pre-stored rule dependency relationship table;
and the second traversal unit is used for traversing the plurality of rules in sequence and judging whether the depended rules of the current rule hit or not, if so, detecting the object to be detected by using the current rule to obtain the detection result of the current rule, and if not, skipping the current rule.
Preferably, the second obtaining module 14 includes:
the combination unit is used for sequentially combining the detection results of a plurality of rules contained in each rule model and carrying out hash operation on the combined result to obtain a hash value;
and the judging unit is used for judging whether the hash value is equal to a preset hash value or not, and if so, the rule model is hit.
An embodiment of the present invention further provides an electronic device, fig. 3 is a schematic structural diagram of an embodiment of the electronic device of the present invention, and a flow of the embodiment shown in fig. 1 of the present invention may be implemented, as shown in fig. 3, where the electronic device may include: the device comprises a shell 41, a processor 42, a memory 43, a circuit board 44 and a power circuit 45, wherein the circuit board 44 is arranged inside a space enclosed by the shell 41, and the processor 42 and the memory 43 are arranged on the circuit board 44; a power supply circuit 45 for supplying power to each circuit or device of the electronic apparatus; the memory 43 is used for storing executable program code; the processor 42 executes a program corresponding to the executable program code by reading the executable program code stored in the memory 43, for performing the method described in any of the method embodiments described above.
The specific execution process of the above steps by the processor 42 and the steps further executed by the processor 42 by running the executable program code may refer to the description of the embodiment shown in fig. 1 of the present invention, and are not described herein again.
The electronic device exists in a variety of forms, including but not limited to:
(1) a mobile communication device: such devices are characterized by mobile communications capabilities and are primarily targeted at providing voice, data communications. Such terminals include: smart phones (e.g., iphones), multimedia phones, functional phones, and low-end phones, among others.
(2) Ultra mobile personal computer device: the equipment belongs to the category of personal computers, has calculation and processing functions and generally has the characteristic of mobile internet access. Such terminals include: PDA, MID, and UMPC devices, etc., such as ipads.
(3) A portable entertainment device: such devices can display and play multimedia content. This type of device comprises: audio, video players (e.g., ipods), handheld game consoles, electronic books, and smart toys and portable car navigation devices.
(4) A server: the device for providing the computing service comprises a processor, a hard disk, a memory, a system bus and the like, and the server is similar to a general computer architecture, but has higher requirements on processing capacity, stability, reliability, safety, expandability, manageability and the like because of the need of providing high-reliability service.
(5) And other electronic equipment with data interaction function.
The embodiment of the present invention further provides a computer-readable storage medium, in which a computer program is stored, and the computer program, when executed by a processor, implements the method steps described in any of the above method embodiments.
Embodiments of the invention also provide an application program, which is executed to implement the method provided by any one of the method embodiments of the invention.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment. For convenience of description, the above devices are described separately in terms of functional division into various units/modules. Of course, the functionality of the units/modules may be implemented in one or more software and/or hardware implementations of the invention.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (14)

1. A security detection method, comprising:
obtaining an object to be detected and a plurality of rule models required for security detection of the object to be detected;
splitting the rule models to obtain a plurality of rules contained in the rule models;
detecting the object to be detected by using the plurality of rules to obtain a detection result of each rule;
and obtaining a detection result corresponding to each rule model according to the detection result of each rule.
2. The method according to claim 1, wherein the obtaining of the object to be detected and the plurality of rule models required for the security detection of the object to be detected comprises:
acquiring the type of the object to be detected;
and acquiring, according to the type, a plurality of rule models required for security detection of the object to be detected.
3. The method according to claim 1, wherein the detecting the object to be detected by using the plurality of rules to obtain the detection result of each rule comprises:
traversing the plurality of rules and, for each current rule, judging according to a pre-stored rule mutual exclusion relation table whether the object to be detected has already been detected by a rule that is mutually exclusive with the current rule; if so, skipping the current rule, and if not, detecting the object to be detected by using the current rule to obtain a detection result of the current rule.
4. The method of claim 3, wherein skipping the current rule in the affirmative case comprises:
acquiring the known detection result obtained by detecting the object to be detected with the rule that is mutually exclusive with the current rule;
and setting the detection result of the current rule to the opposite of that known detection result.
5. The method according to claim 1, wherein the detecting the object to be detected by using the plurality of rules to obtain the detection result of each rule comprises:
arranging, according to a pre-stored rule dependency relation table, each rule that depends on the detection results of other rules after the rules it depends on;
traversing the rules in that order and judging whether the rules the current rule depends on have hit; if so, detecting the object to be detected by using the current rule to obtain the detection result of the current rule, and if not, skipping the current rule.
6. The method according to any one of claims 1 to 5, wherein obtaining the detection result corresponding to each rule model according to the detection result of each rule comprises:
for each rule model, sequentially combining detection results of a plurality of rules contained in the rule model, and performing hash operation on the combined result to obtain a hash value;
and judging whether the hash value is equal to a preset hash value; if so, the rule model is hit.
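The procedure of claims 1 to 6 can be followed end to end in a small worked example. The following Python is an added illustration written for this page and is not code from the patent or from the applicant; the rule predicates, the object fields (`name`, `size`, `signed`, `imports`), the two rule models, the mutual exclusion pair and the dependency entry are all constructed for the example, and SHA-256 is assumed as the hash operation because the claims do not name one. It splits the models into a single deduplicated rule set, evaluates each rule once while applying the mutual exclusion shortcut (claims 3 and 4) and the dependency ordering and skip (claim 5), then concatenates each model's per-rule results, hashes them and compares against the model's preset hash (claim 6).

```python
"""Worked example of the rule-model split, shared rule evaluation and hash
matching described in claims 1-6 (added example, not the patent's own code)."""
import hashlib
from typing import Callable, Dict, List, Tuple

# Rule predicates keyed by rule id (constructed for this example).
RULES: Dict[str, Callable[[dict], bool]] = {
    "r_exe": lambda o: o["name"].lower().endswith(".exe"),
    "r_double_ext": lambda o: o["name"].count(".") >= 2,
    "r_signed": lambda o: o["signed"],
    "r_unsigned": lambda o: not o["signed"],
    "r_large": lambda o: o["size"] > 1_000_000,
    "r_remote_thread": lambda o: "CreateRemoteThread" in o["imports"],
}

# Rule mutual exclusion table (claim 3): once one side has been evaluated, the
# other side takes the opposite result without being evaluated (claim 4).
EXCLUSIVE: List[Tuple[str, str]] = [("r_signed", "r_unsigned")]

# Rule dependency table (claim 5): a rule is only evaluated if every rule it
# depends on has hit; otherwise it is skipped and recorded as a miss.
DEPENDS_ON: Dict[str, List[str]] = {"r_remote_thread": ["r_exe"]}


def preset_hash(pattern: str) -> str:
    """Hash of the expected result pattern, stored with the model (claim 6)."""
    return hashlib.sha256(pattern.encode()).hexdigest()


# Rule models: ordered rule ids plus the preset hash of the pattern that means "hit".
MODELS: Dict[str, Tuple[List[str], str]] = {
    "dropper_like": (["r_exe", "r_double_ext", "r_unsigned"], preset_hash("111")),
    "injector_like": (["r_exe", "r_remote_thread", "r_signed", "r_large"], preset_hash("1100")),
}

# Constructed sample objects (not real files).
SAMPLE_DROPPER = {"name": "invoice.pdf.exe", "size": 250_000, "signed": False,
                  "imports": ["CreateRemoteThread", "WriteProcessMemory"]}
SAMPLE_BENIGN = {"name": "report.pdf", "size": 2_000_000, "signed": True, "imports": []}


def split_models(models: Dict[str, Tuple[List[str], str]]) -> List[str]:
    """Claim 1: collect each distinct rule once across all models, keeping first-seen order."""
    seen: List[str] = []
    for rule_ids, _ in models.values():
        for r in rule_ids:
            if r not in seen:
                seen.append(r)
    return seen


def order_by_dependency(rule_ids: List[str], depends_on: Dict[str, List[str]]) -> List[str]:
    """Claim 5: place every rule after the rules it depends on (depth-first topological order)."""
    ordered: List[str] = []

    def visit(r: str, stack: Tuple[str, ...]) -> None:
        if r in ordered:
            return
        if r in stack:
            raise ValueError(f"dependency cycle through {r}")
        for dep in depends_on.get(r, []):
            visit(dep, stack + (r,))
        ordered.append(r)

    for r in rule_ids:
        visit(r, ())
    return ordered


def evaluate_rules(obj: dict, rule_ids: List[str], rules, exclusive, depends_on):
    """Claims 3-5: evaluate each rule at most once; return results and the rules actually run."""
    partner: Dict[str, str] = {}
    for a, b in exclusive:
        partner[a], partner[b] = b, a
    results: Dict[str, bool] = {}
    evaluated: List[str] = []
    for r in order_by_dependency(rule_ids, depends_on):
        if partner.get(r) in results:           # claim 4: reuse the exclusive partner's result
            results[r] = not results[partner[r]]
            continue
        if any(not results.get(dep, False) for dep in depends_on.get(r, [])):
            results[r] = False                  # claim 5: a dependency missed, skip this rule
            continue
        results[r] = bool(rules[r](obj))
        evaluated.append(r)
    return results, evaluated


def match_models(results: Dict[str, bool], models) -> Dict[str, bool]:
    """Claim 6: concatenate the per-rule results in model order, hash, compare to the preset hash."""
    hits = {}
    for name, (rule_ids, expected) in models.items():
        pattern = "".join("1" if results[r] else "0" for r in rule_ids)
        hits[name] = hashlib.sha256(pattern.encode()).hexdigest() == expected
    return hits


def detect(obj: dict, models=MODELS, rules=RULES, exclusive=EXCLUSIVE, depends_on=DEPENDS_ON):
    """Full pipeline: returns (model hits, per-rule results, list of rules actually evaluated)."""
    rule_ids = split_models(models)
    results, evaluated = evaluate_rules(obj, rule_ids, rules, exclusive, depends_on)
    return match_models(results, models), results, evaluated


if __name__ == "__main__":
    for label, obj in (("dropper", SAMPLE_DROPPER), ("benign", SAMPLE_BENIGN)):
        hits, results, evaluated = detect(obj)
        print(label, hits, "evaluated:", evaluated)
```

For the constructed dropper-like object both models hit while only five of the seven rule slots across the two models are actually evaluated: `r_signed` is derived from `r_unsigned` through the exclusion table, and `r_exe` is evaluated once although both models reference it. For the benign object `r_remote_thread` is never run because its dependency `r_exe` missed. A practitioner should note that the hash comparison in claim 6 only encodes exact equality of the whole result pattern, so a model that should hit on "any of" or "at least n of" its rules needs a different preset pattern per accepted combination.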
7. A security detection device, comprising:
a first acquisition module, configured to acquire an object to be detected and a plurality of rule models required for security detection of the object to be detected;
the splitting module is used for splitting the rule models to obtain a plurality of rules contained in the rule models;
the detection module is used for detecting the object to be detected by utilizing the plurality of rules to obtain a detection result of each rule;
and the second acquisition module is used for acquiring the detection result corresponding to each rule model according to the detection result of each rule.
8. The apparatus of claim 7, wherein the first obtaining module comprises:
the first acquisition unit is used for acquiring the type of the object to be detected;
and a second acquisition unit, configured to acquire, according to the type, a plurality of rule models required for security detection of the object to be detected.
9. The apparatus of claim 7, wherein the detection module comprises:
a first traversal unit, configured to traverse the plurality of rules and, for each current rule, judge according to a pre-stored rule mutual exclusion relation table whether the object to be detected has already been detected by a rule that is mutually exclusive with the current rule; if so, skip the current rule, and if not, detect the object to be detected by using the current rule to obtain a detection result of the current rule.
10. The apparatus of claim 9, wherein the first traversal unit comprises:
an acquisition subunit, configured to acquire the known detection result obtained by detecting the object to be detected with the rule that is mutually exclusive with the current rule;
and a setting subunit, configured to set the detection result of the current rule to the opposite of that known detection result.
11. The apparatus of claim 7, wherein the detection module comprises:
a sorting unit, configured to arrange, according to a pre-stored rule dependency relation table, each rule that depends on the detection results of other rules after the rules it depends on;
and a second traversal unit, configured to traverse the plurality of rules in that order and judge whether the rules the current rule depends on have hit; if so, detect the object to be detected by using the current rule to obtain the detection result of the current rule, and if not, skip the current rule.
12. The apparatus according to any of claims 7-11, wherein the second obtaining module comprises:
the combination unit is used for sequentially combining the detection results of a plurality of rules contained in each rule model and carrying out hash operation on the combined result to obtain a hash value;
and the judging unit is used for judging whether the hash value is equal to a preset hash value or not, and if so, the rule model is hit.
13. An electronic device, characterized in that the electronic device comprises: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space enclosed by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory, for performing the method of any of the above claims 1-6.
14. A computer readable storage medium, characterized in that the computer readable storage medium stores one or more programs which are executable by one or more processors to implement the method of any of the preceding claims 1-6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111529078.9A CN114338102B (en) 2021-12-14 2021-12-14 Security detection method, security detection device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111529078.9A CN114338102B (en) 2021-12-14 2021-12-14 Security detection method, security detection device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114338102A true CN114338102A (en) 2022-04-12
CN114338102B CN114338102B (en) 2024-03-19

Family

ID=81051264

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111529078.9A Active CN114338102B (en) 2021-12-14 2021-12-14 Security detection method, security detection device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114338102B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150081612A1 (en) * 2012-08-07 2015-03-19 Huawei Technologies Co., Ltd. Rule matching method and apparatus
CN108234524A (en) * 2018-04-02 2018-06-29 广州广电研究院有限公司 Method, apparatus, equipment and the storage medium of network data abnormality detection
CN109543942A (en) * 2018-10-16 2019-03-29 平安普惠企业管理有限公司 Data verification method, device, computer equipment and storage medium
CN111524008A (en) * 2020-04-16 2020-08-11 天使方舟有限公司 Rule engine and modeling method thereof, modeling device and instruction processing method
CN112801667A (en) * 2021-01-21 2021-05-14 中国银联股份有限公司 Real-time transaction abnormity detection method and device

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115589330A (en) * 2022-11-09 2023-01-10 北京邮电大学 Safety detection device and method
CN115589330B (en) * 2022-11-09 2023-03-24 北京邮电大学 Safety detection device and method
WO2024169181A1 (en) * 2023-02-14 2024-08-22 华为云计算技术有限公司 Rule recombination method, data management platform and computing device

Also Published As

Publication number Publication date
CN114338102B (en) 2024-03-19

Similar Documents

Publication Publication Date Title
CN109669795B (en) Crash information processing method and device
CN114338102A (en) Security detection method and device, electronic equipment and storage medium
CN108038398B (en) Two-dimensional code analysis capability test method and device and electronic equipment
CN105809471B (en) Method and device for acquiring user attribute and electronic equipment
CN115174250A (en) Network asset safety assessment method and device, electronic equipment and storage medium
CN108804917B (en) File detection method and device, electronic equipment and storage medium
CN114372297A (en) Method and device for verifying file integrity based on message digest algorithm
CN111027065B (en) Leucavirus identification method and device, electronic equipment and storage medium
CN110737894B (en) Composite document security detection method and device, electronic equipment and storage medium
CN110611675A (en) Vector magnitude detection rule generation method and device, electronic equipment and storage medium
CN110874310A (en) Terminal behavior monitoring method and device, electronic equipment and storage medium
CN114070638A (en) Computer system security defense method, device, electronic equipment and medium
CN113987489A (en) Method and device for detecting unknown threat of network, electronic equipment and storage medium
CN108881151B (en) Joint-point-free determination method and device and electronic equipment
CN114329464A (en) Anti-virus engine detection method and device, electronic equipment and storage medium
CN111800391A (en) Method and device for detecting port scanning attack, electronic equipment and storage medium
CN110801630A (en) Cheating program determining method, device, equipment and storage medium
CN114638303B (en) Application software group acquisition method, electronic equipment and readable storage medium
CN116244659B (en) Data processing method, device, equipment and medium for identifying abnormal equipment
CN108875361A (en) A kind of method, apparatus of monitoring programme, electronic equipment and storage medium
CN114036518A (en) Virus file processing method and device, electronic equipment and storage medium
CN110659489B (en) Threat detection method, device and storage medium for character string splicing behavior
CN111797392B (en) Method, device and storage medium for controlling infinite analysis of derivative files
CN114417331A (en) Method and device for determining virus characteristic credibility, electronic equipment and storage medium
CN114168953A (en) Malicious code detection method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant