CN114756865A - RDP file security detection method and device, electronic equipment and storage medium - Google Patents

Publication number
CN114756865A
Authority
CN (China)
Prior art keywords
rdp file; rdp; detected; file; security detection
Legal status
Pending (status as listed by Google Patents, not a legal conclusion)
Application number
CN202210434433.2A
Other languages
Chinese (zh)
Inventors
孙勇, 盛颖, 王小丰, 肖新光
Current assignee
Antiy Technology Group Co Ltd
Original assignee
Antiy Technology Group Co Ltd
Application filed by Antiy Technology Group Co Ltd
Priority to CN202210434433.2A
Publication of CN114756865A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/451 Execution arrangements for user interfaces
    • G06F 9/452 Remote windowing, e.g. X-Window System, desktop virtualisation

Abstract

The embodiment of the invention relates to the technical field of network security protection, in particular to a security detection method and device for RDP (Remote Desktop Protocol) files, an electronic device and a storage medium. The method comprises the following steps: determining a security detection policy based on all configuration items of known RDP files; in response to obtaining an RDP file to be detected, parsing the RDP file to be detected to obtain its configuration items; and performing security detection on the RDP file to be detected based on the security detection policy and the configuration items of the RDP file to be detected. With this scheme it can be determined whether the RDP file to be detected is a malicious RDP file, so that malicious RDP files can be detected effectively.

Description

RDP file security detection method and device, electronic equipment and storage medium
Technical Field
The embodiment of the invention relates to the technical field of network security protection, in particular to a security detection method and device for RDP (remote desktop protocol) files, electronic equipment and a storage medium.
Background
As computer technology has spread into every area of social life, viruses have come along with it. Because they are infectious, self-replicating and destructive, these viruses have become a serious problem for computer use.
In the related art, an attacker can induce a user to click a link by e-mail, chat or similar means and thereby load a malicious RDP (Remote Desktop Protocol) file. The file causes the user machine to establish a connection to a remote server controlled by the attacker, who can then use that server to make the user machine execute malicious operations.
Therefore, the security of RDP files needs to be checked effectively.
Disclosure of Invention
In order to solve the problem that effective security detection of malicious RDP files is difficult to realize, embodiments of the present invention provide a method and an apparatus for security detection of RDP files, an electronic device, and a storage medium.
In a first aspect, an embodiment of the present invention provides a method for detecting security of an RDP file, including:
determining a security detection policy based on all configuration items of known RDP files;
in response to obtaining an RDP file to be detected, parsing the RDP file to be detected to obtain the configuration items of the RDP file to be detected;
and performing security detection on the RDP file to be detected based on the security detection policy and the configuration items of the RDP file to be detected.
In one possible design, the determining a security detection policy based on all configuration items of the known RDP file includes:
obtaining a score given to each configuration item of a known RDP file;
obtaining a first result of threat level classification for all configuration items of the known RDP file;
determining a reference threshold corresponding to each threat level based on the score and the first result;
a security detection policy is determined based on a reference threshold corresponding to each threat level.
In one possible design, the determining a reference threshold corresponding to each threat level based on the score and the first result includes:
determining a reference threshold corresponding to each threat level using the following formula:
$V_i = \frac{1}{n}\sum_{j=1}^{n} C_{ij}$
wherein $V_i$ is the reference threshold of the i-th threat level, $C_{ij}$ is the score of the j-th configuration item in the i-th threat level, and n is the total number of configuration items in the i-th threat level.
In one possible design, after the obtaining the score assigned to each configuration item of the known RDP file, the method further includes:
obtaining a configuration item score library based on all configuration items of the known RDP file and the score corresponding to each configuration item;
the performing security detection on the RDP file to be detected based on the security detection policy and the configuration items of the RDP file to be detected comprises:
obtaining a security evaluation value of the RDP file to be detected based on the configuration item score library and the configuration items of the RDP file to be detected;
and performing security detection on the RDP file to be detected based on the security evaluation value and the security detection policy.
In one possible design, the obtaining a security evaluation value of the RDP file to be detected based on the configuration item score library and the configuration items of the RDP file to be detected includes:
obtaining the security evaluation value of the RDP file to be detected with the following formula:
$S = \sum_{j=1}^{k} D_j$
wherein S is the security evaluation value of the RDP file to be detected, $D_j$ is the score of the j-th configuration item in the RDP file to be detected, and k is the total number of configuration items in the RDP file to be detected.
In one possible design, the performing security detection on the RDP file to be detected based on the security assessment value and the security detection policy includes:
and comparing the security evaluation value with a reference threshold value corresponding to each threat level included in the security detection strategy to obtain the threat level of the RDP file to be detected so as to complete the security detection of the RDP file to be detected.
In one possible design, the determining a security detection policy based on the configuration item of the known RDP file includes:
obtaining a first result of threat level classification for all configuration items of the known RDP file;
determining a security detection policy based on the first result;
the security detection of the RDP file to be detected based on the security detection strategy and the configuration item of the RDP file to be detected comprises the following steps:
acquiring a second result of threat level classification performed on the configuration item of the RDP file to be tested; the threat level classification mode for the configuration items of the RDP file to be tested is the same as the threat level classification mode for all the configuration items of the known RDP file;
and performing security detection on the RDP file to be detected based on the security detection strategy and the second result.
In a second aspect, an embodiment of the present invention further provides a security detection apparatus for an RDP file, including:
the determining module is used for determining a security detection strategy based on all configuration items of the known RDP file;
the parsing module is used for, in response to obtaining the RDP file to be detected, parsing the RDP file to be detected to obtain the configuration items of the RDP file to be detected;
and the detection module is used for carrying out security detection on the RDP file to be detected based on the security detection strategy and the configuration item of the RDP file to be detected.
In a third aspect, an embodiment of the present invention further provides an electronic device, which includes a memory and a processor, where the memory stores a computer program, and the processor executes the computer program to implement the method according to any embodiment of this specification.
In a fourth aspect, the present invention further provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed in a computer, the computer program causes the computer to execute the method described in any embodiment of the present specification.
The embodiment of the invention provides a security detection method, a security detection device, electronic equipment and a storage medium for RDP files.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a flowchart of a security detection method for RDP files according to an embodiment of the present invention;
FIG. 2 is a flowchart of another method for security detection of an RDP file according to an embodiment of the present invention;
FIG. 3 is a flowchart of another method for security detection of an RDP file according to an embodiment of the present invention;
FIG. 4 is a diagram of a hardware architecture of an electronic device according to an embodiment of the present invention;
fig. 5 is a structural diagram of a security detection apparatus for RDP files according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer and more complete, the technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention, and based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without creative efforts belong to the scope of the present invention.
As described above, an attacker may induce a user to click a link by e-mail, chat or similar means and thereby load a malicious RDP (Remote Desktop Protocol) file. The file causes the user machine to establish a connection to a remote server controlled by the attacker, who can then use that server to make the user machine execute malicious operations.
Specifically, the attacker may preset configuration items such as drive mapping, USB device mapping, printer mapping and clipboard mapping in the malicious RDP file, so that once the connection is established the attacker can perform malicious operations on the user machine through the remote server, for example stealing the contents of important files on the user machine.
In order to solve the technical problem, the inventor considers that a security detection policy for detecting the RDP to be detected can be determined by using the configuration item of the known RDP file, so that after the RDP file to be detected is detected, the security detection of the RDP file to be detected can be completed by analyzing the configuration item of the RDP file to be detected and the determined security detection policy, and thus, the loading of a malicious RDP file can be prevented by using the result of the security detection.
Specific implementations of the above concepts are described below.
Referring to fig. 1, an embodiment of the present invention provides a method for detecting security of an RDP file, where the method includes:
step 100: determining a security detection strategy based on all configuration items of the known RDP file;
step 102: in response to obtaining the RDP file to be detected, parsing the RDP file to be detected to obtain the configuration items of the RDP file to be detected;
step 104: and carrying out security detection on the RDP file to be detected based on the security detection strategy and the configuration item of the RDP file to be detected.
In the embodiment of the invention, a security detection policy is first determined based on all configuration items of known RDP files; then, when an RDP file to be detected is obtained, it is parsed to obtain its configuration items; finally, security detection is performed on the RDP file to be detected based on the determined security detection policy and those configuration items. In this way it can be determined whether the RDP file to be detected is a malicious RDP file, so that malicious RDP files can be detected effectively.
The manner in which the various steps shown in fig. 1 are performed is described below.
With respect to step 100:
in step 100, the embodiment of the present invention provides two ways of determining a security detection policy, and the security detection policies of the two ways are described below.
The first method is as follows:
in the first mode, step 100 may include:
and step A1, obtaining the score assigned to each configuration item of the known RDP file.
In this step, a technician may list all configuration items in the known RDP file in advance, and then score (i.e., assign a score) the security of each configuration item according to a priori knowledge (e.g., an expert security knowledge base), so that the user machine may obtain the score assigned to each configuration item of the known RDP file.
In some embodiments, the scores assigned to each configuration item of the known RDP files obtained by the user machine may be referred to in table 1. It should be noted that only some configuration items and scores of known RDP files are listed in table 1.
TABLE 1
Configuration item                                  Score
drivestoredirect (drive mapping)                    100
redirectclipboard (clipboard mapping)               85
usbdevicestoredirect (USB device mapping)           80
redirectprinters (printer mapping)                  75
redirectsmartcards (smart card mapping)             10
remoteapplicationicon (remote application icon)     1
screen mode id (screen display mode)                1
Step A2, obtain a first result of threat level classification for all configuration items of known RDP files.
In this step, the threat levels may be classified into three categories, i.e., high security threat, medium security threat, and low security threat, for example. Of course, a greater or lesser number of threat levels may be assigned, and the number of threat levels is not limited herein.
In some embodiments, for example, the high security threat level may include configuration items such as drive mapping, clipboard mapping, USB device mapping and printer mapping; the medium security threat level may include configuration items such as smart card mapping; and the low security threat level may include configuration items such as the remote application icon and the screen display mode.
In some embodiments, the first result of the threat level classification obtained by the user machine for all configuration items of the known RDP file may be referred to in table 2. It should be noted that only some configuration items of the same known RDP file as those in table 1 and their threat levels are listed in table 2.
TABLE 2
Configuration item                                  Threat level
drivestoredirect (drive mapping)                    High security threat
redirectclipboard (clipboard mapping)               High security threat
usbdevicestoredirect (USB device mapping)           High security threat
redirectprinters (printer mapping)                  High security threat
redirectsmartcards (smart card mapping)             Medium security threat
remoteapplicationicon (remote application icon)     Low security threat
screen mode id (screen display mode)                Low security threat
In addition, the order of steps A1 and A2 is not specifically limited: step A1 may be executed first and then step A2, or step A2 first and then step A1.
Step A3, determining a reference threshold corresponding to each threat level based on the score and the first result.
After steps A1 and A2, the configuration items in each threat level have been assigned scores, so a reference threshold can be determined for each threat level to support the subsequent security detection of the RDP file to be detected.
In some embodiments, step A3 may determine the reference threshold corresponding to each threat level using the following formula:
$V_i = \frac{1}{n}\sum_{j=1}^{n} C_{ij}$
wherein $V_i$ is the reference threshold of the i-th threat level, $C_{ij}$ is the score of the j-th configuration item in the i-th threat level, and n is the total number of configuration items in the i-th threat level.
For example, with the scores of Table 1 and the classification of Table 2, the above formula gives reference thresholds of 85, 10 and 1 for the high, medium and low security threat levels respectively (the high level averages 100, 85, 80 and 75; the medium level contains only the score 10; the low level averages 1 and 1).
It should be noted that, by using the mean of the scores of the configuration items in each threat level as the reference threshold, a more objective and accurate reference threshold can still be obtained for each threat level when there are few threat levels and the scores of different configuration items within a level differ widely, thereby improving the accuracy of the security detection.
In this step, the reference threshold value of each threat level may also be determined in other manners, for example, the lowest score of the configuration item in each threat level may be used as the reference threshold value of the threat level. Alternatively, the median of the configuration items in each threat level may be used as the reference threshold of the threat level, and the determination method of the reference threshold is not limited here.
Step A4, determining a security detection policy based on the reference threshold corresponding to each threat level.
In some embodiments, the security detection policy may be: determining the threat level of the RDP file to be detected according to the scores of the configuration items in the RDP file to be detected and the reference threshold corresponding to each threat level.
After the threat level of the RDP file to be detected is determined, the operation corresponding to that threat level may be executed, for example blocking the file from being opened, prompting the user with a dialog to choose whether to open it, or allowing it to be opened.
In addition, in some embodiments, in order to facilitate matching scores with configuration items in the RDP file to be tested, after step a1, the method further includes:
and obtaining a configuration item score library based on all configuration items of the known RDP file and the score corresponding to each configuration item.
Then, after the configuration item of the RDP file to be detected is analyzed, the configuration item score library can be used to directly match and obtain the score of the configuration item of the RDP file to be detected, so as to improve the detection speed of the security detection.
In summary, a method of assigning a score to each configuration item of a known RDP file and classifying threat levels is used to calculate a reference threshold corresponding to each threat level, and then a security detection policy is formulated by referring to the threshold. Therefore, when the RDP file to be detected is subjected to security detection subsequently, the security detection result of the RDP to be detected can be obtained according to the score of the configuration item in the RDP file to be detected and the security detection strategy.
The second method comprises the following steps:
in the second mode, step 100 may include:
step B1, obtaining a first result of threat level classification for all configuration items of the known RDP file;
and step B2, determining a security detection strategy based on the first result.
In this embodiment, when the RDP file to be detected is detected, the security detection result of the RDP file to be detected may be determined by matching the configuration items in the RDP file to be detected with all the configuration items of the known RDP files in the first result.
With respect to step 102:
in this step, when the RDP file to be detected is detected, the user may obtain the RDP file to be detected, analyze the RDP file to be detected to obtain the configuration item in the RDP file to be detected, and then perform security detection on the RDP file to be detected by using the security detection policy determined in step 100 and the configuration item of the RDP file to be detected obtained through analysis. Here, the analysis manner of the RDP file to be tested is not specifically limited in the embodiment of the present invention, and may be, for example, regular matching.
With respect to step 104:
for mode one, step 104 may include:
Step C1, obtaining a security evaluation value of the RDP file to be detected based on the configuration item score library and the configuration items of the RDP file to be detected.
In this step, the configuration item score library is used to look up the score of each configuration item obtained by parsing in step 102, and those scores are then used to calculate a security evaluation value for the security detection of the RDP file to be detected.
In some embodiments, the security evaluation value of the RDP file to be detected may be obtained with the following formula:
$S = \sum_{j=1}^{k} D_j$
wherein S is the security evaluation value of the RDP file to be detected, $D_j$ is the score of the j-th configuration item in the RDP file to be detected, and k is the total number of configuration items in the RDP file to be detected.
In this embodiment, the sum of the scores of all configuration items in the RDP file to be detected is used as its security evaluation value. Compared with using the mean, the maximum, the minimum or another statistic of those scores, the sum still yields an objective and accurate evaluation value representing the threat level of the RDP file to be detected when the file contains few configuration items and their scores differ widely, which improves the accuracy of the security detection.
Of course, the security evaluation value of the RDP file to be detected may also be determined in other ways, for example the mean of the scores of all its configuration items or the highest single configuration item score may be used, so the way of determining the security evaluation value is not limited here.
And step C2, performing security detection on the RDP file to be detected based on the security evaluation value and the security detection strategy.
In some embodiments, the security evaluation value may be compared with a reference threshold corresponding to each threat level included in the security detection policy to obtain a threat level of the RDP file to be detected, so as to complete security detection on the RDP file to be detected.
For example, the security evaluation value S obtained in step C1 is compared with the reference thresholds determined in mode one of step 100, with $V_3$, $V_2$ and $V_1$ denoting the reference thresholds of the high, medium and low security threat levels. If $S \ge V_3$, the threat level of the RDP file to be detected is the high security threat level; if $V_2 \le S < V_3$, it is the medium security threat level; if $V_1 \le S < V_2$, it is the low security threat level. The threat level so obtained is the security detection result of the RDP file to be detected, and the corresponding operation is executed according to it, for example blocking the file, prompting the user with a dialog to choose whether to proceed, or allowing the file to be opened.
In summary, in the first mode, the configuration item score library is used to obtain the score of the configuration item of the RDP file to be detected, the security evaluation value of the RDP file to be detected is determined according to the score of the configuration item of the RDP file to be detected, and the threat level of the RDP file to be detected is obtained by comparing the security evaluation value with the reference threshold corresponding to each threat level included in the security detection policy, so as to complete the security detection of the RDP file to be detected.
For mode two, step 104 may include:
step D1, acquiring a second result of threat level classification for the configuration items of the RDP file to be tested; the threat level classification method for the configuration items of the RDP file to be detected is the same as the threat level classification method for all the configuration items of the known RDP file;
and D2, performing security detection on the RDP file to be detected based on the security detection strategy and the second result.
In this step, the highest threat level among all configuration items of the RDP file to be detected in the second result may be taken as the threat level of the RDP file to be detected, or another rule may be applied to the per-item threat levels, so the manner of determining the security result is not limited here.
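The whole procedure of steps 100 to 104 above, in both mode one (score library, summed evaluation value S, mean-based thresholds $V_i$, comparison from the highest level down) and mode two (highest per-item threat level), as an added Python example. This is not code from the patent or from Antiy. The scores and threat-level classes are taken from Table 1 and Table 2 of the description; the function names, the two constructed sample files, the result "none" for a file whose items fall below every threshold, and the rule that a setting whose value is 0 or empty is not scored (the description does not say whether disabled settings count) are assumptions of this example. The parser follows the `name:type:value` line format of .rdp files and accepts both the UTF-16LE files that mstsc.exe writes and plain ASCII files, which goes a little beyond the regular-expression matching the description mentions for step 102.

```python
import re
from statistics import mean

# Table 1 of the description: score per configuration item (keys are the
# actual .rdp setting names, lower-cased).
SCORE_LIBRARY = {
    "drivestoredirect": 100,
    "redirectclipboard": 85,
    "usbdevicestoredirect": 80,
    "redirectprinters": 75,
    "redirectsmartcards": 10,
    "remoteapplicationicon": 1,
    "screen mode id": 1,
}

# Table 2 of the description: threat level of each configuration item.
THREAT_CLASS = {
    "drivestoredirect": "high",
    "redirectclipboard": "high",
    "usbdevicestoredirect": "high",
    "redirectprinters": "high",
    "redirectsmartcards": "medium",
    "remoteapplicationicon": "low",
    "screen mode id": "low",
}
LEVEL_ORDER = ["low", "medium", "high"]  # ascending severity

# One .rdp line is "name:type:value" with type i (int), s (string) or b (binary).
_LINE_RE = re.compile(r"^(?P<name>[^:]+):(?P<type>[isb]):(?P<value>.*)$")


def parse_rdp(data: bytes) -> dict:
    """Step 102: parse an .rdp file into {lower-cased name: (type, value)}.

    mstsc.exe saves .rdp files as UTF-16LE with a BOM; hand-written ones are
    usually ASCII/UTF-8, so both are accepted.  Lines that do not have the
    name:type:value shape are ignored.
    """
    if data.startswith(b"\xff\xfe"):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8-sig", errors="replace")
    items = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            items[m["name"].strip().lower()] = (m["type"], m["value"].strip())
    return items


def is_enabled(typ: str, value: str) -> bool:
    """Assumption of this example (not stated in the patent): an integer
    setting of 0 or an empty string setting redirects nothing, so it is not
    scored.  Without this, 'redirectclipboard:i:0' would still count 85."""
    return value not in ("", "0") if typ == "i" else value != ""


def reference_thresholds() -> dict:
    """Step A3: V_i is the mean of the scores C_ij of the items in level i."""
    return {
        level: mean(SCORE_LIBRARY[n] for n, l in THREAT_CLASS.items() if l == level)
        for level in LEVEL_ORDER
    }


def security_evaluation(items: dict) -> int:
    """Step C1: S is the sum of the scores D_j of the file's enabled items;
    a setting that is not in the score library contributes 0."""
    return sum(SCORE_LIBRARY.get(n, 0) for n, (t, v) in items.items() if is_enabled(t, v))


def classify_mode_one(data: bytes) -> tuple:
    """Step C2: compare S with the thresholds from the highest level down.
    Returns (S, level); 'none' (an assumption) when S is below every V_i."""
    s = security_evaluation(parse_rdp(data))
    thresholds = reference_thresholds()
    for level in reversed(LEVEL_ORDER):
        if s >= thresholds[level]:
            return s, level
    return s, "none"


def classify_mode_two(data: bytes) -> str:
    """Steps D1/D2: the file takes the highest threat level of any enabled
    classified item; 'none' (an assumption) when there is no such item."""
    levels = [THREAT_CLASS[n] for n, (t, v) in parse_rdp(data).items()
              if n in THREAT_CLASS and is_enabled(t, v)]
    return max(levels, key=LEVEL_ORDER.index) if levels else "none"


# Constructed sample files for this example, not real captured .rdp files.
MALICIOUS_RDP = b"\xff\xfe" + (           # UTF-16LE with BOM, as mstsc writes it
    "full address:s:203.0.113.10\r\n"
    "screen mode id:i:2\r\n"
    "drivestoredirect:s:*\r\n"
    "redirectclipboard:i:1\r\n"
    "usbdevicestoredirect:s:*\r\n"
    "redirectprinters:i:1\r\n"
).encode("utf-16-le")
BENIGN_RDP = (                            # plain ASCII
    b"full address:s:rdp.example.internal\r\n"
    b"screen mode id:i:2\r\n"
    b"redirectclipboard:i:0\r\n"
    b"redirectsmartcards:i:1\r\n"
)

if __name__ == "__main__":
    print(reference_thresholds())            # {'low': 1, 'medium': 10, 'high': 85}
    print(classify_mode_one(MALICIOUS_RDP))  # (341, 'high')
    print(classify_mode_one(BENIGN_RDP))     # (11, 'medium')
    print(classify_mode_two(BENIGN_RDP))     # medium
```

Run as a script, the block reproduces the thresholds 85, 10 and 1 from the worked example above, rates the constructed malicious file as a high security threat (S = 341) and the constructed benign file as a medium security threat (S = 11). Two caveats a practitioner would want: with a plain sum, enough score-1 items can push an otherwise harmless file over the medium threshold of 10, and a setting name missing from the score library contributes nothing, so the library has to list every redirection setting that matters.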
It should be noted that the security detection method provided in this embodiment may not only be used as a separate application to detect the security of the RDP file, but also be integrated into security protection software to detect the security of the RDP file.
FIG. 2 shows a flow diagram of a method for security detection of RDP files according to another embodiment. Referring to fig. 2, the method includes:
step 200: obtaining a score given to each configuration item of a known RDP file;
step 202: obtaining a configuration item score library based on all configuration items of the known RDP file and the score corresponding to each configuration item;
step 204: obtaining a first result of threat level classification for all configuration items of a known RDP file;
step 206: determining a reference threshold corresponding to each threat level based on the score and the first result;
step 208: determining a security detection policy based on a reference threshold corresponding to each threat level;
step 210: in response to obtaining the RDP file to be detected, parsing the RDP file to be detected to obtain the configuration items of the RDP file to be detected;
step 212: obtaining a security evaluation value of the RDP file to be detected based on the configuration item score library and the configuration items of the RDP file to be detected;
step 214: and comparing the security evaluation value with a reference threshold value corresponding to each threat level included in the security detection strategy to obtain the threat level of the RDP file to be detected so as to complete the security detection of the RDP file to be detected.
FIG. 3 illustrates a flow diagram of a method for security detection of RDP files according to yet another embodiment. Referring to fig. 3, the method includes:
step 300: acquiring a first result of threat level classification for all configuration items of a known RDP file;
step 302: determining a security detection policy based on the first result;
step 304: in response to obtaining the RDP file to be detected, parsing the RDP file to be detected to obtain the configuration items of the RDP file to be detected;
step 306: acquiring a second result of threat level classification performed on the configuration items of the RDP file to be detected; the mode of threat level classification carried out on the configuration items of the RDP file to be detected is the same as the mode of threat level classification carried out on all the configuration items of the known RDP file;
step 308: and performing security detection on the RDP file to be detected based on the security detection strategy and the second result.
In the embodiment of the invention, a first result of threat level classification for all configuration items of a known RDP file is obtained firstly; when the configuration items of the RDP file to be tested are analyzed, carrying out threat level classification on the configuration items of the RDP file to be tested by using a classification mode which is the same as a threat level classification mode carried out on all the configuration items of the known RDP file, and obtaining a second result; and determining the safety detection result of the RDP file to be detected according to the threat level of each configuration item of the RDP file to be detected in the second result.
In the security detection policy, the highest threat level among all configuration items of the RDP file to be detected in the second result may be determined as the threat level of the RDP file to be detected, or the threat level with the highest threat level among all configuration items of the RDP file to be detected may be determined as the threat level of the RDP file to be detected.
As shown in fig. 4 and 5, an embodiment of the present invention provides a security detection apparatus for an RDP file. The apparatus embodiments may be implemented by software, by hardware, or by a combination of hardware and software. From the hardware side, fig. 4 is a hardware architecture diagram of the electronic device in which the security detection apparatus for an RDP file provided in an embodiment of the present invention is located; in addition to the processor, the memory, the network interface, and the nonvolatile memory shown in fig. 4, the electronic device in which the apparatus is located may also include other hardware, such as a forwarding chip responsible for processing messages. Taking a software implementation as an example, as shown in fig. 5, the apparatus as a logical entity is formed by the CPU of the electronic device in which it is located reading the corresponding computer program from nonvolatile memory into memory and running it.
As shown in fig. 5, the security detection apparatus for RDP file provided in this embodiment includes:
a determining module 500, configured to determine a security detection policy based on all configuration items of the known RDP file;
the analysis module 502 is configured to, in response to acquiring the RDP file to be detected, analyze the RDP file to be detected to obtain a configuration item of the RDP file to be detected;
and the detection module 504 is configured to perform security detection on the RDP file to be detected based on the security detection policy and the configuration item of the RDP file to be detected.
In one embodiment of the present invention, the determining module 500 is configured to perform the following operations:
obtaining a score given to each configuration item of a known RDP file;
acquiring a first result of threat level classification for all configuration items of a known RDP file;
determining a reference threshold corresponding to each threat level based on the score and the first result;
a security detection policy is determined based on a reference threshold corresponding to each threat level.
In one embodiment of the present invention, the determining module 500 is configured to perform the following operations:
determining a reference threshold corresponding to each threat level using the following formula:
V_i = \frac{1}{n} \sum_{j=1}^{n} c_{ij}
where V_i is the reference threshold for the ith threat level, c_{ij} is the score of the jth configuration item in the ith threat level, and n is the total number of configuration items in the ith threat level.
In an embodiment of the present invention, after the obtaining of the score assigned to each configuration item of the known RDP file is performed, the determining module 500 is further configured to:
obtaining a configuration item score library based on all configuration items of the known RDP file and the score corresponding to each configuration item;
in an embodiment of the present invention, the detecting module 504 is configured to perform the following operations:
obtaining a security evaluation value of the RDP file to be detected based on the configuration item score library and the configuration items of the RDP file to be detected;
and performing security detection on the RDP file to be detected based on the security evaluation value and the security detection strategy.
In an embodiment of the present invention, the detecting module 504 is configured to perform the following operations:
and obtaining the safety evaluation value of the RDP file to be tested by adopting the following formula:
s = \sum_{j=1}^{k} D_j
where s is the security evaluation value of the RDP file to be detected, D_j is the score of the jth configuration item in the RDP file to be detected, and k is the total number of configuration items in the RDP file to be detected.
In an embodiment of the present invention, the detecting module 504 is configured to perform the following operations:
and comparing the security evaluation value with a reference threshold value corresponding to each threat level included in the security detection strategy to obtain the threat level of the RDP file to be detected so as to complete the security detection of the RDP file to be detected.
In one embodiment of the present invention, the determining module 500 is configured to perform the following operations:
obtaining a first result of threat level classification for all configuration items of a known RDP file;
based on the first result, a security detection policy is determined.
In an embodiment of the present invention, the detecting module 504 is configured to perform the following operations:
acquiring a second result of threat level classification for the configuration items of the RDP file to be detected; the threat level classification method for the configuration items of the RDP file to be detected is the same as the threat level classification method for all the configuration items of the known RDP file;
and performing security detection on the RDP file to be detected based on the security detection strategy and the second result.
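The scoring pipeline described in the method and apparatus embodiments above (parse the configuration items of an .rdp file, look each one up in a score library, take the per-level mean as the reference threshold, sum the item scores and compare), as an added worked example that is not part of the patent. The score library, the threat levels and the sample .rdp contents are constructed assumptions; only the `name:type:value` line layout of .rdp files is taken as given.

```python
"""Worked example of the RDP file scoring pipeline (constructed, illustrative)."""

# Constructed score library: configuration item -> (score, threat level).
# The scores and level assignments are assumptions for the example, not values
# from the patent; a real library would be built from known RDP files.
SCORE_LIBRARY = {
    "screen mode id": (1, "low"),
    "full address": (1, "low"),
    "redirectprinters": (2, "medium"),
    "redirectclipboard": (3, "medium"),
    "redirectdrives": (4, "high"),
    "drivestoredirect": (5, "high"),
    "remoteapplicationmode": (6, "high"),
    "alternate shell": (7, "high"),
}
LEVEL_ORDER = ["low", "medium", "high"]  # ascending threat


def parse_rdp(text):
    """Parse 'name:type:value' lines of an .rdp file into {name: value}.

    The value may itself contain ':' (e.g. host:port), so split at most twice.
    Malformed lines are skipped rather than failing the whole file.
    """
    items = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        name, _type, value = parts
        items[name.strip().lower()] = value
    return items


def reference_thresholds(library):
    """V_i = (1/n) * sum_j c_ij: mean score of the items in threat level i."""
    by_level = {}
    for score, level in library.values():
        by_level.setdefault(level, []).append(score)
    return {lvl: sum(s) / len(s) for lvl, s in by_level.items()}


def security_value(items, library):
    """s = sum_j D_j over the file's items; items not in the library score 0."""
    return sum(library.get(name, (0, None))[0] for name in items)


def classify_by_score(s, thresholds):
    """Highest level whose reference threshold s reaches (thresholds assumed
    to increase with level); defaults to the lowest level."""
    result = LEVEL_ORDER[0]
    for lvl in LEVEL_ORDER:
        if lvl in thresholds and s >= thresholds[lvl]:
            result = lvl
    return result


def classify_by_level(items, library):
    """Second embodiment: classify each item, report the highest level present."""
    levels = [library[n][1] for n in items if n in library]
    return max(levels, key=LEVEL_ORDER.index) if levels else LEVEL_ORDER[0]


def detect(text, library=SCORE_LIBRARY):
    """Full pipeline: returns (security value, level by score, level by item)."""
    items = parse_rdp(text)
    s = security_value(items, library)
    return s, classify_by_score(s, reference_thresholds(library)), classify_by_level(items, library)


# Constructed sample .rdp contents used for the demonstration.
SAMPLE_RDP = "screen mode id:i:2\nfull address:s:rdp.example.test:3389\nredirectclipboard:i:1\ndrivestoredirect:s:*\n"
BENIGN_RDP = "screen mode id:i:2\nfull address:s:rdp.example.test\n"

if __name__ == "__main__":
    print(detect(SAMPLE_RDP))  # s = 10 -> ('high' by score, 'high' by item)
    print(detect(BENIGN_RDP))  # s = 2  -> ('low', 'low')
```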
It is to be understood that the schematic structure of the embodiment of the present invention does not constitute a specific limitation to the security detection device for an RDP file. In other embodiments of the present invention, a security detection apparatus for RDP files may include more or fewer components than those shown, or some components may be combined, some components may be split, or a different arrangement of components may be used. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
Because the content of information interaction, execution process, and the like among the modules in the device is based on the same concept as the method embodiment of the present invention, specific content can be referred to the description in the method embodiment of the present invention, and is not described herein again.
The embodiment of the invention also provides electronic equipment which comprises a memory and a processor, wherein the memory is stored with a computer program, and when the processor executes the computer program, the safety detection method of the RDP file in any embodiment of the invention is realized.
An embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the computer program causes the processor to execute a method for detecting security of an RDP file in any embodiment of the present invention.
Specifically, a system or an apparatus equipped with a storage medium on which software program codes that realize the functions of any of the above-described embodiments are stored may be provided, and a computer (or a CPU or MPU) of the system or the apparatus is caused to read out and execute the program codes stored in the storage medium.
In this case, the program code itself read from the storage medium can realize the functions of any of the above-described embodiments, and thus the program code and the storage medium storing the program code constitute a part of the present invention.
Examples of the storage medium for supplying the program code include a floppy disk, a hard disk, a magneto-optical disk, an optical disk (e.g., CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD + RW), a magnetic tape, a nonvolatile memory card, and a ROM. Alternatively, the program code may be downloaded from a server computer via a communications network.
Further, it should be clear that the functions of any one of the above-described embodiments may be implemented not only by executing the program code read out by the computer, but also by causing an operating system or the like operating on the computer to perform a part or all of the actual operations based on instructions of the program code.
Further, it is to be understood that the program code read out from the storage medium is written to a memory provided in an expansion board inserted into the computer or to a memory provided in an expansion module connected to the computer, and then causes a CPU or the like mounted on the expansion board or the expansion module to perform part or all of the actual operations based on instructions of the program code, thereby realizing the functions of any of the above-described embodiments.
In summary, the present invention provides a method and an apparatus for security detection of an RDP file, an electronic device and a storage medium, and the method and the apparatus at least have the following beneficial effects:
1. in an embodiment of the invention, firstly, a security detection policy is determined based on all configuration items of a known RDP file, then, when the RDP file to be detected is obtained, the RDP file to be detected is analyzed to obtain the configuration items of the RDP file to be detected, and finally, the RDP file to be detected is subjected to security detection based on the determined security detection policy and the configuration items of the RDP file to be detected, so that whether the RDP file to be detected is a malicious RDP file can be determined, and effective detection of the malicious RDP file can be realized.
2. In an embodiment of the invention, the mean score of the configuration items in each threat level is used as the reference threshold, so that even when few threat levels are defined and the scores of different configuration items within a threat level differ widely, a more objective and accurate reference threshold can still be obtained for each threat level, improving the accuracy of the security detection.
3. In one embodiment of the invention, a score is given to each configuration item of a known RDP file, and a threat level classification mode is used for calculating a reference threshold corresponding to each threat level, so that a security detection strategy is formulated by referring to the threshold. Therefore, when the RDP file to be detected is subjected to security detection subsequently, the security detection result of the RDP to be detected can be obtained according to the value of the configuration item in the RDP file to be detected and the security detection strategy.
4. In an embodiment of the invention, the sum of the scores of all configuration items in the RDP file to be detected is used as its security evaluation value. Compared with using the average, maximum, minimum or another statistic of those scores as the security evaluation value, the sum still yields a more objective and accurate value representing the threat level of the RDP file when the file has few configuration items and their scores differ widely, so the accuracy of the security detection of the RDP file to be detected is improved.
5. In one embodiment of the invention, a first result of threat level classification for all configuration items of a known RDP file is obtained first; when the configuration items of the RDP file to be tested are analyzed, carrying out threat level classification on the configuration items of the RDP file to be tested by using a classification mode which is the same as a threat level classification mode carried out on all the configuration items of the known RDP file, and obtaining a second result; and determining the safety detection result of the RDP file to be detected according to the threat level of each configuration item of the RDP file to be detected in the second result.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an …" does not exclude the presence of other similar elements in the process, method, article, or apparatus that comprises the element.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, and not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A security detection method for RDP files is characterized by comprising the following steps:
determining a security detection strategy based on all configuration items of the known RDP file;
in response to the acquisition of the RDP file to be detected, analyzing the RDP file to be detected to obtain a configuration item of the RDP file to be detected;
and performing security detection on the RDP file to be detected based on the security detection strategy and the configuration item of the RDP file to be detected.
2. The method of claim 1, wherein determining a security detection policy based on all configuration items of known RDP files comprises:
obtaining a score given to each configuration item of a known RDP file;
obtaining a first result of threat level classification for all configuration items of the known RDP file;
determining a reference threshold corresponding to each threat level based on the score and the first result;
a security detection policy is determined based on a reference threshold corresponding to each threat level.
3. The method of claim 2, wherein determining a reference threshold corresponding to each threat level based on the score and the first result comprises:
determining a reference threshold corresponding to each threat level using the following formula:
V_i = \frac{1}{n} \sum_{j=1}^{n} C_{ij}
where V_i is the reference threshold for the ith threat level, C_{ij} is the score of the jth configuration item in the ith threat level, and n is the total number of configuration items in the ith threat level.
4. The method of claim 2, wherein after obtaining the score assigned to each configuration item of the known RDP file, further comprising:
obtaining a configuration item score library based on all configuration items of the known RDP file and the score corresponding to each configuration item;
the security detection of the RDP file to be detected based on the security detection policy and the configuration item of the RDP file to be detected comprises the following steps:
obtaining a safety evaluation value of the RDP file to be tested based on the configuration item score library and the configuration items of the RDP file to be tested;
and performing security detection on the RDP file to be detected based on the security evaluation value and the security detection strategy.
5. The method according to claim 4, wherein obtaining the security assessment value of the RDP file to be tested based on the configuration item score library and the configuration item of the RDP file to be tested comprises:
and obtaining the safety evaluation value of the RDP file to be tested by adopting the following formula:
S = \sum_{j=1}^{k} D_j
where S is the security evaluation value of the RDP file to be tested, D_j is the score of the jth configuration item in the RDP file to be tested, and k is the total number of configuration items in the RDP file to be tested.
6. The method according to claim 4, wherein the performing security detection on the RDP file to be detected based on the security assessment value and the security detection policy comprises:
and comparing the security evaluation value with a reference threshold value corresponding to each threat level included in the security detection strategy to obtain the threat level of the RDP file to be detected so as to complete the security detection of the RDP file to be detected.
7. The method of claim 1, wherein determining a security detection policy based on the configuration item of the known RDP file comprises:
obtaining a first result of threat level classification for all configuration items of the known RDP file;
determining a security detection policy based on the first result;
the security detection of the RDP file to be detected based on the security detection policy and the configuration item of the RDP file to be detected comprises the following steps:
acquiring a second result of threat level classification performed on the configuration item of the RDP file to be tested; the threat level classification mode for the configuration items of the RDP file to be tested is the same as the threat level classification mode for all the configuration items of the known RDP file;
and performing security detection on the RDP file to be detected based on the security detection strategy and the second result.
8. An apparatus for detecting security of an RDP file, comprising:
the determining module is used for determining a security detection strategy based on all configuration items of the known RDP file;
the analysis module is used for analyzing the RDP file to be detected in response to the acquisition of the RDP file to be detected to obtain a configuration item of the RDP file to be detected;
and the detection module is used for carrying out security detection on the RDP file to be detected based on the security detection strategy and the configuration item of the RDP file to be detected.
9. An electronic device comprising a memory having stored therein a computer program and a processor that, when executing the computer program, implements the method of any of claims 1-7.
10. A computer-readable storage medium, on which a computer program is stored which, when executed in a computer, causes the computer to carry out the method of any one of claims 1-7.
CN202210434433.2A 2022-04-24 2022-04-24 RDP file security detection method and device, electronic equipment and storage medium Pending CN114756865A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210434433.2A CN114756865A (en) 2022-04-24 2022-04-24 RDP file security detection method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210434433.2A CN114756865A (en) 2022-04-24 2022-04-24 RDP file security detection method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114756865A true CN114756865A (en) 2022-07-15

Family

ID=82333228

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210434433.2A Pending CN114756865A (en) 2022-04-24 2022-04-24 RDP file security detection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114756865A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination