CN114780957A - Script detection method, device, equipment and storage medium - Google Patents
Script detection method, device, equipment and storage medium Download PDFInfo
- Publication number
- CN114780957A CN114780957A CN202210288602.6A CN202210288602A CN114780957A CN 114780957 A CN114780957 A CN 114780957A CN 202210288602 A CN202210288602 A CN 202210288602A CN 114780957 A CN114780957 A CN 114780957A
- Authority
- CN
- China
- Prior art keywords
- node
- malicious
- matching
- script
- information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
Abstract
The embodiment of the application provides a script detection method, a script detection device and a storage medium, wherein the method comprises the following steps: acquiring a target code attribute graph of a target script to be detected and a malicious code attribute graph of a known malicious script; determining a matching sequence for the malicious code attribute map; the matching sequence comprises all malicious nodes of the malicious code attribute graph; preprocessing according to the malicious code attribute graph to obtain corresponding father node information; the parent node information combines connection information between the matching sequence and the malicious node; determining a next matching node pair according to the matching sequence and the father node information, and adding the next matching node pair to the current state space; and when the current state space meets a preset condition, determining that the malicious script is matched with the target script. According to the method and the device, the state space is pruned based on the father node information, the matching content is reduced, and therefore the script matching accuracy and the script matching detection efficiency are improved.
Description
Technical Field
The embodiment of the application relates to the technical field of information security, in particular to a script detection method and device, electronic equipment and a storage medium.
Background
With the continuous development of computer technology, information security is more and more emphasized by people. The script detection is an important mode for actively defending security events such as data leakage, data tampering and the like, and the script written by developers is detected, so that abnormal scripts/malicious scripts can be found before being attacked, and loss is reduced.
In the related technology, malicious scripts mainly pass through static detection, and common static detection methods mainly include a detection method based on similarity and a detection method based on machine learning. Specifically, the similarity-based detection method comprises the steps of abstractly describing code segments through code characteristics and code segment levels, and judging the similarity of the characteristics of the code segments to be detected and the characteristics of known malicious scripts by comparing the characteristics of the code segments to be detected with the characteristics of the known malicious scripts, wherein the common characteristics comprise texts, metrics, labels, trees and graphs, the graph-based characteristics comprise semantic and syntactic information, the information is most comprehensive, and the characteristics are most accurate. The detection method based on machine learning is characterized in that texts are classified by extracting attribute features of codes so as to detect malicious scripts, common attribute features include system function call information and the like, the attribute feature extraction stage of the detection method based on machine learning depends on subjective experience, specific analysis needs to be carried out on script vulnerabilities, the detection result is not visual enough, and the false report rate is high.
In view of the above problems of the detection method, it is desirable to provide a script detection method to improve the script matching accuracy, the detection efficiency, and the scalability of the detection method.
Disclosure of Invention
The embodiment of the application provides a script detection method based on subgraph matching, and aims to solve the problems of improving script matching accuracy, efficiency and expandability.
Correspondingly, the embodiment of the application also provides a script detection device, an electronic device and a storage medium, which are used for ensuring the realization and the application of the method.
In order to solve the above problem, an embodiment of the present application discloses a script detection method, where the method includes:
acquiring a target code attribute diagram of a target script to be detected and a malicious code attribute diagram of a known malicious script; the object code attribute graph comprises object nodes and edges connected with the object nodes, and the malicious code attribute graph comprises malicious nodes and edges connected with the malicious nodes, wherein the nodes have corresponding node information, and the edges have corresponding edge information;
determining a matching sequence for the malicious code attribute map; the matching sequence comprises all malicious nodes of the malicious code attribute graph;
preprocessing according to the malicious code attribute graph to obtain corresponding father node information; the parent node information incorporates connection information between the matching sequence and the malicious node;
determining a next matching node pair according to the matching sequence and the father node information, and adding the next matching node pair to the current state space;
and when the current state space meets a preset condition, determining that the malicious script is matched with the target script.
Optionally, the method further comprises:
acquiring a script to be detected;
performing confusion conversion processing on the script to obtain a target script after confusion conversion; the obfuscation transformation process includes at least variable transformation, alias transformation, relative path transformation to absolute path, and obfuscation semantic transformation.
Optionally, the determining a matching sequence for the malicious code attribute map includes:
comparing the node mapping degrees of the malicious nodes in the malicious code attribute graph;
if the node mapping degrees are the same, comparing the node probability of the malicious node; the node probability is generated according to node information, side information, node in degree and node out degree;
if the node probabilities are the same, comparing the node in-degree and the node out-degree of the malicious node;
and sequentially adding all malicious nodes in the malicious code attribute graph to a matching sequence through comparison.
Optionally, the parent node of the malicious node is a neighboring node that appears earliest before the malicious node in the matching sequence, and determining a next matching node pair according to the matching sequence and the malicious parent node information includes:
obtaining a last state space, wherein the last state space comprises matched node pairs, the matched node pairs comprise last matched node pairs, and the last matched node pairs comprise last matched malicious nodes and last matched target nodes;
determining a next matching malicious node of the last matching malicious node, wherein the next matching malicious node is a next malicious node corresponding to the last matching malicious node in the matching sequence;
determining a candidate matching target node of the last matching target node; the candidate matching target node is a target node which is not in the last state space in the target code graph and has the same node information as the next matching malicious node;
when the father node of the next matching malicious node is determined not to be empty according to the malicious father node information, if the next matching malicious node is a successor node of the father node, randomly selecting a successor node of the node corresponding to the last matching malicious node from the candidate matching target nodes, and taking the node with the same node information and edge information as the next matching target node;
when the father node of the next matching malicious node is determined not to be empty according to the malicious father node information, if the next matching malicious node is a precursor node of the father node, randomly selecting a node which is the precursor node of the node corresponding to the last matching malicious node and has the same node information and edge information as the next matching malicious node from the candidate matching target nodes as a next matching target node;
and adding the next matching malicious node and the next matching target node as a next matching node pair to the previous state space to obtain the current state space.
Optionally, the method further comprises:
and when the father node of the next matching malicious node is determined to be empty according to the malicious father node information, randomly selecting a node matched with the node information from the candidate matching target nodes as a next matching target node.
Optionally, when the current state space meets a preset condition, determining that the malicious script is matched with the target script includes:
and when the current state space meets a preset semantic information rule and preset topological structure information and the next matching malicious node in the current state space is the last malicious node in the matching sequence, determining that the malicious script is matched with the target script.
Optionally, the node information includes a node label, and the side information includes a side label.
The embodiment of the application also discloses a script detection device, the device includes:
the code attribute graph acquisition module is used for acquiring a target code attribute graph of a target script to be detected and a malicious code attribute graph of a known malicious script; the object code attribute graph comprises an object node and an edge connected with the object node, and the malicious code attribute graph comprises a malicious node and an edge connected with the malicious node, wherein the node has corresponding node information, and the edge has corresponding edge information;
a matching sequence determination module for determining a matching sequence for the malicious code attribute map; the matching sequence comprises all malicious nodes of the malicious code attribute graph;
the father node information acquisition module is used for acquiring corresponding father node information according to the malicious code attribute graph preprocessing; the parent node information combines connection information between the matching sequence and the malicious node;
the current state space determining module is used for determining a next matching node pair according to the matching sequence and the father node information and adding the next matching node pair to a current state space;
and the script matching determining module is used for determining that the malicious script is matched with the target script when the current state space meets a preset condition.
Optionally, the apparatus further comprises: the confusion conversion module is used for acquiring a script to be detected; performing confusion conversion processing on the script to obtain a target script after confusion conversion; the confusion transformation process at least comprises variable transformation, alias transformation, relative path transformation into absolute path and confusion semantic transformation.
Optionally, the matching sequence determining module is configured to compare node mapping degrees of malicious nodes in the malicious code attribute map; if the node mapping degrees are the same, comparing the node probability of the malicious node; the node probability is generated according to node information, side information, node in degree and node out degree; if the node probabilities are the same, comparing the node in-degree and the node out-degree of the malicious node; and sequentially adding all malicious nodes in the malicious code attribute graph to a matching sequence through comparison.
Optionally, the parent node of the malicious node is an adjacent node appearing earliest before the malicious node in the matching sequence, and the current state space determining module is configured to obtain a previous state space, where the previous state space includes matched node pairs, where the matched node pairs include a previous matched node pair, and the previous matched node pair includes a previous matched malicious node and a previous matched target node; determining a next matching malicious node of the last matching malicious node, wherein the next matching malicious node is a next malicious node corresponding to the last matching malicious node in the matching sequence; determining a candidate matching target node of the last matching target node; the candidate matching target node is a target node which is not in the last state space in the target code graph and has the same node information as the next matching malicious node; when the father node of the next matching malicious node is determined not to be empty according to the malicious father node information, if the next matching malicious node is a successor node of the father node, randomly selecting a successor node of the node corresponding to the last matching malicious node from the candidate matching target nodes, and taking the node with the same node information and edge information as the next matching target node; when the father node of the next matching malicious node is determined not to be empty according to the malicious father node information, if the next matching malicious node is a precursor node of the father node, randomly selecting a node which is the precursor node of the node corresponding to the last matching malicious node and has the same node information and edge information as the next matching malicious node from the candidate matching target nodes as a next matching target node; and adding the next matching malicious node and the next matching target node as a next matching node pair to the previous state space to obtain the current state space.
Optionally, the current state space determining module is configured to randomly select a node with matching node information from the candidate matching target nodes as a next matching target node when it is determined that the parent node of the next matching malicious node is empty according to the malicious parent node information.
Optionally, the script matching determining module is configured to determine that the malicious script is matched with the target script when the current state space meets a preset semantic information rule and preset topology information, and a next matching malicious node in the current state space is a last malicious node in the matching sequence.
The embodiment of the application also discloses an electronic device, which comprises: a processor; and a memory having executable code stored thereon, which when executed, causes the processor to perform a script detection method as described in one or more of the embodiments of the present application.
One or more machine-readable media having executable code stored thereon, which when executed, causes a processor to perform a script detection method as described in one or more of the embodiments of the present application, are also disclosed.
Compared with the prior art, the embodiment of the application has the following advantages:
in the embodiment of the application, an object code attribute graph of an object script to be detected and a malicious code attribute graph of a known malicious script are obtained, a matching sequence is determined according to the malicious code attribute graph, corresponding father node information is obtained according to the malicious code attribute graph preprocessing, the father node information combines the connection information between the matching sequence and the malicious node, a next matching node pair is determined according to the matching sequence and the father node information and is added to a current state space, and when the current state space meets a preset condition, the malicious script is determined to be matched with the object script. The embodiment of the application prunes the current state space based on the father node information, reduces the matching content, and accordingly improves the script matching accuracy and the script matching detection efficiency. In addition, the embodiment of the invention has expandability.
Drawings
FIG. 1 is a flow chart of the steps of one embodiment of a script detection method of the present application;
FIG. 2 is a diagram of a code property based on shell script composition of the present application;
FIG. 3 is a code diagram of one embodiment of the present application for obtaining next matching node pairs;
FIG. 4 is a schematic diagram of a matching node acquisition of the present application;
FIG. 5 is a code diagram of one match of the present application;
FIG. 6 is a flow diagram of a conversion of a shell script of the present application into a code property diagram;
FIG. 7 is a flow chart of a match of the present application;
FIG. 8 is a block diagram of an embodiment of a script detection apparatus of the present application;
fig. 9 is a schematic structural diagram of an apparatus according to an embodiment of the present application.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, the present application is described in further detail with reference to the accompanying drawings and the detailed description.
In the related art, detection methods commonly used for malicious scripts include a detection method based on code similarity and a detection method based on machine learning, wherein the detection method based on code similarity detects malicious codes by comparing codes to be detected with a malicious code library, and common methods based on code representation include representation methods based on texts, trees, graphs and the like. Of these characterizations, the code information characterized is most comprehensive in graph-based characterizations, where the nodes of the graph represent expressions or statements and the edges represent control flow, control dependencies, or data dependencies. And (3) constructing a program dependency graph by analyzing the grammatical structure of the source code, the function call relation, the control dependency relation, the data stream and the like, and carrying out subgraph matching to find the malicious code. The existing sub-graph matching vulnerability detection method needs to comprehensively consider grammatical and semantic features of a program, has good detection capability, but has very high cost for establishing a graph structure, high complexity for searching a matching algorithm with similar graphs and low space-time efficiency.
The detection method based on machine learning needs to manually define the characteristic attributes, and then adopts a machine learning method, such as a support vector machine, k nearest neighbor and the like, to classify. The method depends on characteristic attributes defined manually by experts, and the code granularity input into a machine learning model is generally coarse, so that the exact position of a vulnerability row cannot be determined, and the detection result is not intuitive enough. Such as: a malicious script static detection method based on a support vector machine comprises the following steps: 1. capturing a webpage from the Internet to obtain a webpage link; 2. acquiring Javascript content corresponding to the link; 3. analyzing characteristics of script-based web intrusion such as sql injection and the like to obtain intrusion-related characteristics, extracting characteristics of the obtained script content according to the intrusion characteristics, and converting each script into a characteristic-based vector; 4. and obtaining a classification model by using a classification algorithm svm, and classifying the obtained feature vectors by using the model.
Therefore, the embodiment of the application provides a script detection method based on sub-graph matching, and the method improves script matching accuracy and detection efficiency by pruning the state space.
Referring to fig. 1, a flowchart of steps of an embodiment of a script detection method of the present application includes the following steps:
102, acquiring a target code attribute diagram of a target script to be detected and a malicious code attribute diagram of a known malicious script; the object code attribute graph comprises an object node and an edge connected with the object node, and the malicious code attribute graph comprises a malicious node and an edge connected with the malicious node, wherein the node has corresponding node information, and the edge has corresponding edge information.
In specific implementation, the script detection method of the embodiment of the present application may be implemented in a terminal device or a server. The terminal device may be a terminal specially used for script detection, or may be a common computer terminal on which an application program for script detection is installed. The terminal device may be embodied in a desktop computer, a portable computer, a mobile phone, a Personal Digital Assistant (PDA), or a vehicle-mounted device. The server may be an independent server or a server cluster composed of a plurality of servers.
Wherein the script (script code/code) may be a shell script. A code property graph (code property graph) is a data structure for describing codes and combines three parts of information of an abstract syntax tree, a control flow chart and a program dependency graph of the codes. The code attribute graph comprises nodes and edges for connecting the nodes, wherein the nodes have corresponding node information, the edges have corresponding edge information, the node information comprises node labels, and the edge information comprises edge labels. Specifically, a node in the code attribute graph is an intersection of one or more edges, the node is connected to a neighboring node through an edge (e.g., the node is connected to its parent node or its child node through an edge), and the edge represents an association between the node connected to the edge and the neighboring node of the node.
In the embodiment of the application, the code attribute graph of the target script to be detected is a target code attribute graph, and the code attribute graph of the known malicious script is a malicious code attribute graph. As an alternative example, the user may upload the target code property graph and the malicious code property graph to the terminal device or the server, or the terminal device or the server may grab the target code property graph and the malicious code property graph from a specified location. The object code attribute graph is an object in which the same composition of the malicious code attribute graph is searched.
In the embodiment of the application, a code attribute graph is respectively constructed for a malicious code library and a target detection code, and the specific analysis process comprises the following steps: analyzing a script, constructing a syntax analysis tree, a function flow diagram and a program dependency diagram, and constructing a code attribute diagram by combining three parts of information, wherein nodes in the code attribute diagram mainly comprise shell command nodes, function nodes, variable nodes, operator nodes and the like, and edges mainly comprise syntax tree edges, function dependency edges, control flow edges and the like.
Illustratively, the following shell scripts:
referring to fig. 2, the code attribute diagram is constructed based on shell scripts, wherein the edges 202 represent data streams, the edges 204 represent control relationships, and the rest represent connections in a syntax tree. Specifically, FunDecl represents a function definition node in a syntax tree, Assign represents an assignment node, forclass represents a For Loop statement, Loop represents a judgment statement in the For statement, Do represents an execution body part in the For statement, and CallExpr represents method invocation. Of course, in practice, there are many nodes and edges in the syntax tree, which are not listed here, but it should be understood that the embodiments of the present application are not limited to the above examples.
And step 108, determining a next matching node pair according to the matching sequence and the father node information, and adding the next matching node pair to the current state space.
Wherein the matching sequence is a sequence list of all malicious nodes comprising the malicious code property graph. The parent node information is connection information between malicious nodes in the malicious code attribute map, and for example, for a malicious node, the parent node can be determined based on the parent node information.
When the script detection is started, a state space is created, and in the process of the script detection, matching node pairs formed by combining malicious nodes of the malicious code attribute graph and target nodes of the target code attribute graph are added to the state space continuously. In the embodiment of the application, the father node information of each malicious node in the malicious code attribute graph is constructed, so that the matching node to be added to the state space can be quickly obtained conveniently in the script detection process.
And step 110, when the current state space meets a preset condition, determining that the malicious script is matched with the target script.
In the embodiment of the present invention, when the current state space satisfies the preset condition, it may be determined that the malicious script matches the target script, and then the target script may also be determined as the malicious script. Of course, if the current state space does not meet the preset condition, it may be determined that the malicious script is not matched with the target script, and the target script may also be determined as a normal script
According to the subgraph-based script detection method, the code to be detected and the malicious code library are matched through an automatic process, script features do not need to be extracted in the whole process, subjective experience does not need to be relied on, the result interpretability is strong, and the accuracy is higher.
In the script detection method, a target code attribute graph of a target script to be detected and a malicious code attribute graph of a known malicious script are obtained, a matching sequence is determined according to the malicious code attribute graph, corresponding father node information is obtained according to the malicious code attribute graph preprocessing, the father node information combines the connection information between the matching sequence and the malicious node, a next matching node pair is determined according to the matching sequence and the father node information and is added to a current state space, and when the current state space meets a preset condition, the malicious script is determined to be matched with the target script. According to the embodiment of the application, the current state space is pruned based on the father node information, the matching content is reduced, and therefore the script matching accuracy and the script matching detection efficiency are improved. In addition, the embodiment of the invention has expandability.
In an exemplary embodiment, the method may further include the steps of:
acquiring a script to be detected;
performing confusion conversion processing on the script to obtain a target script after confusion conversion; the obfuscation transformation process includes at least variable transformation, alias transformation, relative path transformation to absolute path, and obfuscation semantic transformation.
In the specific implementation, a great number of malicious scripts adopt a changeable script obfuscation technology to disguise a really executed command, and therefore, in the embodiment of the application, a sandbox is built for analyzing the script to obtain the really executed command.
Specifically, the target script can be obtained by executing the script to be detected in the sandbox, wherein the target script code is the script which is analyzed and converted by the grammar interpreter and has confusion and clear logic, and the subsequent script detection process is performed on the converted target script, so that the subsequent matching is performed based on the target script, and the accuracy can be improved.
As an alternative example, the step of obfuscating the transformation performed in the sandbox against the script to be detected may comprise at least: 1. lexical analysis; syntax analysis, namely obtaining an abstract syntax tree through analysis; 2. replacing variables; 3. alias replacement; 4. converting the relative path into an absolute path; 5. and (4) carrying out individual confusion semantic replacement, such as echo "/fr-mr" | rev | bash, and removing rev commands in the substitution.
In an exemplary embodiment, the step 104 of determining a matching sequence according to the target code attribute map and the malicious code attribute map may include the following steps:
comparing the node mapping degrees of the malicious nodes in the malicious code attribute graph;
if the node mapping degrees are the same, comparing the node probability of the malicious node; the node probability is generated according to node information, side information, node in degree and node out degree;
if the node probabilities are the same, comparing the node in-degree and the node out-degree of the malicious node;
and sequentially adding all malicious nodes in the malicious code attribute graph to a matching sequence through comparison.
In the embodiment of the application, before script detection is carried out, the matching sequence N is calculatedG. Specifically, first, the node mapping degrees d of all malicious nodes in the malicious code attribute graph are comparedMFor a node, the mapping degree represents the number of connections between the node and the matched node, and the mapping degree of the node needs to be recalculated when a node is newly matched each time; if the node mapping degrees of the malicious nodes are the same, comparing the node probability P of the malicious nodesf(u) wherein the node probability PfAnd (u) calculating through information such as node labels, edge labels, node in-degree and node out-degree. And if the node mapping degree and the node probability of the malicious node are the same, comparing the node in degree and the node out degree of the malicious node, and finally sequentially sequencing and adding the node in degree and the node out degree to the matching sequence through comparison.
As a specific example, the formula for the node probability may be:
wherein u represents a node, P in the formulaf(u) denotes the probability of node u, λv1(u) denotes a node label, λ, of the obtained node ue1(e) An edge label indicating the found edge e, Fl(l) Probability of label 1, P, representing node ut(t) represents the probability that edge e has label t. e adjedge (u) represents all adjacent edges of node u,
representing the probability of the node in-degree being (d'),
representing the probability that the node out-degree is (d').
dM(u)=Count(un),(u,un)∈EG|(un,u)∈EG
Wherein d isM(u) represents the sum of node out-degree and node in-degree of node u.
In an exemplary embodiment, the parent node of the malicious node is a neighboring node that appears earliest before the malicious node in the matching sequence, and the step 108 of determining a next matching node pair according to the matching sequence and the malicious parent node information may include the steps of:
obtaining a previous state space, wherein the previous state space comprises matched node pairs, the matched node pairs comprise previous matched node pairs, and the previous matched node pairs comprise previous matched malicious nodes and previous matched target nodes;
determining a next matching malicious node of the last matching malicious node, wherein the next matching malicious node is a next malicious node corresponding to the last matching malicious node in the matching sequence;
determining a candidate matching target node of the last matching target node; the candidate matching target node is a target node which is not in the last state space in the target code graph and has the same node information as the next matching malicious node;
when the father node of the next matching malicious node is determined not to be empty according to the malicious father node information, if the next matching malicious node is a successor node of the father node, randomly selecting a successor node of the node corresponding to the last matching malicious node from the candidate matching target nodes, and taking the node with the same node information and edge information as the next matching target node;
when the father node of the next matching malicious node is determined not to be empty according to the malicious father node information, if the next matching malicious node is a precursor node of the father node, randomly selecting a node which is the precursor node of the node corresponding to the last matching malicious node and has the same node information and edge information as the next matching malicious node from the candidate matching target nodes as a next matching target node;
and adding the next matching malicious node and the next matching target node as a next matching node pair to the previous state space to obtain the current state space.
In the embodiment of the application, father node information of each malicious node in the malicious script is constructed, so that candidate nodes of a state space can be conveniently and quickly obtained in the subsequent matching process, wherein the father node of the malicious node is an adjacent node which appears earliest before the malicious node in the matching sequence. It should be noted that, in addition to the parent node of each malicious node being recorded in the parent node information, the type information of the relevant connection edge is also recorded, which facilitates further pruning of the state space.
In particular, assume that multiple matched node pairs have been saved in the last state space, with the matched node pairs including the last matched node pair (u)c,vc) Wherein, the node ucRepresents the last matching malicious node, node vcRepresenting the last matching target node, the embodiment of the present application will be based on the last state space ScMatching sequence NGGraph G1 (malicious code property graph) and graph G2 (target code property graph), the next matching node pair (u) added to the state space is obtainedn,vn) Wherein node unRepresents the next matching malicious node, node vnRepresenting the next matching target node.
Wherein, the node unThe node u in the matching sequence is selectedcNext malicious node of R2(Sc,ψ(un) Represents node v)nIn particular, the candidate matching target node is G2 which is not in the last state space and is vnThe node information of (2) is the same as that of the target node. As an example, the candidate matching target node is represented as:
wherein M is2(Sc) Indicating the target node, ψ (v), in G2 that has been matchedn)=ψ(un) Representing a node vnNode label of and node unThe node labels of (a) are the same.
Wherein, the first and the second end of the pipe are connected with each other,
the representation is a set of candidate matching target nodes that combine node information and side information, wherein,
is unIs a node corresponding to the parent node of (c) in the state space, e is unAnd unOf the parent node of the node (c),
the formula of (1) is as follows:
wherein λ ise1(uc,un) It is shown that node u in G1cAnd node unEdge label of side between, P2(v) A set of successor nodes to the represented node v.
In an exemplary embodiment, the method may further include the steps of:
and when the father node of the next matching malicious node is determined to be empty according to the malicious father node information, randomly selecting the node matched with the node information from the candidate matching target nodes as a next matching target node.
Of course, if the parent node of the next matching malicious node is determined to be empty according to the parent node information, the node information can be randomly selected from the candidate matching target nodes, that is, the node matched with the node label is the next matching target node, so that the next matching node pair can be formed with the next matching malicious node and added to the state space.
As a specific example, referring to FIG. 3, the next matching node pair (u) is obtainedn,vn) The specific process comprises the following steps:
inputting data: last state space ScLast matching node pair (u)c,vc) Matching sequence NGFig. G1 and G2:
and outputting a result: next matching node pair (u)n,vn);
If u isnIs the last node in the matching sequence, and finishes obtaining the next matching node pair (u)n,vn):
If u isnIs empty, then can be selected from R2(Sc,ψ(un) In) randomly find a node vnAnd returns (u)n,vn);
If u isnIs not empty, and unIs the successor node of the father node, then the slave ucCorresponding to successor nodes of the corresponding node
Namely, it is
Randomly finding a node v with the same node information and side informationnAnd returns (u)n,vn);
If u isnIs not empty, and unIs a precursor node of the father node, then the slave ucCorresponding to a predecessor node of the corresponding node
Namely, it is
Randomly finding a node v with the same node information and side informationnAnd returns (u)n,vn)。
Referring to fig. 4, a schematic diagram of obtaining matching nodes according to the present application includes matching node pairs (u) in a matched state space3,v3) And (u)4,v14) Wherein u is2Is u3Then from u3Corresponding node v3Corresponding to
In the method, a node v with an edge label of e1 is found11。
In an exemplary embodiment, the step 110 of determining that the malicious script matches the target script when the current state space satisfies a preset condition may include the following steps:
and when the current state space meets a preset semantic information rule and preset topological structure information and the next matching malicious node in the current state space is the last malicious node in the matching sequence, determining that the malicious script is matched with the target script.
In the embodiment of the application, a command vectorization model is constructed. Taking a shell command as an example, firstly converting the shell command into a function description short text, wherein the short text is obtained from a man manual, then extracting a key verb in the text by adopting TFI-DF (term frequency inverse document frequency index), and vectorizing and representing the key verb by using a word2vec model to finally obtain the vectorized representation of the shell command.
As an alternative example of the present application, a feasible rule is constructed, which mainly considers two aspects: semantic information rule of node Fs(sc,un,vn) And topology information F of nodest(sc,un,vn). The feasible rule related to the semantics mainly considers that the similarity is calculated through the node feature vector and compared with a preset threshold value, if the similarity is greater than the preset threshold value of the algorithm attribute graph, the single-node semantics are matched, and if the similarity is less than the preset threshold value of the algorithm attribute graph, the table is representedIndicating that the node semantics do not match; the feasible rules related to the structure comprise feasibility test of the current state space, a one-step look-ahead rule and a two-step look-ahead rule, and the formula is as follows:
IsFeasible(sc,un,vn)=Fs(sc,un,vn)∩Ft(sc,un,vn)
Ft(sc,un,vn)=Fc(sc,un,vn)∩Fla1(sc,un,vn)∩Fla2(sc,un,vn)
wherein s iscRepresents the current state space, unRepresenting nodes of the target graph to be added to the state space, vnRepresenting nodes in the attribute graph of malicious code to be added to the state space. Fla1(sc,un,vn) Examination unMust be less than or equal to vnThe number of the same category. Fla2(sc,un,vn) Examination unMust be less than or equal to vnThe number of the same category.
Performing sub-graph matching in the embodiment of the application, wherein the sub-graph matching process is to perform state space search, initialize the state space to be empty, add candidate node pairs to the current state space according to the matching sequence in each step, judge the validity of the state space according to a feasible rule, recursively search the next state space if the state space is valid, and return if the state space is invalid; when the number of the node pairs in the state space is equal to that of the node pairs in the attribute graph of the malicious script, the fact that the function attribute graph isomorphic with the script in the malicious script library exists in the script to be detected is indicated.
As a specific example, referring to fig. 5, the sub-graph matching specific process is as follows:
inputting data: current state space ScMatching sequence NGFIG. G1 and FIG. G2;
and (3) outputting a result: whether it is matched, true or false;
if the current state space ScIf the preset condition is met and the state space is the target state space, adding the state space into the result set and returning to true;
if the current state space ScIf the preset condition is not met, false is returned.
Referring to fig. 6, which is a flowchart for converting a shell script into a code attribute diagram in the present application, the conversion of a shell script into a code attribute diagram specifically includes: 1. the simple sandbox executes the shell script to obtain a target script; 2. analyzing a target script and constructing a code attribute graph; 3. constructing a shell command vectorization model; 4. and preprocessing the code attribute graph.
In the embodiment of the application, after the code attribute graph is obtained, the code attribute graph can be preprocessed, so that the script matching efficiency is further improved. The method comprises the following steps: 1. deleting node information of the common text nodes, and only keeping node types, thereby eliminating the influence of the common text information on a matching link; 2. performing word vector representation on command nodes of the shell script, and calculating the similarity of the shell commands in the subsequent matching process; 3. function nodes, variable nodes and the like are combined, and the uniqueness of the same node in the graph is ensured (namely the same node can only appear once in the code attribute graph); and performing serialization representation on codes in the processed malicious code library, and storing to obtain the processed malicious code library, so that the processed malicious code library is convenient to use in a subsequent sub-graph matching process.
Referring to fig. 7, the sub-graph matching process specifically includes: 1. the malicious script is serialized, expressed and stored; 2. loading a malicious script; 3. acquiring a target script to be detected; 4. converting the target script into a code attribute graph; 5. calculating a matching sequence; 6. constructing parent node information of a malicious script of the malicious script; 7. and performing sub-graph matching based on the matching sequence, the father node information and the state space.
In summary, 1, a new malicious script detection method is provided, which mainly comprises three stages, namely, firstly, converting a shell script into a target script, then, constructing a code attribute graph, and finally, performing isomorphic sub-graph matching with a malicious code library; 2. a vectorization method is provided for a shell command, the shell command is converted into a function description short text, and the short text is obtained from a man manual; then, extracting a key verb in the text by adopting TF-IDF, and performing vectorization representation on the key verb by using word2 vec; finally, vectorization representation of the shell command is obtained; aiming at isomorphic sub-graph matching, a new matching method VF3+ is provided, and VF3+ combines edge information to trim a state space on the basis of VF3, and the matching speed is improved by trimming the state space.
It should be noted that for simplicity of description, the method embodiments are described as a series of acts, but those skilled in the art should understand that the embodiments are not limited by the described order of acts, as some steps can be performed in other orders or simultaneously according to the embodiments. Further, those of skill in the art will recognize that the embodiments described in this specification are presently preferred embodiments and that no particular act is required to implement the embodiments of the disclosure.
On the basis of the above embodiments, the present embodiment further provides a script detection apparatus, which is applied to electronic devices such as a terminal device and a server.
Referring to fig. 8, a block diagram of a structure of an embodiment of a script detecting apparatus according to the present application is shown, which may specifically include the following modules:
a code attribute map obtaining module 802, configured to obtain a target code attribute map of a target script to be detected and a malicious code attribute map of a known malicious script; the object code attribute graph comprises an object node and an edge connected with the object node, and the malicious code attribute graph comprises a malicious node and an edge connected with the malicious node, wherein the node has corresponding node information, and the edge has corresponding edge information;
a matching sequence determination module 804, configured to determine a matching sequence for the malicious code attribute map; all malicious nodes of the malicious code attribute graph are included in the matching sequence;
a father node information obtaining module 806, configured to obtain, according to the malicious code attribute map, corresponding father node information through preprocessing; the parent node information incorporates connection information between the matching sequence and the malicious node;
a current state space determining module 808, configured to determine a next matching node pair according to the matching sequence and the parent node information, and add the next matching node pair to a current state space;
and the script matching determining module 810 is configured to determine that the malicious script is matched with the target script when the current state space meets a preset condition.
In an exemplary embodiment, the apparatus further comprises: the confusion conversion module is used for acquiring a script to be detected; performing confusion conversion processing on the script to obtain a target script after confusion conversion; the confusion transformation process at least comprises variable transformation, alias transformation, relative path transformation into absolute path and confusion semantic transformation.
In an exemplary embodiment, the matching sequence determining module is configured to compare node mapping degrees of malicious nodes in the malicious code property map; if the node mapping degrees are the same, comparing the node probability of the malicious node; the node probability is generated according to node information, side information, node in degree and node out degree; if the node probabilities are the same, comparing the node in-degree and the node out-degree of the malicious node; and sequentially adding all malicious nodes in the malicious code attribute graph to a matching sequence through comparison.
In an exemplary embodiment, the parent node of the malicious node is a neighboring node that appears earliest before the malicious node in the matching sequence, and the current state space determining module is configured to obtain a previous state space, where the previous state space includes a matched node pair, where the matched node pair includes a previous matched node pair, and the previous matched node pair includes a previous matched malicious node and a previous matched target node; determining a next matching malicious node of the last matching malicious node, wherein the next matching malicious node is a next malicious node corresponding to the last matching malicious node in the matching sequence; determining a candidate matching target node of the last matching target node; the candidate matching target node is a target node which is not in the last state space in the target code graph and has the same node information as the next matching malicious node; when the father node of the next matching malicious node is determined not to be empty according to the malicious father node information, if the next matching malicious node is a successor node of the father node, randomly selecting a successor node of the node corresponding to the last matching malicious node from the candidate matching target nodes, and taking the node with the same node information and edge information as the next matching target node; when the father node of the next matching malicious node is determined not to be empty according to the malicious father node information, if the next matching malicious node is a precursor node of the father node, randomly selecting a node which is the precursor node of the node corresponding to the last matching malicious node and has the same node information and edge information as the next matching malicious node from the candidate matching target nodes as a next matching target node; and adding the next matching malicious node and the next matching target node as a next matching node pair to the previous state space to obtain the current state space.
In an exemplary embodiment, the current state space determining module is configured to randomly select a node whose node information is matched from the candidate matching target nodes as a next matching target node when it is determined that the parent node of the next matching malicious node is empty according to the malicious parent node information.
In an exemplary embodiment, the script matching determining module is configured to determine that the malicious script is matched with the target script when the current state space satisfies a preset semantic information rule and preset topology information, and a next matching malicious node in the current state space is a last malicious node in the matching sequence.
In an exemplary embodiment, the node information includes a node label and the side information includes an edge label.
The embodiments of the present application also provide a non-volatile readable storage medium, where one or more modules (programs) are stored in the storage medium, and when the one or more modules are applied to a device, the one or more modules may cause the device to execute instructions (instructions) of method steps in the embodiments of the present application.
Embodiments of the present application provide one or more machine-readable media having instructions stored thereon, which when executed by one or more processors, cause an electronic device to perform the methods as described in one or more of the above embodiments. In the embodiment of the present application, the electronic device includes various types of devices such as a terminal device and a server (cluster).
Embodiments of the present disclosure may be implemented as an apparatus, which may include electronic devices such as a terminal device, a server (cluster), etc., using any suitable hardware, firmware, software, or any combination thereof, to perform a desired configuration. Fig. 9 schematically illustrates an example apparatus 900 that may be used to implement various embodiments described herein.
For one embodiment, fig. 9 illustrates an example apparatus 900 having one or more processors 902, a control module (chipset) 904 coupled to at least one of the processor(s) 902, a memory 906 coupled to the control module 904, a non-volatile memory (NVM)/storage 908 coupled to the control module 904, one or more input/output devices 910 coupled to the control module 904, and a network interface 912 coupled to the control module 904.
The processor 902 may include one or more single-core or multi-core processors, and the processor 902 may include any combination of general-purpose or special-purpose processors (e.g., graphics processors, application processors, baseband processors, etc.). In some embodiments, the apparatus 900 can be used as a terminal device, a server (cluster), or the like in this embodiment.
In some embodiments, apparatus 900 may include one or more computer-readable media (e.g., memory 906 or NVM/storage 908) having instructions 914 and one or more processors 902 in combination with the one or more computer-readable media and configured to execute instructions 914 to implement modules to perform the actions described in this disclosure.
For one embodiment, control module 904 may include any suitable interface controllers to provide any suitable interface to at least one of the processor(s) 902 and/or any suitable device or component in communication with control module 904.
The memory 906 may be used, for example, to load and store data and/or instructions 914 for the device 900. For one embodiment, memory 906 may comprise any suitable volatile memory, such as suitable DRAM. In some embodiments, the memory 906 may comprise a double data rate type four synchronous dynamic random access memory (DDR4 SDRAM).
For one embodiment, control module 904 may include one or more input/output controllers to provide an interface to NVM/storage 908 and input/output device(s) 910.
For example, NVM/storage 908 may be used to store data and/or instructions 914. NVM/storage 908 may include any suitable non-volatile memory (e.g., flash memory) and/or may include any suitable non-volatile storage device(s) (e.g., one or more Hard Disk Drives (HDDs), one or more Compact Disc (CD) drives, and/or one or more Digital Versatile Disc (DVD) drives).
The NVM/storage 908 may include storage resources that are physically part of the device on which the apparatus 900 is installed or it may be accessible by the device and may not be necessary as part of the device. For example, NVM/storage 908 may be accessible over a network via input/output device(s) 910.
Input/output device(s) 910 may provide an interface for apparatus 900 to communicate with any other suitable device, input/output devices 910 may include communication components, audio components, sensor components, and so forth. Network interface 912 may provide an interface for device 900 to communicate over one or more networks, and device 900 may wirelessly communicate with one or more components of a wireless network according to any of one or more wireless network standards and/or protocols, such as to access a wireless network based on a communication standard, such as WiFi, 2G, 3G, 4G, 5G, etc., or a combination thereof.
For one embodiment, at least one of the processor(s) 902 may be packaged together with logic for one or more controller(s) (e.g., memory controller module) of the control module 904. For one embodiment, at least one of the processor(s) 902 may be packaged together with logic for one or more controller(s) of the control module 904 to form a System In Package (SiP). For one embodiment, at least one of the processor(s) 902 may be integrated on the same die with logic for one or more controller(s) of the control module 904. For one embodiment, at least one of the processor(s) 902 may be integrated on the same die with logic of one or more controllers of the control module 904 to form a system on a chip (SoC).
In various embodiments, the apparatus 900 may be, but is not limited to being: a server, a desktop computing device, or a mobile computing device (e.g., a laptop computing device, a handheld computing device, a tablet, a netbook, etc.), among other terminal devices. In various embodiments, apparatus 900 may have more or fewer components and/or different architectures. For example, in some embodiments, device 900 includes one or more cameras, keyboards, Liquid Crystal Display (LCD) screens (including touch screen displays), non-volatile memory ports, multiple antennas, graphics chips, Application Specific Integrated Circuits (ASICs), and speakers.
The detection device may adopt a main control chip as a processor or a control module, the sensor data, the position information and the like are stored in a memory or an NVM/storage device, the sensor group may serve as an input/output device, and the communication interface may include a network interface.
For the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and reference may be made to the partial description of the method embodiment for relevant points.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable script detection terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable script detection terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable script detection terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable script detection terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including the preferred embodiment and all changes and modifications that fall within the true scope of the embodiments of the present application.
Finally, it should also be noted that, in this document, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or terminal equipment comprising the element.
The above detailed description is given to a script detection method and apparatus, an electronic device and a storage medium, and specific examples are applied herein to explain the principles and embodiments of the present application, and the descriptions of the above embodiments are only used to help understand the method and the core ideas of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, the specific implementation manner and the application scope may be changed, and in summary, the content of the present specification should not be construed as a limitation to the present application.
Claims (10)
1. A method for script detection, the method comprising:
acquiring a target code attribute diagram of a target script to be detected and a malicious code attribute diagram of a known malicious script; the object code attribute graph comprises an object node and an edge connected with the object node, and the malicious code attribute graph comprises a malicious node and an edge connected with the malicious node, wherein the node has corresponding node information, and the edge has corresponding edge information;
determining a matching sequence for the malicious code attribute map; all malicious nodes of the malicious code attribute graph are included in the matching sequence;
preprocessing according to the malicious code attribute graph to obtain corresponding father node information; the parent node information combines connection information between the matching sequence and the malicious node;
determining a next matching node pair according to the matching sequence and the father node information, and adding the next matching node pair to the current state space;
and when the current state space meets a preset condition, determining that the malicious script is matched with the target script.
2. The method of claim 1, further comprising:
acquiring a script to be detected;
performing confusion conversion processing on the script to obtain a target script after confusion conversion; the confusion transformation process at least comprises variable transformation, alias transformation, relative path transformation into absolute path and confusion semantic transformation.
3. The method of claim 1, wherein determining a matching sequence for the malicious code property graph comprises:
comparing the node mapping degrees of the malicious nodes in the malicious code attribute graph;
if the node mapping degrees are the same, comparing the node probability of the malicious node; the node probability is generated according to node information, side information, node in degree and node out degree;
if the node probabilities are the same, comparing the node in-degree and the node out-degree of the malicious node;
and sequentially adding all malicious nodes in the malicious code attribute graph to a matching sequence through comparison.
4. The method of claim 1, wherein the parent node of the malicious node is a neighboring node that occurs earliest before the malicious node in the matching sequence, and wherein determining a next matching node pair from the matching sequence and the malicious parent node information comprises:
obtaining a previous state space, wherein the previous state space comprises matched node pairs, the matched node pairs comprise previous matched node pairs, and the previous matched node pairs comprise previous matched malicious nodes and previous matched target nodes;
determining a next matching malicious node of the last matching malicious node, wherein the next matching malicious node is a next malicious node corresponding to the last matching malicious node in the matching sequence;
determining a candidate matching target node of the last matching target node; the candidate matching target node is a target node which is not in the last state space in the target code graph and has the same node information as the next matching malicious node;
when the father node of the next matching malicious node is determined not to be empty according to the malicious father node information, if the next matching malicious node is the successor node of the father node, the successor node of the node corresponding to the last matching malicious node is randomly selected from the candidate matching target nodes, and the node with the same node information and the same side information as the next matching malicious node is used as the next matching target node;
when the father node of the next matching malicious node is determined not to be empty according to the malicious father node information, if the next matching malicious node is a precursor node of the father node, randomly selecting a node which is the precursor node of the node corresponding to the last matching malicious node and has the same node information and edge information as the next matching malicious node from the candidate matching target nodes as a next matching target node;
and adding the next matching malicious node and the next matching target node as a next matching node pair to the previous state space to obtain the current state space.
5. The method of claim 4, further comprising:
and when the father node of the next matching malicious node is determined to be empty according to the malicious father node information, randomly selecting a node matched with the node information from the candidate matching target nodes as a next matching target node.
6. The method according to claim 1, wherein the determining that the malicious script matches the target script when the current state space satisfies a preset condition comprises:
and when the current state space meets a preset semantic information rule and preset topological structure information and the next matching malicious node in the current state space is the last malicious node in the matching sequence, determining that the malicious script is matched with the target script.
7. The method of claim 1, wherein the node information comprises a node label and the side information comprises an edge label.
8. A script detection apparatus, wherein the apparatus comprises:
the code attribute graph acquisition module is used for acquiring a target code attribute graph of a target script to be detected and a malicious code attribute graph of a known malicious script; the object code attribute graph comprises object nodes and edges connected with the object nodes, and the malicious code attribute graph comprises malicious nodes and edges connected with the malicious nodes, wherein the nodes have corresponding node information, and the edges have corresponding edge information;
a matching sequence determination module for determining a matching sequence for the malicious code attribute map; the matching sequence comprises all malicious nodes of the malicious code attribute graph;
the father node information acquisition module is used for acquiring corresponding father node information according to the malicious code attribute graph preprocessing; the parent node information combines connection information between the matching sequence and the malicious node;
the current state space determining module is used for determining a next matching node pair according to the matching sequence and the father node information and adding the next matching node pair to a current state space;
and the script matching determination module is used for determining that the malicious script is matched with the target script when the current state space meets a preset condition.
9. An electronic device, comprising: a processor; and
memory having stored thereon executable code which, when executed, causes the processor to perform a script detection method as claimed in one or more of claims 1-7.
10. One or more machine-readable media having executable code stored thereon that, when executed, causes a processor to perform a script detection method as recited in one or more of claims 1-7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210288602.6A CN114780957A (en) | 2022-03-23 | 2022-03-23 | Script detection method, device, equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210288602.6A CN114780957A (en) | 2022-03-23 | 2022-03-23 | Script detection method, device, equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114780957A true CN114780957A (en) | 2022-07-22 |
Family
ID=82425892
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210288602.6A Pending CN114780957A (en) | 2022-03-23 | 2022-03-23 | Script detection method, device, equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114780957A (en) |
-
2022
- 2022-03-23 CN CN202210288602.6A patent/CN114780957A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110489345B (en) | Crash aggregation method, device, medium and equipment | |
| US10318595B2 (en) | Analytics based on pipes programming model | |
| US20160171373A1 (en) | Training a Question/Answer System Using Answer Keys Based on Forum Content | |
| JP2020027649A (en) | Method, apparatus, device and storage medium for generating entity relationship data | |
| US8243988B1 (en) | Clustering images using an image region graph | |
| US10489127B2 (en) | Mapping of software code via user interface summarization | |
| US11651014B2 (en) | Source code retrieval | |
| CN113128209B (en) | Method and device for generating word stock | |
| EP2707808A2 (en) | Exploiting query click logs for domain detection in spoken language understanding | |
| CN116209997A (en) | System and method for classifying software vulnerabilities | |
| Thomas et al. | Applications of decision trees | |
| CN115358397A (en) | Parallel graph rule mining method and device based on data sampling | |
| WO2022126962A1 (en) | Knowledge graph-based method for detecting guiding and abetting corpus and related device | |
| US11625630B2 (en) | Identifying intent in dialog data through variant assessment | |
| US20220036200A1 (en) | Rules and machine learning to provide regulatory complied fraud detection systems | |
| US10296527B2 (en) | Determining an object referenced within informal online communications | |
| US20180046712A1 (en) | Artificial intelligence content detection system | |
| CN116821903A (en) | Detection rule determination and malicious binary file detection method, device and medium | |
| US20220400121A1 (en) | Performance monitoring in the anomaly detection domain for the it environment | |
| CN115859273A (en) | Method, device and equipment for detecting abnormal access of database and storage medium | |
| CN114780957A (en) | Script detection method, device, equipment and storage medium | |
| US11880405B2 (en) | Method for searching similar images in an image database using global values of a similarity measure for discarding partitions of the image database | |
| CN114492364A (en) | Same vulnerability judgment method, device, equipment and storage medium | |
| CN111143203B (en) | Machine learning method, privacy code determination method, device and electronic equipment | |
| CN112363814A (en) | Task scheduling method and device, computer equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |