CN114928476A - Target file security detection method and detection device - Google Patents


Info

Publication number
CN114928476A
Authority
CN
China
Prior art keywords
intelligent
blacklist
detection
security
target file
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210452483.3A
Other languages
Chinese (zh)
Inventor
王秋雯
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority to CN202210452483.3A
Publication of CN114928476A
Legal status: pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method and a device for detecting the security of a target file. The detection method comprises the following steps: updating an intelligent blacklist based on malicious files detected within a preset time; and, when the target file is detected, judging whether the intelligent blacklist detection strategy is enabled and, when it is enabled, matching the target file to be detected against the data in the intelligent blacklist so as to detect the security of the target file. In this method the detection verdicts of the depth mode are tallied to form an intelligent blacklist of the files transmitted in the user's network, which overcomes the low detection efficiency and wasted resources of repeatedly detecting the same malicious program; moreover, the intelligent blacklist is updated according to the real transmission ranking of malicious files in the user's network, which effectively solves the slow matching caused by an over-long intelligent blacklist queue.

Description

Target file security detection method and detection device
Technical Field
The invention relates to the technical field of security detection, in particular to a method and a device for detecting the security of a target file.
Background
At present, malicious programs such as viruses, worms and trojan horse programs propagate quickly and affect a wide range of systems, seriously threatening the security of the network environment.
Behavior analysis is an important means of malicious program detection, but because a malicious program needs a certain time (about 3 minutes) in the running environment before it has exhibited its malicious behaviors relatively comprehensively, a certain delay is introduced for linked systems with high timeliness requirements.
In the related art, virtual machine resources must also be allocated to the target program for every repeated detection in order to perform dynamic behavior analysis, so the resource utilization rate and the detection efficiency of the detection system are low.
Disclosure of Invention
The invention provides a method and a device for detecting the security of a target file, aiming to solve the technical problem of improving the detection efficiency for malicious programs.
The method for detecting the security of the target file comprises the following steps:
updating an intelligent blacklist based on malicious files detected within a preset time;
and when the target file is detected, judging whether to start an intelligent blacklist detection strategy, and when the intelligent blacklist detection strategy is started, matching the target file to be detected with data in the intelligent blacklist so as to detect the security of the target file.
According to the method for detecting the security of the target file, disclosed by the embodiment of the invention, the detection judgment result of the depth mode is counted to form the intelligent blacklist of the user network transmission file, so that the defects of low detection efficiency and resource waste of the repeatedly detected malicious program are overcome; and moreover, the intelligent blacklist is updated through the real transmission ranking of the malicious files in the user network, so that the problem of slow matching caused by excessively large length of an intelligent blacklist queue is effectively solved.
According to some embodiments of the invention, the detection method further comprises:
sorting the data in the intelligent blacklist according to the time and/or frequency at which the malicious files were detected;
and, when detecting the security of the target file, performing matching detection sequentially in the order of the malicious file data in the intelligent blacklist.
In some embodiments of the invention, updating the detected malicious files to the intelligent blacklist comprises:
acquiring a characteristic value of the malicious file and judging whether the same characteristic value already exists in the intelligent blacklist;
if the same characteristic value exists, incrementing the detection count of the corresponding malicious software by one and adjusting the data order in the intelligent blacklist; and if it does not exist, adding the characteristic value of the malicious software to the intelligent blacklist.
According to some embodiments of the present invention, when the intelligent blacklist detection policy is turned on, parameter item setting is performed, including:
setting whether to enable the depth detection mode, which determines whether to enter the depth detection mode after the intelligent blacklist matching detection;
setting whether to empty the intelligent blacklist, which determines whether the existing data of the intelligent blacklist is cleared;
setting whether to enable clearing on system upgrade, which determines whether the existing data in the intelligent blacklist is cleared when the system is upgraded;
and setting whether to enable the manual white list conflict mechanism, which determines whether a preset manual white list is used as the priority detection strategy.
In some embodiments of the present invention, when the intelligent blacklist detection policy is not turned on, the security of the target file is detected through a depth detection mode.
The security detection device for the target file according to the embodiment of the invention comprises:
the blacklist updating module is used for updating an intelligent blacklist based on malicious files detected within preset time;
the judging module is used for judging whether to start an intelligent blacklist detection strategy or not when detecting the target file;
and the intelligent detection module is used for matching the target file to be detected with the data in the intelligent blacklist when the intelligent blacklist detection strategy is started so as to detect the security of the target file.
According to the security detection device for the target file, disclosed by the embodiment of the invention, the detection judgment result of the depth mode is counted to form the intelligent blacklist of the user network transmission file, so that the defects of low detection efficiency and resource waste of the malicious program repeatedly detected are overcome; and moreover, the intelligent blacklist is updated through the real transmission ranking of the malicious files in the user network, so that the problem of slow matching caused by excessively large length of an intelligent blacklist queue is effectively solved.
According to some embodiments of the invention, the blacklist update module comprises:
the sorting module is used for sorting the data in the intelligent blacklist according to the time and/or frequency at which the malicious files were detected;
and when the intelligent detection module detects the security of the target file, it performs matching detection sequentially in the order of the malicious file data in the intelligent blacklist.
In some embodiments of the invention, the blacklist update module comprises:
the searching module is used for acquiring the characteristic value of the malicious file and judging whether the same characteristic value exists in the intelligent blacklist or not;
the sorting module is used for increasing the detection times of the corresponding malicious software once under the condition that the same characteristic value exists, and adjusting the data sorting in the intelligent blacklist;
and the adding module is used for adding the corresponding characteristic value of the malicious software into the intelligent blacklist under the condition that the same characteristic value does not exist.
According to some embodiments of the present invention, when the intelligent blacklist detection policy is turned on, parameter item setting is performed, including:
setting whether to enable the depth detection mode, which determines whether to enter the depth detection mode after the intelligent blacklist matching detection;
setting whether to empty the intelligent blacklist, which determines whether the existing data of the intelligent blacklist is cleared;
setting whether to enable clearing on system upgrade, which determines whether the existing data in the intelligent blacklist is cleared when the system is upgraded;
and setting whether to enable the manual white list conflict mechanism, which determines whether a preset manual white list is used as the priority detection strategy.
In some embodiments of the invention, the detection device further comprises: and the depth detection module is used for detecting the security of the target file through a depth detection mode when the intelligent blacklist detection strategy is not started.
Drawings
FIG. 1 is a flowchart of a method for security detection of a target document according to an embodiment of the present invention;
FIG. 2 is a flowchart of a security detection method for a target document according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating an intelligent blacklist determination in a method for security detection of a target document according to an embodiment of the present invention;
FIG. 4 is a flowchart illustrating the triggering of an intelligent blacklist update after file detection in a method for detecting security of a target file according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of an apparatus for security detection of a target document according to an embodiment of the present invention;
FIG. 6 is a schematic diagram illustrating malicious file detection results according to an embodiment of the present invention;
FIG. 7 is a diagram illustrating statistics of execution information of malicious files in an analysis engine according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of an intelligent blacklist according to an embodiment of the present invention;
FIG. 9 is a schematic diagram illustrating details of a malicious file duplicate detection result according to an embodiment of the present invention.
Reference numerals:
detection device 100; blacklist updating module 10; judging module 20; intelligent detecting module 30.
Detailed Description
To further illustrate the technical means and effects of the present invention adopted to achieve the predetermined purposes, the present invention is described in detail below with reference to the accompanying drawings and preferred embodiments.
The method flows described in this specification and the steps of the flow charts in the drawings need not be performed strictly in the numbered order, and the execution order of the steps may be changed. Moreover, certain steps may be omitted, multiple steps may be combined into one, and/or one step may be split into several.
To avoid the problem that frequently detected malicious files still require a long wait when they are detected again, the invention provides an auxiliary method for improving the efficiency of repeatedly detecting malicious programs.
As shown in fig. 1, a method for detecting security of a target file according to an embodiment of the present invention includes:
S100, updating an intelligent blacklist based on malicious files detected within a preset time;
it should be noted that the "malicious file" described herein may be a malicious program such as a virus, a worm, and a trojan horse program, or may refer to a message, a file, or the like having a security risk.
S200, when the target file is detected, judging whether the intelligent blacklist detection strategy is enabled and, when it is enabled, matching the target file to be detected against the data in the intelligent blacklist so as to detect the security of the target file.
For example, an ID or a characteristic value of a malicious file may be recorded in the intelligent blacklist, and when security detection of the target file is performed, the ID or the characteristic value of the target file may be matched with corresponding data in the blacklist to detect whether the target file is a malicious file recorded in the blacklist.
According to the method for detecting the security of the target file, disclosed by the embodiment of the invention, the detection judgment result of the depth mode is counted to form the intelligent blacklist of the user network transmission file, so that the defects of low detection efficiency and resource waste of the repeatedly detected malicious program are overcome; and moreover, the intelligent blacklist is updated through the real transmission ranking of the malicious files in the user network, so that the problem of slow matching caused by excessively large length of an intelligent blacklist queue is effectively solved.
According to some embodiments of the invention, the detection method further comprises:
sorting the data in the intelligent blacklist according to the time and/or frequency at which the malicious files were detected;
It should be noted that the malicious files may be sorted in the intelligent blacklist by detection time, for example the more recently a malicious file was detected, the earlier it is ranked; they may be sorted by detection frequency, for example the more often a malicious file has been detected, the higher it is ranked; or, of course, they may be sorted by both detection time and frequency, for example when two files have the same detection frequency, the more recently detected one is ranked earlier.
When the security of the target file is detected, matching detection is sequentially performed according to the data sequence of the malicious files in the intelligent blacklist.
Therefore, the repeated malicious files can be detected in time, and the detection efficiency of the repeated malicious software is greatly improved.
In some embodiments of the invention, updating the detected malicious files to the intelligent blacklist comprises:
acquiring a characteristic value of a malicious file, and judging whether the same characteristic value exists in an intelligent blacklist or not;
for example, the obtained characteristic value of the malicious file may be MD5 of the malicious file, and MD5 of the corresponding malicious file is stored in the intelligent blacklist.
Under the condition that the same characteristic value exists, the detection times of the corresponding malicious software are increased once, and the data sequence in the intelligent blacklist is adjusted; and under the condition that the same characteristic value does not exist, adding the corresponding characteristic value of the malicious software into the intelligent blacklist.
Therefore, the intelligent blacklist can be updated in time: the more frequently a malicious file occurs, the higher it is ranked in the intelligent blacklist, which improves the detection efficiency for the malicious files most likely to occur.
According to some embodiments of the present invention, when the intelligent blacklist detection policy is turned on, parameter item setting is performed, including:
setting whether to enable the depth detection mode, which determines whether to enter the depth detection mode after the intelligent blacklist matching detection;
setting whether to empty the intelligent blacklist, which determines whether the existing data of the intelligent blacklist is cleared;
setting whether to enable clearing on system upgrade, which determines whether the existing data in the intelligent blacklist is cleared when the system is upgraded;
and setting whether to enable the manual white list conflict mechanism, which determines whether a preset manual white list is used as the priority detection strategy. It should be noted that, if the manual white list conflict mechanism is enabled and the detected target file matches both the intelligent black list and the manual white list, the manual white list takes priority and the target file is treated as a safe file. This prevents certain preset target files from being judged as malicious by mistake.
In some embodiments of the present invention, when the intelligent blacklist detection policy is not turned on, the security of the target file is detected through a deep detection mode.
It should be noted that the deep inspection mode can be understood as a security inspection mode that does not use an intelligent blacklist for match inspection, for example, the deep inspection mode can include file security inspection using one or more of a virus engine evaluator, an intelligent analysis evaluator, a dynamic behavior evaluator, an NSRL index evaluator, a YARA rule evaluator, and a certificate reputation evaluator.
In some embodiments of the present invention, the detection method may use virtual machine technology, which not only captures the operation record of the target program as it executes in the virtual machine but also protects the computer by leaving the real computer environment unaffected; heuristic virus detection based on that operation record helps improve the detection rate of unknown viruses such as new viruses and variants.
As shown in fig. 5, the apparatus 100 for detecting security of a target document according to an embodiment of the present invention includes: the system comprises a blacklist updating module 10, a judgment module 20 and an intelligent detection module 30.
The blacklist updating module 10 is configured to update an intelligent blacklist based on malicious files detected within a preset time;
it should be noted that the "malicious file" described herein may be a malicious program such as a virus, a worm, and a trojan horse program, or may refer to a message, a file, or the like having a security risk.
The judging module 20 is configured to judge whether to start an intelligent blacklist detection policy when detecting the target file;
the intelligent detection module 30 is configured to match the target file to be detected with data in the intelligent blacklist when the intelligent blacklist detection policy is started, so as to detect the security of the target file.
For example, an ID or a characteristic value of a malicious file may be recorded in the intelligent blacklist, and when security detection of the target file is performed, the ID or the characteristic value of the target file may be matched with corresponding data in the blacklist to detect whether the target file is a malicious file recorded in the blacklist.
According to the security detection device 100 for the target file, provided by the embodiment of the invention, the detection judgment result of the depth mode is counted to form an intelligent blacklist of the user network transmission file, so that the defects of low detection efficiency and resource waste of a malicious program repeatedly detected are overcome; and moreover, the intelligent blacklist is updated through the real transmission ranking of the malicious files in the user network, so that the problem of slow matching caused by excessively large length of an intelligent blacklist queue is effectively solved.
According to some embodiments of the invention, the detection apparatus 100 further comprises a sorting module, which sorts the data in the intelligent blacklist according to the time and/or frequency at which the malicious files were detected;
It should be noted that the sorting module may sort the intelligent blacklist by detection time, for example the more recently a malicious file was detected, the earlier it is ranked; it may sort by detection frequency, for example the more often a malicious file has been detected, the higher it is ranked; or, of course, it may combine detection time and frequency, for example when two files have the same detection frequency, the more recently detected one is ranked earlier.
When the intelligent detection module 30 performs security detection on the target file, matching detection is performed in sequence according to the data sequence of the malicious files in the intelligent blacklist.
Therefore, the repeated malicious files can be detected in time, and the detection efficiency of the repeated malicious software is greatly improved.
In some embodiments of the present invention, the blacklist update module 10 further comprises a searching module and an adding module.
The searching module is used for acquiring the characteristic value of the malicious file and judging whether the same characteristic value exists in the intelligent blacklist or not;
For example, the characteristic value of the malicious file obtained by the searching module may be the MD5 of the malicious file, and the MD5 of the corresponding malicious file is stored in the intelligent blacklist.
The sorting module is used for increasing the detection times of the corresponding malicious software once under the condition that the same characteristic value exists, and adjusting the data sorting in the intelligent blacklist;
the adding module is used for adding the corresponding characteristic value of the malicious software to the intelligent blacklist under the condition that the same characteristic value does not exist.
Therefore, the intelligent blacklist can be updated in time, the higher the occurrence frequency of the malicious files is, the higher the ranking of the malicious files in the intelligent blacklist is, and the detection efficiency of the malicious files with higher occurrence probability can be improved.
According to some embodiments of the present invention, when the intelligent blacklist detection policy is started, parameter item setting is performed, including:
setting whether to enable the depth detection mode, which determines whether to enter the depth detection mode after the intelligent blacklist matching detection;
setting whether to empty the intelligent blacklist, which determines whether the existing data of the intelligent blacklist is cleared;
setting whether to enable clearing on system upgrade, which determines whether the existing data in the intelligent blacklist is cleared when the system is upgraded;
and setting whether to enable the manual white list conflict mechanism, which determines whether a preset manual white list is used as the priority detection strategy. It should be noted that, if the manual white list conflict mechanism is enabled and the detected target file matches both the intelligent black list and the manual white list, the manual white list takes priority and the target file is treated as a safe file. This prevents certain preset target files from being judged as malicious by mistake.
In some embodiments of the present invention, the detection apparatus 100 further comprises: and the depth detection module is used for detecting the security of the target file through a depth detection mode when the intelligent blacklist detection strategy is not started.
It should be noted that the deep inspection mode can be understood as a security inspection mode that does not use an intelligent blacklist for matching inspection, for example, the deep inspection mode can include document security inspection using one or more of a virus engine evaluator, an intelligent analysis evaluator, a dynamic behavior evaluator, an NSRL index evaluator, a YARA rule evaluator, and a certificate reputation evaluator.
The security detection method and the detection apparatus for an object document according to the present invention are described in detail below with reference to the accompanying drawings. It is to be understood that the following description is only exemplary in nature and should not be taken as a specific limitation on the invention.
In the prior art, virtual machine resources also need to be allocated to a target file for repeated detection to perform dynamic behavior analysis, so that the resource utilization rate and the detection efficiency of a detection system are low.
In order to overcome the defects of the prior art, the invention aims to solve the following technical problems:
(1) the invention provides an auxiliary method for improving the repeated detection efficiency of malicious files, which forms an intelligent blacklist by counting the judgment result of a malicious program subjected to dynamic behavior analysis, and applies the result to the subsequent malicious program detection of a detection system, thereby solving the defects of low detection efficiency and resource waste of the malicious program subjected to repeated detection in the prior art.
(2) The invention provides an auxiliary method for improving the repeated detection efficiency of malicious files, which is used for carrying out intelligent blacklist iteration through the real transmission ranking of the malicious files in a user network, and effectively avoiding slow matching caused by excessively large queue length of an intelligent blacklist.
The invention provides an auxiliary method for improving the efficiency of repeatedly detecting malicious files: the detection verdicts of the depth mode are tallied to form an intelligent blacklist of the files transmitted in the user's network, overcoming the low detection efficiency and wasted resources of repeatedly detecting the same malicious files; meanwhile, the intelligent blacklist queue is iterated, which effectively solves the slow matching caused by an over-long queue.
As shown in fig. 2, the auxiliary method for improving the efficiency of repeatedly detecting malicious files provided by the present invention mainly includes the following 3 steps:
(1) initializing functions;
(2) judging an intelligent blacklist;
(3) performing intelligent blacklist iteration.
Specifically, the function initialization of step (1) includes the following steps:
First, the function is switched on and the relevant parameters are configured. After the switch is turned on, a file under detection is first matched against the intelligent blacklist identifier, so that a malicious program that is being detected repeatedly is detected rapidly and the latest detection result is given.
The parameter items involved are:
Whether to continue in depth mode: this option is not selected by default. When selected, dynamic behavior analysis continues after the intelligent blacklist is hit, providing more supporting data for the detection result. This option may be turned on when the user needs the detection result to be analyzed again or wants richer data to be presented.
Empty the early-stage intelligent blacklist: this option is selected by default. When selected, the data and statistics of the early-stage intelligent blacklist are cleared when the switch is turned on.
Whether to empty on system upgrade: this option is selected by default. When selected, the data and statistics of the early-stage intelligent blacklist are cleared when the system firmware version or the threat rule base version is upgraded, so that the latest logic of the detection system is triggered again when the malicious program is detected and the detection result stays current.
Manual white list conflict mechanism: this option is a built-in parameter. For the same file MD5, the manual white list set by the administrator has the highest priority by default, and manual white list data is ignored during blacklist learning.
The flow chart of the intelligent blacklist determination in the step (2) is shown in fig. 3, and the specific steps are as follows:
a) acquire the MD5 value of the target file for the subsequent intelligent blacklist matching;
b) search the intelligent blacklist list by hash; if the match succeeds, go to c), otherwise go to d);
c) update the matching frequency and matching time for the subsequent intelligent blacklist iteration; a successful match marks the file as a malicious program, the judgment mode is "intelligent blacklist", and the latest detection result of the system is reused when the detection result is displayed;
d) after the match fails, enter the detection process of the other identifiers and give a judgment result.
Further, the intelligent blacklist iteration trigger mechanism in the step (3) is divided into two types:
a) triggering iteration after file detection;
b) triggering iteration when the system is upgraded or the function is turned on or off; see the descriptions of the parameters 'empty the early-stage intelligent blacklist' and 'whether to empty on system upgrade' in step (1).
A flowchart for triggering iteration after file detection is shown in fig. 4. The specific steps are as follows:
a) a file enters the intelligent blacklist iteration process; if the file was marked by the intelligent blacklist in step (2), go to step b); if it was not marked by the intelligent blacklist in step (2), go to step c);
b) perform the internal iteration of the intelligent blacklist according to the updated matching time and matching frequency. The aim is to put the malicious file MD5 that is transmitted most frequently in the user network at the front, so that the next repeated detection is faster in line with that trend. Go to step d) when the internal iteration is finished;
c) if the file was marked as a malicious program during the deep mode detection, update the matching frequency of the MD5 in the detection result and start the external iteration of the intelligent blacklist: compare the matching frequency of the file MD5 with the matching frequency of the last-ranked entry in the intelligent blacklist list, and keep the MD5 with the higher matching frequency together with its accessory information (matching time, matching frequency and latest detection result). Go to step d) when the external iteration is finished;
d) the iterated intelligent blacklist acts on the detection flow of subsequent files in real time.
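The following is an added illustration of steps (2) and (3) above (and of the matching, sorting and parameter items restated in claims 1 to 5); it is not code from the patent or from the applicant. It models the MD5-keyed hash lookup with hit bookkeeping, the internal iteration that ranks entries by matching frequency and time, the external iteration that compares a newly detected malicious MD5 against the last-ranked entry of a bounded queue, and the manual white list priority. The deep-mode analyzer is a caller-supplied callable; the class and function names (`IntelligentBlacklist`, `Entry`, `detect_file`) and the integer "tick" used as matching time are assumptions for the example.

```python
"""Intelligent blacklist for short-circuiting repeated malicious-file detection.

Added illustration, not code from the patent or from the applicant. The deep-mode
(dynamic behavior) analyzer is supplied by the caller; `now` is a monotonic tick
supplied by the caller and stands in for the matching time.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Entry:
    md5: str
    match_count: int     # matching frequency: how often this MD5 was seen
    last_match: int      # matching time (caller-supplied tick)
    last_verdict: str    # latest detection result, reused on a hit


class IntelligentBlacklist:
    """Bounded MD5-keyed list; the length bound keeps matching fast."""

    def __init__(self, max_len: int, manual_whitelist: set[str] | None = None):
        self.max_len = max_len
        self.manual_whitelist = set(manual_whitelist or ())
        self._entries: dict[str, Entry] = {}   # hash lookup, step (2) b)
        self._pending: dict[str, int] = {}     # frequencies of MD5s not (yet) admitted

    @staticmethod
    def md5_of(data: bytes) -> str:
        # Step (2) a): the matching key is the MD5 of the target file.
        return hashlib.md5(data).hexdigest()

    def lookup(self, md5: str, now: int) -> Optional[Entry]:
        """Step (2) b)/c): hash lookup; on a hit update frequency and time."""
        if md5 in self.manual_whitelist:
            return None                      # manual white list has the highest priority
        entry = self._entries.get(md5)
        if entry is not None:
            entry.match_count += 1
            entry.last_match = now
        return entry

    def ranked(self) -> list[Entry]:
        """Internal iteration: most frequent first, most recent first on ties."""
        return sorted(self._entries.values(),
                      key=lambda e: (-e.match_count, -e.last_match))

    def learn(self, md5: str, verdict: str, now: int) -> bool:
        """External iteration after a deep-mode malicious verdict.

        Returns True when the MD5 is present in the list afterwards."""
        if md5 in self.manual_whitelist:
            return False                     # white-listed data is ignored while learning
        existing = self._entries.get(md5)
        if existing is not None:
            existing.match_count += 1
            existing.last_match = now
            existing.last_verdict = verdict
            return True
        count = self._pending.get(md5, 0) + 1
        self._pending[md5] = count
        candidate = Entry(md5, count, now, verdict)
        if len(self._entries) < self.max_len:
            self._entries[md5] = candidate
            del self._pending[md5]
            return True
        last = self.ranked()[-1]             # last-ranked entry of the full queue
        if candidate.match_count > last.match_count:
            del self._entries[last.md5]
            self._pending[last.md5] = last.match_count   # keep its frequency for later
            self._entries[md5] = candidate
            del self._pending[md5]
            return True
        return False

    def clear(self) -> None:
        """'Empty the early-stage intelligent blacklist' / 'empty on system upgrade'."""
        self._entries.clear()
        self._pending.clear()


def detect_file(data: bytes, blacklist: IntelligentBlacklist, now: int,
                deep_mode: Callable[[bytes], str],
                continue_depth_mode: bool = False) -> tuple[str, str]:
    """Return (judgment basis, verdict).

    On a hit the costly analyzer is skipped unless 'continue in depth mode' is set;
    on a miss the analyzer runs and a malicious verdict feeds the external iteration."""
    md5 = blacklist.md5_of(data)
    hit = blacklist.lookup(md5, now)
    if hit is not None and not continue_depth_mode:
        return "intelligent blacklist", hit.last_verdict
    verdict = deep_mode(data)                # dynamic behavior analysis
    if verdict == "malicious":
        blacklist.learn(md5, verdict, now)
    return ("intelligent blacklist" if hit is not None else "deep mode"), verdict
```

The `_pending` map is the part worth noting: an MD5 that loses the comparison with the last-ranked entry is not forgotten, so its frequency keeps accumulating across repeated deep-mode detections until it genuinely outranks the tail of the queue, which is what makes the bounded list converge on the files actually transmitted most often.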
Fig. 6-9 show a specific embodiment of the security detection of the target file according to the present invention.
The embodiment is based on an advanced threat detection system and explains how the detection method is applied to a malicious compressed file to improve detection capability when the program is detected repeatedly.
According to the method in the detailed description of the invention, the specific flow is as follows:
The system turns on the intelligent blacklist switch, all options are left at their defaults, and the detection mode is the depth mode.
The malicious file 1 is submitted locally for the first time; when the detection is finished, the detection result and the judgment basis are checked, as shown in fig. 6. The judgment this time is a comprehensive analysis, and the analyzer's detection took 78 seconds, as shown in fig. 7.
Looking at the intelligent blacklist, the MD5 of the malicious file 1 has been added to the list with the first judgment basis: comprehensive analysis, as shown in fig. 8.
The malicious file 1 is submitted again and the details of the detection result are checked: the judgment basis is the intelligent blacklist, and the analyzer execution time is that of the non-depth mode, as shown in fig. 9.
In summary, the invention forms an intelligent blacklist of the files transmitted in the user network by counting the detection judgment results of the depth mode, which overcomes the low detection efficiency and resource waste of repeatedly detected malicious programs; moreover, the intelligent blacklist is iterated according to the real transmission ranking of the malicious programs in the user network, which effectively solves the problem of slow matching caused by an excessively long intelligent blacklist queue.
While the present invention has been described in connection with the preferred embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, but is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (10)

1. A method for detecting the security of a target file is characterized by comprising the following steps:
updating an intelligent blacklist based on malicious files detected within a preset time;
and when the target file is detected, judging whether to start an intelligent blacklist detection strategy, and when the intelligent blacklist detection strategy is started, matching the target file to be detected with data in the intelligent blacklist so as to detect the security of the target file.
2. The method for detecting the security of the object file according to claim 1, wherein the detecting method further comprises:
sorting according to the time and/or frequency detected by the malicious files, and sorting the data in the intelligent blacklist;
and when the security of the target file is detected, matching detection is sequentially performed according to the data sequence of the malicious files in the intelligent blacklist.
3. The method of claim 1, wherein updating the detected malicious files to the intelligent blacklist comprises:
acquiring a characteristic value of the malicious file, and judging whether the same characteristic value exists in the intelligent blacklist or not;
under the condition that the same characteristic value exists, the detection times of the corresponding malicious software are increased once, and the data sequence in the intelligent blacklist is adjusted; and if the same characteristic value does not exist, adding the corresponding characteristic value of the malicious software into the intelligent blacklist.
4. The method for detecting the security of the target file according to claim 1, wherein when the intelligent blacklist detection policy is turned on, parameter item setting is performed, which includes:
setting whether to start a depth detection mode or not, and determining whether to enter the depth detection mode or not after the intelligent blacklist matching detection is finished;
setting whether to empty the intelligent blacklist or not, and determining whether to empty existing data of the intelligent blacklist or not;
setting whether to enable emptying on system upgrade, for determining whether the existing data in the intelligent blacklist is emptied when the system is upgraded;
and setting whether to start an artificial white list conflict mechanism or not, wherein the artificial white list conflict mechanism is used for determining whether to take a preset artificial white list as a priority detection strategy or not.
5. The method according to claim 1, wherein when the intelligent blacklist detection policy is not activated, the security of the target file is detected through a deep detection mode.
6. An apparatus for detecting the security of a target file, comprising:
the blacklist updating module is used for updating an intelligent blacklist based on malicious files detected within preset time;
the judging module is used for judging whether to start an intelligent blacklist detection strategy when detecting the target file;
and the intelligent detection module is used for matching the target file to be detected with the data in the intelligent blacklist when the intelligent blacklist detection strategy is started so as to detect the security of the target file.
7. The apparatus for detecting the security of a target file according to claim 6, wherein the blacklist updating module comprises:
the sorting module is used for sorting according to the time and/or frequency detected by the malicious files and sorting the data in the intelligent blacklist;
and when the intelligent detection module detects the security of the target file, the intelligent detection module performs matching detection in sequence according to the data sequence of the malicious files in the intelligent blacklist.
8. The apparatus for detecting the security of a target file according to claim 7, wherein the blacklist updating module further comprises:
the searching module is used for acquiring the characteristic value of the malicious file and judging whether the same characteristic value exists in the intelligent blacklist or not;
the sorting module is used for increasing the detection times of the corresponding malicious software once under the condition that the same characteristic value exists, and adjusting the data sorting in the intelligent blacklist;
and the adding module is used for adding the corresponding characteristic value of the malicious software into the intelligent blacklist under the condition that the same characteristic value does not exist.
9. The apparatus for detecting security of a target file according to claim 6, wherein the setting of the parameter item when the intelligent blacklist detection policy is turned on includes:
setting whether to start a depth detection mode or not, and determining whether to enter the depth detection mode or not after the intelligent blacklist matching detection;
setting whether to empty the intelligent blacklist or not, and determining whether to empty existing data of the intelligent blacklist or not;
setting whether to enable clearing on system upgrade, for determining whether the existing data in the intelligent blacklist is cleared when the system is upgraded;
and setting whether to start an artificial white list conflict mechanism or not, and determining whether to use a preset artificial white list as a priority detection strategy or not.
10. The apparatus for detecting the security of a target file according to claim 6, wherein the apparatus further comprises: a depth detection module, used for detecting the security of the target file through a depth detection mode when the intelligent blacklist detection strategy is not started.
CN202210452483.3A 2022-04-27 2022-04-27 Target file security detection method and detection device Pending CN114928476A (en)

Publications (1)

Publication Number Publication Date
CN114928476A true CN114928476A (en) 2022-08-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination