CN114996698A - Method, device and equipment for determining virus file and storage medium - Google Patents

Publication number
CN114996698A
Authority
CN
China
Prior art keywords
file
virus
target
determining
executable files
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110232983.1A
Other languages
Chinese (zh)
Inventor
韩磊
吴浩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
360 Digital Security Technology Group Co Ltd
Original Assignee
360 Digital Security Technology Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 360 Digital Security Technology Group Co Ltd filed Critical 360 Digital Security Technology Group Co Ltd
Priority to CN202110232983.1A priority Critical patent/CN114996698A/en
Publication of CN114996698A publication Critical patent/CN114996698A/en
Pending legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a method, a device, equipment and a storage medium for determining a virus file, wherein the method comprises the following steps: when a scanning file starting instruction is received, starting a scanning process according to the scanning file starting instruction, and obtaining the starting time of the scanning process; when the scanning process is stopped, acquiring a plurality of executable files corresponding to the starting time of the scanning process and identification information of the executable files; selecting a target file from the executable files according to the identification information, and determining an associated file according to the target file; and detecting the associated file according to a preset virus detection rule to determine the virus file. In the prior art, only the relationships among processes can be viewed. In the invention, the target file is determined according to the executable files corresponding to the starting time of the scanning process, the associated file is determined according to the target file, and the associated file is detected according to the preset virus detection rule to determine the virus file, so that the work efficiency of searching for virus files is improved.

Description

Method, device and equipment for determining virus file and storage medium
Technical Field
The invention relates to the technical field of computer security, in particular to a method, a device, equipment and a storage medium for determining a virus file.
Background
Currently, user process behavior analysis is a common method for analyzing malicious software in the industry. In the prior art, malicious software is analyzed by examining the running files in a static process tree. A static process tree shows only the relationships among processes and cannot detect viruses in associated files, which reduces the work efficiency of searching for virus files.
The above is only for the purpose of assisting understanding of the technical aspects of the present invention, and does not represent an admission that the above is prior art.
Disclosure of Invention
The invention mainly aims to provide a method, a device, equipment and a storage medium for determining a virus file, and aims to solve the technical problem of improving the work efficiency of searching the virus file.
In order to achieve the above object, the present invention provides a method for determining a virus file, including:
when a scanning file starting instruction is received, starting a scanning process according to the scanning file starting instruction, and obtaining the starting time of the scanning process;
when a scanning process stops, acquiring a plurality of executable files corresponding to the starting time of the scanning process and identification information of the executable files;
selecting a target file from a plurality of executable files according to the identification information, and determining an associated file according to the target file;
and detecting the associated file according to a preset virus detection rule to determine a virus file.
Optionally, the step of selecting a target file from a plurality of executable files according to the identification information includes:
determining a virus scoring result according to the identification information, and determining a target virus identification grade according to the virus scoring result;
and selecting a target file from the executable files according to the target virus identification level.
Optionally, the step of determining a target virus identification level according to the virus scoring result includes:
and searching a sample virus identification grade from a virus identification grade mapping relation table according to the virus grading result, and taking the sample virus identification grade as a target virus identification grade corresponding to the identification information, wherein the virus identification grade mapping relation table has a plurality of identification information and a plurality of sample virus identification grades.
Optionally, the step of selecting a target file from a plurality of executable files according to the target virus identification level includes:
judging whether the target virus identification level is higher than a preset safety identification level or not;
when the target virus identification level is higher than the preset safety identification level, determining a preset virus file selection rule according to the target virus identification level;
and selecting a target file from the executable files according to the preset virus file selection rule.
Optionally, the step of determining an associated file according to the target file includes:
determining target node information of the target file;
and determining an associated file according to the target virus identification level and the target node information.
Optionally, the step of determining an associated file according to the target virus identification level and the target node information includes:
determining a preset associated file selection rule according to the target virus identification grade;
and selecting the associated file from the plurality of executable files according to the preset associated file selection rule and the target node information.
Optionally, the step of selecting an associated file from a plurality of executable files according to the preset associated file selection rule and the target node information includes:
acquiring node information corresponding to a plurality of executable files;
determining associated node information according to the plurality of node information and the target node information;
and selecting the associated file from the plurality of executable files according to the preset associated file selection rule and the associated node information.
Optionally, after the step of selecting the associated file from the plurality of executable files according to the preset associated file selection rule and the associated node information, the method further includes:
analyzing the content of the associated file to obtain the type information of the associated file;
judging whether the associated file type information meets a preset type condition or not;
and when the associated file type information meets the preset type condition, executing the step of detecting the associated file according to a preset virus detection rule to determine a virus file.
Optionally, before the step of analyzing the content of the associated file to obtain the associated file type information, the method further includes:
acquiring associated file name information of the associated file;
judging whether the associated file name information meets a preset naming condition or not;
and when the associated file name information meets the preset naming condition, executing the step of analyzing the file content of the associated file to obtain associated file type information.
Optionally, the step of detecting the associated file according to a preset virus detection rule to determine a virus file includes:
acquiring an MD5 code corresponding to the associated file;
detecting the MD5 code according to a preset virus detection rule to obtain an MD5 code detection result;
and determining the virus file according to the MD5 code detection result.
Optionally, the step of determining a virus file according to the MD5 code detection result includes:
obtaining a dangerous virus score according to the MD5 code detection result;
performing identification processing on the associated file according to the dangerous virus scores to obtain associated identification information;
and determining a virus file according to the associated identification information and the associated file.
Optionally, the step of obtaining a plurality of executable files and identification information of the plurality of executable files corresponding to the starting time of the scanning process includes:
acquiring a plurality of initial files corresponding to the starting time of the scanning process, and acquiring file key information of the plurality of initial files;
and selecting a plurality of executable files from the plurality of initial files according to a preset executable file selection rule and the file key information, and acquiring identification information of the plurality of executable files.
In addition, in order to achieve the above object, the present invention further provides a virus file determination apparatus, including:
the acquisition module is used for starting a scanning process according to a scanning file starting instruction when the scanning file starting instruction is received, and acquiring the starting time of the scanning process;
the obtaining module is further configured to obtain, when the scanning process is stopped, a plurality of executable files and identification information of the plurality of executable files corresponding to the starting time of the scanning process;
the selecting module is used for selecting a target file from a plurality of executable files according to the identification information and determining an associated file according to the target file;
and the determining module is used for detecting the associated file according to a preset virus detection rule so as to determine the virus file.
Optionally, the selecting module is further configured to determine a virus scoring result according to the identification information, and determine a target virus identification level according to the virus scoring result;
the selecting module is further configured to select a target file from the plurality of executable files according to the target virus identification level.
Optionally, the selecting module is further configured to search a sample virus identification level from a virus identification level mapping relationship table according to the virus scoring result, and use the sample virus identification level as a target virus identification level corresponding to the identification information, where the virus identification level mapping relationship table includes multiple identification information and multiple sample virus identification levels.
Optionally, the selecting module is further configured to determine whether the target virus identifier level is higher than a preset security identifier level;
the selecting module is further used for determining a preset virus file selecting rule according to the target virus identification grade when the target virus identification grade is higher than the preset safety identification grade;
the selection module is further used for selecting a target file from the executable files according to the preset virus file selection rule.
Optionally, the selecting module is further configured to determine target node information of the target file;
and the selection module is also used for determining an associated file according to the target virus identification level and the target node information.
Optionally, the selecting module is further configured to determine a preset associated file selecting rule according to the target virus identification level;
the selecting module is further configured to select an associated file from the plurality of executable files according to the preset associated file selecting rule and the target node information.
In addition, to achieve the above object, the present invention further provides a device for determining a virus file, including: a memory, a processor and a program for determining a virus file stored on said memory and executable on said processor, said program for determining a virus file being configured to implement the steps of the method for determining a virus file as described above.
Furthermore, in order to achieve the above object, the present invention further proposes a storage medium having stored thereon a virus file determination program that, when executed by a processor, implements the steps of the virus file determination method as described above.
When a scanning file starting instruction is received, a scanning process is started according to the instruction and the starting time of the scanning process is obtained; when the scanning process stops, a plurality of executable files corresponding to the starting time of the scanning process and identification information of the executable files are acquired; a target file is selected from the executable files according to the identification information, and an associated file is determined according to the target file; finally, the associated file is detected according to a preset virus detection rule to determine the virus file. In the prior art, only the relationships among processes can be viewed and the virus file cannot be accurately determined. In this application, the target file is determined from the executable files corresponding to the starting time of the scanning process, the associated file is then determined from the target file, and the associated file is detected according to the preset virus detection rule, so that the virus file can be accurately determined and the work efficiency of searching for virus files is improved.
Drawings
FIG. 1 is a schematic structural diagram of a device for determining a virus file of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a method for determining a virus file according to a first embodiment of the present invention;
FIG. 3 is a flowchart illustrating a method for determining a virus file according to a second embodiment of the present invention;
FIG. 4 is a flowchart illustrating a method for determining a virus file according to a third embodiment of the present invention;
FIG. 5 is a block diagram showing a configuration of a first embodiment of the apparatus for determining a virus file according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a device for determining a virus file of a hardware operating environment according to an embodiment of the present invention.
As shown in fig. 1, the determining device of the virus file may include: a processor 1001, such as a Central Processing Unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 is used to enable connective communication between these components. The user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard); optionally, the user interface 1003 may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a Wireless Fidelity (Wi-Fi) interface). The memory 1005 may be a Random Access Memory (RAM), or a Non-Volatile Memory (NVM), such as a disk memory. The memory 1005 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the configuration shown in FIG. 1 does not constitute a limitation of the determination device for the virus file, which may include more or fewer components than those shown, a combination of some components, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a storage medium, may include therein an operating system, a data storage module, a network communication module, a user interface module, and a virus file determination program.
In the virus file determination device shown in fig. 1, the network interface 1004 is mainly used for data communication with a network server; the user interface 1003 is mainly used for data interaction with a user; the processor 1001 and the memory 1005 of the virus file determination device of the present invention may be disposed in a virus file determination device, and the virus file determination device calls the determination program of the virus file stored in the memory 1005 through the processor 1001 and executes the virus file determination method provided by the embodiment of the present invention.
An embodiment of the present invention provides a method for determining a virus file, and referring to fig. 2, fig. 2 is a schematic flowchart of a first embodiment of the method for determining a virus file according to the present invention.
In this embodiment, the method for determining the virus file includes the following steps:
Step S10: when a scanning file starting instruction is received, starting a scanning process according to the scanning file starting instruction, and obtaining the starting time of the scanning process.
It is easy to understand that the execution subject of this embodiment may be a determination device for a virus file having functions of data processing, network communication, program operation, and the like, or may be other computer devices having similar functions, and the present embodiment is not limited thereto.
It can be understood that the scan file start instruction may be a process start instruction triggered by a user, and the scanning process may then be started according to that instruction. The scanning process may be a behavior process of the user using software. When the user triggers the process start instruction, the corresponding start time of the scanning process is recorded; the start time may be 09:00 on August 3, 2020, or 09:07 on August 3, 2020, and this embodiment is not limited thereto.
It should be noted that, for behavior process analysis of software, a software behavior analysis program is installed in advance on the user's mobile terminal. The software behavior analysis program can then analyze the software that the current user operates on the mobile terminal, and can also display all of the user's behavior process analysis lists and the like.
In a specific implementation, the user runs the software behavior analysis program on the mobile terminal; the program can then scan the executable files corresponding to newly installed or newly downloaded software on the user's mobile terminal, and can also periodically scan the executable files on the user's mobile terminal according to a preset cycle time.
The preset period time may be set by a user in a customized manner, and may be 30 days, or 15 days, and the embodiment is not limited.
Step S20: when the scanning process is stopped, acquiring a plurality of executable files corresponding to the starting time of the scanning process and identification information of the executable files.
The executable file may be a file that may be run when the user behavior process is started, such as a file with the suffix .exe.
The identification information of the executable file is identification information corresponding to the security degree of the executable file. It may be a color identifier or a character identifier added when the software behavior analysis program automatically analyzes the executable file, which is not limited in this embodiment.
Assuming that the color identifier is used to determine the security degree corresponding to the executable file, gray and green may be used as the security file identifier, red may be used as the complete virus file identifier, yellow may be used as the severe virus file identifier, and blue may be used as the moderate virus file identifier, which is not limited in this embodiment.
In order to obtain an accurate executable file, the multiple executable files corresponding to the starting time of the scanning process and the identification information of the multiple executable files may be obtained by obtaining multiple initial files corresponding to the starting time of the scanning process, obtaining file key information of the multiple initial files, selecting the multiple executable files from the multiple initial files according to a preset executable file selection rule and the file key information, and obtaining the identification information of the multiple executable files.
The initial file may be understood as a file operated by the mobile terminal of the current user, and the key information of the file may be the file operation duration, which may be 2s, or 3s, and the like.
The preset executable file selection rule may be a preset reference operation duration of the current operation file, may be 5s, may also be 1min, and the like, which is not limited in this embodiment.
Assume that the initial files are A, B, C and D and that the preset reference operation duration is 3s. If the operation duration of initial file A is 1s, that of initial file B is 2s, that of initial file C is 5s and that of initial file D is 6s, then the operation durations of initial files A and B are lower than the preset reference operation duration, and scanning monitoring and virus file analysis need not be performed on them; the operation durations of initial files C and D are higher than the preset reference operation duration, so initial files C and D can be used as executable files, and the identification information and the like corresponding to executable files C and D is obtained.
Step S30: selecting a target file from the executable files according to the identification information, and determining an associated file according to the target file.
The target file may be a virus file with identification information, a complete virus file, a severe virus file, a moderate virus file, or the like, which is not limited in this embodiment.
It is assumed that the multiple executable files are executable file 1, executable file 2, executable file 3, and executable file 4, respectively, the identification information in executable file 1 is a green identification, the identification information in executable file 2 is a gray identification, the identification information in executable file 3 is a red identification, the identification information in executable file 4 is a yellow identification, the red identification and the yellow identification are both virus file identifications, and executable file 3 and executable file 4 are virus files, i.e., target files, and the like.
In order to accurately acquire the target file, the step of selecting the target file from the executable files according to the identification information may be to determine a virus scoring result according to the identification information, determine a target virus identification grade according to the virus scoring result, and finally select the target file from the executable files according to the target virus identification grade.
The virus scoring result can be a virus evaluation score of the executable file, and the score from safe to complete virus can be set to be 1-10, 1-4 can be set to be a safe file, and 5-10 can be set to be a virus file.
The step of determining the target virus identification level according to the virus scoring result may be to search a sample virus identification level from a virus identification level mapping relation table according to the virus scoring result, and use the sample virus identification level as a target virus identification level corresponding to the identification information, where the virus identification level mapping relation table has a plurality of identification information and a plurality of sample virus identification levels.
The sample virus identification level can be a safety level, a moderate virus level, a severe virus level and the like, and if the virus scoring result is 1-4, the corresponding sample virus identification level in the virus identification level mapping relation table is the safety level; if the virus scoring result is 5-6, the corresponding sample virus identification grade in the virus identification grade mapping relation table is a moderate virus grade; if the virus scoring result is 7-8, the corresponding sample virus identification level in the virus identification level mapping relation table is a severe virus level; and if the virus scoring result is 9-10, the corresponding sample virus identification level in the virus identification level mapping relation table is a complete virus level, and the like.
The step of selecting the target file from the plurality of executable files according to the target virus identification level includes determining whether the target virus identification level is higher than a preset security identification level, determining a preset virus file selection rule according to the target virus identification level when the target virus identification level is higher than the preset security identification level, and then selecting the target file from the plurality of executable files according to the preset virus file selection rule.
The preset security identification level may be a security level or the like, and assuming that the multiple executable files are executable file 1, executable file 2, executable file 3 and executable file 4 respectively, where executable file 1 is a security level, executable file 2 is a security level, executable file 3 is a full virus level, and executable file 4 is a severe virus level, and both the full virus level and the severe virus level are higher than the security level, executable file 3 and executable file 4 are extracted from the multiple executable files, and executable file 3 and executable file 4 are used as target files or the like.
In order to accurately detect the virus file, the step of determining the associated file according to the target file may be to determine target node information of the target file, and then determine the associated file according to the target virus identification level and the target node information.
The step of determining the associated file according to the target virus identification level and the target node information comprises the steps of determining a preset associated file selection rule according to the target virus identification level, and selecting the associated file from a plurality of executable files according to the preset associated file selection rule and the target node information, wherein the preset associated file selection rule can be set by a user in a self-defined mode.
The step of selecting the associated file from the plurality of executable files according to the preset associated file selection rule and the target node information may be to acquire node information corresponding to the plurality of executable files, then determine associated node information according to the plurality of node information and the target node information, and finally select the associated file from the plurality of executable files according to the preset associated file selection rule and the associated node information.
In this embodiment, when performing user behavior analysis, a time dimension is added to each process of the user process tree to form a dynamic process tree, so that one-dimensional data is converted into two-dimensional data for correlation analysis in order to determine a virus file. Assume that the executable files corresponding to the process start time are executable files A0, A1 and A2, executable files B0, B1 and B2, and executable files C0, C1 and C2, where executable file A0 is the parent node of A1 and A2 is a child node of A1, executable file B0 is the parent node of B1 and B2 is a child node of B1, and executable file C0 is the parent node of C1 and C2 is a child node of C1. If B1 is a virus file, the associated files of B1 may be B0 and B2, or the associated files of B1 may be executable files A0, A1 and A2, executable files B0 and B2, and executable files C0, C1 and C2, etc.
Assuming that B1 is a complete virus file, the associated files of B1 may be executable files A0, A1 and A2, executable files B0 and B2, and executable files C0, C1 and C2; assuming that B1 is a moderate virus file or a severe virus file, the associated files of executable file B1 may be B0, B2, and so on.
After the step of selecting the associated file from the executable files according to the preset associated file selection rule and the associated node information, associated file name information of the associated file is required to be obtained, whether the associated file name information meets a preset naming condition or not is judged, when the associated file name information meets the preset naming condition, file content analysis is carried out on the associated file, associated file type information is obtained, whether the associated file type information meets a preset type condition or not is judged, and when the associated file type information meets the preset type condition, the associated file is judged to meet a virus detection condition and the like.
Step S40: and detecting the associated file according to a preset virus detection rule to determine a virus file.
The preset virus detection rule may be set by a user in a self-defined manner, may be used for virus detection on the associated file by a professional, and may also be used for virus detection by obtaining key information corresponding to the associated file, and the like.
In order to accurately locate the virus file, the step of detecting the associated file according to the preset virus detection rule to determine the virus file may be to obtain an MD5 code corresponding to the associated file for detection to obtain an MD5 code detection result, and then determine the virus file according to the MD5 code detection result.
The step of determining the virus files according to the MD5 code detection result may be to obtain a dangerous virus score according to the MD5 code detection result, perform identification processing on the associated files according to the dangerous virus score to obtain associated identification information, and finally determine the virus files according to the associated identification information and the associated files.
Assume that executable files A0, A1 and A2 corresponding to the process start time are security files whose identification information is a green identifier, executable files B0 and B2 are security files whose identification information is a gray identifier, and B1 is a virus file whose identification information is a red identifier, where A0 is the parent node of A1, A2 is a child node of A1, B0 is the parent node of B1, and B2 is a child node of B1. B1 is known to be a virus file, and its associated files may be B0 and B2; in this example the associated files of B1 are executable files A0, A1 and A2 and executable files B0 and B2, so the MD5 codes corresponding to A0, A1, A2, B0 and B2 need to be obtained and compared with the MD5 codes in a pre-stored virus library. When the MD5 code of A0 is successfully found in the pre-stored virus library, a dangerous virus score is obtained for A0, while the MD5 codes corresponding to A1, A2, B0 and B2 cannot be found in the pre-stored virus library. The green identifier of A0 then needs to be converted into a red identifier and A0 is taken as a virus file. Virus detection is then performed on A1, A2, B0 and B2 by professional analysts, and when the analysts detect viruses in A1 and A2, the green identifiers of A1 and A2 are converted into red identifiers, so that the final virus files are A0, A1, A2 and B1.
In this embodiment, when a scan file start instruction is received, a scanning process is started according to the instruction and the start time of the scanning process is obtained; when the scanning process stops, a plurality of executable files corresponding to the start time of the scanning process and the identification information of the executable files are obtained; a target file is then selected from the executable files according to the identification information and an associated file is determined according to the target file; finally, the associated file is detected according to a preset virus detection rule to determine a virus file. In the prior art, only the correlation among processes can be checked and the virus file cannot be accurately determined. In this embodiment, by contrast, the target file is determined from the executable files corresponding to the start time of the scanning process, the associated file is determined according to the target file, and the associated file is detected according to the preset virus detection rule to determine the virus file, which improves the accuracy and efficiency of searching for virus files and further improves the user experience.
Referring to fig. 3, fig. 3 is a flowchart illustrating a method for determining a virus file according to a second embodiment of the present invention.
Based on the first embodiment, in this embodiment, the step S30 further includes:
Step S301: determining a virus scoring result according to the identification information, and determining a target virus identification level according to the virus scoring result.
The identification information of an executable file is identification information corresponding to the security degree of the executable file. It may be a color identifier or a character identifier added when a software behavior analysis program automatically analyzes the executable file, which is not limited in this embodiment.
Assuming that the color identifier is used to determine the security level corresponding to the executable file, gray and green may be used as the security file identifier, red may be used as the complete virus file identifier, yellow may be used as the severe virus file identifier, and blue may be used as the moderate virus file identifier, which is not limited in this embodiment.
The virus scoring result may be a virus evaluation score of the executable file. The scores from safe to complete virus may be set to 1-10, where 1-4 denotes a security file and 5-10 denotes a virus file.
The step of determining the target virus identification level according to the virus scoring result may be to search a sample virus identification level from a virus identification level mapping relation table according to the virus scoring result, and use the sample virus identification level as a target virus identification level corresponding to the identification information, where the virus identification level mapping relation table has a plurality of identification information and a plurality of sample virus identification levels.
The sample virus identification level can be a safety level, a moderate virus level, a severe virus level and the like, and if the virus scoring result is 1-4, the corresponding sample virus identification level in the virus identification level mapping relation table is the safety level; if the virus scoring result is 5-6, the corresponding sample virus identification grade in the virus identification grade mapping relation table is a moderate virus grade; if the virus scoring result is 7-8, the corresponding sample virus identification level in the virus identification level mapping relation table is a severe virus level; and if the virus scoring result is 9-10, the corresponding sample virus identification level in the virus identification level mapping relation table is a complete virus level, and the like.
Step S302: selecting a target file from the executable files according to the target virus identification level, and determining an associated file according to the target file.
The step of selecting the target file from the plurality of executable files according to the target virus identification level includes determining whether the target virus identification level is higher than a preset security identification level, determining a preset virus file selection rule according to the target virus identification level when the target virus identification level is higher than the preset security identification level, and then selecting the target file from the plurality of executable files according to the preset virus file selection rule.
The preset security identification level may be a security level or the like, and assuming that the multiple executable files are executable file 1, executable file 2, executable file 3 and executable file 4 respectively, where executable file 1 is a security level, executable file 2 is a security level, executable file 3 is a full virus level, and executable file 4 is a severe virus level, and both the full virus level and the severe virus level are higher than the security level, executable file 3 and executable file 4 are extracted from the multiple executable files, and executable file 3 and executable file 4 are used as target files or the like.
In order to accurately detect the virus file, the step of determining the associated file according to the target file may be to determine target node information of the target file, and then determine the associated file according to the target virus identification level and the target node information.
The step of determining the associated file according to the target virus identification level and the target node information comprises the steps of determining a preset associated file selection rule according to the target virus identification level, and selecting the associated file from a plurality of executable files according to the preset associated file selection rule and the target node information, wherein the preset associated file selection rule can be set by a user in a self-defined mode.
The step of selecting the associated file from the multiple executable files according to the preset associated file selection rule and the target node information may be to acquire node information corresponding to the multiple executable files, then determine associated node information according to the multiple node information and the target node information, and finally select the associated file from the multiple executable files according to the preset associated file selection rule and the associated node information.
In this embodiment, when user behavior analysis is performed, a time dimension is introduced into the user process tree and added to each process to form a dynamic process tree, so that one-dimensional data is converted into two-dimensional data for correlation analysis and the virus file can be determined. Assume that the multiple executable files corresponding to the process start time are executable files A0, A1 and A2, executable files B0, B1 and B2, and executable files C0, C1 and C2, where A0 is the parent node of A1 and A2 is a child node of A1; B0 is the parent node of B1 and B2 is a child node of B1; and C0 is the parent node of C1 and C2 is a child node of C1. If B1 is a virus file, the associated files of B1 may be B0 and B2, or may be executable files A0, A1 and A2, executable files B0 and B2, executable files C0, C1 and C2, etc.
Assuming that B1 is a complete virus file, the associated files of B1 may be executable files A0, A1, and A2, executable files B0 and B2, and executable files C0, C1, and C2; assuming that B1 is a moderate virus file or a severe virus file, the associated files of executable file B1 may be B0, B2, and so on.
After the step of selecting the associated file from the plurality of executable files according to the preset associated file selection rule and the associated node information, acquiring associated file name information of the associated file, judging whether the associated file name information meets a preset naming condition, when the associated file name information meets the preset naming condition, performing file content analysis on the associated file to obtain associated file type information, judging whether the associated file type information meets a preset type condition, and when the associated file type information meets the preset type condition, judging that the associated file meets a virus detection condition and the like.
In this embodiment, a virus scoring result is determined according to the identification information, a target virus identification level is determined according to the virus scoring result, a target file is selected from the executable files according to the target virus identification level, and an associated file is determined according to the target file. In the prior art, only the current target file can be analyzed and the associated virus files cannot be accurately searched for; in this embodiment, the associated file is determined according to the target file and analyzed, which improves the working efficiency of searching for virus files.
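The selection logic of this second embodiment can be illustrated as follows. This is an added example, not code from the patent: the score bands and the A/B/C process trees come from the description, while the names `Executable`, `level_for_score`, `select_targets` and `associated_files`, the sample scores, and the reading of the narrower rule as "ancestors and descendants of the target" are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Score bands quoted in the description (1-10 scale).
LEVEL_TABLE = [(1, 4, "safe"), (5, 6, "moderate"), (7, 8, "severe"), (9, 10, "complete")]
LEVEL_RANK = {"safe": 0, "moderate": 1, "severe": 2, "complete": 3}


@dataclass(frozen=True)
class Executable:
    name: str
    score: int                    # virus scoring result
    parent: Optional[str] = None  # parent node in the process tree, if any


def level_for_score(score: int) -> str:
    """Look up the virus identification level in the mapping table."""
    for low, high, level in LEVEL_TABLE:
        if low <= score <= high:
            return level
    raise ValueError(f"score {score} is outside the 1-10 scale")


def select_targets(files: Dict[str, Executable], security_level: str = "safe") -> List[str]:
    """Target files are those rated above the preset security identification level."""
    floor = LEVEL_RANK[security_level]
    return [f.name for f in files.values()
            if LEVEL_RANK[level_for_score(f.score)] > floor]


def ancestors(files: Dict[str, Executable], name: str) -> List[str]:
    """Walk parent links; stop at roots, at parents outside the scan window, and on cycles."""
    found, seen = [], {name}
    parent = files[name].parent
    while parent is not None and parent in files and parent not in seen:
        found.append(parent)
        seen.add(parent)
        parent = files[parent].parent
    return found


def descendants(files: Dict[str, Executable], name: str) -> List[str]:
    """Collect every node below `name` in the process tree."""
    children: Dict[str, List[str]] = {}
    for f in files.values():
        if f.parent is not None:
            children.setdefault(f.parent, []).append(f.name)
    found, seen, stack = [], {name}, list(children.get(name, []))
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        found.append(current)
        stack.extend(children.get(current, []))
    return found


def associated_files(files: Dict[str, Executable], target: str) -> List[str]:
    """Associated-file rule chosen by the target's level (assumed reading of the text)."""
    level = level_for_score(files[target].score)
    if level == "safe":
        return []  # not a target file, nothing to associate
    if level == "complete":
        # Widest rule: every other executable started in the same scan window.
        return sorted(n for n in files if n != target)
    # Moderate or severe: only the target's own chain in the process tree.
    return sorted(ancestors(files, target) + descendants(files, target))


def build_sample(b1_score: int) -> Dict[str, Executable]:
    """Constructed sample: three chains A0>A1>A2, B0>B1>B2, C0>C1>C2."""
    rows = [("A0", 2, None), ("A1", 3, "A0"), ("A2", 1, "A1"),
            ("B0", 2, None), ("B1", b1_score, "B0"), ("B2", 1, "B1"),
            ("C0", 1, None), ("C1", 2, "C0"), ("C2", 4, "C1")]
    return {name: Executable(name, score, parent) for name, score, parent in rows}


if __name__ == "__main__":
    for score in (6, 10):
        sample = build_sample(score)
        for target in select_targets(sample):
            print(score, target, level_for_score(score), associated_files(sample, target))
```
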
Referring to fig. 4, fig. 4 is a flowchart illustrating a method for determining a virus file according to a third embodiment of the present invention.
Based on the first embodiment, in this embodiment, the step S40 further includes:
Step S401: acquiring the MD5 code corresponding to the associated file.
It should be understood that each executable file has a corresponding MD5 code, and that when a virus occurs in an executable file, the MD5 corresponding to the executable file will also change.
In a specific implementation, in order to accurately perform virus detection on a related file corresponding to a target file, an MD5 code or the like corresponding to each related file at the current time needs to be acquired first.
Step S402: detecting the MD5 code according to a preset virus detection rule to obtain an MD5 code detection result.
The preset virus detection rule may be set by a user in a self-defined manner; it may be virus detection performed on the associated file by a professional, or virus detection based on key information obtained for the associated file, and the like.
It should be noted that the MD5 code detection result may be MD5 code detection success information or MD5 code detection failure information, and the MD5 code detection result may further include a dangerous virus score, etc.
Assume that executable files A0, A1 and A2 corresponding to the process start time are security files whose identification information is a green identifier, executable files B0 and B2 are security files whose identification information is a gray identifier, and B1 is a virus file whose identification information is a red identifier, where A0 is the parent node of A1, A2 is a child node of A1, B0 is the parent node of B1, and B2 is a child node of B1. B1 is known to be a virus file, and its associated files may be B0 and B2; in this example the associated files of B1 are executable files A0, A1 and A2 and executable files B0 and B2, so the MD5 codes corresponding to A0, A1, A2, B0 and B2 need to be obtained and compared with the MD5 codes in a pre-stored virus library. When the MD5 code of A0 is successfully found in the pre-stored virus library, information such as a dangerous virus score of 1 for A0 and MD5 code detection success is output; when the MD5 codes of A1, A2, B0 and B2 are not found in the pre-stored virus library, information such as a dangerous virus score of 0 for A1, A2, B0 and B2 and MD5 code detection failure is output.
Step S403: determining the virus file according to the MD5 code detection result.
The step of determining the virus file according to the MD5 code detection result may be to obtain a dangerous virus score according to the MD5 code detection result, then perform identification processing on the associated file according to the dangerous virus score to obtain associated identification information, and finally determine the virus file according to the associated identification information and the associated file.
Assuming that the MD5 code detection result of A0 is a dangerous virus score of 1 and MD5 code detection success information, A0 is taken as a virus file. The MD5 codes corresponding to executable files A1, A2, B0 and B2 cannot be found in the pre-stored virus library, so their MD5 code detection results are a dangerous virus score of 0 and MD5 code detection failure information. Virus detection is then performed on A1, A2, B0 and B2 by a professional analyst, and when the analyst detects viruses in A1 and A2, the green identifiers of A1 and A2 are converted into red identifiers, so that the final virus files are A0, A1 and A2.
In this embodiment, the MD5 code corresponding to the associated file is first obtained, then the MD5 code is detected according to the preset virus detection rule to obtain the MD5 code detection result, and finally the virus file is determined according to the MD5 code detection result, so that the virus file is accurately searched, and the user experience is improved.
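Steps S401 to S403 can be illustrated with the A0/A1/A2/B0/B2 example above. This is an added example, not code from the patent: the file contents, the one-entry virus library and the analyst verdicts are constructed sample data, and the names `Md5Result`, `detect` and `determine_virus_files` are assumptions. It also shows why library misses are handed to an analyst: a single changed byte gives a different MD5 code, so an exact-match lookup only recognizes byte-identical known samples.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Md5Result:
    md5: str
    score: int     # dangerous virus score: 1 on a library hit, 0 on a miss
    success: bool  # MD5 code detection success / failure


def md5_of(content: bytes) -> str:
    """MD5 code of a file's content (MD5 is the digest the description names)."""
    return hashlib.md5(content).hexdigest()


def detect(associated: Dict[str, bytes], library: Set[str]) -> Dict[str, Md5Result]:
    """Step S402: compare each associated file's MD5 code with the pre-stored library."""
    results = {}
    for name, content in associated.items():
        digest = md5_of(content)
        hit = digest in library
        results[name] = Md5Result(digest, 1 if hit else 0, hit)
    return results


def determine_virus_files(
    target: str,
    identifiers: Dict[str, str],
    results: Dict[str, Md5Result],
    analyst_verdicts: Dict[str, bool],
) -> Tuple[List[str], Dict[str, str], List[str]]:
    """Step S403: re-mark files and return (virus files, identifiers, analyst queue)."""
    marks = dict(identifiers)
    marks[target] = "red"  # the target file is already known to be a virus file
    # Files whose MD5 code was not in the library go to manual analysis.
    queue = [name for name, res in results.items() if not res.success]
    for name, res in results.items():
        if res.score >= 1:
            marks[name] = "red"  # library hit: green/gray identifier becomes red
    for name in queue:
        if analyst_verdicts.get(name, False):
            marks[name] = "red"  # analyst confirmed a virus
    virus_files = sorted(name for name, color in marks.items() if color == "red")
    return virus_files, marks, queue


# Constructed sample data: stand-in file contents for the associated files of B1.
CONTENTS = {
    "A0": b"constructed sample bytes for A0",
    "A1": b"constructed sample bytes for A1",
    "A2": b"constructed sample bytes for A2",
    "B0": b"constructed sample bytes for B0",
    "B2": b"constructed sample bytes for B2",
}
LIBRARY = {md5_of(CONTENTS["A0"])}  # pre-stored virus library knows only A0
IDENTIFIERS = {"A0": "green", "A1": "green", "A2": "green",
               "B0": "gray", "B1": "red", "B2": "gray"}
# Stand-in for the professional analyst's manual findings.
ANALYST_VERDICTS = {"A1": True, "A2": True, "B0": False, "B2": False}


def run_example() -> List[str]:
    results = detect(CONTENTS, LIBRARY)
    virus_files, _, _ = determine_virus_files("B1", IDENTIFIERS, results, ANALYST_VERDICTS)
    return virus_files


if __name__ == "__main__":
    print(run_example())
```
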
Referring to fig. 5, fig. 5 is a block diagram illustrating a first embodiment of the apparatus for determining a virus file according to the present invention.
As shown in fig. 5, the apparatus for determining a virus file according to the embodiment of the present invention includes:
an obtaining module 5001, configured to start a scanning process according to a scan file start instruction when the scan file start instruction is received, and obtain a start time of the scanning process;
the obtaining module 5001 is further configured to obtain, when the scanning process is stopped, a plurality of executable files and identification information of the plurality of executable files corresponding to the starting time of the scanning process;
a selecting module 5002, configured to select a target file from the multiple executable files according to the identification information, and determine an associated file according to the target file;
a determining module 5003, configured to detect the associated file according to a preset virus detection rule, so as to determine a virus file.
In this embodiment, when a scan file start instruction is received, a scanning process is started according to the instruction and the start time of the scanning process is obtained; when the scanning process stops, a plurality of executable files corresponding to the start time of the scanning process and the identification information of the executable files are obtained; a target file is then selected from the executable files according to the identification information and an associated file is determined according to the target file; finally, the associated file is detected according to a preset virus detection rule to determine a virus file. In the prior art, only the correlation among processes can be checked and the virus file cannot be accurately determined. In this embodiment, by contrast, the target file is determined from the executable files corresponding to the start time of the scanning process, the associated file is determined according to the target file, and the associated file is detected according to the preset virus detection rule to determine the virus file, which improves the accuracy and efficiency of searching for virus files and further improves the user experience.
Further, the selecting module 5002 is further configured to determine a virus scoring result according to the identification information, and determine a target virus identification level according to the virus scoring result;
the selecting module 5002 is further configured to select a target file from the plurality of executable files according to the target virus identification level.
Further, the selecting module 5002 is further configured to search a sample virus identification level from a virus identification level mapping relation table according to the virus scoring result, and use the sample virus identification level as a target virus identification level corresponding to the identification information, where the virus identification level mapping relation table includes a plurality of identification information and a plurality of sample virus identification levels.
Further, the selecting module 5002 is further configured to determine whether the target virus identifier level is higher than a preset security identifier level;
the selecting module 5002 is further configured to determine a preset virus file selecting rule according to the target virus identification level when the target virus identification level is higher than the preset security identification level;
the selecting module 5002 is further configured to select a target file from the multiple executable files according to the preset virus file selecting rule.
Further, the selecting module 5002 is further configured to determine target node information of the target file;
the selecting module 5002 is further configured to determine an associated file according to the target virus identification level and the target node information.
Further, the selecting module 5002 is further configured to determine a preset associated file selecting rule according to the target virus identification level;
the selecting module 5002 is further configured to select an associated file from the multiple executable files according to the preset associated file selecting rule and the target node information.
Further, the selecting module 5002 is further configured to obtain node information corresponding to the plurality of executable files;
the selecting module 5002 is further configured to determine associated node information according to the multiple node information and the target node information;
the selecting module 5002 is further configured to select an associated file from the plurality of executable files according to the preset associated file selecting rule and the associated node information.
Further, the selecting module 5002 is further configured to perform file content analysis on the associated file to obtain associated file type information;
the selecting module 5002 is further configured to determine whether the associated file type information meets a preset type condition;
the selecting module 5002 is further configured to, when the associated file type information meets the preset type condition, execute the operation of detecting the associated file according to a preset virus detection rule to determine a virus file.
Further, the selecting module 5002 is further configured to obtain associated file name information of the associated file;
the selecting module 5002 is further configured to determine whether the associated file name information meets a preset naming condition;
the selecting module 5002 is further configured to execute the operation of performing file content analysis on the associated file to obtain associated file type information when the associated file name information meets the preset naming condition.
Further, the determining module 5003 is further configured to obtain an MD5 code corresponding to the associated file;
the determining module 5003 is further configured to detect the MD5 code according to a preset virus detection rule to obtain an MD5 code detection result;
the determining module 5003 is further configured to determine a virus file according to the MD5 code detection result.
Further, the determining module 5003 is further configured to obtain a dangerous virus score according to the MD5 code detection result;
the determining module 5003 is further configured to perform identification processing on the associated file according to the dangerous virus scores to obtain associated identification information;
the determining module 5003 is further configured to determine a virus file according to the association identifier information and the association file.
Further, the obtaining module 5001 is further configured to obtain a plurality of initial files corresponding to the starting time of the scanning process, and obtain file key information of the plurality of initial files;
the obtaining module 5001 is further configured to select multiple executable files from multiple initial files according to a preset executable file selection rule and the file key information, and obtain identification information of the multiple executable files.
Other embodiments or specific implementation manners of the apparatus for determining a virus file according to the present invention may refer to the above method embodiments, and are not described herein again.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention or portions thereof contributing to the prior art may be embodied in the form of a software product, where the computer software product is stored in a storage medium (such as a ROM/RAM, a magnetic disk, and an optical disk), and includes several instructions for enabling a terminal device (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention, and all equivalent structures or equivalent processes performed by the present invention or directly or indirectly applied to other related technical fields are also included in the scope of the present invention.
The invention also discloses A1, a method for determining a virus file, wherein the method for determining the virus file comprises the following steps:
when a scanning file starting instruction is received, starting a scanning process according to the scanning file starting instruction, and obtaining the starting time of the scanning process;
when a scanning process stops, acquiring a plurality of executable files corresponding to the starting time of the scanning process and identification information of the executable files;
selecting a target file from a plurality of executable files according to the identification information, and determining an associated file according to the target file;
and detecting the associated file according to a preset virus detection rule to determine a virus file.
A2, the method of claim A1, wherein the step of selecting the target file from the plurality of executable files based on the identification information comprises:
determining a virus scoring result according to the identification information, and determining a target virus identification grade according to the virus scoring result;
and selecting a target file from the executable files according to the target virus identification level.
A3, the method of claim A2, the step of determining a target virus identification rating based on the virus scoring results, comprising:
and searching a sample virus identification grade from a virus identification grade mapping relation table according to the virus grading result, and taking the sample virus identification grade as a target virus identification grade corresponding to the identification information, wherein the virus identification grade mapping relation table has a plurality of identification information and a plurality of sample virus identification grades.
A4, the method of claim A2, wherein the step of selecting the target file from a plurality of executable files according to the target virus identification level comprises:
judging whether the target virus identification level is higher than a preset safety identification level or not;
when the target virus identification level is higher than the preset safety identification level, determining a preset virus file selection rule according to the target virus identification level;
and selecting a target file from the executable files according to the preset virus file selection rule.
A5, the method of any one of claims A2-A4, the step of determining associated files from the target files comprising:
determining target node information of the target file;
and determining an associated file according to the target virus identification level and the target node information.
A6, the method of claim A5, the step of determining an associated file based on the target virus identification level and the target node information, comprising:
determining a preset associated file selection rule according to the target virus identification level;
and selecting the associated file from the executable files according to the preset associated file selection rule and the target node information.
A7, the method of claim A6, wherein the step of selecting the associated file from the executable files according to the preset associated file selection rule and the target node information comprises:
acquiring node information corresponding to a plurality of executable files;
determining associated node information according to the plurality of node information and the target node information;
and selecting the associated file from the plurality of executable files according to the preset associated file selection rule and the associated node information.
A8, the method according to claim A7, wherein the step of selecting the associated file from the executable files according to the preset associated file selecting rule and the associated node information further comprises:
analyzing the content of the associated file to obtain the type information of the associated file;
judging whether the associated file type information meets a preset type condition or not;
and when the associated file type information meets the preset type condition, executing the step of detecting the associated file according to a preset virus detection rule to determine a virus file.
A9, the method of claim A8, wherein the step of analyzing the content of the associated file to obtain the associated file type information further comprises:
acquiring associated file name information of the associated file;
judging whether the associated file name information meets a preset naming condition or not;
and when the associated file name information meets the preset naming condition, executing the step of analyzing the file content of the associated file to obtain associated file type information.
A10, the method of claim A1, wherein the step of detecting the associated file according to the preset virus detection rule to determine the virus file comprises:
acquiring an MD5 code corresponding to the associated file;
detecting the MD5 code according to a preset virus detection rule to obtain an MD5 code detection result;
and determining the virus file according to the MD5 code detection result.
A11, the method of claim A10, the step of determining virus files based on the MD5 code test result includes:
obtaining a dangerous virus score according to the MD5 code detection result;
performing identification processing on the associated file according to the dangerous virus scores to obtain associated identification information;
and determining a virus file according to the associated identification information and the associated file.
A12, the method according to claim A1, wherein the step of obtaining the executable files and the identification information of the executable files corresponding to the starting time of the scanning process includes:
acquiring a plurality of initial files corresponding to the starting time of the scanning process, and acquiring file key information of the plurality of initial files;
and selecting a plurality of executable files from the plurality of initial files according to a preset executable file selection rule and the file key information, and acquiring identification information of the plurality of executable files.
The invention also discloses B13, a virus file determining device, which comprises:
the acquisition module is used for starting a scanning process according to a scanning file starting instruction when the scanning file starting instruction is received, and acquiring the starting time of the scanning process;
the acquisition module is further configured to acquire, when the scanning process is stopped, a plurality of executable files and identification information of the plurality of executable files corresponding to the starting time of the scanning process;
the selecting module is used for selecting a target file from a plurality of executable files according to the identification information and determining an associated file according to the target file;
and the determining module is used for detecting the associated file according to a preset virus detection rule so as to determine the virus file.
B14, the apparatus according to claim B13, wherein the selecting module is further configured to determine a virus scoring result according to the identification information, and determine a target virus identification level according to the virus scoring result;
the selecting module is further configured to select a target file from the plurality of executable files according to the target virus identification level.
B15, the apparatus according to claim B14, wherein the selecting module is further configured to search a sample virus identification level from a virus identification level mapping relationship table according to the virus scoring result, and use the sample virus identification level as a target virus identification level corresponding to the identification information, where the virus identification level mapping relationship table includes a plurality of identification information and a plurality of sample virus identification levels.
B16, the apparatus of claim B14, wherein the selecting module is further configured to determine whether the target virus identification level is higher than a preset safety identification level;
the selecting module is further used for determining a preset virus file selecting rule according to the target virus identification grade when the target virus identification grade is higher than the preset safety identification grade;
the selection module is further used for selecting a target file from the executable files according to the preset virus file selection rule.
B17, the apparatus of any one of claims B14-B16, wherein the selecting module is further configured to determine target node information of the target file;
and the selection module is also used for determining an associated file according to the target virus identification level and the target node information.
B18, the apparatus of claim B17, the selecting module further configured to determine a preset associated file selecting rule according to the target virus identification level;
the selecting module is further configured to select an associated file from the plurality of executable files according to the preset associated file selecting rule and the target node information.
The invention also discloses C19, a virus file determining device, which comprises: a memory, a processor and a virus file determination program stored on the memory and executable on the processor, the virus file determination program being configured to implement the steps of the virus file determination method as described above.
The invention also discloses D20, a storage medium having stored thereon a virus file determination program which, when executed by a processor, implements the steps of the virus file determination method as described above.

Claims (10)

1. A method for determining a virus file is characterized by comprising the following steps:
when a scanning file starting instruction is received, starting a scanning process according to the scanning file starting instruction, and obtaining the starting time of the scanning process;
when a scanning process stops, acquiring a plurality of executable files corresponding to the starting time of the scanning process and identification information of the executable files;
selecting a target file from a plurality of executable files according to the identification information, and determining an associated file according to the target file;
and detecting the associated file according to a preset virus detection rule to determine a virus file.
2. The method of claim 1, wherein the step of selecting a target file from a plurality of executable files based on the identification information comprises:
determining a virus scoring result according to the identification information, and determining a target virus identification grade according to the virus scoring result;
and selecting a target file from the executable files according to the target virus identification level.
3. The method of claim 2, wherein the step of selecting a target file from a plurality of executable files based on the target virus identification level comprises:
judging whether the target virus identification level is higher than a preset safety identification level or not;
when the target virus identification level is higher than the preset safety identification level, determining a preset virus file selection rule according to the target virus identification level;
and selecting a target file from the executable files according to the preset virus file selection rule.
4. A method according to any of claims 2-3, wherein the step of determining an associated file according to the target file comprises:
determining target node information of the target file;
and determining an associated file according to the target virus identification level and the target node information.
5. The method of claim 4, wherein the step of determining an associated file based on the target virus identification level and the target node information comprises:
determining a preset associated file selection rule according to the target virus identification grade;
and selecting the associated file from the plurality of executable files according to the preset associated file selection rule and the target node information.
6. The method of claim 1, wherein the step of detecting the associated file according to a preset virus detection rule to determine a virus file comprises:
acquiring an MD5 code corresponding to the associated file;
detecting the MD5 code according to a preset virus detection rule to obtain an MD5 code detection result;
and determining the virus file according to the MD5 code detection result.
7. The method of claim 1, wherein the step of obtaining the executable files and the identification information of the executable files corresponding to the starting time of the scanning process comprises:
acquiring a plurality of initial files corresponding to the starting time of the scanning process, and acquiring file key information of the plurality of initial files;
and selecting a plurality of executable files from the plurality of initial files according to a preset executable file selection rule and the file key information, and acquiring identification information of the plurality of executable files.
8. An apparatus for determining a virus file, comprising:
the acquisition module is used for starting a scanning process according to a scanning file starting instruction when the scanning file starting instruction is received, and acquiring the starting time of the scanning process;
the acquisition module is further configured to acquire a plurality of executable files and identification information of the executable files corresponding to the starting time of the scanning process when the scanning process is stopped;
the selecting module is used for selecting a target file from a plurality of executable files according to the identification information and determining an associated file according to the target file;
and the determining module is used for detecting the associated file according to a preset virus detection rule so as to determine the virus file.
9. An apparatus for determining a virus file, the apparatus comprising: a memory, a processor and a program for determining a virus file stored on said memory and executable on said processor, said program for determining a virus file being configured to implement the steps of the method for determining a virus file according to any one of claims 1 to 7.
10. A storage medium having stored thereon a virus file determination program which, when executed by a processor, implements the steps of the virus file determination method according to any one of claims 1 to 7.
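The flow of claims 1 to 6 (score, identification level, target selection, associated-file selection, MD5 lookup), as an added Python example that is not part of the patent text. The level table, safety level, association rule, MD5 list and the reading of "node information" as a directory path are all assumptions constructed for illustration; the claims name these items without defining them.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PurePosixPath

@dataclass(frozen=True)
class ExeFile:
    path: str       # assumption: stands in for the claim's "node information"
    score: int      # virus scoring result derived from identification information
    content: bytes  # file bytes, hashed only if the file is an associated file

# Constructed values: the claims name these tables and rules but do not define them.
LEVEL_TABLE = [(80, 3), (50, 2), (20, 1)]  # (minimum score, identification level)
SAFETY_LEVEL = 1                           # preset safety identification level

def md5_code(data: bytes) -> str:
    return hashlib.md5(data, usedforsecurity=False).hexdigest()

KNOWN_BAD_MD5 = {md5_code(b"constructed-dropper-payload"): 90}  # MD5 -> danger score

def level_for(score: int) -> int:
    """Claim 2: map a score to an identification level via the table."""
    return next((lvl for floor, lvl in LEVEL_TABLE if score >= floor), 0)

def select_targets(files):
    """Claim 3: keep only files whose level exceeds the safety level."""
    return [f for f in files if level_for(f.score) > SAFETY_LEVEL]

def associated_files(target, files):
    """Claims 4-5: level 2 takes files under the target's directory,
    level 3 widens the node to that directory's parent."""
    node = PurePosixPath(target.path).parent
    if level_for(target.score) >= 3:
        node = node.parent
    return [f for f in files
            if f is not target and node in PurePosixPath(f.path).parents]

def detect(files):
    """Claim 6: MD5 lookup on associated files; returns {path: danger score}."""
    hits = {}
    for target in select_targets(files):
        for f in associated_files(target, files):
            score = KNOWN_BAD_MD5.get(md5_code(f.content))
            if score is not None:
                hits[f.path] = score
    return hits

SAMPLE = [  # constructed scan result
    ExeFile("/opt/app/bin/loader", 85, b"constructed-loader"),
    ExeFile("/opt/app/lib/helper.so", 10, b"constructed-dropper-payload"),
    ExeFile("/home/u/tool", 55, b"constructed-tool"),
    ExeFile("/tmp/x/payload", 0, b"constructed-dropper-payload"),
]
```

In the sample, `helper.so` scores low on its own and is flagged only because it is associated with the high-level `loader`; `/tmp/x/payload` has the same listed MD5 but is never hashed, since no target file is associated with it.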
CN202110232983.1A 2021-03-02 2021-03-02 Method, device and equipment for determining virus file and storage medium Pending CN114996698A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110232983.1A CN114996698A (en) 2021-03-02 2021-03-02 Method, device and equipment for determining virus file and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110232983.1A CN114996698A (en) 2021-03-02 2021-03-02 Method, device and equipment for determining virus file and storage medium

Publications (1)

Publication Number Publication Date
CN114996698A (en) 2022-09-02

Family

ID=83018378

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110232983.1A Pending CN114996698A (en) 2021-03-02 2021-03-02 Method, device and equipment for determining virus file and storage medium

Country Status (1)

Country Link
CN (1) CN114996698A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116861428A (en) * 2023-09-04 2023-10-10 北京安天网络安全技术有限公司 Malicious detection method, device, equipment and medium based on associated files
CN116861428B (en) * 2023-09-04 2023-12-08 北京安天网络安全技术有限公司 Malicious detection method, device, equipment and medium based on associated files

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination