CN115688099A - Computer virus retrieval method and device, computer equipment and storage medium - Google Patents
- Publication number: CN115688099A
- Application number: CN202211357154.7A
- Authority: CN (China)
- Prior art keywords: virus, retrieval, detected, file, hash
- Legal status: Pending
- Landscapes: Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The application provides a computer virus retrieval method and device, computer equipment and a storage medium. It relates to the technical field of computing security and is used to improve the efficiency of retrieving computer viruses. The method mainly comprises the following steps: establishing a retrieval intermediate layer, and judging, based on the retrieval intermediate layer, whether the threat intelligence library contains the virus intelligence information of the file to be detected.
Description
Technical Field
The present application relates to the field of network security technologies, and in particular, to a computer virus retrieval method and apparatus, a computer device, and a storage medium.
Background
Conventional computer virus detection is based on feature codes (signatures). The features of every known virus are analysed, the feature codes of the computer viruses are collected and stored in a virus feature database, and during detection the file to be detected is scanned and compared one by one against the feature codes in that database. If an identical feature code is found, the file is judged to be infected. Threat data enrichment then follows: the virus feature code is looked up in a threat intelligence database by traversal to obtain more detailed virus description information, and finally the threat detection result is output.
However, in this conventional data enrichment process, in which the threat intelligence library is retrieved according to the feature codes of computer viruses, the processing efficiency is governed by the data volume of the threat intelligence library. With the rapid development of the information era, the variety, characteristics, behaviours and other information of viruses have grown enormously, so the volume of data in the threat intelligence library keeps increasing, and the efficiency of retrieving computer viruses from the threat intelligence library suffers.
Disclosure of Invention
The embodiment of the application provides a computer virus retrieval method and device, computer equipment and a storage medium, which are used for improving the retrieval efficiency of computer viruses.
An embodiment of the invention provides a computer virus retrieval method, which comprises the following steps:
establishing a retrieval intermediate layer; and judging, based on the retrieval intermediate layer, whether the threat intelligence library contains the virus intelligence information of the file to be detected.
In an optional embodiment, the judging, based on the retrieval intermediate layer, whether the threat intelligence library contains the virus intelligence information of the file to be detected comprises:
acquiring the virus feature code of the file to be detected;
hashing the virus feature code of the file to be detected with each of a plurality of random mapping functions to obtain a plurality of hash subscripts;
and looking up, according to the plurality of hash subscripts, whether the retrieval intermediate layer contains the virus feature code of the file to be detected, so as to determine whether the threat intelligence library contains the virus intelligence information of the file to be detected.
In an optional embodiment, the looking up, according to the plurality of hash subscripts, whether the retrieval intermediate layer contains the virus feature code of the file to be detected, so as to determine whether the threat intelligence library contains the virus intelligence information of the file to be detected, comprises:
obtaining the values at the plurality of hash subscripts in the binary bit array of the retrieval intermediate layer;
if the values at the hash subscripts are all 1, determining that the threat intelligence library contains the virus intelligence information of the file to be detected;
and if any of the values at the hash subscripts is 0, determining that the threat intelligence library does not contain the virus intelligence information of the file to be detected.
In an optional embodiment, the establishing a retrieval intermediate layer comprises:
initializing a binary bit array in which the value at every index position is initially 0;
hashing the virus feature code of each known virus with each of a plurality of random mapping functions to obtain the plurality of hash subscripts corresponding to that virus feature code;
and setting the binary bit array to 1 at the index positions given by the hash subscripts of the virus feature codes of the plurality of known viruses.
In an optional embodiment, the method further comprises:
if the threat intelligence library is judged to contain the virus intelligence information of the file to be detected, retrieving from the threat intelligence library the detailed virus description information corresponding to the virus feature code of the file to be detected;
and if the threat intelligence library does not contain the virus intelligence information of the file to be detected, filtering out the virus retrieval for the file to be detected.
In an optional embodiment, the method further comprises:
when the number of known viruses newly added to the threat intelligence library exceeds a preset value, judging whether the newly added known viruses fall within the storage range that the current retrieval intermediate layer can accommodate;
if the newly added known viruses can be accommodated within the storage range of the current retrieval intermediate layer, hashing the virus feature code of each newly added known virus with the original plurality of random mapping functions of the retrieval intermediate layer to obtain the plurality of hash subscripts corresponding to that virus feature code;
setting the index positions given by the hash subscripts of the virus feature codes of the newly added known viruses to 1, where an index position whose value is already 1 is skipped and an index position whose value is 0 is set to 1, so as to obtain the binary bit array updated with the virus feature codes of the newly added known viruses;
and forming the updated retrieval intermediate layer from the updated binary bit array and the original plurality of random mapping functions.
In an optional embodiment, the method further comprises:
if the newly added known viruses are not within the storage range that the current retrieval intermediate layer can accommodate and the binary bit array of the current retrieval intermediate layer no longer meets the storage requirement, re-determining the length of the binary bit array and the number of random mapping functions according to the number of newly added known viruses, and re-establishing the retrieval intermediate layer.
An embodiment of the invention provides a computer virus retrieval device, which comprises:
an establishing module, configured to establish a retrieval intermediate layer;
and a judging module, configured to judge, based on the retrieval intermediate layer, whether the threat intelligence library contains the virus intelligence information of the file to be detected.
In an optional embodiment, the judging module specifically comprises:
an acquisition unit, configured to acquire the virus feature code of the file to be detected;
a calculation unit, configured to hash the virus feature code of the file to be detected with each of a plurality of random mapping functions to obtain a plurality of hash subscripts;
and a determining unit, configured to look up, according to the hash subscripts, whether the retrieval intermediate layer contains the virus feature code of the file to be detected, so as to determine whether the threat intelligence library contains the virus intelligence information of the file to be detected.
In an optional embodiment, the determining unit is specifically configured to:
obtain the values at the plurality of hash subscripts in the binary bit array of the retrieval intermediate layer;
if the values at the hash subscripts are all 1, determine that the threat intelligence library contains the virus intelligence information of the file to be detected;
and if any of the values at the hash subscripts is 0, determine that the threat intelligence library does not contain the virus intelligence information of the file to be detected.
In an optional embodiment, the establishing module is specifically configured to:
initialize a binary bit array in which the value at every index position is initially 0;
hash the virus feature code of each known virus with each of a plurality of random mapping functions to obtain the plurality of hash subscripts corresponding to that virus feature code;
and set the binary bit array to 1 at the index positions given by the hash subscripts of the virus feature codes of the plurality of known viruses.
In an optional embodiment, the device further comprises:
a retrieval module, configured to retrieve from the threat intelligence library the detailed virus description information corresponding to the virus feature code of the file to be detected if the threat intelligence library is judged to contain the virus intelligence information of the file to be detected;
and a filtering module, configured to filter out the virus retrieval for the file to be detected if the threat intelligence library does not contain the virus intelligence information of the file to be detected.
In an optional embodiment, when the number of known viruses newly added to the threat intelligence library exceeds a preset value, whether the newly added known viruses fall within the storage range that the current retrieval intermediate layer can accommodate is judged;
if the newly added known viruses are within the storage range that the current retrieval intermediate layer can accommodate, the virus feature code of each newly added known virus is hashed with the original random mapping functions of the retrieval intermediate layer to obtain the plurality of hash subscripts corresponding to that virus feature code;
the index positions given by the hash subscripts of the virus feature codes of the newly added known viruses are set to 1, where an index position whose value is already 1 is skipped and an index position whose value is 0 is set to 1, so as to obtain the binary bit array updated with the virus feature codes of the newly added known viruses;
and the updated retrieval intermediate layer is formed from the updated binary bit array and the original plurality of random mapping functions.
If the newly added known viruses are not within the storage range that the current retrieval intermediate layer can accommodate and the binary bit array of the current retrieval intermediate layer no longer meets the storage requirement, the length of the binary bit array and the number of random mapping functions are re-determined according to the number of newly added known viruses, and the retrieval intermediate layer is re-established.
A computer device comprising a memory, a processor and a computer program stored in said memory and executable on said processor, said processor implementing the above computer virus retrieval method when executing said computer program.
A computer-readable storage medium, which stores a computer program that, when executed by a processor, implements the above-described computer virus retrieval method.
A computer program product comprising a computer program which, when executed by a processor, implements the computer virus retrieval method described above.
The invention provides a computer virus retrieval method, a computer virus retrieval device, computer equipment and a storage medium, wherein a retrieval intermediate layer is established, and whether virus information of a file to be detected is contained in a threat information library or not is judged based on the retrieval intermediate layer. The invention designs the retrieval intermediate layer between the virus characteristic code and the threat information library, can realize the quick judgment of whether the virus information of the file to be detected exists in the threat information library, and achieves the purpose of greatly improving the retrieval efficiency of threat data in the virus detection process.
Drawings
FIG. 1 is a flow chart of a computer virus retrieval method provided by the present application;
FIG. 2 is a flow chart of judging whether the threat intelligence library contains the virus intelligence information of a file to be detected, provided by the present application;
FIG. 3 is a schematic diagram of the binary bit array arrangement provided by the present application;
FIG. 4 is a flow chart of another computer virus retrieval method provided by the present application;
FIG. 5 is a schematic structural diagram of a computer virus retrieval device provided by the present application;
FIG. 6 is a schematic diagram of a computer device provided by the present application.
Detailed Description
In order to better understand the technical solutions of the embodiments of the present application, the following detailed descriptions are provided with accompanying drawings and specific embodiments, and it should be understood that the specific features in the embodiments and examples of the present application are detailed descriptions of the technical solutions of the embodiments of the present application, but not limitations of the technical solutions of the present application, and the technical features in the embodiments and examples of the present application may be combined with each other without conflict.
Referring to fig. 1, a computer virus retrieval method according to an embodiment of the present invention comprises steps S10 to S20:
S10, establishing a retrieval intermediate layer.
The retrieval intermediate layer is a data structure consisting of a long binary bit array and a series of random mapping functions (unbiased hash functions). The binary bit array records, at the subscript positions given by the hash values of the virus feature codes, whether those feature codes have been stored; the random mapping functions hash the sample data into uniformly distributed hash values, so that the subscripts derived from them are spread evenly over the binary bit array.
Specifically, establishing the retrieval intermediate layer comprises the following steps: initializing a binary bit array in which the value at every index position is initially 0; hashing the virus feature code of each known virus with each of a plurality of random mapping functions to obtain the plurality of hash subscripts corresponding to that virus feature code; and setting the binary bit array to 1 at the index positions given by the hash subscripts of the virus feature codes of the plurality of known viruses. The length of the binary bit array and the number of random mapping functions are in direct proportion to the accuracy with which the presence of virus intelligence in the threat intelligence library is judged.
For example, if 01010101110101101 is a virus feature code and the hash random mapping function yields the subscript 15, the virus feature code is recorded by setting index position 15 of the binary bit array of the retrieval intermediate layer to 1.
S20, judging, based on the retrieval intermediate layer, whether the threat intelligence library contains the virus intelligence information of the file to be detected.
In this embodiment, the hash values of the plurality of random mapping functions are computed for the virus feature code of the file to be detected, and the values at the corresponding positions of the binary bit array are queried according to those hash values. If the values at all the corresponding positions are 1, the threat intelligence library is determined to contain the virus intelligence information of the file to be detected, and the data processing flow that retrieves more detailed virus description information from the threat intelligence library according to the detected virus feature code proceeds. Here, the threat intelligence library holds detailed information about many viruses, such as the family a virus belongs to, its behaviour, and so on.
As shown in fig. 2, in an optional embodiment provided by the present invention, the judging, based on the retrieval intermediate layer, whether the threat intelligence library contains the virus intelligence information of the file to be detected comprises:
S201, acquiring the virus feature code of the file to be detected.
The virus feature code is a binary sequence specific to the virus, extracted from different positions within the virus. Specifically, the embodiment may first determine through the virus feature library whether the file to be detected is a virus file, and if it is, obtain its virus feature code.
S202, hashing the virus feature code of the file to be detected with each of a plurality of random mapping functions to obtain a plurality of hash subscripts.
As shown in fig. 3, the virus feature code of the file to be detected (the "element value" in the figure) is hashed with a plurality of random mapping functions. Here the virus feature code is hashed with 3 random mapping functions: the hash value (hash subscript) calculated by the 1st random mapping function is 0, the hash value calculated by the 2nd random mapping function is 3, and the hash value calculated by the 3rd random mapping function is 8.
S203, looking up, according to the plurality of hash subscripts, whether the retrieval intermediate layer contains the virus feature code of the file to be detected, so as to determine whether the threat intelligence library contains the virus intelligence information of the file to be detected.
In an optional embodiment provided by the present invention, this looking up comprises: obtaining the values at the plurality of hash subscripts in the binary bit array of the retrieval intermediate layer; if the values at the hash subscripts are all 1, determining that the threat intelligence library contains the virus intelligence information of the file to be detected; and if any of the values at the plurality of hash subscripts is 0, determining that the threat intelligence library does not contain the virus intelligence information of the file to be detected.
For example, suppose there are 3 random mapping functions A, B and C. The virus feature code 01010101110101101 is first passed through A, B and C to obtain the subscripts 5, 10 and 13 respectively, and the values at index positions 5, 10 and 13 of the binary bit array are set to 1. In other words, the presence of 01010101110101101 is represented by 5, 10 and 13. When the feature code 01010101110101101 is read during retrieval, A, B and C again yield 5, 10 and 13; looking up positions 5, 10 and 13 in the bit array of the Bloom filter and finding that all of them are 1 shows that 01010101110101101 is present. If instead the virus feature code 110101111 is passed through A, B and C to obtain 3, 5 and 10, the query of the binary bit array of the intermediate layer returns 0, 1 and 1, which shows that the virus feature code 110101111 is not present.
As another example, if the hash subscript obtained by hashing "virus feature code 1" with the random mapping function is 5, the value at index position 5 of the binary bit array is set to 1. Hashing "virus feature code 2" with the random mapping function gives the hash subscript 1, and the value at index position 1 of the binary bit array is set to 1. The binary bit array of the retrieval intermediate layer is then 0100010000000000000000000000…. When virus feature code 1 is presented, the random mapping function necessarily yields the subscript 5 again; index position 5 of the binary bit array is looked up and found to hold 1, which shows that virus feature code 1 is present. Virus feature code 2 is handled in the same way.
In this embodiment, a plurality of random mapping functions are used to obtain a plurality of hash subscripts in order to improve the accuracy of retrieving virus feature codes. For example, if the subscript of "virus feature code 3" calculated by the single random mapping function is also 5, position 5 of the binary bit array is found to be 1 as well, which would indicate that "virus feature code 3" is present even though it was not there when the Bloom filter was built: a false judgment. Therefore the embodiment of the invention hashes with a plurality of random mapping functions.
For example, if the subscripts obtained for virus feature code 1 through the plurality of random mapping functions are 5 and 8, and those for virus feature code 2 are 1 and 2, the binary bit array is 011001001000000000000000000…. Since the Bloom filter now consists of 2 random mapping functions, judging "virus feature code 3" again yields 5 and 7. Looking up positions 5 and 7 of the binary bit array finds that index 5 holds 1 and index 7 holds 0, so they are not both 1, which indicates that virus feature code 3 is not present. This reduces the false-positive rate.
In an optional embodiment provided by the invention, when the number of known viruses newly added to the threat intelligence library exceeds a preset value, whether the newly added known viruses fall within the storage range that the current retrieval intermediate layer can accommodate is judged; if the newly added known viruses can be accommodated within the storage range of the current retrieval intermediate layer, the virus feature code of each newly added known virus is hashed with the original plurality of random mapping functions of the retrieval intermediate layer to obtain the plurality of hash subscripts corresponding to that virus feature code; the index positions given by those hash subscripts are set to 1, where an index position whose value is already 1 is skipped and an index position whose value is 0 is set to 1, so as to obtain the binary bit array updated with the virus feature codes of the newly added known viruses; and the updated retrieval intermediate layer is formed from the updated binary bit array and the original plurality of random mapping functions.
If the newly added known viruses are not within the storage range that the current retrieval intermediate layer can accommodate and the binary bit array of the current retrieval intermediate layer no longer meets the storage requirement, the length of the binary bit array and the number of random mapping functions are re-determined according to the number of newly added known viruses, and the retrieval intermediate layer is re-established.
For example, a threat intelligence library holds detailed information for virus feature code 1 and virus feature code 2, and a retrieval intermediate layer is established: the subscripts obtained for virus feature code 1 through the plurality of random mapping functions are 5 and 8, those for virus feature code 2 are 1 and 2, and at this point the binary bit array is 01100100000000000000…. After the retrieval intermediate layer has been built, if a user wants to add virus feature code 3, its detailed information is first added to the threat intelligence library and then it is added to the retrieval intermediate layer: virus feature code 3 is passed through the two random mapping functions to obtain 5 and 7. Looking up the binary bit array, the value at index 5 is found to be 1 already and is left as it is, and the value at index 7 is set from 0 to 1. The addition of "virus feature code 3" is now complete, and the binary bit array becomes 011001011000000000000000000…. When virus feature code 3 is presented again, the two functions necessarily yield 5 and 7; querying the binary bit array finds that the values at index positions 5 and 7 are both 1, which shows that virus feature code 3 is present in the threat intelligence library.
In the embodiment of the invention, all virus feature codes in the current threat intelligence library are taken out and passed one by one through the random mapping functions (unbiased hash functions) of the Bloom filter; the hash subscript corresponding to each resulting hash value is recorded at the corresponding position of the binary bit array of the Bloom filter, forming a virus library retrieval intermediate layer based on the Bloom filter. Subsequently, in the data enrichment stage of virus detection, before the threat intelligence library is retrieved according to a virus feature code, the Bloom filter retrieval intermediate layer is consulted to learn whether the feature code exists in the threat intelligence library: if it does, retrieval proceeds to obtain the detailed description information of the virus; if it does not, the retrieval of that feature code in the intelligence library is filtered out.
In this embodiment, the retrieval intermediate layer is designed, using the properties of a Bloom filter, between the virus feature code and the threat intelligence library. The retrieval intermediate layer stores whether a given virus feature value exists in the threat intelligence library, so that this can be judged quickly, retrieval operations for virus feature codes that do not exist in the threat intelligence library are filtered out, and the efficiency of the threat data enrichment stage of virus detection can be greatly improved.
The invention provides a computer virus retrieval method, which comprises the steps of firstly establishing a retrieval intermediate layer, and then judging whether virus information of a file to be detected is contained in a threat information library or not based on the retrieval intermediate layer. The invention designs the retrieval intermediate layer between the virus characteristic code and the threat information library, can realize the quick judgment of whether the virus information of the file to be detected exists in the threat information library, and achieves the purpose of greatly improving the retrieval efficiency of threat data in the virus detection process.
As further shown in fig. 4, after judging, based on the retrieval intermediate layer, whether the threat intelligence library contains the virus intelligence information of the file to be detected, the method further comprises:
S30, if the threat intelligence library is judged to contain the virus intelligence information of the file to be detected, retrieving from the threat intelligence library the detailed virus description information corresponding to the virus feature code of the file to be detected.
S40, if the threat intelligence library does not contain the virus intelligence information of the file to be detected, filtering out the virus retrieval for the file to be detected.
In the conventional scheme, when data enrichment is performed for every scanned virus, the threat intelligence library is retrieved according to the virus feature code, but before retrieval it is not known whether the virus feature code exists in the threat intelligence library, so every virus feature code traverses the threat intelligence library once, which makes data enrichment inefficient and wastes computing resources. The embodiment of the invention establishes the retrieval intermediate layer, which stores, for each virus feature value, whether it exists in the threat intelligence library, so that this can be judged in advance: the retrieval intermediate layer and the virus feature code of the file to be detected together determine whether the threat intelligence library contains the virus intelligence information of that file, retrieval operations for virus feature values that are not in the intelligence library are filtered out, and the efficiency of data enrichment is improved.
The invention provides a computer virus retrieval method comprising: acquiring the virus feature code of the file to be detected; determining, from the retrieval intermediate layer and the virus feature code of the file to be detected, whether the threat intelligence library contains the virus intelligence information of the file to be detected; if the threat intelligence library is judged to contain it, retrieving from the threat intelligence library the detailed virus description information corresponding to the virus feature code of the file to be detected; and if the threat intelligence library does not contain it, filtering out the virus retrieval for the file to be detected. The invention designs the retrieval intermediate layer between the virus feature code and the threat intelligence library using the properties of a Bloom filter, so that whether a virus feature code exists in the threat intelligence library can be judged quickly, and by filtering out retrieval operations for virus feature codes that do not exist in the threat intelligence library the retrieval efficiency of threat data in virus detection is greatly improved.
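The retrieval intermediate layer of steps S10/S20, the in-place update and rebuild rule, and the S30/S40 gate in front of the threat intelligence library, pulled together in one added Python example (not code from the patent). The concrete mapping functions (double hashing over SHA-256), the standard Bloom sizing formulas for the bit-array length m and function count k, and the capacity rule are assumptions, since the patent does not specify them; the feature codes and library entries are constructed.

```python
import hashlib
import math


def hash_indices(item: str, k: int, m: int) -> list:
    """The k 'random mapping functions'. Assumption: the patent names no concrete
    functions, so k double-hashed SHA-256 values are used, each reduced modulo the
    bit-array length m to give one hash subscript."""
    digest = hashlib.sha256(item.encode("utf-8")).digest()
    h1 = int.from_bytes(digest[:8], "big")
    h2 = int.from_bytes(digest[8:16], "big") | 1  # odd stride, the usual double-hashing choice
    return [(h1 + i * h2) % m for i in range(k)]


def size_for(n: int, p: float) -> tuple:
    """Re-determine bit-array length m and function count k for n feature codes at a
    target false-positive rate p. Assumption: the standard Bloom sizing formulas; the
    patent only says both are derived from the number of viruses."""
    m = math.ceil(-n * math.log(p) / math.log(2) ** 2)
    k = max(1, round(m / n * math.log(2)))
    return m, k


class RetrievalMiddleLayer:
    """Binary bit array plus k mapping functions (S10/S20), with the capacity that the
    update step checks before choosing between in-place insertion and a rebuild."""

    def __init__(self, capacity: int, fp_rate: float = 0.01):
        self.capacity = capacity
        self.fp_rate = fp_rate
        self.m, self.k = size_for(capacity, fp_rate)
        self.bits = bytearray(self.m)  # one byte per bit for readability; all 0 initially
        self.count = 0

    def add(self, signature: str) -> None:
        """Set the k hash subscripts to 1; a position that is already 1 is simply left."""
        for idx in hash_indices(signature, self.k, self.m):
            self.bits[idx] = 1
        self.count += 1

    def may_contain(self, signature: str) -> bool:
        """All k positions 1: possibly in the library. Any position 0: definitely not."""
        return all(self.bits[idx] == 1 for idx in hash_indices(signature, self.k, self.m))

    def can_accommodate(self, n_new: int) -> bool:
        return self.count + n_new <= self.capacity


def build_layer(signatures, fp_rate: float = 0.01, headroom: float = 2.0):
    """S10: take every feature code out of the threat intelligence library and insert it.
    The headroom factor leaves room for the in-place update path before a rebuild."""
    layer = RetrievalMiddleLayer(max(1, math.ceil(len(signatures) * headroom)), fp_rate)
    for sig in signatures:
        layer.add(sig)
    return layer


def update_layer(layer, library: dict, new_signatures):
    """Update path: the new viruses are already in `library`. Insert in place while the
    capacity allows; otherwise re-size m and k from the new total and rebuild."""
    if layer.can_accommodate(len(new_signatures)):
        for sig in new_signatures:
            layer.add(sig)
        return layer
    return build_layer(list(library), layer.fp_rate)


def enrich(layer, library: dict, signature: str):
    """S30/S40: consult the middle layer first. A miss is filtered out without touching
    the library; a hit is looked up there, so a false positive costs one extra lookup."""
    if not layer.may_contain(signature):
        return None
    return library.get(signature)


def false_positive_rate(layer, absent_signatures) -> float:
    """Fraction of feature codes known to be absent that the layer still lets through."""
    passed = sum(1 for sig in absent_signatures if layer.may_contain(sig))
    return passed / len(absent_signatures)


if __name__ == "__main__":
    # Constructed sample library: feature code -> detailed description.
    library = {f"sig-{i}": f"family-{i}" for i in range(10)}
    layer = build_layer(list(library))
    print("m, k =", layer.m, layer.k)
    print("sig-3 ->", enrich(layer, library, "sig-3"))
    print("absent ->", enrich(layer, library, "not-a-known-code"))
    new = {f"sig-{i}": f"family-{i}" for i in range(10, 60)}
    library.update(new)
    layer = update_layer(layer, library, list(new))  # exceeds capacity: rebuilt with larger m
    print("after rebuild m, k =", layer.m, layer.k, "count =", layer.count)
    probes = [f"absent-{i}" for i in range(2000)]
    print("measured false-positive rate:", false_positive_rate(layer, probes))
```

The library remains the source of truth: the layer never produces a false negative, so a feature code it rejects can be skipped safely, while a code it passes is still confirmed by the actual lookup.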
It should be understood that the sequence numbers of the steps in the foregoing embodiments do not imply an execution order; the execution order of each process is determined by its function and internal logic and does not limit the implementation of the embodiments of the present invention in any way.
In one embodiment, a computer virus retrieval device is provided, corresponding one to one to the computer virus retrieval method of the above embodiments. As shown in fig. 5, the functional modules of the computer virus retrieval device are as follows:
an establishing module 51, configured to establish a retrieval middle layer;
and the judging module 52 is configured to judge whether the threat intelligence library contains virus intelligence information of the file to be detected based on the retrieval middle layer.
In an optional embodiment, the determining module 52 specifically includes:
an acquisition unit, configured to acquire the virus feature code of the file to be detected;
a calculation unit, configured to apply a plurality of random mapping functions (hash functions) to the virus feature code of the file to be detected, obtaining a plurality of hash subscripts (indices into the bit array);
and a determining unit, configured to look up, by the plurality of hash subscripts, whether the retrieval intermediate layer contains the virus feature code of the file to be detected, so as to determine whether the threat intelligence library contains virus intelligence information for the file.
In an optional embodiment, the determining unit is specifically configured to:
obtaining the values at the plurality of hash subscripts in the binary bit array of the retrieval intermediate layer;
if the values at all of the hash subscripts are 1, determining that the threat intelligence library contains virus intelligence information for the file to be detected (subject to the false-positive rate of the Bloom filter, which the subsequent library retrieval resolves);
and if the value at any of the hash subscripts is 0, determining that the threat intelligence library does not contain virus intelligence information for the file to be detected.
In an optional embodiment, the establishing module 51 is specifically configured to:
initializing a binary bit array in which the value at every index position is 0;
applying the plurality of random mapping functions to the virus feature code of each known virus, obtaining for each known virus a plurality of hash subscripts;
and setting to 1 the index positions of the binary bit array given by the hash subscripts of each known virus feature code.
In an alternative embodiment, the apparatus further comprises:
the retrieval module 53, configured to retrieve, if the threat intelligence library is judged to contain virus intelligence information for the file to be detected, the detailed virus description corresponding to the virus feature code of the file from the threat intelligence library;
and the filtering module 54, configured to filter out the virus retrieval for the file to be detected if the threat intelligence library is judged not to contain virus intelligence information for it.
In an optional embodiment, when the number of known viruses newly added to the threat intelligence library exceeds a preset value, it is judged whether the newly added known viruses fall within the storage range that the current retrieval intermediate layer can accommodate (the number of elements its bit array was sized for at the target false-positive rate). Note that a known virus already in the library whose bits have not yet been set in the layer is filtered out as absent until this update is applied, so the preset value should be small enough that the layer does not lag behind the library.
If the newly added known viruses fit within the storage range of the current retrieval intermediate layer, the layer's original plurality of random mapping functions is applied to each newly added known virus, obtaining the plurality of hash subscripts corresponding to its virus feature code;
the index positions given by the hash subscripts of each newly added virus feature code are set to 1: an index position whose value is already 1 is skipped, and one whose value is 0 is set to 1, yielding the updated binary bit array;
and the updated retrieval intermediate layer is formed from the updated binary bit array and the original plurality of random mapping functions.
If the newly added known viruses exceed the storage range that the current retrieval intermediate layer can accommodate, so that its binary bit array no longer meets the storage requirement, the number of bits of the binary bit array and the number of random mapping functions are re-determined according to the number of newly added known viruses, and the retrieval intermediate layer is re-established. Because the bits of a Bloom filter cannot be cleared, re-establishing the layer means rebuilding it from all known viruses in the library, not only from the new entries.
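The build, query, enrichment and update steps described above, as an added Python example; this is not code from the patent or its applicant. It assumes that virus feature codes are hex digest strings, models the threat intelligence library as a dict, stands in for the patent's "plurality of random mapping functions" with double hashing of one SHA-256 digest, and sizes the bit array with the standard Bloom filter formula; the sample library entries are constructed. Unlike the threshold-gated update in the text, it inserts every new entry into the layer as soon as it enters the library, since an entry present in the library but not in the bit array would be filtered out as absent.

```python
from __future__ import annotations

import hashlib
import math


def bloom_params(n: int, p: float) -> tuple[int, int]:
    """Standard Bloom-filter sizing for n items at target false-positive rate p:
    m = -n ln p / (ln 2)^2 bits and k = (m / n) ln 2 hash functions."""
    m = math.ceil(-n * math.log(p) / (math.log(2) ** 2))
    k = max(1, round(m / n * math.log(2)))
    return m, k


class RetrievalLayer:
    """The retrieval intermediate layer: a bit array plus k hash functions."""

    def __init__(self, capacity: int, fp_rate: float = 0.01) -> None:
        self.capacity = capacity          # number of feature codes the layer is sized for
        self.fp_rate = fp_rate
        self.m, self.k = bloom_params(capacity, fp_rate)
        self.bits = bytearray(self.m)     # bit array, every index position initially 0
        self.count = 0                    # feature codes inserted so far

    def indices(self, feature_code: str) -> list[int]:
        """k hash subscripts for one feature code. Assumed stand-in for the patent's
        'plurality of random mapping functions': two 64-bit halves of one SHA-256
        digest combined by double hashing, index_i = (h1 + i * h2) mod m."""
        d = hashlib.sha256(feature_code.encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big")
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, feature_code: str) -> None:
        for i in self.indices(feature_code):
            self.bits[i] = 1              # an index position already at 1 is simply left at 1
        self.count += 1

    def might_contain(self, feature_code: str) -> bool:
        """All k positions 1: possibly in the library (a false positive is possible).
        Any position 0: definitely not in the library (no false negatives)."""
        return all(self.bits[i] for i in self.indices(feature_code))


def build_layer(library: dict[str, str], fp_rate: float = 0.01,
                headroom: float = 2.0) -> RetrievalLayer:
    """Establish the layer from every known virus in the library, sized with spare
    capacity so that routine additions do not force an immediate rebuild."""
    layer = RetrievalLayer(max(1, math.ceil(len(library) * headroom)), fp_rate)
    for code in library:
        layer.add(code)
    return layer


def enrich(layer: RetrievalLayer, library: dict[str, str],
           feature_codes: list[str]) -> tuple[dict[str, str], int, int]:
    """Data-enrichment pass over scanned feature codes. Returns (code -> description,
    library lookups performed, lookups filtered out). A false positive costs one
    wasted lookup, never a wrong result, because the library is still consulted."""
    results: dict[str, str] = {}
    lookups = filtered = 0
    for code in feature_codes:
        if not layer.might_contain(code):
            filtered += 1                 # definitely absent: skip the library entirely
            continue
        lookups += 1
        description = library.get(code)   # None only on a false positive
        if description is not None:
            results[code] = description
    return results, lookups, filtered


def update_layer(layer: RetrievalLayer, library: dict[str, str],
                 new_entries: dict[str, str]) -> tuple[RetrievalLayer, str]:
    """Add newly known viruses. Within the current capacity, set their bits with the
    original hash functions and keep the layer; beyond it, re-derive m and k from
    the new total and re-establish the layer from the whole library (Bloom filter
    bits cannot be cleared, so a rebuild must start from all known viruses)."""
    library.update(new_entries)
    if layer.count + len(new_entries) <= layer.capacity:
        for code in new_entries:
            layer.add(code)
        return layer, "inserted"
    return build_layer(library, layer.fp_rate), "rebuilt"


def sample_code(label: str) -> str:
    """Constructed sample feature code: SHA-256 hex digest of a short label."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed sample library (placeholder descriptions, not real intelligence).
LIBRARY: dict[str, str] = {
    sample_code("sample-a"): "Trojan.Generic sample A",
    sample_code("sample-b"): "Worm.Generic sample B",
    sample_code("sample-c"): "Ransom.Generic sample C",
}
```

With `headroom` of 2 the three-entry library gets a 58-bit array and 7 hash functions, so two more entries are absorbed in place and a third batch of three triggers a rebuild sized for 16 entries. The `filtered` counter returned by `enrich` is the quantity the patent's efficiency claim rests on; on a real feed, compare it against `lookups` to confirm the layer is actually removing library traversals rather than forwarding most codes as false positives.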
For specific limitations of the computer virus retrieval device, reference may be made to the above limitations of the computer virus retrieval method, which are not described herein again. The various modules in the above-described apparatus may be implemented in whole or in part by software, hardware, and combinations thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as shown in fig. 6. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operating system and the computer program to run on the non-volatile storage medium. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a computer virus retrieval method.
In one embodiment, a computer device is provided, comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the computer program:
and establishing a retrieval intermediate layer, and judging whether virus information of the file to be detected is contained in the threat information library or not based on the retrieval intermediate layer.
In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of:
and establishing a retrieval intermediate layer, and judging whether virus information of the file to be detected is contained in the threat information library or not based on the retrieval intermediate layer.
In one embodiment, a computer program product is provided, the computer program product comprising a computer program, the computer program being executable by a processor to perform the steps of:
and establishing a retrieval intermediate layer, and judging whether virus information of the file to be detected is contained in the threat information library or not based on the retrieval intermediate layer.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above may be implemented by instructing relevant hardware through a computer program, which may be stored in a non-volatile computer-readable storage medium and, when executed, may include the processes of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory, among others. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM).
It should be clear to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional units and modules is only used for illustration, and in practical applications, the above function distribution may be performed by different functional units and modules as needed, that is, the internal structure of the apparatus may be divided into different functional units or modules to perform all or part of the above described functions.
The above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not depart from the spirit and scope of the embodiments of the present invention, and they should be construed as being included therein.
Claims (10)
1. A computer virus retrieval method, the method comprising:
and establishing a retrieval intermediate layer, and judging whether virus information of the file to be detected is contained in the threat information library or not based on the retrieval intermediate layer.
2. The method of claim 1, wherein said determining whether virus intelligence information of a file to be detected is contained in a threat intelligence library based on said retrieval intermediate layer comprises:
acquiring a virus characteristic code of a file to be detected;
carrying out hash calculation on a plurality of random mapping functions on the virus feature codes of the files to be detected to obtain a plurality of hash subscripts;
and searching whether the retrieval intermediate layer contains the virus characteristic code of the file to be detected or not according to the plurality of Hash subscripts so as to determine whether the threat intelligence library contains the virus intelligence information of the file to be detected or not.
3. The method according to claim 2, wherein the searching for whether the retrieval intermediate layer includes the virus feature code of the file to be detected according to the hash subscripts to determine whether the threat intelligence library includes the virus intelligence information of the file to be detected comprises:
obtaining corresponding values of a plurality of Hash subscripts in a binary bit array of a retrieval middle layer;
if the corresponding values of the hash subscripts are all 1, determining that the threat information library contains virus information of the file to be detected;
and if the corresponding values of the plurality of hash subscripts have 0, determining that the threat intelligence library does not contain the virus intelligence information of the file to be detected.
4. The method of claim 3, wherein the establishing a retrieval middle layer comprises:
initializing a binary digit array, wherein the value of each index position is initially 0;
respectively carrying out hash calculation on a plurality of random mapping functions on the virus characteristic codes of the known viruses to obtain a plurality of hash subscripts respectively corresponding to the virus characteristic codes of the known viruses;
and setting the value of a plurality of hash subscripts respectively corresponding to the virus characteristic codes of a plurality of known viruses at the index position corresponding to the binary bit array to be 1.
5. The method of claim 4, further comprising:
if the threat intelligence library is judged to contain the virus intelligence information of the file to be detected, retrieving virus detailed description information corresponding to the virus feature code of the file to be detected from the threat intelligence library;
and if the threat information library does not contain the virus information of the file to be detected, filtering out the virus retrieval of the file to be detected.
6. The method of claim 5, further comprising:
when the newly added known virus of the threat information library exceeds a preset value, judging whether the newly added known virus is in a storage range which can be accommodated by the current retrieval middle layer;
if the newly added known virus is in the storage range which can be accommodated by the current retrieval interlayer, performing hash calculation on the original random mapping functions of the retrieval interlayer on the newly added known virus to obtain a plurality of hash subscripts corresponding to the virus feature codes of the newly added known virus;
setting the corresponding index positions of a plurality of Hash subscripts respectively corresponding to the virus characteristic codes of the newly added known viruses as 1, and skipping if the value of the corresponding index positions is 1; if the value of the corresponding index position is 0, setting the value of the corresponding index position to be 1, and obtaining a binary digit array corresponding to the virus feature code of the newly added known virus;
and forming an updated retrieval middle layer by the updated binary bit array and the original plurality of random mapping functions.
7. The method of claim 6, further comprising:
and if the newly added known virus is not in the storage range which can be accommodated by the current retrieval interlayer and the binary digit array of the current retrieval interlayer does not meet the storage requirement, re-determining the digit of the binary digit array and the quantity of the random mapping function according to the quantity of the newly added known virus, and re-establishing the retrieval interlayer.
8. An apparatus for computer virus retrieval, the apparatus comprising:
the establishing module is used for establishing a retrieval middle layer;
and the judging module is used for judging whether the threat information library contains the virus information of the file to be detected or not based on the retrieval middle layer.
9. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the computer virus retrieval method of any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the computer virus retrieval method of any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211357154.7A CN115688099A (en) | 2022-11-01 | 2022-11-01 | Computer virus retrieval method and device, computer equipment and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211357154.7A CN115688099A (en) | 2022-11-01 | 2022-11-01 | Computer virus retrieval method and device, computer equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115688099A true CN115688099A (en) | 2023-02-03 |
Family
ID=85049025
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211357154.7A Pending CN115688099A (en) | 2022-11-01 | 2022-11-01 | Computer virus retrieval method and device, computer equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115688099A (en) |
Events
- 2022-11-01: application CN202211357154.7A filed in CN (patent CN115688099A); status: active, Pending
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117201193A (en) * | 2023-11-06 | 2023-12-08 | 新华三网络信息安全软件有限公司 | Virus detection method and device, storage medium and electronic equipment |
CN117201193B (en) * | 2023-11-06 | 2024-01-26 | 新华三网络信息安全软件有限公司 | Virus detection method and device, storage medium and electronic equipment |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
RU2581560C2 (en) | Method of scanning files, client computer and server | |
AU2013329525C1 (en) | System and method for recursively traversing the internet and other sources to identify, gather, curate, adjudicate, and qualify business identity and related data | |
US8931092B2 (en) | System and method for computer inspection of information objects for shared malware components | |
US20160188723A1 (en) | Cloud website recommendation method and system based on terminal access statistics, and related device | |
CN111368289B (en) | Malicious software detection method and device | |
CN110263104B (en) | JSON character string processing method and device | |
CN111752955A (en) | Data processing method, device, equipment and computer readable storage medium | |
CN115688099A (en) | Computer virus retrieval method and device, computer equipment and storage medium | |
CN111221742A (en) | Test case updating method and device, storage medium and server | |
CN110555165B (en) | Information identification method and device, computer equipment and storage medium | |
CN114328017A (en) | Database backup method, system, computer equipment and storage medium | |
CN115309796A (en) | Similarity query method, database updating method, device and system | |
CN116821053B (en) | Data reporting method, device, computer equipment and storage medium | |
CN111191235B (en) | Suspicious file analysis method, suspicious file analysis device and computer readable storage medium | |
CN107943849B (en) | Video file retrieval method and device | |
CN114003685B (en) | Word segmentation position index construction method and device, and document retrieval method and device | |
CN115421699A (en) | Class inheritance relationship analysis method and device, computer equipment and storage medium | |
CN110717036A (en) | Method and device for removing duplication of uniform resource locator and electronic equipment | |
CN111078139B (en) | Method and device for realizing S3 standard object storage interface | |
CN114266045A (en) | Network virus identification method and device, computer equipment and storage medium | |
CN106021360A (en) | Method and device for autonomously learning and optimizing MapReduce processing data | |
CN110990648A (en) | Virus query method, server and computer readable storage medium | |
CN112883376A (en) | File processing method, device, equipment and computer readable storage medium | |
CN113765852B (en) | Data packet detection method, system, storage medium and computing device | |
CN112395377B (en) | Address recognition method, device and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |