CN115964708A - Automatic feature extraction method and device for preventing false alarm, electronic equipment and storage medium - Google Patents

Publication number: CN115964708A
Application number: CN202211656879.6A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Prior art keywords: extracted, file, target file, malicious, tail
Inventors: 吕经祥, 李石磊, 肖新光
Current assignee: Antiy Technology Group Co Ltd
Original assignee: Antiy Technology Group Co Ltd

Abstract

Embodiments of the invention disclose an automatic feature extraction method and device for preventing false alarms, an electronic device and a storage medium. They relate to the field of anti-malicious code, avoid falsely reporting a white (benign) file, and improve the accuracy of automatic feature extraction. The method comprises the following steps: for an automatic feature sample to be extracted that has been judged a malicious sample by the malicious judgment standard library, acquire the actual file tail information of the sample file and the target file tail information derived from the sample's file structure; judge whether the actual file tail information is consistent with the target file tail information; if they are inconsistent, further determine, according to the target file tail information, the area in which the malicious code is located in the sample; and if the area where the malicious code is located lies between the head of the sample and the tail of the target file, extract features from the sample. The method is suitable for detecting samples carrying malicious code.

Description

Automatic feature extraction method and device for preventing false alarm, electronic equipment and storage medium
Technical Field
The invention relates to the field of anti-malicious code, in particular to an automatic feature extraction method and device for preventing false alarms, an electronic device and a storage medium.
Background
To improve detection efficiency, an antivirus engine can derive judgment criteria from external detection strategies; a sample that meets such a criterion is determined to be a black (malicious) sample, and features are extracted according to the file structure of the sample so that the sample and similar samples can be detected.
Hackers (attackers) often append malicious code b to the end of a normal file a to evade detection. For samples carrying malicious code in this way, the current automatic detection strategy generally detects by feature matching and will usually perform automatic detection-feature extraction on such a sample (a + b), that is, a normal file head followed by a black malicious-code tail. Because the black tail b does not affect the file structure of the normal head a, the features extracted from a + b can be identical to the features of the normal file a alone, so normal files can then be falsely reported, which affects detection accuracy.
Disclosure of Invention
In view of this, embodiments of the present invention provide an automatic feature extraction method, apparatus, electronic device and storage medium for preventing false alarms, which make it convenient to detect the area in which the malicious code carried by a sample of this type is located and avoid falsely reporting a white file, thereby improving the accuracy of automatic feature extraction for preventing false alarms.
In a first aspect, an embodiment of the present invention provides an automatic feature extraction method for preventing false alarms, including: for an automatic feature sample to be extracted that has been judged a malicious sample by a malicious judgment standard library, acquiring the actual file tail information of the sample file and the target file tail information obtained from the sample's file structure; judging whether the actual file tail information is consistent with the target file tail information; if they are inconsistent, further determining, according to the target file tail information, the area in which the malicious code is located in the sample; and if the area where the malicious code is located lies between the head of the sample and the tail of the target file, performing a feature extraction operation on the sample.
Optionally, further determining, according to the target file tail information, the area in which the malicious code is located in the sample includes: splicing the head of the sample up to the target file tail to generate a target file to be detected; judging, according to the malicious judgment standard library, whether the target file to be detected is a malicious file; and if so, determining that the area where the malicious code is located lies between the head of the sample and the tail of the target file.
Optionally, further determining, according to the target file tail information, the area in which the malicious code is located in the sample includes: based on the target file tail information of the sample, splicing the binary data lying between the target file tail and the actual file tail of the sample onto the tail of a known white file to generate a target file to be detected; judging, according to the malicious judgment standard library, whether the target file to be detected is a malicious file; and if not, determining that the area where the malicious code is located lies between the head of the sample and the tail of the target file.
Optionally, after determining the area in which the malicious code is located in the sample, the method further includes: determining, according to that area, whether to execute the automatic feature extraction operation.
Optionally, the inconsistency comprises: the actual file tail information is larger than the target file tail information.
In a second aspect, an embodiment of the present invention further provides an automatic feature extraction apparatus for preventing false alarms, including: an acquisition program unit, configured to acquire, for an automatic feature sample to be extracted that has been judged a malicious sample by the malicious judgment standard library, the actual file tail information of the sample file and the target file tail information obtained from the sample's file structure; a judging program unit, configured to judge whether the actual file tail information is consistent with the target file tail information; a determining program unit, configured to further determine, according to the target file tail information, the area in which the malicious code is located in the sample if the two are inconsistent; and an extraction program unit, configured to perform the feature extraction operation on the sample if the area where the malicious code is located lies between the head of the sample and the tail of the target file.
Optionally, the determining program unit includes: a splicing program module, configured to splice the head of the sample file and the target file tail information to generate a target file to be detected; a judging program module, configured to judge, according to the malicious judgment standard library, whether the target file to be detected is a malicious file; and a determining program module, configured to determine, if it is, that the area where the malicious code is located lies between the head of the sample and the tail of the target file.
Optionally, the extraction program unit is further configured to determine, after the area in which the malicious code is located in the sample has been determined, whether to execute the automatic feature extraction operation according to that area.
In a third aspect, an embodiment of the present invention further provides an electronic device, including: a housing, a processor, a memory, a circuit board and a power supply circuit, where the circuit board is arranged in a space enclosed by the housing and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic device; the memory stores executable program code; and the processor runs a program corresponding to the executable program code by reading the executable program code stored in the memory, so as to execute the automatic feature extraction method for preventing false alarms of any one of the first aspect.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium storing one or more programs which are executable by one or more processors to implement the automatic feature extraction method for preventing false alarms according to any one of the first aspect.
Embodiments of the invention provide an automatic feature extraction method and device for preventing false alarms, an electronic device and a storage medium. The method comprises the following steps: for an automatic feature sample to be extracted that has been judged a malicious sample by the malicious judgment standard library, acquiring the actual file tail information of the sample file and the target file tail information obtained from the sample's file structure; judging whether the actual file tail information is consistent with the target file tail information; if they are inconsistent, further determining, according to the target file tail information, the area in which the malicious code is located in the sample; and if the area where the malicious code is located lies between the head of the sample and the tail of the target file, performing the feature extraction operation on the sample. This makes it convenient to detect the area in which the malicious code is located in a sample carrying malicious code and avoids falsely reporting a white file, thereby improving the accuracy of automatic feature extraction for preventing false alarms.
Drawings
To illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly described below. Obviously, the drawings described below show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flow chart of an automatic feature extraction method for preventing false alarms according to an embodiment of the present invention;
FIG. 2 is a detailed flow chart of the automatic feature extraction method for preventing false alarms according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of an automatic feature extraction apparatus for preventing false alarms according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Hackers often place malicious code at the end of a normal file, that is, they use samples containing additional data to evade detection, where the additional data is a section of binary code appended after the tail of the file structure defined by the file's format.
To solve the above problems, prevent a white file from being falsely reported and improve the efficiency of automatic feature detection, the automatic feature extraction method for preventing false alarms provided in the embodiments of the present invention builds a malicious judgment standard library from the judgment criteria of collected external detection strategies, where an external detection strategy is a detection strategy separate from the current detection engine, for example: detection results from peer vendors, collected malicious intelligence, or detection schemes provided by some open-source detection systems. A sample to be extracted that meets a judgment criterion is determined to be a black sample; a file to be detected is then re-spliced from the file information of the sample and detected again against the judgment criteria, so that a white file is not falsely reported, the area where the malicious code is located in the sample is detected, and it can be decided whether to perform the automatic detection-feature extraction operation, thereby improving the accuracy of automatic feature extraction.
Example one
FIG. 1 is a schematic flow chart of an embodiment of an automatic feature extraction method for preventing false alarms according to the present invention. Referring to FIG. 1, the method includes the following steps:
S110: for an automatic feature sample to be extracted that has been judged a malicious sample by a malicious judgment standard library, acquire the actual file tail information of the sample file and the target file tail information derived from the sample's file structure.
Specifically, in step S110, for an automatic feature sample A to be extracted that has been judged a malicious sample by the malicious judgment standard library, the actual file tail information of sample file A is obtained first; then, by parsing the structural information of sample A, the structural file tail of sample A, that is, the file tail information of the target file a, is obtained from that structural information. The file tail information is used to represent the size of the file.
S120: judge whether the actual file tail information is consistent with the target file tail information.
Specifically, a judgment is made on the acquired actual file tail information and target file tail information; by judging whether the actual file tail information of the sample is consistent with the target file tail information, the area in which the malicious code is located in the sample is further determined.
By way of example: for an automatic feature sample A to be extracted that carries a PE file as its target file a, the sample generally has the same file type as the target file. The PE file structure is generally as follows: starting from the beginning of the file come the DOS header, the NT headers, the section table and the sections themselves, in that order. According to the file structure information of the PE file, for example the end of the last section, the structural file tail of the target file is located and the target file tail information is obtained (for brevity, following the Chinese abbreviated expression, referred to simply as the target file tail); alternatively, the tail information is determined by querying the structure information table corresponding to the target file, for example 0x1000. Assuming the sample to be extracted is a PE file whose actual file tail information is 0x2000 and whose target file tail information is 0x1000, the two are inconsistent, which indicates that additional data exists in the sample, so the position of the malicious code is further determined.
It should be understood that in the conventional method matching is performed directly on the structural features of the sample file; because the sample file and the target file it carries share the same structural features, the result is misjudged and the malicious code cannot be detected. In the present application, whether the actual file tail information of the sample is consistent with the target file tail information can be determined, and step S130 is then executed so that, together, the steps prevent the malicious code from escaping detection.
S130: if they are inconsistent, further determine, according to the target file tail information, the area in which the malicious code is located in the sample.
Specifically, when the actual file tail information of the sample file is inconsistent with the target file tail information, for example when the actual file tail information is greater than the target file tail information, the area in which the malicious code in the sample is located is further determined according to the target file tail information, so that the malicious sample cannot escape detection and the detection rate and accuracy for malicious code are improved.
S140: if the area where the malicious code is located lies between the head of the sample and the tail of the target file, perform the feature extraction operation on the sample.
Specifically, after the area in which the malicious code is located in the sample has been further determined, if that area lies between the head of the sample and the tail of the target file, features are extracted from the sample.
According to the embodiment of the invention, malicious code present in the sample to be extracted is detected; a target file to be detected is further spliced according to the sample's file information, the position of the malicious code is obtained according to the automatic engine judgment criteria in the malicious judgment standard library, and automatic detection features are then extracted from the sample. After extraction, the automatic detection features can be stored so that the same or similar sample files appearing later are detected quickly.
Referring to FIG. 2, in some embodiments, in step S130, further determining, according to the target file tail information, the area in which the malicious code is located in the sample includes: splicing the head of the sample up to the target file tail to generate a target file to be detected; judging, according to the malicious judgment standard library, whether the target file to be detected is a malicious file; and if so, determining that the area where the malicious code is located lies between the head of the sample and the tail of the target file.
The malicious judgment standard library can consist of one, several, dozens or even hundreds of malicious sample judgment criteria.
Specifically, when it is determined that the actual file tail information of the sample file is inconsistent with the target file tail information, that is, the actual file tail information is greater than the target file tail information, the head of the sample file and the target file tail information can be spliced to generate a target file to be detected. It can be understood that the head of the sample file is the head of the target file, that is, the two heads are the same, so the target file to be detected in this embodiment is the target file itself. Whether the target file to be detected is a malicious file is determined according to the malicious judgment standard library; when it is a malicious file, it is determined that malicious code exists in the sample and lies within the target file, that is, the area where the malicious code exists is between the head of the sample and the tail of the target file.
In this embodiment, the target file is substantially the target file to be detected; the two are the same file.
When it is determined that the malicious code lies between the file head and the structural file tail of sample A, for example, the automatic feature is extracted from 0x0 to 0x1000 of sample A; that is, the automatic feature is extracted from sample A.
If the automatic judgment criteria in the malicious judgment standard library are not met, this shows that the malicious code lies in the binary code from the structural file tail to the actual file tail of sample A, for example 0x1000-0x2000 of sample A, and no automatic features are extracted from sample A.
Therefore, specifically, after determining the region in which the malicious code is located in the sample, the method further includes: determining, according to that region, whether to execute the automatic feature extraction operation.
In this way, after the area in which the malicious code is located in the sample has been determined, whether the automatic feature extraction operation is executed is decided according to that area.
The extracted automatic features are taken as automatic detection features; these are structure-based and are used to detect automatically samples with the same or similar structure.
For example, a hash is calculated over the first 4K of the section containing the entry point of the PE sample; the automatic detection feature is then, for a sample to be detected, to take the first 4K of the section containing its entry point and calculate its hash, because the entry point is where the PE sample's execution begins. If the entry point of another PE sample performs the same action, it can be stated that the other PE sample is the same as or similar to the current sample and is likewise a malicious sample, and so it is detected.
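The tail comparison of step S120 (DOS header, NT headers, section table, sections; target file tail taken as the end of the last section, 0x1000 against an actual tail of 0x2000) and the entry-point section hash feature just described can both be exercised with the following Python. It is an added illustration, not code from the patent or from Antiy: it parses a PE's section table to compute the structural tail, compares that with the actual size, and hashes the first 4K of the entry-point section. `build_pe` constructs a synthetic PE32 image as test input, and every function and constant name is this example's own.

```python
import hashlib
import struct

# Standard PE/COFF layout constants used by the parser and the synthetic builder below.
DOS_E_LFANEW = 0x3C          # offset in the DOS header of the pointer to the "PE\0\0" signature
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
OPTIONAL_HEADER_SIZE = 0xE0  # PE32 optional header size (the constructed samples use PE32)


def parse_sections(data: bytes):
    """Return (AddressOfEntryPoint, [(name, vaddr, vsize, raw_ptr, raw_size), ...]) for a PE image."""
    e_lfanew = struct.unpack_from("<I", data, DOS_E_LFANEW)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]   # NumberOfSections
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    opt = coff + COFF_HEADER_SIZE
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    table = opt + size_opt
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vaddr, vsize, rptr, rsize))
    return entry_rva, sections


def structural_end(data: bytes) -> int:
    """The page's "target file tail": the offset where the last section's raw data ends."""
    _, sections = parse_sections(data)
    return max(rptr + rsize for _, _, _, rptr, rsize in sections)


def overlay_info(data: bytes):
    """Compare the structural tail with the actual tail (the file size).
    Returns (target_tail, actual_tail, has_additional_data)."""
    target_tail = structural_end(data)
    return target_tail, len(data), len(data) > target_tail


def entry_section_hash(data: bytes, length: int = 0x1000) -> str:
    """SHA-256 over the first `length` raw bytes of the section containing the entry point,
    the structure-based "automatic detection feature" the page describes."""
    entry_rva, sections = parse_sections(data)
    for _, vaddr, vsize, rptr, rsize in sections:
        if vaddr <= entry_rva < vaddr + max(vsize, rsize):
            return hashlib.sha256(data[rptr:rptr + min(length, rsize)]).hexdigest()
    raise ValueError("entry point is not inside any section")


def build_pe(sections, entry_rva: int, overlay: bytes = b"") -> bytes:
    """Construct a minimal synthetic PE32 image (test data, not a real executable).
    `sections` is a list of (name, vaddr, raw_ptr, raw_size, payload)."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, DOS_E_LFANEW, e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPTIONAL_HEADER_SIZE, 0x102)
    opt = bytearray(OPTIONAL_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, rsize, vaddr, rsize, rptr, 0, 0, 0, 0, 0x60000020)
        for name, vaddr, rptr, rsize, _ in sections
    )
    image = bytearray(dos + b"PE\0\0" + coff + opt + table)
    for _, _, rptr, rsize, payload in sections:
        image.extend(b"\0" * max(0, rptr + rsize - len(image)))
        image[rptr:rptr + len(payload)] = payload
    return bytes(image) + overlay  # the overlay is the "additional data" after the structural tail


if __name__ == "__main__":
    # Constructed section: one .text section whose raw data ends exactly at 0x1000.
    text = (b".text", 0x1000, 0x200, 0xE00, b"\x55\x8b\xec\xc3")
    clean = build_pe([text], entry_rva=0x1000)
    tailed = build_pe([text], entry_rva=0x1000, overlay=b"\xcc" * 0x1000)
    print(overlay_info(clean), overlay_info(tailed))
    # The appended data does not change the entry-section feature, which is the false-alarm risk.
    print(entry_section_hash(clean) == entry_section_hash(tailed))
```

The last comparison in the `__main__` block is the background section's point in code: the structure-based feature of a + b is identical to that of a alone, which is why the tail check must run before the feature is extracted.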
Referring to FIG. 2, in another embodiment, in step S130, further determining, according to the target file tail information, the area in which the malicious code is located in the sample includes: based on the target file tail information of the sample, splicing the binary data lying between the target file tail and the actual file tail of the sample onto the tail of a known white file to generate a target file to be detected; judging, according to the malicious judgment standard library, whether the target file to be detected is a malicious file; and if not, determining that the area where the malicious code is located lies between the head of the sample and the tail of the target file.
By way of example, step S130 includes: Step 1: splice a known white file, for example a white PE file of size 0x0-0x100, with the binary code from the structural file tail to the actual file tail of sample A, for example 0x1000-0x2000 of sample A, to generate a file C to be detected, that is, 0x0-0x100 of the known white PE followed by 0x1000-0x2000 of sample A, with a total size of 0x1100;
Step 2: rescan file C according to the malicious judgment standard library so as to make an automatic judgment;
Step 3: judge whether file C meets an engine automatic judgment criterion in the malicious judgment standard library;
Step 4: if it does, this indicates that the malicious code lies in the binary code from the structural file tail to the actual file tail of sample A, for example 0x1000-0x2000 of sample A; that is, no automatic detection features are extracted from sample A.
If it does not, the malicious code lies between the file head and the structural file tail of sample A, for example between 0x0 and 0x1000 of sample A; that is, the automatic detection features of sample A are extracted.
In this embodiment, when it is determined that the actual file tail information of the sample file is inconsistent with the target file tail information, for example when the actual file tail information is greater than the target file tail information, the target file to be detected is generated by splicing the binary data lying between the target file tail and the actual file tail of the sample file onto a known white file; whether the target file to be detected is a malicious file is determined according to the malicious judgment standard library, and if it is not a malicious file, it is determined that the area where the malicious code is located lies between the head of the sample and the tail of the target file.
In this embodiment, after determining the region in which the malicious code is located in the sample, the method further includes: determining, according to that region, whether to execute the automatic feature extraction operation.
Specifically, after the area in which the malicious code is located in the sample has been determined, whether to execute the automatic feature extraction operation is decided according to that area: when the area where the malicious code is located is determined to lie between the head of the sample and the tail of the target file, automatic feature extraction is performed on the sample; further, the extracted automatic features are used as automatic detection features for automatically detecting samples with the same or similar structure.
To help understand the technical solution and the technical effect thereof provided by the embodiments of the present invention, a specific embodiment and the method flow illustrated in fig. 2 are specifically described as follows:
the example is illustrated in a pe file for ease of explanation. Wherein, the tail of the target file of the automatic characteristic sample to be extracted is 0x1000; actual file tail 0x2000; header 0x0.
Firstly, acquiring a target file tail of an automatic feature sample A to be extracted, which meets the engine automatic judgment standard, according to file structure information (such as a section tail of the last section) of the automatic feature sample A to be extracted, and if the actual file tail of the automatic feature sample A to be extracted is larger than the target file tail (the actual file tail is 0x2000> the structure file tail is 0x 1000). The following scheme is performed to detect malicious codes and avoid false positives.
The first scheme is as follows:
step 1: splicing a file header of an automatic feature sample A to be extracted, such as a file header 0x0, to a target file tail of the automatic feature sample A to be extracted, such as a target file tail 0x1000, and generating a file B to be detected, wherein the file B to be detected is 0x0-0x1000 of the automatic feature sample A to be extracted;
step 2: rescanning the file B to be detected;
step 3: judging whether the file B to be detected meets the engine automation judgment standard or not;
if it does, the malicious code lies between the file header and the target file tail of the automatic feature sample A to be extracted, namely in 0x0-0x1000 of sample A, so that whether malicious code exists in sample A can be effectively detected and the position of the malicious code determined.
If it does not, the malicious code lies in the binary code from the target file tail to the actual file tail of the automatic feature sample A to be extracted, namely 0x1000-0x2000 of sample A, and the automatic features of sample A are not extracted.
Scheme two is as follows:
step 1: splicing a known white file, such as a white PE file of size 0x0-0x100, with the binary code from the target file tail to the actual file tail of the automatic feature sample A to be extracted, namely 0x1000-0x2000 of sample A, to generate a file C to be detected; file C therefore consists of 0x0-0x100 of the known white PE followed by 0x1000-0x2000 of sample A.
Step 2: the file C to be detected is rescanned according to the malicious judgment standard library so as to carry out automatic judgment;
step 3: judging whether the file C to be detected meets the engine automatic judgment standard in the malicious judgment standard library or not;
step 4: if it does, the malicious code lies between the target file tail and the actual file tail of the automatic feature sample A to be extracted, for example in 0x1000-0x2000 of sample A, and the automatic detection features are not extracted from sample A.
If it does not, the malicious code lies between the file header and the target file tail of the automatic feature sample A to be extracted, for example in 0x0-0x1000 of sample A, so that whether malicious code exists in sample A can be effectively detected and the position of the malicious code determined.
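The two schemes above, as an added worked example in Python that is not part of the patent and not Antiy's code: it builds constructed PE-shaped test data with the page's numbers (header at 0x0, target file tail 0x1000, actual file tail 0x2000, a known white file of 0x100 bytes), derives the target file tail from the section table as the end of the last section's raw data, and runs scheme one (file B) and scheme two (file C) against a stand-in engine. The engine, the byte pattern it matches, the function names, and the handling of the consistent-tail, truncated and disagreeing cases are assumptions of this example, not the page's.

```python
import struct

# Constructed byte pattern standing in for a signature in the "malicious
# judgment standard library"; the real engine is an AV scanner this example
# does not have access to.
STAND_IN_SIGNATURE = b"CONSTRUCTED_MALICIOUS_MARKER"


def engine_is_malicious(data: bytes) -> bool:
    """Stand-in for the engine's automatic judgment standard."""
    return STAND_IN_SIGNATURE in data


def build_pe(section_specs, section_payloads, overlay=b""):
    """Build a minimal PE-shaped byte string (constructed test data, not a
    runnable executable): DOS header, PE signature, COFF header with an
    empty optional header, section table, raw section data, optional overlay.
    section_specs is a list of (PointerToRawData, SizeOfRawData)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, 0, 0x102)
    table = b""
    for i, (ptr, size) in enumerate(section_specs):
        name = (b".sec%d" % i).ljust(8, b"\0")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, two
        # relocation/linenumber pointers and counts, Characteristics
        table += name + struct.pack("<IIIIIIHHI", size, 0x1000 * (i + 1),
                                    size, ptr, 0, 0, 0, 0, 0x60000020)
    img = bytearray(dos + b"PE\0\0" + coff + table)
    for (ptr, size), payload in zip(section_specs, section_payloads):
        assert ptr >= len(img), "section must start after the headers"
        img.extend(b"\0" * (ptr - len(img)))       # pad up to PointerToRawData
        img.extend(payload.ljust(size, b"\0")[:size])
    img.extend(overlay)
    return bytes(img)


def target_file_tail(data: bytes) -> int:
    """Target file tail derived from the file structure: the end of the last
    section's raw data, i.e. max(PointerToRawData + SizeOfRawData)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    tail = 0
    for i in range(num_sections):
        size_raw, ptr_raw = struct.unpack_from("<II", data, table + 40 * i + 16)
        tail = max(tail, ptr_raw + size_raw)
    return tail


def locate_scheme_one(sample: bytes, tail: int) -> str:
    """Scheme one: file B = sample[header : target tail], rescanned."""
    file_b = sample[:tail]
    return "head_to_target_tail" if engine_is_malicious(file_b) else "overlay"


def locate_scheme_two(sample: bytes, tail: int, white_file: bytes) -> str:
    """Scheme two: file C = known white file + sample[target tail : actual
    tail], rescanned. A hit means the overlay carries the detection."""
    file_c = white_file + sample[tail:]
    return "overlay" if engine_is_malicious(file_c) else "head_to_target_tail"


def should_extract_features(sample: bytes, white_file: bytes):
    """Full flow for one sample. Returns (region, extract_features)."""
    if not engine_is_malicious(sample):
        return "not_malicious", False   # never a feature-extraction candidate
    tail = target_file_tail(sample)
    actual_tail = len(sample)
    if actual_tail == tail:
        # Assumption: the page only describes the inconsistent case; with no
        # overlay there is nothing to disambiguate, so extract as judged.
        return "whole_file", True
    if actual_tail < tail:
        # Assumption: truncated section data; neither scheme applies.
        return "truncated", False
    region = locate_scheme_one(sample, tail)
    # Assumption: if the two schemes disagree the hit spans the boundary;
    # be conservative and do not extract.
    if locate_scheme_two(sample, tail, white_file) != region:
        return "ambiguous", False
    return region, region == "head_to_target_tail"


def make_samples():
    """Constructed inputs mirroring the page's numbers: header at 0x0, target
    file tail 0x1000, actual file tail 0x2000, known white file of 0x100."""
    spec = [(0x400, 0xC00)]                      # one section ending at 0x1000
    head_hit = build_pe(spec, [STAND_IN_SIGNATURE], b"\0" * 0x1000)
    overlay_hit = build_pe(spec, [b"benign section"],
                           STAND_IN_SIGNATURE.ljust(0x1000, b"\0"))
    white = build_pe([(0x80, 0x80)], [b"constructed white file"])
    return head_hit, overlay_hit, white


if __name__ == "__main__":
    head_hit, overlay_hit, white = make_samples()
    for label, s in (("head", head_hit), ("overlay", overlay_hit)):
        print(label, hex(target_file_tail(s)), hex(len(s)),
              should_extract_features(s, white))
```

Running the module prints, for the constructed head-hit sample, a target tail of 0x1000, an actual tail of 0x2000 and a decision to extract, and for the overlay-hit sample the same tails with the decision not to extract; in a real pipeline `engine_is_malicious` is replaced by the scanner call and `white_file` by a clean PE from an allowlist.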
As described above, the automatic feature extraction method for preventing false alarm provided by the embodiment of the present invention splices a new file to be detected according to the file information of the automatic feature sample to be extracted that has been determined to be a black sample meeting the judgment standard, and then performs further detection according to the detection judgment standard to determine the position of the malicious code, so that a white file is not falsely reported and the accuracy of automatic feature extraction for preventing false alarm is improved.
Further, after the position of the malicious code existing in the automatic feature sample file to be extracted is detected, automatic detection features can be extracted from the automatic feature sample file to be extracted, so that the subsequent rapid detection of the sample and similar malicious samples can be achieved according to the automatic detection features.
Example two
As shown in fig. 3, an embodiment of the present invention further provides an automatic feature extraction apparatus 200 for preventing false alarm, including:
the obtaining program unit 210 is configured to obtain, for an automatic feature sample to be extracted, which is determined as a malicious sample by the malicious determination standard library, actual file tail information of the automatic feature sample file to be extracted, and target file tail information obtained by the automatic feature sample structure to be extracted;
a determining program unit 220, configured to determine whether the tail information of the actual file is consistent with the tail information of the target file;
a determining program unit 230, configured to further determine, according to the tail information of the target file, the area where the malicious code is located in the feature sample to be extracted if the actual file tail information is inconsistent with the target file tail information;
the extraction program unit 240, configured to perform a feature extraction operation on the feature sample to be extracted if the area where the malicious code is located is between the head of the automatic feature sample to be extracted and the tail of the target file.
The determining program unit 230 includes:
the splicing program module is used for splicing and generating a target file to be detected based on the head of the automatic feature sample file to be extracted and the tail information of the target file;
the judging program module is used for judging whether the target file to be detected is a malicious file or not according to a malicious judging standard library;
the determining program module, used for determining that the area where the malicious code is located is between the head of the automatic feature sample to be extracted and the tail of the target file if the target file to be detected is malicious.
The extraction program unit 240 is further configured to determine whether to execute an automatic feature extraction operation according to the area of the malicious code in the feature sample to be extracted after determining the area of the malicious code in the feature sample to be extracted.
The apparatus of this embodiment may be configured to implement the technical solution of the method embodiment shown in the first embodiment, and the implementation principle and the technical effect are similar, which are not described herein again.
Example three
Fig. 4 is a schematic structural diagram of an embodiment of an electronic device according to the present invention, and based on the method provided in the first embodiment and the apparatus provided in the second embodiment, an embodiment of the present invention further provides an electronic device, as shown in fig. 4, which can implement the step flow of any one of the embodiments in the first embodiment of the present invention.
The electronic device may include: the device comprises a shell 41, a processor 42, a memory 43, a circuit board 44 and a power circuit 45, wherein the circuit board 44 is arranged inside a space enclosed by the shell 41, and the processor 42 and the memory 43 are arranged on the circuit board 44; a power supply circuit 45 for supplying power to each circuit or device of the electronic apparatus; the memory 43 is used for storing executable program code; the processor 42 executes a program corresponding to the executable program code by reading the executable program code stored in the memory 43, so as to execute the automatic feature extraction method for preventing false alarm according to any of the foregoing embodiments.
For the specific implementation process of the above steps by the processor 42 and the steps further implemented by the processor 42 by running the executable program code, reference may be made to the description of the foregoing embodiments, and details are not repeated here.
The electronic device exists in a variety of forms, including but not limited to:
(1) A mobile communication device: such devices are characterized by mobile communication capabilities and are primarily targeted at providing voice and data communication. Such terminals include: smart phones (e.g., iPhone), multimedia phones, feature phones, and low-end phones, among others.
(2) An ultra mobile personal computer device: such equipment belongs to the category of personal computers, has calculation and processing functions, and generally has mobile internet access. Such terminals include: PDA, MID, and UMPC devices, etc., such as the iPad.
(3) A portable entertainment device: such devices can display and play multimedia content. This type of device includes: audio and video players (e.g., iPod), handheld game consoles, electronic books, smart toys, and portable car navigation devices.
(4) A server: the device for providing the computing service comprises a processor, a hard disk, a memory, a system bus and the like, and the server is similar to a general computer architecture, but has higher requirements on processing capacity, stability, reliability, safety, expandability, manageability and the like because of the need of providing high-reliability service.
(5) Other electronic equipment with a data interaction function.
Example four
An embodiment of the present invention further provides a computer-readable storage medium, where one or more programs are stored, and the one or more programs can be executed by one or more processors to implement any method for extracting an automatic feature that prevents false alarms, which is provided in the foregoing embodiment, so that corresponding technical effects can also be achieved.
To sum up, the method, the device, the electronic device, and the storage medium for extracting automatic features for preventing false alarm provided by the embodiments of the present invention can determine whether a sample file judged to contain malicious code is an automatic feature sample file to be extracted that actually carries the malicious code; if so, a target file to be detected is further spliced according to the information of the automatic feature sample to be extracted, the target file to be detected is judged according to the engine automatic judgment standard in the malicious judgment standard library, and the position of the malicious code is determined, so that a white file is not falsely reported and the accuracy of automatic feature extraction for preventing false alarm is improved.
Furthermore, the automatic feature sample file to be extracted is spliced again to reconstruct a new target file to be detected, the target file to be detected is subjected to rescanning detection based on the malicious judgment standard library, whether malicious codes exist in the automatic feature sample file to be extracted or not can be accurately determined, and the positions of the malicious codes in the automatic feature sample file to be extracted can be located.
Furthermore, an automatic detection feature library can be constructed based on the extracted automatic detection features and applied to updating a malicious judgment standard library, so that the same or similar malicious samples can be conveniently and quickly detected in the follow-up process.
It should be noted that, in this document, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments.
In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
For convenience of description, the above devices are described separately in terms of functional division into various units/modules. Of course, the functionality of the various units/modules may be implemented in the same software and/or hardware in the implementation of the invention.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. An automatic feature extraction method for preventing false alarm is characterized by comprising the following steps:
for the automatic feature sample to be extracted which is judged as a malicious sample by the malicious judgment standard library, acquiring actual file tail information of the automatic feature sample file to be extracted and target file tail information acquired by the automatic feature sample structure to be extracted;
judging whether the tail information of the actual file is consistent with the tail information of the target file;
if the actual file tail information is inconsistent with the target file tail information, further determining, according to the target file tail information, the area where the malicious code is located in the feature sample to be extracted;
and if the area where the malicious code is located is between the head of the automatic feature sample to be extracted and the tail of the target file, performing feature extraction operation on the feature sample to be extracted.
2. The automatic feature extraction method for preventing false alarm according to claim 1, wherein the further determining, according to the tail information of the target file, an area where a malicious code is located in a feature sample to be extracted comprises:
splicing the head of the automatic feature sample to be extracted and the tail information of the target file to generate a target file to be detected;
judging whether the target file to be detected is a malicious file or not according to a malicious judgment standard library;
and if so, determining that the area where the malicious code is located is between the head of the automatic feature sample to be extracted and the tail of the target file.
3. The automatic feature extraction method for preventing false alarm according to claim 1, wherein the further determining, according to the tail information of the target file, an area where a malicious code is located in a feature sample to be extracted comprises:
based on the tail information of the target file of the automatic feature sample to be extracted, splicing binary data between the tail of the target file of the automatic feature sample to be extracted and the tail of the actual file to the tail of the known white file to generate a target file to be detected;
judging whether the target file to be detected is a malicious file or not according to a malicious judgment standard library;
if not, determining the area where the malicious code is located as the space between the head of the automatic feature sample to be extracted and the tail of the target file.
4. The automatic feature extraction method for preventing false alarm according to any one of claims 1 to 3, wherein after determining the area where the malicious code is located in the feature sample to be extracted, the method further comprises:
and determining whether to execute automatic feature extraction operation according to the region of the malicious code in the feature sample to be extracted.
5. The automated feature extraction method against false positives of claim 1, wherein the inconsistency comprises: the actual file tail information is larger than the target file tail information.
6. An automatic feature extraction device for preventing false alarm, characterized by comprising:
the acquisition program unit is used for acquiring the actual file tail information of the automatic feature sample file to be extracted and the target file tail information obtained by the automatic feature sample structure to be extracted for the automatic feature sample to be extracted which is judged as the malicious sample by the malicious judgment standard library;
a judging program unit, configured to judge whether the actual file tail information is consistent with the target file tail information;
the determining program unit, used for further determining, according to the tail information of the target file, the area where the malicious code is located in the feature sample to be extracted if the actual file tail information is inconsistent with the target file tail information;
and the extraction program unit is used for performing feature extraction operation on the feature sample to be extracted if the area where the malicious code is located is between the head of the automatic feature sample to be extracted and the tail of the target file.
7. The automated feature extraction device against false alarms according to claim 6, wherein the determination program unit comprises:
the splicing program module is used for splicing and generating a target file to be detected based on the head of the automatic feature sample file to be extracted and the tail information of the target file;
the judging program module is used for judging whether the target file to be detected is a malicious file or not according to a malicious judging standard library;
and the determining program module, used for determining that the area where the malicious code is located is between the head of the automatic feature sample to be extracted and the tail of the target file if the target file to be detected is malicious.
8. The automatic feature extraction device of claim 6, wherein the extraction program unit is further configured to determine whether to perform an automatic feature extraction operation according to an area of a malicious code in the feature sample to be extracted after determining the area of the malicious code in the feature sample to be extracted.
9. An electronic device, characterized in that the electronic device comprises: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space enclosed by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory, and is used for executing the automatic feature extraction method for preventing false alarm in any one of the preceding claims 1 to 5.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores one or more programs which are executable by one or more processors to implement the automated feature extraction method against false positives as claimed in any one of the preceding claims 1 to 5.

Priority Applications (1)

Application Number: CN202211656879.6A (CN115964708A, en)
Priority Date: 2022-12-22
Filing Date: 2022-12-22
Title: Automatic feature extraction method and device for preventing false alarm, electronic equipment and storage medium

Publications (1)

Publication Number: CN115964708A (en)
Publication Date: 2023-04-14

Family

ID=87352352

Country Status (1)

Country Link
CN (1) CN115964708A (en)

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination