CN116127455B - Virus defense method and device and cloud browser - Google Patents
Virus defense method and device and cloud browser
- Publication number: CN116127455B (application CN202211737917.0A)
- Authority: CN (China)
- Prior art keywords: instruction; encryption algorithm; matching; instruction set; virus
- Legal status: Active
Classifications
- G06F21/566: Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities (under G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements; G06F21/55 Detecting local intrusion or implementing counter-measures; G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems)
- G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities (under G06F21/50)
- G06F21/602: Providing cryptographic facilities or services (under G06F21/60 Protecting data)
- G06F21/76: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information in application-specific integrated circuits [ASIC] or field-programmable devices, e.g. field-programmable gate arrays [FPGA] or programmable logic devices [PLD] (under G06F21/71 and G06F21/70)
All of the above fall under G06F21/00, Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity (G06F Electric digital data processing; G06 Computing, calculating or counting; G Physics).
Abstract
The invention provides a virus defense method, a device, a cryptographic device, a service platform, a system and a storage medium. The virus defense method comprises the following steps: acquiring an operation instruction stream; identifying the operation instruction stream and matching the identified instruction features against a preset instruction set corresponding to a known encryption algorithm, the preset instruction set also carrying an instruction set label; if the match succeeds, allowing the operation instruction stream to execute according to the instruction set label; if the match fails, blocking execution of the operation instruction stream so as to defend against the virus. By presetting the instruction set of a known encryption algorithm and using it to identify the real-time operation instruction stream, the method performs feature analysis on the core attack behaviour of the virus (the encryption itself), improves the accuracy of virus identification, blocks the attack behaviour in time, and fundamentally improves the targeting and effectiveness of virus monitoring, prevention and control.
Description
Technical Field
The invention relates to the technical field of information security, in particular to a virus defense method, a device, a cloud browser, corresponding electronic equipment and a storage medium.
Background
Virus defense is a key link in guaranteeing system security. The virus addressed here is a novel kind of computer virus, transmitted mainly by mail, program Trojans and web-page Trojans. Such viruses encrypt important files using various encryption algorithms, and the infected party is generally unable to decrypt them. The virus is vicious and extremely dangerous; once infected, a user suffers immeasurable losses.
In the related art, viruses are defended against by monitoring suspicious processes in system memory, unauthorised file traversal and retrieval, and abnormal API calls, or by analysing and identifying particular virus models or code features. However, all of these methods are based on traditional network security and on the peripheral operating characteristics of the virus, and in order to enhance concealment and confusion, viruses usually produce different variants during propagation and attack. For example: when a virus is analysed and identified by the behavioural characteristics of its program execution, if the virus adds obfuscated code, instruction jumps or interfering steps so that its code features vary, the identification precision is insufficient and accurate judgement and defense become difficult. Likewise, a method that judges suspicious processes in memory by unauthorised file retrieval can fail because the virus changes its file search and attack order. As a further example, a method that analyses the virus's abnormal API calls requires statistical analysis of encountered or known viruses; it is effective only against known viruses, is one-sided and lags behind, and if an unknown virus changes its API calling pattern it cannot be identified. Defense based on the peripheral operating characteristics of the virus therefore cannot identify the virus in time, and the purpose of protecting against the virus cannot be achieved.
Disclosure of Invention
The invention provides a virus defense method, a device, cryptographic equipment, a service platform, a system and a storage medium, which are used to overcome the defect that some viruses based on an encryption algorithm, when defended against according to peripheral operating characteristics, cannot be identified in time for virus protection.
The invention provides a virus defense method, which comprises the following steps:
acquiring an operation instruction stream;
identifying the operation instruction stream, and matching the identified instruction characteristics with a preset instruction set corresponding to a known encryption algorithm, wherein the preset instruction set is also provided with an instruction set label;
if the matching is successful, allowing the operation instruction stream to be executed according to the instruction set label;
if the matching is unsuccessful, the execution of the operation instruction stream is blocked to defend against viruses.
Optionally, the method further comprises: different matching strategies are preset according to different known encryption algorithms;
correspondingly, the identified instruction features are matched with a preset instruction set corresponding to the known encryption algorithm according to a matching strategy corresponding to the known encryption algorithm.
Optionally, matching the identified instruction features with a preset instruction set corresponding to a known encryption algorithm comprises:
matching the identified instruction features with the preset instruction set corresponding to the known encryption algorithm;
where the instruction features match specific instructions in the instruction set, acquiring the number of loop rounds executed by the matched specific instructions;
and determining whether the match is successful according to that number of loop rounds.
Optionally, the operation instruction stream is identified by using an encryption algorithm identification model, and the identified instruction features are matched with a preset instruction set corresponding to a known encryption algorithm, wherein the encryption algorithm identification model is obtained based on instruction feature training when the known encryption algorithm is executed.
Optionally, the encryption algorithm recognition model is further trained based on different system architectures, and the operation instructions and the scheduling manners of the operation instructions are different when the same known encryption algorithm is executed by the different system architectures.
The invention also provides a virus defending device, which comprises:
the acquisition module is used for acquiring an operation instruction stream;
the identification module is used for identifying the operation instruction stream;
the matching module is used for matching the identified instruction features with a preset instruction set corresponding to a known encryption algorithm, the instruction set being provided with an instruction set label;
and the calling module is used for allowing the operation instruction stream to execute according to the instruction set label when the match is successful, and for blocking execution of the operation instruction stream to defend against viruses when the match is unsuccessful.
Optionally, the device further comprises a preset module, wherein the preset module pre-generates a corresponding instruction set according to different known encryption algorithms and correspondingly presets different matching strategies;
correspondingly, the matching module matches the identified instruction features with a preset instruction set corresponding to the known encryption algorithm according to a matching strategy corresponding to the known encryption algorithm.
Optionally, the matching module includes:
the instruction set matching submodule is used for matching the identified instruction features with a preset instruction set corresponding to a known encryption algorithm;
the instruction loop-count acquisition sub-module is used for acquiring the number of loop rounds executed by the matched specific instruction when the instruction features match a specific instruction in the instruction set;
and the loop-round matching sub-module is used for determining whether the match is successful according to the number of loop rounds.
Optionally, the identification module and the matching module are implemented by using an encryption algorithm identification model, wherein the encryption algorithm identification model is obtained based on instruction feature training when the encryption algorithm is executed.
Optionally, the encryption algorithm recognition model is further trained based on different system architectures, and the operation instructions or/and scheduling modes of the operation instructions are different when the same encryption algorithm is executed by the different system architectures.
Optionally, the virus defense device is arranged on the server side, and the server further comprises a dedicated cryptographic device for encrypting the data layer based on the invoked encryption algorithm, the dedicated cryptographic device comprising a dedicated cryptographic card.
Optionally, the virus defense device is arranged on the server side and comprises an encryption instruction generating module, which generates an encryption instruction based on the invoked encryption algorithm; the encryption instruction is executed by a dedicated cryptographic device on the user side, the dedicated cryptographic device comprising a dedicated FPGA.
The invention also provides a cloud browser, which executes the virus defense method when accessing the link address, encrypts and decrypts the data layer according to an encryption algorithm corresponding to the operation instruction stream, and does not execute encryption or decryption on the data layer by a local browser corresponding to the cloud browser.
The invention also provides an electronic device comprising a memory, a processor and a computer program stored on the memory and executable by the processor, the computer program performing the virus protection method as described above.
The present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the aforementioned virus protection method.
According to the virus defense method and device provided by the invention, the data-encryption modes of an encryption algorithm are refined into the corresponding rules and features of the operating instructions of operating systems and CPUs of various architectures, and an illegal encryption instruction is judged by how well the instruction features in the operating instruction stream match the instruction set of the preset encryption algorithm. The virus can thus be effectively identified with high accuracy, its attack action can be blocked in time, and the capability to monitor, prevent and control the virus is fundamentally improved.
Drawings
In order to more clearly illustrate the invention or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of a virus defense method provided by the invention;
FIG. 2 is a schematic diagram of the functional structure of the virus protection device provided by the invention;
FIG. 3 is a schematic functional structure diagram of the virus protection system provided by the invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In the invention, analysis of the attack process of the virus shows that behaviours such as penetration and spreading, traversal search and code camouflage in the early stage of the attack are peripheral preparation and self-protection, while the final encryption of the data is the core operation. The peripheral preparation and protection can be adjusted and changed at will and vary greatly, whereas the data is encrypted with one of only a few accepted encryption algorithms, so that part is relatively fixed.
Analysis of the data-encryption behaviour shows that a specific encryption algorithm refines its data-encryption mode into corresponding rules and features of the operation instructions. For example, the features of a symmetric encryption algorithm (key expansion, byte substitution, row shifting, column mixing, round-key addition and so on) are its transformation mode, its fixed-size data blocks, its fixed number of round iterations, and the like. These appear as regular instruction features in the CPU operation instruction stream and in the FPGA operation instruction stage. Starting from the known encryption algorithms, the invention provides a virus defense method and device that track and analyse the instruction features of the final data-encryption behaviour, and thereby achieve timely monitoring, early warning and effective protection against the virus.
Fig. 1 is a flowchart of a virus defense method provided by the present invention, and as shown in fig. 1, the virus defense method provided by the present invention includes:
step 101, obtaining an operation instruction stream;
step 102, identifying the operation instruction stream, and matching the identified instruction features with a preset instruction set corresponding to a known encryption algorithm, wherein the preset instruction set is also provided with an instruction set tag;
step 103, if the matching is successful, allowing the operation instruction stream to be executed according to the instruction set tag;
and step 104, if the matching is unsuccessful, blocking the execution of the operation instruction stream to defend against viruses.
In the method, an instruction set is formed and an instruction set label is set according to the rules and features of the operation instructions of each known encryption algorithm; by matching the operation instruction stream against the labelled instruction sets, illegal encryption behaviour can be effectively identified and warned of, and it can be judged which known encryption algorithm a legal encryption operation corresponds to. By performing feature analysis on the core encryption behaviour, the invention improves the accuracy of analysis and monitoring and can effectively block the virus from completing its attack.
In step 101, an operation instruction stream of a processor is obtained, and then identification and early warning of core encryption behavior can be directly implemented through analysis of the operation instruction stream.
In step 102, matching the identified instruction features with a preset instruction set corresponding to a known encryption algorithm comprises:
matching the identified instruction features with the preset instruction set corresponding to the known encryption algorithm;
where the instruction features match specific instructions in the instruction set, acquiring the number of loop rounds executed by the matched specific instructions;
and determining whether the match is successful according to that number of loop rounds.
As a first embodiment, analysis of the CPU instructions of the SM4 encryption algorithm finds that the following specific instructions occur within a certain period:
(1) a staggered exclusive-OR of four-byte words, carried out for 32 consecutive rounds;
(2) a single reverse-order transformation;
(3) byte substitution in which the correspondence of the substitution S-box conforms to the known SM4 S-box table.
If the above instruction operations occur together within a fixed period, the SM4 encryption algorithm can be preliminarily determined.
In this embodiment, the above three specific instructions are taken as the instruction set of the SM4 encryption algorithm and given the instruction set tag SM4. If the instruction set formed by these three specific instructions is matched, concentrated and in succession, in the obtained operation instruction stream within a fixed period, the match is considered successful.
As a second embodiment, analysis of the CPU instructions of the AES encryption algorithm finds that the following four specific instructions occur within a certain period:
(1) a byte substitution operation in which the correspondence of the substitution S-box conforms to the known AES S-box table;
(2) a row shift operation on the state matrix, in which row 0 of the state matrix is shifted left by 0 bytes, row 1 by 1 byte, row 2 by 2 bytes and row 3 by 3 bytes;
(3) a column mixing operation in which the row-shifted state matrix is multiplied by a fixed matrix (not reproduced on this page);
(4) a bitwise exclusive-OR of the column-mixed matrix with the round key.
If the above four instructions occur in succession within a fixed period, the AES encryption algorithm can be preliminarily determined. Further, if the same operation is performed for 10 rounds it may be denoted AES128; for 12 rounds, AES192; and for 14 rounds, AES256.
By these specific technical means, matching of the number of loop rounds further assists in identifying the features of the instruction stream, so that the matched encryption algorithm can be accurately identified.
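The AES feature checks of the second embodiment (S-box conformance, row shift offsets, the fixed mixing matrix, and the round count that yields the AES128/192/256 tag), as an added example that is not the patent's code. The event format is an assumption: each operation instruction is a dict with an "op" name and the attributes the checker needs (a sample of observed substitution pairs, the row shifts, the mixing matrix); the reference S-box is computed from its definition rather than typed in, and the sample streams are constructed. One caveat the page does not state: the last round of a real AES implementation omits column mixing, so the round counter also accepts a trailing round without it.

```python
# Added example, not the patent's code. Event format and sample streams are
# assumptions constructed for this illustration.

AES_ROUND_PATTERN = ("sbox_subst", "shift_rows", "mix_columns", "add_round_key")
AES_FINAL_ROUND_PATTERN = ("sbox_subst", "shift_rows", "add_round_key")
AES_MIX_MATRIX = ((2, 3, 1, 1), (1, 2, 3, 1), (1, 1, 2, 3), (3, 1, 1, 2))
AES_SHIFT_OFFSETS = (0, 1, 2, 3)          # row i shifted left by i bytes
ROUNDS_TO_LABEL = {10: "AES128", 12: "AES192", 14: "AES256"}


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return result & 0xFF


def aes_sbox():
    """Build the standard AES S-box from its definition: multiplicative inverse
    in GF(2^8) followed by the affine map (inverse XOR its four left rotations
    XOR 0x63). Used as the reference table for the conformance check."""
    table = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
        s = inv
        for k in range(1, 5):
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        table.append(s ^ 0x63)
    return table


def is_aes_round(window, sbox, final=False):
    """True if `window` is one AES round whose attributes conform: observed
    substitutions agree with the AES S-box, the row shifts are (0,1,2,3) and the
    mixing matrix is the fixed AES one (no mixing in the final round)."""
    pattern = AES_FINAL_ROUND_PATTERN if final else AES_ROUND_PATTERN
    if tuple(e["op"] for e in window) != pattern:
        return False
    by_op = {e["op"]: e for e in window}
    sbox_ok = all(sbox[x] == y for x, y in by_op["sbox_subst"]["pairs"])
    shift_ok = tuple(by_op["shift_rows"]["shifts"]) == AES_SHIFT_OFFSETS
    mix_ok = final or tuple(map(tuple, by_op["mix_columns"]["matrix"])) == AES_MIX_MATRIX
    return sbox_ok and shift_ok and mix_ok


def count_aes_rounds(stream, sbox):
    """Longest run of consecutive conforming AES rounds in the stream."""
    best = run = i = 0
    while i < len(stream):
        if is_aes_round(stream[i:i + 4], sbox):
            run, i = run + 1, i + 4
        elif run and is_aes_round(stream[i:i + 3], sbox, final=True):
            run, i = run + 1, i + 3          # a final round ends the run
            best, run = max(best, run), 0
        else:
            best, run, i = max(best, run), 0, i + 1
    return max(best, run)


def classify_aes(stream, sbox=None):
    """Instruction-set tag (AES128/AES192/AES256) or None when the stream does
    not show the AES round pattern with a standard round count."""
    sbox = sbox if sbox is not None else aes_sbox()
    return ROUNDS_TO_LABEL.get(count_aes_rounds(stream, sbox))


def sample_aes_stream(rounds, sbox, final_round_full=True, tamper=False):
    """Constructed operation-instruction stream of `rounds` AES rounds. `tamper`
    flips one observed substitution output, mimicking a non-standard S-box."""
    pairs = [(0x00, sbox[0x00]), (0x01, sbox[0x01]), (0x53, sbox[0x53])]
    if tamper:
        pairs[2] = (0x53, sbox[0x53] ^ 0x01)
    full = [
        {"op": "sbox_subst", "pairs": pairs},
        {"op": "shift_rows", "shifts": AES_SHIFT_OFFSETS},
        {"op": "mix_columns", "matrix": AES_MIX_MATRIX},
        {"op": "add_round_key"},
    ]
    stream = full * (rounds if final_round_full else rounds - 1)
    if not final_round_full:
        stream += [full[0], full[1], full[3]]   # last round without mixing
    return stream


if __name__ == "__main__":
    sbox = aes_sbox()
    print(classify_aes(sample_aes_stream(10, sbox), sbox))                       # AES128
    print(classify_aes(sample_aes_stream(10, sbox, tamper=True), sbox))          # None
```

A stream with a tampered substitution table yields no tag even though the four-instruction shape is right, which is the point of checking the S-box correspondence rather than only the op sequence; a run of 11 rounds likewise yields no tag, because the round count is part of the match.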
Study of the implementation of known encryption algorithms shows that each algorithm is implemented differently from the others, and that an operation-instruction feature tag may comprise an instruction name, an instruction execution sequence and the number of times a group of instructions loops. Instruction feature recognition and matching therefore cannot be judged by a single percentage score; instead a matching strategy is arranged specifically for the features of each algorithm. Preferably, step 102 further comprises: presetting different matching strategies for different known encryption algorithms; correspondingly, the identified instruction features are matched with the preset instruction set of a known encryption algorithm according to the matching strategy of that algorithm. Adapting the strategy to each algorithm improves identification and matching efficiency and effectively improves monitoring accuracy.
For example, in the AES case explained above, at least the four specific instruction features must be satisfied to preliminarily determine a successful match, and the match is then confirmed with the aid of conditions such as the number of rounds. For the SM4 algorithm, the match is judged successful if at least the three operation instruction features are satisfied within a fixed time period.
As a specific implementation, an encryption algorithm recognition model may be used to carry out step 102 and directly output the determination of whether the match is successful.
The operation instruction stream is identified by an encryption algorithm recognition model, and the identified instruction features are matched with the preset instruction set of a known encryption algorithm, the model having been trained on the instruction features exhibited when the known encryption algorithm is executed.
Machine learning is a way of quickly and efficiently judging, from known encryption behaviour, whether an encryption request is legal. The input of the encryption algorithm recognition model is a continuous CPU operation instruction stream, and the output is a definite judgement of which encryption algorithm it is.
Different system architectures often use different operation instructions and/or schedule them differently when executing the same known encryption algorithm. The encryption algorithm recognition model is therefore trained on different system architectures, which adapts the model to processors of different architectures and facilitates quick and efficient recognition.
Because CPUs of different architectures have different instruction sets and different instruction scheduling, identifying the operation instruction stream requires recognising instruction continuity and validity on each architecture, the uniqueness of the instruction subject, the distinction between an operation instruction and a data variable, and other complex conditions. The model training data therefore comprises, for CPUs of different architectures, the operation instructions corresponding to the various encryption algorithms, their scheduling, the instruction execution subject and the data variables; the encryption algorithm recognition model is trained thoroughly on this data until it gradually reaches the required automatic recognition precision.
In one embodiment, the encryption algorithm recognition model identifies that the operation instruction stream includes four specific instructions:
(1) a byte substitution operation instruction in which the correspondence of the substitution S-box conforms to the known AES S-box table;
(2) a row shift operation instruction on the state matrix, in which row 0 of the state matrix is shifted left by 0 bytes, row 1 by 1 byte, row 2 by 2 bytes and row 3 by 3 bytes;
(3) a column mixing operation instruction in which the row-shifted state matrix is multiplied by a preset fixed matrix;
(4) a bitwise exclusive-OR instruction of the column-mixed matrix with the round key.
If these four instructions are recognised as occurring in succession within a fixed period, it may be preliminarily determined that the CPU is currently performing AES encryption. Further, if the instruction loop is recognised as running for 10 rounds, the model outputs the operation instruction feature tag AES128.
In another embodiment of the invention, the encryption algorithm recognition model identifies that the operation instruction stream includes the following specific instructions:
(1) a staggered exclusive-OR operation instruction on four-byte words, for 32 consecutive rounds;
(2) a reverse-order transformation instruction;
(3) a byte substitution operation instruction in which the correspondence of the substitution S-box conforms to the known SM4 S-box table.
If these instruction operations are recognised as occurring together within a fixed period, the model outputs the operation instruction feature tag SM4.
It can be seen from the above embodiments that, for different known encryption algorithms, different matching strategies are applied when matching the features of the operation instruction stream against the instruction set, which saves processing resources and gives accurate identification.
The encryption algorithm recognition model can handle the various complex conditions of CPUs with different structures, such as the number of consecutive occurrences of an instruction, the instruction subject, operation instructions and data variables, and so realises an intelligent virus defense method.
As a specific embodiment, the instruction set and the matching policy corresponding to each known encryption algorithm are stored in an encryption algorithm feature library, and the encryption algorithm feature library preferably maintains a continuously updated state, so as to ensure that the known encryption algorithm is comprehensively covered to avoid misjudgment. The known encryption algorithms include, but are not limited to: symmetric encryption algorithm, asymmetric encryption algorithm, international encryption algorithm, etc., wherein the asymmetric encryption algorithm comprises SM2 algorithm, SM3 algorithm, SM4 algorithm, etc.
In this embodiment an encryption algorithm whitelist is stored in advance in the encryption algorithm feature library. The identified operation instruction features are matched against the whitelisted encryption algorithm instruction sets; if the matching succeeds, the operation instructions currently executed by the CPU are legitimate encryption algorithm instructions, no blocking is performed, and the operation instruction stream is allowed to execute so as to encrypt the data layer.
If the instruction names, instruction execution order and loop counts of the several instruction loops in the operation instruction stream cannot be matched against those of any known encryption algorithm in the feature library (that is, against the stored instruction set data structure of each known algorithm), the operation instructions executed by the CPU are not legitimate encryption algorithm instructions. To prevent a virus attack, the currently executing operation instruction stream is blocked, which achieves effective protection against viruses.
As a preferred embodiment, the invention further comprises: after an operation instruction that failed to match has been prevented from executing, if later feedback shows that it was not a virus, the encryption algorithm feature library is updated by adding a new instruction set tag corresponding to the features of that operation instruction, so that the feature library is continuously refreshed and the accuracy of virus identification improves.
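The two matching strategies above (AES by round count, SM4 by round count plus S-box check), the whitelist decision and the feedback update can be put together as a small feature-library matcher. The following is an added example written for this page, not code from the patent. It assumes a constructed trace format (a list of (mnemonic, operand) pairs from a hypothetical instruction-stream recorder) with placeholder mnemonics such as sub_bytes, add_round_key, xor4, sbox and reverse standing in for the operations the text describes, and it generalises the AES strategy by mapping 10, 12 and 14 total rounds to AES128, AES192 and AES256. The SM4 check compares the observed substitution table against the first 16 entries of the standard SM4 S-box.

```python
"""Toy instruction-stream matcher for the feature-library scheme above.

Added example, not code from the patent. It assumes a constructed trace
format (a list of (mnemonic, operand) pairs from a hypothetical
instruction-stream recorder); mnemonics such as "sub_bytes" or "xor4" are
placeholder names for the operations the text describes, not ISA opcodes.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# First 16 entries of the SM4 S-box (GB/T 32907-2016), used here as a prefix
# fingerprint. A production checker compares all 256 entries.
SM4_SBOX_PREFIX = bytes.fromhex("d690e9fecce13db716b614c228fb2c05")


@dataclass
class Rule:
    """One feature-library entry: an instruction set plus its matching strategy."""
    round_ops: tuple                      # mnemonics forming one loop round, in order
    rounds_to_tag: dict                   # accepted total round count -> instruction set tag
    final_ops: tuple = ()                 # mnemonics that must follow the loop
    final_is_round: bool = False          # whether final_ops counts as one more round
    check: Optional[Callable] = None      # extra per-algorithm validation of the loop body


def ops(trace, i, j):
    """Mnemonics of trace[i:j] as a tuple."""
    return tuple(m for m, _ in trace[i:j])


def count_rounds(trace, round_ops, start):
    """Count back-to-back repetitions of round_ops in trace from index start."""
    n, i, rounds = len(round_ops), start, 0
    while ops(trace, i, i + n) == round_ops:
        rounds, i = rounds + 1, i + n
    return rounds, i


def match_rule(trace, rule):
    """Apply one rule's strategy: instruction set, then loop count, then extra check."""
    n = len(rule.round_ops)
    for start in range(len(trace)):
        if start >= n and ops(trace, start - n, start) == rule.round_ops:
            continue                      # inside a run already counted from its start
        rounds, end = count_rounds(trace, rule.round_ops, start)
        if rounds == 0:
            continue
        if rule.final_ops and ops(trace, end, end + len(rule.final_ops)) != rule.final_ops:
            continue
        total = rounds + (1 if rule.final_ops and rule.final_is_round else 0)
        tag = rule.rounds_to_tag.get(total)
        if tag is None or (rule.check and not rule.check(trace[start:end])):
            continue
        return tag
    return None


def sm4_sbox_check(loop_body):
    """Every 'sbox' instruction in the loop must carry SM4's substitution table."""
    tables = [operand for m, operand in loop_body if m == "sbox"]
    return bool(tables) and all(t[:16] == SM4_SBOX_PREFIX for t in tables)


# Feature library: AES is 9/11/13 full rounds plus a final round without column
# mixing (10/12/14 rounds in total); SM4 is 32 rounds followed by a reverse
# transformation, with the S-box compared against the known table.
FEATURE_LIBRARY = [
    Rule(round_ops=("sub_bytes", "shift_rows", "mix_columns", "add_round_key"),
         final_ops=("sub_bytes", "shift_rows", "add_round_key"), final_is_round=True,
         rounds_to_tag={10: "AES128", 12: "AES192", 14: "AES256"}),
    Rule(round_ops=("xor4", "sbox"), final_ops=("reverse",),
         rounds_to_tag={32: "SM4"}, check=sm4_sbox_check),
]
WHITELIST = {"AES128", "AES192", "AES256", "SM4"}


def classify(trace, library=FEATURE_LIBRARY):
    """Return the instruction set tag of the first matching rule, or None."""
    for rule in library:
        tag = match_rule(trace, rule)
        if tag is not None:
            return tag
    return None


def decide(trace, library=FEATURE_LIBRARY, whitelist=WHITELIST):
    """Allow a stream whose tag is whitelisted; block anything unmatched."""
    tag = classify(trace, library)
    return ("allow" if tag in whitelist else "block", tag)


def promote_after_feedback(library, whitelist, rule, tag):
    """Feedback said a blocked stream was benign: register its instruction set
    in the library and whitelist its tag (the update step described in the text)."""
    library.append(rule)
    whitelist.add(tag)


# Constructed traces (not captured from real software).
def aes_trace(full_rounds):
    rnd = [("sub_bytes", None), ("shift_rows", None), ("mix_columns", None), ("add_round_key", None)]
    return [("add_round_key", None)] + rnd * full_rounds + rnd[:2] + rnd[3:]


def sm4_trace(sbox=SM4_SBOX_PREFIX):
    return [("xor4", None), ("sbox", sbox)] * 32 + [("reverse", None)]


if __name__ == "__main__":
    print(decide(aes_trace(9)))                     # ('allow', 'AES128')
    print(decide(sm4_trace()))                      # ('allow', 'SM4')
    print(decide(sm4_trace(bytes(range(16)))))     # ('block', None): S-box is not SM4's
```

Each rule is one entry of the feature library and carries its own strategy: the instruction set (round_ops and final_ops), the accepted loop counts, and an optional extra check. match_rule only starts counting at the beginning of a maximal run of rounds, so a stream with eleven full AES rounds is not accepted as AES128 on the strength of its last nine. A stream whose S-box differs from SM4's is blocked until feedback promotes a rule for it into the library.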
For viruses built on an unknown encryption algorithm, which under normal circumstances have not been proven in real attacks, a brute-force decryption approach can be adopted to reduce the loss even if the virus monitoring method of this embodiment fails to prevent them. Note that brute force is only practical where the virus's cipher or key handling is weak; against a correctly implemented modern cipher the key space is out of reach.
According to the virus defense method of these embodiments, the real-time operation instruction stream is analysed for the features of a virus's core attack behaviour using instruction sets that embody the characteristics of known encryption algorithms. This improves the accuracy of virus identification, allows the attack behaviour to be blocked in time, and fundamentally improves the targeting and effectiveness of virus monitoring, prevention and control.
It should be noted that, whatever means is used to verify and identify the encryption algorithm, any related technique that identifies and protects against the instruction features of an encryption algorithm used by a virus falls within the protection scope of the invention.
The virus protection device provided by the invention is described below; the device and the virus protection method described above correspond to each other and may be read in conjunction.
Fig. 2 is a functional block diagram of a virus protection device according to an embodiment of the present invention, and as shown in fig. 2, the virus protection device according to an embodiment of the present invention includes:
an obtaining module 201, configured to obtain an operation instruction stream;
an identification module 202, configured to identify the operation instruction stream;
the matching module 203 is configured to match the identified instruction feature with a preset instruction set corresponding to a known encryption algorithm, where the instruction set is provided with an instruction set tag;
and a calling module 204, which allows the execution of the operation instruction stream according to the instruction set label under the condition that the matching is successful, and blocks the execution of the operation instruction stream to defend viruses under the condition that the matching is unsuccessful.
The virus defense device of the invention obtains an operation instruction stream, identifies the operation instruction feature tag in it, and matches that tag against a preset encryption algorithm feature library. If the matching fails, execution of the operation instruction stream is blocked. Because the feature tags of the operation instructions are identified, the core attack behaviour of a virus is analysed by its features, which improves the accuracy of virus identification, allows the attack behaviour to be blocked in time, and fundamentally improves the targeting and effectiveness of virus monitoring, prevention and control.
Optionally, the device further comprises a preset module, wherein the preset module pre-generates a corresponding instruction set according to different known encryption algorithms and correspondingly presets different matching strategies. Correspondingly, the matching module matches the identified instruction features with a preset instruction set corresponding to the known encryption algorithm according to a matching strategy corresponding to the known encryption algorithm.
Optionally, the matching module includes:
an instruction set matching sub-module, which matches the identified instruction features against a preset instruction set corresponding to a known encryption algorithm;
a loop round count acquisition sub-module, which, when the instruction features match specific instructions in the instruction set, acquires the number of loop rounds executed by the matched specific instructions;
and a loop round count matching sub-module, which determines whether the matching is successful according to the number of loop rounds.
Optionally, the identification module and the matching module are implemented with an encryption algorithm identification model trained on the instruction features observed when encryption algorithms are executed.
Optionally, the encryption algorithm identification model is further trained on different system architectures, since the operation instructions executed and/or the way they are scheduled differ between architectures when the same encryption algorithm runs.
To cope with Web attacks, the invention also provides a cloud browser that performs the virus protection method described above when it accesses a link address. The cloud browser encrypts and decrypts the data layer according to the encryption algorithm corresponding to the operation instruction stream, while the local browser paired with it performs no encryption or decryption of the data layer.
Remote browser isolation (RBI) is a proven technology that can protect a client's information systems safely and efficiently across many security domains, including application servers, terminals, mail and documents.
When links are accessed through remote browser isolation, the local browser executes no dynamic scripts and only re-renders the sanitised visual code of the web page. Because the local browser executes no dynamic scripts, malicious scripts cannot obtain the local browser's credentials and cannot exploit zero-day vulnerabilities in the local terminal environment. A processing centre is built in the isolation platform's containerised environment using its remote browser technology, and the rendered image is transmitted to the user's browser: the image is delivered with VDI technology, the execution result is converted into a DOM tree visual code, and that code is re-rendered as a web page mirror in the local browser using HTML5, so that there is no source code interaction and the business website is completely isolated from the endpoint.
In this embodiment an "irregular detection" protection means is applied: the end user's Internet browsing session is isolated from the enterprise endpoint and the enterprise network using the isolated browsing function of remote browser isolation, so malware is kept away from the end user's system, the enterprise's exposure to virus attack is greatly reduced, and the risk of attack is shifted to the server-side session, thereby avoiding damage.
As another implementation, the virus defense device is deployed on the server side, and the server further comprises a dedicated cryptographic device, such as a dedicated cryptographic card, that encrypts the data layer using the invoked encryption algorithm. In this embodiment malware is kept away from the end user's system, the user side's exposure to virus attack is greatly reduced, and the risk of attack is shifted to the server, thereby avoiding damage.
As a third embodiment, the virus protection device is deployed on the server side and includes an encryption instruction generation module, which generates encryption instructions based on the invoked encryption algorithm; these instructions are executed by a dedicated cryptographic device on the user side, such as a dedicated FPGA. In this embodiment the server hosting the virus protection device forms a cryptographic service platform, and the dedicated cryptographic device executes only the cryptographic instructions sent by that platform, which prevents the client side from being attacked by the virus.
As a specific embodiment, the invention also proposes a virus defense system, shown in Fig. 3. In terms of functional architecture, the system comprises an application layer, a cryptographic service platform, dedicated cryptographic hardware and a data layer. The application layer comprises several systems (application software). The cryptographic service platform provides a cryptographic service interface and connects to each system to obtain its operation instruction stream; it identifies the stream and matches the identified instruction features against the preset instruction sets (each carrying an instruction set tag) corresponding to known encryption algorithms. If the matching succeeds, the dedicated cryptographic device (which includes a dedicated cryptographic instruction suite) is called according to the identified known encryption algorithm to execute the operation instruction stream and encrypt the corresponding data in the data layer; if the matching fails, the operation instruction stream is judged to be a virus and its execution is blocked. The virus defense system can be implemented entirely on the server side or on the user terminal; it identifies the operation instruction streams initiated by each application-layer system and judges them against the preset instruction sets to determine whether a virus attack is under way and to protect the data layer.
The invention also provides an electronic device comprising a memory, a processor and a computer program stored on the memory and executable by the processor, the computer program performing the virus protection method as described above.
The present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the aforementioned virus protection method.
The apparatus embodiments described above are merely illustrative, in that the modules illustrated as separate components may or may not be physically separate, i.e., may be located in one place, or may be distributed over a network system. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on such understanding, the foregoing technical solutions may be embodied essentially or in part in the form of a software product, which may be stored in a computer-readable storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform the various embodiments or methods of some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (13)
1. A method of protecting against viruses, comprising:
different matching strategies are preset according to different known encryption algorithms;
acquiring an operation instruction stream;
identifying the operation instruction stream, and matching the identified instruction features with a preset instruction set corresponding to a known encryption algorithm according to a matching strategy corresponding to the known encryption algorithm, wherein the preset instruction set is also provided with an instruction set tag;
if the matching is successful, allowing the operation instruction stream to be executed according to the instruction set label;
if the matching is unsuccessful, blocking the execution of the operation instruction stream to defend viruses;
the matching of the identified instruction features with a preset instruction set corresponding to a known encryption algorithm according to a matching strategy corresponding to the known encryption algorithm comprises the following steps:
matching the identified instruction features with a preset instruction set corresponding to a known encryption algorithm;
in the case that the instruction features match specific instructions in the instruction set, acquiring the number of loop rounds executed by the matched specific instructions;
and determining whether the matching is successful according to the number of loop rounds.
2. The virus defense method according to claim 1, wherein the operation instruction stream is identified by an encryption algorithm identification model and the identified instruction features are matched with a preset instruction set corresponding to a known encryption algorithm, wherein the encryption algorithm identification model is obtained based on instruction feature training when the known encryption algorithm is executed.
3. The method of claim 2, wherein the encryption algorithm identification model is further trained based on different system architectures, which execute different operation instructions and/or schedule the operation instructions differently when executing the same known encryption algorithm.
4. A virus protection device, the device comprising:
the preset module is used for generating a corresponding instruction set in advance according to different known encryption algorithms and presetting different matching strategies correspondingly;
the acquisition module is used for acquiring an operation instruction stream;
the identification module is used for identifying the operation instruction stream;
the matching module is used for matching the identified instruction features with a preset instruction set corresponding to the known encryption algorithm according to a matching strategy corresponding to the known encryption algorithm, and the instruction set is provided with an instruction set tag;
the calling module is used for allowing the operation instruction stream to execute according to the instruction set label under the condition that the matching is successful, and blocking the execution of the operation instruction stream to defend viruses under the condition that the matching is unsuccessful;
the matching module comprises:
the instruction set matching submodule is used for matching the identified instruction features with a preset instruction set corresponding to a known encryption algorithm;
a loop round count acquisition sub-module, which, when the instruction features match specific instructions in the instruction set, acquires the number of loop rounds executed by the matched specific instructions;
and a loop round count matching sub-module, which determines whether the matching is successful according to the number of loop rounds.
5. The virus protection device of claim 4, wherein the identification module and the matching module are implemented using an encryption algorithm identification model, wherein the encryption algorithm identification model is based on instruction feature training when the encryption algorithm is executed.
6. The virus protection device of claim 5, wherein the encryption algorithm identification model is further trained based on different system architectures, which execute different instructions and/or schedule the instructions differently when executing the same encryption algorithm.
7. The virus protection device according to claim 4, wherein the virus protection device is disposed at a server side, and the server further comprises a dedicated cryptographic device for encrypting the data layer based on the invoked encryption algorithm.
8. The virus protection apparatus of claim 7, wherein the dedicated cryptographic device comprises a dedicated cryptographic card.
9. The virus protection device according to claim 4, wherein the virus protection device is provided at a server side, and the virus protection device includes an encryption instruction generation module that generates an encryption instruction based on a called encryption algorithm, the encryption instruction being executed by a dedicated cryptographic apparatus at a user side.
10. The virus protection apparatus of claim 9, wherein the dedicated cryptographic device comprises a dedicated FPGA.
11. A cloud browser, wherein the virus defense method according to any one of claims 1 to 3 is performed when the cloud browser accesses a link address, the cloud browser encrypts and decrypts the data layer according to an encryption algorithm corresponding to the operation instruction stream, and a local browser corresponding to the cloud browser does not encrypt or decrypt the data layer.
12. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable by the processor, the computer program performing the virus protection method of any one of claims 1-3.
13. A non-transitory computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the virus protection method according to any one of claims 1 to 3.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211737917.0A CN116127455B (en) | 2022-12-31 | 2022-12-31 | Virus defense method and device and cloud browser |
Publications (2)
Publication Number | Publication Date |
---|---|
CN116127455A CN116127455A (en) | 2023-05-16 |
CN116127455B true CN116127455B (en) | 2024-03-15 |
Family
ID=86304048
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211737917.0A Active CN116127455B (en) | 2022-12-31 | 2022-12-31 | Virus defense method and device and cloud browser |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116127455B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111277539A (en) * | 2018-11-16 | 2020-06-12 | 慧盾信息安全科技(苏州)股份有限公司 | Server Lesox virus protection system and method |
CN111460472A (en) * | 2020-03-20 | 2020-07-28 | 西北大学 | Encryption algorithm identification method based on deep learning graph network |
CN111726774A (en) * | 2020-06-28 | 2020-09-29 | 北京百度网讯科技有限公司 | Method, device, equipment and storage medium for defending attack |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||