CN116361786A - Detection defense method, system, medium and electronic equipment of decompression bomb


Info

Publication number: CN116361786A
Authority: CN (China)
Prior art keywords: file, compressed file, detection, decompression, bomb
Legal status: Granted
Application number: CN202310633354.9A
Other languages: Chinese (zh)
Other versions: CN116361786B (en)
Inventors: 伍京华, 周广娟, 曹瑞阳, 张亚, 孙怡, 刘营
Current Assignee: China University of Mining and Technology Beijing CUMTB
Original Assignee: China University of Mining and Technology Beijing CUMTB
Events: application filed by China University of Mining and Technology Beijing CUMTB; priority to CN202310633354.9A; publication of CN116361786A; application granted; publication of CN116361786B; legal status active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The application provides a detection defense method, a detection defense system, a computer-readable storage medium and an electronic device for decompression bombs. In the method, hash detection is first performed on a compressed file against a decompression bomb database, using the hash value of the compressed file received from the front end, to determine whether the compressed file is a decompression bomb; when the compressed file passes hash detection, the upload of the compressed file is accepted and its compression ratio is checked against a preset compression ratio threshold to determine whether it is a file to be observed; when the compressed file is a file to be observed, it is decompressed in an isolation sandbox and decompression detection is performed on the decompressed content to determine whether the compressed file is a decompression bomb; and while decompression detection of the compressed file runs in the isolation sandbox, anomaly detection is performed on the sandbox's CPU and memory against a preset CPU threshold and a preset memory threshold of the sandbox, again determining whether the compressed file is a decompression bomb.

Description

Detection defense method, system, medium and electronic equipment of decompression bomb
Technical Field
The present application relates to the field of security technologies, and in particular, to a detection defense method and system for a decompression bomb, a computer readable storage medium, and an electronic device.
Background
A decompression bomb is a carefully constructed compressed package. The bomb file contains a large amount of deliberately repeated data that is discarded almost entirely when compressed, so the package itself is small; after decompression, however, the file becomes enormous, even reaching the PB level, consuming large amounts of memory and CPU resources and bringing the server down.
A decompression bomb can also carry viruses, evading scanning and removal by the common antivirus software on a cloud server and automatically stealing user information during decompression; it may also carry a script, such as a formatting script, that runs when decompression completes and formats the hard disk. In addition, some real business scenarios involve uploading compressed files that are then decompressed automatically, so effective detection and defense against decompression bombs is required to ensure the security of the server and its information.
Thus, there is a need to provide a solution to the above-mentioned deficiencies of the prior art.
Disclosure of Invention
It is an object of the present application to provide a detection defense method, system, computer-readable storage medium and electronic device for a decompression bomb, which solve or alleviate the above-mentioned problems in the prior art.
In order to achieve the above object, the present application provides the following technical solutions:
The application provides a detection defense method for a decompression bomb, comprising the following steps. Step S1, hash detection: based on a pre-constructed decompression bomb database, hash detection is performed on the compressed file using the hash value of the compressed file received from the front end, and it is determined whether the compressed file is a decompression bomb. Step S2, compression ratio detection: in response to the compressed file passing hash detection, the upload of the compressed file is received, its compression ratio is obtained and checked against a preset compression ratio threshold, and it is determined whether the compressed file is a file to be observed. Step S3, decompression detection: in response to the compressed file being a file to be observed, the compressed file is decompressed in an isolation sandbox and decompression detection is performed on the decompressed content to determine whether the compressed file is a decompression bomb; the decompression detection comprises file number detection, file content value detection and file data repetition detection. Step S4, anomaly detection: in response to decompression detection of the compressed file in the isolation sandbox, anomaly detection is performed on the CPU and memory of the isolation sandbox during the decompression detection according to a preset CPU threshold and a preset memory threshold of the isolation sandbox, and it is determined whether the compressed file is a decompression bomb; the anomaly detection comprises CPU anomaly detection and memory anomaly detection of the isolation sandbox.
Preferably, step S1 includes: querying, according to the hash value of the compressed file received from the front end, whether the compressed file exists in the decompression bomb database, and determining from the query result whether the compressed file is a decompression bomb.
Preferably, step S2 includes: in response to the compressed file not being present in the decompression bomb database, receiving the uploaded compressed file and calculating its compression ratio; comparing the compression ratio of the compressed file with the preset compression ratio threshold, and in response to the compression ratio being greater than or equal to the preset compression ratio threshold, treating the compressed file as a file to be observed.
Preferably, in step S3, in response to the compressed file being a file to be observed, file number detection, file content value detection and file data repetition rate detection are performed in sequence on the compressed file in the isolation sandbox, to determine whether the compressed file is a decompression bomb.
Preferably, step S3 includes: creating the isolation sandbox according to the size of the compressed file, a preset maximum file number threshold and a maximum decompressed content threshold; decompressing the compressed file in the isolation sandbox and comparing the number of decompressed files with the preset maximum file number threshold; in response to the number of decompressed files being greater than or equal to the preset maximum file number threshold, judging the compressed file to be a decompression bomb; in response to the number of decompressed files being smaller than the preset maximum file number threshold, traversing the decompressed content of the compressed file, obtaining decompressed content in a loop and accumulating the amount of decompressed content obtained on each pass to obtain the accumulated value of the traversal; in response to the accumulated value of the traversal being greater than or equal to the maximum decompressed content threshold, judging the compressed file to be a decompression bomb; and in response to the accumulated value of the traversal being smaller than the maximum decompressed content threshold, reading the file data in the compressed file, and if the number of files with the same name in the file data is greater than or equal to a preset data repetition threshold, judging the compressed file to be a decompression bomb.
The embodiment of the application also provides a detection defense system for a decompression bomb, comprising: a hash detection unit configured to perform hash detection on the compressed file, based on a pre-constructed decompression bomb database and the hash value of the compressed file received from the front end, and determine whether the compressed file is a decompression bomb; a compression ratio detection unit configured to receive the upload of the compressed file in response to it passing hash detection, obtain its compression ratio, check the compression ratio against a preset compression ratio threshold and determine whether the compressed file is a file to be observed; a decompression detection unit configured to decompress the compressed file in the isolation sandbox in response to it being a file to be observed, perform decompression detection on the decompressed content and determine whether the compressed file is a decompression bomb, the decompression detection comprising file number detection, file content value detection and file data repetition detection; and an anomaly detection unit configured to perform, in response to decompression detection of the compressed file in the isolation sandbox, anomaly detection on the CPU and memory of the isolation sandbox during the decompression detection according to a preset CPU threshold and a preset memory threshold of the isolation sandbox, so as to determine whether the compressed file is a decompression bomb, the anomaly detection comprising CPU anomaly detection and memory anomaly detection of the isolation sandbox.
The embodiment of the application also provides a computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed, implements the detection defense method for a decompression bomb described above.
The embodiment of the application also provides an electronic device comprising a memory, a processor and a program stored in the memory and runnable on the processor, wherein the processor, when executing the program, implements the detection defense method for a decompression bomb according to any one of the above.
The technical effects are as follows:
In the decompression bomb detection defense technology provided by the embodiment of the application, hash detection is first performed on a compressed file against a pre-constructed decompression bomb database, using the hash value of the compressed file received from the front end, to determine whether the compressed file is a decompression bomb; then, when the compressed file passes hash detection, its upload is received, its compression ratio is obtained and checked against a preset compression ratio threshold, and it is determined whether the compressed file is a file to be observed; then, when the compressed file is a file to be observed, it is decompressed in the isolation sandbox and decompression detection is performed on the decompressed content to determine whether the compressed file is a decompression bomb; and while the compressed file undergoes decompression detection in the isolation sandbox, anomaly detection is performed on the sandbox's CPU and memory according to the preset CPU threshold and preset memory threshold of the isolation sandbox, and it is determined whether the compressed file is a decompression bomb.
Therefore, hash detection and compression ratio detection keep detection of compressed files efficient, reduce unnecessary follow-up work in later stages and reduce server load, while still subjecting every compressed file to a security check without missed or false detections; decompression detection and anomaly detection run concurrently, providing further defense and deep monitoring of the compressed file, so that decompression bombs are defended against systematically, consistently and safely, and the denial-of-service, virus-carrying and self-starting data-theft problems posed by decompression bombs are effectively and comprehensively addressed.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. Wherein:
FIG. 1 is a flow diagram of a method of detection defense of a decompression bomb according to some embodiments of the present application;
FIG. 2 is a logical schematic diagram of a detection defense method of a decompression bomb provided according to some embodiments of the present application;
FIG. 3 is a logic diagram of decompression detection provided according to some embodiments of the present application;
FIG. 4 is a schematic diagram of an architecture of a detection defense system of a decompression bomb provided according to some embodiments of the present application;
FIG. 5 is a schematic diagram of a detection defense system of a decompression bomb provided according to some embodiments of the present application;
FIG. 6 is a schematic structural diagram of an electronic device provided according to some embodiments of the present application;
FIG. 7 is a hardware schematic of an electronic device provided according to some embodiments of the present application.
Detailed Description
The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments. Various examples are provided by way of explanation of the present application and not limitation of the present application. Indeed, it will be apparent to those skilled in the art that modifications and variations can be made in the present application without departing from the scope or spirit of the application. For example, features illustrated or described as part of one embodiment can be used on another embodiment to yield still a further embodiment. Accordingly, it is intended that the present application include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.
To detect and defend against decompression bombs so as to ensure the security of a server and its information, the applicant proposes a decompression bomb detection defense technology in which the detection part comprises hash detection and compression ratio detection, and the defense part comprises decompression detection and anomaly detection, with the anomaly detection running concurrently with decompression detection. Hash detection and compression ratio detection keep detection of compressed files efficient, reduce unnecessary follow-up work in later stages and reduce server load, while still subjecting every compressed file to a security check without omissions or false detections; decompression detection and anomaly detection run concurrently, providing further defense and deep monitoring of the compressed file, so that decompression bombs are defended against systematically, consistently and safely, and the denial-of-service, virus-carrying and self-starting data-theft problems posed by decompression bombs are effectively and comprehensively addressed.
As shown in fig. 1 to 3, the detection defense method of the decompression bomb includes:
step S1, hash detection: based on a pre-constructed decompression bomb database, carrying out hash detection on the compressed file according to the received hash value of the compressed file acquired from the front end, and determining whether the compressed file is a decompression bomb.
First, a decompression bomb database is built in MySQL from collected public data (for example, 42.zip); then, according to the hash value of the compressed file received from the front end, the database is queried to determine whether the compressed file exists in it, and the query result decides whether the compressed file is a decompression bomb.
Specifically, before the compressed file is uploaded to the server, its hash value is obtained through the front end and looked up in the decompression bomb database to determine whether the compressed file is marked there. If the compressed file is not marked in the decompression bomb database, it is judged to be a normal file; if it is marked, it is determined to be a decompression bomb.
Step S2, compression ratio detection: and receiving the uploading of the compressed file in response to the compressed file passing the hash detection, acquiring the compression ratio of the compressed file, detecting the compression ratio of the compressed file according to a preset compression ratio threshold, and determining whether the compressed file is a file to be observed.
Specifically, in response to the compressed file being absent from the decompression bomb database, i.e. when the compressed file is not marked there, the compressed file uploaded through the front end is received and its compression ratio is calculated. The size before compression and the size after compression are obtained with a Linux command, and the ratio of the size before compression to the size after compression is the compression ratio of the compressed file; the larger the compression ratio, the less safe the compressed file is considered to be.
Then the compression ratio of the compressed file is compared with the preset compression ratio threshold. If the compression ratio is smaller than the threshold, the compressed file is regarded as a normal file; if it is greater than or equal to the threshold, the compressed file is regarded as abnormal, marked as a file to be observed, and queued to enter the isolation sandbox for detection.
In general, a compression ratio above 20 is judged to indicate a decompression bomb, but some documents that have been specially packed and compressed to the extreme can also have a large compression ratio. During decompression, the size of the decompressed file varies with the compression rate, and such specially packed files can easily hide from cloud scanning and removal yet should not be treated as decompression bombs. Therefore compression ratio detection alone cannot decide whether a compressed file is a decompression bomb; in this method a compressed file flagged by compression ratio detection is only marked as a file to be observed, and the next stage of decompression bomb detection is then applied to it, which further improves detection precision.
Step S3, decompression detection: and responding to the compressed file as the file to be observed, decompressing the compressed file in the isolation sandbox, decompressing and detecting the decompressed file, and determining whether the compressed file is a decompressed bomb.
In this application, the isolation sandbox serves as a virtual directory: decompression detection of the file to be observed is carried out under that virtual directory, and the number of files, the file content value and the repetition of file data are checked during decompression. When the compressed file is a file to be observed, the number of files, the file content value and the file data repetition are checked in turn in the isolation sandbox to judge whether the compressed file is a decompression bomb. Specifically, the isolation sandbox is created according to the size of the compressed file, a preset maximum file number threshold and a maximum decompressed content threshold.
The maximum decompressed content threshold is determined by a formula (reproduced on this page only as an image) whose terms include the preset maximum file number threshold and the maximum decompression rate of the compressed file.
In the isolation sandbox, the number of files in the compressed file is checked first: the number of decompressed files is compared with the preset maximum file number threshold, and when it is greater than or equal to the threshold, the compressed file is judged to be a decompression bomb.
When the number of decompressed files is smaller than the preset maximum file number threshold, the file content value of the compressed file is checked: the decompressed content is traversed, decompressed content is obtained in a loop, and the amount obtained on each pass is accumulated to give the accumulated value of the traversal. That is, the number of files in the decompressed content obtained in each loop is added up, giving the accumulated value as of the latest loop.
Whether the compressed file is a decompression bomb is then judged from the accumulated value of the traversal and the preset maximum decompressed content threshold. When the accumulated value is greater than or equal to the maximum decompressed content threshold, the compressed file is judged to be a decompression bomb; if it is smaller, the compressed file is judged to be a normal file. On every pass over the decompressed content, the accumulated value is compared with the maximum decompressed content threshold; if it has been exceeded, the traversal stops and the compressed file is determined to be a decompression bomb.
If both file number detection and file content value detection are passed, the file data repetition of the compressed file is checked after the content value detection to judge whether the compressed file is a decompression bomb. When the accumulated value of the traversal is smaller than the maximum decompressed content threshold, the file data in the compressed file is read, and the judgment is made from the number of files with the same name in that data. For example, Python's os module can be imported and os.path.exists() used to check whether a file name or file path is repeated within the compressed file; if the number of files with the same name in the file data is greater than or equal to a preset data repetition threshold, the compressed file is judged to be a decompression bomb.
In this application, the compressed file is checked in order by file count, file content value and file data repetition, which avoids the limits that software and hardware capacity place on deep decompression, so that multi-level compressed files can be detected accurately and detection precision for deeply nested decompression bombs is improved.
Step S4, abnormality detection: in response to decompression detection of the compressed file in the isolation sandbox, according to a preset CPU threshold value and a preset memory threshold value of the isolation sandbox, abnormality detection is performed on the CPU and the memory of the isolation sandbox during the decompression detection of the compressed file, and whether the compressed file is a decompression bomb is determined.
Specifically, while decompression detection is performed, the CPU and memory usage of the isolation sandbox are subjected to CPU anomaly detection and memory anomaly detection respectively. The CPU and memory usage of the isolation sandbox are monitored in real time, and when the CPU usage reaches the corresponding preset CPU threshold or the memory usage reaches the corresponding preset memory threshold, the system is judged to be anomalous. When the isolation sandbox captures a CPU and/or memory anomaly, decompression of the compressed file is stopped and the compressed file is judged to be a decompression bomb.
In the method, hash detection is performed on a compressed file against a pre-constructed decompression bomb database, using the hash value received from the front end, to determine whether the compressed file is a decompression bomb and so reduce unnecessary follow-up work and server load in later stages; when the compressed file is not marked as a decompression bomb in the database, it passes hash detection and its upload is received, compression ratio detection is performed using its compression ratio and the preset compression ratio threshold, and the result decides whether the compressed file is normal; if it is abnormal, it is marked as a file to be observed and, in the isolation sandbox, decompression detection is performed step by step on the number of files, the file content value and the file data repetition; and during decompression detection, CPU anomaly detection and memory anomaly detection are performed on the sandbox's CPU and memory according to the preset CPU threshold and memory threshold of the isolation sandbox. When any one of hash detection, decompression detection and anomaly detection is failed, the compressed file is judged to be a decompression bomb and its hash is added to the decompression bomb database; if the compressed file proves to be a normal file during detection, it is added to the whitelist database.
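As an added example (not the patent's own code), the S1 to S4 pipeline just described in Python: a hash lookup, a compression ratio taken from the archive's central directory, a sandboxed traversal that counts files, accumulates the bytes actually inflated and then checks for repeated names, with a CPU budget checked on every chunk. It assumes ZIP input, SHA-256 hashes, an in-memory set in place of the MySQL database, constructed threshold values, and a process-time budget standing in for the sandbox's CPU monitor (memory limits are left to the sandbox that runs it).

```python
"""Staged decompression-bomb screening in the patent's S1-S4 order."""
import hashlib
import io
import os
import time
import zipfile
from dataclasses import dataclass
from typing import Optional


@dataclass
class Thresholds:
    """Constructed example values; the patent itself only puts the ratio near 20."""
    ratio: float = 20.0                  # S2: at/above this -> file to be observed
    max_files: int = 1000                # S3a: maximum file number threshold
    max_content: int = 50 * 1024 * 1024  # S3b: maximum decompressed content (bytes)
    dup_names: int = 2                   # S3c: data repetition threshold
    cpu_seconds: float = 5.0             # S4: CPU budget for the sandboxed pass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def s1_hash_check(file_hash: str, bomb_db: set) -> bool:
    """S1: only the hash crosses from the front end, so a known bomb is
    rejected before any archive bytes are uploaded."""
    return file_hash in bomb_db


def s2_compression_ratio(data: bytes) -> float:
    """S2: declared uncompressed size / compressed size, from the central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        files = [i for i in zf.infolist() if not i.is_dir()]
    packed = sum(i.compress_size for i in files)
    raw = sum(i.file_size for i in files)
    return raw / packed if packed else float("inf")


def s3_s4_sandbox_check(data: bytes, t: Thresholds) -> str:
    """S3 and S4 in the patent's sequence: file count, then cumulative content,
    then repeated names, with the CPU budget checked on every inflated chunk.
    Returns 'clean' or 'bomb:<reason>'."""
    start = time.process_time()
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        files = [i for i in zf.infolist() if not i.is_dir()]
        if len(files) >= t.max_files:            # S3a: count before inflating
            return "bomb:file_count"
        # S3b: accumulate bytes actually inflated, not the header's file_size,
        # so a forged central directory cannot talk its way past the check
        for info in files:
            with zf.open(info) as fh:
                while chunk := fh.read(64 * 1024):
                    total += len(chunk)
                    if total >= t.max_content:
                        return "bomb:content"        # stop the traversal at once
                    if time.process_time() - start >= t.cpu_seconds:
                        return "bomb:cpu"            # S4: sandbox CPU budget hit
        # S3c: the same file name recurring (basename, in the spirit of the
        # os.path.exists() collision check the patent mentions)
        seen = {}
        for info in files:
            name = os.path.basename(info.filename)
            seen[name] = seen.get(name, 0) + 1
            if seen[name] >= t.dup_names:
                return "bomb:duplicate_names"
    return "clean"


def screen_upload(data: bytes, bomb_db: set, t: Optional[Thresholds] = None) -> str:
    """Full pipeline. A bomb verdict feeds the hash back into bomb_db, as the
    patent describes, so the same archive is stopped at S1 next time."""
    t = t or Thresholds()
    h = sha256_hex(data)
    if s1_hash_check(h, bomb_db):
        return "bomb:hash_db"
    if s2_compression_ratio(data) < t.ratio:
        return "clean"                               # never enters the sandbox
    verdict = s3_s4_sandbox_check(data, t)
    if verdict != "clean":
        bomb_db.add(h)
    return verdict


def make_zip(entries) -> bytes:
    """Builds a constructed sample archive from (name, payload) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples (not real bombs): random bytes barely compress, while
# 8 MiB of zeros deflates to a few KiB (ratio around 1000); the third archive
# repeats one file name under two directories.
BENIGN_ZIP = make_zip([("notes.txt", os.urandom(4096))])
BOMBISH_ZIP = make_zip([("zeros.bin", b"\0" * (8 * 1024 * 1024))])
DUP_NAMES_ZIP = make_zip([("a/x.txt", b"y" * 50_000), ("b/x.txt", b"y" * 50_000)])
```

With a small `max_content`, `screen_upload(BOMBISH_ZIP, db, Thresholds(max_content=1_000_000))` returns `bomb:content` and a second call on the same bytes stops at S1 with `bomb:hash_db`.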
As shown in fig. 4 and 5, a detection defense system of a decompression bomb provided in an embodiment of the present application includes: hash detection unit 501, compression ratio detection unit 502, decompression detection unit 503, and abnormality detection unit 504.
The hash detection unit 501 is configured to perform hash detection on the compressed file based on a pre-built decompression bomb database according to the received hash value of the compressed file acquired by the front end, and determine whether the compressed file is a decompression bomb.
The compression ratio detection unit 502 is configured to receive the compressed file upload in response to the compressed file passing the hash detection, obtain the compression ratio of the compressed file, perform the compression ratio detection on the compressed file according to a preset compression ratio threshold, and determine whether the compressed file is a file to be observed.
The decompression detection unit 503 is configured to, in response to the compressed file being the file to be observed, decompress the compressed file in the isolation sandbox and perform decompression detection on the decompressed files to determine whether the compressed file is a decompression bomb; the decompression detection includes file number detection, file content amount detection and file data repetition detection.
The anomaly detection unit 504 is configured to, in response to decompression detection of the compressed file in the isolation sandbox, perform anomaly detection on the CPU and the memory of the isolation sandbox during the decompression detection of the compressed file according to a preset CPU threshold and a preset memory threshold of the isolation sandbox, so as to determine whether the compressed file is a decompression bomb; the anomaly detection includes CPU anomaly detection and memory anomaly detection of the isolation sandbox.
The detection defense system of the decompression bomb provided by the embodiment of the application can realize the steps and the flow of any detection defense method of the decompression bomb, and achieve the same technical effects, and the detection defense system is not described in detail herein.
Fig. 6 is a schematic structural diagram of an electronic device provided according to some embodiments of the present application; as shown in fig. 6, the electronic device includes:
one or more processors 601;
a computer readable medium configured to store one or more programs 602, such that when the one or more processors 601 execute the one or more programs 602 the following steps are implemented: based on a pre-constructed decompression bomb database, performing hash detection on the compressed file according to the received hash value of the compressed file acquired from the front end, and determining whether the compressed file is a decompression bomb; in response to the compressed file passing hash detection, receiving the upload of the compressed file, acquiring the compression ratio of the compressed file, performing compression ratio detection on the compressed file according to a preset compression ratio threshold, and determining whether the compressed file is a file to be observed; in response to the compressed file being the file to be observed, decompressing the compressed file in the isolation sandbox, performing decompression detection on the decompressed files, and determining whether the compressed file is a decompression bomb, the decompression detection comprising file number detection, file content amount detection and file data repetition detection; and in response to decompression detection of the compressed file in the isolation sandbox, performing anomaly detection on the CPU and the memory of the isolation sandbox during the decompression detection of the compressed file according to a preset CPU threshold and a preset memory threshold of the isolation sandbox, and determining whether the compressed file is a decompression bomb, the anomaly detection comprising CPU anomaly detection and memory anomaly detection of the isolation sandbox.
FIG. 7 is a hardware architecture of an electronic device provided in accordance with some embodiments of the present application; as shown in fig. 7, the hardware structure of the electronic device may include: a processor 701, a communication interface 702, a computer readable medium 703 and a communication bus 704.
The processor 701, the communication interface 702 and the computer readable medium 703 communicate with each other via the communication bus 704.
Alternatively, the communication interface 702 may be an interface of a communication module, such as an interface of a GSM module.
The processor 701 may be specifically configured to: based on a pre-constructed decompression bomb database, perform hash detection on the compressed file according to the received hash value of the compressed file acquired from the front end, and determine whether the compressed file is a decompression bomb; in response to the compressed file passing hash detection, receive the upload of the compressed file, acquire the compression ratio of the compressed file, perform compression ratio detection on the compressed file according to a preset compression ratio threshold, and determine whether the compressed file is a file to be observed; in response to the compressed file being the file to be observed, decompress the compressed file in the isolation sandbox, perform decompression detection on the decompressed files, and determine whether the compressed file is a decompression bomb, the decompression detection comprising file number detection, file content amount detection and file data repetition detection; and in response to decompression detection of the compressed file in the isolation sandbox, perform anomaly detection on the CPU and the memory of the isolation sandbox during the decompression detection of the compressed file according to a preset CPU threshold and a preset memory threshold of the isolation sandbox, and determine whether the compressed file is a decompression bomb, the anomaly detection comprising CPU anomaly detection and memory anomaly detection of the isolation sandbox.
The processor 701 may be a general purpose processor, including a central processing unit (CPU), a network processor (NP), etc., or may be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components, and may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The electronic device of the embodiments of the present application exist in a variety of forms including, but not limited to:
(1) A mobile communication device: such devices are characterized by mobile communication capabilities and are primarily aimed at providing voice, data communications. Such terminals include: smart phones (e.g., iPhone), multimedia phones, functional phones, and low-end phones, etc.
(2) Ultra mobile personal computer device: such devices are in the category of personal computers, having computing and processing functions, and generally also having mobile internet access characteristics. Such terminals include: PDA, MID, and UMPC devices, etc., such as iPad.
(3) Portable entertainment device: such devices may display and play multimedia content. The device comprises: audio, video players (e.g., iPod), palm game consoles, electronic books, and smart toys and portable car navigation devices.
(4) A server: the configuration of the server includes a processor, a hard disk, a memory, a system bus and the like; it is similar to a general computer architecture, but because it must provide highly reliable services it has high requirements in terms of processing capacity, stability, reliability, security, scalability, manageability and the like.
(5) Other electronic devices with data interaction function.
It should be noted that, according to implementation requirements, each component/step described in the embodiments of the present application may be split into more components/steps, and two or more components/steps or part of operations of the components/steps may be combined into new components/steps, so as to achieve the purposes of the embodiments of the present application.
The above-described methods according to the embodiments of the present application may be implemented in hardware or firmware, or as software or computer code that is stored in a recording medium such as a CD ROM, RAM, floppy disk, hard disk or magneto-optical disk, or that is originally stored in a remote recording medium or a non-transitory machine storage medium and downloaded over a network into a local recording medium, so that the methods described herein can be executed from such software on a recording medium by a general purpose computer, a special purpose processor, or programmable or dedicated hardware such as an ASIC or FPGA. It is understood that a computer, processor, microprocessor controller or programmable hardware includes a memory component (e.g., RAM, ROM, flash memory, etc.) that can store or receive software or computer code which, when accessed and executed by the computer, processor or hardware, implements the detection defense method of the decompression bomb described herein. Furthermore, when a general purpose computer accesses code for implementing the methods illustrated herein, execution of the code converts the general purpose computer into a special purpose computer for performing these methods.
Those of ordinary skill in the art will appreciate that the elements and method steps of the examples described in connection with the embodiments disclosed herein can be implemented as electronic hardware, or as a combination of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the embodiments of the present application.
It should be noted that, in the present specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment is mainly described in a different point from other embodiments. In particular, for the apparatus and system embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, with reference to the description of the method embodiments in part.
The above-described apparatus and system embodiments are merely illustrative: units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement the present application without undue effort.
The foregoing description is only of the preferred embodiments of the present application and is not intended to limit the same, but rather, various modifications and variations may be made by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application should be included in the protection scope of the present application.

Claims (8)

1. A method of detecting and defending a decompression bomb, comprising:
step S1, hash detection: based on a pre-constructed decompression bomb database, carrying out hash detection on the compressed file according to the received hash value of the compressed file acquired from the front end, and determining whether the compressed file is a decompression bomb;
step S2, compression ratio detection: receiving the compressed file to upload in response to the compressed file passing the hash detection, acquiring the compression ratio of the compressed file, detecting the compression ratio of the compressed file according to a preset compression ratio threshold, and determining whether the compressed file is a file to be observed;
step S3, decompression detection: in response to the compressed file being the file to be observed, decompressing the compressed file in an isolation sandbox, performing decompression detection on the decompressed files, and determining whether the compressed file is a decompression bomb; the decompression detection comprises file number detection, file content amount detection and file data repetition detection;
step S4, anomaly detection: in response to decompression detection of the compressed file in the isolation sandbox, performing anomaly detection on the CPU and the memory of the isolation sandbox during the decompression detection of the compressed file according to a preset CPU threshold and a preset memory threshold of the isolation sandbox, and determining whether the compressed file is a decompression bomb; wherein the anomaly detection comprises CPU anomaly detection and memory anomaly detection of the isolation sandbox.
2. The method of claim 1, wherein step S1 comprises:
and inquiring whether the compressed file exists in the decompression bomb database according to the received hash value of the compressed file acquired by the front end, and determining whether the compressed file is the decompression bomb according to an inquiry result.
3. The method of claim 1, wherein step S2 comprises:
receiving the uploaded compressed file and calculating the compression ratio of the compressed file in response to the compressed file not being present in the decompression bomb database;
comparing the compression ratio of the compressed file with the preset compression ratio threshold, and responding to the compression ratio of the compressed file being greater than or equal to the preset compression ratio threshold, wherein the compressed file is the file to be observed.
4. The method of claim 1, wherein in step S3,
and responding to the compressed file as the file to be observed, and sequentially detecting the number of the files, the content value of the files and the repeatability of the file data in the isolation sandbox to determine whether the compressed file is a decompression bomb.
5. The method of claim 4, wherein step S3 comprises:
creating the isolation sandbox according to the size of the compressed file, a preset maximum file number threshold and a maximum decompressed content threshold;
decompressing the compressed file in the isolation sandbox, and comparing the number of decompressed files of the compressed file with the preset maximum file number threshold;
in response to the number of decompressed files of the compressed file being greater than or equal to the preset maximum file number threshold, the compressed file is a decompression bomb;
in response to the number of decompressed files of the compressed file being smaller than the preset maximum file number threshold, performing a traversal operation on the decompressed content of the compressed file, obtaining the decompressed content in a loop, and accumulating the amount of decompressed content obtained in each iteration to obtain an accumulated value of the traversal operation;
in response to the accumulated value of the traversal operation being greater than or equal to the maximum decompressed content threshold, the compressed file is a decompression bomb;
and in response to the accumulated value of the traversal operation being smaller than the maximum decompressed content threshold, reading the file data in the compressed file, and if the number of files with the same name in the file data is greater than or equal to a preset data repetition threshold, the compressed file is a decompression bomb.
6. A detection defense system for a decompression bomb, comprising:
the hash detection unit is configured to perform hash detection on the compressed file according to the received hash value of the compressed file acquired by the front end based on a pre-constructed decompression bomb database, and determine whether the compressed file is a decompression bomb;
the compression ratio detection unit is configured to respond to the compressed file passing the hash detection, receive the compressed file for uploading, acquire the compression ratio of the compressed file, detect the compression ratio of the compressed file according to a preset compression ratio threshold value and determine whether the compressed file is a file to be observed;
the decompression detection unit is configured to, in response to the compressed file being the file to be observed, decompress the compressed file in the isolation sandbox, perform decompression detection on the decompressed files, and determine whether the compressed file is a decompression bomb; the decompression detection comprises file number detection, file content amount detection and file data repetition detection;
the anomaly detection unit is configured to, in response to decompression detection of the compressed file in the isolation sandbox, perform anomaly detection on the CPU and the memory of the isolation sandbox during the decompression detection of the compressed file according to a preset CPU threshold and a preset memory threshold of the isolation sandbox, so as to determine whether the compressed file is a decompression bomb; the anomaly detection comprises CPU anomaly detection and memory anomaly detection of the isolation sandbox.
7. A computer readable storage medium having stored thereon a computer program, wherein the computer program, when executed, implements the detection defense method of a decompression bomb according to any one of claims 1-5.
8. An electronic device, comprising: a memory, a processor, and a program stored in the memory and executable on the processor, the processor implementing the detection defense method of the decompression bomb according to any one of claims 1-5 when the program is executed.
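The pipeline of claims 1 to 5 (and of the method summary above), as an added example that is not part of the patent or of its authors' implementation. It is written for ZIP archives with Python's standard library; every threshold, function name and sample archive is a hypothetical choice for illustration, since the patent only says the thresholds are preset and names no archive format. Two practitioner points it makes concrete: the compression ratio of step S2 is computed from the sizes the central directory declares, which an attacker controls, so it only selects files for observation and never clears them; and step S3 counts decompressed bytes while streaming and stops at the threshold, so the observed archive is never inflated in full. It does not recurse into nested archives, and its CPU/memory watch (step S4) is a soft measurement on the current process rather than the hard isolation the patent's sandbox provides.

```python
import hashlib
import io
import sys
import time
import warnings
import zipfile
from collections import Counter

try:
    import resource  # POSIX only; used for the CPU/memory anomaly check (step S4)
except ImportError:  # no resource module on Windows: fall back to CPU time only
    resource = None

# Preset thresholds. The patent only says they are "preset"; these values are hypothetical.
RATIO_THRESHOLD = 50.0                      # S2: declared uncompressed bytes / archive bytes
MAX_FILE_COUNT = 500                        # S3: maximum number of entries
MAX_DECOMPRESSED_BYTES = 8 * 1024 * 1024    # S3: maximum accumulated decompressed content
MAX_DUPLICATE_NAMES = 10                    # S3: entries sharing one file name
MAX_CPU_SECONDS = 5.0                       # S4: CPU threshold of the sandbox
MAX_RSS_GROWTH_BYTES = 256 * 1024 * 1024    # S4: memory threshold of the sandbox
CHUNK = 64 * 1024


class BombDatabase:
    """Stands in for the pre-constructed decompression bomb database and the
    whitelist database; a real deployment would use a persistent store."""

    def __init__(self):
        self.bombs = set()
        self.whitelist = set()

    @staticmethod
    def digest(data: bytes) -> str:
        # In the patent the front end computes this hash and sends it before uploading.
        return hashlib.sha256(data).hexdigest()


def hash_detect(db: BombDatabase, digest: str) -> bool:
    """Step S1: query the bomb database; True means the file is a known bomb."""
    return digest in db.bombs


def compression_ratio(data: bytes) -> float:
    """Step S2: total uncompressed size the central directory declares, divided by
    the archive size. Needs no inflation, but declared sizes are attacker-controlled,
    so a high ratio selects a file for observation and a low one proves nothing."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        declared = sum(info.file_size for info in zf.infolist())
    return declared / len(data) if data else 0.0


def decompression_detect(data: bytes) -> str:
    """Step S3 in the order of claim 5: file count, then accumulated decompressed
    bytes, then repeated file names. Bytes are counted while streaming, so a bomb
    is stopped at the threshold. Returns 'normal' or 'bomb:<reason>'."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) >= MAX_FILE_COUNT:
            return "bomb:file_count"
        total = 0
        for info in infos:
            with zf.open(info) as fh:
                for chunk in iter(lambda: fh.read(CHUNK), b""):
                    total += len(chunk)
                    if total >= MAX_DECOMPRESSED_BYTES:
                        return "bomb:content_size"
        names = Counter(info.filename for info in infos)
        if names and max(names.values()) >= MAX_DUPLICATE_NAMES:
            return "bomb:duplicate_names"
    return "normal"


def _usage():
    """(CPU seconds, peak RSS in bytes) of this process."""
    if resource is None:
        return time.process_time(), 0
    ru = resource.getrusage(resource.RUSAGE_SELF)
    scale = 1 if sys.platform == "darwin" else 1024  # ru_maxrss: bytes on macOS, KiB on Linux
    return ru.ru_utime + ru.ru_stime, ru.ru_maxrss * scale


def observe_in_sandbox(data: bytes) -> str:
    """Steps S3 and S4: run the decompression checks while watching CPU time and
    peak-RSS growth. The patent does this inside an isolation sandbox with hard
    limits; this soft watch on the current process only illustrates the check."""
    cpu0, rss0 = _usage()
    verdict = decompression_detect(data)
    cpu1, rss1 = _usage()
    if verdict != "normal":
        return verdict
    if cpu1 - cpu0 >= MAX_CPU_SECONDS:
        return "bomb:cpu"
    if rss1 - rss0 >= MAX_RSS_GROWTH_BYTES:
        return "bomb:memory"
    return "normal"


def inspect_upload(db: BombDatabase, data: bytes) -> str:
    """Whole pipeline: 'known_bomb', 'bomb:<reason>' or 'normal', updating the
    bomb database and whitelist as the method describes."""
    digest = BombDatabase.digest(data)
    if hash_detect(db, digest):
        return "known_bomb"                 # S1: rejected before any decompression
    if digest in db.whitelist:
        return "normal"
    if compression_ratio(data) < RATIO_THRESHOLD:
        db.whitelist.add(digest)            # S2: not a file to be observed
        return "normal"
    verdict = observe_in_sandbox(data)      # S3 + S4 on a file to be observed
    (db.whitelist if verdict == "normal" else db.bombs).add(digest)
    return verdict


def make_zip(entries) -> bytes:
    """Constructed sample archive from (name, bytes) pairs; not real-world data."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")     # zipfile warns when a name repeats
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, payload in entries:
                zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a benign text archive, and 32 MiB of zeros that deflate to a
# few tens of KiB (a minimal single-layer decompression bomb).
SAMPLE_NORMAL = make_zip([("readme.txt", b"hello from a harmless archive\n")])
SAMPLE_BOMB = make_zip([("zeros.bin", b"\0" * (32 * 1024 * 1024))])

if __name__ == "__main__":
    db = BombDatabase()
    for label, sample in (("normal", SAMPLE_NORMAL), ("bomb", SAMPLE_BOMB), ("again", SAMPLE_BOMB)):
        print(f"{label:7s} ratio={compression_ratio(sample):8.1f} verdict={inspect_upload(db, sample)}")
```

Run as a script, it submits the benign archive (verdict `normal`, hash whitelisted), then the constructed bomb (high ratio, observed, stopped at 8 MiB with `bomb:content_size`, hash recorded), then the same bomb again, which step S1 now rejects as `known_bomb` without touching the archive body.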
CN202310633354.9A 2023-05-31 2023-05-31 Detection defense method, system, medium and electronic equipment of decompression bomb Active CN116361786B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310633354.9A CN116361786B (en) 2023-05-31 2023-05-31 Detection defense method, system, medium and electronic equipment of decompression bomb

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310633354.9A CN116361786B (en) 2023-05-31 2023-05-31 Detection defense method, system, medium and electronic equipment of decompression bomb

Publications (2)

Publication Number Publication Date
CN116361786A true CN116361786A (en) 2023-06-30
CN116361786B CN116361786B (en) 2023-08-15

Family

ID=86923432

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310633354.9A Active CN116361786B (en) 2023-05-31 2023-05-31 Detection defense method, system, medium and electronic equipment of decompression bomb

Country Status (1)

Country Link
CN (1) CN116361786B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090210943A1 (en) * 2004-09-08 2009-08-20 Galit Alon Method to detect viruses hidden inside a password-protected archive of compressed files
US20170161158A1 (en) * 2015-12-07 2017-06-08 Sap Se Optimal hash calculation of archive files and their file entries
CN108229164A (en) * 2016-12-21 2018-06-29 武汉安天信息技术有限责任公司 Decompress the judgment method and device of bomb
CN112214462A (en) * 2020-10-22 2021-01-12 新华三信息安全技术有限公司 Multi-layer decompression method of compressed file, electronic equipment and storage medium
CN113868704A (en) * 2021-09-28 2021-12-31 奇安信科技集团股份有限公司 Signature verification method and system for file data content
CN116107973A (en) * 2022-12-15 2023-05-12 中国电信股份有限公司 Compressed file processing method and device and nonvolatile storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
ALEKSANDAR VELINOV等: "POSTER: Launching a ZIP Bomb on the DICOM-enabled Devices", PROCEEDINGS OF THE 2022 EUROPEAN INTERDISCIPLINARY CYBERSECURITY CONFERENCE, pages 102 - 103 *
程思远;米婷;吴宇亮;杜江斌;: "CUDA并行数据压缩技术研究", 电脑知识与技术, no. 05, pages 1035 - 1036 *

Also Published As

Publication number Publication date
CN116361786B (en) 2023-08-15

Similar Documents

Publication Publication Date Title
US11669872B2 (en) Smart broadcasting device
US9900355B2 (en) Method, terminal device, server and system for sharing information
CN107506648B (en) Method, device and system for searching application vulnerability
US9654486B2 (en) System and method for generating sets of antivirus records for detection of malware on user devices
EP2998902B1 (en) Method and apparatus for processing file
US11249987B2 (en) Data storage in blockchain-type ledger
US10681052B2 (en) Method and system for classifying network requests
CN110866248B (en) Lesovirus identification method and device, electronic equipment and storage medium
WO2021027252A1 (en) Data storage method and apparatus in block chain-type account book, and device
CN104239795B (en) The scan method and device of file
CN116361786B (en) Detection defense method, system, medium and electronic equipment of decompression bomb
KR101473658B1 (en) Apparatus and system for detecting malicious code using filter and method thereof
CN116899212A (en) Game weapon control method and device, electronic equipment and storage medium
CN114338102B (en) Security detection method, security detection device, electronic equipment and storage medium
CN108809909B (en) Data processing method and data processing device
US20160187231A1 (en) Performance testing method, performance testing apparatus performing the same and storage medium storing the same
CN111401197B (en) Picture risk identification method, device and equipment
CN114003907A (en) Malicious file detection method and device, computing equipment and storage medium
CN106487771B (en) Network behavior acquisition method and device
CN110008081B (en) Interactive data processing method and device
KR20220014852A (en) System and method for application verification
CN110888686B (en) Application program starting method, device and storage medium
CN111010400A (en) Portal authentication method and device
CN108829397B (en) System and method for downloading screening rules onto mobile device
CN117978509A (en) Compressed file detection defense method, device and processing equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant