CN116451218A - Abnormal program detection method and device, readable medium and electronic equipment - Google Patents


Info

Publication number
CN116451218A
Authority
CN
China
Prior art keywords
behavior
sample
program
sequence
abnormal
Prior art date
Legal status
Pending
Application number
CN202210010081.8A
Other languages
Chinese (zh)
Inventor
韩孟玲
罗梦霞
黎若愚
张融
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202210010081.8A
Publication of CN116451218A
Legal status: Pending (current)


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application discloses a method and device for detecting an abnormal program, a readable medium and electronic equipment. The method comprises the following steps: loading a program to be detected into a program execution simulation environment; acquiring dynamic behavior data generated when the program to be detected runs in the program execution simulation environment; determining at least one target operation behavior from the operation behaviors contained in the dynamic behavior data and generating a behavior feature sequence of the program to be detected according to the at least one target operation behavior; and determining the abnormal type of the program to be detected according to the behavior feature sequence. The technical solution provided by the embodiments of the application can effectively identify the various operation behaviors executed while the program runs, determine the abnormal type of the program from its actual operation behaviors, and improve the accuracy with which program abnormality is judged.

Description

Abnormal program detection method and device, readable medium and electronic equipment
Technical Field
The application belongs to the technical field of the Internet and computer technology, and particularly relates to a method and device for detecting abnormal programs, a readable medium and electronic equipment.
Background
With the development of the Internet and computer technology, network security incidents and malicious code attacks emerge one after another and cause serious harm, so abnormal programs need to be detected to ensure program security. At present, abnormal programs are usually detected by performing some statistical analysis on the specific code of the program and judging whether the program is abnormal by checking whether its code has problems; this kind of detection is generally fast and is called static analysis. However, static analysis can only analyze the code itself, and if the program code is adjusted, the detection mechanism can sometimes be bypassed so that the purpose of a malicious attack is still achieved. Static analysis therefore has a serious weakness and low discrimination accuracy for abnormal programs.
Disclosure of Invention
The invention aims to provide a method and device for detecting an abnormal program, a readable medium and electronic equipment, so as to solve the problem of low discrimination accuracy for abnormal programs in the related art.
Other features and advantages of the present application will be apparent from the following detailed description, or may be learned in part by the practice of the application.
According to an aspect of the embodiments of the present application, there is provided a method for detecting an abnormal program, including:
loading a program to be detected into a program execution simulation environment;
acquiring dynamic behavior data generated when the program to be detected runs in the program execution simulation environment, wherein the dynamic behavior data comprises a plurality of operation behaviors;
determining at least one target operation behavior from a plurality of operation behaviors of the dynamic behavior data, and generating a behavior feature sequence of the program to be detected according to the at least one target operation behavior;
and determining whether the program to be detected is abnormal or not according to the behavior characteristic sequence.
According to an aspect of an embodiment of the present application, there is provided a detection apparatus for an abnormal program, including:
the program loading module is used for loading the program to be detected into the program execution simulation environment;
the data acquisition module is used for acquiring dynamic behavior data generated when the program to be detected runs in the program execution simulation environment, wherein the dynamic behavior data comprises a plurality of operation behaviors;
the feature extraction module is used for determining at least one target operation behavior from a plurality of operation behaviors of the dynamic behavior data and generating a behavior feature sequence of the program to be detected according to the at least one target operation behavior;
and the abnormality type determining module is used for determining whether the program to be detected is abnormal or not according to the behavior characteristic sequence.
In one embodiment of the present application, the feature extraction module is specifically configured to:
matching each operation behavior contained in the dynamic behavior data in a preset operation behavior library to obtain at least one target operation behavior;
determining a behavior identifier of each target operation behavior in the at least one target operation behavior, and arranging the behavior identifiers according to the generation time of the corresponding target operation behaviors to generate a behavior feature sequence of the program to be detected.
In one embodiment of the present application, the anomaly type determination module is specifically configured to:
and matching in a preset abnormal program library according to the behavior characteristic sequence, and determining whether the program to be detected is abnormal.
In one embodiment of the present application, the apparatus further comprises:
the sample data acquisition module is used for acquiring sample behavior data generated by a plurality of sample programs with known abnormal types during running;
the sample feature extraction module is used for extracting at least one sample operation behavior executed by the sample program from the sample behavior data and generating a sample behavior feature sequence of the sample program;
the abnormal feature library construction module is used for establishing a mapping relation between the sample behavior feature sequence of the sample program and the abnormal type of the sample program to form a preset abnormal program library.
In one embodiment of the present application, the sample feature extraction module includes:
an importance determining unit for extracting at least one sample operation behavior executed by the sample program from the sample behavior data, and determining an importance of each sample operation behavior in the sample behavior data;
and the sample characteristic extraction unit is used for selecting sample operation behaviors with importance degrees larger than a preset threshold value to form a sample behavior characteristic sequence of the sample program.
In one embodiment of the present application, the importance determining unit is specifically configured to:
determining a first importance of each sample operation behavior according to the occurrence times of each sample operation behavior in the sample behavior data;
determining a second importance of each sample operation behavior according to the occurrence times of each sample operation behavior in a preset behavior database;
and determining the importance of each sample operation behavior in the sample behavior data according to the first importance and the second importance.
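The importance determining unit and the sample feature extraction unit described above, as an added example (not code from the patent): the first importance is the behavior's count in one sample's behavior data, the second importance is a log-inverse weight of how many programs in a preset behavior database exhibit the behavior, the two are multiplied (the patent gives no formula, so the TF-IDF style product is an assumption), and behaviors above the threshold are arranged by generation time. The database contents, sample data and threshold are constructed.

```python
"""Selecting sample operation behaviors by importance (sample feature extraction).

Added example, not code from the patent.  Assumptions: the first importance
is the behavior's count in one sample's behavior data, normalized by the
sample's total count; the second importance is a log-inverse weight of how
many programs in the preset behavior database exhibit the behavior; the two
are multiplied (a TF-IDF style score); the threshold and all data are
constructed.
"""
import math
from collections import Counter

# Constructed preset behavior database: number of programs (out of DB_SIZE)
# in which each behavior was observed.
PRESET_BEHAVIOR_DB = {
    "read_file": 95, "write_file": 80, "create_process": 60,
    "copy_file": 30, "load_module": 50, "rewrite_registry": 5,
}
DB_SIZE = 100

# Constructed sample behavior data of one sample program of known anomaly
# type: (generation time, operation behavior).
SAMPLE_BEHAVIORS = [
    (1, "read_file"), (2, "read_file"), (3, "create_process"),
    (4, "rewrite_registry"), (5, "write_file"), (6, "read_file"),
    (7, "rewrite_registry"),
]


def first_importance(sample_behaviors):
    """Occurrence count of each behavior within the sample's own data."""
    return Counter(behavior for _, behavior in sample_behaviors)


def second_importance(behavior):
    """Weight derived from occurrence in the preset database: the more
    programs exhibit a behavior, the less it says about this sample.
    Unseen behaviors count as occurring once (assumed smoothing)."""
    return math.log(DB_SIZE / (1 + PRESET_BEHAVIOR_DB.get(behavior, 0)))


def behavior_importance(sample_behaviors):
    """Combine first and second importance into one score per behavior."""
    counts = first_importance(sample_behaviors)
    total = sum(counts.values())
    return {b: (n / total) * second_importance(b) for b, n in counts.items()}


def sample_feature_sequence(sample_behaviors, threshold=0.05):
    """Keep behaviors whose importance exceeds the threshold and arrange them
    by generation time to form the sample behavior feature sequence."""
    scores = behavior_importance(sample_behaviors)
    kept = {b for b, s in scores.items() if s > threshold}
    ordered = sorted(sample_behaviors, key=lambda entry: entry[0])
    return [b for _, b in ordered if b in kept]


if __name__ == "__main__":
    ranked = sorted(behavior_importance(SAMPLE_BEHAVIORS).items(), key=lambda kv: -kv[1])
    for behavior, score in ranked:
        print(f"{behavior:18s} {score:.4f}")
    print(sample_feature_sequence(SAMPLE_BEHAVIORS))
```

With these constructed numbers the frequent but ubiquitous `read_file` is dropped despite occurring three times, while `rewrite_registry`, rare in the database, dominates the sequence; the threshold decides how many mid-ranked behaviors (here `create_process`) survive, so it should be tuned on labelled samples rather than fixed once.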
In one embodiment of the present application, the preset abnormal program library includes a plurality of sample behavior feature sequences; the anomaly type determination module includes:
the feature matching unit is used for matching the behavior feature sequence with each sample behavior feature sequence in a preset abnormal program library and determining whether the sample behavior feature sequence identical to the behavior feature sequence exists in the preset abnormal program library;
a normal program determining unit, configured to determine that the program to be detected is a normal program if the sample behavior feature sequence identical to the behavior feature sequence does not exist in the preset abnormal program library;
and the abnormality type determining unit is used for determining that the program to be detected is an abnormal program if the sample behavior feature sequence identical to the behavior feature sequence exists in the preset abnormality program library, and taking an abnormality type corresponding to the sample behavior feature sequence identical to the behavior feature sequence as the abnormality type of the program to be detected.
In one embodiment of the present application, the feature matching unit is specifically configured to:
performing character string matching on the behavior feature sequences and each sample behavior feature sequence in a preset abnormal program library;
and when the character string of the behavior feature sequence is completely consistent with the character string of the sample behavior feature sequence, determining that the sample behavior feature sequence is the same as the behavior feature sequence.
In one embodiment of the present application, the feature matching unit is specifically configured to:
extracting a first behavior feature of the behavior feature sequence and a second behavior feature of each sample behavior feature sequence in a preset abnormal program library;
determining the similarity of the first behavioral characteristics of the behavioral characteristic sequence and the second behavioral characteristics of each sample behavioral characteristic sequence;
and taking the sample behavior feature sequence corresponding to the maximum similarity as the sample behavior feature sequence identical to the behavior feature sequence.
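The two matching variants of the feature matching unit above, as an added example (not code from the patent): exact character-string comparison, which reports a program normal when no identical sample sequence exists, and similarity matching, which takes the most similar sample sequence as the identical one. The '-' joined sequence encoding, the behavior features (adjacent identifier pairs), the Jaccard similarity measure, the identifiers and the library contents are all assumptions constructed for the example; the optional `min_similarity` floor is also an addition the patent does not describe.

```python
"""Matching a behavior feature sequence against the preset abnormal program library.

Added example, not code from the patent.  Assumed encoding: a feature
sequence is the behavior identifiers joined with '-'.  Two matching modes:
exact character-string comparison, and similarity matching, where the
extracted behavior features are the set of adjacent identifier pairs and the
similarity is their Jaccard overlap (the patent does not fix either
definition).  Library contents and identifiers are constructed.
"""

# Constructed preset abnormal program library: sample behavior feature
# sequence -> anomaly type of the sample program it came from.
PRESET_ABNORMAL_LIBRARY = {
    "B03-B07-B12-B07": "ransomware",
    "B01-B05-B05-B09": "trojan",
    "B02-B04-B11": "adware",
}


def behavior_features(sequence):
    """Behavior features of a sequence: the set of adjacent identifier pairs
    (assumed definition); a one-identifier sequence yields one 1-tuple."""
    ids = sequence.split("-")
    if len(ids) == 1:
        return {(ids[0],)}
    return set(zip(ids, ids[1:]))


def similarity(seq_a, seq_b):
    """Jaccard similarity of the two feature sets (assumed measure)."""
    fa, fb = behavior_features(seq_a), behavior_features(seq_b)
    return len(fa & fb) / len(fa | fb)


def match_exact(sequence, library=PRESET_ABNORMAL_LIBRARY):
    """Character-string matching: abnormal only if an identical sample
    sequence exists; otherwise the program is judged normal."""
    if sequence in library:
        return ("abnormal", library[sequence])
    return ("normal", None)


def match_similar(sequence, library=PRESET_ABNORMAL_LIBRARY, min_similarity=None):
    """Similarity matching: the sample sequence with the highest similarity is
    taken as the identical one.  min_similarity is an added floor that the
    patent does not describe: without it every program is forced onto its
    nearest sample and can never be judged normal."""
    best_seq, best_sim = max(
        ((s, similarity(sequence, s)) for s in library), key=lambda pair: pair[1]
    )
    if min_similarity is not None and best_sim < min_similarity:
        return ("normal", None, best_sim)
    return ("abnormal", library[best_seq], best_sim)


if __name__ == "__main__":
    probe = "B03-B07-B12"  # sample-like sequence with one behavior missing
    print(match_exact(probe))
    print(match_similar(probe))
    print(match_similar("B06-B08", min_similarity=0.5))
```

Exact matching misses a sample whose sequence differs by a single behavior, which similarity matching recovers; the price is that, as the patent describes it, the highest-similarity sample always wins, so a sequence sharing no feature with any sample is still labelled with some anomaly type. The floor parameter is the minimal check a deployment would add to keep a "normal" verdict reachable in similarity mode.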
In one embodiment of the present application, the apparatus further comprises:
a sample feature sequence obtaining module, configured to obtain a plurality of first sample feature sequences extracted from sample behavior data generated by a sample program of a known anomaly type at runtime, and a plurality of second sample feature sequences extracted from sample behavior data generated by a sample program of an unknown anomaly type at runtime;
the sample clustering module is used for carrying out clustering processing on all the first sample behavior feature sequences and all the second sample behavior feature sequences to obtain a plurality of behavior sequence class clusters;
the class cluster type determining module is used for taking the abnormal type corresponding to the first sample behavior characteristic sequence in the behavior sequence class cluster as the abnormal type of the behavior sequence class cluster;
the abnormal program library construction module is used for establishing a mapping relation between the sample behavior characteristic sequences of each behavior sequence class cluster and the abnormal types of the behavior sequence class clusters to form a preset abnormal program library.
In one embodiment of the present application, the cluster type determining module is specifically configured to:
determining the number of first sample behavior feature sequences corresponding to each abnormal type in the behavior sequence class cluster;
and taking the abnormal type corresponding to the maximum value in the number as the abnormal type of the behavior sequence class cluster.
In one embodiment of the present application, the cluster type determining module is further configured to:
when the abnormal types corresponding to the maximum value in the number comprise at least two types, determining the distance from the first sample behavior feature sequence corresponding to each abnormal type to the cluster center of the behavior sequence cluster;
and taking the abnormal type corresponding to the minimum value in the distance as the abnormal type of the behavior sequence class cluster.
In one embodiment of the present application, the abnormal program library construction module includes:
the behavior sequence subset generating unit is used for intersecting the behavior feature sequences in the behavior sequence class cluster two by two to obtain a plurality of behavior sequence subsets corresponding to the behavior sequence class cluster, wherein the behavior feature sequences in the behavior sequence class cluster comprise a first sample behavior feature sequence and a second sample behavior feature sequence;
the class cluster feature determining unit is used for determining the importance degree of each behavior sequence subset in the behavior sequence class cluster, and taking the behavior sequence subset with the highest importance degree as a sample behavior feature sequence of the behavior sequence class cluster;
the abnormal program library construction unit is used for establishing a mapping relation between the sample behavior characteristic sequences of each behavior sequence class cluster and the abnormal types of the behavior sequence class clusters to form a preset abnormal program library.
In one embodiment of the present application, the class cluster feature determining unit is specifically configured to:
determining a first occurrence probability of the behavior sequence subset in the behavior sequence class cluster, a second occurrence probability of the behavior sequence subset in all behavior sequence class clusters and the length of the behavior sequence subset;
and determining the importance of the behavior sequence subset in the behavior sequence class cluster according to the first occurrence probability, the second occurrence probability and the length of the behavior sequence subset.
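The whole library construction path described in the preceding embodiments (clustering first and second sample sequences, labelling each cluster by majority with a distance-to-center tie-break, forming pairwise intersections, and picking the most important subset from the first and second occurrence probabilities and the length), as one added example that is not code from the patent. Where the patent leaves choices open they are assumed here: sequences are embedded as binary presence vectors over the identifier vocabulary, clustering is one-pass leader clustering with a Euclidean threshold, the intersection of two sequences is their common identifiers in the order of the first, and importance is p1 * log(1/p2) * length. All sample sequences and anomaly type names are constructed.

```python
"""Building the preset abnormal program library by clustering sample
behavior feature sequences.  Added example, not code from the patent.
Assumed: binary presence vectors, leader clustering with a Euclidean
threshold, ordered-intersection of sequences, importance = p1*log(1/p2)*len.
All sample data is constructed.
"""
import math
from collections import Counter

# First sample sequences: (sequence, known anomaly type).  Constructed.
FIRST_SAMPLES = [
    (["B03", "B07", "B12", "B07"], "ransomware"),
    (["B03", "B12", "B07", "B15"], "trojan"),
    (["B01", "B05", "B09"], "trojan"),
    (["B01", "B05", "B05", "B09", "B02"], "trojan"),
]
# Second sample sequences: anomaly type unknown.  Constructed.
SECOND_SAMPLES = [
    ["B03", "B07", "B12"],
    ["B01", "B05", "B09", "B02"],
]


def to_vector(seq, vocab):
    present = set(seq)
    return [1.0 if b in present else 0.0 for b in vocab]


def distance(u, v):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))


def centroid(vectors):
    return [sum(col) / len(vectors) for col in zip(*vectors)]


def cluster_sequences(first_samples, second_samples, threshold=1.5):
    """Leader clustering (assumed): a sequence joins the nearest cluster if
    that cluster's center is within `threshold`, else it starts a new one.
    Each cluster holds members as (sequence, label or None, vector)."""
    items = list(first_samples) + [(s, None) for s in second_samples]
    vocab = sorted({b for s, _ in items for b in s})
    clusters = []
    for seq, label in items:
        vec = to_vector(seq, vocab)
        nearest = min(clusters, key=lambda c: distance(vec, c["center"]), default=None)
        if nearest is None or distance(vec, nearest["center"]) > threshold:
            clusters.append({"members": [(seq, label, vec)], "center": vec})
            continue
        nearest["members"].append((seq, label, vec))
        nearest["center"] = centroid([m[2] for m in nearest["members"]])
    return clusters


def cluster_type(cluster):
    """Majority anomaly type among the cluster's first (labelled) samples.
    On a tie, the type whose labelled sequence lies closest to the cluster
    center wins.  A cluster with no labelled member gets None."""
    counts = Counter(lbl for _, lbl, _ in cluster["members"] if lbl is not None)
    if not counts:
        return None
    top = max(counts.values())
    tied = [t for t, n in counts.items() if n == top]
    if len(tied) == 1:
        return tied[0]
    return min(tied, key=lambda t: min(distance(v, cluster["center"])
                                       for _, lbl, v in cluster["members"] if lbl == t))


def intersect(seq_a, seq_b):
    """Common identifiers of two sequences, ordered as in seq_a (assumed)."""
    in_b, out = set(seq_b), []
    for b in seq_a:
        if b in in_b and b not in out:
            out.append(b)
    return tuple(out)


def cluster_subsets(cluster):
    """Pairwise intersections of all member sequences of a cluster."""
    seqs = [m[0] for m in cluster["members"]]
    return [intersect(seqs[i], seqs[j])
            for i in range(len(seqs)) for j in range(i + 1, len(seqs))]


def build_abnormal_library(first_samples, second_samples, threshold=1.5):
    """Cluster, label each cluster, pick its most important subset as the
    cluster's sample behavior feature sequence, and map it to the type."""
    clusters = cluster_sequences(first_samples, second_samples, threshold)
    per_cluster = [Counter(cluster_subsets(c)) for c in clusters]
    overall = sum(per_cluster, Counter())
    total = sum(overall.values())
    library = {}
    for cluster, subsets in zip(clusters, per_cluster):
        if not subsets:
            continue  # single-member cluster: no pairwise subsets
        local = sum(subsets.values())

        def importance(sub):
            p1 = subsets[sub] / local   # first occurrence probability
            p2 = overall[sub] / total   # second occurrence probability
            return p1 * math.log(1 / p2) * len(sub)

        best = max(subsets, key=importance)
        library["-".join(best)] = cluster_type(cluster)
    return library


if __name__ == "__main__":
    print(build_abnormal_library(FIRST_SAMPLES, SECOND_SAMPLES))
```

On the constructed data the first cluster ends up with one ransomware and one trojan sample, so the majority vote ties and the ransomware sample, being closer to the cluster center, decides the label; the second cluster shows the length factor at work, where a longer subset seen once outranks a shorter one seen twice. Both effects are worth checking on real data before trusting the resulting library, since a tie-break and a length weight can each flip a cluster's label or representative sequence.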
According to an aspect of the embodiments of the present application, there is provided a computer-readable medium having stored thereon a computer program which, when executed by a processor, implements the method of detecting an abnormal program as in the above technical solution.
According to an aspect of the embodiments of the present application, there is provided an electronic device including: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to execute the detection method of the abnormal program as in the above technical means via execution of the executable instructions.
According to an aspect of embodiments of the present application, there is provided a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions so that the computer device executes the detection method of the abnormal program as in the above technical means.
In the technical scheme provided by the embodiment of the application, by acquiring dynamic behavior data generated when the program to be detected runs in a program execution simulation environment, generating a behavior feature sequence according to the target operation behavior of the dynamic behavior data, and determining the abnormal type of the program to be detected according to the behavior feature sequence, on one hand, the program to be detected can be prevented from influencing the real execution environment by running the program to be detected in the program execution simulation environment; on the other hand, various operation behaviors executed in the running process of the program can be effectively identified, the abnormal type of the program is determined according to the actual operation behaviors of the program (namely the dynamic behaviors of the program), and the judgment precision of the program abnormality is improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application. It is apparent that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained from these drawings without inventive effort for a person of ordinary skill in the art.
Fig. 1 schematically shows a block diagram of an exemplary system architecture to which the technical solution of the present application is applied.
Fig. 2 schematically shows a flowchart of a method for detecting an abnormal program according to an embodiment of the present application.
Fig. 3A to fig. 3E are schematic diagrams illustrating a process of creating a preset operation behavior library according to an embodiment of the present application.
Fig. 3F is a schematic diagram of a preset exception library according to an embodiment of the present application.
Fig. 3G is a schematic diagram illustrating a method for detecting an abnormal program according to an embodiment of the present application.
Fig. 4 schematically illustrates a system frame diagram to which the preset exception library construction method provided in the embodiment of the present application is applied.
Fig. 5 schematically shows a flowchart of a preset exception library construction method according to an embodiment of the present application.
Fig. 6 schematically shows a block diagram of a detection apparatus for an abnormal program provided in an embodiment of the present application.
Fig. 7 schematically illustrates a block diagram of a computer system suitable for use in implementing embodiments of the present application.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments may be embodied in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the example embodiments to those skilled in the art.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the present application. One skilled in the relevant art will recognize, however, that the aspects of the application can be practiced without one or more of the specific details, or with other methods, components, devices, steps, etc. In other instances, well-known methods, devices, implementations, or operations are not shown or described in detail to avoid obscuring aspects of the application.
The block diagrams depicted in the figures are merely functional entities and do not necessarily correspond to physically separate entities. That is, the functional entities may be implemented in software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The flow diagrams depicted in the figures are exemplary only, and do not necessarily include all of the elements and operations/steps, nor must they be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the order of actual execution may be changed according to actual situations.
It will be appreciated that in the specific embodiments of the present application, related data such as object information is referred to, and when the above embodiments of the present application are applied to specific products or technologies, permission or consent of the object is required to be obtained, and collection, use and processing of related data is required to comply with related laws and regulations and standards of related countries and regions.
Fig. 1 schematically shows a block diagram of an exemplary system architecture to which the technical solution of the present application is applied.
As shown in fig. 1, system architecture 100 may include a terminal device 110, a network 120, and a server 130. Terminal device 110 may include a smart phone, tablet, notebook, smart voice interaction device, smart home appliance, vehicle terminal, and the like. The server 130 may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing cloud computing services. Network 120 may be a communication medium of various connection types capable of providing a communication link between terminal device 110 and server 130, and may be, for example, a wired communication link or a wireless communication link.
The system architecture in the embodiments of the present application may have any number of terminal devices, networks, and servers, as desired for implementation. For example, the server 130 may be a server group composed of a plurality of server devices. In addition, the technical solution provided in the embodiment of the present application may be applied to the terminal device 110, or may be applied to the server 130, or may be implemented by the terminal device 110 and the server 130 together, which is not limited in particular in this application.
For example, the terminal device 110 loads the program to be detected into the program execution simulation environment, and then obtains dynamic behavior data generated when the program to be detected runs in the program execution simulation environment. Further, the terminal device 110 generates a behavior feature sequence of the program to be detected according to at least one target operation behavior, and finally determines an abnormal type of the program to be detected according to the behavior feature sequence.
In one embodiment of the present application, the method for detecting an abnormal program provided in the embodiment of the present application may be executed by the terminal device 110 and the server 130 together. For example, the terminal device 110 loads the program to be detected into the program execution simulation environment, collects dynamic behavior data generated when the program to be detected runs in the program execution simulation environment, and then the terminal device 110 sends the collected dynamic behavior data to the server 130. After the server 130 obtains the dynamic behavior data, a behavior feature sequence of the program to be detected is generated according to at least one target operation behavior, and finally, the abnormal type of the program to be detected is determined according to the behavior feature sequence. After determining the anomaly type of the program to be detected, the server 130 returns the anomaly type of the program to be detected to the terminal device 110 through the network 120, and the terminal device 110 may display the anomaly type of the program to be detected to the object.
In one embodiment of the present application, server 130 may be a node in a blockchain network. Blockchains are novel application modes of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanisms, encryption algorithms, and the like. The Blockchain (Blockchain), which is essentially a decentralised database, is a string of data blocks that are generated by cryptographic means in association, each data block containing a batch of information of network transactions for verifying the validity of the information (anti-counterfeiting) and generating the next block. The blockchain may include a blockchain underlying platform, a platform product services layer, and an application services layer.
The blockchain underlying platform may include processing modules for object management, basic services, smart contracts, and operational monitoring. The object management module is responsible for identity information management of all blockchain participants, including maintenance of public and private key generation (account management), key management, maintenance of the correspondence between the real identities of objects and blockchain addresses (authority management), and, where authorized, supervision and audit of the transactions of certain real identities and provision of risk-control rule configuration (risk-control audit). The basic service module is deployed on all blockchain node devices and is used to verify the validity of a service request and to record valid requests to storage; for a new service request, the basic service first parses and authenticates the interface adaptation, encrypts the service information through an identification algorithm (identification management), transmits it completely and consistently to the shared ledger (network communication), and records and stores it. The smart contract module is responsible for registering and issuing contracts, triggering contracts and executing contracts: a developer can define contract logic through a programming language, issue it to the blockchain (contract registration), and trigger execution according to the logic of the contract clauses via keys or other events to complete the contract logic; it also provides registration of contract upgrades. The operation monitoring module is mainly responsible for deployment in the product release process, modification of configuration, contract setting, cloud adaptation, and visual output of real-time states during product operation, for example: alarming, monitoring network conditions, monitoring node equipment health status, etc.
The platform product service layer provides basic capabilities and implementation frameworks of typical applications, and developers can complete the blockchain implementation of business logic based on the basic capabilities and the characteristics of the superposition business. The application service layer provides the application service based on the block chain scheme to the business participants for use.
The detection of abnormal programs provided in the present application is described in detail below in connection with the detailed description.
Fig. 2 schematically shows a flowchart of a method for detecting an abnormal program according to an embodiment of the present application. As shown in fig. 2, the method for detecting an abnormal program provided in the embodiment of the present application includes steps 210 to 240, which are specifically as follows:
step 210, loading the program to be detected into the program execution simulation environment.
Specifically, the program execution simulation environment is a virtual environment that simulates the real environment in which programs execute; the series of operation behaviors generated by a program running in it do not affect the real environment. Generally, the program to be detected is a program unknown to the device that is to run it. If an unknown program were run directly in the device's real environment and turned out to be malicious, the device would be damaged; loading the program to be detected into the program execution simulation environment therefore avoids the adverse effects of running it directly in the real environment of the device.
In one embodiment of the present application, the program execution simulation environment may be implemented by a sandbox system. A sandbox system is a virtual system program that creates a separate virtual working environment, similar to a sandbox, allows the program to run in that virtual working environment, and can discard the operation behaviors generated by the program's run in the virtual working environment without affecting the real environment in which programs execute.
Step 220, obtaining dynamic behavior data generated when the program to be detected runs in the program execution simulation environment, wherein the dynamic behavior data comprises a plurality of operation behaviors.
Specifically, when the program to be detected runs in the program execution simulation environment, it performs operation behaviors such as reading files, modifying files, writing files, copying files, creating processes, loading modules, rewriting the registry, and the like; these operation behaviors are the dynamic behavior data of the program to be detected. The dynamic behavior data includes all operation behaviors generated by the program to be detected at run time together with the generation time of each operation behavior.
In one embodiment of the present application, when the program execution simulation environment is implemented by the sandbox system, the sandbox system generates a behavior log of the program to be detected for running the program to be detected, and then the corresponding dynamic behavior data can be obtained through the behavior log of the program to be detected.
Step 230, determining at least one target operation behavior from the plurality of operation behaviors of the dynamic behavior data, and generating a behavior feature sequence of the program to be detected according to the at least one target operation behavior.
Specifically, as described above, the dynamic behavior data includes a plurality of operation behaviors generated when the program to be detected runs in the program execution simulation environment. The core operation behaviors of the program to be detected are identified from these operation behaviors as the target operation behaviors, where a core operation behavior is an operation behavior that is representative of the program to be detected. The at least one target operation behavior is then combined to generate the behavior feature sequence of the program to be detected. In this way the amount of data to be processed is effectively reduced and processing efficiency is improved.
In one embodiment of the present application, the process of generating the behavior feature sequence includes: matching each operation behavior contained in the dynamic behavior data against a preset operation behavior library to obtain at least one target operation behavior; determining the behavior identifier of each of the at least one target operation behavior; and arranging the behavior identifiers according to the generation time of the corresponding target operation behaviors to generate the behavior feature sequence of the program to be detected.
Specifically, the preset operation behavior library includes a plurality of sample operation behaviors, where a sample operation behavior is a core operation behavior of a sample program of known exception type (i.e., a target operation behavior of that sample program). Each operation behavior contained in the dynamic behavior data is matched against the preset operation behavior library to determine whether the dynamic behavior data contains an operation behavior identical to a sample operation behavior in the library; if so, at least one target operation behavior is obtained, the identical operation behavior being the target operation behavior.
For convenience of subsequent calculation, a behavior identifier is used in this embodiment to represent a target operation behavior; the behavior identifier is a predefined simple string, for example a number. The target operation behaviors of the sample programs and their corresponding behavior identifiers are recorded in a behavior identifier list, and the behavior identifier of a target operation behavior is determined by looking the target operation behavior up in that list. Illustratively, if in the behavior identifier list the behavior identifier of the operation behavior "copy file" is 101, then when the target operation behavior is copying a file, the corresponding behavior identifier is 101.
In the dynamic behavior data each operation behavior has a corresponding generation time, and the behavior identifiers of the target operation behaviors are arranged according to the generation time of the corresponding target operation behaviors to obtain the behavior feature sequence of the program to be detected. Illustratively, if the behavior identifiers are 248, 249 and 250, arranging them by the generation time of the corresponding target operation behaviors gives the operation behavior sequence 248&&249&&250, where "&&" is the connector between behavior identifiers and means "and".
In one embodiment of the present application, when the preset operation behavior library is created, a plurality of sample programs are first obtained, and an exception type is attached to each sample program. For example, as shown in fig. 3A, a sample program runs as an MD5 task, so the task ID of the MD5 task (column 301 in fig. 3A) may be used as the identifier of the sample program, and each sample program corresponds to an exception type (column 302 in fig. 3A); the exception type may be, for example, a virus. The sandbox system is then deployed and the sample programs are run on it. Illustratively, as shown in fig. 3B, different sandbox systems are distinguished by machine ID (column 303 in fig. 3B). The dynamic behavior data generated by the sample program running in the sandbox system is then obtained; illustratively, as shown in fig. 3C, the dynamic behavior data includes a plurality of operation behaviors such as LoadModule, CreateMutex, CopyFileEx, CreateFile and WriteFile (column 304 in fig. 3C). The dynamic behavior log of the sample program is then subjected to target operation behavior extraction by preset rules; illustratively, as shown in fig. 3D, a target operation behavior (column 305 in fig. 3D) may be extracted according to a preset rule (column 306 in fig. 3D), and the target operation behaviors may be, for example, Account Manipulation, launchctl, source, trap, and so on. Meanwhile, each target operation behavior may be assigned a behavior identifier (the technique ID in fig. 3D); for example, the behavior identifier corresponding to the target operation behavior Account Manipulation is 10. Finally, the target operation behaviors of all sample programs are aggregated to form the preset operation behavior library.
Then, when the program to be detected is processed, each operation behavior included in the dynamic behavior data is matched in a preset operation behavior library, so that at least one target operation behavior can be obtained, as shown in fig. 3E, where a column 307 in fig. 3E represents the dynamic behavior data, a column 308 represents the program to be detected, and a column 309 represents the behavior identifier.
In one embodiment of the present application, one operation behavior in the dynamic behavior data is a single operation corresponding to only one action; e.g., copying a file includes only the copy action, and reading a file includes only the read action. A target operation behavior may be one operation behavior, or may be formed by at least one operation behavior that conforms to a rule; for example, reading a file and then writing that file may be taken as one target operation behavior. The rules can be derived by extracting the core operation behaviors from sample programs of known exception types. For example, a preset behavior rule library includes a plurality of behavior extraction rules obtained from the core operation behaviors of a plurality of sample programs with known exception types. Each operation behavior contained in the dynamic behavior data is matched against each behavior extraction rule in the preset behavior rule library; when at least one operation behavior conforming to a behavior extraction rule is matched, that at least one operation behavior is the target operation behavior, and one behavior extraction rule corresponds to one target operation behavior. The target operation behavior is then converted into a behavior identifier; e.g., the target operation behavior "read the file, then write the file" has the behavior identifier 123. Finally, the behavior feature sequence of the program to be detected is generated from the behavior identifiers and the generation times of the target operation behaviors.
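As an added worked example (not code from the patent), the following Python script applies steps 220 and 230 to a constructed sandbox behavior log: it parses one operation behavior per line, matches each against a hypothetical preset operation behavior library that contains both single-action behaviors and one multi-step rule, and orders the resulting behavior identifiers by generation time with the "&&" connector. Identifiers 101 (copy file) and 123 (read a file, then write it) are the page's examples; the other identifiers, the API names in the log, and the interpretation of the multi-step rule as consecutive actions on the same file are assumptions.

```python
from dataclasses import dataclass

# Constructed sandbox behavior log (not from the patent). One operation behavior
# per line: generation time, API name, argument.
SAMPLE_LOG = """\
2022-01-01T10:00:00.001 LoadModule kernel32.dll
2022-01-01T10:00:00.005 CreateMutex Global\\demo-mutex
2022-01-01T10:00:00.010 ReadFile C:\\Users\\demo\\a.txt
2022-01-01T10:00:00.012 WriteFile C:\\Users\\demo\\a.txt
2022-01-01T10:00:00.020 CopyFileEx C:\\Users\\demo\\a.txt
2022-01-01T10:00:00.030 RegSetValue HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
"""

# Hypothetical preset operation behavior library. 101 (copy file) and 123 (read a
# file, then write it) are the page's example identifiers; 248 and 250 are constructed.
SINGLE_ACTION_RULES = {"CreateMutex": 248, "CopyFileEx": 101, "RegSetValue": 250}
# Multi-step rule: assumed to mean consecutive actions on the same argument (file).
SEQUENCE_RULES = {("ReadFile", "WriteFile"): 123}


@dataclass
class Behavior:
    time: str
    api: str
    arg: str


def parse_log(text):
    """Parse the behavior log into operation behaviors in generation order."""
    behaviors = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, api, arg = line.split(" ", 2)
        behaviors.append(Behavior(time, api, arg))
    return behaviors


def extract_target_behaviors(behaviors):
    """Match operation behaviors against the library; return (time, identifier) pairs.

    Multi-step rules are tried first at each position and consume their actions;
    otherwise a single-action rule may match. Unmatched behaviors are dropped,
    which is how the core behaviors are separated from the rest.
    """
    targets = []
    i = 0
    while i < len(behaviors):
        matched = False
        for pattern, ident in SEQUENCE_RULES.items():
            window = behaviors[i:i + len(pattern)]
            if (len(window) == len(pattern)
                    and all(b.api == p for b, p in zip(window, pattern))
                    and len({b.arg for b in window}) == 1):
                targets.append((window[0].time, ident))
                i += len(pattern)
                matched = True
                break
        if matched:
            continue
        ident = SINGLE_ACTION_RULES.get(behaviors[i].api)
        if ident is not None:
            targets.append((behaviors[i].time, ident))
        i += 1
    return targets


def behavior_feature_sequence(log_text):
    """Behavior identifiers ordered by generation time, joined with the '&&' connector."""
    targets = sorted(extract_target_behaviors(parse_log(log_text)))
    return "&&".join(str(ident) for _, ident in targets)


if __name__ == "__main__":
    print(behavior_feature_sequence(SAMPLE_LOG))  # 248&&123&&101&&250
```

The LoadModule entry is deliberately absent from the library, so it never reaches the sequence; the ReadFile/WriteFile pair collapses into the single identifier 123 because both act on the same file. An empty sequence means no core behavior matched, which the later matching step treats as a normal program.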
Step 240, determining whether the program to be detected is abnormal according to the behavior feature sequence.
Specifically, the behavior feature sequence represents the main operations executed by the program to be detected while running, or the main attack strategy of the program to be detected, and whether the program to be detected is abnormal can be determined by analyzing the behavior feature sequence.
In the technical solution provided by the embodiment of the present application, dynamic behavior data generated when the program to be detected runs in the program execution simulation environment is acquired, a behavior feature sequence is generated from the target operation behaviors in the dynamic behavior data, and the abnormal type of the program to be detected is determined from the behavior feature sequence. On the one hand, running the program to be detected in the program execution simulation environment prevents it from affecting the real execution environment; on the other hand, the various operation behaviors executed while the program runs are effectively identified, whether the program is abnormal is determined from its actual operation behaviors (that is, its dynamic behaviors), and the accuracy of the abnormality judgment is improved.
In one embodiment of the present application, the process of determining whether the program to be detected is abnormal may be: and matching in a preset abnormal program library according to the behavior feature sequence, and determining whether the program to be detected is abnormal.
Specifically, the preset abnormal program library defines a mapping relationship between exception types of programs and sample behavior feature sequences. Matching the behavior feature sequence of the program to be detected in the preset abnormal program library means searching the library for a sample behavior feature sequence identical to the behavior feature sequence of the program to be detected. If no identical sample behavior feature sequence exists in the preset abnormal program library, the program to be detected can be determined to be a normal program. If an identical sample behavior feature sequence exists in the preset abnormal program library, the program to be detected can be determined to be an abnormal program, and the exception type corresponding to that sample behavior feature sequence can be taken as the exception type of the program to be detected; thus both whether the program to be detected is abnormal and which exception type it belongs to are determined.
In one embodiment of the present application, when searching the preset abnormal program library for a sample behavior feature sequence identical to the behavior feature sequence of the program to be detected, one method is to perform character string matching between the behavior feature sequence and each sample behavior feature sequence: when the character string of the behavior feature sequence is completely identical to the character string of a sample behavior feature sequence, that sample behavior feature sequence is determined to be identical to the behavior feature sequence. That is, matching is performed directly at the character string level, and a sample behavior feature sequence is considered identical to the behavior feature sequence only when the two character strings are completely consistent.
In one embodiment of the present application, when searching the preset abnormal program library for a sample behavior feature sequence identical to the behavior feature sequence of the program to be detected, another method is: extracting a first behavior feature of the behavior feature sequence and a second behavior feature of each sample behavior feature sequence in the preset abnormal program library; determining the similarity between the first behavior feature of the behavior feature sequence and the second behavior feature of each sample behavior feature sequence; and taking the sample behavior feature sequence corresponding to the maximum similarity as the sample behavior feature sequence identical to the behavior feature sequence.
Specifically, the behavior feature sequence is converted into a behavior feature for matching. In the embodiment of the application, the locality-sensitive hash value of the behavior feature sequence can be used as its behavior feature, and the locality-sensitive hash may be minhash or simhash. The first behavior feature is then the locality-sensitive hash value of the behavior feature sequence of the program to be detected, and the second behavior feature is the locality-sensitive hash value of a sample behavior feature sequence. The similarity between the first behavior feature and the second behavior feature of each sample behavior feature sequence is calculated, and the sample behavior feature sequence corresponding to the maximum similarity is taken as the sample behavior feature sequence identical to the behavior feature sequence. Alternatively, when the similarity between the two behavior features is greater than a threshold value, the sample behavior feature sequence corresponding to the second behavior feature is considered identical to the behavior feature sequence. The similarity between the first behavior feature and the second behavior feature may be measured by the Hamming distance, the cosine similarity, etc. between them.
In one embodiment of the present application, the method further includes creating the preset abnormal program library. As described for step 230, when the preset operation behavior library is created, at least one target operation behavior of each sample program is obtained; the target operation behaviors of each sample program are then combined to obtain the behavior feature sequence of that sample program, and a mapping relationship between the behavior feature sequence of each sample program and the exception type of the sample program can be established to form the preset abnormal program library. Illustratively, as shown in fig. 3F, a mapping relationship is established between the anomaly type of the sample (column 310 in fig. 3F) and the sample behavior feature sequence (column 311 in fig. 3F), forming the preset abnormal program library.
In an embodiment of the present application, one anomaly type may correspond to a plurality of sample programs, each with a different sample behavior feature sequence, so when the mapping relationship is established, all sample behavior feature sequences corresponding to an anomaly type may be combined into one sample behavior feature sequence, and the combined sample behavior feature sequence is then mapped to the anomaly type. For example, anomaly type A corresponds to the two sample behavior feature sequences 1&&2&&3 and 4&&5; combining them gives the combined sample behavior feature sequence (1&&2&&3)|(4&&5), where "|" means "or". Then, when the program to be detected is processed, if its behavior feature sequence is either 1&&2&&3 or 4&&5, the anomaly type of the program to be detected is anomaly type A.
For example, fig. 3G is a schematic diagram illustrating a method for detecting an abnormal program according to an embodiment of the present application, where an execution flow of the method is shown by an arrow in fig. 3G, and the method includes determining a program to be detected (i.e., task MD5 shown in fig. 3G), then acquiring dynamic behavior data (i.e., log ID shown in fig. 3G) of the program to be detected, determining a behavior feature sequence according to at least one target operation behavior in the dynamic behavior data (i.e., a sequence in a TTPS technology list shown in fig. 3G), and finally determining an abnormal type of the program to be detected (i.e., family/event name shown in fig. 3G) according to the behavior feature sequence.
In one embodiment of the present application, the process of creating the preset abnormal program library may be: acquiring sample behavior data generated at runtime by a plurality of sample programs with known exception types; extracting at least one sample operation behavior executed by each sample program from its sample behavior data and generating the sample behavior feature sequence of the sample program; and establishing a mapping relationship between the sample behavior feature sequence of the sample program and the exception type of the sample program to form the preset abnormal program library.
Specifically, the preset abnormal program library needs to be constructed from the sample behavior feature sequences of sample programs with known exception types. First, the sample behavior data of a sample program with a known exception type at runtime, i.e. the dynamic behavior data of the sample program at runtime, is obtained. Generally, a sample program with a known exception type can be loaded into the program execution simulation environment and run to obtain its sample behavior data.
Then at least one sample operation behavior is extracted from the sample behavior data, each sample operation behavior is converted into a behavior identifier, and the behavior identifiers of the at least one sample operation behavior are ordered by the generation time of the sample operation behaviors to generate the sample behavior feature sequence of the sample program. Optionally, the sample operation behavior corresponds to the target operation behavior of the sample program, and its extraction may follow the description of the target operation behavior extraction process above.
In one embodiment of the present application, the process of generating a sample behavior feature sequence includes: extracting at least one sample operation behavior executed by a sample program from sample behavior data, and determining importance of each sample operation behavior in the sample behavior data; and selecting sample operation behaviors with importance greater than a preset threshold value to form a sample behavior feature sequence of the sample program.
In particular, the at least one sample operation behavior executed by the sample program may be all operation behaviors in the sample behavior data. The importance of a sample operation behavior is calculated as follows: a first importance of each sample operation behavior is determined according to the number of occurrences of that sample operation behavior in the sample behavior data; a second importance of each sample operation behavior is determined according to the number of occurrences of that sample operation behavior in a preset behavior database; and the importance of each sample operation behavior in the sample behavior data is determined from the first importance and the second importance.
The first importance of a sample operation behavior is positively correlated with the number of occurrences of that sample operation behavior in the sample behavior data, i.e. the more often the sample operation behavior occurs in the sample behavior data, the higher its first importance. Specifically, the first importance of the sample operation behavior may be calculated according to the following equation:
where $S_{1i}$ represents the first importance of sample operation behavior $i$; $n_i$ represents the number of occurrences of sample operation behavior $i$ in the sample behavior data; and $N_i$ represents the number of all operation behaviors in the sample program corresponding to sample operation behavior $i$.
The preset behavior database is a database formed from the operation behaviors of a sufficiently large number of sample programs. The second importance of a sample operation behavior is negatively correlated with the number of its occurrences in the preset behavior database, that is, the more often the sample operation behavior occurs in the preset behavior database, the lower its second importance. Specifically, the second importance of the sample operation behavior may be calculated according to the following equation:
where $S_{2i}$ represents the second importance of sample operation behavior $i$; $m_i$ represents the number of sample programs in the preset behavior database that contain sample operation behavior $i$; and $M$ represents the total number of sample programs in the preset behavior database.
The importance $S_i$ of sample operation behavior $i$ in the sample behavior data is the product of its first importance and its second importance, i.e. $S_i = S_{1i} \cdot S_{2i}$.
After the importance of each sample operation behavior in the sample behavior data has been determined, the sample operation behaviors whose importance is greater than a preset threshold are selected to form the sample behavior feature sequence. Optionally, the sample operation behaviors can instead be ranked by importance from high to low, and a certain number of the highest-ranked sample operation behaviors selected to form the sample behavior feature sequence.
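Added example (not the patent's code) for the importance calculation above. The page defines $S_{1i}$ as growing with $n_i$ and $S_{2i}$ as shrinking with $m_i$, but the exact formulas are not reproduced on the page, so the script assumes the ratio $n_i / N_i$ and $\log(M / m_i)$, which satisfy the stated monotonicity (this is the familiar TF-IDF weighting), then selects the behaviors above a threshold, or the top-k, to form the sample behavior feature sequence. The sample behavior data and the preset behavior database are constructed; behavior names stand in for the numeric behavior identifiers.

```python
import math
from collections import Counter

# Constructed sample behavior data of one sample program, in generation order.
SAMPLE_BEHAVIORS = ["LoadModule", "CreateMutex", "LoadModule", "WriteFile",
                    "RegSetValue", "LoadModule", "WriteFile"]

# Constructed preset behavior database: the set of operation behaviors performed by
# each of the M sample programs it was built from.
BEHAVIOR_DATABASE = [
    {"LoadModule", "CreateFile", "WriteFile"},
    {"LoadModule", "CreateMutex"},
    {"LoadModule", "ReadFile"},
    {"LoadModule", "CreateFile", "RegSetValue"},
]


def first_importance(behaviors):
    """S_1i = n_i / N_i. Assumed form: the page only states that S_1i grows with n_i."""
    counts = Counter(behaviors)
    total = len(behaviors)  # N_i: all operation behaviors of this sample program
    return {b: n / total for b, n in counts.items()}


def second_importance(behaviors, database):
    """S_2i = log(M / m_i). Assumed form: the page only states that S_2i shrinks as m_i grows.

    A behavior that no database program contains would give m_i = 0; it is treated
    as if one program contained it (an assumption) so the logarithm stays defined.
    """
    M = len(database)
    programs_with = Counter(b for program in database for b in program)
    return {b: math.log(M / max(programs_with[b], 1)) for b in set(behaviors)}


def importance(behaviors, database):
    """S_i = S_1i * S_2i for every sample operation behavior of the program."""
    s1 = first_importance(behaviors)
    s2 = second_importance(behaviors, database)
    return {b: s1[b] * s2[b] for b in s1}


def sample_behavior_feature_sequence(behaviors, database, threshold):
    """Behaviors whose importance exceeds the threshold, in order of first generation time."""
    scores = importance(behaviors, database)
    kept = []
    for b in behaviors:
        if scores[b] > threshold and b not in kept:
            kept.append(b)
    return "&&".join(kept)


def top_k_behaviors(behaviors, database, k):
    """Alternative selection: the k behaviors with the highest importance."""
    scores = importance(behaviors, database)
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    return [b for b, _ in ranked[:k]]


if __name__ == "__main__":
    for b, s in importance(SAMPLE_BEHAVIORS, BEHAVIOR_DATABASE).items():
        print(f"{b:12s} {s:.3f}")
    print(sample_behavior_feature_sequence(SAMPLE_BEHAVIORS, BEHAVIOR_DATABASE, 0.1))
```

LoadModule occurs most often in the sample (high $S_{1i}$) but also in every database program, so its $S_{2i}$ is zero and it drops out of the sequence; WriteFile, which is rare in the database, scores highest. This is the intended effect: behaviors shared by nearly all programs carry no signal for distinguishing exception types.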
In one embodiment of the present application, the process of creating the preset exception library may further be: acquiring a plurality of first sample behavior feature sequences and a plurality of second sample behavior feature sequences; clustering all the first sample behavior feature sequences and all the second sample behavior feature sequences to obtain a plurality of behavior sequence class clusters; taking an abnormal type corresponding to a first sample behavior characteristic sequence in the behavior sequence class cluster as an abnormal type of the behavior sequence class cluster; and establishing a mapping relation between the sample behavior characteristic sequences of each behavior sequence class cluster and the abnormal types of the behavior sequence class clusters to form a preset abnormal program library.
Specifically, the first sample behavior feature sequences are extracted from sample behavior data generated at runtime by sample programs of known anomaly type, and the second sample behavior feature sequences from sample behavior data generated at runtime by sample programs of unknown anomaly type. All first and second sample behavior feature sequences are clustered together as the clustering data to obtain a plurality of behavior sequence class clusters. A behavior sequence class cluster may contain first sample behavior feature sequences, whose anomaly types are known, so the anomaly type of the first sample behavior feature sequences in a class cluster can be used as the anomaly type of all sample behavior feature sequences in that class cluster. A mapping relationship between the sample behavior feature sequences of each behavior sequence class cluster and the anomaly type of that class cluster is then established to form the preset abnormal program library.
In one embodiment of the present application, when clustering is performed, a locality-sensitive hash value (such as simhash or minhash) of each sample behavior feature sequence may be extracted first, then the Hamming distance between each pair of locality-sensitive hash values is calculated, and sample behavior feature sequences whose Hamming distance is smaller than a set threshold are placed in the same class, so as to obtain a plurality of behavior sequence class clusters.
In one embodiment of the present application, the process of determining the anomaly type of the behavior sequence class cluster specifically includes: determining the number of first sample behavior feature sequences corresponding to each abnormal type in the behavior sequence class cluster; and taking the abnormal type corresponding to the maximum value in the number as the abnormal type of the behavior sequence class cluster. Specifically, one behavior sequence cluster may include first sample behavior feature sequences corresponding to a plurality of abnormal types, the number of the first sample behavior feature sequences corresponding to each abnormal type is counted, and the abnormal type corresponding to the maximum number is taken as the abnormal type of the behavior sequence cluster.
In one embodiment of the present application, when the anomaly type corresponding to the maximum count is taken as the anomaly type of the behavior sequence class cluster, at least two anomaly types may share the maximum count. In that case the anomaly type of the class cluster may be determined by the distance from the first sample behavior feature sequences corresponding to each of those anomaly types to the center of the class cluster (the distance being calculated from the first behavior features corresponding to the first sample behavior feature sequences). In general, for each anomaly type sharing the maximum count, the distance from its first sample behavior feature sequence to the center of the class cluster is determined, and the anomaly type with the smallest distance is used as the anomaly type of the class cluster. When one anomaly type corresponds to a plurality of first sample behavior feature sequences, the average of the distances from those first sample behavior feature sequences to the center of the class cluster is taken as that anomaly type's distance to the center of the class cluster.
In one embodiment of the present application, when the behavior sequence class cluster does not include the first sample behavior feature sequence of the known anomaly type (i.e., the second sample behavior feature sequence of all unknown anomaly types in the behavior sequence class cluster), the behavior sequence class cluster may be marked as an unknown class cluster, so that the anomaly type of the behavior sequence class cluster may be determined by taking other measures later, such as manual classification, deep learning model classification, and the like.
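Added example, not code from the patent, covering both the locality-sensitive-hash matching against the preset abnormal program library described earlier (exact string match first, then the most similar sample sequence if its similarity clears a threshold) and the clustering and cluster-labeling steps just above. It uses a 64-bit simhash over the behavior identifiers plus adjacent identifier pairs (the pairs are an assumption, added so that identifier order affects the hash), Hamming distance, a greedy single-threshold clustering, a majority vote per cluster with the distance-to-center tie-break, and "unknown" for clusters without any known sample. The sample set, the thresholds, and the bitwise-majority definition of the cluster center are assumptions.

```python
import hashlib
from collections import Counter, defaultdict

BITS = 64

# Constructed sample set: (sample id, behavior feature sequence, anomaly type or None if unknown).
SAMPLES = [
    ("s1", "1&&2&&3", "A"),
    ("s2", "1&&2&&3", "A"),
    ("s3", "1&&2&&3", "B"),
    ("s4", "1&&2&&3", None),
    ("s5", "1&&2&&3&&4", None),   # near variant; joins whichever cluster its Hamming distance allows
    ("s6", "7&&8&&9", None),
    ("s7", "7&&8&&9", None),
    ("s8", "4&&5&&6", "C"),
]


def tokens(sequence):
    """Identifiers plus adjacent identifier pairs, so that order influences the hash."""
    ids = sequence.split("&&")
    return ids + [a + ">" + b for a, b in zip(ids, ids[1:])]


def simhash(sequence):
    """64-bit simhash: each bit is the sign of the per-bit vote of all token hashes."""
    votes = [0] * BITS
    for t in tokens(sequence):
        h = int.from_bytes(hashlib.sha256(t.encode()).digest()[:8], "big")
        for b in range(BITS):
            votes[b] += 1 if (h >> b) & 1 else -1
    return sum(1 << b for b in range(BITS) if votes[b] > 0)


def hamming(a, b):
    return bin(a ^ b).count("1")


def similarity(a, b):
    return 1.0 - hamming(a, b) / BITS


def cluster(samples, max_distance=6):
    """Greedy threshold clustering: join the first cluster whose seed hash is within max_distance."""
    clusters = []  # each: {"seed": hash, "members": [(id, sequence, label, hash)]}
    for sid, seq, label in samples:
        h = simhash(seq)
        for c in clusters:
            if hamming(c["seed"], h) <= max_distance:
                c["members"].append((sid, seq, label, h))
                break
        else:
            clusters.append({"seed": h, "members": [(sid, seq, label, h)]})
    return clusters


def center(hashes):
    """Cluster center as the bitwise majority of the member hashes (assumed definition)."""
    return sum(1 << b for b in range(BITS)
               if sum((h >> b) & 1 for h in hashes) * 2 > len(hashes))


def label_cluster(c):
    """Majority anomaly type among known members; ties broken by mean distance to the center."""
    known = [(label, h) for _, _, label, h in c["members"] if label is not None]
    if not known:
        return "unknown"  # left for manual or model-based classification later
    counts = Counter(label for label, _ in known)
    top = max(counts.values())
    tied = [label for label, n in counts.items() if n == top]
    if len(tied) == 1:
        return tied[0]
    ctr = center([h for _, _, _, h in c["members"]])
    dist = defaultdict(list)
    for label, h in known:
        if label in tied:
            dist[label].append(hamming(h, ctr))
    return min(tied, key=lambda label: sum(dist[label]) / len(dist[label]))


def build_library(samples, max_distance=6):
    """Preset abnormal program library: sequence -> anomaly type, from the labeled clusters."""
    library = {}
    for c in cluster(samples, max_distance):
        label = label_cluster(c)
        if label == "unknown":
            continue
        for _, seq, _, _ in c["members"]:
            library[seq] = label
    return library


def classify(sequence, library, min_similarity=0.9):
    """Exact string match first; otherwise the most similar sample sequence, if similar enough."""
    if sequence in library:
        return library[sequence]
    h = simhash(sequence)
    best_seq = max(library, key=lambda s: similarity(h, simhash(s)))
    if similarity(h, simhash(best_seq)) >= min_similarity:
        return library[best_seq]
    return "normal"
```

Because simhash over single identifiers is a bag-of-tokens hash, 1&&2&&3 and 3&&2&&1 would otherwise collide; the adjacent-pair tokens are what make the order of behaviors count. The similarity threshold of 0.9 corresponds to at most 6 differing bits out of 64, which unrelated sequences (expected distance about 32) essentially never reach.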
In one embodiment of the present application, when establishing the mapping relationship between the sample behavior feature sequence and the anomaly type, the method may further include: intersecting the behavior feature sequences in the behavior sequence clusters two by two to obtain a plurality of behavior sequence subsets corresponding to the behavior sequence clusters, determining the importance degree of each behavior sequence subset in the behavior sequence clusters, and taking the behavior sequence subset with the highest importance degree as a sample behavior feature sequence of the behavior sequence clusters; and establishing a mapping relation between the sample behavior characteristic sequences of each behavior sequence class cluster and the abnormal types of the behavior sequence class clusters to form a preset abnormal program library.
Specifically, the behavior feature sequences in the behavior sequence class cluster include first sample behavior feature sequences and second sample behavior feature sequences. The sample behavior feature sequences in the class cluster are intersected in pairs, and each intersection is a behavior sequence subset. Illustratively, if the two behavior feature sequences are 1&&2&&3&&5&&6 and 5&&6&&7&&8, intersecting them yields the behavior sequence subset 5&&6. The importance degree of each behavior sequence subset is then determined, the behavior sequence subset whose importance degree is greater than a threshold, or is the highest, is taken as the sample behavior feature sequence of the class cluster, and finally the mapping relationship is established between that sample behavior feature sequence and the anomaly type.
In one embodiment of the present application, the manner in which the importance of a subset of behavior sequences is determined is: determining a first occurrence probability of the behavior sequence subset in the behavior sequence class cluster, a second occurrence probability of the behavior sequence subset in all the behavior sequence class clusters and the length of the behavior sequence subset; and determining the importance degree of the behavior sequence subset in the behavior sequence class cluster according to the first occurrence probability, the second occurrence probability and the length of the behavior sequence subset.
Specifically, a behavior sequence subset may appear multiple times in the same behavior sequence class cluster. For example, in one class cluster, the subset obtained by intersecting 1&&2&&3&&5&&6 with 5&&6&&7&&8 is 5&&6, and the subset obtained by intersecting 2&&3&&4&&5&&6 with 5&&6&&9&&10 is also 5&&6, so the subset 5&&6 occurs at least 2 times. The first occurrence probability is then the ratio of the number of occurrences of the behavior sequence subset in the class cluster to the number of all behavior sequence subsets in that class cluster; the second occurrence probability is the ratio of the total number of occurrences of the behavior sequence subset across all class clusters to the total number of behavior sequence subsets of all class clusters; and the length of a behavior sequence subset is the number of behavior identifiers it contains (excluding the connectors), e.g. the length of the subset 5&&6 is 2.
The importance degree of a behavior sequence subset in a behavior sequence class cluster can be calculated as follows:
$P_{jk} = A_{jk} \cdot \alpha + B_{j} \cdot \beta + C_{j} \cdot \gamma$
where $P_{jk}$ represents the importance degree of behavior sequence subset $j$ in behavior sequence class cluster $k$; $A_{jk}$ represents the second occurrence probability of subset $j$ in all behavior sequence class clusters; $B_{j}$ represents the first occurrence probability of subset $j$ in class cluster $k$; $C_{j}$ is the length of subset $j$; and $\alpha$, $\beta$ and $\gamma$ are preset constants with $\alpha < 0$ and $\beta > \gamma > 0$, for example $\alpha = -8$, $\beta = 12$, $\gamma = 2$. It can be seen that the importance degree of a behavior sequence subset is positively correlated with the first occurrence probability and negatively correlated with the second occurrence probability.
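Added example (not the patent's own code) for the pairwise-intersection subsets and their importance degree $P_{jk}$ described above, using the page's exemplary constants $\alpha = -8$, $\beta = 12$, $\gamma = 2$. The cluster contents are constructed. Following the definitions in the text, $A_{jk}$ is taken as the subset's occurrences across all clusters divided by the total number of subsets, $B_{j}$ as its occurrences in cluster $k$ divided by that cluster's number of subsets, and $C_{j}$ as the number of identifiers in the subset; the intersection of two sequences is taken as the identifiers common to both, kept in the first sequence's order.

```python
from collections import Counter
from itertools import combinations

# Constructed behavior sequence class clusters (cluster id -> member behavior feature
# sequences in the page's "&&" notation); not data from the patent.
CLUSTERS = {
    "k1": ["1&&2&&3&&5&&6", "5&&6&&7&&8", "2&&3&&4&&5&&6", "5&&6&&9&&10"],
    "k2": ["5&&6&&20", "20&&21", "5&&6&&20&&22"],
}
ALPHA, BETA, GAMMA = -8, 12, 2   # the page's exemplary constants (alpha < 0, beta > gamma > 0)


def intersect(a, b):
    """Behavior sequence subset of two sequences: identifiers common to both, in a's order."""
    present = set(b.split("&&"))
    return "&&".join(x for x in a.split("&&") if x in present)


def cluster_subsets(sequences):
    """Pairwise intersections of all sequences in one cluster, with occurrence counts."""
    counts = Counter()
    for a, b in combinations(sequences, 2):
        subset = intersect(a, b)
        if subset:  # an empty intersection is not a subset
            counts[subset] += 1
    return counts


def subset_importance(clusters):
    """P_jk = A_jk*alpha + B_j*beta + C_j*gamma for every (subset j, cluster k) pair.

    A_jk: occurrences of j in all clusters / total number of subsets in all clusters;
    B_j:  occurrences of j in cluster k / number of subsets in cluster k;
    C_j:  number of behavior identifiers in j (connectors excluded).
    """
    per_cluster = {k: cluster_subsets(seqs) for k, seqs in clusters.items()}
    global_counts = Counter()
    for counts in per_cluster.values():
        global_counts.update(counts)
    global_total = sum(global_counts.values())
    result = {}
    for k, counts in per_cluster.items():
        cluster_total = sum(counts.values())
        for subset, n in counts.items():
            A = global_counts[subset] / global_total
            B = n / cluster_total
            C = len(subset.split("&&"))
            result[(subset, k)] = A * ALPHA + B * BETA + C * GAMMA
    return result


def representative_sequences(clusters):
    """Sample behavior feature sequence of each cluster: its subset with the highest importance."""
    scores = subset_importance(clusters)
    best = {}
    for (subset, k), p in scores.items():
        if k not in best or p > scores[(best[k], k)]:
            best[k] = subset
    return best


if __name__ == "__main__":
    for (subset, k), p in sorted(subset_importance(CLUSTERS).items()):
        print(f"{k}: {subset:14s} P = {p:.3f}")
    print(representative_sequences(CLUSTERS))  # {'k1': '5&&6', 'k2': '5&&6&&20'}
```

In k1 the short subset 5&&6 wins because it dominates the cluster (5 of 6 intersections) even though it also appears in k2 and is penalised by the negative $\alpha$; in k2 the longer 5&&6&&20 wins over the more frequent 20 because the length term $\gamma$ and the lower global frequency outweigh the difference in in-cluster frequency. Representative subsets are then mapped to the cluster's anomaly type in the preset abnormal program library.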
In one embodiment of the present application, the above process may also be performed periodically, using sample programs of partly known and partly unknown exception types, to update the preset abnormal program library. For example, when the number of sample programs of unknown exception type reaches a certain number, the preset abnormal program library is updated by the above process.
In general, a preset abnormal program library is constructed from a plurality of sample programs with known exception types. In the embodiment of the application, however, the preset abnormal program library is constructed from a part of sample programs with known exception types and a part of programs with unknown exception types. This classifies the sample programs of unknown exception type at the same time, reduces the amount of sample programs with known exception types required to construct the preset abnormal program library, allows unknown data to be classified with a small amount of manually labeled data, reduces the manual labeling workload, and improves classification efficiency.
Fig. 4 schematically illustrates a system frame diagram of applying the preset exception library construction method provided in the embodiment of the present application, and as shown in fig. 4, the system includes an input module 410, a processing module 420, and an output module 430.
The input module 410 is configured to obtain a first sample behavior feature sequence (i.e., known samples) of a plurality of sample programs of known anomaly type and a second sample behavior feature sequence (i.e., unknown samples) of a plurality of sample programs of unknown anomaly type from a database. Wherein the database is a MySQL database. The input module 410 corresponds to step 510 in fig. 5.
The processing module 420 is configured to perform feature extraction, clustering and sample behavior feature sequence extraction on an unknown sample and a known sample, and specifically includes: a calculation unit 421, a clustering unit 422, an unknown data classification unit 423, and a feature matching unit 424.
The calculation unit 421 (corresponding to step 520 in fig. 5) is configured to calculate a locality sensitive hash value (simhash or minhash) of each sample, i.e., calculate a locality sensitive hash value of each known sample and a locality sensitive hash value of each unknown sample.
The clustering unit 422 (corresponding to step 530 in fig. 5) is configured to cluster the unknown samples according to their locality-sensitive hash values, to obtain a plurality of class clusters.
The unknown data classifying unit 423 (corresponding to step 540 in fig. 5) is configured to classify according to the clustering result of the unknown samples and the locality-sensitive hash values of the known samples, so as to obtain a plurality of behavior sequence class clusters. Alternatively, the clustering unit 422 and the unknown data classifying unit 423 may be combined (step 530 and step 540 in fig. 5 may be combined), and the unknown samples and the known samples are clustered together directly to obtain a plurality of behavior sequence class clusters.
The feature matching unit 424 (corresponding to step 550 in fig. 5) is configured to obtain a subset of the behavior sequences in the behavior sequence class cluster, and extract a sample behavior feature sequence of the behavior sequence class cluster according to the importance of the subset of the behavior sequences. Wherein the importance of the subset of the sequence of actions is determined based on the first probability of occurrence, the second probability of occurrence and the length of the subset of the sequence of actions.
The output module 430 (corresponding to step 560 and step 570 in fig. 5) is configured to output each behavior sequence class cluster whose anomaly type has been determined, together with its sample behavior feature sequence, thereby constructing the preset abnormal program library. When a behavior sequence class cluster exists whose anomaly type cannot be determined, that cluster is marked as an unknown class cluster and its data is stored in the database so that the anomaly type can be determined by other means.
Fig. 5 schematically illustrates a flowchart of a preset exception library construction method according to an embodiment of the present application, where, as shown in fig. 5, the method includes:
step 510, obtaining a plurality of behavior feature sequences, wherein the behavior feature sequences comprise a first sample behavior feature sequence and a second sample behavior feature sequence.
Specifically, the first sample behavior feature sequence is a sample behavior feature sequence of a sample program of a known anomaly type (i.e., a known sample), and the second sample behavior feature sequence is a sample behavior feature sequence of a sample program of an unknown anomaly type (i.e., an unknown sample).
Step 520, extracting a locally sensitive hash value of the behavior feature sequence.
In particular, the locality-sensitive hash value may be a simhash or a minhash, and one of the two is calculated for each sample behavior feature sequence. Note that the same function must be used for every sequence: either all sample behavior feature sequences are converted to simhash or all are converted to minhash, not some to simhash and the rest to minhash, since values produced by different hash functions cannot be compared with each other.
Step 530, clustering the behavior feature sequences according to their locality-sensitive hash values to obtain a plurality of behavior sequence class clusters.
Specifically, when clustering, the Hamming distance between the locality-sensitive hash values of two sample behavior feature sequences is calculated, and when the Hamming distance is smaller than the set threshold the two sample behavior feature sequences are considered to belong to the same behavior sequence class cluster (i.e. the same family).
Step 540, taking the abnormal type corresponding to the first sample behavior feature sequence in the behavior sequence cluster as the abnormal type of the behavior sequence cluster.
Specifically, the sample behavior feature sequences in the behavior sequence class cluster include three cases: only the first sample behavior feature sequence, the first sample behavior feature sequence and the second sample behavior feature sequence, and only the second sample behavior feature sequence. For the first two cases, steps 550 to 560 are performed, namely determining the abnormal type of the behavior sequence class cluster by the abnormal type of the first sample behavior feature sequence in the behavior sequence class cluster; for the last case, step 570 is performed, namely, marking the behavior sequence class cluster as an unknown class cluster, since the anomaly type of the second sample behavior feature sequence is unknown.
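As an added illustration of steps 520 to 540 (example code, not the patent's own), the following Python computes a simhash fingerprint for each behavior feature sequence, clusters sequences whose Hamming distance is below a threshold, and labels each cluster from its known-type members using the majority rule and the distance-to-cluster-centre tie-break that the apparatus embodiment later describes. The sample sequences, the 64-bit width, the threshold of 20, the use of unigram plus ordered-bigram features, and the per-bit-majority definition of the cluster centre are all assumptions made for this example.

```python
import hashlib
from collections import Counter

# Constructed sample data (not from the patent). Each sample: (id, behavior
# feature sequence of behavior identifiers in time order, known anomaly type
# or None when the type is unknown).
SAMPLES = [
    ("s1", ["B01", "B07", "B12", "B30", "B33", "B40", "B41", "B42"], "ransomware"),
    ("s2", ["B01", "B07", "B12", "B30", "B33", "B40", "B41", "B43"], "ransomware"),
    ("s3", ["B01", "B07", "B12", "B30", "B33", "B40", "B41", "B42"], None),
    ("s4", ["B50", "B51", "B52", "B53", "B54", "B55", "B56", "B57"], "miner"),
    ("s5", ["B50", "B51", "B52", "B53", "B54", "B55", "B56", "B58"], None),
    ("s6", ["B90", "B91", "B92"], None),
]

HASH_BITS = 64
THRESHOLD = 20   # assumed Hamming-distance threshold; the patent only says "set threshold"

def features(seq):
    """Assumption: hash unigrams plus ordered bigrams so that behavior order matters."""
    return list(seq) + [a + ">" + b for a, b in zip(seq, seq[1:])]

def simhash(seq, bits=HASH_BITS):
    """Simhash: every feature votes on each bit of a bits-wide fingerprint."""
    votes = [0] * bits
    for f in features(seq):
        h = int.from_bytes(hashlib.sha256(f.encode()).digest()[:bits // 8], "big")
        for i in range(bits):
            votes[i] += 1 if (h >> i) & 1 else -1
    fp = 0
    for i, v in enumerate(votes):
        if v > 0:
            fp |= 1 << i
    return fp

def hamming(a, b):
    """Number of differing bits between two fingerprints."""
    return bin(a ^ b).count("1")

def cluster(hashes, threshold=THRESHOLD):
    """Step 530 as single-linkage clustering: two samples whose distance is
    below the threshold share a cluster (union-find over all pairs)."""
    ids = list(hashes)
    parent = {i: i for i in ids}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for i in range(len(ids)):
        for j in range(i + 1, len(ids)):
            if hamming(hashes[ids[i]], hashes[ids[j]]) < threshold:
                parent[find(ids[i])] = find(ids[j])
    groups = {}
    for s in ids:
        groups.setdefault(find(s), []).append(s)
    return list(groups.values())

def bitwise_center(values, bits=HASH_BITS):
    """Assumed cluster centre: per-bit majority of the member fingerprints."""
    c = 0
    for i in range(bits):
        ones = sum((v >> i) & 1 for v in values)
        if ones * 2 > len(values):
            c |= 1 << i
    return c

def label_cluster(members, hashes, known):
    """Step 540: majority anomaly type among known members; a tie goes to the
    type of the known sample closest to the centre; None marks an unknown cluster."""
    counts = Counter(known[m] for m in members if known.get(m))
    if not counts:
        return None
    top = max(counts.values())
    tied = [t for t, n in counts.items() if n == top]
    if len(tied) == 1:
        return tied[0]
    centre = bitwise_center([hashes[m] for m in members])
    best = min((m for m in members if known.get(m) in tied),
               key=lambda m: (hamming(hashes[m], centre), m))
    return known[best]

def build_clusters(samples=SAMPLES):
    """Run steps 520 to 540 and return [(member ids, anomaly type or None), ...]."""
    hashes = {sid: simhash(seq) for sid, seq, _ in samples}
    known = {sid: typ for sid, _, typ in samples}
    return [(members, label_cluster(members, hashes, known)) for members in cluster(hashes)]

def cluster_of(sid, labelled):
    """Look up the (members, label) pair containing sample sid."""
    for members, label in labelled:
        if sid in members:
            return members, label
    return None

if __name__ == "__main__":
    for members, label in build_clusters():
        print(sorted(members), "->", label or "unknown cluster")
```

Samples with identical sequences always share a cluster (distance 0), while the threshold decides how much variation within a family is tolerated; raising it merges more variants but also raises the chance that unrelated families collapse into one cluster, which is why the patent keeps it a tunable preset.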
Step 550, intersecting the behavior feature sequences in the behavior sequence class clusters two by two to obtain a plurality of behavior sequence subsets corresponding to the behavior sequence class clusters, determining the importance degree of each behavior sequence subset in the behavior sequence class clusters, and taking the behavior sequence subset with the highest importance degree as a sample behavior feature sequence of the behavior sequence class clusters.
Specifically, the sample behavior feature sequences in the behavior sequence class cluster are intersected in pairs, and the intersection is a behavior sequence subset. The first occurrence probability of each behavior sequence subset in the behavior sequence class clusters, the second occurrence probability of the behavior sequence subset in all the behavior sequence class clusters and the length of the behavior sequence subset are determined. The importance of the subset of behavior sequences in the class of behavior sequences may then be determined by a weighted summation based on the first probability of occurrence, the second probability of occurrence, and the length of the subset of behavior sequences. And finally, taking the behavior sequence subset with the highest importance as a sample behavior characteristic sequence of the behavior sequence class cluster.
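The importance formula given earlier and the procedure of steps 550 to 570, worked as an added Python example rather than the patent's own code. The clusters, the cluster types and the intersection and containment rules (common identifiers kept in the order of the first sequence; a sequence contains a subset when it holds all of the subset's identifiers) are assumptions made for this example; the constants α = -8, β = 12 and γ = 2 are the patent's example values.

```python
from itertools import combinations

# Preset constants with the patent's example values: alpha < 0, beta > gamma > 0.
ALPHA, BETA, GAMMA = -8, 12, 2

# Constructed clusters (not from the patent): cluster id -> behavior feature
# sequences (lists of behavior identifiers in time order) assigned to it.
CLUSTERS = {
    "k1": [["B01", "B07", "B12", "B30"],
           ["B01", "B07", "B12", "B31"],
           ["B01", "B07", "B13", "B30"]],
    "k2": [["B01", "B50", "B51", "B52"],
           ["B50", "B51", "B52", "B53"]],
}
# Cluster anomaly types from step 540; None marks an unknown cluster (step 570).
CLUSTER_TYPES = {"k1": "ransomware", "k2": None}

def intersect(a, b):
    """Assumed intersection of two sequences: identifiers common to both, in the order of a."""
    common = set(a) & set(b)
    return tuple(x for x in a if x in common)

def contains(seq, subset):
    """Assumed containment: every identifier of the subset occurs in the sequence."""
    return set(subset) <= set(seq)

def subsets(sequences):
    """Step 550: pairwise intersections of the cluster's sequences."""
    out = set()
    for a, b in combinations(sequences, 2):
        s = intersect(a, b)
        if s:
            out.add(s)
    return out

def importance(subset, k, clusters=CLUSTERS):
    """P_jk = A_jk*alpha + B_j*beta + C_j*gamma with A = second occurrence
    probability (share of sequences in all clusters containing the subset),
    B = first occurrence probability (share of cluster k's sequences) and
    C = length of the subset."""
    in_k = clusters[k]
    everything = [s for seqs in clusters.values() for s in seqs]
    first_p = sum(contains(s, subset) for s in in_k) / len(in_k)
    second_p = sum(contains(s, subset) for s in everything) / len(everything)
    return ALPHA * second_p + BETA * first_p + GAMMA * len(subset)

def representative(k, clusters=CLUSTERS):
    """The subset with the highest importance becomes the cluster's sample behavior feature sequence."""
    cands = subsets(clusters[k])
    if not cands:
        return None
    return max(sorted(cands), key=lambda s: importance(s, k, clusters))

def build_library(clusters=CLUSTERS, types=CLUSTER_TYPES):
    """Steps 560 and 570: map representative sequence -> anomaly type for
    labelled clusters; keep the representatives of unknown clusters aside so
    they can be added once their type is determined."""
    library, unknown = {}, {}
    for k in clusters:
        rep = representative(k, clusters)
        if rep is None:
            continue
        if types.get(k) is None:
            unknown[k] = rep
        else:
            library["|".join(rep)] = types[k]
    return library, unknown

if __name__ == "__main__":
    for k in CLUSTERS:
        for s in sorted(subsets(CLUSTERS[k])):
            print(k, s, round(importance(s, k), 3))
    print(build_library())
```

With these weights the subset shared by every member of a cluster scores highest even though it is shorter, because the first occurrence probability term (β = 12) outweighs the length term (γ = 2); a subset that also appears in other clusters is pulled down by the negative α term.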
Step 560, a mapping relationship is established between the sample behavior feature sequences of each behavior sequence cluster and the abnormal types of the behavior sequence clusters, so as to form a preset abnormal program library.
Specifically, the sample behavior feature sequence of one behavior sequence class cluster is equivalent to a representative behavior feature sequence of an abnormal type, so that a mapping relationship is established between the sample behavior feature sequence of each behavior sequence class cluster and the abnormal type of the behavior sequence class cluster, and a preset abnormal program library can be formed.
Step 570, when the behavior sequence class cluster does not contain the first sample behavior feature sequence of the known abnormal type, marking the behavior sequence class cluster as an unknown class cluster.
In one embodiment of the present application, for a behavior sequence class cluster marked as an unknown class cluster, a sample behavior feature sequence of the cluster may also be extracted through step 550. In subsequent processing, once the anomaly type of such an unknown class cluster is determined, a mapping relationship can be established between the determined anomaly type and the corresponding sample behavior feature sequence and added to the preset abnormal program library, thereby expanding the data of the preset abnormal program library.
It should be noted that although the steps of the methods in the present application are depicted in the accompanying drawings in a particular order, this does not require or imply that the steps must be performed in that particular order, or that all illustrated steps be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform, etc.
The following describes an embodiment of an apparatus of the present application, which may be used to execute the method for detecting an abnormal program in the above-described embodiment of the present application. Fig. 6 schematically shows a block diagram of a detection apparatus for an abnormal program provided in an embodiment of the present application. As shown in fig. 6, the detection device of the abnormal program includes:
A program loading module 610, configured to load a program to be detected into a program execution simulation environment;
a data obtaining module 620, configured to obtain dynamic behavior data generated when the program to be detected runs in the program execution simulation environment, where the dynamic behavior data includes a plurality of operation behaviors;
the feature extraction module 630 is configured to determine at least one target operation behavior from a plurality of operation behaviors of the dynamic behavior data, and generate a behavior feature sequence of the program to be detected according to the at least one target operation behavior;
and the anomaly type determining module 640 is configured to determine whether the program to be detected is anomalous according to the behavior feature sequence.
In one embodiment of the present application, the feature extraction module 630 is specifically configured to:
matching each operation behavior contained in the dynamic behavior data in a preset operation behavior library to obtain at least one target operation behavior;
determining a behavior identifier of each target operation behavior in the at least one target operation behavior, and arranging the behavior identifiers according to the generation time of the corresponding target operation behaviors to generate a behavior feature sequence of the program to be detected.
In one embodiment of the present application, the anomaly type determination module 640 is specifically configured to:
and matching in a preset abnormal program library according to the behavior characteristic sequence, and determining whether the program to be detected is abnormal.
In one embodiment of the present application, the apparatus further comprises:
the sample data acquisition module is used for acquiring sample behavior data generated by a plurality of sample programs with known abnormal types during running;
the sample feature extraction module is used for extracting at least one sample operation behavior executed by the sample program from the sample behavior data and generating a sample behavior feature sequence of the sample program;
the abnormal feature library construction module is used for establishing a mapping relation between the sample behavior feature sequence of the sample program and the abnormal type of the sample program to form a preset abnormal program library.
In one embodiment of the present application, the sample feature extraction module includes:
an importance determining unit for extracting at least one sample operation behavior executed by the sample program from the sample behavior data, and determining an importance of each sample operation behavior in the sample behavior data;
and the sample characteristic extraction unit is used for selecting sample operation behaviors with importance degrees larger than a preset threshold value to form a sample behavior characteristic sequence of the sample program.
In one embodiment of the present application, the importance determining unit is specifically configured to:
determining a first importance of each sample operation behavior according to the occurrence times of each sample operation behavior in the sample behavior data;
determining a second importance of each sample operation behavior according to the occurrence times of each sample operation behavior in a preset behavior database;
and determining the importance of each sample operation behavior in the sample behavior data according to the first importance and the second importance.
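An added Python example (not the patent's own code) of the sample feature extraction just described: a first importance from occurrence counts within the sample, a second importance from occurrence counts in a preset behavior database, and a preset threshold that keeps only the important behaviors. The behavior database, the sample data, the threshold of 0.4, the inverse-frequency form of the second importance and the product used to combine the two importances are assumptions made for this example.

```python
import math
from collections import Counter

# Constructed preset behavior database (not from the patent): occurrence count
# of each operation behavior across a reference corpus of program runs.
BEHAVIOR_DATABASE = {
    "B01": 900, "B02": 800, "B05": 950,   # housekeeping behaviors seen in nearly every run
    "B07": 40, "B12": 15, "B30": 5,       # rarely seen behaviors
}

# Constructed sample behavior data (time-ordered operation behaviors) of sample
# programs with known anomaly types: (anomaly type, behaviors).
SAMPLES = [
    ("ransomware", ["B01", "B05", "B07", "B01", "B12", "B02", "B30", "B05", "B12"]),
]

PRESET_THRESHOLD = 0.4   # assumed importance threshold

def first_importance(sample):
    """First importance: relative frequency of each behavior inside the sample."""
    counts = Counter(sample)
    return {b: n / len(sample) for b, n in counts.items()}

def second_importance(behavior, database=BEHAVIOR_DATABASE):
    """Second importance from the preset behavior database. Assumption: inverse
    frequency weighting, so behaviors that almost every program performs are
    down-weighted and rare ones up-weighted."""
    total = sum(database.values())
    return math.log(total / (1 + database.get(behavior, 0)))

def behavior_importance(sample, database=BEHAVIOR_DATABASE):
    """Combined importance of each behavior (assumed product, as in TF-IDF)."""
    first = first_importance(sample)
    return {b: w * second_importance(b, database) for b, w in first.items()}

def sample_behavior_feature_sequence(sample, threshold=PRESET_THRESHOLD,
                                     database=BEHAVIOR_DATABASE):
    """Keep behaviors whose importance exceeds the threshold, ordered by
    their first occurrence in the sample (i.e. by generation time)."""
    imp = behavior_importance(sample, database)
    seen, seq = set(), []
    for b in sample:
        if imp[b] > threshold and b not in seen:
            seen.add(b)
            seq.append(b)
    return seq

def build_abnormal_library(samples=SAMPLES, threshold=PRESET_THRESHOLD):
    """Map each sample behavior feature sequence to its known anomaly type."""
    return {"|".join(sample_behavior_feature_sequence(data, threshold)): typ
            for typ, data in samples}

if __name__ == "__main__":
    for typ, data in SAMPLES:
        print(typ, behavior_importance(data))
    print(build_abnormal_library())
```

The effect of the second importance is that B01, which occurs twice in the sample, still drops out because it is ubiquitous in the reference database, while B30, seen once, is kept because it is rare; without the database term the sequence would be dominated by generic housekeeping behaviors.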
In one embodiment of the present application, the preset exception library includes a plurality of sample behavior feature sequences; the anomaly type determination module 640 includes:
the feature matching unit is used for matching the behavior feature sequence with each sample behavior feature sequence in a preset abnormal program library and determining whether the sample behavior feature sequence identical to the behavior feature sequence exists in the preset abnormal program library;
a normal program determining unit, configured to determine that the program to be detected is a normal program if the sample behavior feature sequence identical to the behavior feature sequence does not exist in the preset abnormal program library;
And the abnormality type determining unit is used for determining that the program to be detected is an abnormal program if the sample behavior feature sequence identical to the behavior feature sequence exists in the preset abnormality program library, and taking an abnormality type corresponding to the sample behavior feature sequence identical to the behavior feature sequence as the abnormality type of the program to be detected.
In one embodiment of the present application, the feature matching unit is specifically configured to:
performing character string matching on the behavior feature sequences and each sample behavior feature sequence in a preset abnormal program library;
and when the character string of the behavior feature sequence is completely consistent with the character string of the sample behavior feature sequence, determining that the sample behavior feature sequence is the same as the behavior feature sequence.
In one embodiment of the present application, the feature matching unit is specifically configured to:
extracting a first behavior feature of the behavior feature sequence and a second behavior feature of each sample behavior feature sequence in a preset abnormal program library;
determining the similarity of the first behavioral characteristics of the behavioral characteristic sequence and the second behavioral characteristics of each sample behavioral characteristic sequence;
And taking the sample behavior feature sequence corresponding to the maximum similarity as the sample behavior feature sequence identical to the behavior feature sequence.
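The detection side, as an added Python example rather than code from the patent: the dynamic behavior records are matched against a preset operation behavior library, the identifiers of the hits are ordered by generation time, and the resulting behavior feature sequence is first compared by exact string matching and then, if that fails, by similarity against each sample sequence. The operation behavior library, the sandbox records, the abnormal program library and the similarity floor of 0.8 (the patent takes the maximum similarity without a floor) are assumptions made for this example.

```python
from difflib import SequenceMatcher

# Constructed preset operation behavior library (not from the patent):
# operation behavior observed in the simulation environment -> behavior identifier.
OPERATION_LIBRARY = {
    "CreateFile": "B01",
    "WriteFile": "B02",
    "RegSetValue": "B07",
    "CreateRemoteThread": "B12",
    "DeleteShadowCopy": "B30",
}

# Constructed dynamic behavior data from one sandbox run: (timestamp, operation
# behavior). Deliberately out of time order to show the ordering step.
DYNAMIC_BEHAVIOR = [
    (1003, "RegSetValue"),
    (1001, "CreateFile"),
    (1002, "GetTickCount"),       # not in the library -> not a target operation behavior
    (1005, "DeleteShadowCopy"),
    (1004, "CreateRemoteThread"),
]

# Constructed preset abnormal program library: sample behavior feature sequence -> anomaly type.
ABNORMAL_LIBRARY = {
    "B01|B07|B12|B30": "ransomware",
    "B50|B51|B52": "miner",
}

def behavior_feature_sequence(dynamic_behavior, library=OPERATION_LIBRARY):
    """Match each operation behavior against the preset operation behavior
    library, keep the hits, and order their identifiers by generation time."""
    hits = [(ts, library[op]) for ts, op in dynamic_behavior if op in library]
    hits.sort(key=lambda t: t[0])
    return "|".join(ident for _, ident in hits)

def match_exact(seq, library=ABNORMAL_LIBRARY):
    """Character string matching: an identical sample sequence gives its anomaly type, else None."""
    return library.get(seq)

def match_similar(seq, library=ABNORMAL_LIBRARY, min_similarity=0.8):
    """Similarity matching on the identifier lists; the sample with the highest
    similarity is taken as the match. The min_similarity floor is an added
    assumption so that unrelated sequences are still reported as normal."""
    best_type, best_score = None, 0.0
    for sample, typ in library.items():
        score = SequenceMatcher(None, seq.split("|"), sample.split("|")).ratio()
        if score > best_score:
            best_type, best_score = typ, score
    return best_type if best_score >= min_similarity else None

def detect(dynamic_behavior):
    """Return (is_abnormal, anomaly_type) for one run of the program to be detected."""
    seq = behavior_feature_sequence(dynamic_behavior)
    typ = match_exact(seq)
    if typ is None:
        typ = match_similar(seq)
    return (typ is not None, typ)

if __name__ == "__main__":
    print(behavior_feature_sequence(DYNAMIC_BEHAVIOR), detect(DYNAMIC_BEHAVIOR))
```

Exact matching is cheap but brittle: a variant that drops one behavior no longer matches, which is the case the similarity path handles. The floor value is the knob a deployer tunes between missed variants and false positives on benign programs that happen to share a few behaviors with a known family.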
In one embodiment of the present application, the apparatus further comprises:
a sample feature sequence obtaining module, configured to obtain a plurality of first sample feature sequences extracted from sample behavior data generated by a sample program of a known anomaly type at runtime, and a plurality of second sample feature sequences extracted from sample behavior data generated by a sample program of an unknown anomaly type at runtime;
the sample clustering module is used for carrying out clustering processing on all the first sample behavior feature sequences and all the second sample behavior feature sequences to obtain a plurality of behavior sequence class clusters;
the class cluster type determining module is used for taking the abnormal type corresponding to the first sample behavior characteristic sequence in the behavior sequence class cluster as the abnormal type of the behavior sequence class cluster;
the abnormal program library construction module is used for establishing a mapping relation between the sample behavior characteristic sequences of each behavior sequence class cluster and the abnormal types of the behavior sequence class clusters to form a preset abnormal program library.
In one embodiment of the present application, the cluster type determining module is specifically configured to:
determining the number of first sample behavior feature sequences corresponding to each abnormal type in the behavior sequence class cluster;
and taking the abnormal type corresponding to the maximum value in the number as the abnormal type of the behavior sequence class cluster.
In one embodiment of the present application, the cluster-like type determining module is further configured to:
when the abnormal types corresponding to the maximum value in the number comprise at least two types, determining the distance from the first sample behavior feature sequence corresponding to each abnormal type to the cluster center of the behavior sequence cluster;
and taking the abnormal type corresponding to the minimum value in the distance as the abnormal type of the behavior sequence class cluster.
In one embodiment of the present application, the exception library construction module includes:
the behavior sequence subset generating unit is used for intersecting the behavior feature sequences in the behavior sequence class cluster two by two to obtain a plurality of behavior sequence subsets corresponding to the behavior sequence class cluster, wherein the behavior feature sequences in the behavior sequence class cluster comprise a first sample behavior feature sequence and a second sample behavior feature sequence;
The class cluster feature determining unit is used for determining the importance degree of each behavior sequence subset in the behavior sequence class cluster, and taking the behavior sequence subset with the highest importance degree as a sample behavior feature sequence of the behavior sequence class cluster;
the abnormal program library construction unit is used for establishing a mapping relation between the sample behavior characteristic sequences of each behavior sequence class cluster and the abnormal types of the behavior sequence class clusters to form a preset abnormal program library.
In one embodiment of the present application, the cluster-like feature determining unit is specifically configured to:
determining a first occurrence probability of the behavior sequence subset in the behavior sequence class cluster, a second occurrence probability of the behavior sequence subset in all behavior sequence class clusters and the length of the behavior sequence subset;
and determining importance of the behavior sequence subset in the behavior sequence class cluster according to the first occurrence probability, the second occurrence probability and the length of the behavior sequence subset.
Specific details of the detection device for abnormal programs provided in the embodiments of the present application have been described in detail in the corresponding method embodiments, and are not described herein again.
Fig. 7 schematically shows a block diagram of a computer system for implementing an electronic device according to an embodiment of the present application.
It should be noted that, the computer system 700 of the electronic device shown in fig. 7 is only an example, and should not impose any limitation on the functions and the application scope of the embodiments of the present application.
As shown in fig. 7, the computer system 700 includes a central processing unit 701 (Central Processing Unit, CPU) which can execute various appropriate actions and processes according to a program stored in a Read-Only Memory 702 (ROM) or a program loaded from a storage section 708 into a random access Memory 703 (Random Access Memory, RAM). In the random access memory 703, various programs and data necessary for the system operation are also stored. The central processing unit 701, the read only memory 702, and the random access memory 703 are connected to each other via a bus 704. An Input/Output interface 705 (i.e., an I/O interface) is also connected to bus 704.
The following components are connected to the input/output interface 705: an input section 706 including a keyboard, a mouse, and the like; an output section 707 including a Cathode Ray Tube (CRT), a liquid crystal display (Liquid Crystal Display, LCD), and the like, a speaker, and the like; a storage section 708 including a hard disk or the like; and a communication section 709 including a network interface card such as a local area network card, a modem, or the like. The communication section 709 performs communication processing via a network such as the internet. The drive 710 is also connected to the input/output interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that a computer program read therefrom is mounted into the storage section 708 as necessary.
In particular, according to embodiments of the present application, the processes described in the various method flowcharts may be implemented as computer software programs. For example, embodiments of the present application include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network via the communication portion 709, and/or installed from the removable medium 711. The computer programs, when executed by the central processor 701, perform the various functions defined in the system of the present application.
It should be noted that, the computer readable medium shown in the embodiments of the present application may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-Only Memory (ROM), an erasable programmable read-Only Memory (Erasable Programmable Read Only Memory, EPROM), flash Memory, an optical fiber, a portable compact disc read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present application, however, a computer-readable signal medium may include a data signal that propagates in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. 
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functions of two or more modules or units described above may be embodied in one module or unit, in accordance with embodiments of the present application. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a usb disk, a mobile hard disk, etc.) or on a network, and includes several instructions to cause a computing device (may be a personal computer, a server, a touch terminal, or a network device, etc.) to perform the method according to the embodiments of the present application.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the application following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the application pertains.
It is to be understood that the present application is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (17)

1. A method for detecting an abnormal program, comprising:
loading a program to be detected into a program execution simulation environment;
acquiring dynamic behavior data generated when the program to be detected runs in the program execution simulation environment, wherein the dynamic behavior data comprises a plurality of operation behaviors;
determining at least one target operation behavior from a plurality of operation behaviors of the dynamic behavior data, and generating a behavior feature sequence of the program to be detected according to the at least one target operation behavior;
and determining whether the program to be detected is abnormal or not according to the behavior characteristic sequence.
2. The method according to claim 1, wherein determining at least one target operation behavior from a plurality of operation behaviors of the dynamic behavior data, and generating the behavior feature sequence of the program to be detected based on the at least one target operation behavior, comprises:
matching each operation behavior contained in the dynamic behavior data in a preset operation behavior library to obtain at least one target operation behavior;
determining a behavior identifier of each target operation behavior in the at least one target operation behavior, and arranging the behavior identifiers according to the generation time of the corresponding target operation behaviors to generate a behavior feature sequence of the program to be detected.
3. The method according to claim 1, wherein determining whether the program to be detected is abnormal according to the behavior feature sequence comprises:
and matching in a preset abnormal program library according to the behavior characteristic sequence, and determining whether the program to be detected is abnormal.
4. The method for detecting an abnormal program according to claim 3, wherein before matching in a preset abnormal program library according to the behavior feature sequence, determining whether the program to be detected is abnormal, the method further comprises:
acquiring sample behavior data generated by a plurality of sample programs with known exception types during running;
extracting at least one sample operation behavior executed by the sample program from the sample behavior data, and generating a sample behavior feature sequence of the sample program;
and establishing a mapping relation between the sample behavior characteristic sequence of the sample program and the abnormal type of the sample program to form a preset abnormal program library.
5. The method of detecting an abnormal program according to claim 4, wherein extracting at least one sample operation behavior performed by the sample program from the sample behavior data, generating a sample behavior feature sequence of the sample program, comprises:
Extracting at least one sample operation behavior executed by the sample program from the sample behavior data, and determining importance of each sample operation behavior in the sample behavior data;
and selecting sample operation behaviors with importance greater than a preset threshold value to form a sample behavior feature sequence of the sample program.
6. The method of detecting an abnormal program according to claim 5, wherein determining the importance of each sample operation behavior in the sample behavior data comprises:
determining a first importance of each sample operation behavior according to the occurrence times of each sample operation behavior in the sample behavior data;
determining a second importance of each sample operation behavior according to the occurrence times of each sample operation behavior in a preset behavior database;
and determining the importance of each sample operation behavior in the sample behavior data according to the first importance and the second importance.
7. The method for detecting an abnormal program according to claim 3, wherein the preset abnormal program library comprises a plurality of sample behavior feature sequences, and matching the behavior feature sequence in the preset abnormal program library to determine whether the program to be detected is abnormal comprises:
matching the behavior feature sequence against each sample behavior feature sequence in the preset abnormal program library, and determining whether a sample behavior feature sequence identical to the behavior feature sequence exists in the preset abnormal program library;
if no sample behavior feature sequence identical to the behavior feature sequence exists in the preset abnormal program library, determining that the program to be detected is a normal program;
if a sample behavior feature sequence identical to the behavior feature sequence exists in the preset abnormal program library, determining that the program to be detected is an abnormal program, and taking the abnormal type corresponding to that identical sample behavior feature sequence as the abnormal type of the program to be detected.
8. The method for detecting an abnormal program according to claim 7, wherein matching the behavior feature sequence with each sample behavior feature sequence in a preset abnormal program library comprises:
performing string matching between the behavior feature sequence and each sample behavior feature sequence in the preset abnormal program library;
and when the string of the behavior feature sequence is identical to the string of a sample behavior feature sequence, determining that that sample behavior feature sequence is the same as the behavior feature sequence.
9. The method for detecting an abnormal program according to claim 7, wherein matching the behavior feature sequence with each sample behavior feature sequence in a preset abnormal program library comprises:
extracting a first behavior feature of the behavior feature sequence and a second behavior feature of each sample behavior feature sequence in a preset abnormal program library;
determining the similarity between the first behavior feature of the behavior feature sequence and the second behavior feature of each sample behavior feature sequence;
and taking the sample behavior feature sequence with the maximum similarity as the sample behavior feature sequence identical to the behavior feature sequence.
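Claims 5 to 9 together describe building a feature sequence from importance-weighted behaviors and then matching it against the library. The following Python is an added example, not code from the patent or from the applicant; it assumes a TF-IDF-style product for combining the two importances of claim 6, one entry per distinct behavior in the sequence, a minimum similarity before a non-exact match counts as abnormal, and constructed behavior names, counts and library entries.

```python
from collections import Counter
from math import log

# Constructed background: occurrence counts of each operation behavior in the
# "preset behavior database" of claim 6. Names and counts are illustrative only.
BACKGROUND = Counter({"open_file": 900, "read_file": 800, "net_connect": 300,
                      "set_autostart": 20, "encrypt_file": 5, "delete_backup": 2})

# Constructed library (claim 4): feature sequence joined with "|" -> abnormal type.
LIBRARY = {"encrypt_file|delete_backup|set_autostart": "ransomware",
           "net_connect|set_autostart": "trojan"}

def importance(behavior, sample_counts, sample_len, background):
    # Claim 6: first importance = frequency in this sample's behavior data, second
    # = inverse frequency in the preset database; the product is an assumption.
    first = sample_counts[behavior] / sample_len
    second = log(sum(background.values()) / (1 + background[behavior]))
    return first * second

def feature_sequence(behaviors, background, threshold):
    # Claim 5: keep the behaviors whose importance exceeds the preset threshold.
    # One entry per distinct behavior, in first-seen order (assumption).
    counts = Counter(behaviors)
    kept = [b for b in behaviors
            if importance(b, counts, len(behaviors), background) > threshold]
    return list(dict.fromkeys(kept))

def jaccard(a, b):
    sa, sb = set(a), set(b)
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0

def match(sequence, library, min_similarity=0.5):
    # Claims 7-9: exact string match (claim 8), else the most similar library entry
    # (claim 9). Requiring min_similarity for a non-exact match is an assumption.
    key = "|".join(sequence)
    if key in library:
        return library[key], 1.0
    best = max(library, key=lambda k: jaccard(sequence, k.split("|")))
    best_sim = jaccard(sequence, best.split("|"))
    if best_sim >= min_similarity:
        return library[best], best_sim
    return "normal", best_sim

if __name__ == "__main__":
    # Constructed runtime behaviors of a program under test.
    sample = ["open_file", "read_file", "encrypt_file", "open_file", "read_file",
              "encrypt_file", "delete_backup", "set_autostart"]
    seq = feature_sequence(sample, BACKGROUND, threshold=0.5)
    print(seq, match(seq, LIBRARY))
```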
10. The method for detecting an abnormal program according to claim 3, wherein before matching the behavior feature sequence in the preset abnormal program library to determine whether the program to be detected is abnormal, the method further comprises:
acquiring a plurality of first sample behavior feature sequences extracted from sample behavior data generated at runtime by sample programs of a known abnormal type, and a plurality of second sample behavior feature sequences extracted from sample behavior data generated at runtime by sample programs of an unknown abnormal type;
clustering all the first sample behavior feature sequences and all the second sample behavior feature sequences to obtain a plurality of behavior sequence class clusters;
taking the abnormal type corresponding to a first sample behavior feature sequence in the behavior sequence class cluster as the abnormal type of the behavior sequence class cluster;
and establishing a mapping relation between the sample behavior feature sequence of each behavior sequence class cluster and the abnormal type of that behavior sequence class cluster to form a preset abnormal program library.
11. The method for detecting an abnormal program according to claim 10, wherein taking the abnormal type corresponding to a first sample behavior feature sequence in the behavior sequence class cluster as the abnormal type of the behavior sequence class cluster comprises:
determining the number of first sample behavior feature sequences corresponding to each abnormal type in the behavior sequence class cluster;
and taking the abnormal type with the largest such number as the abnormal type of the behavior sequence class cluster.
12. The method for detecting an abnormal program according to claim 11, wherein the method further comprises:
when at least two abnormal types share the largest such number, determining the distance from the first sample behavior feature sequences corresponding to each of those abnormal types to the cluster center of the behavior sequence class cluster;
and taking the abnormal type corresponding to the minimum distance as the abnormal type of the behavior sequence class cluster.
13. The method for detecting an abnormal program according to claim 10, wherein establishing a mapping relation between a sample behavior feature sequence of each behavior sequence class cluster and an abnormal type of the behavior sequence class cluster to form a preset abnormal program library comprises:
pairwise intersecting the behavior feature sequences in the behavior sequence class cluster to obtain a plurality of behavior sequence subsets corresponding to the behavior sequence class cluster, wherein the behavior feature sequences in the behavior sequence class cluster comprise the first sample behavior feature sequences and the second sample behavior feature sequences;
determining the importance of each behavior sequence subset in the behavior sequence class cluster, and taking the behavior sequence subset with the highest importance as the sample behavior feature sequence of the behavior sequence class cluster;
and establishing a mapping relation between the sample behavior feature sequence of each behavior sequence class cluster and the abnormal type of that behavior sequence class cluster to form a preset abnormal program library.
14. The method of claim 13, wherein determining the importance of each subset of behavior sequences in the behavior sequence class cluster comprises:
determining a first occurrence probability of the behavior sequence subset in the behavior sequence class cluster, a second occurrence probability of the behavior sequence subset across all behavior sequence class clusters, and the length of the behavior sequence subset;
and determining importance of the behavior sequence subset in the behavior sequence class cluster according to the first occurrence probability, the second occurrence probability and the length of the behavior sequence subset.
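Claims 11 to 14 describe labelling each cluster and choosing its representative behavior sequence. The following Python is an added example, not the patent's or the applicant's code; it assumes the clusters have already been formed (the clustering step of claim 10 is not shown), a cluster center given by the behaviors present in more than half of the members, Jaccard distance, the scoring rule p1 * (1 - p2) * length for claim 14, and constructed sequences and type names.

```python
from collections import Counter
from itertools import combinations

# Constructed output of the clustering step (claim 10): (feature sequence, known
# abnormal type or None). Behavior and type names are illustrative only.
CLUSTERS = [
    [(["encrypt_file", "delete_backup", "set_autostart"], "ransomware"),
     (["encrypt_file", "delete_backup", "net_connect", "read_file"], "ransomware"),
     (["delete_backup", "overwrite_file", "set_autostart"], "wiper"),
     (["overwrite_file", "delete_backup"], "wiper"),
     (["encrypt_file", "delete_backup"], None)],
    [(["net_connect", "set_autostart", "read_file"], "trojan"),
     (["net_connect", "set_autostart"], "trojan"),
     (["net_connect", "read_file"], None)],
]

def jaccard_distance(a, b):
    return 1.0 - len(set(a) & set(b)) / len(set(a) | set(b))

def cluster_center(cluster):
    # Assumed center representation: behaviors present in more than half of
    # the members (the claims do not say how the center is represented).
    counts = Counter(b for seq, _ in cluster for b in set(seq))
    return {b for b, n in counts.items() if n > len(cluster) / 2}

def cluster_type(cluster):
    # Claim 11: majority vote over the labelled (first sample) sequences;
    # claim 12: on a tie, the type with a sequence closest to the center.
    votes = Counter(t for _, t in cluster if t is not None)
    if not votes:
        return None  # cluster holds only unlabelled samples: type unknown
    tied = [t for t, n in votes.items() if n == max(votes.values())]
    if len(tied) == 1:
        return tied[0]
    center = cluster_center(cluster)
    return min(tied, key=lambda t: min(jaccard_distance(s, center)
                                       for s, typ in cluster if typ == t))

def representative_subset(cluster, clusters):
    # Claim 13: pairwise intersections (ordered as in the first sequence) are the
    # candidate subsets. Claim 14: score by occurrence probability in this cluster
    # (p1), in all clusters (p2) and length; p1 * (1 - p2) * len is an assumption.
    subsets = {tuple(b for b in x if b in set(y))
               for (x, _), (y, _) in combinations(cluster, 2)}
    everyone = [s for c in clusters for s, _ in c]
    def score(sub):
        p1 = sum(set(sub) <= set(s) for s, _ in cluster) / len(cluster)
        p2 = sum(set(sub) <= set(s) for s in everyone) / len(everyone)
        return p1 * (1 - p2) * len(sub)
    return max(subsets, key=score)
```

Mapping `"|".join(representative_subset(c, CLUSTERS))` to `cluster_type(c)` for each cluster gives the library of claim 13 in the same form as the exact-match lookup of claim 8.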
15. An apparatus for detecting an abnormal program, comprising:
the program loading module is used for loading the program to be detected into the program execution simulation environment;
the data acquisition module is used for acquiring dynamic behavior data generated when the program to be detected runs in the program execution simulation environment, wherein the dynamic behavior data comprises a plurality of operation behaviors;
the feature extraction module is used for determining at least one target operation behavior from a plurality of operation behaviors of the dynamic behavior data and generating a behavior feature sequence of the program to be detected according to the at least one target operation behavior;
and the abnormality type determining module is used for determining whether the program to be detected is abnormal or not according to the behavior feature sequence.
16. A computer-readable medium, on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the method for detecting an abnormal program according to any one of claims 1 to 14.
17. An electronic device, comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein execution of the executable instructions by the processor causes the electronic device to perform the method of detecting an abnormal program of any one of claims 1 to 14.
CN202210010081.8A 2022-01-05 2022-01-05 Abnormal program detection method and device, readable medium and electronic equipment Pending CN116451218A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210010081.8A CN116451218A (en) 2022-01-05 2022-01-05 Abnormal program detection method and device, readable medium and electronic equipment

Publications (1)

Publication Number Publication Date
CN116451218A true CN116451218A (en) 2023-07-18

Family

ID=87120679

Country Status (1)

Country Link
CN (1) CN116451218A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code (ref country code: HK; ref legal event code: DE; ref document number: 40090969; country of ref document: HK)