CN116707866A - Malicious process detection method and device - Google Patents


Info

Publication number: CN116707866A
Application number: CN202310520391.9A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 戈龙颜, 冯顾
Assignee (current and original): Qianxin Technology Group Co Ltd
Prior art keywords: behavior, event, malicious, judging, detected

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1425: Traffic logging, e.g. anomaly detection

Abstract

The application provides a malicious process detection method and device. The method comprises the following steps: acquiring event information corresponding to a plurality of behavior events of a process to be detected; acquiring a preset judging rule for determining a malicious process event, where the judging rule comprises judging information for each behavior event corresponding to the malicious process; association-matching the event information of each behavior event against the judging information defined in the judging rule to obtain a detection result for each behavior event; and judging, according to the detection results of the behavior events, whether the process to be detected is a malicious process. By detecting a plurality of behavior events of a process in association with one another, the method greatly reduces both missed detections and false alarms and effectively improves the accuracy of malicious process detection.

Description

Malicious process detection method and device
Technical Field
The application relates to the technical field of network security, in particular to a malicious process detection method and device. In addition, the application also relates to an electronic device and a processor readable storage medium.
Background
In recent years, with the rapid development of internet technology, more and more malicious programs exist on the network. These continuously growing malicious programs perform a great many malicious operations on an infected computer in order to monitor users, spread viruses and other malware, and so on, and the harm is great. At present a malicious process usually combines a plurality of behavior events to form an effective attack, and each behavior event on its own is likely to have no explicit and fixed malicious features; but the existing malicious process behavior detection function cannot perform associated detection and malicious analysis across the plurality of behavior events of a process, so the false alarm rate is higher and the recognition accuracy is lower.
Disclosure of Invention
Therefore, the application provides a malicious process detection method and device, which are used for solving the defects of higher false alarm rate and poorer accuracy of a malicious process detection scheme in the prior art.
In a first aspect, the present application provides a malicious process detection method, including:
acquiring event information corresponding to a plurality of behavior events of a process to be detected;
acquiring a preset judging rule for determining a malicious process event; wherein the judging rule comprises judging information of each behavior event corresponding to the malicious process respectively;
respectively carrying out association matching on event information corresponding to the behavior events and judgment information defined in the judgment rules to obtain detection results of the behavior events; and judging whether the process to be detected is a malicious process or not according to the detection results of the behavior events.
Further, the performing association matching on the event information corresponding to the plurality of behavior events and the determination information defined in the determination rule to obtain detection results of the plurality of behavior events specifically includes: if the plurality of behavior events of the process to be detected comprise network connection behavior events, performing association matching on a process name corresponding to the network connection behavior event and a first process name field defined in the judging information, if the association matching is successful, performing association matching on a network address corresponding to the network connection behavior event and a first network address defined in the judging information, and if the association matching is successful, determining that the network connection behavior event is a suspected malicious behavior event;
if the plurality of behavior events of the process to be detected comprise file writing behavior events, performing association matching on a process name corresponding to the file writing behavior events and a second process name field defined in the judging information, if the association matching is successful, performing association matching on a file writing path corresponding to the file writing behavior events and a file path defined in the judging information, and if the association matching is successful, determining that the file writing behavior events are suspected malicious behavior events;
if the plurality of behavior events of the process to be detected comprise execution program behavior events, performing association matching on a process name corresponding to the execution program behavior event and a third process name field defined in the judging information, if the association matching is successful, performing association matching on an execution program path corresponding to the execution program behavior event and a program path defined in the judging information, and if the association matching is successful, determining that the execution program behavior event is a suspected malicious behavior event.
Further, the determining, according to the detection results of the plurality of behavior events, whether the process to be detected is a malicious process specifically includes: determining a quantized value corresponding to the process to be detected according to the detection results of the behavior events; the quantized value is used for representing the number of suspected malicious behavior events in the process to be detected; judging the process to be detected as a malicious process under the condition that the quantized value is equal to or larger than a preset quantized threshold value; and under the condition that the quantized value is smaller than a preset quantized threshold value, judging the process to be detected as a non-malicious process.
Further, after obtaining the detection results of the plurality of behavior events, the method further includes:
identifying an identifier of the process to be detected; based on the identifier of the process to be detected, constructing a corresponding context structure, recording suspected malicious behavior events in the detection result into the context structure, and judging the process to be detected as a malicious process when the suspected malicious behavior events in the context structure meet all events corresponding to the judging rule.
Further, before performing association matching on the event information corresponding to the plurality of behavior events and the determination information defined in the determination rule, the method further includes:
judging event types corresponding to the event information corresponding to the behavior events respectively, and determining judging information for carrying out association matching in the judging rule based on the event types; wherein the event type includes at least one of a network connection behavior event, a write file behavior event, and an execute program behavior event.
Further, after recording the suspected malicious behavior event in the detection result into the context structure, the method further includes: deleting the context structure when the process to be detected reaches the end of its run period or exits.
Further, after determining that the process to be detected is a malicious process, the method further includes:
generating alarm prompt information for indicating that the process to be detected is a malicious process, and sending the alarm prompt information to corresponding terminal equipment.
In a second aspect, the present application further provides a malicious process detection apparatus, including:
the behavior event information acquisition unit is used for acquiring event information corresponding to a plurality of behavior events of the process to be detected;
the judging rule acquisition unit is used for acquiring a preset judging rule for determining a malicious process event; wherein the judging rule comprises judging information of each behavior event corresponding to the malicious process respectively;
the malicious process detection unit is used for respectively carrying out association matching on event information corresponding to the behavior events and judgment information defined in the judgment rules to obtain detection results of the behavior events; and judging whether the process to be detected is a malicious process or not according to the detection results of the behavior events.
Further, the malicious process detection unit is specifically configured to: if the plurality of behavior events of the process to be detected comprise network connection behavior events, performing association matching on a process name corresponding to the network connection behavior event and a first process name field defined in the judging information, if the association matching is successful, performing association matching on a network address corresponding to the network connection behavior event and a first network address defined in the judging information, and if the association matching is successful, determining that the network connection behavior event is a suspected malicious behavior event;
if the plurality of behavior events of the process to be detected comprise file writing behavior events, performing association matching on a process name corresponding to the file writing behavior events and a second process name field defined in the judging information, if the association matching is successful, performing association matching on a file writing path corresponding to the file writing behavior events and a file path defined in the judging information, and if the association matching is successful, determining that the file writing behavior events are suspected malicious behavior events;
if the plurality of behavior events of the process to be detected comprise execution program behavior events, performing association matching on a process name corresponding to the execution program behavior event and a third process name field defined in the judging information, if the association matching is successful, performing association matching on an execution program path corresponding to the execution program behavior event and a program path defined in the judging information, and if the association matching is successful, determining that the execution program behavior event is a suspected malicious behavior event.
Further, the malicious process detection unit is specifically configured to: determining a quantized value corresponding to the process to be detected according to the detection results of the behavior events; the quantized value is used for representing the number of suspected malicious behavior events in the process to be detected; judging the process to be detected as a malicious process under the condition that the quantized value is equal to or larger than a preset quantized threshold value; and under the condition that the quantized value is smaller than a preset quantized threshold value, judging the process to be detected as a non-malicious process.
Further, the apparatus further includes:
a context structure construction unit, configured to identify an identifier of the process to be detected after the detection results of the plurality of behavior events are obtained; based on the identifier of the process to be detected, constructing a corresponding context structure, recording suspected malicious behavior events in the detection result into the context structure, and judging the process to be detected as a malicious process when the suspected malicious behavior events in the context structure cover all events defined by the judging rule.
Further, the apparatus further includes:
a judging information determining unit, configured, before association matching of the event information corresponding to the plurality of behavior events against the judging information defined in the judging rule, to determine the event type of each behavior event from its event information and to select, based on that event type, the judging information in the judging rule to be used for association matching; wherein the event type includes at least one of a network connection behavior event, a write file behavior event, and an execute program behavior event.
Further, the apparatus further includes: a context structure destroying unit, configured to delete the context structure when the process to be detected reaches the end of its run period or exits.
Further, the apparatus further includes:
an alarm prompting unit, configured, after the process to be detected is determined to be a malicious process, to generate alarm prompting information indicating that the process to be detected is a malicious process and to send the alarm prompting information to the corresponding terminal equipment.
In a third aspect, the present application also provides an electronic device, including: memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the malicious process detection method according to any one of the above described methods when executing the computer program.
In a fourth aspect, the present application also provides a processor-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of a malicious process detection method as described in any one of the above.
According to the malicious process detection method, event information corresponding to a plurality of behavior events of a process to be detected and a preset judgment rule for determining the malicious process event are obtained; the event information of each behavior event is association-matched against the judgment information defined in the judgment rule to obtain the detection results of the plurality of behavior events; and whether the process to be detected is a malicious process is judged according to those detection results. By detecting a plurality of behavior events of the process in association with one another, missed detections and false alarms can be greatly reduced, and the accuracy of malicious process detection is effectively improved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the following description will briefly describe the drawings that are required to be used in the embodiments or the prior art, and it is obvious that the drawings in the following description are some embodiments of the present application, and other drawings may be obtained according to these drawings without any inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a malicious process detection method provided by an embodiment of the present application;
FIG. 2 is a complete flow diagram of a malicious process detection method according to an embodiment of the present application;
FIG. 3 is a schematic structural diagram of a malicious process detection device according to an embodiment of the present application;
FIG. 4 is a schematic diagram of an entity structure of an electronic device according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments of the present application. All other embodiments, which are derived by a person skilled in the art from the embodiments according to the application without creative efforts, fall within the protection scope of the application.
It should be noted that the terms "first," "second," and the like in the description of the present application and the above-described figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate, such that the embodiments of the application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Embodiments of the present application will be described in detail below based on a malicious process detection method. As shown in fig. 1, a flow chart of a malicious process detection method provided by an embodiment of the present application includes the following steps:
step 101: event information corresponding to a plurality of behavior events of a process to be detected is obtained.
Specifically, a process is a program running in the operating system. When the process issues a system call, the processor switches to kernel mode and starts executing a kernel function; the kernel function is responsible for serving the application program's requests, such as operating on files, performing network communication or requesting memory resources. Each process is a dynamic entity and the basic unit of program execution, namely one execution of the program; a process is an instance of a particular program. Malicious processes often combine multiple behaviors to form an effective malicious attack. The process to be detected may include a plurality of behavior events (i.e. process events), which can be divided by event type (i.e. the type of process event) and may include at least one of a network connection behavior event, a file writing behavior event and an execution program behavior event.
In this step, the event information corresponding to the plurality of behavior events may include information of the network connection behavior event, information of the write file behavior event, information of the execution program behavior event, and the like. The information of the network connection behavior event comprises a process name corresponding to the network connection behavior event and a network address corresponding to the network connection behavior event; the network address corresponding to the network connection behavior event is an opposite end network address, and comprises a source network address and a destination network address of the network connection behavior event; the information of the file writing behavior event comprises a process name corresponding to the file writing behavior event and a file writing path corresponding to the file writing behavior event; the information of the execution program behavior event comprises a process name corresponding to the execution program behavior event and an execution program path corresponding to the execution program behavior event.
Step 102: acquiring a preset judging rule for determining a malicious process event; the judging rule comprises judging information of each behavior event corresponding to the malicious process respectively.
Specifically, the malicious process event may refer to an abnormal behavior event among the plurality of behavior events of the process to be detected, that is, a behavior event that can be matched with the judging information in the judging rule. If the behavior event is a network connection behavior event, the judging information in the judging rule includes a defined first process name field and a defined first network address. If the behavior event is a file writing behavior event, the judging information in the judging rule includes a defined second process name field and a defined file path. If the behavior event is an execution program behavior event, the judging information in the judging rule includes a defined third process name field and a defined program path.
In the embodiment of the present application, a rule base storing the judging rules needs to be obtained in advance, before this step. Each rule in the rule base (i.e. each judging rule) defines the judging information for a plurality of behavior events of a malicious process. In the actual implementation, by reading the judging rule, the event information corresponding to each of the plurality of behavior events of the process to be detected can be matched against the judging information of the corresponding behavior event in the judging rule.
Step 103: respectively carrying out association matching on event information corresponding to the behavior events and judgment information defined in the judgment rules to obtain detection results of the behavior events; and judging whether the process to be detected is a malicious process or not according to the detection results of the behavior events.
In the implementation of this step, if the plurality of behavior events of the process to be detected include a network connection behavior event, the process name corresponding to the network connection behavior event is association-matched against the first process name field defined in the judgment information; if that matches, the network address corresponding to the network connection behavior event is association-matched against the first network address defined in the judgment information; and if that also matches, the network connection behavior event is determined to be a suspected malicious behavior event. And/or, if the plurality of behavior events of the process to be detected include a file writing behavior event, the process name corresponding to the file writing behavior event is association-matched against the second process name field defined in the judging information; if that matches, the file writing path corresponding to the file writing behavior event is association-matched against the file path defined in the judging information; and if that also matches, the file writing behavior event is determined to be a suspected malicious behavior event. And/or, if the plurality of behavior events of the process to be detected include an execution program behavior event, the process name corresponding to the execution program behavior event is association-matched against the third process name field defined in the judging information; if that matches, the execution program path corresponding to the execution program behavior event is association-matched against the program path defined in the judging information; and if that also matches, the execution program behavior event is determined to be a suspected malicious behavior event.
It should be noted that, in the embodiment of the present application, association matching means checking whether the compared fields are identical or whether their similarity meets a preset threshold; it may also be implemented as pattern matching with a regular expression, which is not limited herein.
As shown in FIG. 2, before association matching of the event information corresponding to the plurality of behavior events against the judging information defined in the judging rule, the method further includes: determining the event type of each behavior event from its event information, and selecting, based on that event type, the judging information in the judging rule to be used for association matching; wherein the event type includes at least one of a network connection behavior event, a write file behavior event and an execute program behavior event. It should be noted that, after the detection results of the plurality of behavior events are obtained, the method further includes: identifying the identifier of the process to be detected; constructing a corresponding context structure based on that identifier; recording the suspected malicious behavior events in the detection results into the context structure; and judging the process to be detected to be a malicious process when the suspected malicious behavior events in the context structure cover all the events defined by the judging rule. After recording the suspected malicious behavior events in the detection results into the context structure, the method further includes deleting the context structure when the process to be detected reaches the end of its run period or exits. The identifier of the process to be detected is the process identification number (process ID) in the operating system; each time a program is started in the operating system, a process identification number, i.e. a PID, is assigned to it.
Further, a quantized value corresponding to the process to be detected is determined according to the detection results of the behavior events; the process to be detected is determined to be a malicious process when the quantized value is equal to or greater than a preset quantized threshold, and to be a non-malicious process when the quantized value is less than the preset quantized threshold. The quantized value represents the number of suspected malicious behavior events in the process to be detected. For example, if the network connection behavior event is determined to be a suspected malicious behavior event, it is recorded in the context structure and the quantized value is recorded as 1; further, if the write file behavior event is also determined to be a suspected malicious behavior event, it is also recorded in the context structure and 1 is added to the quantized value, so that the quantized value is now 1+1=2; further, if the execution program behavior event is also determined to be a suspected malicious behavior event, it is also recorded in the context structure and 1 is added again, so that the quantized value is now 1+1+1=3. If the preset quantized threshold is 2, the process to be detected is judged to be a malicious process as soon as the quantized value is equal to or greater than the preset quantized threshold.
In addition, in the implementation, the n (n being a positive integer greater than 1) behavior events of the process to be detected may all be file writing behavior events; if these n file writing behavior events are suspected malicious behavior events, they are recorded into the context structure one after another, so that the quantized value is 1×n. Likewise, n (n a positive integer greater than 1) write file behavior events and m (m a positive integer greater than 1) execution program behavior events of the process to be detected may be acquired; both the n write file behavior events and the m execution program behavior events are recorded into the context structure in turn, so that the quantized value is 1×n + 1×m, which is not described further here.
In the embodiment of the application, after the process to be detected is judged to be a malicious process, alarm prompt information for indicating that the process to be detected is a malicious process can be generated, and the alarm prompt information is sent to corresponding terminal equipment.
The method of the application relates to server security protection, which can be realized at the server side. The existing malicious process behavior detection function can only detect and identify a single behavior of a process, has high false alarm rate, and cannot accurately identify a process which combines a plurality of behaviors (i.e. behavior events) to perform malicious attack. According to the malicious process behavior detection method, all behavior events of the process to be detected are detected in a combined mode, and accurate identification of the malicious process is guaranteed. That is, in the prior art, rule matching can only be performed on a single event of a process, if the event matches the rule, the process is considered to be a malicious process, otherwise, the process is not the malicious process. A disadvantage of the prior art is the poor accuracy of detecting malicious processes. Since most malicious processes combine multiple behaviors to form a valid attack, each of which is likely to have no explicit and fixed malicious features, the rules defining a single event face a dilemma: the event definition is too specific, is easy to leak and prevent, and the definition is too wide and is easy to report by mistake. Therefore, the application provides a new technical scheme for realizing the accurate identification of the malicious process, and the scheme carries out the association detection on a plurality of malicious behaviors of the process, and the malicious process is judged only when the plurality of behaviors of the process hit rules.
In the actual implementation process, a process event is acquired, if the process is matched for the first time, a context structure of the process is created, and then preset judging rules are matched one by one. Each decision rule defines a plurality of behaviors of the malicious process, and matches an event (i.e., a behavior event) with decision information of each behavior event in the decision rule. If the behavior event matches a certain behavior in the rule, adding the behavior event into a context structure of the process, checking whether the event in the context structure of the process reaches all events defined by a certain rule, if so, indicating that the process is a malicious process described by the rule, and generating an alarm by an engine; otherwise, continuing to match the next action in the rule or matching the next rule. And after the behavior event is matched with all rules, the next event is continuously detected. When the process exits, the process context is destroyed. The malicious process behavior detection engine forms a rule for a plurality of behaviors of a malicious process, a process context structure is created and maintained in a process life cycle, each behavior of the rule is matched with the process, and when the behaviors in the context meet all behaviors defined by a certain rule, the process is identified as the malicious process, and an alarm is generated.
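The procedure in the paragraph above (a per-process context created on the first match, each event matched against every behavior of every rule, an alarm when the context satisfies all behaviors of a rule, the context destroyed on exit), together with the quantized count of suspected events from the earlier paragraph, as a runnable Python sketch. This is an added example, not the patent's engine; the rule, the process name svc_agent, the address and the paths are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# The three event types the text enumerates.
NET_CONNECT, WRITE_FILE, EXEC_PROGRAM = "net_connect", "write_file", "exec_program"


@dataclass(frozen=True)
class Event:
    pid: int
    etype: str
    process_name: str
    target: str  # network address, file write path or program path, by etype


@dataclass(frozen=True)
class Behavior:
    """Judging information for one behavior of a rule (process name + type-specific field)."""
    etype: str
    process_name: str
    target: str

    def matches(self, ev: Event) -> bool:
        # Two-step association matching: process name first, then the
        # type-specific field; both must succeed for a suspected malicious hit.
        return (ev.etype == self.etype and ev.process_name == self.process_name
                and ev.target == self.target)


@dataclass(frozen=True)
class Rule:
    name: str
    behaviors: Tuple[Behavior, ...]  # all must be hit for the rule to fire


@dataclass
class ProcessContext:
    """Per-process context: which behavior indices of each rule have been hit."""
    pid: int
    hits: Dict[str, Set[int]] = field(default_factory=dict)

    def quantized_value(self) -> int:
        # Quantized value as in the text: one per recorded suspected event (1*n).
        return sum(len(s) for s in self.hits.values())


class Engine:
    def __init__(self, rules: List[Rule], threshold: Optional[int] = None):
        self.rules = rules
        self.threshold = threshold  # optional quantized-value threshold
        self.contexts: Dict[int, ProcessContext] = {}

    def on_event(self, ev: Event) -> Optional[str]:
        """Match one event against every rule; return alarm text or None."""
        alarm = None
        for rule in self.rules:
            for idx, beh in enumerate(rule.behaviors):
                if not beh.matches(ev):
                    continue  # try the next behavior / next rule
                # Context is created on the first match and kept for the process lifetime.
                ctx = self.contexts.setdefault(ev.pid, ProcessContext(ev.pid))
                ctx.hits.setdefault(rule.name, set()).add(idx)
                if len(ctx.hits[rule.name]) == len(rule.behaviors):
                    alarm = f"pid {ev.pid}: malicious process per rule {rule.name}"
                elif self.threshold is not None and ctx.quantized_value() >= self.threshold:
                    alarm = f"pid {ev.pid}: quantized value reached {self.threshold}"
        return alarm

    def on_exit(self, pid: int) -> None:
        self.contexts.pop(pid, None)  # destroy the context when the process exits


def demo(threshold: Optional[int] = None) -> List[str]:
    """Run a constructed event stream through one constructed rule; return alarms."""
    rule = Rule("connect_drop_execute", (
        Behavior(NET_CONNECT, "svc_agent", "198.51.100.7:8443"),
        Behavior(WRITE_FILE, "svc_agent", "/tmp/stage.bin"),
        Behavior(EXEC_PROGRAM, "svc_agent", "/tmp/stage.bin"),
    ))
    eng = Engine([rule], threshold)
    stream = [  # pid 41 hits only one behavior; pid 42 completes the rule
        Event(41, NET_CONNECT, "svc_agent", "198.51.100.7:8443"),
        Event(42, NET_CONNECT, "svc_agent", "198.51.100.7:8443"),
        Event(42, WRITE_FILE, "svc_agent", "/var/log/agent.log"),  # benign, no hit
        Event(42, WRITE_FILE, "svc_agent", "/tmp/stage.bin"),
        Event(42, EXEC_PROGRAM, "svc_agent", "/tmp/stage.bin"),
    ]
    alarms = [a for a in (eng.on_event(ev) for ev in stream) if a]
    eng.on_exit(42)
    return alarms
```

With `threshold=None` only the completed rule raises an alarm; with a quantized threshold the engine also alarms as soon as the recorded suspected-event count reaches it.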
According to the malicious process detection method, event information corresponding to a plurality of behavior events of a process to be detected and a preset judgment rule for determining the malicious process event are obtained, the event information corresponding to the plurality of behavior events is respectively associated and matched with judgment information defined in the judgment rule, detection results of the plurality of behavior events are obtained, and whether the process to be detected is a malicious process is judged according to the detection results of the plurality of behavior events. Through the associated detection of a plurality of behavior events of the process, missing prevention and false alarm can be greatly reduced, and the accuracy of detecting the malicious process is effectively improved.
Corresponding to the malicious process detection method provided by the application, the application also provides a malicious process detection device. Since the embodiments of the device are similar to the method embodiments described above, the description is relatively brief; reference should be made to the description of the method embodiments above, and the embodiments of the malicious process detection device described below are merely illustrative. Fig. 3 is a schematic structural diagram of a malicious process detection device according to an embodiment of the present application.
The application relates to a malicious process detection device, which specifically comprises the following parts:
a behavior event information acquiring unit 301, configured to acquire event information corresponding to a plurality of behavior events of a process to be detected;
a decision rule obtaining unit 302, configured to obtain a preset decision rule for determining a malicious process event; wherein the judging rule comprises judging information of each behavior event corresponding to the malicious process respectively;
a malicious process detection unit 303, configured to perform association matching on event information corresponding to the plurality of behavior events and the determination information defined in the determination rule, respectively, to obtain detection results of the plurality of behavior events; and judging whether the process to be detected is a malicious process or not according to the detection results of the behavior events.
Further, the malicious process detection unit is specifically configured to: if the plurality of behavior events of the process to be detected comprise network connection behavior events, performing association matching on a process name corresponding to the network connection behavior event and a first process name field defined in the judging information, if the association matching is successful, performing association matching on a network address corresponding to the network connection behavior event and a first network address defined in the judging information, and if the association matching is successful, determining that the network connection behavior event is a suspected malicious behavior event;
if the plurality of behavior events of the process to be detected comprise file writing behavior events, performing association matching on a process name corresponding to the file writing behavior events and a second process name field defined in the judging information, if the association matching is successful, performing association matching on a file writing path corresponding to the file writing behavior events and a file path defined in the judging information, and if the association matching is successful, determining that the file writing behavior events are suspected malicious behavior events;
if the plurality of behavior events of the process to be detected comprise execution program behavior events, performing association matching on a process name corresponding to the execution program behavior event and a third process name field defined in the judging information, if the association matching is successful, performing association matching on an execution program path corresponding to the execution program behavior event and a program path defined in the judging information, and if the association matching is successful, determining that the execution program behavior event is a suspected malicious behavior event.
Further, the malicious process detection unit is specifically configured to: determining a quantized value corresponding to the process to be detected according to the detection results of the behavior events; judging the process to be detected as a malicious process under the condition that the quantized value is equal to or larger than a preset quantized threshold value; and under the condition that the quantized value is smaller than a preset quantized threshold value, judging the process to be detected as a non-malicious process.
Further, after obtaining the detection results of the plurality of behavior events, the method further includes:
a context structure construction unit, configured to identify an identifier of the process to be detected; based on the identifier of the process to be detected, constructing a corresponding context structure, recording suspected malicious behavior events in the detection result into the context structure, and judging the process to be detected as a malicious process when the suspected malicious behavior events in the context structure meet all events corresponding to the judging rule.
Further, before performing association matching on the event information corresponding to the plurality of behavior events and the determination information defined in the determination rule, the method further includes:
the judging information determining unit is used for judging event types corresponding to the event information corresponding to the behavior events respectively and determining judging information used for carrying out association matching in the judging rule based on the event types; wherein the event type includes at least one of a network connection behavior event, a write file behavior event, and an execute program behavior event.
Further, after recording the suspected malicious behavior event in the detection result into the context structure, the method further includes: and the context structure destroying unit is used for deleting the context structure when the process to be detected is detected to reach the end of the running period or the process is exited.
Further, after determining that the process to be detected is a malicious process, the method further includes:
the alarm prompting unit is used for generating alarm prompting information for indicating that the process to be detected is a malicious process and sending the alarm prompting information to the corresponding terminal equipment.
According to the malicious process detection device, event information corresponding to a plurality of behavior events of a process to be detected and a preset judgment rule for determining the malicious process event are obtained, the event information corresponding to the plurality of behavior events is respectively associated and matched with judgment information defined in the judgment rule, detection results of the plurality of behavior events are obtained, and whether the process to be detected is a malicious process is judged according to the detection results of the plurality of behavior events. Through the associated detection of a plurality of behavior events of the process, missing prevention and false alarm can be greatly reduced, and the accuracy of detecting the malicious process is effectively improved.
Corresponding to the malicious process detection method provided by the application, the application also provides electronic equipment. Since the embodiments of the electronic device are similar to the method embodiments described above, the description is relatively simple, and reference should be made to the description of the method embodiments described above, and the electronic device described below is merely illustrative. Fig. 4 is a schematic diagram of the physical structure of an electronic device according to an embodiment of the present application. The electronic device may include: a processor (processor) 401, a memory (memory) 402, and a communication bus 403, wherein the processor 401, the memory 402 perform communication with each other through the communication bus 403, and communicate with the outside through a communication interface 404. The processor 401 may call logic instructions in the memory 402 to perform a malicious process detection method, the method comprising: acquiring event information corresponding to a plurality of behavior events of a process to be detected; acquiring a preset judging rule for determining a malicious process event; wherein the judging rule comprises judging information of each behavior event corresponding to the malicious process respectively; respectively carrying out association matching on event information corresponding to the behavior events and judgment information defined in the judgment rules to obtain detection results of the behavior events; and judging whether the process to be detected is a malicious process or not according to the detection results of the behavior events.
Further, the logic instructions in memory 402 described above may be implemented in the form of software functional units and stored in a computer readable storage medium when sold or used as a stand-alone product. Based on this understanding, the technical solution of the present application may be embodied essentially, or in the part contributing to the prior art, or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a memory chip, a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
In another aspect, embodiments of the present application further provide a computer program product, where the computer program product includes a computer program stored on a storage medium readable by a processor, and the computer program includes program instructions, when the program instructions are executed by a computer, enable the computer to perform the malicious process detection method provided in the above method embodiments. The method comprises the following steps: acquiring event information corresponding to a plurality of behavior events of a process to be detected; acquiring a preset judging rule for determining a malicious process event; wherein the judging rule comprises judging information of each behavior event corresponding to the malicious process respectively; respectively carrying out association matching on event information corresponding to the behavior events and judgment information defined in the judgment rules to obtain detection results of the behavior events; and judging whether the process to be detected is a malicious process or not according to the detection results of the behavior events.
In yet another aspect, embodiments of the present application further provide a processor-readable storage medium having a computer program stored thereon, where the computer program is implemented when executed by a processor to perform the malicious process detection method provided in the foregoing embodiments. The method comprises the following steps: acquiring event information corresponding to a plurality of behavior events of a process to be detected; acquiring a preset judging rule for determining a malicious process event; wherein the judging rule comprises judging information of each behavior event corresponding to the malicious process respectively; respectively carrying out association matching on event information corresponding to the behavior events and judgment information defined in the judgment rules to obtain detection results of the behavior events; and judging whether the process to be detected is a malicious process or not according to the detection results of the behavior events.
The processor-readable storage medium may be any available medium or data storage device that can be accessed by a processor, including, but not limited to, magnetic storage (e.g., floppy disks, hard disks, magnetic tape, magneto-optical disks (MOs), etc.), optical storage (e.g., CD, DVD, BD, HVD, etc.), semiconductor storage (e.g., ROM, EPROM, EEPROM, non-volatile storage (NAND FLASH), Solid State Disk (SSD)), and the like.
The apparatus embodiments described above are merely illustrative: the elements illustrated as separate elements may or may not be physically separate, and the elements shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present application without undue effort.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and are not limiting; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application.

Claims (10)

1. A malicious process detection method, comprising:
acquiring event information corresponding to a plurality of behavior events of a process to be detected;
acquiring a preset judging rule for determining a malicious process event; wherein the judging rule comprises judging information of each behavior event corresponding to the malicious process respectively;
respectively carrying out association matching on event information corresponding to the behavior events and judgment information defined in the judgment rules to obtain detection results of the behavior events; and judging whether the process to be detected is a malicious process or not according to the detection results of the behavior events.
2. The malicious process detection method according to claim 1, wherein the performing association matching on the event information corresponding to the plurality of behavior events and the determination information defined in the determination rule respectively to obtain detection results of the plurality of behavior events specifically includes:
if the plurality of behavior events of the process to be detected comprise network connection behavior events, performing association matching on a process name corresponding to the network connection behavior event and a first process name field defined in the judging information, if the association matching is successful, performing association matching on a network address corresponding to the network connection behavior event and a first network address defined in the judging information, and if the association matching is successful, determining that the network connection behavior event is a suspected malicious behavior event;
if the plurality of behavior events of the process to be detected comprise file writing behavior events, performing association matching on a process name corresponding to the file writing behavior events and a second process name field defined in the judging information, if the association matching is successful, performing association matching on a file writing path corresponding to the file writing behavior events and a file path defined in the judging information, and if the association matching is successful, determining that the file writing behavior events are suspected malicious behavior events;
if the plurality of behavior events of the process to be detected comprise execution program behavior events, performing association matching on a process name corresponding to the execution program behavior event and a third process name field defined in the judging information, if the association matching is successful, performing association matching on an execution program path corresponding to the execution program behavior event and a program path defined in the judging information, and if the association matching is successful, determining that the execution program behavior event is a suspected malicious behavior event.
3. The malicious process detection method according to claim 1, wherein the determining whether the process to be detected is a malicious process according to the detection results of the plurality of behavior events specifically includes:
determining a quantized value corresponding to the process to be detected according to the detection results of the behavior events; the quantized value is used for representing the number of suspected malicious behavior events in the process to be detected;
judging the process to be detected as a malicious process under the condition that the quantized value is equal to or larger than a preset quantized threshold value; and under the condition that the quantized value is smaller than a preset quantized threshold value, judging the process to be detected as a non-malicious process.
4. The malicious process detection method according to claim 1, further comprising, after obtaining detection results of a plurality of behavior events:
identifying an identifier of the process to be detected;
based on the identifier of the process to be detected, constructing a corresponding context structure, recording suspected malicious behavior events in the detection result into the context structure, and judging the process to be detected as a malicious process when the suspected malicious behavior events in the context structure meet all events corresponding to the judging rule.
5. The malicious process detection method according to claim 4, further comprising, after recording a suspected malicious behavior event in the detection result into the context structure: and deleting the context structure when the process to be detected is detected to reach the end of the running period or the process is exited.
6. The malicious process detection method according to claim 1, further comprising, before performing association matching of event information corresponding to the plurality of behavior events with determination information defined in the determination rule, respectively:
judging event types corresponding to the event information corresponding to the behavior events respectively, and determining judging information for carrying out association matching in the judging rule based on the event types; wherein the event type includes at least one of a network connection behavior event, a write file behavior event, and an execute program behavior event.
7. The malicious process detection method according to claim 3, further comprising, after determining that the process to be detected is a malicious process:
generating alarm prompt information for indicating that the process to be detected is a malicious process, and sending the alarm prompt information to corresponding terminal equipment.
8. A malicious process detection apparatus, comprising:
the behavior event information acquisition unit is used for acquiring event information corresponding to a plurality of behavior events of the process to be detected;
the judging rule acquisition unit is used for acquiring a preset judging rule for determining a malicious process event; wherein the judging rule comprises judging information of each behavior event corresponding to the malicious process respectively;
the malicious process detection unit is used for respectively carrying out association matching on event information corresponding to the behavior events and judgment information defined in the judgment rules to obtain detection results of the behavior events; and judging whether the process to be detected is a malicious process or not according to the detection results of the behavior events.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the malicious process detection method according to any one of claims 1 to 7 when the computer program is executed by the processor.
10. A processor-readable storage medium having stored thereon a computer program, which when executed by a processor, implements the steps of the malicious process detection method according to any one of claims 1 to 7.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310520391.9A CN116707866A (en) 2023-05-09 2023-05-09 Malicious process detection method and device


Publications (1)

Publication Number Publication Date
CN116707866A true CN116707866A (en) 2023-09-05

Family

ID=87842353


Country Status (1)

Country Link
CN (1) CN116707866A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination