CN117459310A - Analysis and detection method, device, equipment and storage medium for malicious code - Google Patents


Info

Publication number: CN117459310A
Authority: CN (China)
Prior art keywords: malicious code, sample, preset, detection, feature
Legal status: Pending
Application number: CN202311575971.4A
Other languages: Chinese (zh)
Inventor: 付壮壮
Current Assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original Assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols, the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L 9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC


Abstract

The embodiments disclose a method, a device, equipment and a storage medium for analyzing and detecting malicious code. The method comprises the following steps: acquiring a malicious code sample in a malicious code sample set, and storing the malicious code sample in a target area of a temporary shared memory; acquiring the malicious code sample in the target area through a scanning process of the Nginx proxy server, and extracting target sample characteristics of the malicious code sample; matching the target sample characteristics with preset sample characteristics in a preset malicious code characteristic library to obtain a matching result; and when the matching result confirms that the target sample characteristics fail to match the preset sample characteristics, sending the malicious code sample to an externally linked sandbox through the detection process of the Nginx proxy server for sandbox detection. The method can improve the efficiency and accuracy of analyzing and detecting malicious code samples.

Description

Analysis and detection method, device, equipment and storage medium for malicious code
Technical Field
The disclosure relates to the technical field of network security, and in particular relates to a method, a device, equipment and a storage medium for analyzing and detecting malicious codes.
Background
Data-stream-mode processing is a working mode in which network equipment treats related data packets as one flow and processes them as a whole when handling network traffic, which improves processing efficiency and performance; it is widely applied in content filtering, deep packet inspection and the like.
In the related art, security protection equipment that adopts the data-stream-mode processing technology detects malicious code samples by relying on a malicious code feature library: static features are extracted from the obtained malicious code sample and matched against the known static features in the static feature library. Both static features and dynamic features are matched by relying on the corresponding static feature library or dynamic behavior feature library, so if the library has no corresponding feature, the malicious code sample cannot be conclusively described as non-malicious code; and if the malicious code sample is confirmed to be malicious code, the corresponding static feature library or dynamic behavior feature library has to be updated before the sample can be detected. As a result, the analysis and detection of malicious code are complicated, and the efficiency and accuracy are low.
Disclosure of Invention
In view of this, the embodiments of the present disclosure provide a method, an apparatus, a device and a storage medium for analyzing and detecting malicious code, which can automatically analyze and detect malicious code samples without preparing in advance an environment that simulates network traffic carrying the malicious code sample file, and without a security engine having to analyze, restore and detect the data blocks. The malicious code sample file can be uploaded directly without relying completely on updating the malicious code feature library file, thereby improving the efficiency and accuracy of analyzing and detecting malicious code samples.
In a first aspect, an embodiment of the present disclosure provides a method for analyzing and detecting malicious code, which adopts the following technical scheme:
acquiring a malicious code sample in a malicious code sample set, and storing the malicious code sample in a target area of a temporary shared memory;
acquiring the malicious code sample in the target area through a scanning process of an Nginx proxy server, and extracting target sample characteristics of the malicious code sample;
matching the target sample characteristics with preset sample characteristics in a preset malicious code characteristic library to obtain a matching result;
and when the matching result confirms that the target sample feature fails to match with the preset sample feature, sending the malicious code sample to an externally linked sandbox through the detection process of the Nginx proxy server to carry out sandbox detection.
In some embodiments, sending the malicious code sample to an externally linked sandbox for sandbox detection by a detection process of the Nginx proxy server includes:
when the detection result of the sandbox detection is that the matching is successful, returning the analysis and detection result of the malicious code sample to the client; wherein the analysis and detection result comprises at least one of the following: a malicious code type, a malicious code file name, a malicious code file type, or a malicious code file hash value of the malicious code sample;
updating the preset malicious code feature library based on the analysis and detection results;
deleting the malicious code sample in the target area of the temporary shared memory, and releasing the memory;
and when the detection result of the sandbox detection is that the matching fails, directly deleting the malicious code sample in the target area of the temporary shared memory, and releasing the memory.
In some embodiments, the method further comprises:
detecting update information of any one data in the analysis and detection results;
and updating the preset malicious code feature library based on the detected updating information of any item of data in the analysis and detection results.
In some embodiments, the matching the target sample feature with a preset sample feature in a preset malicious code feature library to obtain a matching result includes at least one of the following:
matching a target MD5 hash value in the target sample feature with a preset MD5 hash value in the preset malicious code feature library to obtain a first matching result;
and matching the target SHA256 hash value in the target sample feature with a preset SHA256 hash value in the preset malicious code feature library to obtain a second matching result.
In some embodiments, the method further comprises:
when the target sample characteristics are confirmed to be successfully matched with the preset sample characteristics based on the matching result, returning analysis and detection results of the malicious code samples to a client;
and deleting the malicious code sample in the target area of the temporary shared memory, and releasing the memory.
In some embodiments, the method further comprises:
detecting update information of the preset sample characteristics;
and updating the preset malicious code feature library based on the detected updating information of the preset sample feature.
In a second aspect, an embodiment of the present disclosure further provides an apparatus for analyzing and detecting malicious code, which adopts the following technical scheme:
an acquisition unit configured to acquire a malicious code sample in a malicious code sample set, and store the malicious code sample in a target area of a temporary shared memory;
a feature extraction unit configured to obtain the malicious code sample in the target area through a scanning process of an Nginx proxy server, and extract a target sample feature of the malicious code sample;
the feature matching unit is configured to match the target sample features with preset sample features in a preset malicious code feature library to obtain a matching result;
and the sandbox detection unit is configured to send the malicious code sample to an externally linked sandbox for sandbox detection through the detection process of the Nginx proxy server when the matching result confirms that the target sample feature fails to match with the preset sample feature.
In some embodiments, the sandbox detection unit comprises:
the result returning module is configured to return analysis and detection results of the malicious code sample to the client when the detection result of the sandbox detection is successful in matching; wherein the analysis and detection result comprises at least one of the following: a malicious code type, a malicious code file name, a malicious code file type, or a malicious code file hash value of the malicious code sample;
the updating module is configured to update the preset malicious code feature library based on the analysis and detection results;
the first deleting module is configured to delete the malicious code sample in the target area of the temporary shared memory and release the memory;
and the second deleting module is configured to directly delete the malicious code sample in the target area of the temporary shared memory and release the memory when the detection result of the sandbox detection is that the matching fails.
In a third aspect, an embodiment of the present disclosure further provides an electronic device, which adopts the following technical scheme:
the electronic device includes:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform any one of the above methods of malicious code analysis and detection.
In a fourth aspect, the disclosed embodiments also provide a computer-readable storage medium storing computer instructions for causing a computer to perform any of the above methods of analysis and detection of malicious code.
According to the method for analyzing and detecting malicious code provided by the embodiments of the disclosure, the malicious code sample can be analyzed and detected automatically without preparing an environment that simulates network traffic in advance and without a security engine analyzing, restoring and detecting that traffic. Without relying completely on updating the malicious code feature library file, the malicious code sample can be uploaded directly, and when the target sample feature fails to match the preset sample feature, the malicious code sample is sent to an externally linked sandbox for further sandbox detection through the detection process of the Nginx proxy server, thereby improving the efficiency and accuracy of analyzing and detecting malicious code samples.
The foregoing description is only an overview of the disclosed technical solution. In order that the above and other objects, features and advantages of the present disclosure may be more clearly understood and implemented in accordance with the disclosure, the preferred embodiments are described in detail below with reference to the accompanying drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present disclosure, and other drawings may be obtained according to these drawings without inventive effort to a person of ordinary skill in the art.
Fig. 1 is a flow chart of a method for analyzing and detecting malicious code according to an embodiment of the disclosure;
Fig. 2 is a flow chart of another method for analyzing and detecting malicious code according to an embodiment of the disclosure;
Fig. 3 is a schematic structural diagram of an analysis and detection apparatus for malicious code according to an embodiment of the disclosure;
Fig. 4 is a schematic structural diagram of another apparatus for analyzing and detecting malicious code according to an embodiment of the present disclosure;
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
Embodiments of the present disclosure are described in detail below with reference to the accompanying drawings.
It should be appreciated that the following specific embodiments of the disclosure are described in order to provide a better understanding of the present disclosure, and that other advantages and effects will be apparent to those skilled in the art from the present disclosure. It will be apparent that the described embodiments are merely some, but not all embodiments of the present disclosure. The disclosure may be embodied or practiced in other different specific embodiments, and details within the subject specification may be modified or changed from various points of view and applications without departing from the spirit of the disclosure. It should be noted that the following embodiments and features in the embodiments may be combined with each other without conflict. All other embodiments, which can be made by one of ordinary skill in the art without inventive effort, based on the embodiments in this disclosure are intended to be within the scope of this disclosure.
It is noted that various aspects of the embodiments are described below within the scope of the following claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the present disclosure, one skilled in the art will appreciate that one aspect described herein may be implemented independently of any other aspect, and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein. In addition, such apparatus may be implemented and/or such methods practiced using other structure and/or functionality in addition to one or more of the aspects set forth herein.
It should also be noted that the illustrations provided in the following embodiments merely illustrate the basic concepts of the disclosure by way of illustration, and only the components related to the disclosure are shown in the drawings and are not drawn according to the number, shape and size of the components in actual implementation, and the form, number and proportion of the components in actual implementation may be arbitrarily changed, and the layout of the components may be more complicated.
In addition, in the following description, specific details are provided in order to provide a thorough understanding of the examples. However, it will be understood by those skilled in the art that the aspects may be practiced without these specific details.
Fig. 1 is a flow chart of a method for analyzing and detecting malicious code according to an embodiment of the present disclosure, where the method for analyzing and detecting malicious code according to an embodiment of the present disclosure includes the following steps:
S101, acquiring malicious code samples in a malicious code sample set, and storing the malicious code samples in a target area of a temporary shared memory.
The target area may be any designated area of the temporary shared memory.
S102, acquiring the malicious code samples in the target area through a scanning process of the Nginx proxy server, and extracting target sample characteristics of the malicious code samples.
S103, matching the target sample characteristics with preset sample characteristics in a preset malicious code characteristic library to obtain a matching result.
S104, when the matching result confirms that the target sample characteristics fail to match the preset sample characteristics, sending the malicious code samples to an externally linked sandbox through the detection process of the Nginx proxy server to carry out sandbox detection.
According to the method for analyzing and detecting malicious code provided by the embodiments of the disclosure, the malicious code sample can be analyzed and detected automatically without preparing an environment that simulates network traffic in advance and without a security engine analyzing, restoring and detecting that traffic. Without relying completely on updating the malicious code feature library file, the malicious code sample can be uploaded directly, and when the target sample feature fails to match the preset sample feature, the malicious code sample is sent to an externally linked sandbox for further sandbox detection through the detection process of the Nginx proxy server, thereby improving the efficiency and accuracy of analyzing and detecting malicious code samples.
In some embodiments, sending malicious code samples to an externally linked sandbox for sandbox detection by a detection process of the Nginx proxy server includes:
when the detection result of the sandbox detection is that the matching is successful, the analysis and detection result of the malicious code sample is returned to the client; wherein the analysis and detection result comprises at least one of the following: malicious code type, malicious code file name, malicious code file type, or malicious code file hash value of the malicious code sample;
updating a preset malicious code feature library based on analysis and detection results;
deleting malicious code samples in a target area of the temporary shared memory, and releasing the memory;
and when the detection result of the sandbox detection is that the matching fails, directly deleting malicious code samples in the target area of the temporary shared memory, and releasing the memory.
In some embodiments, the method further comprises:
detecting update information of any data in analysis and detection results;
and updating the preset malicious code feature library based on the detected updating information of any item of data in the analysis and detection results.
Optionally, when the analysis and detection results of the malicious code file (such as the malicious code type, malicious code file name, malicious code file type and malicious code file hash value) are known, new rules for these results can be added to the preset malicious code feature library in a user-defined manner, so as to supplement and improve the feature rules and feature data in the preset malicious code feature library and thereby improve the accuracy of the matching result.
In some embodiments, matching the target sample feature with a preset sample feature in a preset malicious code feature library to obtain a matching result, including at least one of the following:
matching a target MD5 hash value in the target sample feature with a preset MD5 hash value in a preset malicious code feature library to obtain a first matching result;
and matching the target SHA256 hash value in the target sample characteristic with a preset SHA256 hash value in a preset malicious code characteristic library to obtain a second matching result.
Alternatively, the first matching result may be used directly as the matching result of the target sample feature against the preset sample feature in the preset malicious code feature library, or the second matching result may be used directly as that matching result. The combination of the first matching result and the second matching result may also be used as the matching result. For example, when the first matching result is a pass, the matching result of the target sample feature against the preset sample feature is confirmed as a pass; or when the second matching result is a pass, the matching result is confirmed as a pass; or when both the first matching result and the second matching result are passes, the matching result is confirmed as a pass.
In some embodiments, the method further comprises:
when the matching result confirms that the target sample characteristics are successfully matched with the preset sample characteristics, returning the analysis and detection results of the malicious code samples to the client;
and deleting malicious code samples in the target area of the temporary shared memory, and releasing the memory.
In some embodiments, the method further comprises:
detecting update information of preset sample characteristics;
and updating the preset malicious code feature library based on the detected update information of the preset sample features.
Optionally, if a relevant rule is added in the new version malicious code feature library, the preset malicious code feature library can be updated by introducing the new version malicious code feature library, and analysis and detection are performed on the malicious code sample based on the updated preset malicious code feature library, so that analysis and detection accuracy is improved.
Fig. 2 is a flow chart of another method for analyzing and detecting malicious code according to an embodiment of the present disclosure, where the method for analyzing and detecting malicious code according to the embodiment of the present disclosure includes the following steps:
Step S1, acquiring a malicious code sample, and storing the malicious code sample in a designated area of a temporary shared memory;
Step S2, the scanning process of the Nginx proxy server acquires the malicious code sample and extracts the target sample characteristics of the malicious code sample;
Step S3, matching the target sample characteristics with preset sample characteristics in a preset malicious code characteristic library; if the target sample feature is successfully matched with the preset sample feature, executing step S4; if the matching of the target sample feature and the preset sample feature fails, executing step S6;
Step S4, returning the analysis and detection results of the malicious code sample to the client, where the analysis and detection results may include the following data: malicious code type, malicious code file name, malicious code file type, or malicious code file hash value (MD5, SHA256);
Step S5, deleting the malicious code sample in the temporary shared memory, and releasing the memory;
Step S6, the detection process of the Nginx proxy server automatically sends the malicious code sample to an externally linked sandbox;
Step S7, the externally linked sandbox carries out sandbox detection; if the sandbox detection succeeds, executing step S8; if the sandbox detection fails, executing step S5;
Step S8, returning the malicious code type, malicious code file name, malicious code file type and malicious code file hash values (MD5 and SHA256);
Step S9, updating the preset malicious code feature library;
Step S10, importing a new version of the malicious code feature library, and updating the preset malicious code feature library;
Step S11, adding the malicious code type, malicious code file name, malicious code file type and malicious code file hash values (MD5 and SHA256) in a user-defined manner, and updating the preset malicious code feature library.
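The S1 to S11 flow above, together with the MD5/SHA256 matching combinations described earlier, as an added Python example that is not part of the patent. The temporary shared memory, the Nginx scanning and detection processes and the externally linked sandbox are stood in for by in-process objects and a constructed callback; all sample bytes, file names and the feature library layout are constructed.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class DetectionResult:
    """Analysis and detection result returned to the client (S4 / S8)."""
    code_type: str
    file_name: str
    file_type: str
    md5: str
    sha256: str


@dataclass
class FeatureLibrary:
    """Preset malicious code feature library (constructed structure): each
    known hash value maps to the result record it was learned from."""
    md5: dict = field(default_factory=dict)
    sha256: dict = field(default_factory=dict)

    def add_rule(self, result: DetectionResult) -> None:
        """S9 / S11: add a rule for a now-known result."""
        self.md5[result.md5] = result
        self.sha256[result.sha256] = result


class SampleStore:
    """Stand-in for the target area of the temporary shared memory (S1, S5)."""
    def __init__(self) -> None:
        self._area = {}

    def put(self, key: str, sample: bytes) -> None:
        self._area[key] = sample

    def get(self, key: str) -> bytes:
        return self._area[key]

    def release(self, key: str) -> None:
        """S5: delete the sample and release its memory."""
        self._area.pop(key, None)

    def __len__(self) -> int:
        return len(self._area)


def extract_features(sample: bytes) -> tuple:
    """S2: the target sample features are the sample's MD5 and SHA256."""
    return hashlib.md5(sample).hexdigest(), hashlib.sha256(sample).hexdigest()


def match_features(lib: FeatureLibrary, md5: str, sha256: str,
                   require_both: bool = False) -> Optional[DetectionResult]:
    """S3: first matching result (MD5) and second matching result (SHA256),
    combined as 'either passes' by default or 'both must pass'. The SHA256
    record is preferred when both exist because MD5 is collision-prone."""
    first, second = lib.md5.get(md5), lib.sha256.get(sha256)
    if require_both:
        return second if (first is not None and second is not None) else None
    return second if second is not None else first


def analyze_sample(store: SampleStore, key: str, lib: FeatureLibrary,
                   sandbox: Callable[[bytes], Optional[DetectionResult]],
                   require_both: bool = False):
    """S2 to S9 for one stored sample; the Nginx scanning process (S2, S3)
    and detection process (S6) are modelled as plain function calls.
    Returns (result or None, whether the sandbox was consulted)."""
    md5, sha256 = extract_features(store.get(key))
    result = match_features(lib, md5, sha256, require_both)
    used_sandbox = result is None
    if used_sandbox:                        # S3 failed -> S6
        result = sandbox(store.get(key))    # S7: None = sandbox detection failed
        if result is not None:
            lib.add_rule(result)            # S8 returned -> S9 update library
    store.release(key)                      # S5 on every path, matched or not
    return result, used_sandbox


def constructed_sandbox(sample: bytes) -> Optional[DetectionResult]:
    """Constructed stand-in for the externally linked sandbox: 'detects'
    samples carrying a constructed marker and returns the S8 fields."""
    if b"constructed-malicious-marker" in sample:
        md5, sha256 = extract_features(sample)
        return DetectionResult("trojan", "sample.bin", "PE", md5, sha256)
    return None


if __name__ == "__main__":
    lib, store = FeatureLibrary(), SampleStore()
    known = b"constructed known-bad sample"
    lib.add_rule(DetectionResult("worm", "known.exe", "PE", *extract_features(known)))
    store.put("a", known)                                         # S1
    store.put("b", b"new sample with constructed-malicious-marker")
    store.put("c", b"constructed benign sample")
    for key in ("a", "b", "c"):
        print(key, analyze_sample(store, key, lib, constructed_sandbox))
    print("samples left in the target area:", len(store))
```

Running it shows the three paths: a library hit with no sandbox round trip, a sandbox hit that is learned into the library so a re-submission of the same bytes is matched locally, and a sandbox miss that still frees the shared-memory area.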
Fig. 3 is a schematic structural diagram of an analysis and detection device for malicious code according to an embodiment of the present disclosure, where the analysis and detection device for malicious code according to an embodiment of the present disclosure includes:
an acquisition unit 31 configured to acquire malicious code samples in the malicious code sample set, and to save the malicious code samples in a target area of the temporary shared memory;
a feature extraction unit 32 configured to obtain malicious code samples in the target area through a scanning process of the Nginx proxy server, and extract target sample features of the malicious code samples;
a feature matching unit 33 configured to match the target sample feature with a preset sample feature in a preset malicious code feature library, so as to obtain a matching result;
and a sandbox detection unit 34 configured to send the malicious code sample to an externally linked sandbox for sandbox detection through a detection process of the Nginx proxy server when it is confirmed, based on the matching result, that the target sample feature fails to match the preset sample feature.
Fig. 4 is a schematic structural diagram of another analysis and detection apparatus for malicious code according to an embodiment of the present disclosure, and in some embodiments, the sandbox detection unit 34 includes:
the result returning module 341 is configured to return an analysis and detection result of the malicious code sample to the client when the detection result of the sandbox detection is that the matching is successful; wherein the analysis and detection result comprises at least one of the following: malicious code type, malicious code file name, malicious code file type, or malicious code file hash value of the malicious code sample;
an updating module 342 configured to update a preset malicious code feature library based on the analysis and detection results;
a first deleting module 343 configured to delete malicious code samples in the target area of the temporary shared memory, and release the memory;
the second deleting module 344 is configured to directly delete the malicious code sample in the target area of the temporary shared memory and release the memory when the detection result of the sandbox detection is that the matching fails.
An electronic device according to an embodiment of the present disclosure includes a memory and a processor. The memory is for storing non-transitory computer readable instructions. In particular, the memory may include one or more computer program products, which may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. The volatile memory may include, for example, Random Access Memory (RAM) and/or cache memory (cache), and the like. The non-volatile memory may include, for example, Read Only Memory (ROM), hard disk, flash memory, and the like.
The processor may be a Central Processing Unit (CPU) or other form of processing unit having data processing and/or instruction execution capabilities, and may control other components in the electronic device to perform the desired functions. In one embodiment of the present disclosure, the processor is configured to execute the computer readable instructions stored in the memory, so that the electronic device performs all or part of the steps of the foregoing method for analyzing and detecting malicious code according to embodiments of the present disclosure.
It should be understood by those skilled in the art that, in order to obtain a good user experience, the present embodiment may also include well-known structures such as a communication bus, an interface, and the like, and these well-known structures also fall within the protection scope of the present disclosure.
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the disclosure. A schematic diagram of an electronic device suitable for use in implementing embodiments of the present disclosure is shown. The electronic device shown in fig. 5 is merely an example and should not be construed to limit the functionality and scope of use of the disclosed embodiments.
As shown in fig. 5, the electronic device may include a processor (e.g., a central processing unit, a graphics processor, etc.) that may perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) or a program loaded from a storage device into a Random Access Memory (RAM). In the RAM, various programs and data required for the operation of the electronic device are also stored. The processor, ROM and RAM are connected to each other by a bus. An input/output (I/O) interface is also connected to the bus.
In general, the following devices may be connected to the I/O interface: input means including, for example, sensors or visual information gathering devices; output devices including, for example, display screens and the like; storage devices including, for example, magnetic tape, hard disk, etc.; a communication device. The communication means may allow the electronic device to communicate wirelessly or by wire with other devices, such as edge computing devices, to exchange data. While fig. 5 shows an electronic device having various means, it is to be understood that not all of the illustrated means are required to be implemented or provided. More or fewer devices may be implemented or provided instead.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a non-transitory computer readable medium, the computer program comprising program code for performing the method shown in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via a communication device, or installed from a storage device, or installed from ROM. All or part of the steps of the method of analysis and detection of malicious code of embodiments of the present disclosure are performed when the computer program is executed by a processor.
The detailed description of the present embodiment may refer to the corresponding description in the foregoing embodiments, and will not be repeated herein.
A computer-readable storage medium according to an embodiment of the present disclosure has stored thereon non-transitory computer-readable instructions. When executed by a processor, the non-transitory computer readable instructions perform all or part of the steps of the methods of analysis and detection of malicious code of the various embodiments of the disclosure described above.
The computer-readable storage medium described above includes, but is not limited to: optical storage media (e.g., CD-ROM and DVD), magneto-optical storage media (e.g., MO), magnetic storage media (e.g., magnetic tape or removable hard disk), media with built-in rewritable non-volatile memory (e.g., memory card), and media with built-in ROM (e.g., ROM cartridge).
The detailed description of the present embodiment may refer to the corresponding description in the foregoing embodiments, and will not be repeated herein.
The basic principles of the present disclosure have been described above in connection with specific embodiments, however, it should be noted that the advantages, benefits, effects, etc. mentioned in the present disclosure are merely examples and not limiting, and these advantages, benefits, effects, etc. are not to be considered as necessarily possessed by the various embodiments of the present disclosure. Furthermore, the specific details disclosed herein are for purposes of illustration and understanding only, and are not intended to be limiting, since the disclosure is not necessarily limited to practice with the specific details described.
In this disclosure, relational terms such as first and second are used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between those entities or actions, and the block diagrams of the devices, apparatuses and systems involved in this disclosure are merely illustrative examples and are not intended to require or imply that connections, arrangements or configurations must be made in the manner shown in the block diagrams. As will be appreciated by one of skill in the art, the devices, apparatuses and systems may be connected, arranged or configured in any manner. Words such as "including," "comprising," "having," and the like are open-ended words meaning "including but not limited to," and are used interchangeably therewith. The terms "or" and "and" as used herein refer to, and are used interchangeably with, the term "and/or" unless the context clearly indicates otherwise. The term "such as" as used herein refers to, and is used interchangeably with, the phrase "such as, but not limited to."
In addition, as used herein, the use of "or" in the recitation of items beginning with "at least one" indicates a separate recitation, such that recitation of "at least one of A, B or C" for example means A or B or C, or AB or AC or BC, or ABC (i.e., A and B and C). Furthermore, the term "exemplary" does not mean that the described example is preferred or better than other examples.
It is also noted that in the systems and methods of the present disclosure, components or steps may be disassembled and/or assembled. Such decomposition and/or recombination should be considered equivalent to the present disclosure.
Various changes, substitutions, and alterations are possible to the techniques described herein without departing from the teachings of the techniques defined by the appended claims. Furthermore, the scope of the claims of the present disclosure is not limited to the particular aspects of the process, machine, manufacture, composition of matter, means, methods and acts described above. The processes, machines, manufacture, compositions of matter, means, methods, or acts, presently existing or later to be developed that perform substantially the same function or achieve substantially the same result as the corresponding aspects described herein may be utilized. Accordingly, the appended claims are intended to include within their scope such processes, machines, manufacture, compositions of matter, means, methods, or acts.
The previous description of the disclosed aspects is provided to enable any person skilled in the art to make or use the present disclosure. Various modifications to these aspects will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other aspects without departing from the scope of the disclosure. Thus, the present disclosure is not intended to be limited to the aspects shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The foregoing description has been presented for purposes of illustration and description. Furthermore, this description is not intended to limit the embodiments of the disclosure to the form disclosed herein. Although a number of example aspects and embodiments have been discussed above, a person of ordinary skill in the art will recognize certain variations, modifications, alterations, additions, and subcombinations thereof.

Claims (10)

1. A method for analyzing and detecting malicious code, comprising:
acquiring a malicious code sample in a malicious code sample set, and storing the malicious code sample in a target area of a temporary shared memory;
acquiring the malicious code sample in the target area through a scanning process of an Nginx proxy server, and extracting target sample characteristics of the malicious code sample;
matching the target sample characteristics with preset sample characteristics in a preset malicious code characteristic library to obtain a matching result;
and when the matching result confirms that the target sample feature fails to match with the preset sample feature, sending the malicious code sample to an externally linked sandbox through the detection process of the Nginx proxy server to carry out sandbox detection.
2. The method for analyzing and detecting malicious code according to claim 1, wherein the sending the malicious code sample to an externally linked sandbox for sandbox detection by the detection process of the Nginx proxy server comprises:
when the detection result of the sandbox detection is that the matching is successful, returning the analysis and detection result of the malicious code sample to the client; wherein the analysis and detection result comprises at least one of the following: a malicious code type, a malicious code file name, a malicious code file type, or a malicious code file hash value of the malicious code sample;
updating the preset malicious code feature library based on the analysis and detection results;
deleting the malicious code sample in the target area of the temporary shared memory, and releasing the memory;
and when the detection result of the sandbox detection is that the matching fails, directly deleting the malicious code sample in the target area of the temporary shared memory, and releasing the memory.
3. The method of claim 2, further comprising:
detecting update information of any one data in the analysis and detection results;
and updating the preset malicious code feature library based on the detected updating information of any item of data in the analysis and detection results.
4. The method for analyzing and detecting malicious code according to claim 1, wherein the matching the target sample feature with a preset sample feature in a preset malicious code feature library to obtain a matching result includes at least one of the following:
matching a target MD5 hash value in the target sample feature with a preset MD5 hash value in the preset malicious code feature library to obtain a first matching result;
and matching the target SHA256 hash value in the target sample feature with a preset SHA256 hash value in the preset malicious code feature library to obtain a second matching result.
5. The method of claim 1, further comprising:
when the target sample characteristics are confirmed to be successfully matched with the preset sample characteristics based on the matching result, returning analysis and detection results of the malicious code samples to a client;
and deleting the malicious code sample in the target area of the temporary shared memory, and releasing the memory.
6. The method of claim 1, further comprising:
detecting update information of the preset sample characteristics;
and updating the preset malicious code feature library based on the detected updating information of the preset sample feature.
7. An apparatus for analyzing and detecting malicious code, comprising:
an acquisition unit configured to acquire a malicious code sample in a malicious code sample set, and store the malicious code sample in a target area of a temporary shared memory;
a feature extraction unit configured to obtain the malicious code sample in the target area through a scanning process of an Nginx proxy server, and extract a target sample feature of the malicious code sample;
the feature matching unit is configured to match the target sample features with preset sample features in a preset malicious code feature library to obtain a matching result;
and the sandbox detection unit is configured to send the malicious code sample to an externally linked sandbox for sandbox detection through the detection process of the Nginx proxy server when the matching result confirms that the target sample feature fails to match with the preset sample feature.
8. The apparatus for analyzing and detecting malicious code according to claim 7, wherein the sandbox detection unit includes:
the result returning module is configured to return analysis and detection results of the malicious code sample to the client when the detection result of the sandbox detection is successful in matching; wherein the analysis and detection result comprises at least one of the following: a malicious code type, a malicious code file name, a malicious code file type, or a malicious code file hash value of the malicious code sample;
the updating module is configured to update the preset malicious code feature library based on the analysis and detection results;
the first deleting module is configured to delete the malicious code sample in the target area of the temporary shared memory and release the memory;
and the second deleting module is configured to directly delete the malicious code sample in the target area of the temporary shared memory and release the memory when the detection result of the sandbox detection is that the matching fails.
9. An electronic device, the electronic device comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of malicious code analysis and detection of any one of claims 1 to 6.
10. A computer-readable storage medium storing computer instructions for causing a computer to perform the method of analyzing and detecting malicious code according to any one of claims 1 to 6.
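The flow claimed in claims 1, 2, 4 and 5 (store the sample in a target area of temporary shared memory, extract MD5/SHA256 features, match them against the preset feature library, fall back to a sandbox on a miss, learn a sandbox hit into the library, then delete the sample and release the memory) written out as a runnable Python model. This is an added example, not code from the patent or its assignee; it assumes an in-process buffer standing in for the shared memory, a plain function call standing in for the Nginx scanning and detection processes, and an injectable callable standing in for the externally linked sandbox.

```python
import hashlib
from typing import Callable, Optional

class TempSharedMemory:
    """Constructed stand-in for the temporary shared memory: a fixed buffer carved into target areas."""
    def __init__(self, size: int = 4096) -> None:
        self._buf = bytearray(size)
        self._next = 0
        self.in_use: dict[int, int] = {}          # area offset -> sample length

    def store(self, sample: bytes) -> int:
        if self._next + len(sample) > len(self._buf):
            raise MemoryError("temporary shared memory exhausted")
        offset = self._next
        self._buf[offset:offset + len(sample)] = sample
        self.in_use[offset] = len(sample)
        self._next += len(sample)
        return offset

    def read(self, offset: int) -> bytes:
        return bytes(self._buf[offset:offset + self.in_use[offset]])

    def release(self, offset: int) -> None:
        length = self.in_use.pop(offset)
        self._buf[offset:offset + length] = bytes(length)   # zero the area, then free it

def extract_features(sample: bytes) -> dict:
    """Target sample features named in claim 4: MD5 and SHA256 of the sample bytes."""
    return {"md5": hashlib.md5(sample).hexdigest(),
            "sha256": hashlib.sha256(sample).hexdigest()}

class FeatureLibrary:
    """Preset malicious code feature library keyed by both hash types."""
    def __init__(self) -> None:
        self.md5: dict[str, dict] = {}
        self.sha256: dict[str, dict] = {}

    def match(self, feats: dict) -> Optional[dict]:
        return self.md5.get(feats["md5"]) or self.sha256.get(feats["sha256"])

    def update(self, feats: dict, result: dict) -> None:
        self.md5[feats["md5"]] = result
        self.sha256[feats["sha256"]] = result

def analyze(sample: bytes, shm: TempSharedMemory, library: FeatureLibrary,
            sandbox: Callable[[bytes], Optional[dict]]) -> Optional[dict]:
    """Store -> extract -> match -> sandbox on a miss -> learn a hit -> always release.
    `sandbox` stands in for the external sandbox: it returns the detection result or None."""
    area = shm.store(sample)
    try:
        feats = extract_features(shm.read(area))
        result = library.match(feats)
        if result is None:                         # feature miss: hand off to the sandbox
            result = sandbox(sample)
            if result is not None:                 # sandbox hit: add the new signature
                library.update(feats, result)
        return result                              # None means nothing was detected
    finally:
        shm.release(area)                          # free the target area in every branch
```

The `finally` matters for the claimed release step: a sandbox timeout or exception must not leave the sample resident in the shared region, so the area is scrubbed and freed on every path.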

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311575971.4A CN117459310A (en) 2023-11-23 2023-11-23 Analysis and detection method, device, equipment and storage medium for malicious code

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311575971.4A CN117459310A (en) 2023-11-23 2023-11-23 Analysis and detection method, device, equipment and storage medium for malicious code

Publications (1)

Publication Number Publication Date
CN117459310A true CN117459310A (en) 2024-01-26

Family

ID=89585464

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311575971.4A Pending CN117459310A (en) 2023-11-23 2023-11-23 Analysis and detection method, device, equipment and storage medium for malicious code

Country Status (1)

Country Link
CN (1) CN117459310A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination