CN117892303A - Defense method and system for antivirus products in AV-evasion scenarios - Google Patents


Info

Publication number
CN117892303A
Authority
CN
China
Prior art keywords
feature
file
list
database
feature code
Prior art date
Legal status
Pending
Application number
CN202410061880.7A
Other languages
Chinese (zh)
Inventor
郭昌盛
张景如
李华生
王磊
邵佳
姜昱西
Current Assignee
Beijing Jiangmin Xinke Technology Co ltd
Original Assignee
Beijing Jiangmin Xinke Technology Co ltd
Application filed by Beijing Jiangmin Xinke Technology Co ltd
Priority to CN202410061880.7A
Publication of CN117892303A
Legal status: Pending

Landscapes

  • Storage Device Security (AREA)

Abstract

The present invention discloses a defense method and system for an antivirus product in AV-evasion scenarios. The method comprises: scanning an input file; matching the signatures of the virus library against the file content and forming a list of the signatures that matched; detecting whether the matched signatures are a subset of any signature list stored in the database, where a subset relationship indicates that this is not the first test of the file; and, when the file is input for the first time and the matched signatures are not a subset of any stored list, storing the list in the corresponding database. The disclosed scheme effectively counters targeted evasion testing against antivirus products, strengthens the product's standing in security defense, and mitigates the asymmetry in which the defender's product is public while the attacker's tooling stays hidden.

Description

Defense method and system for an antivirus product in AV-evasion scenarios
Technical Field
The invention relates to the technical field of network security, in particular to a defense method and system for an antivirus product in AV-evasion scenarios.
Background
As network security incidents grow more frequent, it is critical that antivirus products cope with the evasion testing performed by malicious code authors. Countering these tests is a way of fighting malicious code authors at the technical level. The contest is asymmetric, however: antivirus software is publicly available, while a new virus or trojan is kept secret until it is released. A new author can therefore test a sample against popular antivirus products until it is no longer detected, and the methods currently used by security products are generally unable to counter this. The result is frequent security incidents and a structural disadvantage for defenders.
For countering evasion testing against antivirus software, the existing scheme is cloud-based evasion detection, which blocks IP addresses according to upload frequency.
The principle of this cloud-based countermeasure is to record how many samples a fixed IP address uploads per unit time, add the IP to a blacklist once that count exceeds a threshold, and thereafter treat submissions from blacklisted users as non-malicious (the tester receives no useful detection signal).
Although the cloud IP blacklist is an important advance against evasion testing, it has two major shortcomings. First, the tester can spread the upload tests over different periods of time: a scheme that only looks at activity within a fixed window fails once the activity is spread across windows. Second, when the tester switches IP addresses through a VPN, there are no short-term repeated requests from the same IP, so the strategy fails.
The existing defense against evasion testing therefore still has drawbacks and needs further improvement; creating a new defense method for the evasion-testing scenario has become the industry's goal.
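The prior-art scheme just described, as an added example that is not from the patent: a sliding-window per-IP upload counter with a blacklist, followed by the two failure modes the text names (spreading uploads across windows, and rotating source IPs). The window length, threshold, addresses and timestamps are assumed values for the illustration.

```python
"""Added example: per-IP upload-rate blacklisting (the prior art described above)
and the two ways it fails. Window, threshold, IPs and timestamps are constructed."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # "unit time" of the counter (assumed value)
THRESHOLD = 5         # uploads per window before the IP is blacklisted (assumed value)


class UploadRateBlacklist:
    """Records upload timestamps per source IP over a sliding window and blacklists
    the IP once the count inside the window exceeds the threshold. Blacklisted IPs
    are answered 'no threat' regardless of the real scan result."""

    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD):
        self.window, self.threshold = window, threshold
        self.uploads = defaultdict(deque)   # ip -> timestamps still inside the window
        self.blacklist = set()

    def submit(self, ip: str, ts: float, real_verdict: str) -> str:
        """Returns the verdict shown to the submitter for this upload."""
        if ip in self.blacklist:
            return "no threat"
        q = self.uploads[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # expire timestamps outside the window
            q.popleft()
        if len(q) > self.threshold:
            self.blacklist.add(ip)
            return "no threat"
        return real_verdict


def burst_from_one_ip(n=8) -> list:
    """A tester uploading n times inside one window from one IP: blacklisted mid-run."""
    bl = UploadRateBlacklist()
    return [bl.submit("198.51.100.7", 10.0 * i, "detected") for i in range(n)]


def spread_over_time(n=8) -> list:
    """Same tester and IP, one upload per window: the threshold is never exceeded."""
    bl = UploadRateBlacklist()
    return [bl.submit("198.51.100.7", 61.0 * i, "detected") for i in range(n)]


def rotate_ips(n=8) -> list:
    """Same tester, rapid uploads, a fresh VPN exit IP each time: never blacklisted."""
    bl = UploadRateBlacklist()
    return [bl.submit(f"203.0.113.{i}", 1.0 * i, "detected") for i in range(n)]


if __name__ == "__main__":
    print(burst_from_one_ip())   # ['detected'] * 5 + ['no threat'] * 3
    print(spread_over_time())    # ['detected'] * 8
    print(rotate_ips())          # ['detected'] * 8
```

The two evasions cost the tester only patience or a VPN subscription, which is why the rest of the page keys its detection on the file's own signature history rather than on the submitter's address.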
Disclosure of Invention
In view of this, embodiments of the present disclosure provide a defense method for an antivirus product in AV-evasion scenarios, which at least partially solves the problems of the prior art.
In a first aspect, embodiments of the present disclosure provide a defense method for an antivirus product in AV-evasion scenarios, the method comprising the steps of:
scanning an input file; matching the signatures in the virus library against the file content, and forming a signature list from the signatures that matched;
detecting whether the matched signatures are a subset of any signature list in a database; when they are a subset of a stored list, this indicates a non-first test; and
when the file is input for the first time and the current signatures are not a subset of any stored signature list, storing this signature list in the corresponding database.
According to a specific implementation of an embodiment of the present disclosure, when a malicious file is not being input for the first time, the method comprises the following steps:
after the test file is input, the antivirus engine scans it and obtains a signature list;
when the test file's list is judged to be a subset of a signature list in the database, performing a set operation between the list extracted by this scan and the database list that removes the overlapping entries from the stored list; the database list is the signature list obtained when the file was scanned previously and stored in the database;
detecting whether the stored signature list is now empty; when it is not empty, ending the current flow;
when the stored signature list is empty, setting the current test file as a decoy seed file;
extracting the non-repeated character strings of the decoy seed file as threat features and adding them to a temporary feature database; and
when the file is input for testing again, detecting whether the decoy features are present; if they are, judging that evasion testing is taking place.
According to a specific implementation of an embodiment of the present disclosure, detecting whether the current signatures are a subset of any signature list in the database comprises:
judging whether the file is being submitted for the first time; when it is, the antivirus engine scans the file and generates a large number of signature matches, which form a signature list to be stored;
when the file is not being submitted for the first time and the stored signature list has not been emptied, the engine's scan generates new signature matches; each new signature is checked against the original signature list, and when it is present there the corresponding entry is deleted from the original list, until the last entry of the original list has been deleted; and
when the file is not being submitted for the first time and the stored signature list has been emptied, the currently submitted file is treated as a potentially threatening decoy fragment.
According to a specific implementation of an embodiment of the disclosure, the method further comprises the steps of:
when the incoming file is not a decoy-marked file, obtaining a special character string as a decoy feature and adding it to the feature list database;
the tester then cuts the file, probing for and modifying the features that were added to the feature list database, and the resulting file is treated as a decoy file; and
when the incoming file is a decoy-marked file, this indicates that evasion testing is underway.
According to a specific implementation of an embodiment of the disclosure, after each file upload the method checks whether the signature list has been emptied; when it has, this indicates that evasion testing is being performed.
In a second aspect, embodiments of the present disclosure provide a defense system for an antivirus product in AV-evasion scenarios, the system comprising:
a scanning module configured to scan the input file, match the signatures in the virus library against the file content, and form a signature list from the signatures that matched; and
an identification module configured to detect whether the matched signatures are a subset of any signature list in the database, a subset of a stored list indicating a non-first test, and
when the file is input for the first time and the current signatures are not a subset of any stored signature list, to store this signature list in the corresponding database.
According to a specific implementation of an embodiment of the disclosure, the system further includes:
an operation module configured to scan the test file after it is input and obtain a signature list;
when the test file's list is judged to be a subset of a signature list in the database, to perform a set operation between the list extracted by this scan and the database list that removes the overlapping entries from the stored list, the database list being the signature list obtained when the file was scanned previously and stored in the database;
to detect whether the stored signature list is now empty and, when it is not empty, to end the current flow;
when the stored signature list is empty, to set the current test file as a decoy seed file;
to extract the non-repeated character strings of the decoy seed file as threat features and add them to a temporary feature database; and
when the file is input for testing again, to detect whether the decoy features are present and, if they are, to judge that evasion testing is taking place.
In a third aspect, embodiments of the present disclosure further provide an electronic device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor which, when executed by the at least one processor, cause it to implement the defense method for antivirus products in AV-evasion scenarios of the first aspect or any implementation of the first aspect.
In a fourth aspect, embodiments of the present disclosure also provide a non-transitory computer-readable storage medium storing computer instructions that, when executed by at least one processor, cause the processor to perform the defense method for antivirus products in AV-evasion scenarios of the first aspect or any implementation of the first aspect.
In a fifth aspect, embodiments of the present disclosure also provide a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the program comprising instructions which, when executed by a computer, cause the computer to perform the defense method for antivirus products in AV-evasion scenarios of the first aspect or any implementation of the first aspect.
The defense method for antivirus products in AV-evasion scenarios of the disclosed embodiments effectively solves the challenge of targeted evasion testing against an antivirus product. Using the evasion-identification technique and the evasion-countering strategy described here, the antivirus product's standing in security defense is markedly improved, and the asymmetry of visible defense against concealed attack is effectively addressed.
Drawings
The foregoing is merely an overview of the present invention, and the present invention is further described in detail below with reference to the accompanying drawings and detailed description.
Fig. 1 is a schematic flow diagram of a defense method for an antivirus product in AV-evasion scenarios according to an embodiment of the present disclosure;
Fig. 2 is a block diagram of the defense method for an antivirus product in AV-evasion scenarios according to an example embodiment of the present disclosure;
Fig. 3 is a schematic diagram of the operating principle of the identification module according to an embodiment of the disclosure;
Fig. 4 is a schematic diagram of the antivirus engine's scanned signature set forming a signature list, according to an embodiment of the present disclosure;
Fig. 5 is a schematic illustration of the non-first-upload, list-not-emptied case, according to an embodiment of the present disclosure;
Fig. 6 is a schematic illustration of the non-first-upload, list-emptied case, according to an embodiment of the present disclosure;
Fig. 7 is a schematic diagram of the operating principle of the decoy module according to an embodiment of the disclosure;
Fig. 8 is a schematic diagram of the structure of a defense system for an antivirus product in AV-evasion scenarios according to an embodiment of the present disclosure; and
Fig. 9 is a schematic diagram of an electronic device according to an embodiment of the disclosure.
Detailed Description
Embodiments of the present disclosure are described in detail below with reference to the accompanying drawings.
Other advantages and effects of the present disclosure will become readily apparent to those skilled in the art from the following disclosure, which describes embodiments of the present disclosure by way of specific examples. It will be apparent that the described embodiments are merely some, but not all embodiments of the present disclosure. The disclosure may be embodied or practiced in other different specific embodiments, and details within the subject specification may be modified or changed from various points of view and applications without departing from the spirit of the disclosure. It should be noted that the following embodiments and features in the embodiments may be combined with each other without conflict. All other embodiments, which can be made by one of ordinary skill in the art without inventive effort, based on the embodiments in this disclosure are intended to be within the scope of this disclosure.
It is noted that various aspects of the embodiments are described below within the scope of the following claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the present disclosure, one skilled in the art will appreciate that one aspect described herein may be implemented independently of any other aspect, and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein. In addition, such apparatus may be implemented and/or such methods practiced using other structure and/or functionality in addition to one or more of the aspects set forth herein.
In addition, in the following description, specific details are provided in order to provide a thorough understanding of the examples. However, it will be understood by those skilled in the art that the aspects may be practiced without these specific details.
To address the shortcomings of the prior scheme, the present scheme comprises: initially observing the behaviour of the target file through changes in which signature markers it hits, and then accurately capturing the target's behaviour with a decoy file.
During evasion testing, the author of a virus or trojan submits it to the antivirus product repeatedly, observes whether the scan result identifies it, and modifies the sample accordingly until it is no longer scanned and removed by the antivirus software.
The embodiment of the invention provides a defense method for an antivirus product in AV-evasion scenarios which records the signature markers hit by a scanned file; when the same file is subsequently uploaded, the scan detects the change in hit markers, and when that change exceeds a threshold the file is judged malicious. The antivirus product then extracts features directly from the file and adds them to its library, marks them as isolation features when the virus library is next updated, and releases them once a safety period has passed.
This design counters the evasion strategies known in the market through careful adjustment of the antivirus product's design. It keeps the antivirus product open to the public while quickly building a strong defense, and gives network defenders reliable support so that security work can proceed without being undermined by this threat.
AV evasion (免杀): the methods and strategies malware authors use to avoid detection and removal by traditional antivirus software and security systems.
Signature marker (feature point): a core technique of antivirus software. After analysing a malicious sample, security personnel extract from it a unique marker, which may be a character string or binary data; when that marker is found in a later file scan, the file is quickly flagged as potentially malicious.
Fig. 1 is a schematic diagram of the flow of a defense method for an antivirus product in AV-evasion scenarios according to an embodiment of the present disclosure.
Fig. 2 is a block flow diagram of the defense method for an antivirus product in AV-evasion scenarios corresponding to Fig. 1.
As shown in Fig. 2, the identification module is used for:
Original feature collection: recording the scanned signature list when the file is uploaded for the first time.
Feature collision: on subsequent uploads, checking the file's scanned signatures against the record and marking the collisions in the signature list.
Behaviour judgment: checking after each upload whether the signature list has been emptied; an emptied list indicates that the target is under evasion testing.
The decoy module is used for:
Feature extraction: simple feature extraction over the strings or code listing of the file.
Decoy features: using the extracted features as decoys for the tester to continue the evasion test against.
Decoy monitoring: monitoring whether the decoy feature markers are hit in subsequently uploaded files, and then processing those markers.
As shown in Fig. 1, at step S110 the input file is scanned; the signatures in the virus library are matched against the file content, and the signatures that matched form a signature list.
More specifically, after a malicious file is input for the first time the antivirus engine scans it; one scanning strategy is to match the file content against the signatures in the virus library. The signatures that matched form a list, which is passed to the identification module.
Step S120 follows.
At step S120, it is detected whether the matched signatures are a subset of any signature list in the database; when they are, this indicates a non-first test.
More specifically, the identification module detects whether the current signatures are a subset of any stored signature list; a subset indicates a non-first test. For a malicious file being input for the first time they are not a subset, so the list is stored in the corresponding database and the flow ends.
The process then goes to step S130.
At step S130, when the file is input for the first time and the current signatures are not a subset of any stored signature list, this signature list is stored in the corresponding database.
In an embodiment of the present invention, detecting whether the current signatures are a subset of any signature list in the database comprises: judging whether the file is being submitted for the first time; when it is, the antivirus engine scans the file and generates a large number of signature matches, which form a signature list to be stored; when the file is not being submitted for the first time and the stored signature list has not been emptied, the engine's scan generates new signature matches, each of which is checked against the original signature list, and when it is present there the corresponding entry is deleted from the original list, until the last entry of the original list has been deleted; and when the file is not being submitted for the first time and the stored signature list has been emptied, the currently submitted file is treated as a potentially threatening decoy fragment.
More specifically, as shown in Fig. 3, the identification module operates as follows:
Step 1: first upload of the file
As shown in Fig. 4, once the first-upload scan completes, the antivirus engine has generated a large number of signature matches, which form a signature list that is stored.
Step 2: non-first upload, signature list not emptied
As shown in Fig. 5, scanning the uploaded file with the antivirus engine yields new signature matches. The system checks whether each new signature is present in the original signature list; if it is, the corresponding entry is deleted from the original list. This repeats over successive uploads until the last entry of the original list has been deleted.
Step 3: non-first upload, signature list emptied
As shown in Fig. 6, the currently uploaded file is treated as a potentially threatening decoy fragment and passed to the decoy module for further processing.
In an embodiment of the present invention, the method further includes the following steps: when the incoming file is not a decoy-marked file, a special character string is obtained as a decoy feature and added to the feature list database; the tester cuts the file, probing for and modifying the features added to that database, and the resulting file is treated as a decoy file; when the incoming file is a decoy-marked file, evasion testing is underway.
More specifically, as shown in Fig. 7, the decoy module operates as follows:
Step one: the incoming file is not a decoy-marked file
A special character string is obtained as a decoy feature and added to the feature list database. A tester continuing the evasion test will keep cutting the file to probe for and modify the features in the library; at that point the list in the library is emptied again at the behaviour-recognition module, and the file re-enters the decoy module as a decoy file.
Step two: the incoming file is a decoy-marked file
When the incoming file is a decoy file marked in the database, the submitter is performing evasion testing.
In the embodiment of the invention, when a malicious file is not being input for the first time, the method comprises the following steps: after the test file is input, the antivirus engine scans it and obtains a signature list; when the test file's list is judged to be a subset of a signature list in the database, a set operation between the list extracted by this scan and the database list removes the overlapping entries from the stored list, the database list being the signature list obtained when the file was scanned previously and stored in the database; it is detected whether the stored signature list is now empty, and when it is not empty the current flow ends; when the stored list is empty, the current test file is set as a decoy seed file; the non-repeated character strings of the decoy seed file are extracted as threat features and added to a temporary feature database; and when the file is input for testing again, the presence of the decoy features is detected, and if they are present evasion testing is judged to be taking place.
More specifically, when a malicious file is not being input for the first time, the method comprises the following steps:
(1) After the malicious file is input, the antivirus engine scans it, obtains the signature list, and uploads the list to the identification module.
(2) The identification module determines that the list is a subset of the previously stored signature list and performs a set operation between the new list and the database list that removes the overlapping entries.
(3) It detects whether the stored signature list is empty; when it is not empty, the current flow ends.
(4) When the list is empty, the current test file is set as a decoy seed file and passed to the decoy module.
(5) In the decoy module, the non-repeated character strings of the file are extracted and added to the temporary feature database as threat features.
(6) When the file is input for testing again, the presence of the decoy features is detected; if they are present, evasion testing is judged to be taking place.
In the embodiment of the invention, after each file upload the system checks whether the signature list has been emptied; when it has, evasion testing is judged to be in progress.
The evasion-identification technique therefore proceeds as follows: first, preliminary identification through signature-marker collision; next, adding decoy features to the potential evasion fragment; then monitoring whether the target attempts to remove those decoy features, from which it is judged whether the target is under evasion testing.
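The identification and decoy flow described above, as an added example that is not the patent's code: a scanning function over a constructed signature library, an identification module that stores the first upload's signature list, deletes re-matched entries on later uploads and, once the list is emptied, seeds decoy features from the file's unique strings, and a decoy check applied to every later upload. The library patterns, sample file, tester edits and verdict names are constructed for the example; the reduction rule follows the literal description in Step 2 (entries that match again are deleted from the stored list).

```python
"""Added example: signature-subset tracking plus decoy features against iterative
AV-evasion testing, illustrating the flow described above. Not the patent's code:
the signature library, sample file, tester edits and verdict names are constructed."""
import re

# Constructed "virus library": signature name -> byte pattern. Not real signatures.
VIRUS_LIBRARY = {
    "SIG_A": b"CreateRemoteThread",
    "SIG_B": b"cmd.exe /c",
    "SIG_C": b"http://c2.invalid/gate",
}

# Verdicts returned by Identifier.submit (names chosen for this example)
FIRST, NON_FIRST, DECOY_SEEDED, EVASION_TEST, CLEAN = (
    "first", "non-first", "decoy-seeded", "evasion-test", "clean")


def scan(content: bytes) -> frozenset:
    """Scanning module: the set of library signatures whose pattern occurs in the file."""
    return frozenset(name for name, pat in VIRUS_LIBRARY.items() if pat in content)


def extract_decoy_strings(content: bytes, min_len: int = 8) -> set:
    """Decoy module, feature extraction: non-space printable strings that occur exactly
    once in the file and are not library patterns themselves. 'Occurs once' is the
    patent's 'non-repeated strings'; the length cut-off is this example's choice."""
    tokens = re.findall(rb"[\x21-\x7e]{%d,}" % min_len, content)
    return {t for t in set(tokens)
            if tokens.count(t) == 1
            and not any(pat in t for pat in VIRUS_LIBRARY.values())}


class Identifier:
    """Identification and decoy modules. Each record is one stored signature list:
    'original' is the list from the first upload, 'remaining' loses an entry each
    time a later upload re-matches it (the 'feature collision' step), and 'decoys'
    holds the temporary decoy features once the list has been emptied."""

    def __init__(self):
        self.records = []

    def submit(self, content: bytes) -> str:
        matched = scan(content)
        # Decoy monitoring: a planted string still present means the submitter is
        # iterating on the seeded file, whatever happened to the real signatures.
        for rec in self.records:
            if any(d in content for d in rec["decoys"]):
                return EVASION_TEST
        if not matched:
            return CLEAN  # neither the library nor the decoy features hit
        # Subset test: a matched list contained in a stored list is a non-first upload.
        for rec in self.records:
            if matched <= rec["original"]:
                rec["remaining"] -= matched  # delete the re-matched entries
                if rec["remaining"]:
                    return NON_FIRST
                # List emptied: every original signature has been matched again across
                # uploads. This upload becomes the decoy seed; its unique strings become
                # the decoy features that later uploads are checked against.
                rec["decoys"] = extract_decoy_strings(content)
                return DECOY_SEEDED
        # First upload of this signature combination: store the list.
        self.records.append({"original": matched, "remaining": set(matched), "decoys": set()})
        return FIRST


def demo() -> list:
    """A constructed tester session against the engine; returns the verdict sequence."""
    ident = Identifier()
    sample = (b"MZ\x90\x00 stub CreateRemoteThread cmd.exe /c whoami "
              b"http://c2.invalid/gate mutex=Global\\zx9q-lock-7731 end")
    verdicts = [ident.submit(sample)]                                          # first upload
    verdicts.append(ident.submit(sample.replace(b"CreateRemoteThread", b"X" * 18)))  # one signature cut
    verdicts.append(ident.submit(sample))                                      # original resubmitted
    stripped = sample
    for pat in VIRUS_LIBRARY.values():                # every real signature cut, but the
        stripped = stripped.replace(pat, b"X" * len(pat))   # unique mutex string left in place
    verdicts.append(ident.submit(stripped))
    verdicts.append(ident.submit(b"plain text with nothing the library knows"))
    return verdicts


if __name__ == "__main__":
    print(demo())  # ['first', 'non-first', 'decoy-seeded', 'evasion-test', 'clean']
```

Two caveats the text leaves open. An upload that matches nothing is, set-theoretically, a subset of every stored list, so the example returns clean rather than treating it as a non-first upload; and an unrelated file that happens to hit a subset of the same signatures would be folded into an existing record, so a production version would want a second key (a similarity hash, for instance, which is this example's suggestion) before applying the reduction. Decoy features are kept in a per-record temporary set and never written into the real library, which is the isolation the page's "safety period" refers to.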
Fig. 8 shows a defense system 800 for an antivirus product in AV-evasion scenarios provided by the present invention, including a scanning module 810 and an identification module 820.
The scanning module 810 is used to scan the input file, match the signatures in the virus library against the file content, and form a signature list from the signatures that matched.
The identification module 820 is configured to detect whether the matched signatures are a subset of any signature list in the database, a subset of a stored list indicating a non-first test, and,
when the file is input for the first time and the current signatures are not a subset of any stored signature list, to store this signature list in the corresponding database.
In an embodiment of the present invention, the system further includes:
an operation module configured to scan the test file after it is input and obtain a signature list;
when the test file's list is judged to be a subset of a signature list in the database, to perform a set operation between the list extracted by this scan and the database list that removes the overlapping entries from the stored list, the database list being the signature list obtained when the file was scanned previously and stored in the database;
to detect whether the stored signature list is now empty and, when it is not empty, to end the current flow;
when the stored signature list is empty, to set the current test file as a decoy seed file;
to extract the non-repeated character strings of the decoy seed file as threat features and add them to a temporary feature database; and
when the file is input for testing again, to detect whether the decoy features are present and, if they are, to judge that evasion testing is taking place.
Referring to fig. 9, the disclosed embodiment also provides an electronic device 90, which includes:
At least one processor; and
A memory communicatively coupled to the at least one processor; wherein,
The memory stores instructions executable by the at least one processor to enable it to perform the defense method for antivirus products in AV-evasion scenarios of the foregoing method embodiments.
The disclosed embodiments also provide a non-transitory computer-readable storage medium storing computer instructions for causing a computer to perform the defense method for antivirus products in AV-evasion scenarios of the foregoing method embodiments.
The disclosed embodiments also provide a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the program comprising instructions which, when executed by a computer, cause the computer to perform the defense method for antivirus products in AV-evasion scenarios of the foregoing method embodiments.
Referring now to fig. 9, a schematic diagram of an electronic device 90 suitable for use in implementing embodiments of the present disclosure is shown. The electronic devices in the embodiments of the present disclosure may include, but are not limited to, mobile terminals such as mobile phones, notebook computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players), in-vehicle terminals (e.g., in-vehicle navigation terminals), and the like, and stationary terminals such as digital TVs, desktop computers, and the like. The electronic device shown in fig. 9 is merely an example, and should not impose any limitations on the functionality and scope of use of embodiments of the present disclosure.
As shown in fig. 9, the electronic device 90 may include a processing means (e.g., a central processor, a graphics processor, etc.) 901, which may perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 902 or a program loaded from a storage means 908 into a Random Access Memory (RAM) 903. In the RAM 903, various programs and data necessary for the operation of the electronic device 90 are also stored. The processing device 901, the ROM 902, and the RAM 903 are connected to each other through a bus 904. An input/output (I/O) interface 905 is also connected to the bus 904.
In general, the following devices may be connected to the I/O interface 905: input devices 906 including, for example, a touch screen, touchpad, keyboard, mouse, image sensor, microphone, accelerometer, gyroscope, and the like; an output device 907 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage 908 including, for example, magnetic tape, hard disk, etc.; and a communication device 909. The communication means 909 may allow the electronic device 90 to communicate with other devices wirelessly or by wire to exchange data. While an electronic device 90 having various means is shown, it should be understood that not all of the illustrated means are required to be implemented or provided. More or fewer devices may be implemented or provided instead.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network via the communication device 909, or installed from the storage device 908, or installed from the ROM 902. When executed by the processing device 901, the computer program performs the above-described functions defined in the methods of the embodiments of the present disclosure.
It should be noted that the computer readable medium described in the present disclosure may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present disclosure, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. 
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, fiber optic cables, RF (radio frequency), and the like, or any suitable combination of the foregoing.
The computer readable medium may be contained in the electronic device; or may exist alone without being incorporated into the electronic device.
The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: acquiring at least two internet protocol addresses; sending a node evaluation request comprising the at least two internet protocol addresses to node evaluation equipment, wherein the node evaluation equipment selects an internet protocol address from the at least two internet protocol addresses and returns the internet protocol address; receiving an Internet protocol address returned by the node evaluation equipment; wherein the acquired internet protocol address indicates an edge node in the content distribution network.
Or the computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: receiving a node evaluation request comprising at least two internet protocol addresses; selecting an internet protocol address from the at least two internet protocol addresses; returning the selected internet protocol address; wherein the received internet protocol address indicates an edge node in the content distribution network.
Computer program code for carrying out operations of the present disclosure may be written in one or more programming languages, including an object oriented programming language such as Java, Smalltalk or C++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units involved in the embodiments of the present disclosure may be implemented by means of software, or may be implemented by means of hardware. The name of the unit does not in any way constitute a limitation of the unit itself, for example the first acquisition unit may also be described as "unit acquiring at least two internet protocol addresses".
It should be understood that portions of the present disclosure may be implemented in hardware, software, firmware, or a combination thereof.
The foregoing is merely specific embodiments of the disclosure, but the protection scope of the disclosure is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the disclosure are intended to be covered by the protection scope of the disclosure. Therefore, the protection scope of the present disclosure shall be subject to the protection scope of the claims.

Claims (9)

1. A method of defending an anti-virus product in a kill-free scenario, the method comprising the steps of:
Scanning an input file; matching the feature codes in the virus library with the file contents, and forming a feature code list from the successfully matched feature codes;
Detecting whether the successfully matched feature codes are a subset of any feature code list in a database; when the successfully matched feature codes are a subset of any feature code list in the database, this represents a non-first test;
when the file is input for the first time and the current feature codes are not a subset of any of the feature code lists in the database, storing this feature list in the corresponding database.
2. The method of claim 1, wherein when a malicious file is not input for the first time, the method comprises the steps of:
After the test file is input, the antivirus engine scans it and acquires a feature code list;
When the test file is judged to be a subset of any feature code list in the database, performing an OR operation on the feature code list extracted in the scan and the database list to remove redundant items; the database list is the feature code list obtained when the file was previously scanned and stored in the database;
Detecting whether the stored feature code list obtained by the antivirus engine scan is empty; when it is not empty, ending the current flow;
when the stored feature code list obtained by the antivirus engine scan is empty, setting the current test file as a decoy seed file;
extracting the non-repeated character strings in the decoy seed file as threat features, and adding the threat features to a temporary feature database;
When the file is input for testing again, detecting whether the decoy feature exists, and judging the behaviour to be a kill-free test if the decoy feature exists.
3. The method of claim 1, wherein detecting whether the current feature code is a subset of any feature code list in the database comprises:
Judging whether the file is input for the first time; when the file is input for the first time, the antivirus engine scans the file to generate a large number of feature codes, and the feature codes form a feature list to be stored; and
When the file is not input for the first time and the feature list has not been emptied, generating new feature codes after the file is scanned by the antivirus engine; checking whether each new feature code exists in the original feature list; when the feature code exists, deleting the corresponding feature code item from the original feature list, until the last feature code in the original feature list is deleted;
When the file is not input for the first time and the feature list has been emptied, treating the currently input file as a potentially threatening decoy segment.
4. The method of defending an anti-virus product in a kill-free scenario as claimed in claim 3, further comprising the steps of:
When the incoming file is not a decoy-marked file, obtaining a special character string as a decoy feature, and adding the decoy feature to the feature list database;
Cutting the file, querying and modifying the features added to the feature list database, and using the result as a decoy file;
When the incoming file is a decoy-marked file, this indicates that a kill-free test is underway.
5. The method of defending an anti-virus product in a kill-free scenario as claimed in any one of claims 1 to 4, wherein after each file input it is checked whether the feature list has been emptied; when the feature list has been emptied, this indicates that a kill-free test is being performed.
6. A defense system for an anti-virus product in a kill-free scenario, the system comprising:
A scanning module configured to scan the input file; match the feature codes in the virus library with the file contents, and form a feature code list from the successfully matched feature codes;
An identification module configured to detect whether the successfully matched feature codes are a subset of any feature code list in the database; when the successfully matched feature codes are a subset of any feature code list in the database, this represents a non-first test; and
When the file is input for the first time and the current feature codes are not a subset of any of the feature code lists in the database, this feature list is stored in the corresponding database.
7. The anti-virus product defense system of claim 6, further comprising:
An operation module configured to scan and acquire a feature code list after the test file is input;
When the test file is judged to be a subset of any feature code list in the database, performing an OR operation on the feature code list extracted in the scan and the database list to remove redundant items; the database list is the feature code list obtained when the file was previously scanned and stored in the database;
Detecting whether the stored feature code list obtained by the antivirus engine scan is empty; when it is not empty, ending the current flow;
when the stored feature code list obtained by the antivirus engine scan is empty, setting the current test file as a decoy seed file;
extracting the non-repeated character strings in the decoy seed file as threat features, and adding the threat features to a temporary feature database;
When the file is input for testing again, detecting whether the decoy feature exists, and judging the behaviour to be a kill-free test if the decoy feature exists.
8. An electronic device, comprising:
At least one processor; and
A memory communicatively coupled to the at least one processor; wherein,
The memory stores instructions executable by the at least one processor, which, when executed by the at least one processor, cause the at least one processor to perform the method of defending an anti-virus product in a kill-free scenario of any one of claims 1 to 5.
9. A non-transitory computer-readable storage medium storing computer instructions that, when executed by at least one processor, cause the at least one processor to perform the method of defending an anti-virus product in a kill-free scenario of any one of claims 1 to 5.
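The flow of claims 1 to 5 (first input stores the matched feature codes; a later input whose matches are a subset of the stored list is a re-test; a list that shrinks to empty marks a decoy seed whose distinctive strings become temporary threat features), as an added illustration that is not the patentee's implementation. It assumes feature codes are plain byte substrings, that re-submissions are correlated by a caller-supplied session key (the claims do not say how "the same file" is recognised), and that decoy features are printable strings of at least eight bytes; the signature library and the sample series are constructed.

```python
import re

# Constructed toy "virus library": feature codes are byte substrings.
SIGNATURES = {b"CreateRemoteThread", b"VirtualAllocEx", b"cmd.exe /c"}

class KillFreeDetector:
    def __init__(self, signatures=SIGNATURES, min_len=8):
        self.signatures = set(signatures)
        self.histories = {}          # session key -> stored feature code list
        self.decoy_features = set()  # temporary threat feature database
        self.min_len = min_len       # assumed minimum decoy string length

    def scan(self, data):
        """Match the virus-library feature codes against the file content."""
        return {s for s in self.signatures if s in data}

    def extract_strings(self, data):
        """Distinct printable, non-blank strings of a decoy seed file."""
        pattern = rb"[\x21-\x7e]{%d,}" % self.min_len
        return {m.group() for m in re.finditer(pattern, data)}

    def submit(self, session, data):
        # A planted decoy feature in a later input exposes the final payload.
        if any(f in data for f in self.decoy_features):
            return "kill-free test detected: decoy feature present"
        matched = self.scan(data)
        stored = self.histories.get(session)
        if not stored or not matched <= stored:
            if not matched:
                return "clean: no feature codes matched"
            self.histories[session] = matched   # first input: store the list
            return "first input: %d feature codes stored" % len(matched)
        # Non-first test: keep only the codes the tester has not yet stripped.
        self.histories[session] = matched
        if matched:
            return "non-first test: %d feature codes remain" % len(matched)
        # List emptied: the sample now evades the library; seed decoy features.
        del self.histories[session]
        self.decoy_features |= self.extract_strings(data)
        return "kill-free test detected: decoy seed stored"

# Constructed resubmission series from one tester (S1..S4) and a later
# input (S5) from a different session that reuses the evasive strings.
S1 = b"MZ\x90\x00 payload uses VirtualAllocEx then CreateRemoteThread and cmd.exe /c whoami UNIQUE_MARKER_STRING_42"
S2 = b"MZ\x90\x00 payload uses VirtualAllocEx then Cr3ateRemoteThread and cmd.exe /c whoami UNIQUE_MARKER_STRING_42"
S3 = b"MZ\x90\x00 payload uses V1rtualAllocEx then Cr3ateRemoteThread and cmd.exe /c whoami UNIQUE_MARKER_STRING_42"
S4 = b"MZ\x90\x00 payload uses V1rtualAllocEx then Cr3ateRemoteThread and c_m_d whoami UNIQUE_MARKER_STRING_42"
S5 = b"MZ\x90\x00 final build: V1rtualAllocEx Cr3ateRemoteThread c_m_d"

def demo():
    d = KillFreeDetector()
    results = [d.submit("tester-1", s) for s in (S1, S2, S3, S4)]
    results.append(d.submit("tester-2", S5))
    return results
```

Note that a benign file with no matches is reported clean however often it is resubmitted, because only a non-empty stored list can shrink to empty.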

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410061880.7A CN117892303A (en) 2024-01-16 2024-01-16 Defense methods and systems for antivirus products in kill free scenarios

Publications (1)

Publication Number Publication Date
CN117892303A true CN117892303A (en) 2024-04-16

Family

ID=90648556

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination