WO2021243716A1 - Suspicious software detection method and apparatus, and computer readable medium - Google Patents


Info

Publication number
WO2021243716A1
Authority
WO
WIPO (PCT)
Prior art keywords
file
information
executable file
executable
suspicious
Application number
PCT/CN2020/094742
Other languages
French (fr)
Chinese (zh)
Inventor
高永吉
李锐
王哲
万朔
闫韬
马工速
Original Assignee
西门子股份公司 (Siemens AG)
西门子(中国)有限公司 (Siemens Ltd., China)
Application filed by 西门子股份公司 (Siemens AG) and 西门子(中国)有限公司 (Siemens Ltd., China)
Priority application: PCT/CN2020/094742
Related national application: CN202080100927.6A (published as CN115605866A)
Publication: WO2021243716A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Definitions

  • The embodiments relate to the field of security technology, and in particular to a method, device, and computer-readable medium for detecting suspicious software.
  • One task of security analysis is to detect suspicious software installed on a device. An attacker can install such software to tamper with sensitive data, modify configuration files, and so on, so it should be detected thoroughly and effectively.
  • A software whitelist is a method that allows only specific software and applications to run in order to maintain security. It is a collection of trusted software; software not on the whitelist is considered untrusted, or at least suspicious.
  • A software blacklist is a method that prohibits only specific software and applications from running. It is a collection of untrusted software, up to and including highly suspicious software or malware. Detecting suspicious software by signature with whitelists and blacklists requires maintaining a huge signature database, and for the inspection of one particular device most of that database is redundant.
  • The embodiments provide a suspicious software detection method, device, and computer-readable medium with which the detection range of suspicious software is effectively narrowed and detection is more efficient.
  • A method for detecting suspicious software may include: determining at least one file that has changed on a device; searching for executable files among those files; and, for each executable file found, determining first information (information about the operation that caused the executable file to change), determining second information (indicating attributes of the executable file), and determining the suspicious degree of the executable file from the first and second information.
  • A suspicious software detection device may include:
  • -A search module configured to determine at least one file that has changed on a device and to search for executable files among those files;
  • -A detection module configured to perform, for each executable file found, the following operations: determine first information, which includes information about the operation that caused the executable file to change; determine second information, which indicates attributes of the executable file; and determine the suspicious degree of the executable file from the first and second information.
  • A suspicious software detection device may also include at least one memory configured to store computer-readable code, and at least one processor configured to call that code and carry out the steps of the method of the first aspect.
  • A computer-readable medium may store computer-readable instructions that, when executed by a processor, cause the processor to carry out the steps of the method of the first aspect.
  • By obtaining information about file changes on the device to be inspected, executable files are searched for among the changed files, and suspicious software is then detected among those executables. This effectively narrows the detection range and improves detection efficiency.
  • Third information that records the state of the files on the device at each of several points in time within a period can be obtained, and the third information from the different points in time compared, to determine the files that changed on the device during that period.
  • In this way, existing third information is used to determine the changed files quickly and conveniently, effectively narrowing the detection range for suspicious software.
  • VSS (Volume Shadow Copy Service) snapshots are designed for data recovery. Here, VSS snapshots taken at different points in time are used to obtain file-change information and, from it, to narrow the detection range, which is both convenient and efficient. One caveat for practitioners: the comparison only sees changes that fall between two surviving snapshots, and shadow copies can be deleted by anyone with administrative rights, so a missing snapshot leaves the corresponding window blind.
  • The third information at each point in time may also be compared to determine the operation that changed each executable file found within the period.
  • That operation information can then be used in determining the suspicious degree of the executable file.
  • The first information includes at least one of the following: information about a file creation operation; information about a file modification operation; information about a file deletion operation.
  • The second information includes at least one of the following: file name; file storage path; file creation time; file type; digital signature.
  • FIG. 1 is a schematic structural diagram of a suspicious software detection device provided by an embodiment of the present invention.
  • Fig. 2 is a flowchart of a suspicious software detection method provided by an embodiment of the present invention.
  • Fig. 3 is a flowchart of determining the suspicious degree of a file according to file operations in an embodiment of the present invention.
  • FIG. 4 is a flowchart of determining the suspicious degree of a file according to the file attribute in an embodiment of the present invention.
  • the term “including” and its variations mean open terms, meaning “including but not limited to”.
  • the term “based on” means “based at least in part on.”
  • the terms “one embodiment” and “an embodiment” mean “at least one embodiment.”
  • the term “another embodiment” means “at least one other embodiment.”
  • the terms “first”, “second”, etc. may refer to different or the same objects. Other definitions can be included below, whether explicit or implicit. Unless clearly indicated in the context, the definition of a term is consistent throughout the specification.
  • The device that implements suspicious software detection is called the suspicious software detection device 10.
  • The suspicious software detection device 10 obtains file-change information from the device 30 to be inspected, searches for executable files among the changed files, and detects suspicious software among those executables. Obtaining file-change information narrows the detection range and greatly improves detection efficiency.
  • The device 30 to be inspected may be any computer, or any device with a computer architecture, including a desktop computer, notebook, tablet, industrial computer, server, embedded device, and so on. It can be used to inspect a wide range of equipment such as industrial control equipment and household equipment.
  • The suspicious software detection device 10 may be implemented as a network of computer processors executing the suspicious software detection method 200 of the embodiments.
  • The suspicious software detection device 10 may also be a single computer as shown in FIG. 1.
  • the suspicious software detection device 10 may also include at least one memory 101, which includes a computer-readable medium, such as a random access memory (RAM).
  • the device 10 also includes at least one processor 102 coupled with at least one memory 101.
  • Computer-executable instructions are stored in at least one memory 101, and when executed by at least one processor 102, can cause at least one processor 102 to perform the steps described herein.
  • the at least one processor 102 may include a microprocessor, an application specific integrated circuit (ASIC), a digital signal processor (DSP), a central processing unit (CPU), a graphics processing unit (GPU), a state machine, and the like.
  • ASIC application specific integrated circuit
  • DSP digital signal processor
  • CPU central processing unit
  • GPU graphics processing unit
  • Examples of computer-readable media include, but are not limited to, floppy disks, CD-ROMs, magnetic disks, memory chips, ROM, RAM, ASICs, configured processors, all optical media, all magnetic tapes or other magnetic media, or any other medium from which a computer processor can read instructions.
  • Various other forms of computer-readable media can send or carry instructions to a computer, including routers, private or public networks, or other wired and wireless transmission devices or channels. The instructions can include code in any computer programming language, including C, C++, Visual Basic, Java, and JavaScript.
  • The at least one memory 101 shown in FIG. 1 may contain a suspicious software detection program 20, so that the at least one processor 102 executes the suspicious software detection method 200 described in the embodiments.
  • The suspicious software detection program 20 may include:
  • -A search module 201 configured to determine at least one file 40 that has changed on the device 30 and to search for executable files 41 among the files 40;
  • -A detection module 202 configured to perform, for each executable file 41 found, the following operations: determine first information 51, which includes information about the operation that caused the executable file 41 to change; determine second information 52, which indicates attributes of the executable file 41; and determine the suspicious degree of the executable file 41 from the first information 51 and the second information 52.
  • When determining the changed files 40 on the device 30, the search module 201 is configured to obtain third information 53 recording the state of the files on the device 30 at each point in time within a period, and to compare the third information 53 from those points in time.
  • The first information 51 (information about the operation that caused the executable file 41 to change), the second information 52 (indicating the attributes of the executable file 41), and the third information 53 (recording the file state on the device 30 at each point in time) can all be stored in the at least one memory 101.
  • The first information 51 may include at least one of: information about a file creation operation; information about a file modification operation; information about a file deletion operation.
  • The second information 52 may include at least one of: file name; file storage path; file creation time; file type; digital signature.
  • The embodiments may include a device with a structure different from that shown in FIG. 1.
  • The foregoing architecture is only exemplary and serves to explain the method 200 provided by the embodiments.
  • The suspicious software detection device 10 can be implemented as a piece of software containing the suspicious software detection program 20, deployed on the device 30 to be inspected and used to detect suspicious software on that device 30.
  • The above modules can also be regarded as functional modules implemented in hardware, used to carry out the functions involved in the suspicious software detection method performed by the suspicious software detection device 10, such as the processing steps of the method.
  • For example, the control logic is burned into a Field-Programmable Gate Array (FPGA) chip or a Complex Programmable Logic Device (CPLD), and these chips or devices perform the functions of the above modules.
  • FPGA Field-Programmable Gate Array
  • CPLD Complex Programmable Logic Device
  • the specific implementation method may depend on engineering practice.
  • An exemplary method 200 includes the following steps: S201, determine at least one file 40 that has changed on the device 30; S202, search for executable files 41 among the files 40; and, for each executable file 41 found, S203, determine first information 51; S204, determine second information 52; and S205, determine the suspicious degree of the executable file 41 from the first information 51 and the second information 52.
  • The first information 51 includes information about the operation that caused the executable file 41 to change.
  • In step S201 the suspicious software detection device 10 may obtain third information 53 recording the state of the files on the device 30 at each point in time within a period, and compare the third information 53 from those points in time to determine the files 40 that changed during the period; in step S203 the same comparison yields, for each executable file 41 found, the operation that changed it during the period.
  • For example, VSS snapshots taken at various points in time within the period are obtained and sorted chronologically, and adjacent snapshots are then compared pairwise. This identifies the changed files 40 and the operation that caused each change; the operations are create, delete, and modify.
  • In step S202, whether a changed file 40 is an executable file can be determined from its meta-information, such as the file format.
  • The file type is determined by parsing the file format, rather than by trusting the file extension, which an attacker controls.
  • Executable files may include scripts, binary executable files, and so on. Restricting attention to them further narrows the detection range of suspicious software.
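The snapshot comparison (S201, S203) and executable filtering (S202) described above, as an added example that is not the patent's own code. Each snapshot is a constructed in-memory dict of path to content so the example runs anywhere; on a real Windows host each snapshot would be a VSS shadow copy, walked through its \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\ device path. The script-extension list, the sample paths, and the file contents are assumptions.

```python
# Steps S201-S203 of the patent's method, as an added example (not the patent's
# own code): diff adjacent snapshots, record the operation that changed each
# file, then keep only executables identified by parsing the file format.
# Assumption: a snapshot is a constructed in-memory dict {path: content}. On a
# Windows host each snapshot would be a VSS shadow copy, walked through its
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\ device path.
import hashlib
import ntpath
import struct
from typing import Dict, List, Tuple

Snapshot = Dict[str, bytes]

# Script extensions counted as executable (assumed list; the patent only says
# "scripts, binary executable files, and so on").
SCRIPT_EXTENSIONS = {".ps1", ".bat", ".cmd", ".vbs", ".js"}


def diff_snapshots(snapshots: List[Tuple[str, Snapshot]]) -> Dict[str, List[str]]:
    """Compare adjacent snapshots (sorted oldest first) pairwise and return
    {path: [operations]} with operations "create", "delete" or "modify"."""
    operations: Dict[str, List[str]] = {}
    for (_, older), (_, newer) in zip(snapshots, snapshots[1:]):
        for path in sorted(set(older) | set(newer)):
            if path not in older:
                op = "create"
            elif path not in newer:
                op = "delete"
            elif hashlib.sha256(older[path]).digest() != hashlib.sha256(newer[path]).digest():
                op = "modify"
            else:
                continue  # unchanged in this window: outside the detection range
            operations.setdefault(path, []).append(op)
    return operations


def is_executable(name: str, data: bytes) -> bool:
    """Classify by format: PE (MZ stub with 'PE\\0\\0' at e_lfanew), ELF, a
    shebang script, or a known script extension. A '.exe' without a valid PE
    header is not counted as a binary executable."""
    if data[:2] == b"MZ":
        if len(data) < 0x40:
            return False
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    if data[:4] == b"\x7fELF" or data[:2] == b"#!":
        return True
    return ntpath.splitext(ntpath.basename(name))[1].lower() in SCRIPT_EXTENSIONS


def find_changed_executables(snapshots: List[Tuple[str, Snapshot]]) -> Dict[str, List[str]]:
    """S201 + S202 + S203: changed files narrowed to executables, each with the
    operations that changed it. A deleted file's content is read from the last
    snapshot that still held it."""
    result: Dict[str, List[str]] = {}
    for path, ops in diff_snapshots(snapshots).items():
        content = next(snap[path] for _, snap in reversed(snapshots) if path in snap)
        if is_executable(path, content):
            result[path] = ops
    return result


def _fake_pe(tag: bytes) -> bytes:
    """Minimal MZ stub whose e_lfanew (offset 0x3C) points at a PE signature."""
    return b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + tag


# Constructed snapshots at three points in time (sample data, not real captures).
SAMPLE_SNAPSHOTS: List[Tuple[str, Snapshot]] = [
    ("2024-05-01", {
        r"C:\Windows\System32\svchost.exe": _fake_pe(b"v1"),
        r"C:\Program Files\Vendor\application.exe": _fake_pe(b"app1"),
        r"C:\Users\alice\notes.txt": b"hello",
        r"C:\Users\alice\AppData\Local\Temp\setup.log": b"ok",
    }),
    ("2024-05-02", {
        r"C:\Windows\System32\svchost.exe": _fake_pe(b"v1"),
        r"C:\Program Files\Vendor\application.exe": _fake_pe(b"app2"),        # modified
        r"C:\Users\alice\notes.txt": b"hello world",                            # modified, not executable
        r"C:\Users\alice\AppData\Local\Temp\setup.log": b"ok",
        r"C:\Users\alice\AppData\Local\Temp\scvhost.exe": _fake_pe(b"evil"),   # created
    }),
    ("2024-05-03", {
        r"C:\Windows\System32\svchost.exe": _fake_pe(b"v1"),
        r"C:\Program Files\Vendor\application.exe": _fake_pe(b"app2"),
        r"C:\Users\alice\notes.txt": b"hello world",
        # setup.log deleted here; it is not executable, so it drops out of the result
        r"C:\Users\alice\AppData\Local\Temp\scvhost.exe": _fake_pe(b"evil"),
        r"C:\Users\alice\run.ps1": b"Start-Process scvhost.exe",               # created script
    }),
]

if __name__ == "__main__":
    for path, ops in find_changed_executables(SAMPLE_SNAPSHOTS).items():
        print(f"{path}: {', '.join(ops)}")
```

Two points worth keeping in mind when turning this into a tool. Content is compared by digest, so a change to metadata alone (for instance a rewritten timestamp) does not register as "modify" here; the timestamp rules belong to the attribute scoring stage. And unchanged files are never materialised, which is exactly where the efficiency gain the text describes comes from: only the paths that differ between two shadow copies are ever read in full.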
  • In step S205 the suspicious degree of the executable file 41 is determined from the first information 51 and second information 52 obtained in steps S203 and S204.
  • The suspicious degree of an executable file 41 can be expressed as a score: the lower the score, the more suspicious the file.
  • One possible implementation scores the first information 51 to obtain a first score value 71 and scores the second information 52 to obtain a second score value 72, then computes a total score from the two (for example their sum or a weighted sum) and determines the suspicious degree of the executable file 41 from the total.
  • Sub-step S2051 (scoring the first information 51) may further include:
  • -S20511 Examine the content of the first information 51. If it includes file creation operation information 511, perform sub-step S20512; if it includes file modification operation information 512, perform sub-step S20513; if it includes file deletion operation information 513, perform sub-step S20514.
  • The above procedure for determining the first score value 71 from the first information 51 is only an example; there are many possible ways to do it. What the procedure expresses is that an executable file 41 that was created is considered highly suspicious, a file that was modified or deleted somewhat less so, and a file that did not change is not considered at all. Any set of rules that realises this ordering achieves the purpose of grading the suspicious degree of an executable by the type of file operation.
  • Sub-step S2052 (scoring the second information 52) may further include:
  • -S20521 Compare the file name 521 of the executable file 41 with the system file names 521'. If the file name judgment condition 61 is met (for example, the similarity between the two exceeds a preset threshold), the names are considered similar and sub-step S20522 is executed; otherwise sub-step S20522 is skipped and sub-step S20523 is executed directly.
  • -S20523 Compare the storage path 522 of the executable file 41 with the designated directories 522', which may include but are not limited to the system directory, the user profile directory, and the temporary (temp) directory. If the storage path judgment condition 62 is met (for example, the directories are the same), sub-step S20524 is executed; otherwise sub-step S20524 is skipped and sub-step S20525 is executed directly.
  • -S20525 Compare the file times 523 of the executable file 41 with the creation-time value range 523'. The times associated with a file are its creation time, modification time, access time, and MFT record change time. The file time judgment condition 63 is met if either the creation time is later than all of the other times, or all of the times are zero (both patterns are typical of tampered timestamps). If condition 63 is met, sub-step S20526 is executed; otherwise it is skipped and sub-step S20527 is executed directly.
  • -S20527 Compare the file type 524 of the executable file 41 with the designated file types 524'. If the file type judgment condition 64 is met (for example, the file is a system file, a hidden file, a read-only file, or an archive file), sub-step S20528 is executed; otherwise it is skipped and sub-step S20529 is executed directly.
  • In S20528, if the executable file 41 has one of the above four attributes, the second score value 72 is reduced by 1; if it has three of them, the second score value 72 is reduced by 3.
  • -S20529 Determine whether the digital signature 525 of the executable file 41 satisfies the digital signature judgment condition 65 (for example, the signature is valid). If so, sub-step S20530 is executed; otherwise it is skipped and the final second score value 72 is obtained directly.
  • The above procedure for determining the second score value 72 from the second information 52 is only an example; there are many possible ways to do it. What it expresses is that a changed executable file 41 is more suspicious if its name resembles a system file name, its storage path lies in a designated directory 522', its creation time meets the preset condition, or its file type is a designated file type 524', while a valid digital signature greatly reduces the suspicious degree. Any set of rules that realises these judgments achieves the purpose of grading the suspicious degree of an executable by its file attributes.
  • As a worked example, a file named scvhost.exe (a look-alike of the system file name svchost.exe) and a file named application.exe are taken, the first score value 71 and second score value 72 are determined by the above procedure, and the total score is computed to determine the suspicious degree of each executable file 41.
  • The total scores of the two files come out at -8 and 50 respectively, indicating that scvhost.exe is the more suspicious one.
  • Table 1 shows the determination of the second score value 72.
  • Table 2 shows the determination of the first score value 71 and the total score value.
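The scoring of steps S2051 and S2052 applied to the two files of the example above, as an added example that is not the patent's code and does not reproduce Tables 1 and 2. The text fixes only the ordering of the rules (creation scores worst, a valid signature helps most, one point off per matching file attribute, lower total means more suspicious); the numeric weights, the list of system file names, the designated directories, the name-similarity threshold, and both files' metadata are assumptions, so the totals differ from the -8 and 50 quoted in the text.

```python
# Step S205 of the patent's method as an added example (not the patent's own
# code): first score from the operation, second score from the attributes,
# total = first + second, lower = more suspicious. All weights, name lists,
# directories, thresholds and sample metadata below are assumptions.
import difflib
from dataclasses import dataclass, field
from datetime import datetime
from typing import Set

OPERATION_SCORE = {"create": -5, "modify": -3, "delete": -3}   # S2051
NAME_PENALTY = -5          # S20522: name resembles a system file name
PATH_PENALTY = -3          # S20524: stored in a designated directory
TIME_PENALTY = -4          # S20526: timestamp pattern typical of tampering
ATTRIBUTE_PENALTY = -1     # S20528: per matching attribute, as in the text
SIGNATURE_BONUS = 50       # S20530: valid digital signature

SYSTEM_FILE_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe")
NAME_SIMILARITY_THRESHOLD = 0.8
# system directory and user profile directory; temp directories lie under them
DESIGNATED_DIRECTORIES = ("c:\\windows\\", "c:\\users\\")
DESIGNATED_ATTRIBUTES = {"system", "hidden", "readonly", "archive"}
FILETIME_ZERO = datetime(1601, 1, 1)   # what an all-zero NTFS timestamp decodes to


@dataclass
class ExecutableFacts:
    operation: str                 # first information: create / modify / delete
    path: str                      # second information from here on
    created: datetime
    modified: datetime
    accessed: datetime
    mft_changed: datetime
    attributes: Set[str] = field(default_factory=set)
    signature_valid: bool = False

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def name_resembles_system_file(name: str) -> bool:
    """S20521: similarity to any known system file name at or above the
    threshold; catches look-alikes such as scvhost.exe versus svchost.exe."""
    return any(difflib.SequenceMatcher(None, name.lower(), sys_name).ratio()
               >= NAME_SIMILARITY_THRESHOLD for sys_name in SYSTEM_FILE_NAMES)


def in_designated_directory(path: str) -> bool:
    """S20523: case-insensitive prefix match against the designated directories."""
    return path.lower().startswith(DESIGNATED_DIRECTORIES)


def timestamps_suspicious(f: ExecutableFacts) -> bool:
    """S20525: creation time later than modification, access and MFT-change
    time, or every timestamp zero."""
    others = (f.modified, f.accessed, f.mft_changed)
    all_zero = all(t == FILETIME_ZERO for t in (f.created,) + others)
    return all_zero or f.created > max(others)


def first_score(f: ExecutableFacts) -> int:
    return OPERATION_SCORE[f.operation]


def second_score(f: ExecutableFacts) -> int:
    score = 0
    if name_resembles_system_file(f.name):
        score += NAME_PENALTY
    if in_designated_directory(f.path):
        score += PATH_PENALTY
    if timestamps_suspicious(f):
        score += TIME_PENALTY
    score += ATTRIBUTE_PENALTY * len(f.attributes & DESIGNATED_ATTRIBUTES)
    if f.signature_valid:
        score += SIGNATURE_BONUS
    return score


def total_score(f: ExecutableFacts) -> int:
    return first_score(f) + second_score(f)


# Constructed sample metadata for the two files of the text's example.
SCVHOST = ExecutableFacts(
    operation="create",
    path=r"C:\Users\alice\AppData\Local\Temp\scvhost.exe",
    created=datetime(2024, 5, 2, 10, 0),
    modified=datetime(2024, 1, 15), accessed=datetime(2024, 1, 15), mft_changed=datetime(2024, 1, 15),
    attributes={"hidden", "system", "readonly"},
    signature_valid=False,
)
APPLICATION = ExecutableFacts(
    operation="modify",
    path=r"C:\Program Files\Vendor\application.exe",
    created=datetime(2023, 6, 1),
    modified=datetime(2024, 5, 1), accessed=datetime(2024, 5, 2), mft_changed=datetime(2024, 5, 1),
    attributes={"archive"},
    signature_valid=True,
)

if __name__ == "__main__":
    for f in sorted((SCVHOST, APPLICATION), key=total_score):
        print(f"{f.name:16} first={first_score(f):4} second={second_score(f):4} total={total_score(f):4}")
```

In a deployment the inputs come from the file system rather than from constructed records: the four timestamps from the NTFS $STANDARD_INFORMATION attribute (creation, modification, access, MFT change), the attributes from the file's attribute flags, and signature validity from Authenticode verification (for example Get-AuthenticodeSignature in PowerShell). One caveat on the signature rule: a large bonus for a valid signature means malware signed with a stolen or leaked code-signing certificate scores as benign, so the bonus should depend on which signer is trusted, not only on the signature being valid.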
  • The embodiments also provide a computer-readable medium with computer-readable instructions stored on it.
  • When the computer-readable instructions are executed by a processor, the processor carries out the suspicious software detection method described above.
  • Examples of computer-readable media include floppy disks, hard disks, magneto-optical disks, optical disks (such as CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), magnetic tape, non-volatile memory cards, and ROM.
  • The computer-readable instructions can also be downloaded from a server computer or the cloud over a communication network.
  • In summary, the embodiments provide a suspicious software detection method, device, and computer-readable medium.
  • Whitelist and blacklist approaches require a huge, comprehensive database to be maintained, whereas the solution of the embodiments needs no database to be maintained in advance.
  • Most of the data in a whitelist or blacklist is redundant for the inspection of any one particular device or system.
  • The detection result is derived from the files on the device itself, so it is more accurate and can be applied to a wide range of devices and systems.
  • Whitelist and blacklist approaches require frequent updating of the signature database, whereas the solution of the embodiments can detect suspicious software without any database update, as long as file changes on the device can be detected.
  • Whitelists and blacklists are built from known suspicious software, so unknown suspicious software cannot be detected with them.
  • The embodiments instead summarise characteristics of suspicious software itself and detect on that basis, so there is a chance of finding unknown suspicious software of all kinds.
  • The system structure described in the foregoing embodiments may be physical or logical: some modules may be implemented by one physical entity, one module may be implemented by several physical entities, and some components may be implemented jointly by independent devices.

Abstract

Embodiments of the present invention relate to the technical field of security, and in particular to a suspicious software detection method and apparatus, and a computer readable medium, for fast and effective detection of suspicious software. A suspicious software detection method (200) comprises: determining (S201) at least one file (40) that has changed on a device (30); searching (S202) for executable files (41) among the at least one file (40); and, for each executable file (41) found, determining (S203) first information (51) comprising information about the operation that caused the executable file (41) to change, determining (S204) second information (52) indicating attributes of the executable file (41), and determining (S205) a suspicious degree of the executable file (41) from the first information (51) and the second information (52).

Description

Suspicious software detection method, device and computer readable medium
Technical field
The embodiments of the present invention relate to the field of security technology, and in particular to a suspicious software detection method, device, and computer-readable medium.
Background
One task of security analysis is to detect suspicious software installed on a device. An attacker can install such software maliciously to tamper with sensitive data, modify configuration files, and so on, so such software should be detected thoroughly and effectively.
However, as computer technology develops, the capacity of device storage media keeps growing, and finding suspicious software on such media is like looking for a needle in a haystack. An effective method for detecting suspicious software is therefore urgently needed.
At present, whitelists and blacklists are the main means of detecting suspicious software. A software whitelist is a method that allows only specific software and applications to run in order to maintain security. It is a collection of trusted software; in other words, software not on the whitelist is considered untrusted, or at least suspicious. A software blacklist is a method that prohibits only specific software and applications from running in order to maintain security. It is a collection of untrusted software, up to and including highly suspicious software or malware. Detecting suspicious software by signature with whitelists and blacklists requires a huge signature database to be maintained, and for the inspection of one particular device most of the information in that database is redundant.
Summary of the invention
Most of the data on a device is clean. If clean data can be filtered out as far as possible, the detection range is narrowed and the amount of data to inspect is reduced, so that suspicious software can be detected quickly and effectively. The embodiments of the present invention therefore provide a suspicious software detection method, device, and computer-readable medium. With the solution of the embodiments, the detection range of suspicious software is effectively narrowed and detection is more efficient.
In a first aspect, a suspicious software detection method is provided. The method may include:
-determining at least one file that has changed on a device;
-searching for executable files among the at least one file;
-for each executable file found, performing the following operations: determining first information, which includes information about the operation that caused the executable file to change; determining second information, which indicates attributes of the executable file; and determining the suspicious degree of the executable file from the first information and the second information.
In a second aspect, a suspicious software detection device is provided, which may include:
-a search module configured to determine at least one file that has changed on a device and to search for executable files among the at least one file;
-a detection module configured to perform, for each executable file found, the following operations: determine first information, which includes information about the operation that caused the executable file to change; determine second information, which indicates attributes of the executable file; and determine the suspicious degree of the executable file from the first information and the second information.
In a third aspect, a suspicious software detection device is provided, including at least one memory configured to store computer-readable code, and at least one processor configured to call the computer-readable code and carry out the steps provided in the first aspect.
In a fourth aspect, a computer-readable medium is provided on which computer-readable instructions are stored; when executed by a processor, the instructions cause the processor to carry out the steps provided in the first aspect.
By obtaining information about file changes on the device to be inspected, executable files are searched for among the changed files, and suspicious software is then detected among those executables. This effectively narrows the detection range of suspicious software and improves detection efficiency.
For any of the above aspects, optionally, third information recording the state of the files on the device at each of several points in time within a period can be obtained, and the third information from those points in time compared, to determine the at least one file that changed on the device during that period. In this way, existing third information is used to determine the changed files quickly and conveniently, effectively narrowing the detection range for suspicious software. For example, the changed files are determined by comparing VSS snapshots taken at different points in time. VSS snapshots are designed for data recovery; here, snapshots from different points in time are used to obtain file-change information and, from it, to narrow the detection range, which is both convenient and efficient.
Further, the third information from the different points in time can be compared to determine the operation that changed each executable file found within the period. The operation information can be used in determining the suspicious degree of the executable file.
For any of the above aspects, optionally, whether each of the at least one file is an executable file is determined from the meta-information of that file.
For any of the above aspects, optionally, the first information includes at least one of the following:
-information about a file creation operation;
-information about a file modification operation;
-information about a file deletion operation.
For any of the above aspects, optionally, the second information includes at least one of the following:
-file name;
-file storage path;
-file creation time;
-file type;
-digital signature.
Description of the drawings
FIG. 1 is a schematic structural diagram of a suspicious software detection apparatus provided by an embodiment of the present invention.
FIG. 2 is a flowchart of a suspicious software detection method provided by an embodiment of the present invention.
FIG. 3 is a flowchart of determining the degree of suspicion of a file according to file operations in an embodiment of the present invention.
FIG. 4 is a flowchart of determining the degree of suspicion of a file according to file attributes in an embodiment of the present invention.
List of reference signs: [figure image not reproduced in this extraction]
Detailed description
The subject matter described herein will now be discussed with reference to example embodiments. It should be understood that these embodiments are discussed only to enable those skilled in the art to better understand and implement the subject matter described herein, and not to limit the scope of protection, applicability or examples set forth in the claims. The function and arrangement of the elements discussed can be changed without departing from the scope of protection of the embodiments of the present invention. Each example may omit, substitute or add various procedures or components as needed. For example, the described method may be performed in an order different from the one described, and individual steps may be added, omitted or combined. In addition, features described with respect to some examples may also be combined in other examples.
As used herein, the term "including" and its variants are open terms meaning "including but not limited to". The term "based on" means "based at least in part on". The terms "one embodiment" and "an embodiment" mean "at least one embodiment". The term "another embodiment" means "at least one other embodiment". The terms "first", "second" and so on may refer to different objects or to the same object. Other definitions, whether explicit or implicit, may be included below. Unless the context clearly indicates otherwise, the definition of a term is consistent throughout the specification.
The embodiments of the present invention are described in detail below with reference to the accompanying drawings.
In the embodiments of the present invention, the apparatus that implements suspicious software detection is called the suspicious software detection apparatus 10. The suspicious software detection apparatus 10 can obtain information about file changes on the device 30 to be detected, search the changed files for executable files, and then detect suspicious software among those executable files. Obtaining file change information narrows the detection scope for suspicious software and greatly improves detection efficiency. The device 30 to be detected may be any computer device, or any device with a computer architecture, including computers, notebook computers, tablet computers, industrial PCs, servers, embedded devices and so on. The method can be used to inspect various kinds of equipment, such as industrial control equipment and household equipment.
The suspicious software detection apparatus 10 may be implemented as a network of computer processors that executes the suspicious software detection method 200 of the embodiments of the present invention. The suspicious software detection apparatus 10 may also be a single computer as shown in FIG. 1, which obtains the file state information 53 of the device 30 to be detected through a communication module 103. The suspicious software detection apparatus 10 may further include at least one memory 101, which includes a computer-readable medium such as random access memory (RAM). The apparatus 10 also includes at least one processor 102 coupled to the at least one memory 101. Computer-executable instructions are stored in the at least one memory 101 and, when executed by the at least one processor 102, cause the at least one processor 102 to perform the steps described herein. The at least one processor 102 may include a microprocessor, an application-specific integrated circuit (ASIC), a digital signal processor (DSP), a central processing unit (CPU), a graphics processing unit (GPU), a state machine and the like. Examples of computer-readable media include, but are not limited to, floppy disks, CD-ROMs, magnetic disks, memory chips, ROM, RAM, ASICs, configured processors, all optical media, all magnetic tapes or other magnetic media, or any other medium from which a computer processor can read instructions. In addition, various other forms of computer-readable media can send or carry instructions to a computer, including routers, private or public networks, or other wired and wireless transmission devices or channels. The instructions may include code in any computer programming language, including C, C++, C language, Visual Basic, Java and JavaScript.
The at least one memory 101 shown in FIG. 1 may contain a suspicious software detection program 20 which, when executed by the at least one processor 102, causes the at least one processor 102 to perform the suspicious software detection method 200 described in the embodiments of the present invention. The suspicious software detection program 20 may include:
- a search module 201, configured to determine at least one file 40 that has changed in the device 30 and to search the at least one file 40 for executable files 41;
- a detection module 202, configured to perform the following operations for each executable file 41 found:
- determine first information 51, the first information including information about the operation that caused the executable file 41 to change;
- determine second information 52, the second information indicating the attributes of the executable file 41;
- determine the degree of suspicion of the executable file 41 according to the first information 51 and the second information 52.
Optionally, when determining the at least one file 40 that has changed in the device 30, the search module 201 is configured to:
- obtain third information 53 recording the state of the files in the device 30 at each of several time points within a time period;
- compare the third information 53 at the different time points to determine the at least one file 40 that changed in the device 30 during that time period.
The first information 51 (including information about the operation that caused the executable file 41 to change), the second information 52 (information indicating the attributes of the executable file 41) and the third information 53 (information recording the state of the files in the device 30) may all be stored in the at least one memory 101.
For example, the first information 51 may include at least one of the following:
- operation information 511 for creating the file;
- operation information 512 for modifying the file;
- operation information 513 for deleting the file.
The second information 52 may include at least one of the following:
- file name 521;
- file storage path 522;
- file processing time 523;
- file type 524;
- digital signature 525.
It should be mentioned that embodiments of the present invention may include an apparatus with an architecture different from that shown in FIG. 2. The architecture above is merely exemplary and is used to explain the method 200 provided by the embodiments of the present invention. For example, the suspicious software detection apparatus 10 may be implemented as software that includes the suspicious software detection program 20 and is deployed on the device 30 to be detected, where it detects suspicious software on the device 30.
In addition, the modules above may also be regarded as functional modules implemented in hardware that realise the various functions involved when the suspicious software detection apparatus 10 performs the suspicious software detection method. For example, the control logic of the processes involved in the method may be burned in advance into a Field-Programmable Gate Array (FPGA) chip or a Complex Programmable Logic Device (CPLD), with those chips or devices then performing the functions of the modules; the specific implementation may depend on engineering practice.
As shown in FIG. 2, an exemplary method 200 according to an embodiment of the present invention includes the following steps:
- S201: determine at least one file 40 that has changed in a device 30;
- S202: search the at least one file 40 for executable files 41 and, for each executable file 41 found, perform the following operations:
- S203: determine first information 51, the first information including information about the operation that caused the executable file 41 to change;
- S204: determine second information 52, the second information indicating the attributes of the executable file 41;
- S205: determine the degree of suspicion of the executable file 41 according to the first information 51 and the second information 52.
Optionally, in step S201 the suspicious software detection apparatus 10 may obtain third information 53 recording the state of the files in the device 30 at each of several time points within a time period, and compare the third information 53 at those time points to determine the at least one file 40 that changed in the device 30 during the time period; in step S203, the third information 53 at those time points may likewise be compared to determine information about the operation that caused each executable file 41 found to change during the time period.
Taking as an example a device 30 to be detected that runs the Volume Snapshot Service (VSS), in step S201 the VSS snapshot files at several time points within a period of time can be obtained. Sorting these VSS snapshot files chronologically and then comparing each pair of adjacent snapshots identifies the changed files 40 as well as the operations that caused those files to change, namely creation, deletion and modification.
In step S202, whether a changed file 40 is an executable file can be determined from its meta-information, for example the file format. In the WINDOWS operating system, for instance, different types of files have different formats, so the file type can be determined by parsing the file format. Executable files may include scripts, binary executables and so on. This further narrows the detection scope for suspicious software.
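The snapshot comparison of steps S201 to S203 and the format-based executable check of step S202, as an added example that is not part of the patent. It models a snapshot as a mapping from path to file content (a real implementation would read the VSS shadow copies), uses constructed sample snapshots, and classifies executables by the PE "MZ" header or a script shebang rather than by extension.

```python
import hashlib
from typing import Dict, List, Tuple

# A snapshot is modelled as {path: file content}; a real implementation would
# read each VSS shadow copy instead. All contents below are constructed samples.
Snapshot = Dict[str, bytes]

PE_MAGIC = b"MZ"   # DOS/PE header at the start of Windows binaries
SHEBANG = b"#!"    # interpreter line at the start of scripts


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_snapshots(older: Snapshot, newer: Snapshot) -> Dict[str, Tuple[str, bytes]]:
    """Compare two adjacent snapshots and return {path: (operation, content)}.
    For a deleted file the content is taken from the older snapshot, so the
    executable check can still be applied to it."""
    changes = {}
    for path in newer.keys() - older.keys():
        changes[path] = ("create", newer[path])
    for path in older.keys() - newer.keys():
        changes[path] = ("delete", older[path])
    for path in older.keys() & newer.keys():
        if digest(older[path]) != digest(newer[path]):
            changes[path] = ("modify", newer[path])
    return changes


def changed_files(snapshots: List[Tuple[int, Snapshot]]) -> Dict[str, Tuple[str, bytes]]:
    """S201/S203: sort the snapshots by time, diff each adjacent pair and
    collect the changed files together with the operation that changed them.
    If a file changed in several intervals, the latest operation wins."""
    ordered = sorted(snapshots, key=lambda item: item[0])
    result: Dict[str, Tuple[str, bytes]] = {}
    for (_, older), (_, newer) in zip(ordered, ordered[1:]):
        result.update(diff_snapshots(older, newer))
    return result


def is_executable(content: bytes) -> bool:
    """S202: classify by file format (magic bytes), not by extension, so a
    renamed binary or an extensionless script is still recognised."""
    return content.startswith(PE_MAGIC) or content.startswith(SHEBANG)


def find_changed_executables(snapshots: List[Tuple[int, Snapshot]]) -> Dict[str, str]:
    """The narrowed detection scope: only changed files that are executables."""
    return {path: op for path, (op, content) in changed_files(snapshots).items()
            if is_executable(content)}


# Constructed snapshots at three time points (t = 0, 1, 2), deliberately
# listed out of order to show that they are sorted before comparison.
SNAPSHOTS: List[Tuple[int, Snapshot]] = [
    (2, {r"C:\Windows\System32\svchost.exe": b"MZ\x90\x00" + b"\x00" * 8,
         r"C:\Users\alice\notes.txt": b"hello again",
         r"C:\Windows\Temp\scvhost.exe": b"MZ\x90\x00" + b"\x01" * 8}),
    (0, {r"C:\Windows\System32\svchost.exe": b"MZ\x90\x00" + b"\x00" * 8,
         r"C:\Users\alice\notes.txt": b"hello",
         r"C:\Users\alice\run.sh": b"#!/bin/sh\necho hi\n"}),
    (1, {r"C:\Windows\System32\svchost.exe": b"MZ\x90\x00" + b"\x00" * 8,
         r"C:\Users\alice\notes.txt": b"hello again",
         r"C:\Users\alice\run.sh": b"#!/bin/sh\necho hi\n",
         r"C:\Windows\Temp\scvhost.exe": b"MZ\x90\x00" + b"\x01" * 8}),
]

if __name__ == "__main__":
    # Expected: scvhost.exe created, run.sh deleted; notes.txt is dropped
    # because it is not an executable.
    for path, op in sorted(find_changed_executables(SNAPSHOTS).items()):
        print(op, path)
```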
In step S205, the degree of suspicion of the executable file 41 can be determined from the first information 51 and the second information 52 that were determined. For example, the degree of suspicion of an executable file 41 can be measured by a score: the lower the score, the more suspicious the file. One possible implementation is to score according to the first information 51 to obtain a first score value 71, and to score according to the second information 52 to obtain a second score value 72. A total score value is then calculated from the first score value 71 and the second score value 72 (for example their sum or a weighted sum), and the degree of suspicion of the executable file 41 is determined from that total score value.
Next, with reference to FIG. 3, the sub-step S2051 of determining the first score value 71 from the first information 51 is described. Sub-step S2051 may further include:
- S20511: examine the content of the first information 51. If the information 51 includes operation information 511 for creating the file, perform sub-step S20512; if it includes operation information 512 for modifying the file, perform sub-step S20513; if it includes operation information 513 for deleting the file, perform sub-step S20514.
- S20512: reduce the first score value 71 by 2;
- S20513: reduce the first score value 71 by 1;
- S20514: reduce the first score value 71 by 1.
The above process of determining the first score value 71 from the first information 51 is only an example; in practice there are many possible ways to determine it. As the above shows, a file creation operation leads to a higher degree of suspicion for the executable file 41, a modification or deletion operation to a slightly lower one, and a file that has not changed is not considered at all. Therefore, as long as the above judgment rules can be implemented, the degree of suspicion of an executable file can be determined according to the type of file operation.
Next, with reference to FIG. 4, the sub-step S2052 of determining the second score value 72 from the second information 52 is described. Sub-step S2052 may further include:
- S20521: compare the file name 521 of the executable file 41 with system file names 521'. If the file name judgment condition 61 is met (for example, the similarity between the two exceeds a preset threshold), meaning the two are similar, perform sub-step S20522; otherwise skip sub-step S20522 and go directly to sub-step S20523.
- S20522: reduce the second score value 72 by 3, then perform sub-step S20523.
- S20523: compare the file storage path 522 of the executable file 41 with designated directories 522', which may include but are not limited to the system directory, the user profile directory and the temporary (temp) directory. If the file storage path judgment condition 62 is met (for example, the directories are the same), perform sub-step S20524; otherwise skip sub-step S20524 and go directly to sub-step S20525.
- S20524: reduce the second score value 72 by 1, then perform sub-step S20525.
- S20525: compare the file processing time 523 of the executable file 41 with the creation time value range 523'. If the file processing time judgment condition 63 is met (for example: the times associated with a file include the file creation time, file modification time, file access time and MFT record change time; the condition is met if either the file creation time is later than the other kinds of file time, or all kinds of file time are 0), perform sub-step S20526; otherwise skip sub-step S20526 and go directly to sub-step S20527.
- S20526: reduce the second score value 72 by 2, then perform sub-step S20527.
- S20527: compare the file type 524 of the executable file 41 with the designated file types 524'. If the file type judgment condition 64 is met (for example, the file type is system file, hidden file, read-only file or archive file), perform sub-step S20528; otherwise skip sub-step S20528 and go directly to sub-step S20529.
- S20528: for system files, hidden files, read-only files and archive files: if the executable file 41 belongs to any one of these file types, reduce the second score value 72 by 1; if the executable file 41 belongs to three of these four types, reduce the second score value 72 by 3.
- S20529: determine whether the digital signature 525 of the executable file 41 meets the digital signature judgment condition 65 (for example, the digital signature is valid). If so, perform sub-step S20530; otherwise skip sub-step S20530 and take the second score value 72 as final.
- S20530: increase the second score value 72 by 50.
The above process of determining the second score value 72 from the second information 52 is only an example; in practice there are many possible ways to determine it. As the above shows, if the file name of the changed executable file 41 is similar to a system file name, its storage path is under one of the designated directories 522', its file creation time meets the preset condition and its file type is one of the designated file types 524', the degree of suspicion is higher, whereas a valid digital signature greatly reduces the degree of suspicion. Therefore, as long as the above judgment rules can be implemented, the degree of suspicion of an executable file can be determined according to the type of file operation.
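The scoring of sub-steps S2051 and S2052, carried through in code as an added example that is not the patent's own implementation. The record layout, the system file names and designated directories, the similarity measure (difflib's SequenceMatcher) and its threshold are assumptions; the penalties for two or four matching file types, which the text leaves open, are assumed to fall into the nearest stated bucket.

```python
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import Set
import ntpath

# Constructed reference data for this example (not taken from the patent).
SYSTEM_FILE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
DESIGNATED_DIRS = (r"c:\windows\system32", r"c:\windows\temp", r"c:\users")
NAME_SIMILARITY_THRESHOLD = 0.8                  # assumed preset threshold (S20521)
SPECIAL_ATTRIBUTES = {"system", "hidden", "readonly", "archive"}   # S20527


@dataclass
class FileRecord:
    """One changed executable: its change operation (first information 51)
    and the attributes the second information 52 is built from."""
    path: str
    operation: str                 # "create" | "modify" | "delete"
    created: int                   # file times as integers, e.g. epoch seconds
    modified: int
    accessed: int
    mft_changed: int
    attributes: Set[str] = field(default_factory=set)
    signature_valid: bool = False


def score_operation(rec: FileRecord) -> int:
    """S2051: creation is penalised more than modification or deletion."""
    return {"create": -2, "modify": -1, "delete": -1}.get(rec.operation, 0)


def name_similarity(rec: FileRecord) -> float:
    """Highest similarity ratio between the file name and any system file name."""
    name = ntpath.basename(rec.path).lower()
    return max(SequenceMatcher(None, name, s).ratio() for s in SYSTEM_FILE_NAMES)


def in_designated_dir(rec: FileRecord) -> bool:
    """S20523: the file sits in, or below, one of the designated directories."""
    directory = ntpath.dirname(rec.path).lower()
    return any(directory == d or directory.startswith(d + "\\") for d in DESIGNATED_DIRS)


def time_condition(rec: FileRecord) -> bool:
    """S20525: creation time later than every other file time, or all times zero."""
    others = (rec.modified, rec.accessed, rec.mft_changed)
    all_zero = rec.created == 0 and all(t == 0 for t in others)
    return all_zero or all(rec.created > t for t in others)


def score_attributes(rec: FileRecord) -> int:
    """S2052: walk the five checks in order and accumulate the adjustments."""
    score = 0
    if name_similarity(rec) > NAME_SIMILARITY_THRESHOLD:   # S20521 / S20522
        score -= 3
    if in_designated_dir(rec):                             # S20523 / S20524
        score -= 1
    if time_condition(rec):                                # S20525 / S20526
        score -= 2
    special = len(rec.attributes & SPECIAL_ATTRIBUTES)     # S20527 / S20528
    if special >= 3:          # page: three types -> -3; four assumed the same
        score -= 3
    elif special >= 1:        # page: any one type -> -1; two assumed the same
        score -= 1
    if rec.signature_valid:                                # S20529 / S20530
        score += 50
    return score


def score_total(rec: FileRecord) -> int:
    """Plain sum of the two score values; a lower total is more suspicious."""
    return score_operation(rec) + score_attributes(rec)


# Constructed sample records, modelled on the page's scvhost.exe /
# application.exe illustration; the values are made up, not the page's.
SCVHOST = FileRecord(
    path=r"C:\Windows\Temp\scvhost.exe", operation="create",
    created=1700000000, modified=1600000000, accessed=1600000000,
    mft_changed=1600000000, attributes={"hidden"}, signature_valid=False)
APPLICATION = FileRecord(
    path=r"C:\Program Files\Vendor\application.exe", operation="modify",
    created=1600000000, modified=1650000000, accessed=1700000000,
    mft_changed=1650000000, attributes={"archive"}, signature_valid=True)

if __name__ == "__main__":
    for rec in (SCVHOST, APPLICATION):
        print(rec.path, score_operation(rec), score_attributes(rec), score_total(rec))
```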
An example follows. A scvhost.exe file and an application.exe file are imaged, the above process is used to determine the first score value 71 and the second score value 72 for each, and the total score value is determined from these to establish the degree of suspicion of each executable file 41. The total score values of the two files are -8 and 50 respectively, indicating that scvhost.exe is the more suspicious.
Table 1 shows the process of determining the second score value 72. Table 2 shows the process of determining the first score value 71 and the total score value.
Table 1: [table image not reproduced in this extraction]
Table 2: [table image not reproduced in this extraction]
In addition, the embodiments of the present invention also provide a computer-readable medium on which computer-readable instructions are stored; when executed by a processor, the computer-readable instructions cause the processor to perform the suspicious software detection method described above. Examples of computer-readable media include floppy disks, hard disks, magneto-optical disks, optical disks (such as CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW and DVD+RW), magnetic tape, non-volatile memory cards and ROM. Optionally, the computer-readable instructions may be downloaded from a server computer or from the cloud over a communication network.
In summary, the embodiments of the present invention provide a suspicious software detection method, apparatus and computer-readable medium. Traditional methods rely on whitelists and blacklists, which require large and comprehensive data to be maintained, whereas the solution provided by the embodiments of the present invention does not require a database to be maintained in advance. Moreover, for the detection of any particular device or system, most of the data in a whitelist or blacklist is redundant. In the solution provided by the embodiments of the present invention, the detection result is based on the files in the device itself, so the result is more accurate and applicable to a wide range of devices and systems. Further, whitelist and blacklist approaches require frequent updates of the signature database, whereas the solution provided by the embodiments of the present invention can detect suspicious software as long as changes to files in the device can be detected, with no database updates. Finally, whitelists and blacklists are built from known suspicious software and cannot detect unknown suspicious software, whereas the solution provided by the embodiments of the present invention summarises the characteristics of suspicious software itself and detects suspicious software on that basis, so it has the opportunity to discover all kinds of unknown suspicious software.
It should be noted that not all of the steps and modules in the above flows and system structure diagrams are necessary; some steps or modules may be omitted according to actual needs. The order in which the steps are performed is not fixed and can be adjusted as needed. The system structures described in the above embodiments may be physical structures or logical structures; that is, some modules may be implemented by the same physical entity, some modules may be implemented by several physical entities, or some modules may be implemented jointly by components of several independent devices.

Claims (10)

  1. A suspicious software detection method (200), characterised in that it comprises:
    - determining (S201) at least one file (40) that has changed in a device (30);
    - searching (S202) the at least one file (40) for executable files (41);
    - for each executable file (41) found, performing the following operations:
    - determining (S203) first information (51), the first information including information about the operation that caused the executable file (41) to change;
    - determining (S204) second information (52), the second information indicating the attributes of the executable file (41);
    - determining (S205) the degree of suspicion of the executable file (41) according to the first information (51) and the second information (52).
  2. The method according to claim 1, characterised in that determining (S201) at least one file (40) that has changed in a device (30) comprises:
    - obtaining third information (53) recording the state of the files in the device (30) at each of several time points within a time period;
    - comparing the third information (53) at the different time points to determine the at least one file (40) that changed in the device (30) during the time period.
  3. The method according to claim 2, characterised in that determining (S203) the first information (51) comprises:
    - comparing the third information (53) at the different time points to determine information about the operation that caused each executable file (41) found to change during the time period.
  4. The method according to claim 1, characterised in that searching (S202) the at least one file (40) for executable files (41) comprises:
    - determining, from the meta-information of each file in the at least one file (40), whether that file is an executable file.
  5. The method according to claim 1, characterised in that the first information (51) includes at least one of the following:
    - operation information (511) for creating the file;
    - operation information (512) for modifying the file;
    - operation information (513) for deleting the file.
  6. The method according to claim 1, characterised in that the second information (52) includes at least one of the following:
    - file name (521);
    - file storage path (522);
    - file creation time (523);
    - file type (524);
    - digital signature (525).
  7. A suspicious software detection apparatus (10), characterised in that it comprises:
    - a search module (201), configured to determine at least one file (40) that has changed in a device (30) and to search the at least one file (40) for executable files (41);
    - a detection module (202), configured to perform the following operations for each executable file (41) found:
    - determining first information (51), the first information including information about the operation that caused the executable file (41) to change;
    - determining second information (52), the second information indicating the attributes of the executable file (41);
    - determining the degree of suspicion of the executable file (41) according to the first information (51) and the second information (52).
  8. The apparatus according to claim 7, characterised in that, when determining at least one file (40) that has changed in a device (30), the search module (201) is configured to:
    - obtain third information (53) recording the state of the files in the device (30) at each of several time points within a time period;
    - compare the third information (53) at the different time points to determine the at least one file (40) that changed in the device (30) during the time period.
  9. A suspicious software detection apparatus (10), characterised in that it comprises:
    at least one memory (101), configured to store computer-readable code;
    at least one processor (102), configured to invoke the computer-readable code and perform the method according to any one of claims 1 to 6.
  10. A computer-readable medium, characterised in that computer-readable instructions are stored on the computer-readable medium and, when executed by a processor, cause the processor to perform the method according to any one of claims 1 to 6.
PCT/CN2020/094742 2020-06-05 2020-06-05 Suspicious software detection method and apparatus, and computer readable medium WO2021243716A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2020/094742 WO2021243716A1 (en) 2020-06-05 2020-06-05 Suspicious software detection method and apparatus, and computer readable medium
CN202080100927.6A CN115605866A (en) 2020-06-05 2020-06-05 Suspicious software detection method, device and computer readable medium


Publications (1)

Publication Number Publication Date
WO2021243716A1 true WO2021243716A1 (en) 2021-12-09

Family

ID=78830071

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/094742 WO2021243716A1 (en) 2020-06-05 2020-06-05 Suspicious software detection method and apparatus, and computer readable medium

Country Status (2)

Country Link
CN (1) CN115605866A (en)
WO (1) WO2021243716A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8302193B1 (en) * 2008-05-30 2012-10-30 Symantec Corporation Methods and systems for scanning files for malware
CN102768717A (en) * 2012-06-29 2012-11-07 腾讯科技(深圳)有限公司 Malicious file detection method and malicious file detection device
CN103714269A (en) * 2013-12-02 2014-04-09 百度国际科技(深圳)有限公司 Virus identification method and device
CN105488390A (en) * 2014-12-13 2016-04-13 哈尔滨安天科技股份有限公司 Suspicious file discovery method and system under Linux

Also Published As

Publication number Publication date
CN115605866A (en) 2023-01-13

Similar Documents

Publication Publication Date Title
US20210256127A1 (en) System and method for automated machine-learning, zero-day malware detection
US9300682B2 (en) Composite analysis of executable content across enterprise network
US8375450B1 (en) Zero day malware scanner
US9147071B2 (en) System and method for proactive detection of malware device drivers via kernel forensic behavioral monitoring and a back-end reputation system
KR101162051B1 (en) Using string comparison malicious code detection and classification system and method
KR100620313B1 (en) The system for detecting malicious code using the structural features of microsoft portable executable and its using method
US20170149830A1 (en) Apparatus and method for automatically generating detection rule
US10482246B2 (en) Binary search of byte sequences using inverted indices
CN111988341B (en) Data processing method, device, computer system and storage medium
US20120159628A1 (en) Malware detection apparatus, malware detection method and computer program product thereof
WO2020000743A1 (en) Webshell detection method and related device
JP2010182019A (en) Abnormality detector and program
TWI622894B (en) Electronic device and method for detecting malicious file
KR102366637B1 (en) Cyber threat detection method of electronic apparatus
KR102318991B1 (en) Method and device for detecting malware based on similarity
US11157620B2 (en) Classification of executable files using a digest of a call graph pattern
EP3758330A1 (en) System and method of determining a trust level of a file
WO2021243716A1 (en) Suspicious software detection method and apparatus, and computer readable medium
KR20070077517A (en) Profile-based web application intrusion detection system and the method
US20130312100A1 (en) Electronic device with virus prevention function and virus prevention method thereof
WO2023151238A1 (en) Ransomware detection method and related system
US11275836B2 (en) System and method of determining a trust level of a file
CN114238974A (en) Malicious Office document detection method and device, electronic equipment and storage medium
US11232202B2 (en) System and method for identifying activity in a computer system
CN112818348A (en) Lesovirus file identification and detection method and system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20938783

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20938783

Country of ref document: EP

Kind code of ref document: A1