
CN112395602B - Processing method, device and system for static security feature database - Google Patents


Info

Publication number: CN112395602B
Application number: CN201910755851.XA
Authority: CN (China)
Other versions: CN112395602A (en)
Original language: Chinese (zh)
Inventors: 王明广, 杨晓东, 李阳, 杨小波
Current and original assignees: Qianxin Safety Technology Zhuhai Co Ltd; Qax Technology Group Inc
Legal status: Active (application filed by the assignees, granted, and published as CN112395602B; Google notes that the legal status, assignee list and priority date are assumptions, not legal conclusions)
Prior art keywords: file, directory, library, files, operating system

Classifications

All four codes sit under G (Physics) > G06 (Computing; calculating or counting) > G06F (Electric digital data processing) > G06F21/00 (Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity) > G06F21/50 (Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems) > G06F21/55 (Detecting local intrusion or implementing counter-measures):

    • G06F21/554 - Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/552 - Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F21/562 - Computer malware detection or handling, e.g. anti-virus arrangements: static detection
    • G06F21/566 - Computer malware detection or handling, e.g. anti-virus arrangements: dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities


Abstract

This application discloses a method, device and system for processing a static security feature database. It relates to the field of network security, meets the need to match static instruction-sequence features, and generates the static security feature database automatically. The method comprises: first, reading files collected in advance in a library-building directory, which contains files that different versions of the target official operating system run in memory in a clean environment; then, performing static disassembly analysis on the files read to obtain the API call sequence corresponding to each monitoring point; and finally, creating the static security feature database from those API call sequences. The method and device are suitable for processing a static security feature database.

Description

Method, device and system for processing a static security feature database

Technical field

This application relates to the field of network security technology, and in particular to a method, device and system for processing a static security feature database.

Background

In today's highly networked world, hacker attacks are ever more frequent and attack techniques keep evolving. An attacker can exploit a vulnerability to make a software process carry out attack actions. To better constrain a software process to its legitimate actions, a permission set can be defined that limits which events the process may perform.

At present, the instruction execution sequence produced while a program runs can be matched against the preset normal-behaviour instruction execution sequences held in a static security feature database, so that exploitation of a vulnerability is discovered in time. However, these normal-behaviour sequences are usually obtained by manual testing and added one by one. This slows the creation of the security feature database, and because manual work is limited in scope it is hard to obtain a comprehensive static security feature database, which in turn hurts the accuracy of subsequent behaviour anomaly detection.

Summary of the invention

In view of this, the present application provides a method, device and system for processing a static security feature database. Its main purpose is to solve the technical problems of the prior art: low efficiency in creating the security feature database, the inability to obtain a comprehensive static security feature database, and the resulting loss of accuracy in subsequent behaviour anomaly detection.

According to one aspect of this application, a method for processing a static security feature database is provided, applicable on the server side, comprising:

reading files collected in advance in a library-building directory, where the library-building directory contains files that different versions of the target official operating system run in memory in a clean environment;

performing static disassembly analysis on the files read to obtain the application programming interface (API) call sequence corresponding to a monitoring point;

creating a static security feature database according to the API call sequence.

Optionally, performing static disassembly analysis on the files read to obtain the API call sequence corresponding to the monitoring point specifically comprises:

performing static disassembly analysis on the files read, and taking the key APIs that match a preset key-API list as the monitoring points;

backtracking from each key API a preset number of levels to obtain the API call sequence corresponding to that key API.

Optionally, after the static security feature database has been created, the method further comprises:

obtaining the target API call sequence of the behaviour to be checked;

matching the target API call sequence against the API call sequences in the static security feature database;

if no matching API call sequence exists in the static security feature database, determining that the behaviour to be checked is suspected abnormal behaviour and triggering a corresponding alert.

Optionally, the library-building directory further contains the updated files that the target official operating system runs in memory in a clean environment after patches have been installed.

Optionally, the library-building directory further contains the new files produced in memory when different legitimate (licensed) software packages are each run separately inside the target official operating system in a clean environment.

Optionally, the library-building directory further contains files that different versions of other official operating systems run in memory in a clean environment.

Optionally, the library-building directory further contains the updated files that those other official operating systems run in memory in a clean environment after patches have been installed.

Optionally, the library-building directory further contains the new files produced in memory when different legitimate (licensed) software packages are each run separately inside those other official operating systems in a clean environment.

According to another aspect of this application, another method for processing a static security feature database is provided, applicable on the client side, comprising:

obtaining the files that the installed target official operating system runs in memory in a clean environment;

uploading the files to a library-building directory, which contains files that different versions of the target official operating system run in memory in a clean environment, so that a static security feature database can be created from the API call sequences corresponding to monitoring points that static disassembly analysis of the files in that directory yields.

Optionally, obtaining the files that the installed target official operating system runs in memory in a clean environment specifically comprises:

after installing the target official operating system, installing a driver, enabling every service of the target official operating system and setting it to start automatically, so as to obtain each process module file of the target official operating system running in a clean environment;

storing the file hash and file path of each process module file in a file list;

registering a module-load callback, and merging the dynamically loaded module files observed within a preset run time into the file list by their file hash and file path.

Optionally, uploading the files to the library-building directory specifically comprises:

storing the corresponding files in the library-building directory according to the file hashes and file paths in the file list.

Optionally, storing the corresponding files in the library-building directory according to the file hashes and file paths in the file list specifically comprises:

fetching the corresponding files according to the file hashes and file paths in the file list;

storing the fetched files in the corresponding folder of the library-building directory according to the operating system version number, operating system edition and bitness (32- or 64-bit) of the target official operating system.

Optionally, if the file size exceeds a preset threshold, uploading the file to the library-building directory specifically comprises:

uploading the file to the library-building directory via the File Transfer Protocol (FTP) or the secure file transfer protocol (SFTP).
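The client-side collection steps above (hash-and-path file list, module-load callback merge, storage under a version/edition/bitness folder) as one runnable example. This is added code, not the patent's or the assignee's implementation: the module files are constructed fake images written to a temporary directory, the folder layout `<version>/<edition>/<32|64>` is assumed, and a local copy stands in for the FTP/SFTP upload.

```python
"""Client-side collection of 'clean' process module files into the
library-building directory: hash + path file list, merge of dynamically
loaded modules via a module-load callback, and storage under
<version>/<edition>/<bitness>.

Added example, not the patent's or the assignee's code. On a real client the
module list would come from the driver's process/module enumeration and the
load callback mentioned in the text; here it is constructed."""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Streaming SHA-256 so large modules are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_file_list(module_paths):
    """File list keyed by hash -> absolute path. Keying by hash means the same
    image mapped by many processes, or copied under another name, is recorded once."""
    file_list = {}
    for p in module_paths:
        file_list.setdefault(sha256_file(p), os.path.abspath(p))
    return file_list


def on_module_load(file_list, path):
    """Module-load callback: merge a module loaded after the initial snapshot.
    Returns True if it was new to the list."""
    digest = sha256_file(path)
    if digest in file_list:
        return False
    file_list[digest] = os.path.abspath(path)
    return True


def library_folder(lib_root, os_version, os_edition, bits):
    """Assumed layout: <lib_root>/<version>/<edition>/<32|64>."""
    if bits not in (32, 64):
        raise ValueError("bits must be 32 or 64")
    return os.path.join(lib_root, os_version, os_edition, str(bits))


def save_to_library(file_list, lib_root, os_version, os_edition, bits):
    """Store each listed file under its hash (original extension kept) and
    re-hash after the copy. The local copy stands in for the FTP/SFTP upload;
    the post-transfer hash check is the important part, because a corrupted or
    substituted 'clean' file would poison the whitelist later built from it."""
    folder = library_folder(lib_root, os_version, os_edition, bits)
    os.makedirs(folder, exist_ok=True)
    index = {}
    for digest, src in file_list.items():
        dst = os.path.join(folder, digest + os.path.splitext(src)[1].lower())
        shutil.copyfile(src, dst)
        if sha256_file(dst) != digest:
            raise IOError("hash mismatch after transfer: %s" % src)
        index[digest] = {"path": src, "stored": dst}
    return index


def run_demo():
    """Constructed input: fake module files (not real Windows binaries)."""
    work = tempfile.mkdtemp(prefix="cleanbox_")
    try:
        sys32 = os.path.join(work, "Windows", "System32")
        os.makedirs(sys32)
        samples = {
            "ntdll.dll": b"MZ\x90\x00 fake ntdll image",
            "kernel32.dll": b"MZ\x90\x00 fake kernel32 image",
            "ntdll_copy.dll": b"MZ\x90\x00 fake ntdll image",  # same bytes, other name
        }
        for name, data in samples.items():
            with open(os.path.join(sys32, name), "wb") as f:
                f.write(data)
        file_list = build_file_list(os.path.join(sys32, n) for n in samples)
        static_count = len(file_list)  # 2: the byte-identical copy is deduplicated
        late = os.path.join(sys32, "wininet.dll")  # loaded later, seen by the callback
        with open(late, "wb") as f:
            f.write(b"MZ\x90\x00 fake wininet image")
        added = on_module_load(file_list, late)
        lib_root = os.path.join(work, "library")
        index = save_to_library(file_list, lib_root, "10.0.17763", "Enterprise", 64)
        folder = library_folder(lib_root, "10.0.17763", "Enterprise", 64)
        return {
            "static_entries": static_count,
            "added_dynamic": added,
            "stored": len(index),
            "all_present": all(os.path.isfile(v["stored"]) for v in index.values()),
            "folder": os.path.relpath(folder, lib_root),
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

Storing files under their hash rather than their original name is a deliberate choice: two OS builds ship different `ntdll.dll` images under the same name, and the version/edition/bitness folder alone does not separate hotfix levels, so the hash is the only stable identity for the analysis step that follows.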

According to a further aspect of this application, a device for processing a static security feature database is provided, applicable on the server side, comprising:

a reading module, for reading files collected in advance in a library-building directory, where the library-building directory contains files that different versions of the target official operating system run in memory in a clean environment;

an analysis module, for performing static disassembly analysis on the files read to obtain the API call sequence corresponding to a monitoring point;

a creation module, for creating the static security feature database according to the API call sequence.

Optionally, the analysis module is specifically for performing static disassembly analysis on the files read and taking the key APIs that match a preset key-API list as the monitoring points;

and for backtracking from each key API a preset number of levels to obtain the API call sequence corresponding to that key API.

Optionally, the device further comprises:

an acquisition module, for obtaining, after the static security feature database has been created, the target API call sequence of the behaviour to be checked;

a matching module, for matching the target API call sequence against the API call sequences in the static security feature database;

a determination module, for determining, if no matching API call sequence exists in the static security feature database, that the behaviour to be checked is suspected abnormal behaviour and triggering a corresponding alert.

Optionally, the library-building directory further contains the updated files that the target official operating system runs in memory in a clean environment after patches have been installed.

Optionally, the library-building directory further contains the new files produced in memory when different legitimate (licensed) software packages are each run separately inside the target official operating system in a clean environment.

Optionally, the library-building directory further contains files that different versions of other official operating systems run in memory in a clean environment.

Optionally, the library-building directory further contains the updated files that those other official operating systems run in memory in a clean environment after patches have been installed.

Optionally, the library-building directory further contains the new files produced in memory when different legitimate (licensed) software packages are each run separately inside those other official operating systems in a clean environment.

According to yet another aspect of this application, a device for processing a static security feature database is provided, applicable on the client side, comprising:

an acquisition module, for obtaining the files that the installed target official operating system runs in memory in a clean environment;

a sending module, for uploading the files to a library-building directory, which contains files that different versions of the target official operating system run in memory in a clean environment, so that a static security feature database can be created from the API call sequences corresponding to monitoring points that static disassembly analysis of the files in that directory yields.

Optionally, the acquisition module is specifically for: after the target official operating system is installed, installing a driver, enabling every service of the target official operating system and setting it to start automatically, so as to obtain each process module file of the target official operating system running in a clean environment;

storing the file hash and file path of each process module file in a file list;

registering a module-load callback, and merging the dynamically loaded module files observed within a preset run time into the file list by their file hash and file path.

Optionally, the sending module is specifically for storing the corresponding files in the library-building directory according to the file hashes and file paths in the file list.

Optionally, the sending module is further for fetching the corresponding files according to the file hashes and file paths in the file list;

and for storing the fetched files in the corresponding folder of the library-building directory according to the operating system version number, operating system edition and bitness (32- or 64-bit) of the target official operating system.

Optionally, the sending module is further for uploading the file to the library-building directory via FTP or SFTP if the file size exceeds a preset threshold.

According to yet another aspect of this application, a storage medium is provided on which a computer program is stored; when the program is executed by a processor, it implements the above server-side method for processing a static security feature database.

According to yet another aspect of this application, a server is provided, comprising a storage medium, a processor, and a computer program stored on the storage medium and runnable on the processor; when the processor executes the program, it implements the above server-side method for processing a static security feature database.

According to yet another aspect of this application, a storage medium is provided on which a computer program is stored; when the program is executed by a processor, it implements the above client-side method for processing a static security feature database.

According to yet another aspect of this application, a client device is provided, comprising a storage medium, a processor, and a computer program stored on the storage medium and runnable on the processor; when the processor executes the program, it implements the above client-side method for processing a static security feature database.

According to yet another aspect of this application, a system for processing a static security feature database is provided, comprising the above client device and the above server.

With the above technical solution, the method, device and system for processing a static security feature database provided by this application collect in advance the files that different versions of the target official operating system run in memory in a clean environment, perform static disassembly analysis on those files to obtain the API call sequences corresponding to the monitoring points, and then automatically create the static security feature database from those sequences. Compared with existing approaches, creation of the static security feature database is automated, which raises the efficiency of building it; and because the normal-behaviour instruction execution sequences are generated from files that different versions of the official operating system run in memory in a clean environment, a more comprehensive static security feature database is obtained, which in turn improves the accuracy of subsequent behaviour anomaly detection.

The above is only an overview of the technical solution of this application. So that its technical means can be understood more clearly and implemented according to the contents of the specification, and so that the above and other objects, features and advantages of this application become more evident, specific embodiments of this application are set out below.

Description of the drawings

The drawings described here provide a further understanding of this application and form part of it; the illustrative embodiments and their descriptions explain this application and do not improperly limit it. In the drawings:

Fig. 1 is a flowchart of a method for processing a static security feature database provided by an embodiment of this application;

Fig. 2 is a flowchart of building the base rule library provided by an embodiment of this application;

Fig. 3 is a flowchart of building the update rule library provided by an embodiment of this application;

Fig. 4 is a flowchart of another method for processing a static security feature database provided by an embodiment of this application;

Fig. 5 is an architecture diagram of the distributed file analysis system provided by an embodiment of this application;

Fig. 6 is a flowchart of yet another method for processing a static security feature database provided by an embodiment of this application;

Fig. 7 is a structural diagram of a device for processing a static security feature database provided by an embodiment of this application;

Fig. 8 is a structural diagram of another device for processing a static security feature database provided by an embodiment of this application;

Fig. 9 is a structural diagram of a system for processing a static security feature database provided by an embodiment of this application.

Detailed description of embodiments

This application is described in detail below with reference to the drawings and in conjunction with embodiments. Note that, where there is no conflict, the embodiments of this application and the features within them may be combined with one another.

To address the technical problem in the prior art that the security feature database is created inefficiently, which affects the accuracy of subsequent behaviour anomaly detection, this embodiment provides a method for processing a static security feature database, shown in Fig. 1, which can run on the server side or on another terminal. The method comprises:

101. Read the files collected in advance in the library-building directory.

The library-building directory contains files that different versions of the target official operating system run in memory in a clean environment. These files can be collected and uploaded by the client side in advance: different versions of the target official operating system are installed and run on client machines, the files running in memory in a clean environment are captured, and they are uploaded to the library-building directory on the server.

Note that the different versions of the target official operating system can also be installed on a local terminal associated with the server, and the files collected into the designated library-building directory from there. Which option is used can be chosen in advance according to actual need.

102. Perform static disassembly analysis on the files read from the library-building directory to obtain the API call sequence corresponding to each monitoring point.

A monitoring point may be a key API, such as the main API invoked to carry out a behaviour event.

In this embodiment, a library-building script engine can be written in advance and then used to perform static disassembly analysis on the collected files. For example, the script engine can be implemented entirely in Python and split into two parts: file handling and task scheduling on one side, and plug-in scripts invoked by a disassembler such as the Interactive Disassembler (IDA) on the other, which extract the required information from the disassembler and turn it into rules. Concretely, the engine automatically processes all collected files, invokes IDA to load each file together with the IDA script, performs static disassembly analysis of the PE file, and outputs all monitoring-point rules, i.e. the API call sequences corresponding to the monitoring points.

103. Create the static security feature database from the API call sequences obtained by static disassembly analysis.

In the static security feature database, for each version of the target official operating system, every behaviour event executed by a system process has its own corresponding normal API call sequence, so that when a behaviour event of a system process of a given version is later checked, these normal API call sequences can be used to verify whether the system process is behaving abnormally.

The method of this embodiment collects in advance the files that different versions of the target official operating system run in memory in a clean environment, performs static disassembly analysis on those files to obtain the API call sequences corresponding to the monitoring points, and then automatically creates the static security feature database from those sequences. Compared with existing approaches, creation of the static security feature database is automated, which raises the efficiency of building it; and because the normal-behaviour instruction execution sequences are generated from files that different versions of the official operating system run in memory in a clean environment, a more comprehensive static security feature database is obtained, which in turn improves the accuracy of subsequent behaviour anomaly detection.

Further, as a refinement and extension of the specific implementation of the above embodiment, in order to obtain accurately the API call sequence corresponding to a monitoring point, step 102 may optionally comprise: performing static disassembly analysis on the files read, and taking the key APIs that match a preset key-API list as the monitoring points; then backtracking from each of these key APIs a preset number of levels to obtain the API call sequence corresponding to that key API.

The preset key-API list holds the information of each key API; in this option the list is used to locate the monitoring points, and it can be set in advance according to actual business needs. The preset number of levels can likewise be set in advance according to actual need. For example, with a preset level of 3, backtracking must reach the target API that calls the key API and, in turn, the API that calls that target API.

After the static security feature database has been created, in order to perform subsequent behaviour anomaly detection, the method of this embodiment may optionally further comprise: first obtaining the target API call sequence of the behaviour to be checked; then matching the target API call sequence against the API call sequences in the static security feature database; and, if no matching API call sequence exists in the static security feature database, determining that the behaviour to be checked is suspected abnormal behaviour and triggering a corresponding alert. The alert may take the form of text, images, audio, video, light, vibration and so on.

当静态安全特征数据库中不存在匹配的API调用序列时,可进行上报以便进一步分析排查,如果确定该目标API调用序列为正常的,可将其更新到静态安全特征数据库中。When there is no matching API call sequence in the static security feature database, it can be reported for further analysis and investigation. If it is determined that the target API call sequence is normal, it can be updated to the static security feature database.
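The following is an added example, not code from the patent, showing one way to implement the backtracking of step 102 and the matching step described above in Python (the language the text names for the library-building script engine). The call graph, the function and API names, the preset key API list and the OS label "10.0+1234+64" are all constructed sample data; in the described system the graph would come from the cross-references of a disassembler such as IDA.

```python
"""Added example (not from the patent): derive monitoring-point rules by
backtracking a call graph from key APIs, store them per OS version, and
match observed call sequences against them."""
from collections import defaultdict

# Constructed caller -> callees graph for one module, standing in for the
# cross-references a disassembler such as IDA would provide. Function and
# API names here are hypothetical sample data.
CALL_GRAPH = {
    "ServiceMain": ["InitWorker", "LogStart"],
    "InitWorker": ["SpawnHelper"],
    "SpawnHelper": ["CreateProcessW", "CloseHandle"],
    "LogStart": ["WriteFile"],
    "Updater": ["DownloadAndRun"],
    "DownloadAndRun": ["WinExec"],
}

# Preset key API list: the APIs chosen as monitoring points (constructed).
KEY_APIS = {"CreateProcessW", "WinExec", "WriteFile"}
PRESET_LEVELS = 3   # key API, its caller, and that caller's caller


def callers_of(graph):
    """Invert caller -> callees into callee -> callers."""
    callers = defaultdict(list)
    for caller, callees in graph.items():
        for callee in callees:
            callers[callee].append(caller)
    return callers


def backtrack(graph, key_api, levels):
    """Return every call sequence that ends at key_api, walking back at most
    `levels` functions (the key API itself counts as level 1). A path that
    reaches a function with no callers stops early; cycles are cut."""
    callers = callers_of(graph)
    sequences = []

    def walk(node, path):
        if len(path) == levels or not callers.get(node):
            sequences.append(tuple(reversed(path)))
            return
        for caller in callers[node]:
            if caller not in path:          # guard against recursive cycles
                walk(caller, path + [caller])

    walk(key_api, [key_api])
    return sequences


def build_database(graphs_by_os, key_apis, levels):
    """graphs_by_os: {os_id: [call_graph, ...]} -> {os_id: set(sequence)}.
    Each os_id is a constructed label in the "version+build+bitness" form
    the text describes for library folders."""
    db = {}
    for os_id, graphs in graphs_by_os.items():
        rules = set()
        for graph in graphs:
            present = key_apis & set(callers_of(graph))
            for api in sorted(present):
                rules.update(backtrack(graph, api, levels))
        db[os_id] = rules
    return db


def check_behaviour(db, os_id, observed):
    """Match an observed sequence for a given OS version. An unmatched
    sequence is only *suspected* abnormal: it is reported for analysis."""
    if tuple(observed) in db.get(os_id, set()):
        return "normal"
    return "suspected_abnormal"


def confirm_normal(db, os_id, observed):
    """Analyst verdict hook: a reported sequence found to be benign is added
    to the database so it is not flagged again."""
    db.setdefault(os_id, set()).add(tuple(observed))
    return db


if __name__ == "__main__":
    db = build_database({"10.0+1234+64": [CALL_GRAPH]}, KEY_APIS, PRESET_LEVELS)
    for rule in sorted(db["10.0+1234+64"]):
        print(" -> ".join(rule))
    print(check_behaviour(db, "10.0+1234+64",
                          ["UnknownCaller", "SpawnHelper", "CreateProcessW"]))
```

With the preset level of 3, each rule is the triple (caller of the target API, target API, key API) that the text describes. An unmatched sequence is deliberately reported as "suspected_abnormal" rather than blocked, and `confirm_normal` models the report-and-update step: a sequence cleared by analysis is written back so the database grows with the clean baseline.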

In this embodiment, in addition to the files that different versions of the target official operating system run in memory in a clean environment, the library directory may contain further content in order to obtain a more comprehensive static security feature database. The following optional approaches are given:

As one option, the library directory may also contain the update files that these versions of the target official operating system run in memory in a clean environment after patches have been installed. For example, as shown in Figure 2, the target operating system (OS) is first installed and its version recorded; the collection tool is then run to trigger behaviour and collect the files running in memory in the clean environment, and the files are uploaded to the library directory; finally, the library-building script engine is run to perform static disassembly analysis on the files in the library directory and build the rule library, yielding the base rule library.

Subsequently, updated patches are installed on the target operating system and the collection tool is run to trigger behaviour and collect the update files running in memory in the clean environment; the update files are then uploaded to the library directory in the same way and the library-building script engine is run to build the rule library, yielding the update rule library, as shown in Figure 3.

As another option, the library directory may also contain the new files produced in memory when different genuine software packages (for example browsers, office software, PDF readers and so on) are each run separately in the target official operating system in a clean environment. Static disassembly analysis is then performed on these new files to build the normal API call sequences of the genuine software when running in the target official operating system, so that the resulting static security feature database can also detect anomalies in software behaviour, enriching the application scenarios for security verification.

For example, a clean system is installed from the official ISO of the operating system, and only software installation packages downloaded from the official software site are installed; the latest version of the file collection tool provided by the rule maintainer is then used to collect the new files produced in memory while the software runs in the official operating system in the clean environment.

As yet another option, the library directory may also contain the files that different versions of other official operating systems run in memory in a clean environment. Static disassembly analysis is then performed on these files to obtain a static security feature database that can verify behaviour anomalies on more operating systems.

Further, based on the above, as a further option, the library directory may also contain the update files that these other official operating systems run in memory in a clean environment after patches have been installed. In effect, not only the base rule libraries of different versions of the other official operating systems are obtained, but also the update rule libraries of those versions, meeting more system behaviour anomaly detection needs.

Still further, the library directory may also contain the new files produced in memory when different genuine software packages are each run separately in the other official operating systems in a clean environment. The resulting static security feature database can then detect whether software behaviour under other operating systems is abnormal, meeting more software behaviour detection needs.

The above embodiment describes the processing of the static security feature database from the client side. Further, in order to fully describe the implementation of this embodiment, this embodiment also provides another processing method for a static security feature database, applicable to the client side, as shown in Figure 4. The method comprises:

201. Obtain the files that the installed target official operating system runs in memory in a clean environment.

Specifically, a file collection tool can be run on the target operating system to collect the module files that run in memory over a period of time.

202. Upload the obtained files to the library directory.

The library directory contains the files that different versions of the target official operating system run in memory in a clean environment, so that a static security feature database can be created from the API call sequences corresponding to the monitoring points, obtained by static disassembly analysis of the files in the library directory.

For example, in order to improve the efficiency of creating the static security feature database, multiple terminals may perform the file collection described in this solution and then upload to the library directory of a distributed static file analysis system. As shown in Figure 5, the distributed static file analysis system can output a base library and an incremental library of static rules. The client submits the file tasks to be analysed in a prescribed file directory format; a task scheduler schedules them and decides which back-end service performs the analysis; when the analysis is complete the base library or incremental library is output; and the analysis service provides a rule retrieval interface and a task query interface. The analysis service may be a micro HTTP server that registers itself with the task scheduling module; an initial version may have no task scheduling service at all. After receiving an analysis request, the micro HTTP server saves the uploaded files and invokes the script engine driving disassembly tools such as IDA to complete the static file analysis and output the rule files. An example interface design follows:

1) POST /make_rules: submit a task directory for analysis to generate a base library or an incremental library;

2) POST /rules: obtain the base library or incremental library of a given OS;

3) POST /zipfile: upload the base library or incremental library files to be analysed and analyse them; suitable for transfers where the total size of the library files is less than 300 MB.
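As an added illustration, not part of the patent, the three interfaces above can be modelled in-process as follows. The `AnalysisService` class, the `dispatch` router, the `pe_only_analyze` stand-in and the `make_zip` helper are assumptions of this example; the real analysis step would invoke the IDA-driven script engine. The 300 MB limit and the POST-only routing follow the text, and the OS label "10.0+1234+64" is constructed.

```python
"""Added example (not part of the patent): an in-process model of the three
POST interfaces listed above. The disassembly step is injected as a callable
so the code runs offline; storage is a dict instead of a real library."""
import io
import zipfile

MAX_ZIP_BYTES = 300 * 1024 * 1024      # /zipfile limit stated in the text
KINDS = ("base", "incremental")


def pe_only_analyze(files):
    """Stand-in for the IDA-driven script engine: it only 'analyses' files
    that carry the PE magic and returns one placeholder rule name per file."""
    return sorted(f"rule:{name}" for name, data in files.items()
                  if data[:2] == b"MZ")


class AnalysisService:
    def __init__(self, analyze=pe_only_analyze):
        self.analyze = analyze
        self.libraries = {}            # (os_id, kind) -> list of rules

    def make_rules(self, os_id, kind, files):
        """POST /make_rules: files is {relative name: bytes} from a task dir."""
        if kind not in KINDS:
            return 400, {"error": "kind must be base or incremental"}
        rules = self.analyze(files)
        self.libraries[(os_id, kind)] = rules
        return 200, {"os": os_id, "kind": kind, "rule_count": len(rules)}

    def rules(self, os_id, kind):
        """POST /rules: fetch the base or incremental library of an OS."""
        rules = self.libraries.get((os_id, kind))
        if rules is None:
            return 404, {"error": "no such library"}
        return 200, {"os": os_id, "kind": kind, "rules": rules}

    def zip_upload(self, os_id, kind, data):
        """POST /zipfile: small archives only; larger ones go via FTP/SFTP."""
        if len(data) >= MAX_ZIP_BYTES:
            return 413, {"error": "archive too large; upload via FTP/SFTP"}
        try:
            archive = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            return 400, {"error": "not a zip archive"}
        files = {}
        for info in archive.infolist():
            parts = info.filename.replace("\\", "/").split("/")
            # Reject entries that would escape the task directory when
            # written to disk (absolute names, drive letters, ".." parts).
            if parts[0] == "" or ":" in parts[0] or ".." in parts:
                return 400, {"error": f"unsafe entry name: {info.filename}"}
            if not info.is_dir():
                files[info.filename] = archive.read(info)
        return self.make_rules(os_id, kind, files)


ROUTES = {"/make_rules": "make_rules", "/rules": "rules", "/zipfile": "zip_upload"}


def dispatch(service, method, path, params):
    """Route one request; every interface in the design is POST-only."""
    if method != "POST":
        return 405, {"error": "method not allowed"}
    handler = ROUTES.get(path)
    if handler is None:
        return 404, {"error": "unknown interface"}
    return getattr(service, handler)(**params)


def make_zip(entries):
    """Build an in-memory archive from {name: bytes} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    return buf.getvalue()
```

The size check mirrors the text's rule that archives at or above the limit go through FTP/SFTP instead. The entry-name check in `zip_upload` is the one addition a server accepting uploaded archives needs before it writes anything into the task directory: an archive entry named with `..` or an absolute path would otherwise be written outside that directory.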

With the above processing method applicable to the client side, compared with existing approaches, the static security feature database is created automatically, which improves the efficiency of creating the security feature database; and because the instruction execution sequences of normal behaviour are generated by analysing the files that different versions of the official operating system run in memory in a clean environment, a more comprehensive static security feature database is obtained, which in turn improves the accuracy of subsequent behaviour anomaly detection.

Further, as a refinement and extension of the specific implementation of the above embodiment, in order to fully describe the specific implementation process of this embodiment, yet another processing method for a static security feature database applicable to the client side is provided, as shown in Figure 6. The method comprises:

301. After the target official operating system is installed, install the driver, enable every service item of the target official operating system and set them to start automatically, so as to obtain the process module files of the target official operating system running in a clean environment.

302. Save the file hash value and file name directory corresponding to each process module file in a file list.

303. Set a module load callback, and load and merge the dynamic module files loaded within a preset running duration into the file list according to their corresponding file hash values and file name directories.

304. Save the corresponding files in the library directory according to the file hash values and file name directories in the file list.

In this way the collected files are more comprehensive and accurate, and more instruction execution sequences of normal system behaviour can be obtained.

For example, the file collection tool is run to install the function driver, open all service items and set them to auto-start; the driver layer enumerates all process modules, saves a file list and sets a module load callback that captures dynamic module loads over a period of time and merges them into the file list; the file hashes of the file list are computed; and when "Done" is clicked, the files in the file list are saved to the specified directory in the form "file name directory\hash", overwriting a file whose hash already exists in the target directory. This makes it convenient to subsequently create the static security feature database from the API call sequences corresponding to the monitoring points, obtained by static disassembly analysis of the files in the library directory.

To make the library directory easier to manage and the subsequent creation of the static security feature database more standardised, step 304 may optionally comprise: obtaining the corresponding files according to the file hash values and file name directories in the file list; then saving the obtained files in the corresponding folder in the library directory according to the operating system version number, operating system edition number and current system bitness of the target official operating system.

For example, after the collection tool finishes ("done"), a folder named "operating system version number + operating system build number + current system bitness" is created in the same directory; the files collected from running software such as browsers and Office/PDF applications can also be output according to this standard.
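The collection flow of steps 302 to 304 and the folder naming just described, as an added user-mode Python example that is not the patent's collection tool: the driver-level enumeration and the module load callback are replaced by direct function calls, the sample module files and the labels "10.0", "1234" and "64" are constructed, and the `<name>/<hash>` reading of the "file name directory\hash" layout is an assumption of this example.

```python
"""Added example (not part of the patent): a user-mode model of the
collection tool's file list and library layout described in steps 302-304.
The kernel driver, service enumeration and module-load callback are replaced
by plain function calls on constructed sample files."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def enumerate_modules(paths):
    """Initial file list: {file hash: original path} for every process module."""
    return {sha256_of(p): Path(p) for p in paths}


def on_module_load(file_list, path):
    """Module-load callback: merge a module loaded later into the file list.
    A module whose hash is already listed is not recorded twice."""
    file_list.setdefault(sha256_of(path), Path(path))
    return file_list


def save_to_library(file_list, library_root, version, build, bits):
    """Copy each listed file to <root>/<version>+<build>+<bits>/<name>/<hash>.
    This reading of the text's "file name directory\\hash" layout is an
    assumption; an existing file with the same hash is overwritten."""
    library_root = Path(library_root)
    folder = library_root / f"{version}+{build}+{bits}"
    saved = []
    for digest, src in file_list.items():
        dest_dir = folder / src.name
        dest_dir.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dest_dir / digest)
        saved.append((dest_dir / digest).relative_to(library_root).as_posix())
    return sorted(saved)


def run_demo():
    """Create constructed sample modules in a temp dir and run the flow.
    Returns a summary so the behaviour can be checked without a real OS."""
    root = Path(tempfile.mkdtemp())
    modules = root / "modules"
    modules.mkdir()
    svc = modules / "svc.exe"
    helper = modules / "helper.dll"
    late = modules / "late.dll"
    svc.write_bytes(b"MZ" + b"\x01" * 64)
    helper.write_bytes(b"MZ" + b"\x02" * 64)
    late.write_bytes(b"MZ" + b"\x02" * 64)      # same bytes as helper.dll
    file_list = enumerate_modules([svc, helper])
    on_module_load(file_list, late)              # merged, but a duplicate hash
    first = save_to_library(file_list, root / "library", "10.0", "1234", "64")
    second = save_to_library(file_list, root / "library", "10.0", "1234", "64")
    summary = {
        "entries": len(file_list),
        "saved": first,
        "idempotent": first == second,
        "hash_len": {len(p.split("/")[-1]) for p in first},
    }
    shutil.rmtree(root)
    return summary


if __name__ == "__main__":
    print(run_demo())
```

Keying the file list by content hash is what makes the second save a no-op overwrite rather than a duplicate, and it is also why a later-loaded module with identical bytes (here `late.dll`) adds no new entry: the rule library only needs each distinct binary once per OS folder.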

If the size of the file to be uploaded to the library directory exceeds a preset threshold, then, as an option to improve transfer speed, the file may be uploaded to the library directory via the File Transfer Protocol (FTP) or the Secure File Transfer Protocol (SFTP). For example, incremental package or base package files larger than a certain size are uploaded to the specified directory with ftp/sftp, and the task directory is then submitted directly to complete the analysis.

By applying the above solution, an automated library-building solution for static instruction sequence features is provided. By standardising the system installation version, the installation environment and the file collection method, static analysis is used to obtain the complete program instruction execution sequences, a static instruction sequence feature library is built according to the specified rules, and it is produced and verified in an automated way. This meets the needs of static instruction sequence feature matching and automatically generates base libraries or incremental libraries. The databases created can be applied to all scenarios based on matching instruction execution sequence features.

Further, as a specific implementation of the method shown in Figure 1, an embodiment of the present application provides a processing apparatus for a static security feature database applicable to the server side. As shown in Figure 7, the apparatus comprises: a reading module 41, an analysis module 42 and a creation module 43.

The reading module 41 is configured to read the files collected in advance in the library directory, the library directory containing the files that different versions of the target official operating system run in memory in a clean environment;

The analysis module 42 is configured to perform static disassembly analysis on the read files to obtain the application programming interface (API) call sequences corresponding to the monitoring points;

The creation module 43 is configured to create a static security feature database according to the API call sequences.

In a specific application scenario, the analysis module 42 is specifically configured to perform static disassembly analysis on the read files, take the key APIs that match a preset key API list as the monitoring points, and backtrack from the key APIs for a preset number of levels to obtain the API call sequences corresponding to the key APIs.

In a specific application scenario, the apparatus may further comprise: an acquisition module 44, a matching module 45 and a determination module 46;

The acquisition module 44 is configured to obtain the target API call sequence of the behaviour to be checked after the static security feature database has been created;

The matching module 45 is configured to match the target API call sequence against the API call sequences in the static security feature database;

The determination module 46 is configured to determine that the behaviour to be checked is suspected abnormal behaviour and trigger a corresponding alarm if no matching API call sequence exists in the static security feature database.

In a specific application scenario, optionally, the library directory may further contain the update files that the target official operating system runs in memory in a clean environment after patches have been installed.

In a specific application scenario, optionally, the library directory further contains the new files produced in memory when different genuine software packages are each run separately in the target official operating system in a clean environment.

In a specific application scenario, optionally, the library directory further contains the files that different versions of other official operating systems run in memory in a clean environment.

In a specific application scenario, optionally, the library directory further contains the update files that the other official operating systems run in memory in a clean environment after patches have been installed.

In a specific application scenario, the library directory further contains the new files produced in memory when different genuine software packages are each run separately in the other official operating systems in a clean environment.

It should be noted that, for other descriptions of the functional units of the server-side processing apparatus for a static security feature database provided by this embodiment, reference may be made to the corresponding description of Figure 1, which is not repeated here.

Further, as a specific implementation of the methods shown in Figures 4 and 6, an embodiment of the present application provides a processing apparatus for a static security feature database applicable to the client side. As shown in Figure 8, the apparatus comprises: an acquisition module 51 and a sending module 52.

The acquisition module 51 is configured to obtain the files that the installed target official operating system runs in memory in a clean environment;

The sending module 52 is configured to upload the files to the library directory, the library directory containing the files that different versions of the target official operating system run in memory in a clean environment, so that a static security feature database can be created from the application programming interface (API) call sequences corresponding to the monitoring points, obtained by static disassembly analysis of the files in the library directory.

In a specific application scenario, the acquisition module 51 is specifically configured to: after the target official operating system is installed, install the driver, enable every service item of the target official operating system and set them to start automatically, so as to obtain the process module files of the target official operating system running in a clean environment; save the file hash value and file name directory corresponding to each process module file in a file list; and set a module load callback that loads and merges the dynamic module files loaded within a preset running duration into the file list according to their corresponding file hash values and file name directories.

In a specific application scenario, the sending module 52 is specifically configured to save the corresponding files in the library directory according to the file hash values and file name directories in the file list.

In a specific application scenario, the sending module 52 is further configured to obtain the corresponding files according to the file hash values and file name directories in the file list, and to save the obtained files in the corresponding folder in the library directory according to the operating system version number, operating system edition number and current system bitness of the target official operating system.

In a specific application scenario, the sending module 52 is further configured to upload the file to the library directory via FTP or SFTP if the file size exceeds a preset threshold.

It should be noted that, for other descriptions of the functional units of the client-side processing apparatus for a static security feature database provided by this embodiment, reference may be made to the corresponding descriptions of Figures 4 and 6, which are not repeated here.

基于上述如图1所示方法,相应的,本申请实施例还提供了一种存储介质,其上存储有计算机程序,该程序被处理器执行时实现上述如图1所示的可应用于服务端侧的静态安全特征数据库的处理方法。基于上述如图4和图6所示方法,本申请实施例还提供了另一种存储介质,其上存储有计算机程序,该程序被处理器执行时实现上述如图4和图6所示的可应用于客户端侧的静态安全特征数据库的处理方法。Based on the above method shown in FIG. 1 , correspondingly, an embodiment of the present application further provides a storage medium on which a computer program is stored, and when the program is executed by a processor, the above applicable service shown in FIG. 1 is implemented. The processing method of the static security feature database on the terminal side. Based on the above methods shown in FIG. 4 and FIG. 6 , the embodiment of the present application further provides another storage medium on which a computer program is stored, and when the program is executed by a processor, the above-mentioned methods shown in FIG. 4 and FIG. 6 are realized. A processing method applicable to the static security feature database on the client side.

基于这样的理解,本申请的技术方案可以以软件产品的形式体现出来,该软件产品可以存储在一个非易失性存储介质(可以是CD-ROM,U盘,移动硬盘等)中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本申请各个实施场景的方法。Based on this understanding, the technical solution of the present application can be embodied in the form of a software product, and the software product can be stored in a non-volatile storage medium (which may be CD-ROM, U disk, mobile hard disk, etc.), including several The instructions are used to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods of various implementation scenarios of the present application.

基于上述如图1所示的方法,以及图7所示的虚拟装置实施例,为了实现上述目的,本申请实施例还提供了一种服务器,具体可以为计算机、服务器设备、或其他网络设备等。该设备包括存储介质和处理器;存储介质,用于存储计算机程序;处理器,用于执行计算机程序以实现上述如图1所示的可应用于服务端侧的静态安全特征数据库的处理方法。Based on the above method shown in FIG. 1 and the virtual device embodiment shown in FIG. 7 , in order to achieve the above purpose, an embodiment of the present application further provides a server, which may specifically be a computer, server equipment, or other network equipment, etc. . The device includes a storage medium and a processor; the storage medium is used to store a computer program; and the processor is used to execute the computer program to implement the above-mentioned processing method of the static security feature database on the server side as shown in FIG. 1 .

基于上述如图4和图6所示的方法,以及图8所示的虚拟装置实施例,为了实现上述目的,本申请实施例还提供了一种客户端设备,具体可以为个人计算机、笔记本电脑、平板电脑、智能手机、或其他网络设备等,该客户端设备包括存储介质和处理器;存储介质,用于存储计算机程序;处理器,用于执行计算机程序以实现上述如图4和图6所示的可应用于客户端侧的静态安全特征数据库的处理方法。Based on the methods shown in FIG. 4 and FIG. 6 and the virtual device embodiment shown in FIG. 8 , in order to achieve the above purpose, an embodiment of the present application further provides a client device, which may specifically be a personal computer, a notebook computer , tablet computer, smart phone, or other network equipment, etc., the client device includes a storage medium and a processor; a storage medium for storing a computer program; a processor for executing the computer program to achieve the above-mentioned Figures 4 and 6 The shown processing method can be applied to the static security feature database on the client side.

可选的,上述两种实体设备都还可以包括用户接口、网络接口、摄像头、射频(Radio Frequency,RF)电路,传感器、音频电路、WI-FI模块等等。用户接口可以包括显示屏(Display)、输入单元比如键盘(Keyboard)等,可选用户接口还可以包括USB接口、读卡器接口等。网络接口可选的可以包括标准的有线接口、无线接口(如WI-FI接口)等。Optionally, both of the above two physical devices may further include a user interface, a network interface, a camera, a radio frequency (Radio Frequency, RF) circuit, a sensor, an audio circuit, a WI-FI module, and the like. The user interface may include a display screen (Display), an input unit such as a keyboard (Keyboard), etc., and the optional user interface may also include a USB interface, a card reader interface, and the like. Optional network interfaces may include standard wired interfaces, wireless interfaces (such as WI-FI interfaces), and the like.

本领域技术人员可以理解,本实施例提供的一种客户端设备和服务器的实体设备结构并不构成对这两种实体设备的限定,可以包括更多或更少的部件,或者组合某些部件,或者不同的部件布置。Those skilled in the art can understand that the physical device structure of a client device and a server provided in this embodiment does not constitute a limitation on the two physical devices, and may include more or less components, or combine some components , or a different component arrangement.

存储介质中还可以包括操作系统、网络通信模块。操作系统是管理上述两个实体设备硬件和软件资源的程序,支持信息处理程序以及其它软件和/或程序的运行。网络通信模块用于实现存储介质内部各组件之间的通信,以及与信息处理实体设备中其它硬件和软件之间通信。The storage medium may also include an operating system and a network communication module. The operating system is a program that manages the hardware and software resources of the above two physical devices, and supports the operation of information processing programs and other software and/or programs. The network communication module is used to realize the communication between various components in the storage medium, as well as the communication with other hardware and software in the information processing entity device.

基于上述内容,进一步的,本申请实施例还提供了一种静态安全特征数据库的处理系统,如图9所示,该系统包括:服务器61、客户端设备62;Based on the above content, further, an embodiment of the present application further provides a processing system for a static security feature database. As shown in FIG. 9 , the system includes: a server 61 and a client device 62;

其中,服务器61可用于执行如图1所示的方法,客户端设备62可用于执行如图4和图6所示的方法。The server 61 may be used to execute the method shown in FIG. 1 , and the client device 62 may be used to execute the method shown in FIG. 4 and FIG. 6 .

客户端设备62,可用于获取安装的目标官方操作系统在干净环境下内存中运行的文件;然后将所述文件上传至服务器61的制库目录中。The client device 62 can be used to obtain the files running in the memory of the installed target official operating system in a clean environment; and then upload the files to the library directory of the server 61 .

服务器61,可用于首先读取制库目录中预先收集的文件,其中,所述制库目录中包含不同版本的目标官方操作系统在干净环境下内存中运行的文件;然后对读取到的所述文件进行静态反汇编分析,得到监控点对应的API调用序列;最后根据所述API调用序列,创建静态安全特征数据库。The server 61 can be used to first read the files collected in advance in the library directory, wherein the library directory contains files of different versions of the target official operating system running in the memory in a clean environment; Perform static disassembly analysis on the description file to obtain the API call sequence corresponding to the monitoring point; finally, create a static security feature database according to the API call sequence.

通过以上的实施方式的描述,本领域的技术人员可以清楚地了解到本申请可以借助软件加必要的通用硬件平台的方式来实现,也可以通过硬件实现。通过应用本申请的技术方案,相应于提供了一种静态指令序列特征自动化制库方案。通过规范系统安装版本、安装环境,文件收集方法,采取静态分析方式获取完整程序指令执行序列并按指定规则制作静态指令序列特征库,以自动化的方式产出并校验。可满足静态指令序列特征匹配需要,自动化生成基础库或增量库。后续创建的数据库可应用于基于指令执行序列特征匹配的所有场景。From the description of the above embodiments, those skilled in the art can clearly understand that the present application can be implemented by means of software plus a necessary general hardware platform, and can also be implemented by hardware. By applying the technical solution of the present application, a solution for automatic library preparation of static instruction sequence features is provided correspondingly. By standardizing the system installation version, installation environment, and file collection method, static analysis is used to obtain the complete program instruction execution sequence, and a static instruction sequence feature library is created according to the specified rules, which is automatically produced and verified. It can meet the needs of static instruction sequence feature matching, and automatically generate basic library or incremental library. The subsequently created database can be applied to all scenarios based on instruction execution sequence feature matching.

Those skilled in the art can understand that the accompanying drawings are only schematic diagrams of a preferred implementation scenario, and that the modules or flows in the drawings are not necessarily required to implement the present application. Those skilled in the art can understand that the modules of the apparatus in an implementation scenario may be distributed in that apparatus as described, or may, with corresponding changes, be located in one or more apparatuses different from those of the present implementation scenario. The modules of the above implementation scenarios may be merged into one module or further split into multiple sub-modules.

The above serial numbers of the present application are for description only and do not represent the merits of the implementation scenarios. The above disclosure is only a few specific implementation scenarios of the present application; however, the present application is not limited thereto, and any variation that a person skilled in the art can conceive shall fall within the protection scope of the present application.

Claims (29)

1. A method for processing a static security feature database, comprising:
reading files collected in advance in a library-making directory, wherein the library-making directory comprises files of target official operating systems of different versions running in memory in a clean environment, and the files are obtained by installing and running the target official operating systems of different versions on a terminal; performing static disassembly analysis on the read files to obtain an application program interface (API) call sequence corresponding to a monitoring point;
creating a static security feature database according to the API call sequence;
wherein the terminal acquiring the files of the installed target official operating system running in memory in a clean environment specifically comprises:
after the target official operating system is installed, the terminal installing a driver, starting each service item of the target official operating system and setting them to self-start, so as to obtain each process module file when the target official operating system runs in a clean environment;
the terminal storing the file hash value and file path corresponding to each process module file in a file list;
and the terminal setting a module-load callback, and loading and merging the dynamic module files loaded within a preset running time into the file list according to their corresponding file hash values and file paths.
2. The method according to claim 1, wherein performing static disassembly analysis on the read files to obtain the API call sequence corresponding to the monitoring point specifically comprises:
performing static disassembly analysis on the read files, and acquiring a key API matching a preset key API list as the monitoring point;
and backtracking from the key API to a preset level, and acquiring the API call sequence corresponding to the key API.
3. The method of claim 1, wherein after creating the static security feature database, the method further comprises:
acquiring a target API call sequence of a behavior to be detected;
matching the target API call sequence against the API call sequences in the static security feature database;
and if no matching API call sequence exists in the static security feature database, determining that the behavior to be detected is a suspected abnormal behavior and triggering a corresponding alarm.
4. The method of claim 1, wherein the library-making directory further comprises updated files that run in memory in a clean environment after the target official operating system has installed a patch.
5. The method of claim 1, wherein the library-making directory further comprises new files generated in memory when different legitimate versions of software are run separately in the target official operating system in a clean environment.
6. The method of claim 1, wherein the library-making directory further comprises files of different versions of other official operating systems running in memory in a clean environment.
7. The method of claim 6, wherein the library-making directory further comprises updated files that run in memory in a clean environment after the other official operating systems have installed patches.
8. The method of claim 6, wherein the library-making directory further comprises new files generated in memory when different legitimate versions of software are run separately in the other official operating systems in a clean environment.
9. A method for processing a static security feature database, comprising:
acquiring files of an installed target official operating system running in memory in a clean environment;
uploading the files to a library-making directory, wherein the library-making directory comprises files of target official operating systems of different versions running in memory in a clean environment, so that a static security feature database is created according to an application program interface (API) call sequence corresponding to a monitoring point, which is obtained by static disassembly analysis of the files in the library-making directory;
wherein acquiring the files of the installed target official operating system running in memory in a clean environment specifically comprises:
after the target official operating system is installed, installing a driver, starting each service item of the target official operating system and setting them to self-start, so as to obtain each process module file when the target official operating system runs in a clean environment;
storing the file hash value and file path corresponding to each process module file in a file list;
and setting a module-load callback, and loading and merging the dynamic module files loaded within a preset running time into the file list according to their corresponding file hash values and file paths.
10. The method according to claim 9, wherein uploading the files to the library-making directory specifically comprises:
storing the corresponding files in the library-making directory according to the file hash values and file paths in the file list.
11. The method according to claim 10, wherein storing the corresponding files in the library-making directory according to the file hash values and file paths in the file list specifically comprises:
acquiring the corresponding files according to the file hash values and file paths in the file list;
and storing the acquired files in the corresponding folder of the library-making directory according to the operating system version number, the operating system edition number and the system bitness (32- or 64-bit) corresponding to the target official operating system.
12. The method according to claim 9, wherein, if the file size is larger than a preset threshold, uploading the files to the library-making directory specifically comprises:
uploading the files to the library-making directory through the File Transfer Protocol (FTP) or SFTP (the SSH File Transfer Protocol).
13. A processing apparatus for a static security feature database, comprising:
a reading module, used for reading files collected in advance in a library-making directory, wherein the library-making directory comprises files of target official operating systems of different versions running in memory in a clean environment, and the files are obtained by installing and running the target official operating systems of different versions on a terminal;
an analysis module, used for performing static disassembly analysis on the read files to obtain an application program interface (API) call sequence corresponding to a monitoring point;
a creating module, used for creating a static security feature database according to the API call sequence;
wherein, after the target official operating system is installed, the terminal installs a driver, starts each service item of the target official operating system and sets them to self-start, so as to obtain each process module file when the target official operating system runs in a clean environment;
the terminal stores the file hash value and file path corresponding to each process module file in a file list;
and the terminal sets a module-load callback, and loads and merges the dynamic module files loaded within a preset running time into the file list according to their corresponding file hash values and file paths.
14. The apparatus of claim 13, wherein
the analysis module is specifically configured to perform static disassembly analysis on the read files and acquire a key API matching a preset key API list as the monitoring point;
and to backtrack from the key API to a preset level and acquire the API call sequence corresponding to the key API.
15. The apparatus of claim 13, further comprising:
an acquisition module, used for acquiring a target API call sequence of a behavior to be detected after the static security feature database is created;
a matching module, used for matching the target API call sequence against the API call sequences in the static security feature database;
and a determining module, used for determining that the behavior to be detected is a suspected abnormal behavior and triggering a corresponding alarm if no matching API call sequence exists in the static security feature database.
16. The apparatus of claim 13, wherein the library-making directory further comprises updated files that run in memory in a clean environment after the target official operating system has installed a patch.
17. The apparatus of claim 13, wherein the library-making directory further comprises new files generated in memory when different legitimate versions of software are run separately in the target official operating system in a clean environment.
18. The apparatus of claim 13, wherein the library-making directory further comprises files of different versions of other official operating systems running in memory in a clean environment.
19. The apparatus of claim 18, wherein the library-making directory further comprises updated files that run in memory in a clean environment after the other official operating systems have installed patches.
20. The apparatus of claim 18, wherein the library-making directory further comprises new files generated in memory when different legitimate versions of software are run separately in the other official operating systems in a clean environment.
21. A processing apparatus for a static security feature database, comprising:
an acquisition module, used for acquiring files of an installed target official operating system running in memory in a clean environment;
a sending module, used for uploading the files to a library-making directory, wherein the library-making directory comprises files of target official operating systems of different versions running in memory in a clean environment, so that a static security feature database is created according to an application program interface (API) call sequence corresponding to a monitoring point, which is obtained by static disassembly analysis of the files in the library-making directory;
wherein the acquisition module is specifically configured to, after the target official operating system is installed, install a driver, start each service item of the target official operating system and set them to self-start, so as to acquire each process module file when the target official operating system runs in a clean environment;
to store the file hash value and file path corresponding to each process module file in a file list;
and to set a module-load callback, and load and merge the dynamic module files loaded within a preset running time into the file list according to their corresponding file hash values and file paths.
22. The apparatus of claim 21, wherein
the sending module is specifically configured to store the corresponding files in the library-making directory according to the file hash values and file paths in the file list.
23. The apparatus of claim 22, wherein
the sending module is further specifically configured to acquire the corresponding files according to the file hash values and file paths in the file list;
and to store the acquired files in the corresponding folder of the library-making directory according to the operating system version number, the operating system edition number and the system bitness (32- or 64-bit) corresponding to the target official operating system.
24. The apparatus of claim 21, wherein
the sending module is specifically configured to upload the files to the library-making directory through the File Transfer Protocol (FTP) or SFTP (the SSH File Transfer Protocol) if the size of the files is greater than a preset threshold.
25. A storage medium on which a computer program is stored, which program, when being executed by a processor, carries out the method of processing a static security feature database according to any one of claims 1 to 8.
26. A server comprising a storage medium, a processor and a computer program stored on the storage medium and executable on the processor, wherein the processor implements the processing method of the static security feature database according to any one of claims 1 to 8 when executing the program.
27. A storage medium on which a computer program is stored, which program, when being executed by a processor, carries out the method of processing a static security feature database according to any one of claims 9 to 12.
28. A client device comprising a storage medium, a processor and a computer program stored on the storage medium and executable on the processor, wherein the processor implements the processing method of the static security feature database according to any one of claims 9 to 12 when executing the program.
29. A system for processing a static security feature database, comprising: a server as claimed in claim 26 and a client device as claimed in claim 28.
CN201910755851.XA 2019-08-15 2019-08-15 Processing method, device and system for static security feature database Active CN112395602B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910755851.XA CN112395602B (en) 2019-08-15 2019-08-15 Processing method, device and system for static security feature database

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910755851.XA CN112395602B (en) 2019-08-15 2019-08-15 Processing method, device and system for static security feature database

Publications (2)

Publication Number Publication Date
CN112395602A CN112395602A (en) 2021-02-23
CN112395602B true CN112395602B (en) 2022-09-30

Family

ID=74601794

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910755851.XA Active CN112395602B (en) 2019-08-15 2019-08-15 Processing method, device and system for static security feature database

Country Status (1)

Country Link
CN (1) CN112395602B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US12265526B2 (en) 2022-03-31 2025-04-01 Sophos Limited Methods and apparatus for natural language interface for constructing complex database queries
US12204870B2 (en) 2022-03-31 2025-01-21 Sophos Limited Natural language analysis of a command line using a machine learning model to generate a natural language description of the command line
US12130923B2 (en) 2022-03-31 2024-10-29 Sophos Limited Methods and apparatus for augmenting training data using large language models

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101984450A (en) * 2010-12-15 2011-03-09 北京安天电子设备有限公司 Malicious code detection method and system
CN102034050A (en) * 2011-01-25 2011-04-27 四川大学 Dynamic malicious software detection method based on virtual machine and sensitive Native application programming interface (API) calling perception
CN104243214A (en) * 2014-09-28 2014-12-24 北京奇虎科技有限公司 Data processing method, device and system
CN105229661A (en) * 2013-07-31 2016-01-06 惠普发展公司,有限责任合伙企业 Malware is determined based on signal mark

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101359352B (en) * 2008-09-25 2010-08-25 中国人民解放军信息工程大学 API use action discovering and malice deciding method after confusion of multi-tier synergism
AU2011293160B2 (en) * 2010-08-26 2015-04-09 Verisign, Inc. Method and system for automatic detection and analysis of malware
CN109815701B (en) * 2018-12-29 2022-04-22 奇安信安全技术(珠海)有限公司 Software security detection method, client, system and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
一种针对Android平台恶意代码的检测方法及系统实现;胡文君等;《西安交通大学学报》;20130703(第10期);第38-39页 *

Also Published As

Publication number Publication date
CN112395602A (en) 2021-02-23

Similar Documents

Publication Publication Date Title
US9215245B1 (en) Exploration system and method for analyzing behavior of binary executable programs
JP5802848B2 (en) Computer-implemented method, non-temporary computer-readable medium and computer system for identifying Trojanized applications (apps) for mobile environments
WO2021072861A1 (en) Application service processing method and apparatus, and terminal and storage medium
JP2017511923A (en) Virus processing method, apparatus, system, device, and computer storage medium
US20120102569A1 (en) Computer system analysis method and apparatus
Bommisetty et al. Practical mobile forensics
CN112395602B (en) Processing method, device and system for static security feature database
WO2014139300A1 (en) Method and device for loading a plug-in
CN102819713A (en) Method and system for detecting security of popup window
CN104572327A (en) Method, device and system for processing browser crash
CN110213234B (en) Application program file developer identification method, device, equipment and storage medium
CN103544434A (en) Method and terminal used for ensuring safe operation of application program
CN111597557B (en) Method, system, device, equipment and storage medium for detecting malicious application program
WO2017107961A1 (en) Backup system and method
CN113961936A (en) Trusted whitelist construction method, system, device and computer equipment
CN111563257A (en) Data detection method and device, computer readable medium and terminal equipment
CN108255735A (en) Associated environment test method, electronic device and computer readable storage medium
US9336025B2 (en) Systems and methods of analyzing a software component
CN110008698B (en) Virus detection method and device
Geus et al. Systematic evaluation of forensic data acquisition using smartphone local backup
CN103365674B (en) A kind of plug-in management method based on mobile terminal, device and system
Vecchiato et al. A security configuration assessment for android devices
US9280369B1 (en) Systems and methods of analyzing a software component
CN105956050B (en) A kind of method of data capture, device and equipment
CN109714371B (en) Industrial control network safety detection system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant