CN110008701A - Static detection Rules extraction method and detection method based on ELF file characteristic - Google Patents


Info

Publication number: CN110008701A
Authority: CN (China)
Prior art keywords: value, elf, elf file, feature, static
Legal status: Granted
Application number: CN201910212116.4A
Other languages: Chinese (zh)
Other versions: CN110008701B (en)
Inventors: 文伟平, 李经纬
Current assignee: Peking University
Original assignee: Peking University
Events: application filed by Peking University; priority to CN201910212116.4A; publication of CN110008701A; application granted; publication of CN110008701B; current legal status: Expired - Fee Related

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/25 Integrating or interfacing systems involving database management systems
    • G06F16/254 Extract, transform and load [ETL] procedures, e.g. ETL data flows in data warehouses
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection

Abstract

The invention discloses a static detection rule extraction method and a static detection method based on ELF file characteristics. The ELF files in a sample library are parsed to extract the static structure attribute content of the ELF header, of the program header table and of the section header table; the detection rules contained in the resulting feature dictionary list are then extracted automatically. The system of the invention comprises an ELF file parsing subsystem and a static detection rule base generation subsystem. Starting from an ELF file sample library that contains both normal and malicious files, the invention automatically extracts the static detection rules present in ELF files on the Linux platform, and then uses those static detection rules to detect software on the Linux platform that contains malicious ELF files. It solves the problem that manual extraction of detection rules is too inefficient, and can be applied to building static detection rule bases and to file detection for ELF files on the Linux platform.

Description

Static detection Rules extraction method and detection method based on ELF file characteristic
Technical field
The present invention relates to the field of computer security, and in particular to a static detection rule extraction method based on ELF file characteristics, a rule base construction method, a device, and a static detection method.
Background technique
Linux is an open-source operating system based on Unix. Today the vast majority of servers run some version of the Linux operating system, and while they provide services to users they have gradually attracted the attention of hackers. At the same time, because of its openness, vulnerabilities present in Linux systems have gradually been exposed; as Linux systems receive ever more attention, their security problems also increase day by day, and the amount of malware targeting the Linux operating system has risen sharply. ELF (Executable and Linking Format) is a standard file format for executable files, object files, shared libraries and core dumps, and it is the most important executable file format in the Linux operating system. As the security problems of Linux systems keep being exposed, software containing malicious ELF files is produced in large quantities on the Linux platform, yet the industry lacks detection rules for malicious ELF files that could be used to rapidly detect, at scale, whether software on the Linux platform is malicious.
At present malware is detected automatically mainly on the basis of rules, which are in turn divided into dynamic rules and static rules. Dynamic rules mainly take the form of behaviour of a malicious nature that the malware exhibits during dynamic execution, such as file-operation behaviour and network-connection behaviour, but detection efficiency is often too low. Static rules mainly take the form of special strings, special functions, special keywords, file hash values and the like contained in the malware's code; detection based on static rules is fast and has a high accuracy rate. Automatically generating static detection rules for malicious ELF files and building a malicious static rule base would therefore be useful for rapidly detecting and removing malware on the Linux platform. At present, however, static detection rules are mainly extracted manually, and the industry still lacks an effective solution for automatically extracting static detection rules from large numbers of normal and malicious ELF files.
Summary of the invention
To overcome the deficiencies of the prior art described above, the present invention provides a malware static detection rule extraction method and device based on ELF file characteristics. Starting from an ELF file sample library containing both normal and malicious files, it can automatically extract the static detection rules present in ELF files on the Linux platform, and then detect software containing malicious ELF files on the Linux platform on the basis of those static detection rules.
The present invention provides a malware static detection rule extraction method and device based on ELF file characteristics.
The detection rule extraction method comprises the following stages:
Stage one: parse the ELF file sample library and extract its static structure features;
where the ELF file sample library contains normal ELF file samples and malicious ELF file samples.
Stage two: automatically generate static detection rules.
Stage one comprises the following steps:
Step 1: parse the ELF files in the sample library and extract the static structure attribute content of the ELF header (ELF Header);
Step 2: parse the ELF files in the sample library and extract the static structure attribute content of the ELF program header table (Program Header);
Step 3: parse the ELF files in the sample library and extract the static structure attribute content of the ELF section header table (Section Header).
Stage two comprises the following steps:
Step 4: perform feature processing on the static structure attributes extracted from the ELF files in the sample library, carrying out the following operations:
41) Simplify the static structure attributes by feature reduction: mainly retain the static structure attribute features that are more effective for distinguishing normal ELF files from malicious ELF files and remove redundant features, obtaining the reduced feature set.
For example, if the values Value_i of some static structure attribute feature F_i are very similar in normal ELF files and in malicious ELF files, that feature is not effective for identifying malicious ELF files; the validity of each feature is calculated, and the redundant features with lower validity are removed.
42) Based on the reduced feature set, generate one feature dictionary for each ELF file in the ELF sample library. For example, if the ELF sample library contains m ELF files, the feature dictionary generated for the j-th ELF file has the structure Dictory_j = {Filename: filename, F_1: Value_1, …, F_i: Value_i, …, F_n: Value_n}, where j ∈ [1, m] and i ∈ [1, n]. The feature dictionary generated for each ELF file consists of the ELF filename key-value pair Filename: filename and the set of feature key-value pairs {F_1: Value_1, …, F_i: Value_i, …, F_n: Value_n} contained in that ELF file; the feature key-value pair set consists of n feature key-value pairs, where the feature key F_i is the name of a static structure attribute of the ELF file extracted in steps 1, 2 and 3, and the feature value Value_i is the content of attribute F_i in that ELF file.
Further, the feature dictionaries of all ELF files in the ELF sample library are combined into a dictionary list [Dictory_1, …, Dictory_j, …, Dictory_m], where Dictory_j stands for the feature dictionary {Filename: filename, F_1: Value_1, …, F_i: Value_i, …, F_n: Value_n} of the j-th ELF file and m is the total number of ELF files in the ELF sample library.
Step 5: based on the processed static structure attributes, automatically extract the detection rules contained in the feature dictionary list. The specific steps are as follows:
51) First find all the distinct feature key-value pairs {F_i: Value_i} in the feature dictionary list, form the one-item feature key-value pair set C_1 = {F_1: Value_1, F_2: Value_2, F_3: Value_3, …}, and count the frequency with which each element {F_i: Value_i} of C_1 occurs in the feature dictionary list;
52) Set a minimum support threshold (for example 0.9) and simplify C_1 as follows: "if the occurrence frequency of an element of C_1 is below the minimum support threshold (less than 0.9), remove that element";
53) Combine all elements of C_1 pairwise into two-item feature key-value pairs {F_i: Value_i, F_j: Value_j}, forming the two-item feature key-value pair set C_2, and count the frequency with which each element {F_i: Value_i, F_j: Value_j} of C_2 occurs in the feature dictionary list;
54) Simplify C_2 as follows: "if the occurrence frequency of an element of C_2 is below the minimum support threshold (less than 0.9), remove that element";
55) Combine all elements of C_2 pairwise into three-item feature key-value pairs {F_i: Value_i, F_j: Value_j, F_k: Value_k}, forming the three-item feature key-value pair set C_3, and count the frequency with which each element {F_i: Value_i, F_j: Value_j, F_k: Value_k} of C_3 occurs in the feature dictionary list;
56) Simplify C_3 as follows: "if the occurrence frequency of an element of C_3 is below the minimum support threshold (less than 0.9), or a subset of that element does not belong to C_1 or C_2, remove that element";
57) Recursively generate the N-item feature key-value pair set C_n by the above process, stopping when the generated C_n is the empty set.
58) Merge the one-item feature key-value pair set C_1, the two-item feature key-value pair set C_2 and so on up to the N-item feature key-value pair set C_n obtained in the steps above into the final feature key-value pair set C, i.e. C = C_1 ∪ C_2 ∪ … ∪ C_n.
Step 6: screen the feature key-value pair set C and generate the static detection rules usable for ELF file detection, forming the static detection rule base.
Specifically, all elements of the feature key-value pair set C are screened: elements whose occurrence frequency in the malicious ELF files of the sample library is 0 are retained as white-list rules, and elements whose occurrence frequency in the normal ELF files of the sample library is 0 are retained as black-list rules; the black-list and white-list rules together form the static detection rule base. Finally, an ELF file to be detected is matched against the rules in the static detection rule base: an ELF file that matches a black-list rule is judged to be a malicious sample, and an ELF file that matches a white-list rule is judged to be a normal sample.
Using the above static detection rule base construction method based on ELF file characteristics, the present invention also provides a static detection rule base construction device based on ELF file characteristics, comprising the following subsystems:
Subsystem one: the ELF file parsing subsystem;
Subsystem two: the static detection rule base generation subsystem.
Subsystem one comprises the following modules:
Module one, the ELF header static structure attribute extraction module, which parses according to the ELF file format the static structure attribute content recorded in the ELF header, including the attributes e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_ehsize, e_phnum and e_shnum;
Module two, the program header table static structure attribute extraction module, which parses according to the ELF file format the static structure attribute content recorded in program header table entries such as PHDR, LOAD, DYNAMIC and EXIDX, including the attributes p_type, p_offset, p_filesz, p_memsz, p_flags and p_align;
Module three, the section header table static structure attribute extraction module, which parses according to the ELF file format the static structure attribute content recorded in section header table entries such as dynsym, dynstr, rel, plt, text, rodata, dynamic, data and bss, including sh_type, sh_flags, sh_addr, sh_offset, sh_size and sh_addralign.
Subsystem two comprises the following modules:
Module four, the static structure attribute feature processing module, which processes the static structure attribute features on the basis of their validity and removes the features of lower validity;
Module five, the detection rule extraction module, which, from the processed static structure attributes, automatically extracts the feature key-value pair sets contained in the feature dictionary list;
Module six, the detection rule base generation module, which screens the feature key-value pair sets to generate the static detection rules usable for ELF file detection, forming the static detection rule base.
Beneficial effects of the present invention:
The present invention provides a static detection rule base construction method and device based on ELF file characteristics. Starting from an ELF file sample library containing normal and malicious files, it automatically extracts the static detection rules present in ELF files on the Linux platform, and then detects software containing malicious ELF files on the Linux platform on the basis of those static detection rules. With the technical scheme of the invention, static structure attribute features can be extracted from the normal and malicious ELF files of an existing ELF file sample library and detection rules for malicious ELF files generated automatically, which solves the problem that manual extraction of detection rules is too inefficient; it can be applied to building static detection rule bases for ELF files on the Linux platform.
Detailed description of the invention
Fig. 1 is a flow chart of the detection rule extraction method of the present invention.
Fig. 2 is a system architecture diagram of the detection rule extraction device of the present invention.
Specific embodiment
The present invention is further described below with reference to the drawings and a specific embodiment.
A specific embodiment of the invention is as follows:
Stage one: parse the ELF file sample library and extract its static structure features;
Stage two: automatically generate static detection rules.
Stage one comprises the following steps:
Step 1: establish a sample library {filename_1, …, filename_j, …, filename_m} containing m ELF files, the file types in the sample library including normal samples and malicious samples. Parse the ELF files in the sample library and extract the static structure attribute content of the ELF header (ELF Header); the extracted features include but are not limited to:
the content of the e_type attribute in the ELF header, which indicates the file type;
the content of the e_machine attribute in the ELF header, which indicates the architecture required to run the file;
the content of the e_version attribute in the ELF header, which indicates the file version;
the content of the e_entry attribute in the ELF header, which indicates the program entry address;
the content of the e_phoff attribute in the ELF header, which records the offset of the program header table (Program Header);
the content of the e_shoff attribute in the ELF header, which records the offset of the section header table (Section Header);
the content of the e_ehsize attribute in the ELF header, which records the size of the file header (ELF Header);
the content of the e_phnum attribute in the ELF header, which records the number of entries in the program header table (Program Header);
the content of the e_shnum attribute in the ELF header, which records the number of entries in the section header table (Section Header).
Step 2: parse the ELF files in the sample library and extract the static structure attribute content of program header table (Program Header) entries such as PHDR, LOAD, DYNAMIC and EXIDX; the extracted features include but are not limited to:
the content of the p_type attribute in the program header table, which records the segment type;
the content of the p_offset attribute in the program header table, which records the offset of the segment's first byte in the file;
the content of the p_offset attribute in the program header table, which records the offset of the segment's first byte in memory;
the content of the p_filesz attribute in the program header table, which records the length of the segment in the file;
the content of the p_memsz attribute in the program header table, which records the length of the segment in memory;
the content of the p_flags attribute in the program header table, which records the segment's flag bits;
the content of the p_align attribute in the program header table, which records how the segment is aligned in the file and in memory.
Step 3: parse the ELF files in the sample library and extract the static structure attribute content of section header table (Section Header) entries such as dynsym, dynstr, rel, plt, text, rodata, dynamic, data and bss; the extracted features include but are not limited to:
the content of the sh_type attribute in the section header table, which records the section's category;
the content of the sh_flags attribute in the section header table, which records the section's type flags;
the content of the sh_addr attribute in the section header table, which records the section's offset in memory relative to the base address;
the content of the sh_offset attribute in the section header table, which records the section's byte offset from the start of the file;
the content of the sh_size attribute in the section header table, which records the section's size;
the content of the sh_addralign attribute in the section header table, which records the section's address alignment information.
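As an added worked example of steps 1 to 3 (illustrative code written for this page, not the patent's own implementation), the following Python parser reads the ELF header, every program header entry and every section header entry of a little-endian ELF64 file and emits the feature dictionary {Filename: filename, F_1: Value_1, …} that step 4 consumes, using the attribute names listed above. The struct layouts come from the standard ELF specification; the key prefixes (LOAD.p_flags, text.sh_type and so on), the helper names and the hand-built sample image returned by build_sample_elf() are this example's own assumptions. Header records that point outside the file, as truncated or deliberately malformed samples produce, are rejected with ValueError rather than crashing the extractor.

```python
import struct
from typing import Any, Dict

# struct layouts of the ELF64 little-endian header records (from the ELF specification)
EHDR_FMT, PHDR_FMT, SHDR_FMT = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<IIQQQQIIQQ"
EHDR_FIELDS = ("e_ident", "e_type", "e_machine", "e_version", "e_entry", "e_phoff",
               "e_shoff", "e_flags", "e_ehsize", "e_phentsize", "e_phnum",
               "e_shentsize", "e_shnum", "e_shstrndx")
PHDR_FIELDS = ("p_type", "p_flags", "p_offset", "p_vaddr", "p_paddr",
               "p_filesz", "p_memsz", "p_align")
SHDR_FIELDS = ("sh_name", "sh_type", "sh_flags", "sh_addr", "sh_offset",
               "sh_size", "sh_link", "sh_info", "sh_addralign", "sh_entsize")
# the attributes the text lists for steps 1, 2 and 3
EHDR_ATTRS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff",
              "e_shoff", "e_ehsize", "e_phnum", "e_shnum")
PHDR_ATTRS = ("p_type", "p_offset", "p_filesz", "p_memsz", "p_flags", "p_align")
SHDR_ATTRS = ("sh_type", "sh_flags", "sh_addr", "sh_offset", "sh_size", "sh_addralign")
PT_NAMES = {1: "LOAD", 2: "DYNAMIC", 6: "PHDR", 0x70000001: "EXIDX"}   # p_type -> key prefix


def _record(fmt: str, data: bytes, off: int, fields) -> Dict[str, Any]:
    """Unpack one header record; a record that lies outside the file is rejected."""
    size = struct.calcsize(fmt)
    if off < 0 or off + size > len(data):
        raise ValueError(f"header record at offset {off:#x} lies outside the file")
    return dict(zip(fields, struct.unpack_from(fmt, data, off)))


def extract_features(data: bytes, filename: str) -> Dict[str, Any]:
    """Steps 1-3: build the feature dictionary {Filename, F_1: Value_1, ...} of one ELF64 file."""
    if len(data) < 16 or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 files are handled by this example")
    eh = _record(EHDR_FMT, data, 0, EHDR_FIELDS)
    if (eh["e_phnum"] and eh["e_phentsize"] < struct.calcsize(PHDR_FMT)) or \
       (eh["e_shnum"] and eh["e_shentsize"] < struct.calcsize(SHDR_FMT)):
        raise ValueError("implausible e_phentsize/e_shentsize")
    feats: Dict[str, Any] = {"Filename": filename}
    feats.update({k: eh[k] for k in EHDR_ATTRS})                            # step 1: ELF header
    for i in range(eh["e_phnum"]):                                           # step 2: program headers
        ph = _record(PHDR_FMT, data, eh["e_phoff"] + i * eh["e_phentsize"], PHDR_FIELDS)
        tag = PT_NAMES.get(ph["p_type"], f"PT_{ph['p_type']:#x}")
        feats.update({f"{tag}.{k}": ph[k] for k in PHDR_ATTRS})
    shdrs = [_record(SHDR_FMT, data, eh["e_shoff"] + i * eh["e_shentsize"], SHDR_FIELDS)
             for i in range(eh["e_shnum"])]
    if shdrs:                                                                # step 3: section headers
        if eh["e_shstrndx"] >= len(shdrs):
            raise ValueError("e_shstrndx does not index a section header")
        strtab = shdrs[eh["e_shstrndx"]]
        for sh in shdrs[1:]:                                 # entry 0 is the reserved null section
            start = strtab["sh_offset"] + sh["sh_name"]
            end = data.find(b"\0", start)
            if start >= len(data) or end < 0:
                raise ValueError("section name lies outside the string table")
            tag = data[start:end].decode("ascii", "replace").lstrip(".")   # ".text" -> "text"
            feats.update({f"{tag}.{k}": sh[k] for k in SHDR_ATTRS})
    return feats


def build_sample_elf(e_entry: int = 0x401000) -> bytes:
    """Constructed ELF64 image (hand-built for this example, not a real binary):
    one PT_LOAD segment plus the sections .text and .shstrtab."""
    shstrtab = b"\0.text\0.shstrtab\0"
    phoff, stroff, shoff = 64, 120, 144
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8        # ELFCLASS64, little-endian, EV_CURRENT
    ehdr = struct.pack(EHDR_FMT, ident, 2, 62, 1, e_entry, phoff, shoff, 0,
                       64, 56, 1, 64, 3, 2)                      # ET_EXEC, EM_X86_64, 1 phdr, 3 shdrs
    phdr = struct.pack(PHDR_FMT, 1, 5, 0, 0x400000, 0x400000, 336, 336, 0x1000)   # PT_LOAD, R+X
    image = ehdr + phdr + shstrtab
    image += b"\0" * (shoff - len(image))
    image += struct.pack(SHDR_FMT, *([0] * 10))                                        # SHT_NULL
    image += struct.pack(SHDR_FMT, 1, 1, 6, e_entry, 0x1000, 0x20, 0, 0, 16, 0)        # .text
    image += struct.pack(SHDR_FMT, 7, 3, 0, 0, stroff, len(shstrtab), 0, 0, 1, 0)      # .shstrtab
    return image


if __name__ == "__main__":
    for key, value in extract_features(build_sample_elf(), "sample.elf").items():
        print(f"{key}: {value}")
```

In a real pipeline extract_features() would be run over every file in the sample library to produce the dictionary list of step 4; keying program header attributes by segment type and section attributes by section name is what lets a value such as text.sh_flags be compared across files.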
Stage two comprises the following steps:
Step 4: after features have been extracted from each ELF sample file in steps 1, 2 and 3, the file forms a primitive feature key-value pair set. For example, after feature extraction the ELF file named filename_j forms the primitive feature key-value pair set {F_1: Value_1, …, F_i: Value_i, …, F_n: Value_n}, where F_i ∈ {e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_ehsize, e_phnum, e_shnum, p_type, p_offset, p_offset, p_filesz, p_memsz, p_flags, p_align, sh_type, sh_flags, sh_addr, sh_offset, sh_size, sh_addralign} and Value_i is the value of the corresponding attribute in that ELF file.
Feature processing is then performed on the primitive feature key-value pair sets extracted from the ELF files in the sample library: the primitive feature key-value pair sets are simplified by feature reduction, mainly by retaining the static structure attribute features that are more effective for distinguishing normal ELF files from malicious ELF files and removing redundant features. The specific feature reduction method is as follows:
If the values Value_i of some static structure attribute feature F_i are very similar in normal ELF files and in malicious ELF files, that feature is not effective for identifying malicious ELF files; the validity of each feature is calculated, and the redundant features with lower validity are removed.
For example, suppose the sample library contains p normal samples and q malicious samples. The values taken by feature F_i in the p normal ELF files are denoted by the set P = {F_i: Value_i1, F_i: Value_i2, …, F_i: Value_ij, …, F_i: Value_ip}, where F_i: Value_ij in set P denotes the value of feature F_i in the j-th normal sample. The values taken by feature F_i in the q malicious ELF files are denoted by the set Q = {F_i: Value_i1, F_i: Value_i2, …, F_i: Value_ij, …, F_i: Value_iq}, where F_i: Value_ij in set Q denotes the value of feature F_i in the j-th malicious sample.
The validity of feature F_i is then U = |P ∩ Q|, i.e. the number of elements common to set P and set Q. A validity threshold is set at the same time; the threshold is adjusted manually and dynamically according to the validity of each feature extracted from the ELF files in the sample library, and the features F_i whose validity is below the threshold are removed.
Based on the reduced feature set, one feature dictionary is generated for each ELF file in the sample library. The feature dictionary is expressed as {Filename: filename, F_1: Value_1, …, F_i: Value_i, …, F_n: Value_n} and consists of the ELF filename Filename and the feature key-value pair set {F_1: Value_1, …, F_i: Value_i, …, F_n: Value_n} of that ELF file; the feature key-value pair set consists of n feature key-value pairs, where the key is the name of a static structure attribute extracted from the ELF file in steps 1, 2 and 3 and the value Value_i is the content of the corresponding attribute of that ELF file.
The feature dictionaries formed for the individual ELF files are combined into a feature dictionary list with the structure shown in the table below, where F_ji: Value_ji denotes that the value of feature F_i in file j is Value_ji:
Filename                  Feature set
Filename: filename_1      F_11: Value_11, …, F_1i: Value_1i, …, F_1n: Value_1n
Filename: filename_2      F_21: Value_21, …, F_2i: Value_2i, …, F_2n: Value_2n
…                         …
Filename: filename_j      F_j1: Value_j1, …, F_ji: Value_ji, …, F_jn: Value_jn
Step 5: based on the processed feature dictionary list, automatically extract the detection rules it contains. The specific steps are as follows:
(1) First find all the distinct feature key-value pairs in the feature dictionary list, form the one-item feature key-value pair set, and count the frequency with which each element of that set occurs in the feature dictionary list;
(2) Set a minimum support threshold (for example a value of 0.2 to 1.0, the specific value being adjusted dynamically according to the feature distribution of the samples) and remove the elements of the one-item feature key-value pair set whose occurrence frequency is below the minimum support threshold;
(3) Combine all elements of the one-item feature key-value pair set pairwise into two-item feature key-value pairs, forming the two-item feature key-value pair set, and count the frequency with which each element of the two-item set occurs in the feature dictionary list;
(4) Remove the elements of the two-item feature key-value pair set whose occurrence frequency is below the minimum support threshold;
(5) Combine all elements of the two-item feature key-value pair set pairwise into three-item feature key-value pairs, forming the three-item feature key-value pair set, and count the frequency with which each element of that set occurs in the feature dictionary list;
(6) If the occurrence frequency of an element of the three-item set is below the minimum support threshold, or a subset of that element does not belong to the one-item or the two-item feature key-value pair set, remove that element;
(7) Recursively generate the N-item feature key-value pair set by the above process, stopping when the generated N-item feature key-value pair set is the empty set.
(8) Merge the one-item feature key-value pair set, the two-item feature key-value pair set and so on up to the N-item feature key-value pair set obtained in the steps above into the final feature key-value pair set.
Step 6: screen the feature key-value pair set and generate the static detection rules usable for ELF file detection, forming the static detection rule base.
Specifically, all elements of the feature key-value pair set are screened: elements whose occurrence frequency in the malicious ELF files of the sample library is 0 are retained as white-list rules, and elements whose occurrence frequency in the normal ELF files of the sample library is 0 are retained as black-list rules; the black-list and white-list rules together form the static detection rule base, which completes the automated construction of a static detection rule base based on ELF file characteristics. Finally, an ELF file to be detected is matched against the rules in the static detection rule base: an ELF file that matches a black-list rule is judged to be a malicious sample, and an ELF file that matches a white-list rule is judged to be a normal sample.
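As an added worked example of steps 4 to 6 (serving both the summary's steps 41 to 58 and the embodiment above; illustrative code written for this page, not the patent's own implementation), the following Python code mines the feature key-value pair sets C_1, C_2, …, C_N from a list of feature dictionaries with an Apriori-style level-wise search, screens the union C into white-list and black-list rules, and matches a new feature dictionary against the rule base. The validity U = |P ∩ Q| of step 4 is computed per feature exactly as the text defines it and returned for the operator to apply the manually tuned threshold. The six sample dictionaries, their labels and the minimum support of 0.3 are constructed for the example; the black-before-white precedence in classify() is an assumption, since the text does not say which rule wins when a file matches both.

```python
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

Dictory = Dict[str, object]              # {Filename: ..., F_1: Value_1, ...}, the text's feature dictionary
ItemSet = FrozenSet[Tuple[str, object]]  # one element of C_k: k feature key-value pairs

# Constructed feature dictionaries standing in for the output of steps 1-3
# (illustrative values, not measurements of real binaries).
SAMPLES: List[Tuple[str, Dictory]] = [
    ("normal",    {"Filename": "n1", "e_type": 2, "e_machine": 62, "e_shnum": 28, "e_phnum": 9}),
    ("normal",    {"Filename": "n2", "e_type": 2, "e_machine": 62, "e_shnum": 29, "e_phnum": 9}),
    ("normal",    {"Filename": "n3", "e_type": 3, "e_machine": 62, "e_shnum": 28, "e_phnum": 9}),
    ("malicious", {"Filename": "m1", "e_type": 2, "e_machine": 62, "e_shnum": 0,  "e_phnum": 2}),
    ("malicious", {"Filename": "m2", "e_type": 2, "e_machine": 62, "e_shnum": 0,  "e_phnum": 2}),
    ("malicious", {"Filename": "m3", "e_type": 2, "e_machine": 40, "e_shnum": 0,  "e_phnum": 2}),
]
MIN_SUPPORT = 0.3   # chosen for the small constructed library; the text allows 0.2 to 1.0


def matches(rule: ItemSet, d: Dictory) -> bool:
    """True when every key-value pair of the rule is present in the dictionary."""
    return all(d.get(k) == v for k, v in rule)


def support(items: ItemSet, dicts: List[Dictory]) -> float:
    """Occurrence frequency of an element: fraction of the dictionary list that contains it."""
    return sum(matches(items, d) for d in dicts) / len(dicts) if dicts else 0.0


def feature_validity(normal: List[Dictory], malicious: List[Dictory]) -> Dict[str, int]:
    """Step 4 validity U = |P ∩ Q|: number of values of F_i shared by the normal set P and the malicious set Q."""
    keys = {k for d in normal + malicious for k in d if k != "Filename"}
    return {k: len({d[k] for d in normal if k in d} & {d[k] for d in malicious if k in d})
            for k in keys}


def mine_frequent_sets(dicts: List[Dictory], min_support: float) -> Set[ItemSet]:
    """Steps 51-58: build C_1, C_2, ..., C_N level by level and return C = C_1 ∪ ... ∪ C_N."""
    c1 = {frozenset([(k, v)]) for d in dicts for k, v in d.items() if k != "Filename"}
    levels: List[Set[ItemSet]] = []
    current = {s for s in c1 if support(s, dicts) >= min_support}        # steps 51/52
    k = 1
    while current:                                                        # step 57: stop at empty C_k
        levels.append(current)
        k += 1
        candidates = set()
        for a, b in combinations(current, 2):                             # steps 53/55: pairwise joins
            c = a | b
            if len(c) == k and len({key for key, _ in c}) == k:           # k pairs with k distinct keys
                candidates.add(c)
        current = {c for c in candidates
                   if support(c, dicts) >= min_support                    # steps 52/54/56: support
                   and all(frozenset(s) in levels[-1] for s in combinations(c, k - 1))}  # subsets in C_{k-1}
    return set().union(*levels)                                           # step 58


def build_rule_base(samples: List[Tuple[str, Dictory]], min_support: float) -> Tuple[Set[ItemSet], Set[ItemSet]]:
    """Step 6: white-list = elements never seen in malicious files, black-list = never seen in normal files."""
    dicts = [d for _, d in samples]
    normal = [d for label, d in samples if label == "normal"]
    malicious = [d for label, d in samples if label == "malicious"]
    C = mine_frequent_sets(dicts, min_support)
    white = {c for c in C if support(c, malicious) == 0}
    black = {c for c in C if support(c, normal) == 0}
    return white, black


def classify(feats: Dictory, white: Set[ItemSet], black: Set[ItemSet]) -> str:
    """Match one feature dictionary against the rule base (black-list checked first: an assumption)."""
    if any(matches(r, feats) for r in black):
        return "malicious"
    if any(matches(r, feats) for r in white):
        return "normal"
    return "unknown"


if __name__ == "__main__":
    white_rules, black_rules = build_rule_base(SAMPLES, MIN_SUPPORT)
    print("black-list rules:", sorted(sorted(r) for r in black_rules))
    print("white-list rules:", sorted(sorted(r) for r in white_rules))
    print(classify({"e_type": 2, "e_machine": 62, "e_shnum": 0, "e_phnum": 2}, white_rules, black_rules))
```

One consequence of measuring support over the whole dictionary list is worth checking before adopting the 0.9 preferred in claim 5: a white-list rule has zero malicious occurrences, so its support is at most the normal share of the library, and it can only survive a threshold of 0.9 if normal files make up at least 90% of the samples (and symmetrically for black-list rules). The support threshold therefore has to be chosen together with the class balance of the sample library.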
It should be noted that the purpose of publishing the embodiment is to help further understanding of the present invention, but those skilled in the art will understand that various substitutions and modifications are possible without departing from the spirit and scope of the invention and the appended claims. The invention should therefore not be limited to the content disclosed in the embodiment; the scope of protection of the invention is defined by the claims.

Claims (7)

1. A malware static detection rule extraction method based on ELF file characteristics, comprising the following stages:
Stage one: parse the ELF file sample library and extract its static structure features, where the ELF file sample library contains normal ELF file samples and malicious ELF file samples;
by parsing the ELF files in the sample library, respectively extract the static structure attribute content of the ELF header, the static structure attribute content of the ELF program header table and the static structure attribute content of the ELF section header table;
Stage two: automatically extract static detection rules, comprising the following steps:
Step 4: perform feature processing on the static structure attributes extracted from the ELF files in the sample library, carrying out the following operations:
41) simplify the static structure attributes by feature reduction, removing redundant features to obtain the reduced feature set;
42) based on the reduced feature set, generate one feature dictionary for each ELF file in the ELF sample library, the feature dictionary having the structure Dictory_j = {Filename: filename, F_1: Value_1, …, F_i: Value_i, …, F_n: Value_n}, where j ∈ [1, m], i ∈ [1, n], and m is the total number of ELF files contained in the ELF sample library;
the feature dictionary generated for each ELF file consisting of the ELF filename key-value pair Filename: filename and the feature key-value pair set {F_1: Value_1, …, F_i: Value_i, …, F_n: Value_n} contained in that ELF file, the feature key-value pair set consisting of n feature key-value pairs, where the feature key F_i is the name of a static structure attribute extracted from the ELF file and the feature value Value_i is the content of attribute F_i in that ELF file;
43) combine the feature dictionaries of all ELF files in the ELF sample library into a dictionary list, expressed as [Dictory_1, …, Dictory_j, …, Dictory_m], where Dictory_j stands for the feature dictionary {Filename: filename, F_1: Value_1, …, F_i: Value_i, …, F_n: Value_n} of the j-th ELF file;
Step 5: based on the processed static structure attributes, automatically extract the detection rules contained in the feature dictionary list, the steps being as follows:
51) first find all the distinct feature key-value pairs {F_i: Value_i} in the feature dictionary list, form the one-item feature key-value pair set C_1 = {F_1: Value_1, F_2: Value_2, F_3: Value_3, …}, and count the frequency with which each element {F_i: Value_i} of C_1 occurs in the feature dictionary list;
52) set a minimum support threshold; if the occurrence frequency of an element of C_1 is below the minimum support threshold, remove that element, thereby simplifying the one-item feature key-value pair set C_1;
53) combine all elements of the C_1 obtained in step 52) pairwise into two-item feature key-value pairs {F_i: Value_i, F_j: Value_j} to obtain the two-item feature key-value pair set C_2, and count the frequency with which each element {F_i: Value_i, F_j: Value_j} of C_2 occurs in the feature dictionary list;
54) if the occurrence frequency of an element of C_2 is below the minimum support threshold, remove that element, thereby simplifying the two-item feature key-value pair set C_2;
55) combine all elements of C_2 pairwise into three-item feature key-value pairs {F_i: Value_i, F_j: Value_j, F_k: Value_k} to obtain the three-item feature key-value pair set C_3, and count the frequency with which each element {F_i: Value_i, F_j: Value_j, F_k: Value_k} of C_3 occurs in the feature dictionary list;
56) if the occurrence frequency of an element of C_3 is below the minimum support threshold, or a subset of that element does not belong to C_1 or C_2, remove that element, thereby simplifying C_3;
57) recursively generate the N-item feature key-value pair set C_n, stopping when the generated C_n is the empty set;
58) merge the one-item feature key-value pair set C_1, the two-item feature key-value pair set C_2 and so on up to the N-item feature key-value pair set C_n into the final feature key-value pair set C, i.e. C = C_1 ∪ C_2 ∪ … ∪ C_n;
Step 6: screen the feature key-value pair set C, retaining the elements whose occurrence frequency in the malicious ELF files of the sample library is 0 as white-list rules and the elements whose occurrence frequency in the normal ELF files of the sample library is 0 as black-list rules; generate the static detection rules usable for ELF file detection; and thereby form the static detection rule base;
through the above steps, automatic extraction of malware static detection rules based on ELF file characteristics is achieved.
2. The malware static detection rule extraction method based on ELF file characteristics according to claim 1, characterized in that the static structure attribute content recorded in the ELF header and parsed according to the ELF file format includes the attributes e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_ehsize, e_phnum and e_shnum.
3. The malware static detection rule extraction method based on ELF file characteristics according to claim 1, characterized in that the program header table parsed according to the ELF file format includes PHDR, LOAD, DYNAMIC and EXIDX, and the static structure attribute content recorded in the program header table includes the attributes p_type, p_offset, p_filesz, p_memsz, p_flags and p_align.
4. The malware static detection rule extraction method based on ELF file characteristics according to claim 1, characterized in that the section header table parsed according to the ELF file format includes dynsym, dynstr, rel, plt, text, rodata, dynamic, data and bss, and the static structure attribute content recorded in the section header table includes sh_type, sh_flags, sh_addr, sh_offset, sh_size and sh_addralign.
5. The malware static detection rule extraction method based on ELF file characteristics according to claim 1, characterized in that the minimum support threshold of step 52) is set to 0.2 to 1.0, and preferably to 0.9.
6. The malware static detection rule extraction method based on ELF file characteristics as described in claim 1, characterized in that static detection of malware using the extracted static detection rules includes the following steps:
1) match the ELF file to be detected against the rules in the static detection rule base;
2) an ELF file that meets a blacklist rule is judged to be a malicious sample;
3) an ELF file that meets a whitelist rule is judged to be a normal sample.
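The parsing of claims 2 to 4 and the matching step of claim 6 together, as an added example that is not the patent's own code: it reads the ELF header, program header table and section header table of a little-endian ELF64 image into an {attribute: value} feature dictionary and then matches that dictionary against a blacklist/whitelist rule base. The image built by build_sample_elf() and the rule values in BLACKLIST and WHITELIST are constructed for illustration; keying program header attributes by segment type name and section header attributes by section index (no string table is resolved) is this example's convention, not the patent's. Offsets are bounds-checked so that a crafted header cannot push the parser outside the file.

```python
"""Parse the ELF header, program header table and section header table into the static
structure attributes named in claims 2-4, then apply the claim 6 matching step against a
blacklist/whitelist rule base. Added example, not the patent's code. The ELF image built by
build_sample_elf() and the rule base are constructed for illustration (ELF64, little-endian)."""
import struct

ELF64_EHDR = "<16sHHIQQQIHHHHHH"  # e_ident e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
ELF64_PHDR = "<IIQQQQQQ"          # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
ELF64_SHDR = "<IIQQQQIIQQ"        # sh_name sh_type sh_flags sh_addr sh_offset sh_size sh_link sh_info sh_addralign sh_entsize
PT_NAMES = {1: "LOAD", 2: "DYNAMIC", 6: "PHDR", 0x70000001: "EXIDX"}  # segment types named in claim 3


def build_sample_elf(e_type, p_flags, sh_flags):
    """Construct a minimal ELF64 image: header, one LOAD program header, two section headers."""
    phoff, shoff = 64, 64 + 56
    e_ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9  # ELFCLASS64, little-endian, version 1
    ehdr = struct.pack(ELF64_EHDR, e_ident, e_type, 62, 1, 0x401000, phoff, shoff,
                       0, 64, 56, 1, 64, 2, 0)
    phdr = struct.pack(ELF64_PHDR, 1, p_flags, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)
    shdr_null = struct.pack(ELF64_SHDR, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    shdr_text = struct.pack(ELF64_SHDR, 1, 1, sh_flags, 0x401000, 0x1000, 0x200, 0, 0, 16, 0)
    return ehdr + phdr + shdr_null + shdr_text


def extract_features(data):
    """Return an {attribute: value} feature dictionary for one ELF file. Program header
    attributes are keyed by segment type name and section header attributes by section index
    (no string table is resolved in this example). Table offsets are bounds-checked so a
    malformed header cannot make the parser read outside the file."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (_, e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, _, e_ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum, _) = struct.unpack_from(ELF64_EHDR, data)
    feats = {"e_type": e_type, "e_machine": e_machine, "e_version": e_version,
             "e_entry": e_entry, "e_phoff": e_phoff, "e_shoff": e_shoff,
             "e_ehsize": e_ehsize, "e_phnum": e_phnum, "e_shnum": e_shnum}
    if e_phentsize < 56 or e_phoff + e_phnum * e_phentsize > len(data):
        raise ValueError("program header table lies outside the file")
    if e_shentsize < 64 or e_shoff + e_shnum * e_shentsize > len(data):
        raise ValueError("section header table lies outside the file")
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, p_memsz, p_align = struct.unpack_from(
            ELF64_PHDR, data, e_phoff + i * e_phentsize)
        seg = PT_NAMES.get(p_type, hex(p_type))
        feats.update({f"p_type[{seg}]": p_type, f"p_offset[{seg}]": p_offset,
                      f"p_filesz[{seg}]": p_filesz, f"p_memsz[{seg}]": p_memsz,
                      f"p_flags[{seg}]": p_flags, f"p_align[{seg}]": p_align})
    for i in range(e_shnum):
        _, sh_type, sh_flags, sh_addr, sh_offset, sh_size, _, _, sh_addralign, _ = \
            struct.unpack_from(ELF64_SHDR, data, e_shoff + i * e_shentsize)
        feats.update({f"sh_type[{i}]": sh_type, f"sh_flags[{i}]": sh_flags,
                      f"sh_addr[{i}]": sh_addr, f"sh_offset[{i}]": sh_offset,
                      f"sh_size[{i}]": sh_size, f"sh_addralign[{i}]": sh_addralign})
    return feats


# Constructed rule base in the form step 6 produces: each rule is a set of (attribute, value)
# pairs that must all hold. The values are illustrative, not rules taken from the patent.
BLACKLIST = [frozenset({("p_flags[LOAD]", 7), ("sh_flags[1]", 7)})]
WHITELIST = [frozenset({("e_type", 3), ("p_flags[LOAD]", 5)})]


def classify(feats, blacklist=BLACKLIST, whitelist=WHITELIST):
    """Claim 6: match the feature dictionary against the rule base; a blacklist hit means
    malicious, a whitelist hit means normal, otherwise the file stays undecided."""
    def matches(rule):
        return all(feats.get(attr) == value for attr, value in rule)
    if any(matches(r) for r in blacklist):
        return "malicious"
    if any(matches(r) for r in whitelist):
        return "normal"
    return "unknown"


if __name__ == "__main__":
    for args in [(2, 7, 7), (3, 5, 6), (2, 5, 6)]:
        print(args, "->", classify(extract_features(build_sample_elf(*args))))
```

The feature dictionary returned by extract_features() is the same shape as the entries of the feature dictionary list that the rule extraction operates on, so the same parser serves both the training side (building the sample database) and the detection side (claim 6). Note that the claim text leaves the case where a file matches neither list undecided; this example reports it as "unknown" rather than forcing a verdict.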
7. The malware static detection rule extraction method based on ELF file characteristics as described in claim 1, characterized in that the method is used to realize a malware static detection rule automatic extraction system based on ELF file characteristics; the system includes: an ELF document analysis subsystem and a static detection rule base generation subsystem;
the ELF document analysis subsystem includes: an ELF header table static structure attribute extraction module, a program header table static structure attribute extraction module, and a section header table static structure attribute extraction module;
the ELF header table static structure attribute extraction module is used to parse, according to the ELF file format, the static structure attribute content recorded in the ELF header table; the program header table static structure attribute extraction module is used to parse, according to the ELF file format, the static structure attribute content recorded in the program header table; the section header table static structure attribute extraction module is used to parse, according to the ELF file format, the static structure attribute content recorded in the section header table;
the static detection rule base generation subsystem includes: a static structure attribute feature processing module, a detection rule extraction module, and a detection rule base generation module; the static structure attribute feature processing module is used to process the static structure attribute features for validity; the detection rule extraction module is used to automatically extract the feature key-value pair set from the static structure attributes; the detection rule base generation module is used to screen the feature key-value pair set and generate a static detection rule base usable for ELF file detection.
CN201910212116.4A 2019-03-20 2019-03-20 Static detection rule extraction method and detection method based on ELF file characteristics Expired - Fee Related CN110008701B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910212116.4A CN110008701B (en) 2019-03-20 2019-03-20 Static detection rule extraction method and detection method based on ELF file characteristics

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910212116.4A CN110008701B (en) 2019-03-20 2019-03-20 Static detection rule extraction method and detection method based on ELF file characteristics

Publications (2)

Publication Number Publication Date
CN110008701A true CN110008701A (en) 2019-07-12
CN110008701B CN110008701B (en) 2020-11-03

Family

ID=67167480

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910212116.4A Expired - Fee Related CN110008701B (en) 2019-03-20 2019-03-20 Static detection rule extraction method and detection method based on ELF file characteristics

Country Status (1)

Country Link
CN (1) CN110008701B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111800409A (en) * 2020-06-30 2020-10-20 杭州数梦工场科技有限公司 Interface attack detection method and device
CN113378162A (en) * 2020-02-25 2021-09-10 深信服科技股份有限公司 Method and device for checking executable and linkable format files and storage medium
CN115309785A (en) * 2022-08-08 2022-11-08 北京百度网讯科技有限公司 File rule engine library generation method, file information detection method, device and equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102360408A (en) * 2011-09-28 2012-02-22 国家计算机网络与信息安全管理中心 Detecting method and system for malicious codes
CN105138913A (en) * 2015-07-24 2015-12-09 四川大学 Malware detection method based on multi-view ensemble learning
CN107832609A (en) * 2017-09-25 2018-03-23 暨南大学 Android malware detection method and system based on authority feature
CN109299609A (en) * 2018-08-08 2019-02-01 北京奇虎科技有限公司 A kind of ELF file test method and device

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113378162A (en) * 2020-02-25 2021-09-10 深信服科技股份有限公司 Method and device for checking executable and linkable format files and storage medium
CN113378162B (en) * 2020-02-25 2023-11-07 深信服科技股份有限公司 Method, device and storage medium for checking executable and linkable format files
CN111800409A (en) * 2020-06-30 2020-10-20 杭州数梦工场科技有限公司 Interface attack detection method and device
CN111800409B (en) * 2020-06-30 2023-04-25 杭州数梦工场科技有限公司 Interface attack detection method and device
CN115309785A (en) * 2022-08-08 2022-11-08 北京百度网讯科技有限公司 File rule engine library generation method, file information detection method, device and equipment

Also Published As

Publication number Publication date
CN110008701B (en) 2020-11-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20201103