CN110008701A - Static detection Rules extraction method and detection method based on ELF file characteristic - Google Patents
Static detection rule extraction method and detection method based on ELF file characteristics
- Publication number: CN110008701A (CN 110008701 A); application number CN201910212116.4A
- Authority: CN (China)
- Prior art keywords: value, elf, elf file, feature, static
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06F16/254: Extract, transform and load [ETL] procedures, e.g. ETL data flows in data warehouses (under G06F16/00 Information retrieval; database structures therefor; file system structures therefor; G06F16/20 of structured data, e.g. relational data; G06F16/25 integrating or interfacing systems involving database management systems)
- G06F21/562: Static detection (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50 monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems; G06F21/55 detecting local intrusion or implementing counter-measures; G06F21/56 computer malware detection or handling, e.g. anti-virus arrangements)
Abstract
The invention discloses a static detection rule extraction method and a static detection method based on ELF file characteristics. The ELF files in a sample library are parsed, and the static structure attribute content of the ELF header, of the program header table and of the section header table is extracted from each file; the detection rules contained in the resulting list of feature dictionaries are then extracted automatically. The system comprises an ELF file parsing subsystem and a static detection rule base generation subsystem. Starting from an ELF file sample library that contains both normal and malicious files, the invention automatically extracts the static detection rules present in ELF files on the Linux platform and uses those rules to detect software on the Linux platform that contains malicious ELF files. It addresses the low efficiency of extracting detection rules by hand and can be applied to building static detection rule bases for, and detecting, ELF files on the Linux platform.
Description
Technical field
The present invention relates to the field of computer security, and in particular to a static detection rule extraction method, a rule base construction method, a device and a static detection method based on ELF file characteristics.
Background technique
Linux is an open-source operating system derived from Unix. Today the great majority of servers run some version of the Linux operating system, and while these systems serve users they have increasingly attracted the attention of attackers. Because the system is open, vulnerabilities in Linux are steadily exposed; as Linux receives more attention its security problems grow with it, and the number of Linux-based malware samples has risen sharply. ELF (Executable and Linkable Format) is a standard file format for executables, object files, shared libraries and core dumps, and it is the most important executable file format on the Linux operating system. As the security problems of Linux keep surfacing, software containing malicious ELF files is produced on the Linux platform in large quantities, yet the industry lacks detection rules for malicious ELF files that could be used to rapidly detect malicious software on the Linux platform at scale.
Current malware detection is mainly rule-based automated detection, and the rules fall into dynamic rules and static rules. Dynamic rules mostly describe the malicious file operations, network connections and other behaviour that the malware exhibits while it executes, but detection with them is often too slow. Static rules mostly describe special strings, special functions, special keywords, file hashes and the like found in the malware's code; detection based on static rules is fast and accurate. Automatically generating static detection rules for malicious ELF files and building a static rule base for malicious samples would allow malware on the Linux platform to be detected and removed quickly. At present, however, static detection rules are mostly extracted by hand, and the industry lacks an effective solution for automatically extracting static detection rules from large numbers of normal and malicious ELF files.
Summary of the invention
To overcome the above deficiencies of the prior art, the present invention provides a malware static detection rule extraction method and device based on ELF file characteristics. Starting from an ELF file sample library that contains both normal and malicious files, it automatically extracts the static detection rules present in ELF files on the Linux platform, and then detects software on the Linux platform that contains malicious ELF files against those static detection rules.
The present invention provides a malware static detection rule extraction method and device based on ELF file characteristics.
The detection rule extraction method comprises the following stages:
Stage one: parse the ELF file sample library and extract its static structure features. The ELF file sample library contains both normal ELF file samples and malicious ELF file samples.
Stage two: automatically generate static detection rules.
Stage one comprises the following steps:
Step 1: parse each ELF file in the sample library and extract the static structure attribute content of the ELF header (ELF Header).
Step 2: parse each ELF file in the sample library and extract the static structure attribute content of the program header table (Program Header).
Step 3: parse each ELF file in the sample library and extract the static structure attribute content of the section header table (Section Header).
Stage two comprises the following steps:
Step 4: perform feature processing on the static structure attributes extracted from the ELF files in the sample library, as follows:
41) Simplify the static structure attributes by feature reduction: keep the static structure attribute features that are effective for telling normal ELF files from malicious ELF files and remove the redundant features, giving the reduced feature set.
For example, if the values Value_i that some static structure attribute F_i takes in normal ELF files and in malicious ELF files are much alike, that feature is of no use for identifying malicious ELF files. The validity of every feature is computed and the redundant features of low validity are removed.
42) Based on the reduced feature set, generate one feature dictionary for each ELF file in the ELF sample library. For example, if the ELF sample library contains m ELF files, the feature dictionary generated for the j-th ELF file has the structure
Dictory_j = {Filename: filename, F_1: Value_1, …, F_i: Value_i, …, F_n: Value_n}, where j ∈ [1, m] and i ∈ [1, n].
The feature dictionary generated for each ELF file consists of the file-name key-value pair Filename: filename and the set of feature key-value pairs {F_1: Value_1, …, F_i: Value_i, …, F_n: Value_n} contained in that ELF file. The feature key-value pair set consists of n feature key-value pairs; the feature key F_i is the name of a static structure attribute extracted from the ELF file in steps 1, 2 and 3, and the feature value Value_i is the content of attribute F_i in that ELF file.
Further, the feature dictionaries of all ELF files in the ELF sample library are combined into the dictionary list [Dictory_1, …, Dictory_j, …, Dictory_m], where Dictory_j is the feature dictionary {Filename: filename, F_1: Value_1, …, F_i: Value_i, …, F_n: Value_n} of the j-th ELF file and m is the total number of ELF files in the ELF sample library.
Step 5: based on the processed static structure attributes, automatically extract the detection rules contained in the feature dictionary list. The specific steps are as follows:
51) First find all distinct feature key-value pairs {F_i: Value_i} in the feature dictionary list, form the one-item feature key-value pair set C_1 = {F_1: Value_1, F_2: Value_2, F_3: Value_3, …}, and count how frequently each element {F_i: Value_i} of C_1 occurs in the feature dictionary list.
52) Set a minimum support threshold (for example 0.9) and simplify C_1 as follows: if the frequency of occurrence of an element of C_1 is below the minimum support threshold (here, less than 0.9), remove that element.
53) Combine the elements of C_1 pairwise into two-item feature key-value pairs {F_i: Value_i, F_j: Value_j}, forming the two-item feature key-value pair set C_2, and count how frequently each element {F_i: Value_i, F_j: Value_j} of C_2 occurs in the feature dictionary list.
54) Simplify C_2 in the same way: if the frequency of occurrence of an element of C_2 is below the minimum support threshold (less than 0.9), remove that element.
55) Combine the elements of C_2 into three-item feature key-value pairs {F_i: Value_i, F_j: Value_j, F_k: Value_k}, forming the three-item feature key-value pair set C_3, and count how frequently each element {F_i: Value_i, F_j: Value_j, F_k: Value_k} of C_3 occurs in the feature dictionary list.
56) Simplify C_3 as follows: if the frequency of occurrence of an element of C_3 is below the minimum support threshold (less than 0.9), or a subset of the element does not belong to C_1 or C_2, remove that element.
57) Continue in this way to generate the N-item feature key-value pair sets C_n recursively, stopping when the generated C_n is the empty set.
58) Merge the one-item feature key-value pair set C_1, the two-item set C_2 and so on up to the N-item set C_n obtained above into the final feature key-value pair set C, i.e. C = C_1 ∪ C_2 ∪ … ∪ C_n.
Step 6: screen the feature key-value pair set C to produce the static detection rules usable for detecting ELF files, forming the static detection rule base.
Specifically, every element of C is screened: the elements whose frequency of occurrence in the malicious ELF files of the sample library is 0 are retained as whitelist rules, and the elements whose frequency of occurrence in the normal ELF files of the sample library is 0 are retained as blacklist rules; the blacklist and whitelist rules together form the static detection rule base. Finally, an ELF file to be examined is matched against the rules in the static detection rule base: an ELF file that matches a blacklist rule is judged to be a malicious sample, and an ELF file that matches a whitelist rule is judged to be a normal sample.
Using the above static detection rule base construction method based on ELF file characteristics, the present invention also provides a static detection rule base construction device based on ELF file characteristics, comprising the following subsystems:
Subsystem one: the ELF file parsing subsystem.
Subsystem two: the static detection rule base generation subsystem.
Subsystem one comprises the following modules:
Module one, the ELF header table static structure attribute extraction module, which parses, according to the ELF file format, the static structure attribute content recorded in the ELF header, including the attributes e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_ehsize, e_phnum and e_shnum;
Module two, the program header table static structure attribute extraction module, which parses, according to the ELF file format, the static structure attribute content recorded in program header table entries such as PHDR, LOAD, DYNAMIC and EXIDX, including the attributes p_type, p_offset, p_filesz, p_memsz, p_flags and p_align;
Module three, the section header table static structure attribute extraction module, which parses, according to the ELF file format, the static structure attribute content recorded in section header table entries such as dynsym, dynstr, rel, plt, text, rodata, dynamic, data and bss, including sh_type, sh_flags, sh_addr, sh_offset, sh_size and sh_addralign.
Subsystem two comprises the following modules:
Module four, the static structure attribute feature processing module, which processes the static structure attribute features on the basis of their validity and removes the features of low validity;
Module five, the detection rule extraction module, which automatically extracts the feature key-value pair set contained in the feature dictionary list from the processed static structure attributes;
Module six, the detection rule base generation module, which screens the feature key-value pair set to produce the static detection rules usable for detecting ELF files and forms the static detection rule base.
Beneficial effects of the present invention:
The present invention provides a static detection rule base construction method and device based on ELF file characteristics. From an ELF file sample library that contains both normal and malicious files it automatically extracts the static detection rules present in ELF files on the Linux platform, and it then detects software on the Linux platform that contains malicious ELF files against those static detection rules. With the technical scheme of the invention, static structure attribute features can be extracted from the normal and malicious ELF files of an existing sample library and detection rules for malicious ELF files generated automatically, which resolves the low efficiency of extracting detection rules by hand and can be applied to building a static detection rule base for ELF files on the Linux platform.
Detailed description of the invention
Fig. 1 is a flow chart of the detection rule extraction method of the present invention.
Fig. 2 is the system architecture diagram of the detection rule extraction device of the present invention.
Specific embodiment
The present invention is further described below with reference to the drawings and specific embodiments.
A specific embodiment of the invention is as follows:
Stage one: parse the ELF file sample library and extract its static structure features.
Stage two: automatically generate static detection rules.
Stage one comprises the following steps:
Step 1: build a sample library {filename_1, …, filename_j, …, filename_m} containing m ELF files; the file types in the sample library include normal samples and malicious samples. Parse each ELF file in the sample library and extract the static structure attribute content of the ELF header (ELF Header). The extracted features include, but are not limited to:
the e_type attribute of the ELF header, which gives the file type;
the e_machine attribute of the ELF header, which gives the architecture required to run the file;
the e_version attribute of the ELF header, which gives the file version;
the e_entry attribute of the ELF header, which gives the program entry address;
the e_phoff attribute of the ELF header, which records the offset of the program header table (Program Header);
the e_shoff attribute of the ELF header, which records the offset of the section header table (Section Header);
the e_ehsize attribute of the ELF header, which records the size of the ELF header itself;
the e_phnum attribute of the ELF header, which records the number of entries in the program header table;
the e_shnum attribute of the ELF header, which records the number of entries in the section header table.
Step 2: parse each ELF file in the sample library and extract the static structure attribute content of program header table (Program Header) entries such as PHDR, LOAD, DYNAMIC and EXIDX. The extracted features include, but are not limited to:
the p_type attribute of a program header entry, which records the segment type;
the p_offset attribute, which records the offset of the segment's first byte in the file;
the p_vaddr attribute, which records the virtual address of the segment's first byte in memory;
the p_filesz attribute, which records the length of the segment in the file;
the p_memsz attribute, which records the length of the segment in memory;
the p_flags attribute, which records the segment's flag bits;
the p_align attribute, which records how the segment is aligned in the file and in memory.
Step 3: parse each ELF file in the sample library and extract the static structure attribute content of section header table (Section Header) entries such as dynsym, dynstr, rel, plt, text, rodata, dynamic, data and bss. The extracted features include, but are not limited to:
the sh_type attribute of a section header entry, which records the section type;
the sh_flags attribute, which records the section's attribute flags;
the sh_addr attribute, which records the address of the section in the memory image (relative to the load base);
the sh_offset attribute, which records the byte offset of the section from the start of the file;
the sh_size attribute, which records the size of the section;
the sh_addralign attribute, which records the address alignment constraint of the section.
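The three extraction steps above, as an added example that is not the patent's code: a parser that reads the ELF header, program header table and section header table fields listed in Steps 1 to 3 with Python's struct module, for both ELF32 and ELF64 and both byte orders, and refuses header tables that run past the end of the file, which corrupted or deliberately malformed samples commonly have. It also resolves section names through .shstrtab, since the text identifies sections (dynsym, dynstr, text, …) by name. The field names are those of the ELF specification; the PT_NAMES table, the is_well_formed helper and the constructed ELF64 image in build_sample are assumptions made for this example, not data from the page.

```python
"""Added example (not the patent's code): a parser for the ELF header, program
header table and section header table fields named in Steps 1 to 3, exercised
on a constructed minimal ELF64 image. Real samples would be read from disk."""
import struct

# Segment type names used in the text; PT_ARM_EXIDX is the ARM-specific EXIDX
# entry. Unknown types are kept as numbers so no feature value is lost.
PT_NAMES = {1: "LOAD", 2: "DYNAMIC", 3: "INTERP", 4: "NOTE", 6: "PHDR",
            7: "TLS", 0x70000001: "EXIDX"}

EHDR_KEYS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
             "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
             "e_shnum", "e_shstrndx")
SHDR_KEYS = ("sh_name", "sh_type", "sh_flags", "sh_addr", "sh_offset", "sh_size",
             "sh_link", "sh_info", "sh_addralign", "sh_entsize")


def parse_elf(data: bytes) -> dict:
    """Return {'header': {...}, 'phdrs': [...], 'shdrs': [...]} for one ELF image.
    Handles ELF32/ELF64 and both byte orders; rejects tables that run past EOF."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                     # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little, 2 = big endian
    if is64:
        ehdr_fmt, shdr_fmt = end + "HHIQQQIHHHHHH", end + "IIQQQQIIQQ"
        phdr_fmt = end + "IIQQQQQQ"
        phdr_keys = ("p_type", "p_flags", "p_offset", "p_vaddr", "p_paddr",
                     "p_filesz", "p_memsz", "p_align")
    else:                                   # ELF32 orders the phdr fields differently
        ehdr_fmt, shdr_fmt = end + "HHIIIIIHHHHHH", end + "IIIIIIIIII"
        phdr_fmt = end + "IIIIIIII"
        phdr_keys = ("p_type", "p_offset", "p_vaddr", "p_paddr", "p_filesz",
                     "p_memsz", "p_flags", "p_align")
    if len(data) < 16 + struct.calcsize(ehdr_fmt):
        raise ValueError("truncated ELF header")
    hdr = dict(zip(EHDR_KEYS, struct.unpack_from(ehdr_fmt, data, 16)))

    def table(off, num, entsize, fmt, keys):
        need = struct.calcsize(fmt)
        if num and (entsize < need or off + num * entsize > len(data)):
            raise ValueError("header table runs past end of file")
        return [dict(zip(keys, struct.unpack_from(fmt, data, off + i * entsize)))
                for i in range(num)]

    phdrs = table(hdr["e_phoff"], hdr["e_phnum"], hdr["e_phentsize"], phdr_fmt, phdr_keys)
    for ph in phdrs:
        ph["p_type"] = PT_NAMES.get(ph["p_type"], ph["p_type"])
    # e_shnum == 0 (section headers stripped, typical of packed samples) yields [].
    shdrs = table(hdr["e_shoff"], hdr["e_shnum"], hdr["e_shentsize"], shdr_fmt, SHDR_KEYS)
    # Resolve section names through .shstrtab only when e_shstrndx is sane.
    idx = hdr["e_shstrndx"]
    base = shdrs[idx]["sh_offset"] if 0 < idx < len(shdrs) else None
    for sh in shdrs:
        start = base + sh["sh_name"] if base is not None else -1
        stop = data.find(b"\0", start) if 0 <= start < len(data) else -1
        sh["name"] = data[start:stop].decode("ascii", "replace") if stop != -1 else ""
    return {"header": hdr, "phdrs": phdrs, "shdrs": shdrs}


def is_well_formed(data: bytes) -> bool:
    """True when parse_elf accepts the image; False on any structural error."""
    try:
        parse_elf(data)
        return True
    except ValueError:
        return False


def build_sample() -> bytes:
    """Constructed ELF64 little-endian image, not a real binary: ELF header, two
    program headers (LOAD, DYNAMIC), a .shstrtab body and three section headers
    (NULL, .text, .shstrtab). Segment offsets point into a hypothetical layout."""
    shstrtab = b"\0.text\0.shstrtab\0"
    phoff, shoff = 64, 200
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
            + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x401000, phoff, shoff,
                          0, 64, 56, 2, 64, 3, 2))
    phdrs = struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, 0x188, 0x188, 0x1000)
    phdrs += struct.pack("<IIQQQQQQ", 2, 6, 0x300, 0x400300, 0x400300, 0x40, 0x40, 8)
    strtab_off = phoff + len(phdrs)                       # 176
    shdrs = bytes(64)                                     # SHT_NULL entry
    shdrs += struct.pack("<IIQQQQIIQQ", 1, 1, 0x6, 0x401000, 0x1000, 0x20, 0, 0, 16, 0)
    shdrs += struct.pack("<IIQQQQIIQQ", 7, 3, 0, 0, strtab_off, len(shstrtab), 0, 0, 1, 0)
    body = ehdr + phdrs + shstrtab
    return body + bytes(shoff - len(body)) + shdrs


if __name__ == "__main__":
    parsed = parse_elf(build_sample())
    print({k: parsed["header"][k] for k in ("e_type", "e_machine", "e_entry", "e_phnum", "e_shnum")})
    for ph in parsed["phdrs"]:
        print(ph["p_type"], hex(ph["p_offset"]), hex(ph["p_vaddr"]), ph["p_flags"])
    for sh in parsed["shdrs"]:
        print(sh["name"] or "(null)", sh["sh_type"], hex(sh["sh_addr"]), sh["sh_size"])
```

The returned dictionaries carry exactly the attribute names the text lists (e_type, e_machine, …, p_type, p_offset, …, sh_type, sh_flags, …), so each parsed file can be flattened directly into the feature key-value pairs of Step 4; the bounds checks matter because a sample library of malware will contain files whose e_phoff, e_shoff or e_shnum do not describe the bytes actually present.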
Stage two comprises the following steps:
Step 4: after features have been extracted from each ELF sample file in steps 1, 2 and 3, an original feature key-value pair set is formed for it. For example, after feature extraction the ELF file named filename_j yields the original feature key-value pair set {F_1: Value_1, …, F_i: Value_i, …, F_n: Value_n}, where F_i ∈ {e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_ehsize, e_phnum, e_shnum, p_type, p_offset, p_vaddr, p_filesz, p_memsz, p_flags, p_align, sh_type, sh_flags, sh_addr, sh_offset, sh_size, sh_addralign} and Value_i is the value of the corresponding attribute in that ELF file.
Feature processing is then performed on the original feature key-value pair sets extracted from the ELF files in the sample library. The original set is simplified by feature reduction: the static structure attribute features that are effective for telling normal ELF files from malicious ELF files are retained and the redundant features are removed. The feature reduction method is as follows.
If the values Value_i that some static structure attribute F_i takes in normal ELF files and in malicious ELF files are much alike, that feature is of no use for identifying malicious ELF files; the validity of every feature is computed and the redundant features of low validity are removed.
For example, suppose the sample library contains p normal samples and q malicious samples. The values taken by feature F_i in the p normal ELF files are represented by the set P = {F_i: Value_i1, F_i: Value_i2, …, F_i: Value_ij, …, F_i: Value_ip}, where F_i: Value_ij in P denotes the value of F_i in the j-th normal sample. The values taken by F_i in the q malicious ELF files are represented by the set Q = {F_i: Value_i1, F_i: Value_i2, …, F_i: Value_ij, …, F_i: Value_iq}, where F_i: Value_ij in Q denotes the value of F_i in the j-th malicious sample.
The validity of feature F_i is then U = |P ∩ Q|, the number of elements common to P and Q, that is, the number of values that F_i takes in both classes. A validity threshold is set at the same time and adjusted manually according to the validity scores of the features extracted from the ELF files in the sample library, and the features F_i that fail the validity threshold are removed. Since U counts values shared by normal and malicious files, a small U indicates a feature that separates the two classes well, and it is the features with large overlap that are discarded.
Based on the reduced feature set, one feature dictionary is generated for each ELF file in the sample library. The feature dictionary is written {Filename: filename, F_1: Value_1, …, F_i: Value_i, …, F_n: Value_n} and consists of the ELF file name Filename and the feature key-value pair set {F_1: Value_1, …, F_i: Value_i, …, F_n: Value_n} of that file. The feature key-value pair set consists of n feature key-value pairs; each key is the name of a static structure attribute extracted from the ELF file in steps 1, 2 and 3, and each value Value_i is the content of the corresponding attribute in that ELF file.
The feature dictionaries formed for the individual ELF files are combined into the feature dictionary list, whose structure is shown in the table below, where F_ji: Value_ji indicates that feature F_i takes the value Value_ji in file j:
Filename | Feature set
Filename: filename_1 | F_11: Value_11, …, F_1i: Value_1i, …, F_1n: Value_1n
Filename: filename_2 | F_21: Value_21, …, F_2i: Value_2i, …, F_2n: Value_2n
… | …
Filename: filename_j | F_j1: Value_j1, …, F_ji: Value_ji, …, F_jn: Value_jn
… | …
Step 5: automatically extract the detection rules contained in the processed feature dictionary list. The specific steps are as follows:
(1) First find all distinct feature key-value pairs in the feature dictionary list, form the one-item feature key-value pair set, and count how frequently each element of that set occurs in the feature dictionary list.
(2) Set a minimum support threshold (for example a value in the range 0.2 to 1.0, adjusted dynamically according to the feature distribution of the samples) and remove the elements of the one-item set whose frequency of occurrence is below the minimum support threshold.
(3) Combine the elements of the one-item set pairwise into two-item feature key-value pairs, forming the two-item feature key-value pair set, and count how frequently each element of the two-item set occurs in the feature dictionary list.
(4) Remove the elements of the two-item set whose frequency of occurrence is below the minimum support threshold.
(5) Combine the elements of the two-item set into three-item feature key-value pairs, forming the three-item feature key-value pair set, and count how frequently each element of that set occurs in the feature dictionary list.
(6) If the frequency of occurrence of an element of the three-item set is below the minimum support threshold, or a subset of the element belongs neither to the one-item set nor to the two-item set, remove that element.
(7) Continue in this way to generate the N-item feature key-value pair sets recursively, stopping when the generated N-item set is empty.
(8) Merge the one-item set, the two-item set and so on up to the N-item set obtained above into the final feature key-value pair set.
Step 6: screen the feature key-value pair set to produce the static detection rules usable for detecting ELF files, forming the static detection rule base.
Specifically, every element of the feature key-value pair set is screened: the elements whose frequency of occurrence in the malicious ELF files of the sample library is 0 are retained as whitelist rules, and the elements whose frequency of occurrence in the normal ELF files of the sample library is 0 are retained as blacklist rules; the blacklist and whitelist rules together form the static detection rule base, which completes the automated construction of the static detection rule base based on ELF file characteristics. Finally, an ELF file to be examined is matched against the rules in the static detection rule base: an ELF file that matches a blacklist rule is judged to be a malicious sample, and an ELF file that matches a whitelist rule is judged to be a normal sample.
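Steps 4 to 6 of the embodiment carried through in code, as an added example that is not the patent's implementation: the Step 4 validity score U = |P ∩ Q| per feature, the level-wise generation of C_1, C_2, … with a minimum support threshold and the subset check of step (6), the Step 6 split into blacklist and whitelist rules, and the final matching of an unknown file. The six feature dictionaries in SAMPLES are constructed for the example with made-up attribute values and labels; the support value of 0.5, the "blacklist wins" tie-break and the "unknown" verdict for a file matching neither list are assumptions, since the text does not specify them.

```python
"""Added example (not the patent's code): the Step 4 validity score, the Step 5
level-wise itemset mining and the Step 6 black/white-list screening, run over
constructed feature dictionaries. The labels and values are illustrative."""
from itertools import combinations

# Constructed feature dictionaries in the shape of Step 4, one per file, using
# a handful of the header attributes named in the text (values are made up).
SAMPLES = [
    {"Filename": "normal_1", "label": "normal",
     "features": {"e_type": 2, "e_machine": 62, "e_phnum": 9, "e_shnum": 29, "p_align": 4096}},
    {"Filename": "normal_2", "label": "normal",
     "features": {"e_type": 3, "e_machine": 62, "e_phnum": 9, "e_shnum": 31, "p_align": 4096}},
    {"Filename": "normal_3", "label": "normal",
     "features": {"e_type": 2, "e_machine": 62, "e_phnum": 9, "e_shnum": 27, "p_align": 4096}},
    {"Filename": "malicious_1", "label": "malicious",
     "features": {"e_type": 2, "e_machine": 62, "e_phnum": 2, "e_shnum": 0, "p_align": 4096}},
    {"Filename": "malicious_2", "label": "malicious",
     "features": {"e_type": 2, "e_machine": 40, "e_phnum": 2, "e_shnum": 0, "p_align": 4096}},
    {"Filename": "malicious_3", "label": "malicious",
     "features": {"e_type": 2, "e_machine": 62, "e_phnum": 3, "e_shnum": 0, "p_align": 4096}},
]


def feature_overlap(samples):
    """Step 4 validity U = |P ∩ Q| per feature: the number of distinct values the
    feature takes in both the normal and the malicious samples. A large U means
    the feature separates the classes poorly."""
    seen = {"normal": {}, "malicious": {}}
    for s in samples:
        for key, value in s["features"].items():
            seen[s["label"]].setdefault(key, set()).add(value)
    keys = set(seen["normal"]) | set(seen["malicious"])
    return {k: len(seen["normal"].get(k, set()) & seen["malicious"].get(k, set()))
            for k in keys}


def support(itemset, txns):
    """Fraction of feature dictionaries that contain every pair in itemset."""
    return sum(1 for t in txns if itemset <= t) / len(txns)


def mine_frequent_itemsets(feature_dicts, min_support):
    """Steps 51 to 58: C_1 from all distinct key-value pairs; each C_k from
    unions of two C_(k-1) members all of whose (k-1)-subsets survived; stop at
    the first empty level and return the union of all levels."""
    txns = [frozenset(f.items()) for f in feature_dicts]
    level = {frozenset([item]) for t in txns for item in t}
    level = {s for s in level if support(s, txns) >= min_support}
    result = set(level)
    while level:
        prev = level
        candidates = set()
        for a, b in combinations(list(prev), 2):
            u = a | b
            if len(u) == len(a) + 1 and all(
                    frozenset(sub) in prev for sub in combinations(u, len(a))):
                candidates.add(u)
        level = {c for c in candidates if support(c, txns) >= min_support}
        result |= level
    return result


def build_rules(samples, min_support):
    """Step 6: frequent itemsets never seen in a normal file become blacklist
    rules; those never seen in a malicious file become whitelist rules."""
    itemsets = mine_frequent_itemsets([s["features"] for s in samples], min_support)
    txns = {"normal": [], "malicious": []}
    for s in samples:
        txns[s["label"]].append(frozenset(s["features"].items()))
    black = {r for r in itemsets if not any(r <= t for t in txns["normal"])}
    white = {r for r in itemsets if not any(r <= t for t in txns["malicious"])}
    return black, white


def classify(features, black, white):
    """Match one file against the rule base. The text does not say what to do
    on a double match or on no match; here (assumption) a blacklist hit wins
    and a file matching neither list is reported as 'unknown'."""
    t = frozenset(features.items())
    if any(r <= t for r in black):
        return "malicious"
    if any(r <= t for r in white):
        return "normal"
    return "unknown"


if __name__ == "__main__":
    print("overlap U per feature:", feature_overlap(SAMPLES))
    black, white = build_rules(SAMPLES, min_support=0.5)
    for name, rules in (("blacklist", black), ("whitelist", white)):
        for r in sorted(rules, key=lambda r: (len(r), sorted(r))):
            print(name, dict(r))
    unknown = {"e_type": 2, "e_machine": 40, "e_phnum": 2, "e_shnum": 0, "p_align": 4096}
    print("verdict:", classify(unknown, black, white))
```

Support is measured over the whole dictionary list, as the text prescribes, so an itemset that never occurs in one class can only reach support s if the other class makes up at least a fraction s of the library. On this constructed set the preferred threshold of 0.9 yields no rules at all (only p_align = 4096 is frequent, and it occurs in both classes), while 0.5 yields four blacklist rules built around e_shnum = 0 and four whitelist rules built around e_phnum = 9. The threshold therefore has to be chosen against the class balance of the sample library, or the support counted per class.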
It should be noted that the embodiments are published to help the invention be understood further; those skilled in the art will appreciate that various substitutions and modifications are possible without departing from the spirit and scope of the invention and of the appended claims. The invention is therefore not limited to what the embodiments disclose, and its scope of protection is defined by the claims.
Claims (7)
1. A malware static detection rule extraction method based on ELF file characteristics, comprising the following stages:
Stage one: parsing the ELF file sample library and extracting its static structure features, wherein the ELF file sample library contains normal ELF file samples and malicious ELF file samples;
parsing the ELF files in the sample library to extract, respectively, the static structure attribute content of the ELF header, the static structure attribute content of the ELF program header table and the static structure attribute content of the ELF section header table;
Stage two: automatically extracting static detection rules, comprising the following steps:
Step 4: performing feature processing on the static structure attributes extracted from the ELF files in the sample library, as follows:
41) simplifying the static structure attributes by feature reduction, removing redundant features to obtain the reduced feature set;
42) based on the reduced feature set, generating one feature dictionary for each ELF file in the ELF sample library, the feature dictionary having the structure Dictory_j = {Filename: filename, F_1: Value_1, …, F_i: Value_i, …, F_n: Value_n}, where j ∈ [1, m], i ∈ [1, n], and m is the total number of ELF files contained in the ELF sample library;
the feature dictionary generated for each ELF file consisting of the file-name key-value pair Filename: filename and the feature key-value pair set {F_1: Value_1, …, F_i: Value_i, …, F_n: Value_n} contained in that ELF file, the feature key-value pair set consisting of n feature key-value pairs, wherein the feature key F_i is the name of a static structure attribute extracted from the ELF file and the feature value Value_i is the content of attribute F_i in that ELF file;
43) combining the feature dictionaries of all ELF files in the ELF sample library into the dictionary list [Dictory_1, …, Dictory_j, …, Dictory_m], where Dictory_j denotes the feature dictionary {Filename: filename, F_1: Value_1, …, F_i: Value_i, …, F_n: Value_n} of the j-th ELF file;
Step 5: based on the processed static structure attributes, automatically extracting the detection rules contained in the feature dictionary list, as follows:
51) first finding all distinct feature key-value pairs {F_i: Value_i} in the feature dictionary list, forming the one-item feature key-value pair set C_1 = {F_1: Value_1, F_2: Value_2, F_3: Value_3, …}, and counting the frequency with which each element {F_i: Value_i} of C_1 occurs in the feature dictionary list;
52) setting a minimum support threshold and, if the frequency of occurrence of an element of C_1 is less than the minimum support threshold, removing that element, thereby simplifying the one-item feature key-value pair set C_1;
53) combining the elements of the C_1 obtained in step 52) pairwise into two-item feature key-value pairs {F_i: Value_i, F_j: Value_j} to obtain the two-item feature key-value pair set C_2, and counting the frequency with which each element {F_i: Value_i, F_j: Value_j} of C_2 occurs in the feature dictionary list;
54) if the frequency of occurrence of an element of C_2 is less than the minimum support threshold, removing that element, thereby simplifying the two-item feature key-value pair set C_2;
55) combining the elements of C_2 into three-item feature key-value pairs {F_i: Value_i, F_j: Value_j, F_k: Value_k} to obtain the three-item feature key-value pair set C_3, and counting the frequency with which each element {F_i: Value_i, F_j: Value_j, F_k: Value_k} of C_3 occurs in the feature dictionary list;
56) if the frequency of occurrence of an element of C_3 is less than the minimum support threshold, or a subset of the element does not belong to C_1 or C_2, removing that element, thereby simplifying C_3;
57) recursively generating the N-item feature key-value pair sets C_n, stopping when the generated C_n is the empty set;
58) merging the one-item feature key-value pair set C_1, the two-item set C_2 and so on up to the N-item set C_n obtained above into the final feature key-value pair set C, i.e. C = C_1 ∪ C_2 ∪ … ∪ C_n;
Step 6: screening the feature key-value pair set C, retaining the elements whose frequency of occurrence in the malicious ELF files of the sample library is 0 as whitelist rules and the elements whose frequency of occurrence in the normal ELF files of the sample library is 0 as blacklist rules, thereby generating the static detection rules usable for detecting ELF files, from which the static detection rule base can be formed;
whereby, through the above steps, the automatic extraction of malware static detection rules based on ELF file characteristics is achieved.
2. The malware static detection rule extraction method based on ELF file characteristics as described in claim 1, characterized in that the static structure attribute content recorded in the ELF header table, parsed according to the ELF file format, includes the attributes e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_ehsize, e_phnum, e_shnum.
3. The malware static detection rule extraction method based on ELF file characteristics as described in claim 1, characterized in that the program header table parsed according to the ELF file format includes PHDR, LOAD, DYNAMIC, EXIDX; the static structure attribute content recorded in the program header table includes the attributes p_type, p_offset, p_filesz, p_memsz, p_flags, p_align.
4. The malware static detection rule extraction method based on ELF file characteristics as described in claim 1, characterized in that the section header table parsed according to the ELF file format includes: dynsym, dynstr, rel, plt, text, rodata, dynamic, data, bss; the static structure attribute content recorded in the section header table includes sh_type, sh_flags, sh_addr, sh_offset, sh_size, sh_addralign.
5. The malware static detection rule extraction method based on ELF file characteristics as described in claim 1, characterized in that the minimum support threshold of step 52) is set to 0.2~1.0, and is preferably set to 0.9.
6. The malware static detection rule extraction method based on ELF file characteristics as described in claim 1, characterized in that static detection of malware using the extracted static detection rules comprises the following steps:
1) match the ELF file to be detected against the rules in the static detection rule base;
2) an ELF file that matches a black-list rule is judged to be a malicious sample;
3) an ELF file that matches a white-list rule is judged to be a normal sample.
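The level-wise itemset generation of steps 53)-58), the step 6 screening into white-list and black-list rules, and the claim 6 matching, as an added worked example in Python that is not the patent's own code. It runs over a constructed sample database of already-parsed feature dictionaries (attribute names follow claims 2-4, values are illustrative), uses a minimum support of 0.4 rather than the preferred 0.9 so that five samples still yield rules, and assumes black-list precedence plus an "unknown" verdict when neither list matches.

```python
from itertools import combinations
# Constructed sample database (not data from the patent): one feature dictionary per ELF
# file, holding static attributes the claims name, plus the sample's label.
SAMPLES = [
    ({"e_type": "ET_EXEC", "e_machine": "EM_ARM", "p_flags:LOAD": "RWX", "sh_flags:.text": "AX"}, "malicious"),
    ({"e_type": "ET_EXEC", "e_machine": "EM_ARM", "p_flags:LOAD": "RWX", "sh_flags:.text": "WAX"}, "malicious"),
    ({"e_type": "ET_DYN", "e_machine": "EM_ARM", "p_flags:LOAD": "RX", "sh_flags:.text": "AX"}, "normal"),
    ({"e_type": "ET_DYN", "e_machine": "EM_ARM", "p_flags:LOAD": "RX", "sh_flags:.text": "AX"}, "normal"),
    ({"e_type": "ET_EXEC", "e_machine": "EM_ARM", "p_flags:LOAD": "RX", "sh_flags:.text": "AX"}, "normal"),
]

def support(itemset, dicts):
    """Fraction of feature dictionaries that contain every key-value pair of itemset."""
    return sum(all(d.get(k) == v for k, v in itemset) for d in dicts) / len(dicts)

def frequent_itemsets(dicts, min_support):
    """Level-wise C1..Cn as in steps 53)-58): keep an n-item candidate only if it meets
    min_support and all its (n-1)-item subsets were kept; stop when Cn is empty."""
    items = sorted({(k, v) for d in dicts for k, v in d.items()})
    current = [c for c in map(lambda kv: frozenset([kv]), items) if support(c, dicts) >= min_support]
    levels = []
    while current:
        levels.append(current)
        kept = set(current)
        candidates = {a | b for a, b in combinations(current, 2) if len(a | b) == len(a) + 1}
        current = sorted((c for c in candidates if support(c, dicts) >= min_support
                          and all(frozenset(s) in kept for s in combinations(c, len(c) - 1))),
                         key=sorted)
    return [s for level in levels for s in level]  # C = C1 ∪ C2 ∪ ... ∪ Cn

def extract_rules(samples, min_support):
    """Step 6: itemsets absent from all malicious samples -> white list,
    itemsets absent from all normal samples -> black list."""
    mal = [d for d, label in samples if label == "malicious"]
    normal = [d for d, label in samples if label == "normal"]
    whitelist, blacklist = [], []
    for itemset in frequent_itemsets(mal + normal, min_support):
        if support(itemset, mal) == 0:
            whitelist.append(itemset)
        elif support(itemset, normal) == 0:
            blacklist.append(itemset)
    return whitelist, blacklist

def detect(features, whitelist, blacklist):
    """Claim 6 matching; black-list precedence and the 'unknown' verdict are assumptions."""
    matches = lambda rules: any(all(features.get(k) == v for k, v in r) for r in rules)
    if matches(blacklist):
        return "malicious"
    return "normal" if matches(whitelist) else "unknown"
```

With this data the rule set C has 23 itemsets, of which 12 become white-list rules and 4 black-list rules; an itemset seen in both classes (for example e_type alone) lands in neither list.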
7. The malware static detection rule extraction method based on ELF file characteristics as described in claim 1, characterized in that the method is used to implement an automatic extraction system for malware static detection rules based on ELF file characteristics; the system comprises an ELF file parsing subsystem and a static detection rule base generation subsystem;
the ELF file parsing subsystem comprises an ELF header table static structure attribute extraction module, a program header table static structure attribute extraction module, and a section header table static structure attribute extraction module;
the ELF header table static structure attribute extraction module is used to parse, according to the ELF file format, the static structure attribute content recorded in the ELF header table; the program header table static structure attribute extraction module is used to parse, according to the ELF file format, the static structure attribute content recorded in the program header table; the section header table static structure attribute extraction module is used to parse, according to the ELF file format, the static structure attribute content recorded in the section header table;
the static detection rule base generation subsystem comprises a static structure attribute feature processing module, a detection rule extraction module, and a detection rule base generation module; the static structure attribute feature processing module is used to process the static structure attributes for feature validity; the detection rule extraction module is used to automatically extract the feature key-value pair set from the static structure attributes; the detection rule base generation module is used to screen the feature key-value pair set and generate the static detection rule base usable for ELF file detection.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910212116.4A CN110008701B (en) | 2019-03-20 | 2019-03-20 | Static detection rule extraction method and detection method based on ELF file characteristics |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110008701A true CN110008701A (en) | 2019-07-12 |
CN110008701B CN110008701B (en) | 2020-11-03 |
Family
ID=67167480
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910212116.4A Expired - Fee Related CN110008701B (en) | 2019-03-20 | 2019-03-20 | Static detection rule extraction method and detection method based on ELF file characteristics |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110008701B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102360408A (en) * | 2011-09-28 | 2012-02-22 | 国家计算机网络与信息安全管理中心 | Detecting method and system for malicious codes |
CN105138913A (en) * | 2015-07-24 | 2015-12-09 | 四川大学 | Malware detection method based on multi-view ensemble learning |
CN107832609A (en) * | 2017-09-25 | 2018-03-23 | 暨南大学 | Android malware detection method and system based on authority feature |
CN109299609A (en) * | 2018-08-08 | 2019-02-01 | 北京奇虎科技有限公司 | A kind of ELF file test method and device |
- 2019-03-20 CN CN201910212116.4A patent/CN110008701B/en not_active Expired - Fee Related
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113378162A (en) * | 2020-02-25 | 2021-09-10 | 深信服科技股份有限公司 | Method and device for checking executable and linkable format files and storage medium |
CN113378162B (en) * | 2020-02-25 | 2023-11-07 | 深信服科技股份有限公司 | Method, device and storage medium for checking executable and linkable format files |
CN111800409A (en) * | 2020-06-30 | 2020-10-20 | 杭州数梦工场科技有限公司 | Interface attack detection method and device |
CN111800409B (en) * | 2020-06-30 | 2023-04-25 | 杭州数梦工场科技有限公司 | Interface attack detection method and device |
CN115309785A (en) * | 2022-08-08 | 2022-11-08 | 北京百度网讯科技有限公司 | File rule engine library generation method, file information detection method, device and equipment |
Also Published As
Publication number | Publication date |
---|---|
CN110008701B (en) | 2020-11-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20190065744A1 (en) | Computer security system with malicious script document identification | |
JP5990284B2 (en) | Spam detection system and method using character histogram | |
CN108875366A (en) | A kind of SQL injection behavioral value system towards PHP program | |
CN107786545A (en) | A kind of attack detection method and terminal device | |
CN107273752B (en) | Vulnerability automatic classification method based on word frequency statistics and naive Bayes fusion model | |
CN107169351A (en) | With reference to the Android unknown malware detection methods of dynamic behaviour feature | |
CN102254111A (en) | Malicious site detection method and device | |
CN110008701A (en) | Static detection Rules extraction method and detection method based on ELF file characteristic | |
KR20090032305A (en) | Method and system for detecting spam user created content(ucc) | |
CN111723371B (en) | Method for constructing malicious file detection model and detecting malicious file | |
CN105359139A (en) | Security information management system and security information management method | |
CN109104421B (en) | Website content tampering detection method, device, equipment and readable storage medium | |
CN109088903A (en) | A kind of exception flow of network detection method based on streaming | |
CN110008462A (en) | A kind of command sequence detection method and command sequence processing method | |
CN112822121A (en) | Traffic identification method, traffic determination method and knowledge graph establishment method | |
WO2018047027A1 (en) | A method for exploring traffic passive traces and grouping similar urls | |
CN116975865B (en) | Malicious Office document detection method, device, equipment and storage medium | |
Wu et al. | Malicious website detection based on urls static features | |
US11157620B2 (en) | Classification of executable files using a digest of a call graph pattern | |
CN109918638B (en) | Network data monitoring method | |
US9824140B2 (en) | Method of creating classification pattern, apparatus, and recording medium | |
CN114706948A (en) | News processing method and device, storage medium and electronic equipment | |
Sun et al. | Automatically identifying apps in mobile traffic | |
CN107239704A (en) | Malicious web pages find method and device | |
CN112597494A (en) | Behavior white list automatic collection method for malicious program detection |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20201103 |