CN112395602B - Processing method, device and system for static security feature database - Google Patents


Info

Publication number: CN112395602B
Authority: CN (China)
Prior art keywords: file, directory, library, security feature, files
Legal status: Active
Application number: CN201910755851.XA
Other languages: Chinese (zh)
Other versions: CN112395602A (en)
Inventors: 王明广, 杨晓东, 李阳, 杨小波
Current assignee: Qianxin Technology Group Co Ltd; Qianxin Safety Technology Zhuhai Co Ltd
Original assignee: Qianxin Technology Group Co Ltd; Qianxin Safety Technology Zhuhai Co Ltd
Events: application filed by Qianxin Technology Group Co Ltd and Qianxin Safety Technology Zhuhai Co Ltd; priority to CN201910755851.XA; publication of CN112395602A; application granted; publication of CN112395602B; legal status active.

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements > G06F21/562 Static detection
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements > G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The application discloses a processing method, apparatus and system for a static security feature database. It relates to the field of network security, supports matching of static instruction-sequence features, and generates the static security feature database automatically. The method comprises: first, reading the files collected in advance into a library-making directory, where the library-making directory contains the files of different versions of a target official operating system that were running in memory in a clean environment; then, performing static disassembly analysis on the read files to obtain the API call sequence corresponding to each monitoring point; and finally, creating the static security feature database from those API call sequences. The method and apparatus are suitable for processing a static security feature database.

Description

Processing method, device and system for static security feature database
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, and a system for processing a static security feature database.
Background
In the current internet era, network attacks are increasingly frequent and attack techniques keep evolving. Attackers can exploit vulnerabilities to make a software process carry out attack actions; therefore, to better constrain a software process to legitimate actions, the actions a process may perform can be limited by defining permission sets.
Currently, the instruction execution sequence produced when a program runs can be matched against the instruction execution sequences of preset normal behaviour stored in a static security feature database, so that an exploitation event can be discovered in time. However, those normal-behaviour instruction sequences are usually tested and added manually one by one. This not only slows creation of the security feature database but, because of the limits of manual work, also makes a comprehensive static security feature database hard to obtain, which in turn degrades the accuracy of subsequent behaviour anomaly detection.
Disclosure of Invention
In view of this, the present application provides a method, apparatus and system for processing a static security feature database, mainly to solve the problems of the prior art that creation of the security feature database is slow, a comprehensive static security feature database cannot be obtained, and the accuracy of subsequent behaviour anomaly detection suffers.
According to one aspect of the present application, a processing method for a static security feature database is provided, applicable to a server side, the method including:
reading the files collected in advance into a library-making directory, where the library-making directory contains the files of different versions of a target official operating system that were running in memory in a clean environment;
performing static disassembly analysis on the read files to obtain the Application Programming Interface (API) call sequence corresponding to each monitoring point;
and creating a static security feature database from the API call sequences.
Optionally, performing static disassembly analysis on the read files to obtain the API call sequence corresponding to each monitoring point specifically includes:
performing static disassembly analysis on the read files, and taking each key API that matches a preset key API list as a monitoring point;
and backtracking from each key API through a preset number of call levels to obtain the API call sequence corresponding to that key API.
Optionally, after the static security feature database is created, the method further includes:
obtaining the target API call sequence of a behaviour to be detected;
matching the target API call sequence against the API call sequences in the static security feature database;
and if no matching API call sequence exists in the static security feature database, determining that the behaviour to be detected is suspected abnormal behaviour and triggering a corresponding alarm.
Optionally, the library-making directory further contains the updated files that were running in memory in a clean environment after a patch was installed on the target official operating system.
Optionally, the library-making directory further contains the new files generated in memory when different versions of legitimate software were each run on their own in the target official operating system in a clean environment.
Optionally, the library-making directory further contains the files of different versions of other official operating systems that were running in memory in a clean environment.
Optionally, the library-making directory further contains the updated files that were running in memory in a clean environment after a patch was installed on the other official operating systems.
Optionally, the library-making directory further contains the new files generated in memory when different versions of legitimate software were each run on their own in the other official operating systems in a clean environment.
According to another aspect of the present application, another processing method for a static security feature database is provided, applicable to a client side, the method including:
obtaining the files of an installed target official operating system that are running in memory in a clean environment;
and uploading the files to a library-making directory, where the library-making directory contains the files of different versions of the target official operating system that were running in memory in a clean environment, so that a static security feature database is created from the API call sequences corresponding to the monitoring points, obtained by static disassembly analysis of the files in the library-making directory.
Optionally, obtaining the files of the installed target official operating system that are running in memory in a clean environment specifically includes:
after the target official operating system is installed, installing a driver, starting each service of the target official operating system and setting it to start automatically, so as to obtain each process module file while the target official operating system runs in a clean environment;
storing the file hash value and the file path (directory and file name) corresponding to each process module file in a file list;
and registering a module-load callback, and merging the dynamic module files loaded during a preset running period into the file list according to their file hash values and file paths.
Optionally, uploading the files to the library-making directory specifically includes:
storing each corresponding file in the library-making directory according to the file hash value and file path in the file list.
Optionally, storing each corresponding file in the library-making directory according to the file hash value and file path in the file list specifically includes:
obtaining each corresponding file according to the file hash value and file path in the file list;
and storing the obtained files in the corresponding folders of the library-making directory according to the operating system version number, operating system edition and system bitness (32-bit or 64-bit) of the target official operating system.
Optionally, if the size of the files exceeds a preset threshold, uploading the files to the library-making directory specifically includes:
uploading the files to the library-making directory via the File Transfer Protocol (FTP) or the SSH File Transfer Protocol (SFTP).
According to another aspect of the present application, a processing apparatus for a static security feature database is provided, applicable to a server side, the apparatus including:
a reading module, configured to read the files collected in advance into a library-making directory, where the library-making directory contains the files of different versions of a target official operating system that were running in memory in a clean environment;
an analysis module, configured to perform static disassembly analysis on the read files to obtain the API call sequence corresponding to each monitoring point;
and a creating module, configured to create a static security feature database from the API call sequences.
Optionally, the analysis module is specifically configured to perform static disassembly analysis on the read files and take each key API that matches a preset key API list as a monitoring point;
and to backtrack from each key API through a preset number of call levels to obtain the API call sequence corresponding to that key API.
Optionally, the apparatus further includes:
an obtaining module, configured to obtain the target API call sequence of a behaviour to be detected after the static security feature database has been created;
a matching module, configured to match the target API call sequence against the API call sequences in the static security feature database;
and a determining module, configured to determine that the behaviour to be detected is suspected abnormal behaviour and trigger a corresponding alarm if no matching API call sequence exists in the static security feature database.
Optionally, the library-making directory further contains the updated files that were running in memory in a clean environment after a patch was installed on the target official operating system.
Optionally, the library-making directory further contains the new files generated in memory when different versions of legitimate software were each run on their own in the target official operating system in a clean environment.
Optionally, the library-making directory further contains the files of different versions of other official operating systems that were running in memory in a clean environment.
Optionally, the library-making directory further contains the updated files that were running in memory in a clean environment after a patch was installed on the other official operating systems.
Optionally, the library-making directory further contains the new files generated in memory when different versions of legitimate software were each run on their own in the other official operating systems in a clean environment.
According to still another aspect of the present application, a processing apparatus for a static security feature database is provided, applicable to a client side, the apparatus including:
an obtaining module, configured to obtain the files of an installed target official operating system that are running in memory in a clean environment;
and a sending module, configured to upload the files to a library-making directory, where the library-making directory contains the files of different versions of the target official operating system that were running in memory in a clean environment, so that a static security feature database is created from the Application Programming Interface (API) call sequences corresponding to the monitoring points, obtained by static disassembly analysis of the files in the library-making directory.
Optionally, the obtaining module is specifically configured to, after the target official operating system is installed, install a driver, start each service of the target official operating system and set it to start automatically, so as to obtain each process module file while the target official operating system runs in a clean environment;
to store the file hash value and file path corresponding to each process module file in a file list;
and to register a module-load callback and merge the dynamic module files loaded during a preset running period into the file list according to their file hash values and file paths.
Optionally, the sending module is specifically configured to store each corresponding file in the library-making directory according to the file hash value and file path in the file list.
Optionally, the sending module is further specifically configured to obtain each corresponding file according to the file hash value and file path in the file list;
and to store the obtained files in the corresponding folders of the library-making directory according to the operating system version number, operating system edition and system bitness of the target official operating system.
Optionally, the sending module is further specifically configured to upload the files to the library-making directory via FTP or SFTP if the size of the files exceeds a preset threshold.
According to yet another aspect of the present application, a storage medium is provided on which a computer program is stored which, when executed by a processor, implements the above server-side processing method for a static security feature database.
According to yet another aspect of the present application, a server is provided, including a storage medium, a processor and a computer program stored on the storage medium and executable on the processor, the processor implementing the above server-side processing method for a static security feature database when executing the program.
According to yet another aspect of the present application, a storage medium is provided on which a computer program is stored which, when executed by a processor, implements the above client-side processing method for a static security feature database.
According to yet another aspect of the present application, a client device is provided, including a storage medium, a processor and a computer program stored on the storage medium and executable on the processor, the processor implementing the above client-side processing method for a static security feature database when executing the program.
According to yet another aspect of the present application, a system for processing a static security feature database is provided, including the client device and the server described above.
By means of the above technical solution, the processing method, apparatus and system for a static security feature database can collect in advance the files of different versions of a target official operating system that were running in memory in a clean environment, perform static disassembly analysis on those files to obtain the API call sequence corresponding to each monitoring point, and then automatically create the static security feature database from the API call sequences obtained by analysis. Compared with the existing approach, the static security feature database is created automatically, which improves creation efficiency; and because the instruction execution sequences of normal behaviour are generated by analysing the files of different versions of official operating systems running in memory in a clean environment, a more comprehensive static security feature database is obtained, which in turn improves the accuracy of subsequent behaviour anomaly detection.
The foregoing is only an overview of the technical solution of the present application. So that the technical means of the present application can be understood more clearly and implemented according to the content of this description, and so that the above and other objects, features and advantages of the present application become more readily apparent, the detailed description of the present application follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application without limiting it. In the drawings:
FIG. 1 is a schematic flowchart of a processing method for a static security feature database according to an embodiment of the present application;
FIG. 2 is a schematic diagram of the process of creating a base rule base according to an embodiment of the present application;
FIG. 3 is a schematic flowchart of the process of creating an updated rule base according to an embodiment of the present application;
FIG. 4 is a schematic flowchart of another processing method for a static security feature database according to an embodiment of the present application;
FIG. 5 is a schematic diagram of the architecture of a distributed file analysis system according to an embodiment of the present application;
FIG. 6 is a schematic flowchart of a processing method for a static security feature database according to an embodiment of the present application;
FIG. 7 is a schematic structural diagram of a processing apparatus for a static security feature database according to an embodiment of the present application;
FIG. 8 is a schematic structural diagram of another processing apparatus for a static security feature database according to an embodiment of the present application;
FIG. 9 is a schematic structural diagram of a processing system for a static security feature database according to an embodiment of the present application.
Detailed Description
The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments. It should be noted that, in the present application, the embodiments and features of the embodiments may be combined with each other without conflict.
To address the problems of the prior art that creation of the security feature database is slow and the accuracy of subsequent behaviour anomaly detection suffers, this embodiment provides a processing method for a static security feature database, shown in FIG. 1, which can be applied to a server side or to another terminal side. The method includes:
101. Reading the files collected in advance into the library-making directory.
The library-making directory contains the files of different versions of a target official operating system that were running in memory in a clean environment. The files can be collected and uploaded by the client side in advance: different versions of the target official operating system are installed and run on the client side, the files running in memory in a clean environment are obtained, and they are uploaded to the library-making directory on the server side.
Note that different versions of the target official operating system may also be installed on a local terminal associated with the server, and the files then collected into the specified library-making directory. Which arrangement is used can be chosen in advance according to actual requirements.
102. Performing static disassembly analysis on the files read from the library-making directory to obtain the API call sequence corresponding to each monitoring point.
A monitoring point may be a key API, such as the main API called when a behavioural event is carried out.
In this embodiment, a library-making script engine may be written in advance, and the collected files are then subjected to static disassembly analysis by that engine. For example, the library-making script engine can be implemented in Python and divided into two functions, file processing and task scheduling; it supports driving a disassembler such as the Interactive Disassembler (IDA) through plug-in scripts and extracting the required information from the disassembler to make rules. In this way all collected files can be processed automatically: IDA is invoked to load each file together with the IDA script, the PE file is statically disassembled and analysed, and all monitoring-point rules, i.e. the API call sequences corresponding to the monitoring points, are output.
103. Creating the static security feature database from the API call sequences obtained by static disassembly analysis.
In the static security feature database, for each version of the target official operating system, every behavioural event executed by a system process has its own corresponding normal API call sequence, so that when a behavioural event of a system process of a given version is later verified, the normal API call sequences can be used to check whether the system process shows abnormal behaviour.
With this method, the files of different versions of a target official operating system that were running in memory in a clean environment can be collected in advance, static disassembly analysis performed on them to obtain the API call sequence corresponding to each monitoring point, and the static security feature database then created automatically from the API call sequences obtained by analysis. Compared with the existing approach, the static security feature database is created automatically, which improves creation efficiency; and because the instruction execution sequences of normal behaviour are generated by analysing the files of different versions of official operating systems running in memory in a clean environment, a more comprehensive static security feature database is obtained, which improves the accuracy of subsequent behaviour anomaly detection.
Further, as a refinement and extension of the specific implementation of the above embodiment, in order to obtain the API call sequence corresponding to a monitoring point accurately, step 102 may optionally specifically include: performing static disassembly analysis on the read files and taking each key API that matches a preset key API list as a monitoring point; and then backtracking from each key API through a preset number of call levels to obtain the API call sequence corresponding to that key API.
The preset key API list is used to find the monitoring points and can be set in advance according to actual service requirements. The preset number of levels can also be set in advance according to actual requirements; for example, with a preset level of 3, the target API that calls the key API and the API that calls that target API need to be traced back, giving a three-level chain that ends in the key API.
After the static security feature database has been created, in order to carry out subsequent behaviour anomaly detection, the method of this embodiment may optionally further include: first obtaining the target API call sequence of the behaviour to be detected; then matching the target API call sequence against the API call sequences in the static security feature database; and if no matching API call sequence exists in the static security feature database, determining that the behaviour to be detected is suspected abnormal behaviour and triggering a corresponding alarm. The alarm may take the form of text, pictures, audio, video, light, vibration and the like.
When no matching API call sequence exists in the static security feature database, a report can be raised for further analysis and examination, and if the target API call sequence is determined to be normal it can be added to the static security feature database.
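The following Python block is an added worked example of steps 102 and 103 together with the optional detection step described above; it is not the patent's library-making script engine. The call graphs are constructed stand-ins for what an IDA plug-in script would extract from each collected PE module (function to the functions and imported APIs it calls), and the key API list, the sub_... function names and the (version, edition, bitness) key used to index the database are all assumptions. It also shows the base/incremental split mentioned later for the distributed analysis system: rules present in a patched collection but not in the base one.

```python
"""Make monitoring-point rules from call graphs, build the static security
feature database, and match a runtime call chain against it.

Added example, not the patent's library-making script engine.  The call graphs
below are CONSTRUCTED stand-ins for what an IDA plug-in script would extract
from each collected PE module: function -> functions and imported APIs it
calls.  The key API list, the function names (sub_...) and the OS key layout
(version, edition, bitness) are assumptions.
"""
from collections import defaultdict

# Constructed call graph of one collected module.
SAMPLE_CALL_GRAPH = {
    "sub_401000": ["sub_401200", "GetModuleHandleW"],
    "sub_401200": ["sub_401400"],
    "sub_401400": ["VirtualAllocEx", "WriteProcessMemory"],
    "sub_402000": ["sub_401400"],      # a second path into the same key APIs
    "sub_403000": ["CreateProcessW"],
    "sub_403100": ["sub_403000"],
}

# The same module after a constructed "patch" that adds one more code path.
PATCHED_CALL_GRAPH = dict(SAMPLE_CALL_GRAPH, **{
    "sub_404000": ["CreateRemoteThread"],
    "sub_404100": ["sub_404000"],
})

# Preset key API list (the monitoring points); assumed, not from the patent.
KEY_APIS = {"VirtualAllocEx", "WriteProcessMemory",
            "CreateProcessW", "CreateRemoteThread"}


def build_caller_index(call_graph):
    """Invert the call graph: callee -> set of direct callers."""
    callers = defaultdict(set)
    for func, callees in call_graph.items():
        for callee in callees:
            callers[callee].add(func)
    return callers


def backtrack(key_api, callers, level):
    """All call chains ending in `key_api`, at most `level` entries long,
    outermost caller first.  level=3 gives (caller of caller, caller, key API),
    as in the text.  A chain stops early at a function with no known caller
    (an export or entry point) and is still recorded, because that is the
    sequence that actually exists in the binary."""
    chains = []

    def walk(chain):
        parents = [p for p in sorted(callers.get(chain[0], ()))
                   if p not in chain]          # recursion guard
        if len(chain) == level or not parents:
            if len(chain) > 1:
                chains.append(tuple(chain))
            return
        for p in parents:
            walk([p] + chain)

    walk([key_api])
    return chains


def make_rules(call_graph, key_apis=KEY_APIS, level=3):
    """Monitoring-point rules of one module: every chain ending in a key API."""
    callers = build_caller_index(call_graph)
    rules = set()
    for api in sorted(key_apis & set(callers)):
        rules.update(backtrack(api, callers, level))
    return rules


def build_feature_db(collected, level=3):
    """collected: {(os_version, edition, bits): {module_name: call_graph}}
    -> {(os_version, edition, bits): set of normal API call sequences}."""
    db = {}
    for os_key, modules in collected.items():
        db[os_key] = set().union(*(make_rules(g, level=level)
                                   for g in modules.values()))
    return db


def incremental_rules(base_db, updated_db):
    """Incremental library: sequences in the updated (patched) collection that
    the base library of the same OS key does not already contain."""
    diff = {}
    for os_key, seqs in updated_db.items():
        new = seqs - base_db.get(os_key, set())
        if new:
            diff[os_key] = new
    return diff


def check_behavior(db, os_key, target_sequence):
    """True when the observed chain is a known-normal sequence for that OS
    version.  False means suspected abnormal behaviour: alert, then queue the
    chain for review and add it to the database only if it proves normal."""
    return tuple(target_sequence) in db.get(os_key, set())
```

Two properties of this design are worth keeping in mind when it is deployed. The database is a whitelist keyed by OS version, edition and bitness, so a detector that looks up the wrong key, or a host whose patch level was never collected, produces alerts for perfectly normal chains; that is why the description routes unmatched sequences to review rather than straight to blocking. And because everything rests on the collected files being clean, the integrity of the collection hosts (vendor ISO, official packages, no third-party software beyond what is being profiled) is the real trust anchor of the whole scheme.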
In this embodiment, in addition to the library-making directory containing the files of different versions of the target official operating system that were running in memory in a clean environment, the following further optional ways of obtaining a more comprehensive static security feature database are given:
As one option, the library-making directory may further contain the updated files that were running in memory in a clean environment after patches were installed on those versions of the target official operating system. For example, as shown in FIG. 2, the target operating system (OS) is first installed and its version identified; then a collection tool is run to trigger behaviour and collect the files running in memory in a clean environment, and the files are uploaded to the library-making directory; finally the library-making script engine is run to perform static disassembly analysis on the files in the library-making directory and make the rule base, giving the base rule base.
Subsequently, updated patches are installed in the target operating system and the collection tool is run to trigger behaviour and collect the updated files running in memory in a clean environment; the updated files are then uploaded to the library-making directory in the same way and the library-making script engine is run to make the rule base, giving the updated rule base, as shown in FIG. 3.
Alternatively, the library-making directory may further contain the new files generated in memory when different pieces of legitimate software (such as browsers, office software, PDF readers and the like) are each run on their own in the target official operating system in a clean environment. Static disassembly analysis is subsequently performed on these new files to produce the normal API call sequences of the legitimate software running in the target official operating system, so that the resulting static security feature database can also detect abnormal software behaviour, broadening the scenarios in which security verification can be applied.
For example, a clean system is installed from the ISO published on the vendor's official website, and only software installation packages downloaded from the software's official site are installed; the latest file collection tool provided by the rule maintainer is then used to collect the new files generated in memory when the software runs in the official operating system in a clean environment.
As a further option, the library-making directory may also contain the files of different versions of other official operating systems that were running in memory in a clean environment. Static disassembly analysis is subsequently performed on these files, giving a static security feature database that can verify the behaviour of more operating systems for anomalies.
Further, building on the above, as yet another option the library-making directory may further contain the updated files that were running in memory in a clean environment after patches were installed on the other official operating systems. In the end, not only the base rule base of different versions of the other official operating systems but also the updated rule base of those versions can be obtained, meeting more system behaviour anomaly detection requirements.
Still further, the library-making directory may further contain the new files generated in memory when different versions of legitimate software are each run on their own in the other official operating systems in a clean environment. The resulting static security feature database can therefore detect whether software behaviour in the other operating systems is abnormal, meeting still more software behaviour detection requirements.
The foregoing embodiment describes the processing of the static security feature database from the server side. To fully illustrate the implementation of this embodiment, this embodiment further provides another processing method for a static security feature database, applicable to the client side, as shown in fig. 4. The method includes:
201. Acquire the files of the installed target official operating system running in memory in a clean environment.
Specifically, the module files running in memory over a period of time can be collected by running a file collection tool on the target operating system.
202. Upload the acquired files to the library-making directory.
The library-making directory may contain files of different versions of the target official operating system running in memory in a clean environment, so that the static security feature database can subsequently be created from the API call sequences corresponding to the monitoring points, which are obtained by static disassembly analysis of the files in the library-making directory.
For example, to improve the efficiency of creating the static security feature database, multiple terminals may collect files as described in this solution and then upload them to the library-making directory of a distributed static file analysis system. As shown in fig. 5, the distributed static file analysis system outputs a base library and an incremental library of static rules: a client submits a file analysis task in the required file directory format, a task scheduler decides which back-end service performs the analysis, and the base library or incremental library is output when the analysis completes. The analysis service exposes a rule acquisition interface and a task query interface.
The analysis service can be a micro HTTP server that registers itself with the task scheduling module (an initial version may omit the task scheduling service altogether). It receives the analysis request, stores the uploaded file, invokes the disassembly tool analysis script engine (for example IDA) to analyse the static file, and outputs the rule file. An example interface design follows:
1) POST /make_rules: submit a task directory for analysis to generate a base library or an incremental library;
2) POST /rule: obtain the base library or incremental library of a given OS;
3) POST /zipfile: upload the base library or incremental library files to be analysed and analyse them; suitable for transfers where the total size of the library files is less than 300 MB.
Compared with existing approaches, this client-side processing method for a static security feature database can build the static security feature database automatically, improving the efficiency of building the database; and because the instruction execution sequences of normal behaviour are generated by analysing the files of official operating systems of different versions running in memory in a clean environment, a more comprehensive static security feature database is obtained, which improves the accuracy of subsequent behaviour anomaly detection performed with it.
Further, as a refinement and extension of the above embodiment, in order to fully explain its specific implementation, another processing method for a static security feature database applicable to the client side is provided, as shown in fig. 6. The method includes:
301. After the target official operating system is installed, install the driver, start each service item of the target official operating system and set it to start automatically, so as to obtain each process module file when the target official operating system runs in a clean environment.
302. Store the file hash value and the file name directory corresponding to each process module file in a file list.
303. Set a module-load callback, and merge the dynamic module files loaded within the preset running time into the file list according to their file hash values and file name directories.
304. Store the corresponding files in the library-making directory according to the file hash values and file name directories in the file list.
In this way the collected files are more comprehensive and accurate, and more instruction execution sequences of normal system behaviour can be obtained.
For example, the file collection tool installs a kernel driver, starts all service items and sets them to auto-start; the driver layer enumerates all process modules and saves a file list; a module-load callback is set so that dynamic module loads over a period of time are captured and merged into the file list; the file hash of each entry is computed; and when collection is complete the files in the list are saved to the specified directory in the form "file name directory/hash", overwriting any file whose hash already exists in the target directory. This makes it convenient to subsequently create the static security feature database from the API call sequences corresponding to the monitoring points obtained by static disassembly analysis of the files in the library-making directory.
To facilitate management of the library-making directory and make the subsequent creation of the static security feature database more standardised, as an alternative, step 304 may specifically include: obtaining the corresponding file according to the file hash value and file name directory in the file list; and then storing the obtained file in the corresponding folder of the library-making directory according to the operating system version number, operating system build number and current system bitness of the target official operating system.
For example, after the collection tool finishes, a folder named "OS version number + OS build number + current system bitness" is created in the same directory, and the files collected from running software such as browsers and Office/PDF readers are output according to the same output standard.
If the size of the file to be uploaded to the library-making directory is larger than a preset threshold, as an optional way to increase transfer speed the file may be uploaded using the File Transfer Protocol (FTP) or the SSH File Transfer Protocol (SFTP). For example, an incremental package or base package file larger than a certain size is uploaded by FTP/SFTP to a specified directory, and the task directory is then submitted directly to complete the analysis.
By applying this scheme, an automated library-making scheme for static instruction sequence features is provided. By standardising the system installation version, installation environment and file collection method, static analysis is used to obtain complete program instruction execution sequences, a static instruction sequence feature library is built according to specified rules, and it is output and verified automatically. The method meets the requirement of static instruction sequence feature matching and automatically generates a base library or an incremental library. The resulting database can be applied to any scenario based on instruction execution sequence feature matching.
Further, as a specific implementation of the method shown in fig. 1, an embodiment of the present application provides a processing apparatus for a static security feature database applicable to the server side, as shown in fig. 7. The apparatus includes a reading module 41, an analysis module 42 and a creation module 43.
The reading module 41 is configured to read files collected in advance in a library-making directory, where the library-making directory includes files of target official operating systems of different versions running in memory in a clean environment;
the analysis module 42 is configured to perform static disassembly analysis on the read files to obtain the application program interface (API) call sequences corresponding to the monitoring points;
the creation module 43 is configured to create the static security feature database according to the API call sequences.
In a specific application scenario, the analysis module 42 may specifically be configured to perform static disassembly analysis on the read files, take the key APIs that match a preset key API list as the monitoring points, and backtrack from each key API a preset number of levels to obtain the API call sequence corresponding to that key API.
In a specific application scenario, the apparatus may further include an obtaining module 44, a matching module 45 and a determining module 46;
the obtaining module 44 is configured to obtain the target API call sequence of the behaviour to be detected after the static security feature database has been created;
the matching module 45 is configured to match the target API call sequence against the API call sequences in the static security feature database;
the determining module 46 is configured to determine that the behaviour to be detected is suspected abnormal behaviour if no matching API call sequence exists in the static security feature database, and to trigger the corresponding alarm.
In a specific application scenario, optionally, the library-making directory may further include the update files that run in memory in a clean environment after the target official operating system has installed a patch.
In a specific application scenario, optionally, the library-making directory further includes the new files generated in memory when different versions of legitimate software are each run independently in the target official operating system in a clean environment.
In a specific application scenario, optionally, the library-making directory further includes files of other official operating systems of different versions running in memory in a clean environment.
In a specific application scenario, optionally, the library-making directory further includes the update files that run in memory in a clean environment after patches are installed on the other official operating systems.
In a specific application scenario, the library-making directory further includes the new files generated in memory when different versions of legitimate software are each run independently in the other official operating systems in a clean environment.
It should be noted that other corresponding descriptions of the functional units involved in the processing apparatus applicable to the static security feature database at the server side provided in this embodiment may refer to the corresponding descriptions in fig. 1, and are not repeated herein.
Further, as a specific implementation of the methods shown in fig. 4 and fig. 6, an embodiment of the present application provides a processing apparatus for a static security feature database applicable to the client side, as shown in fig. 8. The apparatus includes an obtaining module 51 and a sending module 52.
The obtaining module 51 is configured to obtain the files of the installed target official operating system running in memory in a clean environment;
the sending module 52 is configured to upload the files to the library-making directory, where the library-making directory includes files of target official operating systems of different versions running in memory in a clean environment, so that the static security feature database can be created according to the application program interface (API) call sequences corresponding to the monitoring points obtained by static disassembly analysis of the files in the library-making directory.
In a specific application scenario, the obtaining module 51 may specifically be configured to: after the target official operating system is installed, install the driver, start each service item of the target official operating system and set it to start automatically, so as to obtain each process module file when the target official operating system runs in a clean environment; store the file hash value and file name directory corresponding to each process module file in a file list; and set a module-load callback and merge the dynamic module files loaded within the preset running time into the file list according to their file hash values and file name directories.
In a specific application scenario, the sending module 52 may specifically be configured to store the corresponding files in the library-making directory according to the file hash values and file name directories in the file list.
In a specific application scenario, the sending module 52 may further be configured to obtain the corresponding file according to the file hash value and file name directory in the file list, and store the obtained file in the corresponding folder of the library-making directory according to the operating system version number, operating system build number and current system bitness of the target official operating system.
In a specific application scenario, the sending module 52 may further be configured to upload the file to the library-making directory through FTP or SFTP if the size of the file is greater than a preset threshold.
It should be noted that other corresponding descriptions of the functional units involved in the processing apparatus applicable to the static security feature database on the client side provided in this embodiment may refer to the corresponding descriptions in fig. 4 and fig. 6, and are not described herein again.
Based on the method shown in fig. 1, correspondingly, the present application further provides a storage medium, on which a computer program is stored, and when the program is executed by a processor, the program implements the processing method applicable to the static security feature database on the server side shown in fig. 1. Based on the methods shown in fig. 4 and fig. 6, the present application provides another storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the processing method applicable to the static security feature database on the client side shown in fig. 4 and fig. 6 is implemented.
Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.), and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method of the embodiments of the present application.
Based on the method shown in fig. 1 and the virtual device embodiment shown in fig. 7, in order to achieve the above object, an embodiment of the present application further provides a server, which may specifically be a computer, a server device or another network device. The server includes a storage medium for storing a computer program, and a processor for executing the computer program to implement the above processing method applicable to the static security feature database on the server side as shown in fig. 1.
Based on the methods shown in fig. 4 and fig. 6 and the virtual device embodiment shown in fig. 8, in order to achieve the above object, an embodiment of the present application further provides a client device, which may specifically be a personal computer, a notebook computer, a tablet computer, a smart phone or another network device. The client device includes a storage medium for storing a computer program, and a processor for executing the computer program to implement the above processing method applicable to the static security feature database on the client side as shown in fig. 4 and fig. 6.
Optionally, both physical devices may further include a user interface, a network interface, a camera, a radio frequency (RF) circuit, a sensor, an audio circuit, a Wi-Fi module and the like. The user interface may include a display screen (Display) and an input unit such as a keyboard (Keyboard), and may optionally also include a USB interface, a card reader interface, etc. The network interface may optionally include a standard wired interface, a wireless interface (e.g. a Wi-Fi interface), etc.
Those skilled in the art will appreciate that the physical device structure of the client device and the server provided in the present embodiment does not constitute a limitation to the two physical devices, and may include more or less components, or combine some components, or arrange different components.
The storage medium may further include an operating system and a network communication module. The operating system is a program that manages the hardware and software resources of the two physical devices described above, supporting the operation of the information processing program as well as other software and/or programs. The network communication module is used for realizing communication among components in the storage medium and other hardware and software in the information processing entity equipment.
Based on the above, further, an embodiment of the present application further provides a processing system of a static security feature database, as shown in fig. 9, the system includes: server 61, client device 62;
wherein the server 61 is operable to perform the method as shown in fig. 1 and the client device 62 is operable to perform the method as shown in fig. 4 and 6.
A client device 62 operable to obtain files of the installed target official operating system running in memory in a clean environment; the file is then uploaded to the library-making directory of the server 61.
The server 61 is configured to first read a file collected in advance in a library-making directory, where the library-making directory includes files of target official operating systems of different versions running in a memory in a clean environment; then, performing static disassembling analysis on the read file to obtain an API calling sequence corresponding to the monitoring point; and finally, creating a static security feature database according to the API calling sequence.
Through the above description of the embodiments, those skilled in the art will clearly understand that the present application can be implemented by software plus a necessary general hardware platform, and can also be implemented by hardware. By applying the technical scheme of the application, the automatic library preparation scheme of the static instruction sequence features is correspondingly provided. Through standardizing system installation version, installation environment and file collection method, a static analysis mode is adopted to obtain a complete program instruction execution sequence, a static instruction sequence feature library is manufactured according to a specified rule, and output and verification are carried out in an automatic mode. The method can meet the requirement of static instruction sequence feature matching and automatically generate a basic library or an incremental library. The subsequently created database may be applied to all scenarios based on instruction execution sequence feature matching.
Those skilled in the art will appreciate that the figures are merely schematic representations of one preferred implementation scenario and that the blocks or flow diagrams in the figures are not necessarily required to practice the present application. Those skilled in the art will appreciate that the modules in the devices in the implementation scenario may be distributed in the devices in the implementation scenario according to the description of the implementation scenario, or may be located in one or more devices different from the present implementation scenario with corresponding changes. The modules of the implementation scenario may be combined into one module, or may be further split into a plurality of sub-modules.
The above application serial number is merely for description and does not represent the superiority and inferiority of the implementation scenario. The above disclosure is only a few specific implementation scenarios of the present application, but the present application is not limited thereto, and any variations that can be made by those skilled in the art are intended to fall within the scope of the present application.

Claims (29)

1. A method for processing a static security feature database, comprising:
reading files collected in advance in a library-making directory, wherein the library-making directory comprises files of target official operating systems of different versions running in memory in a clean environment, the files being obtained by installing and running the target official operating systems of different versions on a terminal; performing static disassembly analysis on the read files to obtain application program interface (API) call sequences corresponding to monitoring points;
creating a static security feature database according to the API call sequences;
wherein the terminal acquiring the files of the installed target official operating system running in memory in the clean environment specifically comprises:
after the target official operating system is installed, the terminal installs a driver, starts each service item of the target official operating system and sets it to start automatically, so as to obtain each process module file when the target official operating system runs in a clean environment;
the terminal stores the file hash value and the file name directory corresponding to each process module file in a file list;
and the terminal sets a module-load callback, and merges the dynamic module files loaded within the preset running time into the file list according to the corresponding file hash values and file name directories.
2. The method according to claim 1, wherein performing static disassembling analysis on the read file to obtain an API call sequence corresponding to the monitoring point specifically comprises:
performing static disassembling analysis on the read file, and acquiring a key API matched with a preset key API list as the monitoring point;
and backtracking the key API to a preset level, and acquiring an API calling sequence corresponding to the key API.
3. The method of claim 1, wherein after creating the static security feature database, the method further comprises:
acquiring a target API call sequence of a behavior to be detected;
matching the target API call sequence with an API call sequence in the static security feature database;
and if the static security feature database does not have a matched API calling sequence, determining that the behavior to be detected is a suspected abnormal behavior, and triggering to perform corresponding alarm.
4. The method of claim 1, wherein the library directory further comprises an update file that runs in a memory in a clean environment after the target official operating system installs a patch.
5. The method of claim 1, wherein the library-making directory further comprises new files generated in memory when different versions of legitimate software are each run independently in the target official operating system in a clean environment.
6. The method of claim 1, wherein the library-making directory further comprises files of other official operating systems of different versions running in memory in a clean environment.
7. The method of claim 6, wherein the library-making directory further comprises update files that run in memory in a clean environment after patches are installed on the other official operating systems.
8. The method of claim 6, wherein the library-making directory further comprises new files generated in memory when different versions of legitimate software are each run independently in the other official operating systems in a clean environment.
9. A method for processing a static security feature database, comprising:
acquiring a file of the installed target official operating system running in a memory under a clean environment;
uploading the file to a library making directory, wherein the library making directory comprises files of target official operation systems of different versions running in an internal memory under a clean environment, so that a static security feature database is created according to an Application Program Interface (API) calling sequence corresponding to the monitoring point, which is obtained by static disassembling analysis of the files in the library making directory;
the acquiring of the file of the installed target official operating system running in the memory in the clean environment specifically includes:
after the target official operating system is installed, installing a driver, starting each service item of the target official operating system and setting self-starting so as to obtain each process module file when the target official operating system runs in a clean environment;
storing the file hash value and the file name directory corresponding to the process module file in a file list;
and setting module loading callback, and loading and merging the dynamic module files in the preset running time into the file list according to the corresponding file hash value and the file name directory.
10. The method according to claim 9, wherein uploading the file into a library directory specifically comprises:
and storing the corresponding file in the library making directory according to the file hash value and the file name directory in the file list.
11. The method according to claim 10, wherein storing the corresponding file in the library-making directory according to the file hash value and the file name directory in the file list specifically comprises:
acquiring a corresponding file according to the file hash value and the file name directory in the file list;
and storing the acquired file in a corresponding folder in the library making directory according to the operating system version number, the operating system edition number and the current system digit corresponding to the target official operating system.
12. The method according to claim 9, wherein, if the file size is larger than a preset threshold, uploading the file to the library-making directory specifically comprises:
uploading the file to the library-making directory through the File Transfer Protocol (FTP) or the Secure File Transfer Protocol (SFTP).
13. A processing apparatus for a static security feature database, comprising:
the reading module is used for reading files collected in advance in a library making directory, wherein the library making directory comprises files of target official operating systems of different versions running in a memory under a clean environment, and the files are obtained by installing the target official operating systems of different versions in a terminal to run;
the analysis module is used for performing static disassembling analysis on the read file to obtain an application program interface API calling sequence corresponding to the monitoring point;
the creating module is used for creating a static security feature database according to the API calling sequence;
wherein, after the target official operating system is installed, the terminal installs a driver, starts each service item of the target official operating system and sets it to start automatically, so as to obtain each process module file when the target official operating system runs in a clean environment;
the terminal stores the file hash value and the file name directory corresponding to each process module file in a file list;
and the terminal sets a module-load callback, and merges the dynamic module files loaded within the preset running time into the file list according to the corresponding file hash values and file name directories.
14. The apparatus of claim 13,
the analysis module is specifically configured to perform static disassembling analysis on the read file, and acquire a key API matched with a preset key API list as the monitoring point;
and backtracking the key API to a preset level, and acquiring an API calling sequence corresponding to the key API.
15. The apparatus of claim 13, further comprising:
the acquisition module is used for acquiring a target API call sequence of the behavior to be detected after the static security feature database is established;
the matching module is used for matching the target API calling sequence with the API calling sequence in the static security feature database;
and the determining module is used for determining that the behavior to be detected is suspected abnormal behavior and triggering to perform corresponding alarm if the matched API calling sequence does not exist in the static security feature database.
16. The apparatus of claim 13, wherein the library-making directory further comprises update files that run in memory in a clean environment after the target official operating system installs a patch.
17. The apparatus of claim 13, wherein the library-making directory further comprises new files generated in memory when different versions of legitimate software are each run independently in the target official operating system in a clean environment.
18. The apparatus of claim 13, wherein the library-making directory further comprises files of other official operating systems of different versions running in memory in a clean environment.
19. The apparatus of claim 18, wherein the library-making directory further comprises update files that run in memory in a clean environment after patches are installed on the other official operating systems.
20. The apparatus of claim 18, wherein the library-making directory further comprises new files generated in memory when different versions of legitimate software are each run independently in the other official operating systems in a clean environment.
21. A processing apparatus for a static security feature database, comprising:
an acquisition module, configured to acquire the files that an installed target official operating system runs in memory in a clean environment; and
a sending module, configured to upload the files to a library-building directory, the library-building directory comprising files of different versions of the target official operating system running in memory in a clean environment, so that a static security feature database is created from the Application Programming Interface (API) call sequences, corresponding to monitoring points, obtained by static disassembly analysis of the files in the library-building directory;
wherein the acquisition module is specifically configured to, after the target official operating system has been installed, install a driver, start each service item of the target official operating system and set it to start automatically, so as to acquire each process module file of the target official operating system while it runs in the clean environment;
store the file hash value and the file name and directory corresponding to each process module file in a file list;
and set a module-loading callback, and merge the dynamic module files loaded within a preset running time into the file list according to their corresponding file hash values and file names and directories.
22. The apparatus of claim 21,
wherein the sending module is specifically configured to store the corresponding files in the library-building directory according to the file hash values and the file names and directories in the file list.
23. The apparatus of claim 22,
wherein the sending module is further specifically configured to obtain each corresponding file according to the file hash value and the file name and directory in the file list;
and store the obtained files in the corresponding folders of the library-building directory according to the operating system version number, the operating system edition number and the current system bitness (32-bit or 64-bit) of the target official operating system.
24. The apparatus of claim 21,
wherein the sending module is specifically configured to upload a file to the library-building directory through the File Transfer Protocol (FTP) or the Secure File Transfer Protocol (SFTP) if the size of the file is greater than a preset threshold.
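The collection and storage pipeline of claims 21 to 24, written out as an added Python example. This is not code from the patent or from the applicant; the kernel-side pieces (the installed driver and the module-load callback) are stood in for by a plain list of module paths, and the record type, the choice of SHA-256 as the "file hash value", the folder names, the version/edition/bitness strings and the sample module files are all this example's assumptions.

```python
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path


# Hypothetical record for one entry of the "file list" in claim 21. The claims
# name a "file hash value" without fixing an algorithm; SHA-256 is assumed here.
@dataclass(frozen=True)
class FileRecord:
    sha256: str
    path: str  # file name together with the directory it was loaded from


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large modules need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_process_modules(module_paths) -> dict:
    """First pass of claim 21: hash every module file the running processes
    have loaded. Keyed by hash, so a byte-identical copy under a second path
    collapses onto one record (the first path seen is kept)."""
    records = {}
    for p in module_paths:
        digest = hash_file(Path(p))
        records.setdefault(digest, FileRecord(digest, str(p)))
    return records


def merge_load_events(records: dict, loaded_paths) -> int:
    """Second pass of claim 21: merge modules reported by the module-load
    callback during the preset running time. A path that no longer exists
    (module unloaded and deleted first) is skipped rather than crashing the
    collector. Returns the number of records added."""
    added = 0
    for p in loaded_paths:
        p = Path(p)
        if not p.is_file():
            continue
        digest = hash_file(p)
        if digest not in records:
            records[digest] = FileRecord(digest, str(p))
            added += 1
    return added


def library_folder(root, os_version: str, os_edition: str, bits: int) -> Path:
    """Folder layout of claim 23: version / edition / bitness under the
    library-building directory. The naming scheme is this example's choice."""
    return Path(root) / os_version / os_edition / f"{bits}bit"


def store_to_library(records: dict, root, os_version, os_edition, bits) -> list:
    """Claims 22 and 23: fetch each listed file by its recorded path and copy
    it, named by hash, into the matching folder of the library-building directory."""
    folder = library_folder(root, os_version, os_edition, bits)
    folder.mkdir(parents=True, exist_ok=True)
    stored = []
    for rec in records.values():
        src = Path(rec.path)
        dest = folder / f"{rec.sha256}_{src.name}"
        dest.write_bytes(src.read_bytes())
        stored.append(dest)
    return stored


def demo() -> dict:
    """Run the pipeline over a constructed, throw-away 'clean environment'.
    The module files hold a few bytes of made-up content, not real OS binaries."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32, sxs = Path(tmp) / "System32", Path(tmp) / "WinSxS"
        sys32.mkdir()
        sxs.mkdir()
        (sys32 / "example.dll").write_bytes(b"MZ constructed module A")
        (sys32 / "other.dll").write_bytes(b"MZ constructed module B")
        (sxs / "example.dll").write_bytes(b"MZ constructed module A")  # identical copy
        (sys32 / "late.dll").write_bytes(b"MZ constructed module C")  # loaded later only

        records = snapshot_process_modules(
            [sys32 / "example.dll", sys32 / "other.dll", sxs / "example.dll"])
        initial = len(records)  # the identical copy collapses onto one record
        # Constructed callback events: one new module, one already listed,
        # one path that vanished before collection.
        added = merge_load_events(
            records, [sys32 / "late.dll", sys32 / "other.dll", Path(tmp) / "gone.dll"])
        stored = store_to_library(
            records, Path(tmp) / "library", "10.0.19041", "Professional", 64)
        return {"initial": initial, "added": added, "stored": len(stored),
                "folder": stored[0].parent.relative_to(tmp).as_posix()}


if __name__ == "__main__":
    print(demo())
```

On the transport step of claim 24: the claim allows either FTP or SFTP for files over the threshold. Plain FTP carries credentials and file content in cleartext, so a corpus that is meant to be the trusted ground truth for "clean" features should go over SFTP (the SSH file transfer protocol, despite the expansion used in the claim) or another authenticated channel, and the receiving side should recompute the hash recorded in the file list before accepting an upload.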
25. A storage medium on which a computer program is stored, which program, when being executed by a processor, carries out the method of processing a static security feature database according to any one of claims 1 to 8.
26. A server comprising a storage medium, a processor and a computer program stored on the storage medium and executable on the processor, wherein the processor implements the processing method of the static security feature database according to any one of claims 1 to 8 when executing the program.
27. A storage medium on which a computer program is stored, which program, when being executed by a processor, carries out the method of processing a static security feature database according to any one of claims 9 to 12.
28. A client device comprising a storage medium, a processor and a computer program stored on the storage medium and executable on the processor, wherein the processor implements the processing method of the static security feature database according to any one of claims 9 to 12 when executing the program.
29. A system for processing a static security feature database, comprising: a server as claimed in claim 26 and a client device as claimed in claim 28.
CN201910755851.XA 2019-08-15 2019-08-15 Processing method, device and system for static security feature database Active CN112395602B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910755851.XA CN112395602B (en) 2019-08-15 2019-08-15 Processing method, device and system for static security feature database

Publications (2)

Publication Number Publication Date
CN112395602A CN112395602A (en) 2021-02-23
CN112395602B true CN112395602B (en) 2022-09-30

Family ID: 74601794

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910755851.XA Active CN112395602B (en) 2019-08-15 2019-08-15 Processing method, device and system for static security feature database

Country Status (1)

Country Link
CN (1) CN112395602B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101984450A (en) * 2010-12-15 2011-03-09 北京安天电子设备有限公司 Malicious code detection method and system
CN102034050A (en) * 2011-01-25 2011-04-27 四川大学 Dynamic malicious software detection method based on virtual machine and sensitive Native application programming interface (API) calling perception
CN104243214A (en) * 2014-09-28 2014-12-24 北京奇虎科技有限公司 Data processing method, device and system
CN105229661A (en) * 2013-07-31 2016-01-06 惠普发展公司,有限责任合伙企业 Malware is determined based on signal mark

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
CN101359352B (en) * 2008-09-25 2010-08-25 中国人民解放军信息工程大学 API use action discovering and malice deciding method after confusion of multi-tier synergism
EP2609537A1 (en) * 2010-08-26 2013-07-03 Verisign, Inc. Method and system for automatic detection and analysis of malware
CN109815701B (en) * 2018-12-29 2022-04-22 奇安信安全技术(珠海)有限公司 Software security detection method, client, system and storage medium

Non-Patent Citations (1)

Title
A detection method for malicious code on the Android platform and its *** implementation; Hu Wenjun et al.; Journal of Xi'an Jiaotong University (西安交通大学学报); 2013-07-03 (No. 10); pp. 38-39 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant