CN112612756A - Abnormal file repairing method, device, equipment and storage medium - Google Patents
- Publication number: CN112612756A (application CN202011522781.2A)
- Authority: CN (China)
- Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Classifications
- G06F16/16: File or folder operations, e.g. details of user interfaces specifically adapted to file systems (under G06F16/10, File systems; File servers)
- G06F16/148: File search processing (under G06F16/14, Details of searching files based on file metadata)
Abstract
The invention discloses a method, a device, equipment and a storage medium for repairing an abnormal file. The method comprises: obtaining file structure information corresponding to a file to be detected, and searching a preset abnormal rule base for a target abnormal rule that matches the file structure information; when the target abnormal rule exists, judging the file to be detected to be an abnormal file, acquiring the file repair algorithm corresponding to the target abnormal rule, and repairing the file to be detected according to that algorithm. Compared with the existing approach of identifying abnormal files through feature codes (signatures) and repairing them by looking up the corresponding healthy file, or its address, in a file database, the method and device decide from the file structure information whether the file to be detected triggers an abnormal rule, judge it abnormal if it does, and repair it with the file repair algorithm mapped to the triggered rule, which keeps abnormality identification accurate and raises the file repair rate.
Description
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method, an apparatus, a device, and a storage medium for repairing an abnormal file.
Background
In daily work a security analyst processes unknown files with analysis tools. Some malware authors, knowing the logic by which an analysis tool parses a sample, deliberately introduce anomalies when building a file so that the tool fails to parse it. The analyst can then easily misjudge the file as invalid, which seriously affects the efficiency and accuracy of judging unknown samples.
The current mainstream detection technology for abnormal files identifies them through abnormal feature codes (signatures): a batch of known abnormal files is collected and classified, abnormal signatures are extracted from them, and the data of a target file is queried and matched against the signature database to decide whether it contains an anomaly. Meanwhile, the prior art repairs an abnormal file mainly by looking up the corresponding healthy file, or the address of that healthy file, in a file database and returning it to the user. This matching and repair approach depends heavily on the breadth of the abnormal signature database; the adaptability and flexibility of abnormal file detection are low, the repair rate is low, and a large amount of time, manpower and material resources are consumed.
The above is only for the purpose of assisting understanding of the technical aspects of the present invention, and does not represent an admission that the above is prior art.
Disclosure of Invention
The invention mainly aims to provide a method, a device, equipment and a storage medium for repairing an abnormal file, so as to solve the technical problems of the prior art: when an abnormal file is detected and repaired, detection adaptability and flexibility are low, the approach depends heavily on the breadth of the abnormal signature database, and the repair rate is low.
In order to achieve the above object, the present invention provides a method for repairing an abnormal file, including the following steps:
acquiring file structure information corresponding to a file to be detected;
searching whether a target abnormal rule matched with the file structure information exists in a preset abnormal rule base;
when the target abnormal rule exists, judging the file to be detected as an abnormal file, and acquiring a file repair algorithm corresponding to the target abnormal rule;
and repairing the file to be detected according to the file repairing algorithm.
Optionally, the step of obtaining the file structure information corresponding to the file to be detected includes:
acquiring a target file format corresponding to a file to be detected;
and acquiring file structure information corresponding to the file to be detected according to the target file format.
Optionally, the file structure information includes: a file structure characteristic;
the step of searching whether a target abnormal rule matched with the file structure information exists in a preset abnormal rule base comprises the following steps:
and searching whether a target abnormal rule matched with the file structure characteristic exists in a preset abnormal rule base.
Optionally, the step of obtaining the file structure information corresponding to the file to be detected according to the target file format includes:
determining a target file feature extraction module according to the target file format;
and scanning the structural characteristics of the file to be detected through the target file characteristic extraction module to obtain the structural characteristics of the file.
Optionally, the step of repairing the file to be detected according to the file repair algorithm includes:
determining file abnormal data corresponding to the file to be detected according to the target abnormal rule;
and repairing the abnormal file data according to the file repairing algorithm.
Optionally, the step of determining the file abnormal data corresponding to the file to be detected according to the target abnormal rule includes:
determining a file abnormal point and a file abnormal value corresponding to the file to be detected according to the target abnormal rule;
and taking the file abnormal point and the file abnormal value as file abnormal data.
Optionally, before the step of obtaining the file structure information corresponding to the file to be detected, the method further includes:
reading a history abnormal file set, and acquiring a file format corresponding to each abnormal file in the history abnormal file set;
classifying the abnormal files in the historical abnormal file set according to the acquired file format to obtain a classified abnormal file set;
and analyzing the abnormal files of different categories in the classified abnormal file set, and constructing a preset abnormal rule base according to an analysis result.
Optionally, after the step of analyzing the different types of abnormal files in the classified abnormal file set and constructing a preset abnormal rule base according to an analysis result, the method further includes:
configuring a corresponding file repair algorithm for each abnormal rule stored in the preset abnormal rule base according to the analysis result;
and constructing a repair algorithm library according to the configured file repair algorithm.
Optionally, the step of analyzing the abnormal files of different categories in the classified abnormal file set and constructing a preset abnormal rule base according to an analysis result includes:
acquiring file structures and file characteristics of different types of abnormal files in the classified abnormal file set;
acquiring abnormal information generated by the different types of abnormal files in the file analysis process;
and generating corresponding abnormal rules according to the file structure, the file characteristics and the abnormal information, and constructing a preset abnormal rule base according to the abnormal rules.
Optionally, the step of generating a corresponding exception rule according to the file structure, the file characteristics, and the exception information, and constructing a preset exception rule base according to the exception rule includes:
determining the abnormal type of each type of abnormal file according to the abnormal information;
and establishing an abnormal rule according to the file structure, the file characteristics and the abnormal type, and establishing a preset abnormal rule base according to the abnormal rule.
Optionally, the step of obtaining the file repair algorithm corresponding to the target exception rule includes:
acquiring a rule identifier corresponding to the target abnormal rule;
and searching a corresponding file repair algorithm in a preset mapping relation according to the rule identifier, wherein the preset mapping relation stores a direct corresponding relation between the rule identifier and the file repair algorithm.
In addition, in order to achieve the above object, the present invention further provides a device for repairing the abnormal file, including:
the information acquisition module is used for acquiring file structure information corresponding to the file to be detected;
the rule matching module is used for searching whether a target abnormal rule matched with the file structure information exists in a preset abnormal rule base;
the algorithm matching module is used for judging the file to be detected as an abnormal file when the target abnormal rule exists and acquiring a file repair algorithm corresponding to the target abnormal rule;
and the file repairing module is used for repairing the file to be detected according to the file repairing algorithm.
Optionally, the information obtaining module is further configured to obtain a target file format corresponding to the file to be detected; and acquiring file structure information corresponding to the file to be detected according to the target file format.
Optionally, the file structure information includes: a file structure characteristic; the rule matching module is also used for searching whether a target abnormal rule matched with the file structure characteristic exists in a preset abnormal rule base.
Optionally, the information obtaining module is further configured to determine a target file feature extraction module according to the target file format; and scanning the structural characteristics of the file to be detected through the target file characteristic extraction module to obtain the structural characteristics of the file.
Optionally, the file repairing module is configured to determine, according to the target exception rule, file exception data corresponding to the file to be detected; and repairing the abnormal file data according to the file repairing algorithm.
Optionally, the file repairing module is further configured to determine a file abnormal point and a file abnormal value corresponding to the file to be detected according to the target abnormal rule; and taking the file abnormal point and the file abnormal value as file abnormal data.
Optionally, the apparatus for repairing the abnormal file further includes: a rule base construction module; the rule base building module is used for reading a historical abnormal file set and acquiring a file format corresponding to each abnormal file in the historical abnormal file set; classifying the abnormal files in the historical abnormal file set according to the acquired file format to obtain a classified abnormal file set; and analyzing the abnormal files of different categories in the classified abnormal file set, and constructing a preset abnormal rule base according to an analysis result.
In addition, in order to achieve the above object, the present invention further provides an abnormal file repairing apparatus, including: the system comprises a memory, a processor and a repairing program of the abnormal file stored on the memory and capable of running on the processor, wherein the repairing program of the abnormal file is configured to realize the steps of the repairing method of the abnormal file.
In addition, in order to achieve the above object, the present invention further provides a storage medium, on which a repairing program of an abnormal file is stored, wherein the repairing program of the abnormal file, when executed by a processor, implements the steps of the repairing method of the abnormal file as described above.
The method comprises the steps of obtaining file structure information corresponding to a file to be detected, and searching whether a target abnormal rule matched with the file structure information exists in a preset abnormal rule base; and when the target abnormal rule exists, judging the file to be detected as an abnormal file, acquiring a file repair algorithm corresponding to the target abnormal rule, and repairing the file to be detected according to the file repair algorithm. Compared with the existing method of identifying or detecting abnormal files through feature codes and repairing files by searching corresponding health files or address information of the health files in a file database, the method and the device judge whether the files to be detected trigger abnormal rules or not through file structure information, judge whether the files to be detected are abnormal or not if the files to be detected trigger the abnormal rules, and acquire corresponding file repairing algorithms according to the triggered abnormal rules to repair the files, so that the accuracy of abnormal identification is guaranteed, and the file repairing rate is improved.
Drawings
Fig. 1 is a schematic structural diagram of a device for repairing an exception file of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a method for repairing an abnormal file according to a first embodiment of the present invention;
FIG. 3 is a flowchart illustrating a method for repairing an abnormal file according to a second embodiment of the present invention;
FIG. 4 is a flowchart illustrating a method for repairing an abnormal file according to a third embodiment of the present invention;
fig. 5 is a block diagram of the abnormal file repair apparatus according to the first embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a device for repairing an exception file in a hardware operating environment according to an embodiment of the present invention.
As shown in fig. 1, the apparatus for repairing the exception file may include: a processor 1001, such as a Central Processing Unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 enables communication between these components. The user interface 1003 may include a display screen and an input unit such as a keyboard, and may optionally also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a Wi-Fi interface). The memory 1005 may be a Random Access Memory (RAM) or a Non-Volatile Memory (NVM) such as disk storage, and may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the configuration shown in FIG. 1 does not constitute a limitation of the anomaly file repair apparatus, and may include more or fewer components than shown, or some components in combination, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a storage medium, may include therein an operating system, a data storage module, a network communication module, a user interface module, and a repair program of an exception file.
In the restoration apparatus of an abnormal file shown in fig. 1, the network interface 1004 is mainly used for data communication with a network server; the user interface 1003 is mainly used for data interaction with a user; the processor 1001 and the memory 1005 in the device for repairing an abnormal file according to the present invention may be provided in the device for repairing an abnormal file, and the device for repairing an abnormal file calls a program for repairing an abnormal file stored in the memory 1005 through the processor 1001 and executes the method for repairing an abnormal file according to the embodiment of the present invention.
An embodiment of the present invention provides a method for repairing an abnormal file, and referring to fig. 2, fig. 2 is a schematic flow diagram of a first embodiment of the method for repairing an abnormal file according to the present invention.
In this embodiment, the method for repairing an abnormal file includes the following steps:
step S10: acquiring file structure information corresponding to a file to be detected;
It should be noted that the execution subject of the method of this embodiment may be a computing service device with data processing, network communication and program execution functions, such as a smartphone, tablet computer or personal computer, or any other device capable of implementing abnormal file repair. This embodiment and the following ones are described taking a file repair device as an example.
In this embodiment, the file structure information may be file characteristics, file structures and/or other data that can represent various attributes or characteristics of the file corresponding to the file to be detected, such as types, attributes, physical structures (storage structures of the file), logical structures (organization forms of the file), and the like of the file.
In a specific implementation, the file repair device may analyze the file to be detected, and then obtain corresponding file structure information according to an analysis result.
Step S20: searching whether a target abnormal rule matched with the file structure information exists in a preset abnormal rule base;
it should be noted that the preset exception rule base may be a database containing many exception rules. The exception rule may be a standard configured by a developer for determining file exceptions for different types of exception files according to an exception condition or rule (e.g., an offset exception, a size exception, or another exception that is often likely to occur) of a file that once caused the file analysis tool to be abnormal.
In practical application, the abnormal rule corresponding to each type of abnormal file may be associated with the file structure information of that abnormal file, for example through a mapping table or key-value pairs between abnormal rules and file structure information, so that the file repair device can subsequently obtain the abnormal rule corresponding to given file structure information directly through that association.
Further, in order to facilitate configuration of the exception rules of each type of exception file, in practical applications, different exception files may be classified according to file formats, and then a corresponding exception rule may be configured for each type of exception file according to the exception condition of each type of exception file. Therefore, as an implementation manner, the step S10 in this embodiment can be specifically subdivided into:
step S101: acquiring a target file format corresponding to a file to be detected;
step S102: and acquiring file structure information corresponding to the file to be detected according to the target file format.
It is understood that the file format (or file type) is the particular encoding a terminal uses to store information, for example the PE, ELF or Mach-O formats. In general, files in the same file format share most of their file structure information and differ mainly in content, so in this embodiment the file format of each abnormal file may also be associated in advance with its file structure information, letting the file repair device accurately and quickly acquire the file structure information of the file to be detected once it has obtained that file's format, i.e. the target file format.
Further, it is considered that some redundant information may exist in the file structure information, and the redundant information may not be used when the target abnormal rule matching is performed, and conversely, if too much redundant information is used, the overall repair efficiency of the file repair device when repairing the abnormal file is also reduced. Therefore, in the embodiment, the file repair device can acquire the file structure characteristics (which may be composed of the file characteristics and/or the file structure) from the file structure information, and then search whether the target exception rule matched with the file structure characteristics exists in the preset exception rule base, so that the target exception rule can be quickly acquired, and the file repair efficiency is improved.
In practical applications, in order to accurately obtain the structural features of the file, in this embodiment, corresponding file feature extraction modules may be configured in advance for files of different file formats, and these file feature extraction modules may be pre-programmed programs or components, and are used to scan the structural features of the file to obtain the structural features of the file. Specifically, the file repair device may determine a target file feature extraction module according to the target file format; and then, carrying out structural feature scanning on the file to be detected through the target file feature extraction module to obtain file structural features.
Step S30: when the target abnormal rule exists, judging the file to be detected as an abnormal file, and acquiring a file repair algorithm corresponding to the target abnormal rule;
It should be noted that the file repair algorithm may be a file repair rule configured in advance for each file exception rule. For example, the repair algorithm configured for an ELF file with an abnormal section header table may locate the PT_DYNAMIC segment (dynamic linking information) through the program header table and then parse the dynamic section it contains to repair the file, the main repair targets being the .init_array, .fini_array, .hash, .preinit_array, .dynstr, .got, .dynsym, .ARM.extab, .ARM.exidx, .dynamic, .data, .text and .bss sections.
In practical application, when the file repair device finds the target abnormal rule in the preset abnormal rule base according to the file structure information or the file structure characteristics in the file structure information, it can be determined that the file to be detected belongs to the abnormal file and the subsequent repair operation needs to be executed, and at this time, the file repair device can obtain the corresponding file repair algorithm according to the successfully matched target abnormal rule.
Further, in order to improve the search speed of the file repair algorithm, in this embodiment, a mapping relationship between a rule identifier (e.g., a rule name and a number) of an abnormal rule and the file repair algorithm corresponding to the abnormal rule may be established in the file repair device. Correspondingly, when the file repair device searches for a file repair algorithm, the rule identification corresponding to the target abnormal rule can be obtained firstly; and then searching a corresponding file repair algorithm in a preset mapping relation according to the rule identifier, wherein the preset mapping relation stores a direct corresponding relation between the rule identifier and the file repair algorithm.
Step S40: and repairing the file to be detected according to the file repairing algorithm.
In a specific implementation, after the file repair device obtains the file repair algorithm, the file to be detected which is determined as the abnormal file can be repaired according to the algorithm, and a finally repaired file is obtained.
In the embodiment, file structure information corresponding to a file to be detected is obtained, and then whether a target abnormal rule matched with the file structure information exists is searched in a preset abnormal rule base; and when the target abnormal rule exists, judging the file to be detected as an abnormal file, acquiring a file repair algorithm corresponding to the target abnormal rule, and repairing the file to be detected according to the file repair algorithm. Compared with the existing method of identifying or detecting abnormal files through feature codes and searching corresponding healthy files or address information of the healthy files in a file database to repair files, the embodiment judges whether the files to be detected trigger abnormal rules or not through file structure information, if so, judges that the files to be detected are abnormal, and repairs the files according to file repair algorithms corresponding to the triggered abnormal rules, so that the accuracy of abnormal identification is guaranteed, and the file repair rate is improved.
Referring to fig. 3, fig. 3 is a flowchart illustrating a method for repairing an abnormal file according to a second embodiment of the present invention.
Based on the first embodiment described above, in the present embodiment, the step S40 includes:
step S401: determining file abnormal data corresponding to the file to be detected according to the target abnormal rule;
It should be noted that the file exception data may be the exception data matching a target exception rule; for example, in an ELF file, the file exception data matching the abnormal section header table rule consists of the file exception point and/or exception value found in the PT_DYNAMIC (dynamic linking information) segment.
In practical application, the file repair device may determine the file abnormal data corresponding to the file to be detected according to the target abnormal rule.
Further, in consideration of the fact that abnormal file data in the same file format have certain commonalities, the abnormal file data can be quickly determined or obtained according to the commonalities. Specifically, the file repair device may determine a file exception point and a file exception value corresponding to the file to be detected according to the target exception rule; and then taking the file abnormal point and the file abnormal value as file abnormal data.
It should be understood that the file exception point may be a location where an exception occurs or data where an exception exists, and the file exception value may be an exception field corresponding to the exception data.
Step S402: and repairing the abnormal file data according to the file repairing algorithm.
In a specific implementation, after determining the file abnormal data in the file to be detected, the file repair device can repair the file abnormal data according to a file repair algorithm.
The present embodiment and the first embodiment described above will be described below with reference to specific examples.
For example, suppose a file to be detected is an ELF file in which both the offset of the section header table and the number of section header entries have been deliberately destroyed, so that a file analysis tool that parses ELF files through the section header table cannot identify the file normally and a malicious file detection tool cannot accurately judge whether it is malicious. In practice, readelf -S (a file information reading tool) cannot display correct section header table information and IDA Pro (an interactive disassembler) cannot correctly parse the section header table. When this ELF file is input to the file repair device, the device first identifies the file format as ELF, determines that the target file feature extraction module should be the ELF file feature extraction module, scans the file structure features with that module, searches the preset abnormal rule base for the target abnormal rule corresponding to those features, determines that the target abnormal rule is the "abnormal section header table" rule, judges the ELF file to be an abnormal file, and records the corresponding file abnormal data.
Then, according to the hit abnormal rule, determining that the repair algorithm adopts an abnormal section head table, and finally positioning a PT _ DYNAMIC (DYNAMIC Link information) section by a program head, wherein the section comprises a DYNAMIC section, and analyzing the section to the following important sections of the abnormal file: init _ array,. fini _ array,. hash,. preinit _ array,. dynastr,. got,. dynam,. arm.extab,. arm.exidx,. dynamic,. data,. text,. bss, etc. are repaired to generate a new repaired file.
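The ELF case above, as an added example that is not part of the patent: a Python script that extracts the section header table fields, applies an "abnormal section header table" rule that records the file exception point (field and header offset) and exception value, locates PT_DYNAMIC through the program header table and reads the dynamic tags a section rebuild would start from. The ELF64 image is constructed in memory, and the final header normalization is a conservative stand-in (an assumption of this example) for the patent's full section reconstruction.

```python
import struct

# ELF64 constants and layouts from the ELF specification (little-endian)
ELF_MAGIC, ELFCLASS64, PT_DYNAMIC = b"\x7fELF", 2, 2
EHDR_FMT, PHDR_FMT, DYN_FMT = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"
EHDR_SIZE, PHDR_SIZE, DYN_SIZE = 64, 56, 16
OFF_SHOFF, OFF_SHNUM, OFF_SHSTRNDX = 40, 60, 62   # field offsets in Elf64_Ehdr
DT_NAMES = {4: "DT_HASH", 5: "DT_STRTAB", 6: "DT_SYMTAB", 25: "DT_INIT_ARRAY",
            26: "DT_FINI_ARRAY", 32: "DT_PREINIT_ARRAY"}


def extract_features(data: bytes) -> dict:
    """Feature extraction: header fields for the section/program header tables."""
    if len(data) < EHDR_SIZE or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64:
        raise ValueError("this example only handles ELF64")
    f = struct.unpack(EHDR_FMT, data[:EHDR_SIZE])
    return {"file_size": len(data), "e_phoff": f[5], "e_shoff": f[6],
            "e_phentsize": f[9], "e_phnum": f[10], "e_shentsize": f[11],
            "e_shnum": f[12], "e_shstrndx": f[13]}


def match_abnormal_shdr_rule(feat: dict) -> list:
    """Rule 'abnormal section header table': returns file exception data as
    (exception point = field name and header offset, exception value)."""
    size, shoff, shnum = feat["file_size"], feat["e_shoff"], feat["e_shnum"]
    shentsize = feat["e_shentsize"] or 64         # 0 means unknown; assume 64
    hits = []
    if shoff != 0 and shoff >= size:              # table starts past EOF
        hits.append(("e_shoff", OFF_SHOFF, shoff))
    if shnum != 0 and (shoff == 0 or shoff + shnum * shentsize > size):
        hits.append(("e_shnum", OFF_SHNUM, shnum))  # entries do not fit
    return hits


def find_dynamic_segment(data: bytes, feat: dict):
    """Repair step from the page: locate PT_DYNAMIC through the program
    header table, which the corruption did not touch."""
    phoff, phnum, size = feat["e_phoff"], feat["e_phnum"], feat["file_size"]
    if feat["e_phentsize"] != PHDR_SIZE or phoff + phnum * PHDR_SIZE > size:
        return None
    for off in range(phoff, phoff + phnum * PHDR_SIZE, PHDR_SIZE):
        p_type, _, p_off, _, _, p_filesz, _, _ = struct.unpack(
            PHDR_FMT, data[off:off + PHDR_SIZE])
        if p_type == PT_DYNAMIC and p_off + p_filesz <= size:
            return p_off, p_filesz
    return None


def parse_dynamic_tags(data: bytes, offset: int, size: int) -> dict:
    """Walk Elf64_Dyn entries up to DT_NULL; their values are the addresses of
    .hash, .dynstr, .init_array, ... that a section rebuild starts from."""
    tags = {}
    for off in range(offset, offset + size - DYN_SIZE + 1, DYN_SIZE):
        d_tag, d_val = struct.unpack(DYN_FMT, data[off:off + DYN_SIZE])
        if d_tag == 0:
            break
        tags[DT_NAMES.get(d_tag, "DT_%#x" % d_tag)] = d_val
    return tags


def neutralize_section_headers(data: bytes) -> bytes:
    """Conservative repair used here (an assumption, not the page's full
    rebuild): clear the shdr fields so parsers see 'no section headers'."""
    hdr = bytearray(data[:EHDR_SIZE])
    struct.pack_into("<Q", hdr, OFF_SHOFF, 0)
    struct.pack_into("<H", hdr, OFF_SHNUM, 0)
    struct.pack_into("<H", hdr, OFF_SHSTRNDX, 0)
    return bytes(hdr) + data[EHDR_SIZE:]


def detect_and_repair(data: bytes) -> dict:
    """ELF pipeline: features -> rule -> exception data -> repair by the hit rule."""
    feat = extract_features(data)
    hits = match_abnormal_shdr_rule(feat)
    result = {"abnormal": bool(hits), "exception_data": hits,
              "dynamic_tags": {}, "repaired": None}
    if hits:
        seg = find_dynamic_segment(data, feat)
        if seg is not None:
            result["dynamic_tags"] = parse_dynamic_tags(data, *seg)
        result["repaired"] = neutralize_section_headers(data)
    return result


def build_sample_elf() -> bytes:
    """Constructed ELF64 image (not a real binary): e_shoff=0xDEADBEEF, e_shnum=0xFFFF."""
    dyn_off = EHDR_SIZE + 2 * PHDR_SIZE                       # 176
    dyn = b"".join(struct.pack(DYN_FMT, t, v) for t, v in
                   [(4, 0x1000), (5, 0x2000), (0, 0)])        # ends with DT_NULL
    total = dyn_off + len(dyn)                                # 224
    ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0, 0]) + b"\0" * 7
    ehdr = struct.pack(EHDR_FMT, ident, 3, 0xB7, 1, 0x1000, EHDR_SIZE,
                       0xDEADBEEF, 0, EHDR_SIZE, PHDR_SIZE, 2, 64, 0xFFFF, 0)
    ph_load = struct.pack(PHDR_FMT, 1, 5, 0, 0, 0, total, total, 0x1000)
    ph_dyn = struct.pack(PHDR_FMT, PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                         len(dyn), len(dyn), 8)
    return ehdr + ph_load + ph_dyn + dyn
```

Running `detect_and_repair(build_sample_elf())` reports both header fields as exception points and recovers DT_HASH and DT_STRTAB from the intact dynamic segment.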
According to the method and the device, the abnormal rule triggered by the abnormal file is determined firstly, and then the corresponding file repair algorithm is obtained according to the abnormal rule to repair the abnormal data of the file, so that the efficiency and the success rate of file repair are ensured.
Referring to fig. 4, fig. 4 is a flowchart illustrating a method for repairing an abnormal file according to a third embodiment of the present invention.
Based on the foregoing embodiments, in this embodiment, before the step S10, the method further includes:
step S01: reading a history abnormal file set, and acquiring a file format corresponding to each abnormal file in the history abnormal file set;
It should be noted that, in order to ensure that the abnormal rules of the previously constructed abnormal rule base have higher accuracy and breadth and cover the abnormalities of abnormal files in each file format, the file repair device in this embodiment may further obtain various historical abnormal files, that is, the historical abnormal file set, by means of big data analysis.
In a specific implementation, after reading the history abnormal file set, the file repair device may obtain the file format corresponding to each abnormal file in the set, such as PE, ELF, and Mach-O (Mach object).
Step S02: classifying the abnormal files in the historical abnormal file set according to the acquired file format to obtain a classified abnormal file set;
It should be understood that, considering that abnormal situations of abnormal files in different file formats may be different, but the abnormal situations of abnormal files in the same file format mostly have a certain commonality, the abnormal files in the history abnormal file set are preliminarily classified according to the file format, and then the classified abnormal files (sets) are analyzed, so that the analysis efficiency can be improved, and the accuracy of the analysis result can also be ensured.
In a specific implementation, the file repair device may classify the abnormal files in the history abnormal file set according to the acquired file format, and acquire a classified abnormal file set.
Of course, the classification criterion of the abnormal file in the present embodiment is not limited to the file format, and may be performed according to other criteria (for example, the attribute and the size of the file). Further, in this embodiment, after the classification is performed according to the file format, the classified file may be further subdivided, for example, secondary classification is performed according to the size of the file, and the like, which is not limited in this embodiment.
Step S03: analyzing the abnormal files of different categories in the classified abnormal file set, and constructing a preset abnormal rule base according to an analysis result.
In a specific implementation, after the file repair device obtains the classified abnormal file set, the file repair device may analyze the abnormal files of different classes in the set, and then construct an abnormal rule base according to an analysis result, that is, the preset abnormal rule base. In this embodiment, the analyzing of the abnormal file may be analyzing an association relationship between various information of the abnormal file, such as a file structure, a file characteristic, an attribute, and a size, and the abnormal information, and then defining a corresponding abnormal rule according to the association relationship.
Further, in order to ensure that the generated abnormal rule has strong pertinence, in the embodiment, the file repair device may first obtain file structures and file features of different types of abnormal files in the classified abnormal file set; then obtaining abnormal information generated by the abnormal files of different types in the file analysis process; and generating corresponding abnormal rules according to the file structure, the file characteristics and the abnormal information, and constructing a preset abnormal rule base according to the abnormal rules.
It should be noted that the abnormal information generated in the file analysis process can be provided by a file analysis tool, and compared with a manual analysis mode, the speed of acquiring the abnormal information is increased, and the labor cost is reduced.
Further, in order to ensure that the generated exception rule has higher accuracy, in this embodiment, when the file repair device constructs the exception rule, it may also construct the exception rule according to the exception type to which the exception file belongs. Specifically, the file repair device may determine, according to the exception information, an exception type to which each category of exception file belongs; and then establish an abnormal rule according to the file structure, the file characteristics and the abnormal type, and establish a preset abnormal rule base according to the abnormal rule.
The exception type may be divided according to the attribute of the exception, for example, the exception may be divided into an offset exception, a size exception, and the like according to the attribute.
Step S04: configuring a corresponding file repair algorithm for each abnormal rule stored in the preset abnormal rule base according to the analysis result;
It should be understood that, after the analysis result is obtained, the file repair device may further configure, according to the analysis result, a file repair algorithm capable of repairing the corresponding file for each abnormal rule stored in the preset abnormal rule base.
Step S05: constructing a repair algorithm library according to the configured file repair algorithm.
In a specific implementation, the file repair device may construct a repair algorithm library according to the obtained file repair algorithm. In this embodiment, the algorithms stored in the repair algorithm library can be updated, added, and deleted according to actual requirements, so as to ensure the breadth of the repair algorithm library.
In the embodiment, a history abnormal file set is read, and a file format corresponding to each abnormal file in the history abnormal file set is obtained; then classifying the abnormal files in the historical abnormal file set according to the acquired file format to acquire a classified abnormal file set; and then, the classified abnormal files are analyzed in different categories, and a preset abnormal rule base is constructed according to the analysis result, so that the reliability of the constructed abnormal rule base is ensured, and an effective detection basis is provided for the detection of the subsequent abnormal files.
In addition, an embodiment of the present invention further provides a storage medium, where a repairing program of an abnormal file is stored on the storage medium, and when executed by a processor, the repairing program of the abnormal file implements the steps of the repairing method of the abnormal file as described above.
Referring to fig. 5, fig. 5 is a block diagram of a first embodiment of the apparatus for repairing an abnormal file according to the present invention.
As shown in fig. 5, the apparatus for repairing an abnormal file according to an embodiment of the present invention includes:
the information obtaining module 501 is configured to obtain file structure information corresponding to a file to be detected;
a rule matching module 502, configured to search, in a preset exception rule base, whether a target exception rule matching the file structure information exists;
the algorithm matching module 503 is configured to, when the target exception rule exists, determine that the file to be detected is an exception file, and obtain a file repair algorithm corresponding to the target exception rule;
and the file repair module 504 is configured to repair the file to be detected according to the file repair algorithm.
In the embodiment, file structure information corresponding to a file to be detected is obtained, and then whether a target abnormal rule matched with the file structure information exists is searched in a preset abnormal rule base; and when the target abnormal rule exists, judging the file to be detected as an abnormal file, acquiring a file repair algorithm corresponding to the target abnormal rule, and repairing the file to be detected according to the file repair algorithm. Compared with the existing method of identifying or detecting abnormal files through feature codes and searching corresponding healthy files or address information of the healthy files in a file database to repair files, the embodiment judges whether the files to be detected trigger abnormal rules or not through file structure information, if so, judges that the files to be detected are abnormal, and repairs the files according to file repair algorithms corresponding to the triggered abnormal rules, so that the accuracy of abnormal identification is guaranteed, and the file repair rate is improved.
Based on the first embodiment of the apparatus for restoring an abnormal file according to the present invention, a second embodiment of the apparatus for restoring an abnormal file according to the present invention is provided.
In this embodiment, the information obtaining module 501 is further configured to obtain a target file format corresponding to a file to be detected; and acquiring file structure information corresponding to the file to be detected according to the target file format.
Further, the file structure information includes: a file structure characteristic; the rule matching module 502 is further configured to search, in a preset exception rule base, whether a target exception rule matching the file structure feature exists.
Further, the information obtaining module 501 is further configured to determine a target file feature extraction module according to the target file format; and scanning the structural characteristics of the file to be detected through the target file characteristic extraction module to obtain the structural characteristics of the file.
Further, the file repair module 504 is configured to determine, according to the target exception rule, file exception data corresponding to the file to be detected; and repairing the abnormal file data according to the file repairing algorithm.
Further, the file repair module 504 is further configured to determine a file exception point and a file exception value corresponding to the file to be detected according to the target exception rule; and taking the file abnormal point and the file abnormal value as file abnormal data.
Further, the apparatus for repairing the abnormal file further includes: a rule base construction module; the rule base building module is used for reading a historical abnormal file set and acquiring a file format corresponding to each abnormal file in the historical abnormal file set; classifying the abnormal files in the historical abnormal file set according to the acquired file format to obtain a classified abnormal file set; and analyzing the abnormal files of different categories in the classified abnormal file set, and constructing a preset abnormal rule base according to an analysis result.
Further, the apparatus for repairing the abnormal file further includes: an algorithm library construction module; the algorithm library construction module is used for configuring a corresponding file repair algorithm for each abnormal rule stored in the preset abnormal rule library according to the analysis result; and constructing a repair algorithm library according to the configured file repair algorithm.
Further, the rule base building module is further configured to obtain file structures and file features of different classes of abnormal files in the classified abnormal file set; acquiring abnormal information generated by the different types of abnormal files in the file analysis process; and generating corresponding abnormal rules according to the file structure, the file characteristics and the abnormal information, and constructing a preset abnormal rule base according to the abnormal rules.
Further, the rule base building module is further configured to determine an exception type to which the exception file of each category belongs according to the exception information; and establishing an abnormal rule according to the file structure, the file characteristics and the abnormal type, and establishing a preset abnormal rule base according to the abnormal rule.
Further, the algorithm matching module 503 is further configured to obtain a rule identifier corresponding to the target exception rule; and searching a corresponding file repair algorithm in a preset mapping relation according to the rule identifier, wherein the preset mapping relation stores a direct corresponding relation between the rule identifier and the file repair algorithm.
Other embodiments or specific implementation manners of the apparatus for repairing an abnormal file according to the present invention may refer to the above method embodiments, and are not described herein again.
The invention provides A1. A method for repairing an abnormal file, which comprises the following steps:
acquiring file structure information corresponding to a file to be detected;
searching whether a target abnormal rule matched with the file structure information exists in a preset abnormal rule base;
when the target abnormal rule exists, judging the file to be detected as an abnormal file, and acquiring a file repair algorithm corresponding to the target abnormal rule;
and repairing the file to be detected according to the file repairing algorithm.
A2, the method for repairing the abnormal file according to claim A1, wherein the step of obtaining the file structure information corresponding to the file to be detected includes:
acquiring a target file format corresponding to a file to be detected;
and acquiring file structure information corresponding to the file to be detected according to the target file format.
A3, the method for repairing the abnormal file according to claim A2, wherein the file structure information includes: a file structure characteristic;
the step of searching whether a target abnormal rule matched with the file structure information exists in a preset abnormal rule base comprises the following steps:
and searching whether a target abnormal rule matched with the file structure characteristic exists in a preset abnormal rule base.
A4, the method for repairing the abnormal file according to claim A3, wherein the step of obtaining the file structure information corresponding to the file to be detected according to the target file format includes:
determining a target file feature extraction module according to the target file format;
and scanning the structural characteristics of the file to be detected through the target file characteristic extraction module to obtain the structural characteristics of the file.
A5, the method for repairing the abnormal file according to claim A1, wherein the step of repairing the file to be detected according to the file repairing algorithm comprises:
determining file abnormal data corresponding to the file to be detected according to the target abnormal rule;
and repairing the abnormal file data according to the file repairing algorithm.
A6, the method for repairing the abnormal file according to claim A5, wherein the step of determining the abnormal file data corresponding to the file to be detected according to the target abnormal rule includes:
determining a file abnormal point and a file abnormal value corresponding to the file to be detected according to the target abnormal rule;
and taking the file abnormal point and the file abnormal value as file abnormal data.
A7, the method for repairing abnormal file as claimed in claim A1, wherein before the step of obtaining the file structure information corresponding to the file to be detected, the method further comprises:
reading a history abnormal file set, and acquiring a file format corresponding to each abnormal file in the history abnormal file set;
classifying the abnormal files in the historical abnormal file set according to the acquired file format to obtain a classified abnormal file set;
and analyzing the abnormal files of different categories in the classified abnormal file set, and constructing a preset abnormal rule base according to an analysis result.
A8, the method for repairing abnormal files according to claim A7, wherein after the step of analyzing the abnormal files of different categories in the classified abnormal file set and building a preset abnormal rule base according to the analysis result, the method further comprises:
configuring a corresponding file repair algorithm for each abnormal rule stored in the preset abnormal rule base according to the analysis result;
and constructing a repair algorithm library according to the configured file repair algorithm.
A9, the method for repairing abnormal files according to claim A7, wherein the step of analyzing the abnormal files of different categories in the classified abnormal file set and constructing a preset abnormal rule base according to the analysis result comprises:
acquiring file structures and file characteristics of different types of abnormal files in the classified abnormal file set;
acquiring abnormal information generated by the different types of abnormal files in the file analysis process;
and generating corresponding abnormal rules according to the file structure, the file characteristics and the abnormal information, and constructing a preset abnormal rule base according to the abnormal rules.
A10, the method for repairing the abnormal file according to claim A9, wherein the step of generating the corresponding abnormal rule according to the file structure, the file characteristics and the abnormal information, and constructing the preset abnormal rule base according to the abnormal rule comprises:
determining the abnormal type of each type of abnormal file according to the abnormal information;
and establishing an abnormal rule according to the file structure, the file characteristics and the abnormal type, and establishing a preset abnormal rule base according to the abnormal rule.
A11, the method for repairing the abnormal file according to claim A1, wherein the step of obtaining the file repair algorithm corresponding to the target abnormal rule comprises:
acquiring a rule identifier corresponding to the target abnormal rule;
and searching a corresponding file repair algorithm in a preset mapping relation according to the rule identifier, wherein the preset mapping relation stores a direct corresponding relation between the rule identifier and the file repair algorithm.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., a rom/ram, a magnetic disk, an optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.
Claims (10)
1. A method for repairing an abnormal file is characterized by comprising the following steps:
acquiring file structure information corresponding to a file to be detected;
searching whether a target abnormal rule matched with the file structure information exists in a preset abnormal rule base;
when the target abnormal rule exists, judging the file to be detected as an abnormal file, and acquiring a file repair algorithm corresponding to the target abnormal rule;
and repairing the file to be detected according to the file repairing algorithm.
2. The method for repairing an abnormal file according to claim 1, wherein the step of obtaining the file structure information corresponding to the file to be detected comprises:
acquiring a target file format corresponding to a file to be detected;
and acquiring file structure information corresponding to the file to be detected according to the target file format.
3. A method of repairing an abnormal file according to claim 2, wherein said file structure information includes: a file structure characteristic;
the step of searching whether a target abnormal rule matched with the file structure information exists in a preset abnormal rule base comprises the following steps:
and searching whether a target abnormal rule matched with the file structure characteristic exists in a preset abnormal rule base.
4. The method for repairing an abnormal file according to claim 3, wherein the step of obtaining the file structure information corresponding to the file to be detected according to the target file format comprises:
determining a target file feature extraction module according to the target file format;
and scanning the structural characteristics of the file to be detected through the target file characteristic extraction module to obtain the structural characteristics of the file.
5. The method for repairing the abnormal file according to claim 1, wherein the step of repairing the file to be detected according to the file repair algorithm comprises:
determining file abnormal data corresponding to the file to be detected according to the target abnormal rule;
and repairing the abnormal file data according to the file repairing algorithm.
6. The method for repairing an abnormal file according to any one of claims 1 to 5, wherein before the step of obtaining the file structure information corresponding to the file to be detected, the method further comprises:
reading a history abnormal file set, and acquiring a file format corresponding to each abnormal file in the history abnormal file set;
classifying the abnormal files in the historical abnormal file set according to the acquired file format to obtain a classified abnormal file set;
and analyzing the abnormal files of different categories in the classified abnormal file set, and constructing a preset abnormal rule base according to an analysis result.
7. The method for repairing an abnormal file according to claim 6, wherein after the step of analyzing the abnormal files of different categories in the classified abnormal file set and constructing a preset abnormal rule base according to the analysis result, the method further comprises:
configuring a corresponding file repair algorithm for each abnormal rule stored in the preset abnormal rule base according to the analysis result;
and constructing a repair algorithm library according to the configured file repair algorithm.
8. An apparatus for restoring an abnormal file, comprising:
the information acquisition module is used for acquiring file structure information corresponding to the file to be detected;
the rule matching module is used for searching whether a target abnormal rule matched with the file structure information exists in a preset abnormal rule base;
the algorithm matching module is used for judging the file to be detected as an abnormal file when the target abnormal rule exists and acquiring a file repair algorithm corresponding to the target abnormal rule;
and the file repairing module is used for repairing the file to be detected according to the file repairing algorithm.
9. An apparatus for repairing an abnormal file, the apparatus comprising: memory, a processor and a repairing program of an exception file stored on the memory and executable on the processor, the repairing program of the exception file being configured to implement the steps of the method of repairing an exception file according to any one of claims 1 to 7.
10. A storage medium having stored thereon a repair program for an abnormal file, the repair program for an abnormal file implementing the steps of the method for repairing an abnormal file according to any one of claims 1 to 7 when executed by a processor.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011522781.2A CN112612756A (en) | 2020-12-21 | 2020-12-21 | Abnormal file repairing method, device, equipment and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011522781.2A CN112612756A (en) | 2020-12-21 | 2020-12-21 | Abnormal file repairing method, device, equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112612756A true CN112612756A (en) | 2021-04-06 |
Family
ID=75243917
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011522781.2A Pending CN112612756A (en) | 2020-12-21 | 2020-12-21 | Abnormal file repairing method, device, equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112612756A (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101414299A (en) * | 2008-10-20 | 2009-04-22 | 腾讯科技(深圳)有限公司 | Method and apparatus for repairing composite document |
CN103902855A (en) * | 2013-12-17 | 2014-07-02 | 哈尔滨安天科技股份有限公司 | File tamper detecting and repairing method and system |
CN105528263A (en) * | 2015-12-10 | 2016-04-27 | 北京金山安全管理***技术有限公司 | Method and device for repairing document |
CN106295342A (en) * | 2016-08-19 | 2017-01-04 | 北京金山安全管理***技术有限公司 | The method and device of infection type virus in detection and removing Portable executable file |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113206849A (en) * | 2021-04-29 | 2021-08-03 | 杭州安恒信息安全技术有限公司 | Vulnerability scanning method and device based on ghidra and related equipment |
CN113326511A (en) * | 2021-06-25 | 2021-08-31 | 深信服科技股份有限公司 | File repair method, system, device and medium |
CN113326511B (en) * | 2021-06-25 | 2024-04-09 | 深信服科技股份有限公司 | File repair method, system, equipment and medium |
CN113852602A (en) * | 2021-08-11 | 2021-12-28 | 奇安信科技集团股份有限公司 | File reconstruction method, file reconstruction device, transmission equipment, electronic device, program product and medium |
CN113852602B (en) * | 2021-08-11 | 2023-12-08 | 奇安信科技集团股份有限公司 | File reconstruction method, device, transmission equipment, electronic equipment and medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
CB02 | Change of applicant information | Address after: 100020 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing; Applicant after: Sanliu0 Digital Security Technology Group Co.,Ltd.; Address before: 100020 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing; Applicant before: Beijing Hongteng Intelligent Technology Co.,Ltd. |