CN113032779B - Multi-behavior joint matching method and device based on behavior parameter Boolean expression rule - Google Patents

Info

Publication number: CN113032779B
Authority: CN (China)
Prior art keywords: behavior, matching, rule, behaviors, expression
Legal status: Active
Application number: CN202110166489.XA
Other languages: Chinese (zh)
Other versions: CN113032779A (en)
Inventors: 刘青芳, 闫佳, 苏璞睿, 应凌云, 聂眉宁
Current assignee: Institute of Software of CAS; Qianxin Technology Group Co Ltd
Original assignee: Institute of Software of CAS; Qianxin Technology Group Co Ltd
Priority date: 2021-02-04
Filing date: 2021-02-04
Publication dates: 2021-06-25 (CN113032779A), 2024-01-02 (CN113032779B, application granted)
Application filed by Institute of Software of CAS and Qianxin Technology Group Co Ltd.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine

Abstract

The invention provides a multi-behavior joint matching method and device based on behavior parameter Boolean expression rules. The method comprises the following steps. First, a malicious behavior rule file is constructed, and single-behavior matching analysis is completed by parsing the xml behavior file and the constructed behavior rule file. Second, a multi-behavior joint matching rule file based on a Boolean expression is constructed, which comprises defining the basic element form in which a behavior is written inside the Boolean expression and then constructing the multi-behavior joint matching rule. Third, the multi-behavior joint matching rule file is parsed. Finally, on the basis of matching the behaviors one by one in sequence, the placeholders in the multi-behavior joint matching rule expression are replaced by the matched values, the resulting string expression is executed by a built-in function of the programming language library, and the matching result is returned. The invention introduces the idea of multi-behavior joint matching based on the analysis of sample behaviors, realises the progression from sequential matching of single behaviors to joint matching of multiple behaviors, has high accuracy and is easy to generalise.

Description

Multi-behavior joint matching method and device based on behavior parameter Boolean expression rule
Technical Field
The invention relates to the detection and analysis of malicious code behavior, and in particular to a multi-behavior joint matching method and device based on behavior parameter Boolean expression rules; it belongs to the technical field of malicious code analysis and detection.
Background
Malware such as Trojans, viruses and ransomware is widespread, and malicious code has become a major security hazard on the Internet. Malicious code detection and analysis is one of the active research areas, and researchers have achieved many results. However, no current method can detect all malicious code behaviors, and none can detect and analyze the association relationships among all such behaviors. Further development of the detection and analysis of malicious code behaviors therefore plays an important role in the effective prevention of network security problems.
Current malicious code detection research offers detection methods such as signature detection, behavior detection, virtual-machine detection and heuristic detection, all of which are applied on the basis of analysing behaviors or associations between behaviors. Malicious code analysis methods are mainly divided into static analysis and dynamic analysis.
Static analysis uses tools such as IDA Pro to complete the analysis without actually running the malicious code. However, static analysis relies on disassembly, and some malicious code protects itself by encryption, packing and similar means, so fully understanding malicious code behavior through static analysis alone is difficult; dynamic analysis arose in response. Dynamic analysis monitors the actual execution of the malicious code, is not hindered by packing and similar means, and gives a better picture of the code's real behavior. Researchers at home and abroad have proposed various dynamic analysis methods, such as recursive exploration of execution snapshots and searching for malicious code behaviors. However, these methods rarely focus on the association between behaviors, and little research has been done on joint matching of multiple behaviors. Some researchers have proposed analysis methods for behavior association relationships, but these require monitoring the behavior to obtain behavior points for integrated analysis, which involves a complicated workload.
Faced with the need to match and correlate large numbers of detected malicious code behaviors, especially the complex behavior sequences produced by sandboxes, there is a lack of methods and ideas for quickly and efficiently detecting specific association relationships between behaviors, or for further analysing malicious code on the basis of several behaviors.
Further research into malicious behavior analysis techniques based on the association of multiple behaviors is therefore highly desirable for a more comprehensive analysis of malicious code behavior.
Disclosure of Invention
Aiming at the shortage of research on multi-behavior joint analysis of malicious software code and the urgent need to analyse, match and correlate the complex behaviors produced by sandboxes, the invention aims to provide a multi-behavior joint matching method and device based on behavior parameter Boolean expression rules.
The principle of the invention is as follows: first, a malicious behavior rule file is established; second, a Boolean expression rule over the parameters of multiple behaviors is constructed; then, single-behavior rule matching is carried out; finally, functions built into the implementation language's library (for example the Python library) are used to process and evaluate the expression describing the association of several behaviors, so as to obtain a joint matching result among them.
The technical scheme adopted by the invention is as follows:
the multi-behavior joint matching method based on the behavior parameter Boolean expression rule is characterized by comprising the following steps of:
constructing a malicious behavior rule file for single behavior matching;
constructing a multi-behavior joint matching rule file based on a behavior parameter Boolean expression rule;
analyzing the multi-behavior joint matching rule file to obtain related information of a plurality of behaviors;
sequentially matching the analyzed multiple behaviors one by using a malicious behavior rule file;
and on the basis of sequentially matching the behaviors one by one, performing multi-behavior joint matching.
Further, the constructing a multi-behavior joint matching rule file based on behavior parameter boolean expression rules includes:
constructing an expression form of a behavior basic element in a Boolean expression;
based on the expression form of the behavior basic element, constructing a Boolean expression rule based on the joint matching of behavior parameters;
and constructing a multi-behavior joint matching rule file by utilizing the Boolean expression rules of the multi-behavior joint matching.
Further, the expression form of a behavior basic element in the Boolean expression is:
%{${API_INDEX}-${ARG_INDEX}}
wherein % is the prefix placeholder for matching a behavior parameter, $ is the placeholder for a sequence number identifier, API_INDEX is the sequence number of the current behavior in the behavior sequence, and ARG_INDEX is the sequence number of the current behavior parameter.
Further, the expression form based on the behavior basic element constructs a Boolean expression rule based on behavior parameter multi-behavior joint matching, which comprises the following steps:
based on the expression form of the behavior basic element in the Boolean expression and the combination of the or/not/and logic operator and the in/not in member operator, a Boolean expression rule based on the behavior parameter multi-behavior joint matching is constructed.
Further, parsing the multi-behavior joint matching rule file to obtain related information of the plurality of behaviors includes:
parsing the names of the multiple behaviors, the Boolean expression over the multiple behavior parameters and the related description information from the multi-behavior joint matching rule file using lxml.
Further, sequentially matching the parsed multiple behaviors one by one using the malicious behavior rule file includes:
converting the behavior file into a rule expression using the malicious behavior rule file;
based on regular-expression matching, sequentially matching the names and parameters of the multiple behaviors one by one against the corresponding behavior names and parameters in the rule expression.
Further, the performing multi-behavior joint matching on the basis of sequentially matching the plurality of behaviors one by one includes:
replacing the behavior parameter values in the Boolean expression with the behavior parameter values obtained by sequentially matching the behaviors one by one;
and executing the replaced character string expression through built-in functions in the programming language library to obtain a matching result.
The multi-behavior joint matching device based on the behavior parameter Boolean expression rule adopting the method comprises the following components:
the malicious behavior rule file construction module is used for constructing a malicious behavior rule file for single behavior matching;
the multi-behavior joint matching rule file construction module is used for constructing a multi-behavior joint matching rule file based on behavior parameter Boolean expression rules;
the analysis module is used for analyzing the multi-behavior joint matching rule file to obtain related information of a plurality of behaviors;
the single-behavior matching module, used for sequentially matching the plurality of parsed behaviors one by one using the malicious behavior rule file;
and the multi-behavior matching module is used for performing multi-behavior joint matching on the basis of sequentially matching the behaviors one by one.
Through the above technical scheme, the invention achieves the following beneficial effects:
1) The invention supports single-behavior matching, mainly comprising: the matched fields cover the key fields of the original behavior, including behavior name, parameters, return value and so on; the matched description information supports splicing predefined strings with key fields of the original behavior (behavior name, parameters, return value and so on); matching supports several algorithms, such as regular expression comparison, string length comparison and numeric comparison; the rule file is compatible with the existing rule format and supports custom rules and extension rule entries; and the rule file supports macro definitions.
2) The invention supports multi-behavior matching, mainly comprising: multi-behavior joint matching based on behavior parameter Boolean expression rules, and matching on the number of repetitions of a behavior.
3) Through single-behavior matching analysis and multi-behavior joint matching analysis, the original malicious behavior feature data can be matched rapidly, and behaviors are classified according to the typical behavior characteristics of malicious software recognised in the industry. The invention realises the progression from sequential matching of single behaviors to joint matching of multiple behaviors, has high accuracy and is easy to generalise.
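As an added illustration of the single-behavior matching features listed in effects 1) and 2) above (this is not the patent's code, and the rule layout is my own assumption): behaviors and rules are constructed inline as Python dicts; a field is addressed as name, ret or argN; the three comparison algorithms are regular expression, string length and numeric comparison; @NAME@ references are macro definitions expanded before comparison; ${field} in a description splices in a field of the matched behavior; and min_count implements behavior repetition-count matching.

```python
# Added example, not the patent's code.  Behaviors, rules, the name/ret/argN
# field names, the @MACRO@ syntax and the ${field} splice syntax are all
# constructed for this illustration.
import re

# Constructed behavior sequence in sandbox order: API name, parameters, return value.
BEHAVIORS = [
    {"name": "RegSetValue", "args": ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                                     "upd", "C:\\tmp\\x.exe"], "ret": "0"},
    {"name": "VirtualAlloc", "args": ["0", "4096", "0x40"], "ret": "0x7ff0"},
    {"name": "VirtualAlloc", "args": ["0", "1048576", "0x40"], "ret": "0x8000"},
    {"name": "VirtualAlloc", "args": ["0", "65536", "0x04"], "ret": "0x9000"},
]

# Macro definitions, expanded textually into rule operands before comparison.
MACROS = {
    "RUN_KEY": r"\\CurrentVersion\\Run$",   # regex: value ends with \CurrentVersion\Run
    "PAGE_EXECUTE_READWRITE": "0x40",
}

# Rules: each condition is (field, algorithm, operand).  Algorithms are "regex",
# "len<op>" (string length) and "num<op>" (numeric; decimal or 0x-prefixed hex).
RULES = [
    {"name": "RegSetValue",
     "conds": [("arg1", "regex", "@RUN_KEY@"), ("arg3", "len>", "0"), ("ret", "num==", "0")],
     "desc": "Persistence via Run key: value ${arg2} points to ${arg3}"},
    {"name": "VirtualAlloc",
     "conds": [("arg3", "regex", "^@PAGE_EXECUTE_READWRITE@$"), ("arg2", "num>=", "4096")],
     "min_count": 2,   # repetition-count matching: at least two RWX allocations
     "desc": "RWX allocation of ${arg2} bytes returned ${ret}"},
]

MACRO_REF = re.compile(r"@(\w+)@")
FIELD_REF = re.compile(r"\$\{(\w+)\}")
_OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "<": lambda a, b: a < b,
        "<=": lambda a, b: a <= b, "==": lambda a, b: a == b, "!=": lambda a, b: a != b}

def expand_macros(text, macros=MACROS):
    """Replace @NAME@ with its macro definition; an unknown macro raises KeyError."""
    return MACRO_REF.sub(lambda m: macros[m.group(1)], text)

def field(behavior, name):
    """Resolve 'name', 'ret' or 'argN' (1-based) to a string; a missing argument gives None."""
    if name in ("name", "ret"):
        return behavior[name]
    idx = int(name[3:]) - 1
    args = behavior["args"]
    return args[idx] if 0 <= idx < len(args) else None

def compare(value, algo, operand):
    """Apply one comparison algorithm to a field value; a missing field never matches."""
    if value is None:
        return False
    if algo == "regex":
        return re.search(operand, value) is not None
    if algo.startswith("len"):
        return _OPS[algo[3:]](len(value), int(operand))
    if algo.startswith("num"):
        return _OPS[algo[3:]](int(value, 0), int(operand, 0))
    raise ValueError(f"unknown comparison algorithm {algo!r}")

def match_rule(rule, behaviors):
    """Return (hit count, descriptions).  The rule matches only when the number of
    behaviors satisfying every condition reaches min_count (default 1)."""
    hits = [b for b in behaviors
            if b["name"] == rule["name"]
            and all(compare(field(b, f), algo, expand_macros(op)) for f, algo, op in rule["conds"])]
    if len(hits) < rule.get("min_count", 1):
        return 0, []
    descs = [FIELD_REF.sub(lambda m, b=b: field(b, m.group(1)), rule["desc"]) for b in hits]
    return len(hits), descs

def match_all(rules=RULES, behaviors=BEHAVIORS):
    """Run every rule; return {rule name: descriptions} for the rules that matched."""
    result = {}
    for rule in rules:
        count, descs = match_rule(rule, behaviors)
        if count:
            result[rule["name"]] = descs
    return result
```

With the constructed input, match_all() reports the Run-key persistence once and the RWX allocation rule twice (the 0x04 allocation fails the regex condition, so raising min_count to 3 makes the rule fail as a whole). Numeric operands are parsed with base 0 so that rules can be written in the same decimal or hex form as the sandbox reports them.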
Drawings
FIG. 1 is a flow chart of a multi-behavior joint matching method of the present invention based on behavior parameter Boolean expression rules.
Fig. 2 is a schematic diagram of description information of the boolean expression calculation result in an embodiment.
Detailed Description
The technical scheme of the invention is described in detail below with reference to the accompanying drawings:
To make the invention easier to understand, this embodiment performs Boolean expression joint matching on two behaviors in the xml behavior file output by a sandbox. As shown in Fig. 1, the embodiment implements a multi-behavior joint matching method based on behavior parameter Boolean expression rules, comprising the following steps:
1) Construct the malicious behavior rule file by analysing the xml behavior files output by a large number of dynamic sandbox runs; parse the xml behavior file and the malicious behavior rule file, which contains behavior parameter rules and other information, with an xml parser.
In this embodiment, the malicious behavior rule file is constructed as follows: a large number of malicious samples are executed, the API behaviors and corresponding parameters of all samples are intercepted by hooking, the intercepted data are analysed statistically, and the malicious behavior rule file is constructed according to the industry's definitions of the API behaviors.
2) Perform matching analysis of single malicious behaviors, i.e. convert the xml behavior file into a rule expression using the malicious behavior rule file. The two behaviors DownloadFile and CreateProcess in the xml behavior file are selected as the objects of analysis, and their sequential matching from the xml behavior file to the malicious behavior rule file is completed: the rule file entries formulated for the names, parameters, return values and so on of DownloadFile and CreateProcess are matched, and the two behaviors are converted into a rule expression that takes the rule file as its standard.
3) And constructing the expression form of the basic element of the behavior in the Boolean expression. The behavior basic elements in the boolean expression are expressed in the following form:
%{${API_INDEX}-${ARG_INDEX}}
wherein % is the prefix placeholder for matching a behavior parameter, $ is the placeholder for a sequence number identifier, API_INDEX is the sequence number of the current behavior in the behavior sequence, and ARG_INDEX is the sequence number of the current behavior parameter.
4) Based on the element form %{${API_INDEX}-${ARG_INDEX}} of step 3), combined with the logical operators or/not/and and the member operators in/not in, a Boolean expression rule for multi-behavior joint matching based on behavior parameters is constructed. Here, or denotes the OR operation; not denotes negation; and denotes the AND operation; in returns True if the value is found in the specified sequence and False otherwise; not in returns True if the value is not found in the specified sequence and False otherwise.
In this embodiment, the behavior DownloadFile is behavior 1 and the behavior CreateProcess is behavior 2, and the Boolean expression rule for jointly matching the two behaviors is formulated as: (%{1-2} in %{2-1}) or (%{2-1} in %{1-2}). By the definition in step 3), %{1-2} is the second parameter of DownloadFile and %{2-1} is the first parameter of CreateProcess.
5) A multi-behavior joint matching rule file is constructed. The rule file needs to contain the names of the behaviors to be matched (DownloadFile, CreateProcess), the Boolean expression rule for joint matching based on behavior parameters ((%{1-2} in %{2-1}) or (%{2-1} in %{1-2})), and the related description information (the Trojan program %{1-2} was downloaded from the network and executed successfully).
6) Using lxml, the multi-behavior joint matching rule file is parsed, and the names of the behaviors, the Boolean expression describing the association of their parameters, and the related description information are extracted.
7) Sequential matching of the single behaviors is performed with regular expressions, using the behavior names and behavior parameter information extracted in step 6). In this embodiment, the two behaviors named DownloadFile and CreateProcess are matched in sequence and substituted according to the corresponding behavior names and parameters in the rule expression of step 2).
8) The result of the multi-behavior joint matching Boolean expression is computed with a function built into the programming language library, such as the Python built-in function eval. In this embodiment the Boolean expression obtained after the matching of step 7) is evaluated with eval, and its value is the multi-behavior joint matching result.
This step completes the multi-behavior joint matching on the basis of the one-by-one sequential matching of step 7): the behavior parameter placeholders in the joint matching Boolean expression are replaced with the parameter values matched in the xml behavior file in step 7), the substituted string expression is executed by the built-in function of the programming language library, and the matching result is returned (that is, the value of the string expression; if it is True, the success description information is returned).
9) After step 8), if the joint matching of the several behaviors succeeded (the Boolean expression evaluated to True), the description information specified in the rule is obtained; if it failed (the expression evaluated to False), the description information is not output. After this example was run, the Boolean expression evaluated to True, the description information shown in Fig. 2 was obtained, and the analysis ended.
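The nine steps above, and the corresponding steps of the Disclosure section, as one added end-to-end example (not the patent's or the assignees' code). The XML layouts of the behavior file, the single-behavior rule file and the joint rule file are constructed for this example, the standard-library xml.etree is used where the patent names lxml, and all function names are mine. One caveat a practitioner will want: step 8 substitutes parameter values captured from the analysed sample into a string and hands it to eval, so a value containing a quote character or Python syntax can alter the expression. The example therefore quotes every value with repr() and evaluates only expressions whose syntax tree is confined to the rule grammar (and/or/not, in/not in, ==/!= and literals).

```python
# Added example, not the patent's code: end-to-end joint matching with
# %{API_INDEX-ARG_INDEX} placeholders.  xml.etree stands in for lxml, the XML
# layouts are constructed, and the bare eval() of step 8 is replaced by an
# AST-whitelisted evaluator because the substituted values come from the sample.
import ast
import re
import xml.etree.ElementTree as ET

# Constructed sandbox behavior file: API calls in execution order, positional parameters.
BEHAVIOR_XML = """<behaviors>
  <behavior name="DownloadFile" ret="1">
    <arg>http://example.invalid/a.exe</arg>
    <arg>C:\\Users\\Public\\a.exe</arg>
  </behavior>
  <behavior name="CreateProcess" ret="1">
    <arg>C:\\Users\\Public\\a.exe</arg>
    <arg>0</arg>
  </behavior>
</behaviors>"""

# Constructed single-behavior rule file (step 1): per-API regex constraints on parameters.
SINGLE_RULES_XML = """<rules>
  <rule name="DownloadFile"><arg index="1" regex="^https?://"/></rule>
  <rule name="CreateProcess"><arg index="1" regex="\\.exe$"/></rule>
</rules>"""

# Constructed joint rule file (step 5): behavior names, Boolean expression, description.
JOINT_RULE_XML = """<joint_rule>
  <behaviors>DownloadFile,CreateProcess</behaviors>
  <expr>(%{1-2} in %{2-1}) or (%{2-1} in %{1-2})</expr>
  <desc>The Trojan program %{1-2} was downloaded from the network and executed</desc>
</joint_rule>"""

PLACEHOLDER = re.compile(r"%\{(\d+)-(\d+)\}")  # %{API_INDEX-ARG_INDEX}, both 1-based

def parse_behaviors(xml_text):
    """Behavior file -> [(name, [parameters], return value)] in sandbox order."""
    root = ET.fromstring(xml_text)
    return [(b.get("name"), [a.text or "" for a in b.findall("arg")], b.get("ret"))
            for b in root.findall("behavior")]

def parse_single_rules(xml_text):
    """Rule file -> {API name: [(parameter index, compiled regex)]}."""
    root = ET.fromstring(xml_text)
    return {r.get("name"): [(int(a.get("index")), re.compile(a.get("regex")))
                            for a in r.findall("arg")] for r in root.findall("rule")}

def parse_joint_rule(xml_text):
    """Joint rule file (step 6) -> (behavior names, Boolean expression, description)."""
    root = ET.fromstring(xml_text)
    return root.findtext("behaviors").split(","), root.findtext("expr"), root.findtext("desc")

def match_single(behaviors, rules, wanted):
    """Step 7: for each wanted name take the first behavior whose name and
    regex-constrained parameters match; None if any wanted behavior is absent."""
    matched = []
    for name in wanted:
        for bname, args, ret in behaviors:
            if bname == name and all(i <= len(args) and rx.search(args[i - 1])
                                     for i, rx in rules.get(name, [])):
                matched.append((bname, args, ret))
                break
        else:
            return None
    return matched

def substitute(template, matched, quote=True):
    """Replace %{i-j} with parameter j of matched behavior i.  quote=True emits a repr()
    string literal, so quotes or operators in a sample-controlled value cannot alter the expression."""
    def repl(m):
        value = matched[int(m.group(1)) - 1][1][int(m.group(2)) - 1]
        return repr(value) if quote else value
    return PLACEHOLDER.sub(repl, template)

# Grammar of a substituted joint rule: string literals, and/or/not, in/not in, ==/!=.
_ALLOWED = (ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not,
            ast.Compare, ast.In, ast.NotIn, ast.Eq, ast.NotEq, ast.Constant)

def check_rule_syntax(expr):
    """AST node types outside the rule grammar; an empty list means acceptable."""
    return [type(n).__name__ for n in ast.walk(ast.parse(expr, mode="eval"))
            if not isinstance(n, _ALLOWED)]

def safe_eval_bool(expr):
    """Step 8 without a bare eval(): reject foreign syntax, then evaluate with no builtins."""
    bad = check_rule_syntax(expr)
    if bad:
        raise ValueError(f"disallowed syntax in rule expression: {bad}")
    return bool(eval(compile(ast.parse(expr, mode="eval"), "<rule>", "eval"),
                     {"__builtins__": {}}, {}))

def joint_match(behavior_xml, single_rules_xml, joint_rule_xml):
    """Steps 1-9 end to end: the description with parameters spliced in when the
    joint expression is True, otherwise None."""
    behaviors = parse_behaviors(behavior_xml)
    rules = parse_single_rules(single_rules_xml)
    names, expr, desc = parse_joint_rule(joint_rule_xml)
    matched = match_single(behaviors, rules, names)
    if matched is None or not safe_eval_bool(substitute(expr, matched)):
        return None
    return substitute(desc, matched, quote=False)
```

Calling joint_match(BEHAVIOR_XML, SINGLE_RULES_XML, JOINT_RULE_XML) returns the spliced description, because the path DownloadFile wrote equals the image path CreateProcess started. A rule over N behaviors needs no further code: the matched list is indexed by API_INDEX, so %{3-1} simply addresses the third behavior named in the rule file.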
In step 1), the parsing functions for the xml behavior file and the malicious behavior rule file need to be extended: macro definitions must be parsed, and a new rule file independent of the existing rule file must be accepted; both files (the xml behavior file and the malicious behavior rule file) need to contain the behavior expressions of the several behaviors used for joint matching analysis. The fields covered by single malicious behavior matching need to include the key fields of the original behavior, including behavior name, parameters, return value and so on. Single malicious behavior matching needs to support several algorithms, such as regular expression comparison, string length comparison and numeric comparison; methods such as single-behavior matching and behavior repetition-count matching; and description information that splices predefined strings with key fields of the original behavior (behavior name, parameters, return value and so on).
In step 2), the invention converts the behavior file into a rule expression according to the malicious behavior rule file constructed in step 1). The malicious behavior rule file comprehensively summarises the behaviors and behavior parameters associated with malicious software and provides favourable conditions for its behavior analysis.
In step 3), the invention constructs the basic element form of the Boolean expression from the sequence numbers of the behaviors in the behavior sequence and the behavior parameter information in the malicious behavior rule file of step 1), so that the characteristic attributes of the basic elements are expressed fully and effectively. The basic element form needs to be able to express every parameter of the behavior file, covering the sequence number of the behavior within the behavior sequence and the sequence number of the behavior parameter.
In step 4), the invention constructs a multi-behavior joint matching rule based on the Boolean expression, with the behavior information combined through logical operators. The Boolean expression rule for multi-behavior joint matching needs to be compatible with the rule file format constructed in step 1), support custom rules and extension rule entries, and support macro definition extensions.
In step 5), the invention constructs a sample multi-behavior joint matching rule file covering the names of the behaviors to be matched, the Boolean expression over the behavior parameters, the related description and other information. The multi-behavior joint matching rule file only standardises the expression format of behaviors and behavior parameters and extends well (for example, the joint matching rule over the 2 behaviors of the sample can be extended to a joint matching rule over N behaviors).
The multi-behavior joint matching rule file of step 5) is independent of the malicious behavior rule file constructed in step 1); the related description based on behavior parameters needs to support splicing behavior parameters with strings.
Step 6) parses the multi-behavior joint matching rule file independently of the xml parsing of step 1), using lxml to parse the information in the multi-behavior rule file.
The built-in functions of the programming language library used for multi-behavior joint matching in step 8) presuppose the Boolean expression rule of the invention.
Based on the same inventive concept, another embodiment of the present invention provides a multi-behavior joint matching device based on a behavior parameter boolean expression rule using the method of the present invention, which includes:
the malicious behavior rule file construction module is used for constructing a malicious behavior rule file for single behavior matching;
the multi-behavior joint matching rule file construction module is used for constructing a multi-behavior joint matching rule file based on behavior parameter Boolean expression rules;
the analysis module is used for analyzing the multi-behavior joint matching rule file to obtain related information of a plurality of behaviors;
the single-behavior matching module, used for sequentially matching the plurality of parsed behaviors one by one using the malicious behavior rule file;
and the multi-behavior matching module is used for performing multi-behavior joint matching on the basis of sequentially matching the behaviors one by one.
Wherein the specific implementation of each module is referred to the previous description of the method of the present invention.
Based on the same inventive concept, another embodiment of the present invention provides an electronic device (computer, server, smartphone, etc.) comprising a memory and a processor, the memory storing a computer program configured to be executed by the processor, the computer program comprising instructions for performing the steps of the method of the invention.
Based on the same inventive concept, another embodiment of the present invention provides a computer readable storage medium (e.g., ROM/RAM, magnetic disk, optical disk) storing a computer program which, when executed by a computer, implements the steps of the inventive method.
In summary, the multi-behavior joint matching method and device based on behavior parameter Boolean expression rules provided by the invention allow an analyst in the field to match the original malicious behavior feature data rapidly, to determine on the basis of Boolean expression rules whether several behaviors are correlated, and to classify the behaviors according to the typical behavior characteristics of malicious software recognised in the industry. The invention deepens the research and analysis of malicious behaviors and makes the analysis of their various attributes and characteristics more efficient.
The above-described embodiments are only for illustrating the technical spirit and features of the present invention, and it is intended that those skilled in the art can fully understand the content of the present invention and implement it according to the embodiments, but the present invention is not limited to the embodiments, i.e., various equivalent changes or modifications within the spirit and scope of the present invention are still within the scope of the present invention. The scope of the invention is defined by the claims.

Claims (6)

1. The multi-behavior joint matching method based on the behavior parameter Boolean expression rule is characterized by comprising the following steps of:
constructing a malicious behavior rule file for single behavior matching;
constructing a multi-behavior joint matching rule file based on a behavior parameter Boolean expression rule;
analyzing the multi-behavior joint matching rule file to obtain related information of a plurality of behaviors;
sequentially matching the analyzed multiple behaviors one by using a malicious behavior rule file;
on the basis of sequentially matching a plurality of behaviors one by one, performing multi-behavior joint matching;
the construction of the multi-behavior joint matching rule file based on the behavior parameter Boolean expression rule comprises the following steps:
constructing an expression form of a behavior basic element in a Boolean expression;
based on the expression form of the behavior basic element, constructing a Boolean expression rule based on the joint matching of behavior parameters;
constructing a multi-behavior joint matching rule file by utilizing a Boolean expression rule of multi-behavior joint matching;
the expression form of the behavior basic elements in the Boolean expression is as follows:
%{${API_INDEX}-${ARG_INDEX}}
wherein % is the prefix placeholder for matching a behavior parameter, $ is the placeholder for a sequence number identifier, API_INDEX represents the sequence number of the current behavior in the behavior sequence, and ARG_INDEX represents the sequence number of the current behavior parameter;
the expression form based on the behavior basic elements constructs a Boolean expression rule based on the behavior parameter multi-behavior joint matching, which comprises the following steps:
based on the expression form of the behavior basic element in the Boolean expression and the combination of the or/not/and logic operator and the in/not in member operator, constructing a Boolean expression rule based on the behavior parameter multi-behavior joint matching;
the multi-behavior joint matching is performed on the basis of sequentially matching the behaviors one by one, and the method comprises the following steps:
replacing the behavior parameter values in the Boolean expression with the behavior parameter values obtained by sequentially matching the behaviors one by one;
and executing the replaced character string expression through built-in functions in the programming language library to obtain a matching result.
2. The method of claim 1, wherein parsing the multi-behavior joint matching rule file to obtain information about the plurality of behaviors comprises:
parsing the names of the multiple behaviors, the Boolean expression over the multiple behavior parameters and the related description information from the multi-behavior joint matching rule file using lxml.
3. The method according to claim 1, wherein the sequentially matching the parsed plurality of behaviors one by one using the malicious behavior rule file includes:
converting the behavior file into a rule expression by using a malicious behavior rule file;
based on regular-expression matching, sequentially matching the names and parameters of the multiple behaviors one by one against the corresponding behavior names and parameters in the rule expression.
4. A multi-behavior joint matching device based on behavior parameter Boolean expression rules, using the method of any one of claims 1-3, characterized in that it comprises:
a malicious behavior rule file construction module, configured to construct a malicious behavior rule file for single-behavior matching;
a multi-behavior joint matching rule file construction module, configured to construct a multi-behavior joint matching rule file based on behavior parameter Boolean expression rules;
a parsing module, configured to parse the multi-behavior joint matching rule file to obtain the information about the plurality of behaviors;
a single-behavior matching module, configured to sequentially match the parsed plurality of behaviors one by one using the malicious behavior rule file; and
a multi-behavior matching module, configured to perform the multi-behavior joint matching on the basis of the sequential one-by-one matching of the behaviors.
5. An electronic device comprising a memory and a processor, the memory storing a computer program configured to be executed by the processor, the computer program comprising instructions for performing the method of any one of claims 1-3.
6. A computer readable storage medium, characterized in that it stores a computer program which, when executed by a computer, implements the method of any one of claims 1-3.
CN202110166489.XA 2021-02-04 2021-02-04 Multi-behavior joint matching method and device based on behavior parameter Boolean expression rule Active CN113032779B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110166489.XA CN113032779B (en) 2021-02-04 2021-02-04 Multi-behavior joint matching method and device based on behavior parameter Boolean expression rule

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110166489.XA CN113032779B (en) 2021-02-04 2021-02-04 Multi-behavior joint matching method and device based on behavior parameter Boolean expression rule

Publications (2)

Publication Number Publication Date
CN113032779A CN113032779A (en) 2021-06-25
CN113032779B true CN113032779B (en) 2024-01-02

Family

ID=76460269

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110166489.XA Active CN113032779B (en) 2021-02-04 2021-02-04 Multi-behavior joint matching method and device based on behavior parameter Boolean expression rule

Country Status (1)

Country Link
CN (1) CN113032779B (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8555385B1 (en) * 2011-03-14 2013-10-08 Symantec Corporation Techniques for behavior based malware analysis
CN103646209A (en) * 2013-12-20 2014-03-19 Beijing Qihoo Technology Co Ltd Cloud-security-based bundled software blocking method and device
CN105138575A (en) * 2015-07-29 2015-12-09 Baidu Online Network Technology (Beijing) Co Ltd Analysis method and device of voice text string
CN106469218A (en) * 2016-09-08 2017-03-01 Institute of Information Engineering, Chinese Academy of Sciences Bitmap-based Boolean expression storage and matching method and system
CN107273745A (en) * 2017-04-21 2017-10-20 Institute of Software, Chinese Academy of Sciences Dynamic analysis method for malicious code in dynamic link library form
CN107341399A (en) * 2016-04-29 2017-11-10 Alibaba Group Holding Ltd Method and device for assessing code file security
CN107688743A (en) * 2017-08-14 2018-02-13 Beijing Qihoo Technology Co Ltd Method and system for determining a malicious program
CN109684832A (en) * 2017-10-19 2019-04-26 AO Kaspersky Lab System and method for detecting malicious files
CN111241546A (en) * 2020-01-12 2020-06-05 Suzhou Inspur Intelligent Technology Co Ltd Malicious software behavior detection method and device
CN112287015A (en) * 2020-10-14 2021-01-29 Beijing Analysys Think Tank Network Technology Co Ltd Image generation system, image generation method, electronic device, and storage medium
CN112307478A (en) * 2020-11-30 2021-02-02 Sangfor Technologies Inc Script virus detection method, system, electronic equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9721086B2 (en) * 2013-03-15 2017-08-01 Advanced Elemental Technologies, Inc. Methods and systems for secure and reliable identity-based computing

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Research on key technologies for dynamic behavior analysis of malicious programs; Wang Lele; China Doctoral Dissertations Full-text Database, Information Science and Technology (No. 12); I139-17 *
Optimization of string matching algorithms for network intrusion detection; Yang Tianlong; China Doctoral Dissertations Full-text Database, Information Science and Technology (No. 02); I139-2 *

Also Published As

Publication number Publication date
CN113032779A (en) 2021-06-25

Similar Documents

Publication Publication Date Title
CN107704265B (en) Configurable rule generation method for service flow
CN107644323B (en) Intelligent auditing system for business flow
US8972372B2 (en) Searching code by specifying its behavior
CN108595583A (en) Dynamic chart class page data crawling method, device, terminal and storage medium
CN105488697A (en) Potential customer mining method based on customer behavior characteristics
KR101617696B1 (en) Method and device for mining data regular expression
CN112989348B (en) Attack detection method, model training method, device, server and storage medium
CN113139192B (en) Third party library security risk analysis method and system based on knowledge graph
CN112148343B (en) Rule issuing method and device and terminal equipment
US20200250015A1 (en) Api mashup exploration and recommendation
CN112307478A (en) Script virus detection method, system, electronic equipment and storage medium
Nam et al. Marble: Mining for boilerplate code to identify API usability problems
CN111581638A (en) Security analysis method and device for open source software
CN111813803A (en) Statement block execution plan generation method, device, equipment and storage medium
EP3816814A1 (en) Crux detection in search definitions
CN113032779B (en) Multi-behavior joint matching method and device based on behavior parameter Boolean expression rule
JP6244274B2 (en) Correlation rule analysis apparatus and correlation rule analysis method
US9754033B2 (en) Optimizing web crawling through web page pruning
Guan et al. Code property graph-based vulnerability dataset generation for source code detection
Tang et al. Helping code reviewer prioritize: Pinpointing personal data and its processing
CN115906086A (en) Method, system and storage medium for detecting webpage backdoor based on code attribute graph
Yang et al. Pruning the ast with hunks to speed up tree differencing
CN110990271A (en) Code performance detection method, device, equipment and storage medium
Semenov et al. Obfuscated Code Quality Measurement
Kimball et al. A Method and Tool for Automated Induction of Relations from Quantitative Performance Logs

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant