CN114338102B - Security detection method, security detection device, electronic equipment and storage medium - Google Patents

Security detection method, security detection device, electronic equipment and storage medium

Info

Publication number: CN114338102B
Application number: CN202111529078.9A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN114338102A (en)
Inventors: 张道林, 尹百东, 杨飞
Current assignee: Beijing Antiy Network Technology Co Ltd
Original assignee: Beijing Antiy Network Technology Co Ltd
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)

Abstract

The embodiment of the invention discloses a security detection method, a security detection device, electronic equipment and a storage medium, relating to the technical field of computer security. The security detection method comprises the following steps: acquiring an object to be detected and a plurality of rule models required for security detection of the object; splitting the rule models to obtain the rules they contain; detecting the object with those rules to obtain a detection result for each rule; and obtaining the detection result of each rule model from the detection results of its rules. The embodiment has low computing-resource occupation and high detection efficiency, and is particularly suitable for detection scenarios with a large data volume.

Description

Security detection method, security detection device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of computer security technologies, and in particular, to a security detection method, a security detection device, an electronic device, and a storage medium.
Background
In the field of network security, threats and abnormal behaviours are usually detected with rule-based detection models. A traditional rule detection model matches an object asynchronously against a plurality of rule models (rule groups); each rule model consists of a plurality of rules (judging conditions), and the rule models are independent of one another. The rule model is the unit of detection: each rule model is evaluated separately, the results are collected, and a comprehensive analysis yields the detection conclusion. This approach has high computing-resource occupation and low detection efficiency, because when several rule models share the same rule, or when many rules hit without their rule models hitting, a large amount of redundant computation is performed. Moreover, whenever a rule is modified, added or deleted, all historical data must be re-detected, which makes the approach hard to apply to today's large-data-volume detection scenarios.
Disclosure of Invention
In view of the above, the embodiments of the present invention provide a security detection method, apparatus, electronic device, and storage medium with low occupation of computing power resources and high detection efficiency.
In a first aspect, an embodiment of the present invention provides a security detection method, including:
acquiring an object to be detected and a plurality of rule models required for carrying out safety detection on the object to be detected;
splitting the rule models to obtain a plurality of rules contained in the rule models;
detecting the object to be detected by utilizing the rules to obtain a detection result of each rule;
and obtaining a detection result corresponding to each rule model according to the detection result of each rule.
With reference to the first aspect, in an implementation manner of the first aspect, the acquiring the object to be detected and the plurality of rule models required for performing security detection on the object to be detected includes:
acquiring the type of an object to be detected;
and acquiring a plurality of rule models required for carrying out safety detection on the object to be detected according to the type.
With reference to the first aspect, in another implementation manner of the first aspect, the detecting the object to be detected using the plurality of rules, to obtain a detection result of each rule includes:
traversing the rules, judging whether the object to be detected is detected by using the rule with the mutual exclusion relation with the current rule according to a prestored rule mutual exclusion relation table, if so, skipping over the current rule, and if not, detecting the object to be detected by using the current rule to obtain a detection result of the current rule.
With reference to the first aspect, in a further implementation manner of the first aspect, if the foregoing is true, skipping the current rule includes:
acquiring a known detection result of the rule with the mutual exclusion relation with the current rule for detecting the object to be detected;
and setting the detection result of the current rule to be an opposite detection result according to the known detection result.
With reference to the first aspect, in a further implementation manner of the first aspect, the detecting the object to be detected using the plurality of rules, to obtain a detection result of each rule includes:
according to a prestored rule dependency relation table, arranging each rule that depends on the detection result of another rule after the rule it depends on;
traversing the rules in order and judging whether the rule that the current rule depends on has hit; if so, detecting the object to be detected with the current rule to obtain its detection result, and if not, skipping the current rule.
With reference to the first aspect, in a further implementation manner of the first aspect, the obtaining, according to the detection result of each rule, a detection result corresponding to each rule model includes:
for each rule model, sequentially combining detection results of a plurality of rules contained in the rule model, and carrying out hash operation on the combined results to obtain hash values;
and judging whether the hash value is equal to a preset hash value, and if so, indicating that the rule model is hit.
In a second aspect, an embodiment of the present invention provides a security detection device, including:
the first acquisition module is used for acquiring an object to be detected and a plurality of rule models required by safety detection of the object to be detected;
the splitting module is used for splitting the rule models to obtain rules contained in the rule models;
the detection module is used for detecting the object to be detected by utilizing the rules to obtain a detection result of each rule;
and the second acquisition module is used for acquiring the detection result corresponding to each rule model according to the detection result of each rule.
With reference to the second aspect, in an implementation manner of the second aspect, the first obtaining module includes:
the first acquisition unit is used for acquiring the type of the object to be detected;
and the second acquisition unit is used for acquiring a plurality of rule models required for carrying out safety detection on the object to be detected according to the type.
With reference to the second aspect, in another implementation manner of the second aspect, the detection module includes:
the first traversing unit is used for traversing the rules, judging whether the object to be detected is detected by using the rule with the mutual exclusion relation with the current rule according to a prestored rule mutual exclusion relation table, if yes, skipping the current rule, and if not, detecting the object to be detected by using the current rule to obtain a detection result of the current rule.
With reference to the second aspect, in a further implementation manner of the second aspect, the first traversing unit includes:
the obtaining subunit is used for obtaining a known detection result of the rule with the mutual exclusion relation with the current rule for detecting the object to be detected;
and the setting subunit is used for setting the detection result of the current rule to be an opposite detection result according to the known detection result.
With reference to the second aspect, in a further implementation manner of the second aspect, the detection module includes:
the ordering unit is used for arranging, according to a prestored rule dependency relation table, each rule that depends on the detection result of another rule after the rule it depends on;
and the second traversing unit is used for traversing the rules in order and judging whether the rule that the current rule depends on has hit; if so, detecting the object to be detected with the current rule to obtain its detection result, and if not, skipping the current rule.
With reference to the second aspect, in a further implementation manner of the second aspect, the second obtaining module includes:
the combination unit is used for sequentially combining detection results of a plurality of rules contained in each rule model and carrying out hash operation on the combined results to obtain hash values;
and the judging unit is used for judging whether the hash value is equal to a preset hash value or not, and if so, the rule model is hit.
In a third aspect, an embodiment of the present invention provides an electronic device, including: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space surrounded by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory for performing any of the methods described above.
In a fourth aspect, embodiments of the present invention also provide a computer-readable storage medium storing one or more programs executable by one or more processors to implement any of the methods described above.
With the security detection method, security detection device, electronic equipment and storage medium of the embodiments, an object to be detected and the plurality of rule models required for its security detection are first obtained; the rule models are then split into the rules they contain; the object is detected with those rules to obtain a detection result for each rule; and finally the detection result of each rule model is derived from the detection results of its rules. The embodiment thus takes the rule (judging condition), rather than the rule model (rule group) of the prior art, as the minimum unit of detection. When several rule models share a rule, or when many rules hit without their rule models hitting, the same rule no longer has to be evaluated once per rule model: it is evaluated once, which avoids a large amount of redundant computation. When a rule is modified, added or deleted, only the changed rule needs to be re-evaluated instead of every rule model. The method and device therefore have low computing-resource occupation and high detection efficiency, solve the resource and efficiency problems caused in the traditional method by a large number of rule models or frequent rule changes, and are particularly suitable for detection scenarios with a large data volume.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a security detection method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a security detection device according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of an embodiment of the electronic device of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are merely some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In one aspect, an embodiment of the present invention provides a security detection method, as shown in fig. 1, where the method in this embodiment may include:
step 101: acquiring an object to be detected and a plurality of rule models required for carrying out safety detection on the object to be detected;
as an alternative embodiment, the obtaining the object to be detected and the plurality of rule models required for the security detection of the object to be detected (step 101) may include:
step 1011: acquiring the type of an object to be detected;
In this step, the types of object to be detected include, but are not limited to, files, software code, and behaviours (such as reading and writing memory, reading and writing files, accessing the network, and accessing the local host).
Step 1012: and acquiring a plurality of rule models required for carrying out safety detection on the object to be detected according to the type.
In this step, a plurality of rule models are selected from the existing rule detection models/rule engines according to different types of objects to be detected.
Taking an object to be detected as a file as an example, a plurality of rule models are screened out as shown in the following table 1.
TABLE 1
Table 1 lists 11 rule models in total for determining threats present in a file, including: suspicious self-extracting file, suspicious macro document, ransomware, counterfeit system program, suspicious executable file, LPK virus infection, file bundling, and others.
As Table 1 shows, every rule model of the conventional rule detection model contains several rules/judging conditions, and the same judging condition recurs across rule models (for example, whether the file format is an executable must be judged in the rule models numbered 4-6 and 8-11 in Table 1), so the same condition is evaluated many times over, which makes computing-resource occupation too high and detection efficiency too low. The following steps of the embodiment address this problem.
Step 102: splitting the rule models to obtain a plurality of rules contained in the rule models;
In this step, taking the rule model numbered 1 in Table 1 as an example, splitting yields two rules: the file is in a self-extracting executable format; and the number of file names is equal to 2.
Step 103: detecting the object to be detected by utilizing the rules to obtain a detection result of each rule;
as an optional embodiment, the detecting the object to be detected using the plurality of rules to obtain a detection result of each rule (step 103) may include:
step 1031: traversing the rules, judging whether the object to be detected is detected by using the rule with the mutual exclusion relation with the current rule according to a prestored rule mutual exclusion relation table, if so, skipping over the current rule, and if not, detecting the object to be detected by using the current rule to obtain a detection result of the current rule.
In this step, two rules A and B are mutually exclusive when a hit on one of them determines that the other cannot hit. Mutual exclusion arises in several ways, for example:
1. The two rules inspect different kinds of object, for example:
rule A: whether the object is an executable file;
rule B: whether the object is mail-protocol traffic;
2. The outcomes of the two rules exclude one another, for example:
rule A: <file extension> is that of the montserver ransomware;
rule B: <file extension> is that of the odveta ransomware;
rule C: <file extension> is that of the limbo ransomware;
rule D: <file extension> is that of the Lazarus ransomware;
A rule mutual-exclusion relation table can therefore be built in advance from these relations and stored. When an object is detected, the table is used to prune the rules (for example, if A and B are mutually exclusive and A has hit, B cannot hit, so B need not be evaluated after A). This saves a large amount of computation, further reduces computing-resource occupation and improves detection efficiency.
In step 1031, if yes, skipping the current rule may include:
step 10311: acquiring a known detection result of the rule with the mutual exclusion relation with the current rule for detecting the object to be detected;
step 10312: and setting the detection result of the current rule to be an opposite detection result according to the known detection result.
In steps 10311-10312, if the detection result of a rule that is mutually exclusive with the current rule is already known, the result of the current rule can be set directly without evaluating it, which reduces computing-resource occupation and improves detection efficiency. Note that mutual exclusion licenses this inference in one direction only: a hit on the mutually exclusive rule implies a miss on the current rule, whereas a miss on the mutually exclusive rule says nothing about the current rule (in the extension example above, a file that is not montserver ransomware may still be odveta ransomware, or neither), so in that case the current rule must still be evaluated.
As another optional embodiment, the detecting the object to be detected using the plurality of rules (step 103) may further include:
Step 1031': according to a prestored rule dependency relation table, arranging each rule that depends on the detection result of another rule after the rule it depends on;
In this step, a dependency means that two rules have a precedence relation, for example:
rule A: whether the object is mail-protocol traffic;
rule B: whether the mail carries an attachment;
As the example shows, rule B depends on rule A: rule B only needs to be evaluated after rule A has hit. This step sorts the rules that have such a dependency, that is, a rule that needs the detection result of another rule (rule B) is placed after the rule it depends on (rule A).
Step 1032': traversing the rules in order and judging whether the rule that the current rule depends on has hit; if so, detecting the object to be detected with the current rule to obtain its detection result, and if not, skipping the current rule.
In this step, if the current rule has no dependency, it is evaluated normally against the object to obtain its detection result; if it depends on another rule and that rule hit, the current rule is evaluated as well; if it depends on another rule and that rule missed, the current rule is skipped without being evaluated, or its detection result is set directly to a miss.
In steps 1031'-1032', the rule dependency relation table is built in advance from the dependencies among the rules and stored, and when an object is detected the table is used to prune the rules, which further reduces computing-resource occupation and improves detection efficiency.
Step 104: and obtaining a detection result corresponding to each rule model according to the detection result of each rule.
In the step, the detection results of the rules contained in each rule model are combined, and the detection result corresponding to each rule model can be obtained.
As an optional embodiment, the obtaining, according to the detection result of each rule, a detection result corresponding to each rule model (step 104) may include:
step 1041: for each rule model, sequentially combining detection results of a plurality of rules contained in the rule model, and carrying out hash operation on the combined results to obtain hash values;
In this step the detection result may be normalized, for example as the rule's unique ID (e.g. aaf8c91cd5) followed by a hit flag 0/1 (0 for miss, 1 for hit), so that one detection result reads aaf8c91cd50 (the trailing 0 marking a miss). To combine several detection results they are joined with the connector "-". The combined string is then hashed, which keeps the value short and easy to compare even when a rule model contains many rules.
Step 1042: and judging whether the hash value is equal to a preset hash value, and if so, indicating that the rule model is hit.
In this step the preset hash value represents a hit of the rule model: it is the hash of the combined result obtained when every rule in the rule model hits, that is, the same concatenation of normalized results with every hit flag set to 1. Because the concatenation is order-sensitive, the rule results must be combined in the same fixed order when the preset value is computed and when the value to compare is computed. If the hash value is not equal to the preset hash value, the rule model is not hit.
The steps 1041-1042 can efficiently obtain the detection result of each rule model, and then comprehensively analyze the detection result to obtain the detection conclusion of the object to be detected.
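The whole procedure of steps 102-104 (splitting rule models into distinct rules, evaluating each rule once with the mutual-exclusion and dependency tables, and deciding each rule model by hashing the combined normalized results), as summarized in the first aspect above, is shown here as an added worked example in Python. This is not code from the patent or from Antiy. The rule identifiers, the sample file and mail objects, the contents of the two tables and the choice of SHA-256 as the hash are all assumptions made for illustration; the mutual-exclusion shortcut is deliberately applied only after a hit, the one direction the relation supports.

```python
import hashlib

# Constructed sample objects (metadata only, no real malware): a file and a mail message.
SAMPLE_FILE = {"format": "pe", "self_extracting": True, "file_name_count": 2,
               "extension": ".montserver", "attachments": []}
SAMPLE_MAIL = {"format": "mail", "self_extracting": False, "file_name_count": 0,
               "extension": "", "attachments": ["invoice.docm"]}

# Rules are the smallest unit of detection: hypothetical rule ID -> judging condition.
RULES = {
    "is_exe":         lambda o: o["format"] == "pe",
    "is_sfx":         lambda o: o["self_extracting"],
    "two_names":      lambda o: o["file_name_count"] == 2,
    "ext_montserver": lambda o: o["extension"] == ".montserver",
    "ext_odveta":     lambda o: o["extension"] == ".odveta",
    "is_mail":        lambda o: o["format"] == "mail",
    "mail_attach":    lambda o: bool(o["attachments"]),
}

# Rule models (rule groups) reference rules by ID; "is_exe" and "is_sfx" recur across models.
RULE_MODELS = {
    "suspicious_sfx":       ["is_sfx", "two_names"],
    "suspicious_exe":       ["is_exe", "is_sfx"],
    "ransom_montserver":    ["is_exe", "ext_montserver"],
    "ransom_odveta":        ["is_exe", "ext_odveta"],
    "mail_with_attachment": ["is_mail", "mail_attach"],
}

# Prestored mutual-exclusion table: a HIT on the key rule implies a MISS on each listed rule.
# A miss on the key rule says nothing about the others, so only hits are propagated below.
MUTEX = {"ext_montserver": ["ext_odveta"], "ext_odveta": ["ext_montserver"],
         "is_exe": ["is_mail"], "is_mail": ["is_exe"]}

# Prestored dependency table: rule -> rule that must have hit before this one is evaluated.
DEPENDS_ON = {"mail_attach": "is_mail"}


def split_rule_models(models):
    """Step 102: collect every distinct rule once, in first-seen order."""
    rule_ids = []
    for ids in models.values():
        for rid in ids:
            if rid not in rule_ids:
                rule_ids.append(rid)
    return rule_ids


def order_by_dependency(rule_ids, depends_on):
    """Step 1031': place each dependent rule after the rule it depends on."""
    ordered = []

    def visit(rid, chain):
        if rid in ordered:
            return
        dep = depends_on.get(rid)
        if dep in rule_ids:
            if dep in chain:
                raise ValueError(f"cyclic dependency at {rid}")
            visit(dep, chain + (rid,))
        ordered.append(rid)

    for rid in rule_ids:
        visit(rid, ())
    return ordered


def evaluate_rules(obj, rule_ids, rules, mutex, depends_on):
    """Step 103: evaluate each rule at most once, skipping work via the two tables.
    Returns ({rule_id: hit}, number of rules actually evaluated)."""
    results, evaluated = {}, 0
    for rid in order_by_dependency(rule_ids, depends_on):
        if rid in results:            # result already inferred through mutual exclusion
            continue
        dep = depends_on.get(rid)
        if dep is not None and not results.get(dep, False):
            results[rid] = False      # step 1032': dependency missed -> skip, record a miss
            continue
        hit = bool(rules[rid](obj))   # step 1031: the rule is evaluated exactly once
        evaluated += 1
        results[rid] = hit
        if hit:                       # steps 10311-10312: a hit fixes its mutex partners as misses
            for other in mutex.get(rid, ()):
                results.setdefault(other, False)
    return results, evaluated


def normalize(rule_id, hit):
    """Step 1041: rule ID + hit flag, e.g. normalize('aaf8c91cd5', False) == 'aaf8c91cd50'."""
    return f"{rule_id}{1 if hit else 0}"


def combined_hash(rule_ids, hits_by_rule):
    """Steps 1041-1042: hash of the '-'-joined normalized results, in the model's rule order."""
    combined = "-".join(normalize(rid, hits_by_rule.get(rid, False)) for rid in rule_ids)
    return hashlib.sha256(combined.encode()).hexdigest()


def detect(obj, models, rules, mutex, depends_on):
    """Steps 102-104: returns ({model: hit}, {rule: hit}, number of rules evaluated)."""
    rule_ids = split_rule_models(models)
    results, evaluated = evaluate_rules(obj, rule_ids, rules, mutex, depends_on)
    hits = {}
    for name, ids in models.items():
        preset = combined_hash(ids, {rid: True for rid in ids})   # value for "all rules hit"
        hits[name] = combined_hash(ids, results) == preset
    return hits, results, evaluated


if __name__ == "__main__":
    for label, obj in (("file", SAMPLE_FILE), ("mail", SAMPLE_MAIL)):
        hits, _, n = detect(obj, RULE_MODELS, RULES, MUTEX, DEPENDS_ON)
        print(label, "evaluated", n, "of", len(RULES), "rules; hit models:",
              [m for m, h in hits.items() if h])
```

On the sample file the five models reference ten rule slots but only seven distinct rules exist after splitting, and only four of those are actually evaluated: the montserver hit fixes the odveta rule as a miss, the executable hit fixes the mail rule as a miss, and the attachment rule is skipped because its dependency missed. The hash comparison is exactly an AND over the model's rules; the hash only keeps the compared value short, it adds no security, so any stable hash would do.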
In summary, with the security detection method of the embodiment, an object to be detected and the plurality of rule models required for its security detection are first obtained; the rule models are then split into the rules they contain; the object is detected with those rules to obtain a detection result for each rule; and finally the detection result of each rule model is derived from the detection results of its rules. The embodiment thus takes the rule (judging condition), rather than the rule model (rule group) of the prior art, as the minimum unit of detection. When several rule models share a rule, or when many rules hit without their rule models hitting, the same rule no longer has to be evaluated once per rule model: it is evaluated once, which avoids a large amount of redundant computation. When a rule is modified, added or deleted, only the changed rule needs to be re-evaluated instead of every rule model. The method and device therefore have low computing-resource occupation and high detection efficiency, solve the resource and efficiency problems caused in the traditional method by a large number of rule models or frequent rule changes, and are particularly suitable for detection scenarios with a large data volume.
In another aspect, an embodiment of the present invention provides a security detection device, as shown in fig. 2, where the security detection device may include:
a first obtaining module 11, configured to obtain an object to be detected and a plurality of rule models required for performing security detection on the object to be detected;
a splitting module 12, configured to split the rule models to obtain a plurality of rules contained in the rule models;
the detection module 13 is configured to detect the object to be detected by using the plurality of rules, so as to obtain a detection result of each rule;
and the second obtaining module 14 is configured to obtain a detection result corresponding to each rule model according to the detection result of each rule.
The device of this embodiment may be used to implement the technical solution of the method embodiment shown in fig. 1, and its implementation principle and technical effects are similar, and are not described here again.
Preferably, the first obtaining module 11 includes:
the first acquisition unit is used for acquiring the type of the object to be detected;
and the second acquisition unit is used for acquiring a plurality of rule models required for carrying out safety detection on the object to be detected according to the type.
Preferably, the detection module 13 includes:
the first traversing unit is used for traversing the rules, judging whether the object to be detected is detected by using the rule with the mutual exclusion relation with the current rule according to a prestored rule mutual exclusion relation table, if yes, skipping the current rule, and if not, detecting the object to be detected by using the current rule to obtain a detection result of the current rule.
Preferably, the first traversing unit includes:
the obtaining subunit is used for obtaining a known detection result of the rule with the mutual exclusion relation with the current rule for detecting the object to be detected;
and the setting subunit is used for setting the detection result of the current rule to be an opposite detection result according to the known detection result.
Preferably, the detection module 13 includes:
the ordering unit is used for arranging, according to a prestored rule dependency relation table, each rule that depends on the detection result of another rule after the rule it depends on;
and the second traversing unit is used for traversing the rules in order and judging whether the rule that the current rule depends on has hit; if so, detecting the object to be detected with the current rule to obtain its detection result, and if not, skipping the current rule.
Preferably, the second obtaining module 14 includes:
the combination unit is used for sequentially combining detection results of a plurality of rules contained in each rule model and carrying out hash operation on the combined results to obtain hash values;
and the judging unit is used for judging whether the hash value is equal to a preset hash value or not, and if so, the rule model is hit.
The embodiment of the present invention further provides an electronic device, fig. 3 is a schematic structural diagram of an embodiment of the electronic device of the present invention, and may implement a flow of the embodiment of fig. 1 of the present invention, as shown in fig. 3, where the electronic device may include: the device comprises a shell 41, a processor 42, a memory 43, a circuit board 44 and a power circuit 45, wherein the circuit board 44 is arranged in a space surrounded by the shell 41, and the processor 42 and the memory 43 are arranged on the circuit board 44; a power supply circuit 45 for supplying power to the respective circuits or devices of the above-described electronic apparatus; the memory 43 is for storing executable program code; the processor 42 runs a program corresponding to the executable program code by reading the executable program code stored in the memory 43 for performing the method described in any of the method embodiments described above.
The specific implementation of the above steps by the processor 42 and the further implementation of the steps by the processor 42 through the execution of the executable program code may be referred to in the description of the embodiment of fig. 1 of the present invention, which is not repeated herein.
The electronic device exists in a variety of forms including, but not limited to:
(1) A mobile communication device: such devices are characterized by mobile communication capabilities and are primarily aimed at providing voice, data communications. Such terminals include: smart phones (e.g., iPhone), multimedia phones, functional phones, and low-end phones, etc.
(2) Ultra mobile personal computer device: such devices are in the category of personal computers, having computing and processing functions, and generally also having mobile internet access characteristics. Such terminals include: PDA, MID, and UMPC devices, etc., such as iPad.
(3) Portable entertainment device: such devices may display and play multimedia content. The device comprises: audio, video players (e.g., iPod), palm game consoles, electronic books, and smart toys and portable car navigation devices.
(4) And (3) a server: the configuration of the server includes a processor, a hard disk, a memory, a system bus, and the like, and the server is similar to a general computer architecture, but is required to provide highly reliable services, and thus has high requirements in terms of processing capacity, stability, reliability, security, scalability, manageability, and the like.
(5) Other electronic devices with data interaction functions.
Embodiments of the present invention also provide a computer-readable storage medium storing a computer program which, when executed by a processor, implements the method steps of any of the method embodiments described above.
Embodiments of the present invention also provide an application program which, when executed, implements the method provided by any of the method embodiments of the present invention.
It is noted that relational terms such as "first" and "second" are used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual relationship or order between them. Moreover, the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to that process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in the process, method, article or apparatus that comprises the element.
In this specification each embodiment is described in a progressive manner: identical and similar parts of the embodiments refer to each other, and each embodiment mainly describes its differences from the others. In particular, the device embodiments are substantially similar to the method embodiments, so their description is relatively brief and reference is made to the corresponding parts of the method embodiments. For convenience of description the above apparatus is described as divided by function into various units/modules; of course, when implementing the present invention the functions of the various units/modules may be implemented in one or more pieces of software and/or hardware.
Those skilled in the art will appreciate that all or part of the methods of the above embodiments may be implemented by a computer program stored on a computer-readable storage medium which, when executed, performs the steps of the method embodiments described above. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM) or the like.
The foregoing is merely illustrative of the present invention and does not limit it; any change or substitution readily conceived by those skilled in the art within the scope of the present invention should be included in the present invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.

Claims (10)

1. A security detection method, comprising:
acquiring an object to be detected and a plurality of rule models required for security detection of the object to be detected;
splitting the rule models to obtain the plurality of rules contained in the rule models;
detecting the object to be detected using the rules to obtain a detection result for each rule; and
obtaining a detection result corresponding to each rule model according to the detection result of each rule;
wherein detecting the object to be detected using the rules to obtain a detection result for each rule comprises: traversing the rules and, for the current rule, determining from a prestored rule mutual-exclusion table whether the object to be detected has already been detected with a rule that is mutually exclusive with the current rule; if so, skipping the current rule; if not, detecting the object to be detected with the current rule to obtain the detection result of the current rule;
or detecting the object to be detected using the rules to obtain a detection result for each rule comprises: arranging, according to a prestored rule dependency table, each rule that depends on the detection result of another rule after the rule it depends on; traversing the rules in that order and, for the current rule, determining whether the rule it depends on has hit; if so, detecting the object to be detected with the current rule to obtain the detection result of the current rule; if not, skipping the current rule.
2. The method according to claim 1, wherein acquiring the object to be detected and the plurality of rule models required for security detection of the object to be detected comprises:
acquiring the type of the object to be detected; and
acquiring, according to that type, the plurality of rule models required for security detection of the object to be detected.
3. The method according to claim 1, wherein skipping the current rule if so comprises:
acquiring the known detection result obtained by detecting the object to be detected with the rule that is mutually exclusive with the current rule; and
setting the detection result of the current rule to the opposite of that known detection result.
4. The method according to any one of claims 1 to 3, wherein obtaining the detection result corresponding to each rule model according to the detection result of each rule comprises:
for each rule model, combining in sequence the detection results of the plurality of rules contained in the rule model and performing a hash operation on the combined result to obtain a hash value; and
determining whether the hash value equals a preset hash value, and if so, indicating that the rule model is hit.
5. A security detection device, comprising:
a first acquisition module for acquiring an object to be detected and a plurality of rule models required for security detection of the object to be detected;
a splitting module for splitting the rule models to obtain the rules contained in the rule models;
a detection module for detecting the object to be detected using the rules to obtain a detection result for each rule; and
a second acquisition module for obtaining a detection result corresponding to each rule model according to the detection result of each rule;
wherein the detection module comprises a first traversal unit for traversing the rules and, for the current rule, determining from a prestored rule mutual-exclusion table whether the object to be detected has already been detected with a rule that is mutually exclusive with the current rule; if so, skipping the current rule; if not, detecting the object to be detected with the current rule to obtain the detection result of the current rule;
or the detection module comprises an ordering unit for arranging, according to a prestored rule dependency table, each rule that depends on the detection result of another rule after the rule it depends on; and a second traversal unit for traversing the rules in that order and, for the current rule, determining whether the rule it depends on has hit; if so, detecting the object to be detected with the current rule to obtain the detection result of the current rule; if not, skipping the current rule.
6. The device according to claim 5, wherein the first acquisition module comprises:
a first acquisition unit for acquiring the type of the object to be detected; and
a second acquisition unit for acquiring, according to that type, the plurality of rule models required for security detection of the object to be detected.
7. The device according to claim 5, wherein the first traversal unit comprises:
an acquisition subunit for acquiring the known detection result obtained by detecting the object to be detected with the rule that is mutually exclusive with the current rule; and
a setting subunit for setting the detection result of the current rule to the opposite of that known detection result.
8. The device according to any one of claims 5 to 7, wherein the second acquisition module comprises:
a combination unit for combining in sequence, for each rule model, the detection results of the plurality of rules contained in the rule model and performing a hash operation on the combined result to obtain a hash value; and
a judging unit for determining whether the hash value equals a preset hash value, and if so, indicating that the rule model is hit.
9. An electronic device, comprising a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged in the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or component of the electronic device; the memory stores executable program code; and the processor, by reading the executable program code stored in the memory, executes the program corresponding to that code so as to perform the method of any one of claims 1 to 4.
10. A computer-readable storage medium storing one or more programs which, when executed by one or more processors, implement the method of any one of claims 1 to 4.
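The method of claims 1 to 4, written out as a small rule engine. This is an added example, not code from the patent or from the assignee's product; the rule names, predicates, sample objects, the use of SHA-256 as the hash operation, and the dictionary layout of the mutual-exclusion and dependency tables are all assumptions. It runs both alternatives of claim 1 in a single traversal: the rules are first ordered so that each rule follows the rule it depends on (second alternative), and at each step the prestored mutual-exclusion table is consulted before the rule is run (first alternative, with the opposite-result shortcut of claim 3). Each distinct rule is evaluated at most once no matter how many models reference it, which is where the low resource usage claimed in the abstract comes from.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Obj = Dict[str, object]
Verdict = Optional[bool]  # True = hit, False = miss, None = skipped (dependency not hit)

@dataclass(frozen=True)
class RuleModel:
    name: str
    rule_names: Tuple[str, ...]  # ordered: the order is part of the hashed pattern
    preset_hash: str             # stored hash of the result pattern that means "model hit"

def combine_and_hash(results: List[bool]) -> str:
    """Claim 4: concatenate the per-rule results in model order, then hash them.
    SHA-256 is an assumption; the patent does not name the hash function."""
    pattern = "".join("1" if r else "0" for r in results)
    return hashlib.sha256(pattern.encode("ascii")).hexdigest()

# Constructed rule library; rule names and predicates are assumptions for illustration.
RULES: Dict[str, Callable[[Obj], bool]] = {
    "is_pe": lambda o: o["type"] == "pe",
    "is_elf": lambda o: o["type"] == "elf",
    "signed": lambda o: bool(o["signed"]),
    "unsigned": lambda o: not o["signed"],
    "high_entropy": lambda o: float(o["entropy"]) > 7.2,
    "pe_injection_imports": lambda o: bool(
        {"WriteProcessMemory", "CreateRemoteThread"} & set(o["imports"])),
}

# Prestored mutual-exclusion table (claims 1 and 3). The opposite-result shortcut of
# claim 3 is only sound for complementary pairs, so only such pairs may be listed here.
EXCLUSIVE: Dict[str, str] = {"signed": "unsigned", "unsigned": "signed"}

# Prestored dependency table (claim 1, second alternative): rule -> rule it depends on.
DEPENDS_ON: Dict[str, str] = {"pe_injection_imports": "is_pe"}

# Rule models per object type (claim 2); preset_hash is computed once by the model author.
MODELS_BY_TYPE: Dict[str, List[RuleModel]] = {
    "pe": [
        RuleModel("packed_unsigned_pe", ("is_pe", "unsigned", "high_entropy"),
                  combine_and_hash([True, True, True])),
        RuleModel("injector_pe", ("is_pe", "pe_injection_imports", "signed"),
                  combine_and_hash([True, True, False])),
    ],
    "elf": [RuleModel("packed_elf", ("is_elf", "high_entropy"),
                      combine_and_hash([True, True]))],
}

def select_models(obj: Obj) -> List[RuleModel]:
    """Claim 2: choose the rule models from the type of the object to be detected."""
    return MODELS_BY_TYPE.get(str(obj["type"]), [])

def split_models(models: List[RuleModel]) -> List[str]:
    """Claim 1: split the models into their rules, deduplicated, in first-seen order."""
    return list(dict.fromkeys(r for m in models for r in m.rule_names))

def order_by_dependency(names: List[str]) -> List[str]:
    """Place every rule after the rule it depends on (stable depth-first ordering)."""
    ordered: List[str] = []
    def visit(name: str) -> None:
        if name not in ordered:
            if name in DEPENDS_ON:
                visit(DEPENDS_ON[name])
            ordered.append(name)
    for name in names:
        visit(name)
    return ordered

def evaluate_rules(obj: Obj, names: List[str]) -> Tuple[Dict[str, Verdict], List[str]]:
    """Claims 1 and 3: one pass over the rules; returns verdicts and the rules actually run."""
    results: Dict[str, Verdict] = {}
    executed: List[str] = []
    for name in order_by_dependency(names):
        partner = EXCLUSIVE.get(name)
        if partner is not None and results.get(partner) is not None:
            results[name] = not results[partner]  # invert the known result, do not run
            continue
        dep = DEPENDS_ON.get(name)
        if dep is not None and not results.get(dep):
            results[name] = None  # the rule it depends on missed or was skipped: skip
            continue
        results[name] = RULES[name](obj)
        executed.append(name)
    return results, executed

def detect(obj: Obj, models: List[RuleModel]) -> Dict[str, bool]:
    """Claims 1 and 4: evaluate each distinct rule once, then match every model by hash."""
    results, _ = evaluate_rules(obj, split_models(models))
    hits: Dict[str, bool] = {}
    for m in models:
        vector = [bool(results[r]) for r in m.rule_names]  # a skipped rule counts as a miss
        hits[m.name] = combine_and_hash(vector) == m.preset_hash
    return hits

# Constructed sample objects; these are not real files.
PE_SAMPLE: Obj = {"type": "pe", "signed": False, "entropy": 7.6,
                  "imports": ["VirtualAlloc", "WriteProcessMemory"]}
ELF_SAMPLE: Obj = {"type": "elf", "signed": False, "entropy": 5.1, "imports": []}

if __name__ == "__main__":
    print(detect(PE_SAMPLE, select_models(PE_SAMPLE)))    # {'packed_unsigned_pe': True, 'injector_pe': True}
    print(detect(ELF_SAMPLE, select_models(ELF_SAMPLE)))  # {'packed_elf': False}
```

Two points a practitioner would check before adopting this scheme. The opposite-result shortcut of claim 3 is only correct when a mutually exclusive pair is also exhaustive, that is, exactly one of the two rules holds for every object; for pairs that merely cannot both hit, a known hit lets you infer a miss on the partner, but a known miss tells you nothing and the partner must be run. The hash of claim 4 is simply an equality test on the ordered result vector, so a skipped rule must map to the same value (here a miss) both when the preset hash is generated and at match time, and the order of rules inside a model must never change without regenerating its preset hash.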

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111529078.9A CN114338102B (en) 2021-12-14 2021-12-14 Security detection method, security detection device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114338102A CN114338102A (en) 2022-04-12
CN114338102B true CN114338102B (en) 2024-03-19

Family

ID=81051264

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111529078.9A Active CN114338102B (en) 2021-12-14 2021-12-14 Security detection method, security detection device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114338102B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115589330B (en) * 2022-11-09 2023-03-24 北京邮电大学 Safety detection device and method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108234524A (en) * 2018-04-02 2018-06-29 广州广电研究院有限公司 Method, apparatus, equipment and the storage medium of network data abnormality detection
CN109543942A (en) * 2018-10-16 2019-03-29 平安普惠企业管理有限公司 Data verification method, device, computer equipment and storage medium
CN111524008A (en) * 2020-04-16 2020-08-11 天使方舟有限公司 Rule engine and modeling method thereof, modeling device and instruction processing method
CN112801667A (en) * 2021-01-21 2021-05-14 ***股份有限公司 Real-time transaction abnormity detection method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102868571B (en) * 2012-08-07 2015-04-08 华为技术有限公司 Method and device for rule matching

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant