CN115484070A - Security detection method and security detection device for encrypted file - Google Patents
Security detection method and security detection device for encrypted file
- Publication number: CN115484070A (application number CN202211027716.1A)
- Authority: CN (China)
- Prior art keywords: encrypted file, detected, file, encrypted, password
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1483: Network architectures or network communication protocols for network security (H04L63/00); for detecting or protecting against malicious traffic (H04L63/14); countermeasures against malicious traffic (H04L63/1441); countermeasures against service impersonation, e.g. phishing, pharming or web spoofing
- H04L67/06: Network arrangements or protocols for supporting network services or applications (H04L67/00); protocols (H04L67/01); protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
Landscapes: Engineering & Computer Science; Computer Security & Cryptography; Computer Networks & Wireless Communication; Signal Processing; Computer Hardware Design; Computing Systems; General Engineering & Computer Science; Storage Device Security
Abstract
The invention provides a security detection method and a security detection device for encrypted files. The method comprises: acquiring an encrypted file to be detected together with its context data; determining the encryption mode and the password of the encrypted file from the context data and the file itself; decrypting the file with that encryption mode and password to obtain the corresponding plaintext target file; and performing security detection on the plaintext target file. The method and device address the evasion technique of delivering a file in encrypted form so that it bypasses file detection. A typical case is a phishing mail whose attachment is an encrypted, compressed malicious file, which conventional devices cannot inspect; the invention automatically recovers the plaintext target file corresponding to the malicious encrypted archive and subjects it to security detection.
Description
Technical Field
The present invention relates to the field of communications security, and in particular to a security detection method and a security detection apparatus for encrypted files.
Background
In mail security, traffic threat detection, application security and similar fields, when an attacker sends a malicious file (for example a backdoor executable) directly in a mail, an application upload or the like, the file is usually extracted and subjected to detection such as static scanning and dynamic analysis (covering not only virus detection but also data leakage and so on). If instead the attacker compresses and encrypts the original file with an archive format and attaches the decryption password alongside it, the original file cannot be obtained by static or dynamic analysis, and these detection means are effectively bypassed. This scenario has seriously degraded security detection capability, and a technique for detecting such encrypted attachments is urgently needed.
Disclosure of Invention
The invention provides a security detection method and a security detection device for encrypted files, addressing the technical problem of how to perform security detection on an encrypted attachment.
The security detection method of the encrypted file according to the embodiment of the invention comprises the following steps:
acquiring an encrypted file to be detected and context data of the encrypted file to be detected;
acquiring an encryption mode and a password of the encrypted file to be detected based on the context data and the encrypted file to be detected;
decrypting the encrypted file to be detected through the encryption mode and the password to obtain a plaintext target file corresponding to the encrypted file to be detected;
and carrying out security detection on the plaintext target file.
According to some embodiments of the invention, the encrypted file to be detected comprises: mail attachments, files reconstructed from network traffic, and files uploaded to applications.
In some embodiments of the present invention, when the encrypted file to be detected is a mail attachment, the acquired context data comprises the mail subject and the mail body;
when the encrypted file to be detected is a file reconstructed from network traffic, the acquired context data comprises the text data associated with the protocol parsing before and after the reconstructed file;
when the encrypted file to be detected is an application upload, the acquired context data comprises the upload's file description information.
According to some embodiments of the present invention, the encryption mode and the password of the encrypted file to be detected are obtained by an intelligent detection service applying a preset algorithm to the context data and the encrypted file.
In some embodiments of the present invention, when the intelligent detection service cannot obtain the encryption mode and the password, they are obtained by a rule detection service using preset matching rules.
According to some embodiments of the invention, the preset matching rules comprise:
if the suffix of the encrypted file to be detected is one of tar, zip and rar, the encryption mode is judged to be compression encryption;
and if the file header of the encrypted file to be detected is 50 4b 03 04 (the ZIP local file header signature), the encryption mode is judged to be compression encryption.
In some embodiments of the present invention, the preset matching rules comprise: acquiring the password with a regular-expression extraction rule.
According to some embodiments of the invention, when the encryption mode cannot be acquired through the rule detection service either, the encryption mode of the encrypted file to be detected is determined by traversing a preset library of decryption methods.
In some embodiments of the present invention, when the password cannot be obtained through the rule detection service either, the password of the encrypted file to be detected is determined by traversing a preset password library.
The security detection device for an encrypted file according to an embodiment of the invention executes the security detection method described above and comprises:
a data docking module for acquiring an encrypted file to be detected and its context data;
a detection module for obtaining the encryption mode and the password of the encrypted file based on the context data and the file;
a decryption module for decrypting the encrypted file with the encryption mode and password to obtain the corresponding plaintext target file;
and a security detection module for performing security detection on the plaintext target file.
The security detection method and device for encrypted files address the evasion technique of sending a file in encrypted form to bypass file detection. In the typical case of a phishing mail whose attachment is an encrypted, compressed malicious file, which conventional devices cannot inspect, the invention automatically recovers the plaintext target file from the malicious encrypted archive and performs security detection on it.
Drawings
FIG. 1 is a flow chart of a method for security detection of encrypted files according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a security detection method for an encrypted file according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a security detection apparatus for an encrypted file according to an embodiment of the present invention.
Reference numerals:
security detection device 100;
data docking module 10, detection module 20, decryption module 30, security detection module 40.
Detailed Description
To further illustrate the technical means and effects adopted by the present invention to achieve its purposes, the invention is described in detail below with reference to the accompanying drawings and preferred embodiments.
The method flows described in this specification and the flow-chart steps in the drawings need not be executed strictly in the numbered order; the execution order of the steps may be changed. Moreover, certain steps may be omitted, multiple steps may be merged into one, and a step may be split into several.
As shown in FIG. 1, a security detection method for an encrypted file according to an embodiment of the present invention includes:
S100, acquiring an encrypted file to be detected and context data of the encrypted file to be detected;
S200, obtaining the encryption mode and the password of the encrypted file to be detected based on the context data and the encrypted file;
S300, decrypting the encrypted file to be detected with the encryption mode and the password to obtain the corresponding plaintext target file;
S400, performing security detection on the plaintext target file.
The security detection method for an encrypted file therefore addresses the evasion technique of sending a file in encrypted form to bypass file detection: in the typical case of a phishing mail whose attachment is an encrypted, compressed malicious file, which conventional devices cannot inspect, the invention automatically recovers the plaintext target file from the malicious encrypted archive and performs security detection on it.
According to some embodiments of the invention, the encrypted file to be detected comprises: mail attachments, files reconstructed from network traffic, and files uploaded to applications. These are only examples; other types of encrypted file can be inspected in the same way.
In some embodiments of the present invention, when the encrypted file to be detected is a mail attachment, the acquired context data comprises the mail subject and the mail body;
when the encrypted file to be detected is a file reconstructed from network traffic, the acquired context data comprises the text data associated with the protocol parsing before and after the reconstructed file;
when the encrypted file to be detected is an application upload, the acquired context data comprises the upload's file description information.
When the encrypted file to be detected is of another type, the context data appropriate to that type is acquired.
According to some embodiments of the invention, the intelligent detection service obtains the encryption mode and the password by applying a preset algorithm to the context data and the encrypted file; for example, the preset algorithm may be an NLP algorithm. The invention is not limited to any particular model; various standard algorithm models can be used to identify the encryption scheme and the password, so that the encryption type and the password of the encrypted file can be acquired automatically.
In some embodiments of the present invention, when the intelligent detection service cannot obtain the encryption mode and the password, the rule detection service obtains them using preset matching rules. The rule detection service supplements the intelligent detection service: when the latter fails to yield the encryption mode and password, they can still be acquired automatically through the rules.
According to some embodiments of the invention, the preset matching rules comprise:
if the suffix of the encrypted file to be detected is one of tar, zip and rar, the encryption mode is judged to be compression encryption;
and if the file header of the encrypted file to be detected is 50 4b 03 04 (the ZIP local file header signature), the encryption mode is judged to be compression encryption.
In some embodiments of the invention, the preset matching rules comprise acquiring the password with a regular-expression extraction rule, for example a pattern of the form (password | password) |? \\ b, from which capture group 3 is taken as the password. This rule is only an example to aid understanding of the scheme; in practice the extraction pattern is chosen and configured according to actual requirements.
According to some embodiments of the invention, when the encryption mode cannot be acquired through the rule detection service, a preset library of decryption methods is traversed to determine the encryption mode of the encrypted file. For example, the library may contain every supported decryption algorithm, and when neither the intelligent detection service nor the rule detection service yields the encryption mode, all supported algorithms are tried in turn.
In some embodiments of the present invention, when the password cannot be obtained through the rule detection service, a preset password library is traversed to determine the password of the encrypted file. For example, custom passwords may be added to the library in advance, and the password of the encrypted file is determined by trying each entry.
As shown in FIG. 3, the security detection apparatus 100 for an encrypted file according to an embodiment of the present invention executes the security detection method described above and comprises: a data docking module 10, a detection module 20, a decryption module 30 and a security detection module 40.
The data docking module 10 acquires an encrypted file to be detected and its context data;
the detection module 20 obtains the encryption mode and the password of the encrypted file based on the context data and the file;
the decryption module 30 decrypts the encrypted file with the encryption mode and password to obtain the corresponding plaintext target file;
and the security detection module 40 performs security detection on the plaintext target file.
The security detection apparatus 100 thus addresses the evasion technique of sending a file in encrypted form to bypass file detection: in the typical case of a phishing mail whose attachment is an encrypted, compressed malicious file, which conventional devices cannot inspect, it automatically recovers the plaintext target file from the malicious encrypted archive and performs security detection on it.
The security detection method and the security detection apparatus 100 are described in detail below with reference to the accompanying drawings. The following description is exemplary only and should not be construed as limiting the present invention.
1. Acquiring an encrypted file to be detected and its context data:
As shown in FIG. 2, the data docking module 10 collects the context data and the corresponding encrypted file to be detected.
The context log of the system being connected and the corresponding encrypted file are extracted, and the relationship between the two is mapped for subsequent analysis and detection. Examples of context log and encrypted file by scenario:
Mail: the context is the mail subject and body, and the encrypted file to be detected is the mail attachment (custom configuration supported).
Traffic threat detection: the context is the text data associated with the protocol parsing immediately before and after the encrypted file, and the encrypted file to be detected is the file reconstructed from traffic (custom configuration supported).
Application security threat detection: the upload's file description information serves as the context log, and the uploaded attachment file is the encrypted file to be detected.
Other scenarios: the context and file data to be accessed can be configured as needed.
The data docking module 10 supports both the connected system actively pushing its logs and the module actively connecting to that system and collecting the corresponding data. The collection of context data is configurable: for example, the DATA section of an SMTP session can be designated as the context associated with the file, or the POST data of an /upload request.
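Worked example of the docking step for the mail scenario, added here and not part of the patent: it parses a raw RFC 822 message (the DATA section of an SMTP session, or an .eml pulled from the mail system) with Python's standard email package and maps each attachment to its context, the subject and body text, which the later identification steps consume. The sample message is constructed in the code from the lure in the text; its attachment is a placeholder blob (the ZIP signature plus padding), not a real archive.

```python
import email
import email.policy
from email.message import EmailMessage


def build_sample_mail():
    """Constructed phishing-style message mirroring the lure in the text. The
    attachment is a placeholder blob, not a real archive."""
    msg = EmailMessage()
    msg["From"] = "hr@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "公司年终奖信息"
    msg.set_content("以下是公司年终奖信息，请用解压软件打开，解压密码是：AUSjc@1223。")
    msg.add_attachment(b"PK\x03\x04" + bytes(26), maintype="application",
                       subtype="zip", filename="bonus.zip")
    return msg.as_bytes()


def dock_mail(raw_message):
    """Data docking for the mail scenario: parse the raw message and return one
    record per attachment, each mapped to the context (subject + body text) in
    which the detection step will look for the encryption mode and password."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    context = {
        "subject": str(msg["Subject"] or ""),
        "body": body_part.get_content() if body_part is not None else "",
    }
    records = []
    for part in msg.iter_attachments():          # Content-Disposition: attachment parts
        records.append({
            "filename": part.get_filename() or "",
            "content_type": part.get_content_type(),
            "data": part.get_payload(decode=True) or b"",   # transfer encoding removed
            "context": context,
        })
    return records


if __name__ == "__main__":
    for rec in dock_mail(build_sample_mail()):
        print(rec["filename"], rec["content_type"], len(rec["data"]), "bytes")
        print("context:", rec["context"])
```

The body text is kept verbatim rather than normalised, since the password token must survive exactly as the sender wrote it; any stripping of punctuation belongs to the extraction rule, not to docking.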
2. Intelligent detection service:
The received context log and encrypted file data are analysed to identify the encryption method of the encrypted file and the corresponding password. The following uses an email phishing scenario:
To bypass detection of malicious files in the mailbox, an attacker commonly transmits the malicious file in encrypted, compressed form and places lure text and the password in the mail body, for example a phishing mail body such as:
Attached is the company's year-end bonus information; please open it with decompression software. The decompression password is: AUSjc@1223.
At this point mail security scanning cannot inspect the encrypted attachment; once the recipient of the phishing mail downloads the attachment and decrypts it with the password, the malicious file is released and the attack finally succeeds.
The intelligent detection service identifies the encryption mode and the password with algorithms such as NLP (the algorithm model is not limited; various standard models can be used). From the context log (the mail body) it identifies the encryption mode as compression encryption and the password as AUSjc@1223.
3. Rule detection service:
The rule detection service supplements the intelligent detection service by identifying the encryption mode and password through custom rules. Taking the same phishing attachment scanning scenario, suppose the mail body reads:
Attached is the company's year-end bonus information; the password is: AUSjc@1223.
The intelligent detection service can then only output encryption mode: unknown, password: AUSjc@1223.
In this case the rule detection service may be configured as follows:
1. Rule 1: if the file suffix is in (tar, zip, rar), the encryption mode is compression encryption;
2. Rule 2: if the file header is 50 4b 03 04, the encryption mode is compression encryption (detection by the file's magic bytes);
3. Matching rules can likewise be configured on fields such as the file name and file content;
4. Rule-based password extraction can also be performed with regular-expression extraction rules configured on the context, for example:
(password | password) |? \\ b, taking capture group 3 as the password.
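Worked example of the rule detection service, added here and not part of the patent: the suffix rule, the magic-byte rule and a regular-expression password extraction run over a constructed mail body, in Python. The regex, the suffix list and the sample inputs are this example's own (the page's own pattern is not reproduced). It goes one step beyond the rules in the text by also reading bit 0 of the general-purpose flag in the ZIP local file header, because the 50 4b 03 04 signature only proves the file is a ZIP, not that its entries are encrypted.

```python
import re
import struct

# Constructed sample context mirroring the lure in the text (not a real mail).
MAIL_BODY = ("以下是公司年终奖信息，请用解压软件打开，解压密码是：AUSjc@1223。\n"
             "Attached is the bonus list, the decompression password is: AUSjc@1223")

ZIP_LOCAL_HEADER_MAGIC = b"PK\x03\x04"        # bytes 50 4b 03 04
ARCHIVE_SUFFIXES = ("tar", "zip", "rar")      # the suffix rule from the text

# Password extraction rule of this example: a keyword, an optional "is",
# an optional colon (ASCII or full-width), then the next token.
PASSWORD_RE = re.compile(
    r"(?:密码|password|passwd|pwd)\s*(?:是|为|is)?\s*[:：]?\s*([^\s，,;；]+)",
    re.IGNORECASE)


def extract_password_candidates(context):
    """Return password candidates found in the context text, in order of
    appearance. Sentence punctuation after the token is ambiguous (a password
    may legitimately end in '.'), so both the raw and the stripped form are
    returned and the decryption step tries each."""
    seen, out = set(), []
    for match in PASSWORD_RE.finditer(context):
        raw = match.group(1)
        for cand in (raw, raw.rstrip(".。!！")):
            if cand and cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def identify_encryption(filename, data):
    """Magic-byte rule first, suffix rule second. The ZIP signature alone only
    proves the file is a ZIP, so the general-purpose flag at offset 6 of the
    local file header is read as well: bit 0 set means the entry is encrypted."""
    if data[:4] == ZIP_LOCAL_HEADER_MAGIC and len(data) >= 30:
        flags = struct.unpack_from("<H", data, 6)[0]
        return "zip-encrypted" if flags & 0x0001 else "zip-plain"
    suffix = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if suffix in ARCHIVE_SUFFIXES:
        return "compression-encryption-suspected"   # suffix alone is weak evidence
    return "unknown"


def make_local_header(name, flags):
    """Constructed 30-byte ZIP local file header followed by the entry name,
    with no payload: enough for the magic/flag check above."""
    return struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                       0, 0, 0, len(name), 0) + name


def rule_detect(filename, data, context):
    """Rule detection output in the shape the decryption step consumes."""
    return {"mode": identify_encryption(filename, data),
            "passwords": extract_password_candidates(context)}


if __name__ == "__main__":
    print(rule_detect("bonus.zip", make_local_header(b"bonus.exe", 0x0001), MAIL_BODY))
```

A suffix of tar or rar says nothing about encryption on its own (a plain tar is never encrypted), so the suffix result is reported as suspicion rather than a verdict, and the decryption step treats it as a reason to try, not a proof.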
4. Outputting the decrypted sample file:
With the encrypted file, the encryption mode and the password obtained as above, the file is decrypted using the decryption method and password corresponding to the encryption mode, yielding the decrypted plaintext target file.
If the encryption mode was not identified, traversal of all supported decryption methods can be enabled; this traversal mode is off by default, and the decryption module 30 supports custom plug-in development.
If the password was not identified, password traversal can be enabled; it is likewise off by default, and once enabled the built-in password library (to which custom entries can be added) is tried entry by entry.
Finally, the decrypted file is submitted to the built-in threat detection module for analysis, or reported to a third-party threat detection module for analysis.
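Worked example of step 4, added here and not part of the patent: it fabricates a ZipCrypto-encrypted archive in memory (standing in for the attacker's attachment, since Python's standard library can read but not write encrypted ZIPs), tries the context-derived password candidates and then a password library, and runs a small detection pass over the plaintext. Two caveats the text does not spell out are handled: ZipCrypto's 1-byte password check lets a wrong password through with probability 1/256, so a CRC mismatch raised while reading must also count as a failed attempt; and declared sizes are checked before and during inflation, against archive bombs. The password library, the payloads and the hash blocklist are constructed for this example. The standard zipfile module does not support AES-encrypted entries; those need a third-party library such as pyzipper.

```python
import hashlib
import io
import struct
import zipfile
import zlib

MAX_PLAINTEXT = 50 * 1024 * 1024                 # archive-bomb guard: never inflate past this
PASSWORD_LIBRARY = ["123456", "password", "infected", "AUSjc@1223"]   # constructed library
BACKDOOR_STANDIN = b"MZ\x90\x00constructed stand-in for a backdoor executable"
KNOWN_BAD_SHA256 = {hashlib.sha256(BACKDOOR_STANDIN).hexdigest()}     # constructed blocklist


def _gen_crc(crc):
    for _ in range(8):
        crc = (crc >> 1) ^ 0xEDB88320 if crc & 1 else crc >> 1
    return crc


_CRC_TABLE = [_gen_crc(i) for i in range(256)]


class ZipCrypto:
    """Encrypt side of traditional PKWARE ZIP encryption ("ZipCrypto"), the mirror of
    the decrypter in CPython's zipfile. Used here only to fabricate the sample."""

    def __init__(self, pwd):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in pwd.encode("utf-8"):
            self._update(b)

    def _update(self, c):
        k = self.k
        k[0] = (k[0] >> 8) ^ _CRC_TABLE[(k[0] ^ c) & 0xFF]
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = (k[2] >> 8) ^ _CRC_TABLE[(k[2] ^ (k[1] >> 24)) & 0xFF]

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            t = self.k[2] | 2
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)                      # keys advance on the plaintext byte
        return bytes(out)


def build_encrypted_zip(entries, pwd):
    """Constructed sample archive: STORED entries, flag bit 0 (encrypted) set, each
    prefixed by the 12-byte encryption header whose last byte is the CRC high byte
    (the 1-byte password check). Filler bytes are zero here; archivers use random."""
    body, central = b"", b""
    for name, plaintext in entries:
        crc = zlib.crc32(plaintext) & 0xFFFFFFFF
        enc = ZipCrypto(pwd).encrypt(bytes(11) + bytes([crc >> 24]) + plaintext)
        csize, usize, offset = len(enc), len(plaintext), len(body)
        body += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 0x21,
                            crc, csize, usize, len(name), 0) + name + enc
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0, 0x21,
                               crc, csize, usize, len(name), 0, 0, 0, 0, 0, offset) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(body), 0)
    return body + central + eocd


def try_decrypt(archive, candidates, library):
    """Context-derived candidates first, then the password library (the traversal
    fallback). A wrong password normally fails the 1-byte check (RuntimeError) but
    passes it with probability 1/256 and is then caught only by the CRC mismatch
    raised while reading (BadZipFile); both mean 'try the next password'."""
    zf = zipfile.ZipFile(io.BytesIO(archive))
    for pwd in list(candidates) + [p for p in library if p not in candidates]:
        files = {}
        try:
            for info in zf.infolist():
                if info.file_size > MAX_PLAINTEXT:
                    raise ValueError(f"{info.filename}: declared size too large")
                with zf.open(info, pwd=pwd.encode("utf-8")) as fh:
                    data = fh.read(MAX_PLAINTEXT + 1)   # the declared size can lie
                if len(data) > MAX_PLAINTEXT:
                    raise ValueError(f"{info.filename}: inflated beyond limit")
                files[info.filename] = data
        except (RuntimeError, zipfile.BadZipFile):
            continue
        return pwd, files
    return None, {}


def scan_plaintext(files):
    """Security detection on the recovered plaintext: hash blocklist, plus a PE image
    (MZ header) under a name that does not look like an executable."""
    findings = []
    for name, data in files.items():
        if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
            findings.append((name, "known-bad-sha256"))
        if data[:2] == b"MZ" and not name.lower().endswith((".exe", ".dll", ".scr")):
            findings.append((name, "pe-with-misleading-extension"))
    return findings


def analyse(archive, candidates, library=PASSWORD_LIBRARY):
    pwd, files = try_decrypt(archive, candidates, library)
    if pwd is None:
        return {"status": "undecryptable", "password": None, "findings": []}
    return {"status": "decrypted", "password": pwd, "findings": scan_plaintext(files)}


# Constructed attachment matching the lure; the password is the one the rule step
# extracted from the mail body.
SAMPLE_ARCHIVE = build_encrypted_zip(
    [(b"bonus_list.exe", BACKDOOR_STANDIN), (b"bonus_list.pdf", b"MZ\x90\x00" + bytes(60))],
    "AUSjc@1223")

if __name__ == "__main__":
    print(analyse(SAMPLE_ARCHIVE, ["AUSjc@1223。", "AUSjc@1223"]))
```

The plaintext is kept in memory and handed to the scanner as bytes rather than extracted to disk, which sidesteps path-traversal entry names entirely; if a downstream sandbox needs files on disk, write them under fresh generated names, never under the names recorded in the archive.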
In summary, the invention identifies the context data of the encrypted file to be detected and maps it to the file, uses an intelligent algorithm model and a rule model to identify the encryption mode and password described in that context, extracts the plaintext target file for file detection, and supports traversal when the encryption method and password of the encrypted file cannot be identified automatically.
The invention addresses the evasion technique of sending a file in encrypted form to bypass file detection: in the typical case of a phishing mail whose attachment is an encrypted, compressed malicious file, which conventional devices cannot inspect, it automatically recovers the plaintext target file from the malicious encrypted archive and performs security detection on it.
While the invention has been described with reference to specific embodiments, it will be understood that it may be embodied in other specific forms without departing from its spirit or scope as set out in the accompanying drawings and description.
Claims (10)
1. A security detection method for an encrypted file, characterized by comprising the following steps:
acquiring an encrypted file to be detected and context data of the encrypted file to be detected;
obtaining an encryption mode and a password of the encrypted file to be detected based on the context data and the encrypted file to be detected;
decrypting the encrypted file to be detected with the encryption mode and the password to obtain a plaintext target file corresponding to the encrypted file to be detected;
and performing security detection on the plaintext target file.
2. The security detection method for an encrypted file according to claim 1, wherein the encrypted file to be detected comprises: mail attachments, files reconstructed from network traffic, and files uploaded to applications.
3. The security detection method for an encrypted file according to claim 2, wherein when the encrypted file to be detected is the mail attachment, the acquired context data comprises the mail subject and the mail body;
when the encrypted file to be detected is the file reconstructed from network traffic, the acquired context data comprises the text data associated with the protocol parsing before and after the reconstructed file;
when the encrypted file to be detected is the application upload, the acquired context data comprises the upload's file description information.
4. The security detection method for an encrypted file according to claim 1, wherein the encryption mode and the password of the encrypted file to be detected are obtained by an intelligent detection service applying a preset algorithm to the context data and the encrypted file to be detected.
5. The security detection method for an encrypted file according to claim 4, wherein when the intelligent detection service cannot obtain the encryption mode and the password, they are obtained by a rule detection service using preset matching rules.
6. The security detection method for an encrypted file according to claim 5, wherein the preset matching rules comprise:
if the suffix of the encrypted file to be detected is one of tar, zip and rar, the encryption mode is judged to be compression encryption;
and if the file header of the encrypted file to be detected is 50 4b 03 04, the encryption mode is judged to be compression encryption.
7. The security detection method for an encrypted file according to claim 5, wherein the preset matching rules comprise: acquiring the password with a regular-expression extraction rule.
8. The security detection method for an encrypted file according to claim 5, wherein when the encryption mode cannot be obtained through the rule detection service, a preset library of decryption methods is traversed to determine the encryption mode of the encrypted file to be detected.
9. The security detection method for an encrypted file according to claim 5, wherein when the password cannot be obtained through the rule detection service, a preset password library is traversed to determine the password of the encrypted file to be detected.
10. A security detection device for an encrypted file, configured to perform the security detection method for an encrypted file according to any one of claims 1 to 9, the security detection device comprising:
a data docking module for acquiring an encrypted file to be detected and context data of the encrypted file to be detected;
a detection module for obtaining the encryption mode and the password of the encrypted file to be detected based on the context data and the encrypted file to be detected;
a decryption module for decrypting the encrypted file to be detected with the encryption mode and the password to obtain a plaintext target file corresponding to the encrypted file to be detected;
and a security detection module for performing security detection on the plaintext target file.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211027716.1A CN115484070A (en) | 2022-08-25 | 2022-08-25 | Security detection method and security detection device for encrypted file |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211027716.1A CN115484070A (en) | 2022-08-25 | 2022-08-25 | Security detection method and security detection device for encrypted file |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115484070A true CN115484070A (en) | 2022-12-16 |
Family
ID=84421347
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211027716.1A Pending CN115484070A (en) | 2022-08-25 | 2022-08-25 | Security detection method and security detection device for encrypted file |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115484070A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117336100A (en) * | 2023-11-27 | 2024-01-02 | 湖南湘科智慧科技有限公司 | Data processing method and device based on escort service multiparty flattened communication |
CN117336100B (en) * | 2023-11-27 | 2024-02-23 | 湖南湘科智慧科技有限公司 | Data processing method and device based on escort service multiparty flattened communication |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |