CN115484070A - Security detection method and security detection device for encrypted file - Google Patents

Security detection method and security detection device for encrypted file Download PDF

Info

Publication number
CN115484070A
CN115484070A (application CN202211027716.1A)
Authority
CN
China
Prior art keywords
encrypted file
detected
file
encrypted
password
Prior art date
Legal status
Pending
Application number
CN202211027716.1A
Other languages
Chinese (zh)
Inventor
许祥
Current Assignee
CLP Cloud Digital Intelligence Technology Co Ltd
Original Assignee
CLP Cloud Digital Intelligence Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by CLP Cloud Digital Intelligence Technology Co Ltd
Priority to CN202211027716.1A
Publication of CN115484070A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1483 Countermeasures against malicious traffic: service impersonation, e.g. phishing, pharming or web spoofing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a security detection method and a security detection device for an encrypted file. The security detection method comprises the following steps: acquiring an encrypted file to be detected and context data of the encrypted file to be detected; acquiring an encryption mode and a password of the encrypted file to be detected based on the context data and the encrypted file to be detected; decrypting the encrypted file to be detected using the encryption mode and the password to obtain the plaintext target file corresponding to the encrypted file to be detected; and performing security detection on the plaintext target file. The security detection method and device can effectively address the problem of a file being sent in encrypted form in order to bypass file detection. For example, where a conventional device cannot detect a mailbox phishing scenario whose attachment is an encrypted, compressed malicious file, the invention can automatically recover the plaintext target file corresponding to the malicious encrypted archive and run security detection on it.

Description

Security detection method and security detection device for encrypted file
Technical Field
The present invention relates to the field of communications security technologies, and in particular, to a security detection method and a security detection apparatus for an encrypted file.
Background
Generally, in fields such as mailbox security, traffic threat detection and application security, if an attacker sends a malicious file (such as a backdoor executable) directly in a mail, an application upload or the like, the malicious file can be extracted and subjected to detection such as static scanning and dynamic analysis (covering not only virus detection but also data leakage and the like). If instead the attacker compresses and encrypts the original file with an encrypting archiver and sends it together with the decryption password, the original file cannot be obtained for static detection, dynamic analysis or other checks, so the various detection means are effectively bypassed. This scenario has seriously degraded security detection capability, and a technique for detecting such encrypted attachments is urgently needed.
Disclosure of Invention
The invention provides a security detection method and a security detection device for an encrypted file, aiming at solving the technical problem of how to perform security detection on an encrypted attachment.
The security detection method of the encrypted file according to the embodiment of the invention comprises the following steps:
acquiring an encrypted file to be detected and context data of the encrypted file to be detected;
acquiring an encryption mode and a password of the encrypted file to be detected based on the context data and the encrypted file to be detected;
decrypting the encrypted file to be detected through the encryption mode and the password to obtain a plaintext target file corresponding to the encrypted file to be detected;
and carrying out security detection on the plaintext target file.
According to some embodiments of the invention, the encrypted file to be detected comprises: mail attachments, traffic-restored files (files reassembled from captured network traffic) and application upload files.
In some embodiments of the present invention, when the encrypted file to be detected is a mail attachment, the acquired context data comprises the mail subject and the mail body content;
when the encrypted file to be detected is a traffic-restored file, the acquired context data comprises the text data associated with the protocol parsing before and after the traffic-restored file;
when the encrypted file to be detected is an application upload file, the acquired context data comprises the upload file description information.
According to some embodiments of the present invention, the encryption mode and the password of the encrypted file to be detected are obtained by an intelligent detection service using a preset algorithm, based on the context data and the encrypted file to be detected.
In some embodiments of the present invention, when the encryption mode and the password cannot be obtained by the intelligent detection service, they are obtained by a rule detection service using a preset matching rule.
According to some embodiments of the invention, the preset matching rule comprises:
if the suffix of the encrypted file to be detected is one of tar, zip and rar, the encryption mode is determined to be compression encryption;
and if the file header of the encrypted file to be detected is 50 4B 03 04, the encryption mode is determined to be compression encryption.
In some embodiments of the present invention, the preset matching rule includes: and acquiring the password by adopting a regular extraction rule.
According to some embodiments of the invention, when the encryption mode cannot be acquired through the rule detection service, the encryption mode of the encrypted file to be detected is determined by traversing the preset decryption method library.
In some embodiments of the present invention, when the password cannot be obtained through the rule detection service, the password of the encrypted file to be detected is determined by traversing a preset password library.
According to the security detection device of the encrypted file of the embodiment of the invention, the security detection device is used for executing the security detection method of the encrypted file, and the security detection device comprises:
the data docking module is used for acquiring an encrypted file to be detected and context data of the encrypted file to be detected;
the detection module is used for acquiring the encryption mode and the password of the encrypted file to be detected based on the context data and the encrypted file to be detected;
the decryption module is used for decrypting the encrypted file to be detected through the encryption mode and the password to obtain a plaintext target file corresponding to the encrypted file to be detected;
and the security detection module is used for performing security detection on the plaintext target file.
The security detection method and device for an encrypted file can effectively address the problem of a file being sent in encrypted form in order to bypass file detection. For example, where a conventional device cannot detect a mailbox phishing scenario whose attachment is an encrypted, compressed malicious file, the invention can automatically recover the plaintext target file corresponding to the malicious encrypted archive and run security detection on it.
Drawings
FIG. 1 is a flow chart of a security detection method for an encrypted file according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a security detection method for an encrypted file according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a security detection apparatus for an encrypted file according to an embodiment of the present invention.
Reference numerals:
security detection device 100;
data docking module 10, detection module 20, decryption module 30, security detection module 40.
Detailed Description
To further illustrate the technical means and effects of the present invention adopted to achieve the predetermined purposes, the present invention is described in detail below with reference to the accompanying drawings and preferred embodiments.
The description of the method flow in the present specification and the steps of the flow chart in the drawings of the present specification are not necessarily strictly performed by the step numbers, and the execution order of the method steps may be changed. Moreover, certain steps may be omitted, multiple steps may be combined into one step execution, and/or a step may be broken down into multiple step executions.
As shown in fig. 1, a method for detecting security of an encrypted file according to an embodiment of the present invention includes:
S100, acquiring an encrypted file to be detected and context data of the encrypted file to be detected;
S200, acquiring an encryption mode and a password of the encrypted file to be detected based on the context data and the encrypted file to be detected;
S300, decrypting the encrypted file to be detected using the encryption mode and the password to obtain the plaintext target file corresponding to the encrypted file to be detected;
S400, performing security detection on the plaintext target file.
The security detection method for an encrypted file can effectively address the problem of a file being sent in encrypted form in order to bypass file detection. For example, where a conventional device cannot detect a mailbox phishing scenario whose attachment is an encrypted, compressed malicious file, the invention can automatically recover the plaintext target file corresponding to the malicious encrypted archive and run security detection on it.
According to some embodiments of the invention, the encrypted file to be detected comprises: mail attachments, traffic-restored files and application upload files. It should be noted that these are only examples; other types of encrypted file to be detected can also be checked according to the present invention.
In some embodiments of the present invention, when the encrypted file to be detected is a mail attachment, the acquired context data comprises the mail subject and the mail body content;
when the encrypted file to be detected is a traffic-restored file, the acquired context data comprises the text data associated with the protocol parsing before and after the traffic-restored file;
when the encrypted file to be detected is an application upload file, the acquired context data comprises the upload file description information.
In addition, when the encrypted file to be detected is of another type, the context data corresponding to that type is acquired.
According to some embodiments of the invention, the encryption mode and the password of the encrypted file to be detected are obtained by the intelligent detection service using a preset algorithm, based on the context data and the encrypted file to be detected. For example, the preset algorithm may be an NLP algorithm. It is to be understood that the present invention is not limited to a particular algorithm model; various standard algorithm models can be used to identify the encryption mode and the password. In this way the encryption mode and the password of the encrypted file to be detected can be acquired automatically.
In some embodiments of the present invention, when the encryption mode and the password cannot be obtained by the intelligent detection service, they are obtained by the rule detection service using a preset matching rule. The rule detection service supplements the intelligent detection service: when the encryption mode and password of the encrypted file to be detected cannot be obtained through the intelligent detection service, they can still be obtained automatically through the rule detection service.
According to some embodiments of the invention, the preset matching rule comprises:
if the suffix of the encrypted file to be detected is one of tar, zip and rar, the encryption mode is determined to be compression encryption;
and if the file header of the encrypted file to be detected is 50 4B 03 04 (the magic bytes of a ZIP local file header), the encryption mode is determined to be compression encryption.
In some embodiments of the invention, the preset matching rule comprises: acquiring the password using a regular extraction rule. For example: (password | password) |? \\ b, extracting capture group 3 as the password data. It should be noted that the above regular extraction rule is only an example to aid understanding of the scheme of the present invention; in practice the regular extraction rule can be selected and set according to actual requirements.
According to some embodiments of the invention, when the encryption mode cannot be acquired through the rule detection service, the preset decryption method library is traversed to determine the encryption mode of the encrypted file to be detected. For example, the preset decryption method library may include all supported decryption algorithms, and when the encryption mode cannot be acquired through both the intelligent detection service and the rule detection service, all supported decryption algorithms may be traversed to determine the encryption mode.
In some embodiments of the present invention, when the password cannot be obtained through the rule detection service, the preset password library is traversed to determine the password of the encrypted file to be detected. For example, a custom-added password may be preset in the preset password library, and the password of the encrypted file to be detected is determined by traversing all the passwords.
As shown in fig. 3, according to the security detection apparatus 100 for an encrypted file according to an embodiment of the present invention, the security detection apparatus 100 is used for executing the security detection method for an encrypted file as described above, and the security detection apparatus 100 includes: data docking module 10, detection module 20, decryption module 30, and security detection module 40.
The data docking module 10 is configured to obtain an encrypted file to be detected and context data of the encrypted file to be detected;
the detection module 20 is configured to obtain an encryption mode and a password of the encrypted file to be detected based on the context data and the encrypted file to be detected;
the decryption module 30 is configured to decrypt the encrypted file to be detected through an encryption mode and a password to obtain a plaintext target file corresponding to the encrypted file to be detected;
the security detection module 40 is used for performing security detection on the plaintext object file.
The security detection device 100 for an encrypted file can effectively address the problem of a file being sent in encrypted form in order to bypass file detection. For example, where a conventional device cannot detect a mailbox phishing scenario whose attachment is an encrypted, compressed malicious file, the invention can automatically recover the plaintext target file corresponding to the malicious encrypted archive and run security detection on it.
The security detection method of an encrypted file and the security detection apparatus 100 according to the present invention will be described in detail with reference to the accompanying drawings. It is to be noted that the following description is only exemplary in nature and should not be construed as specifically limiting the present invention.
1. Acquiring an encrypted file to be detected and context data thereof:
As shown in FIG. 2, the invention collects the data context and the corresponding encrypted file to be detected through the data docking module 10.
The context log of the system being integrated and the corresponding encrypted file to be detected are extracted, and the relationship between the context log and the encrypted file to be detected is mapped for subsequent analysis and detection. Examples of the context log and the encrypted file to be detected:
In the mail case, the context is the subject and body of the mail, and the encrypted file to be detected is the mail attachment (custom configuration is supported).
In the traffic threat detection field, the context is the text data associated with the protocol parsing before and after the encrypted file to be detected, and the encrypted file to be detected is the traffic-restored file (custom configuration is supported).
In the application security threat detection scenario, the upload file description information serves as the context log, and the corresponding uploaded attachment file is the encrypted file to be detected.
Other context and file data can be integrated through custom configuration.
The data docking module 10 supports the integrated system actively pushing its logs, and also supports actively connecting to the integrated system and collecting the corresponding data. The collected context data supports a custom collection mode: for example, the DATA section of the SMTP protocol can be designated as the file-associated context, or the POST data of a /upload.
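The mail case of the data docking step, as an added Python example that is not the patent's or the applicant's code: it runs the standard-library `email` parser over a constructed raw message standing in for the SMTP DATA section and returns one record that pairs the context (subject plus every text part) with the attachments that came with it, which is the context-to-file mapping the text describes. The addresses, subject, body and the attachment bytes (truncated to the first ten bytes of a ZIP local file header) are constructed.

```python
import email
import email.policy

# Constructed raw message (not from the patent): what the SMTP DATA section of a phishing mail carries.
# The attachment is cut to its first ten bytes; only the header matters at this step.
RAW_MAIL = b"""From: hr@example.invalid
To: staff@example.invalid
Subject: Year-end bonus information
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

The following is the company's year-end bonus information, please open it with decompression software; the decompression password is: AUSjc@1223.
--b1
Content-Type: application/zip; name="bonus.zip"
Content-Disposition: attachment; filename="bonus.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAQAAAA==
--b1--
"""


def split_mail(raw: bytes) -> dict:
    """Data docking for the mail case: context = subject + every text/plain part; files = every
    attachment part, kept in the same record so the context-to-file mapping survives later stages."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    context_parts = [str(msg.get("Subject", ""))]
    attachments = []
    for part in msg.walk():  # the multipart container itself has no disposition and is skipped
        if part.get_content_disposition() == "attachment":
            attachments.append({"filename": part.get_filename(),
                                "data": part.get_payload(decode=True)})  # base64 decoded to bytes
        elif part.get_content_type() == "text/plain":
            context_parts.append(part.get_content())
    return {"context": "\n".join(context_parts), "attachments": attachments}


if __name__ == "__main__":
    record = split_mail(RAW_MAIL)
    print(record["context"])
    for att in record["attachments"]:
        # bytes 6..7 of a ZIP local file header are the general-purpose flag; bit 0 means encrypted
        print(att["filename"], att["data"][:4], "encrypted flag =", att["data"][6] & 1)
```

The record is what the later stages consume: the password hint is looked for in `context`, and each entry in `attachments` is decrypted and scanned against that same context, so a mail with several archives never has its hint matched against the wrong file. HTML-only bodies would need the `text/html` part stripped to text before joining; the example keeps to `text/plain`.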
2. Intelligent detection service:
The received context log and the data of the encrypted file to be detected are analysed intelligently, and the encryption method and the corresponding password information of the encrypted file to be detected are identified. The following description uses a mailbox phishing scenario:
To bypass detection of malicious files in the mailbox, an attacker often transmits the malicious file in encrypted, compressed form and then places decoy information and the password in the mail body; for example, the attacker sends a phishing mail whose body reads:
The following is the company's year-end bonus information, please open it with decompression software; the decompression password is: AUSjc@1223.
At this point the mail security scanner cannot inspect the encrypted attachment; once the user who receives the phishing mail downloads the attachment, they decrypt the file with the password, the malicious file is released and the attack finally succeeds.
The intelligent detection service can identify the encryption mode and the password through algorithms such as NLP (the algorithm model used here is not limited; various standard algorithm models can be used), and from the context log (the mail body) identifies the encryption mode as: compression encryption, and the password as: AUSjc@1223.
3. Rule detection service:
The rule detection service supplements the intelligent detection service and can identify the encryption mode and the password through user-defined rules. Taking the same phishing-mail attachment scanning scenario, suppose the mail body reads:
The following is the company's year-end bonus information, and the password is: AUSjc@1223.
Here the intelligent detection service can only output: encryption mode: unknown, password: AUSjc@1223.
In this case the rule detection service can be configured as follows:
1. Rule 1: if the file suffix is in (tar, zip, rar), the encryption mode is compression encryption;
2. Rule 2: if the file header is 50 4B 03 04, the encryption mode is compression encryption (detection of the file's magic bytes);
3. Rule 3: matching rules can also be configured on fields such as file name and file content;
4. Rule 4: rule-based password extraction can also be performed using regular extraction rules configured on the context, for example:
(password | password) |? \\ b, extracting capture group 3 as the password data.
4. Outputting the decrypted sample file:
With the encrypted file to be detected, the encryption mode and the password acquired as above, the encrypted file to be detected is decrypted using the decryption method and password corresponding to the encryption mode, and the decrypted plaintext target file is obtained.
If the encryption mode was not identified successfully, traversal of all supported decryption methods can optionally be enabled; this traversal mode is off by default, and the decryption module 30 supports plug-in custom development.
If the password was not identified successfully, password traversal can optionally be enabled; this traversal mode is likewise off by default, and once enabled the built-in password library (which can be extended with custom entries) is used for the traversal attempts.
Finally, the decrypted file is submitted to the built-in threat detection module for analysis, or reported to a third-party threat detection module for analysis.
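The whole procedure above (steps 1 to 4, i.e. S100 to S400 of FIG. 1) as one runnable Python example. This is an added illustration, not the patent's or the applicant's code. It assumes ZIP with the traditional PKWARE cipher ("ZipCrypto"), which is what `zip -P` and typical phishing kits produce, and reimplements that cipher only so that a realistic encrypted sample can be built inline and read back with the standard `zipfile` module. The mail body, the payload, the password-hint regular expression (the patent's own rule is not legible as published), the preset password library and the `run_pipeline`/`decrypt_zip` names are all assumptions. Beyond the patent's rule 2 it also reads bit 0 of the ZIP general-purpose flag, because the 50 4B 03 04 magic only proves a ZIP container, not that the entry is encrypted.

```python
import hashlib
import io
import re
import struct
import zipfile
import zlib

# Constructed sample input (not from the patent): the phishing body quoted in the text plus a fake PE payload.
MAIL_BODY = ("The following is the company's year-end bonus information, please open it with "
             "decompression software; the decompression password is: AUSjc@1223.")
PAYLOAD_NAME = "bonus.exe"
PAYLOAD = b"MZ" + bytes(62) + b"This program cannot be run in DOS mode.\r\n"  # 'MZ' stub only, not a real PE


def _crc32_step(crc: int, byte: int) -> int:
    # Raw CRC-32 table step without the usual pre/post inversion, as the ZipCrypto key schedule uses it.
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


class ZipCrypto:
    """Traditional PKWARE stream cipher ('ZipCrypto'): weak, but what `zip -P` produces. Sample-building only."""

    def __init__(self, password: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        k = self.k
        k[0] = _crc32_step(k[0], b)
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc32_step(k[2], k[1] >> 24)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            t = (self.k[2] | 2) & 0xFFFF
            out.append(c ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(c)  # the key schedule advances on the plaintext byte
        return bytes(out)


def make_encrypted_zip(name: str, data: bytes, password: str) -> bytes:
    """Minimal ZIP writer: one STORED entry with general-purpose flag bit 0 (encrypted) set."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 filler bytes (random in real archives) + CRC high byte as the check byte
    body = ZipCrypto(password.encode()).encrypt(bytes(range(11)) + bytes([crc >> 24]) + data)
    fname, flag, method = name.encode(), 0x0001, 0
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flag, method, 0, 0,
                        crc, len(body), len(data), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flag, method, 0, 0,
                          crc, len(body), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd


# Password-hint rule: an assumption standing in for the patent's rule, which is not legible as published.
PASSWORD_RE = re.compile(r"password\s*(?:is)?\s*[:：]\s*(\S+)", re.IGNORECASE)


def extract_password_candidates(context: str) -> list:
    """S200 by rule: each hint with trailing punctuation stripped and also as written, since the
    '.' after AUSjc@1223 may be the sentence's full stop or part of the password."""
    cands = []
    for m in PASSWORD_RE.finditer(context):
        tok = m.group(1)
        for c in (tok.rstrip(".,;:!?)"), tok):
            if c and c not in cands:
                cands.append(c)
    return cands


def detect_encryption_mode(blob: bytes, filename: str) -> str:
    """Rule 2 (magic 50 4B 03 04) plus the check the rule omits: bit 0 of the general-purpose
    flag at offset 6 says whether the entry is actually encrypted."""
    if blob[:4] == b"PK\x03\x04":
        return "zip-encrypted" if struct.unpack_from("<H", blob, 6)[0] & 0x0001 else "zip-plain"
    if filename.lower().endswith((".tar", ".zip", ".rar")):  # rule 1: suffix alone is weak evidence
        return "compressed-unknown"
    return "unknown"


def decrypt_zip(blob: bytes, candidates, password_library):
    """S300: context-derived passwords first, then the preset password library (the traversal mode)."""
    tried = list(candidates) + [p for p in password_library if p not in candidates]
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for pwd in tried:
            try:
                return pwd, {i.filename: zf.read(i, pwd=pwd.encode()) for i in zf.infolist()}
            except (RuntimeError, zipfile.BadZipFile):  # bad check byte, or a 1/256 false pass caught by CRC
                continue
    return None, {}


def scan_plaintext(files: dict) -> list:
    """S400 stand-in: a deployment hands the bytes to AV/sandbox; here any PE executable is flagged."""
    return [f"{n}: PE executable sha256={hashlib.sha256(d).hexdigest()}"
            for n, d in files.items() if d[:2] == b"MZ"]


def run_pipeline(attachment: bytes, filename: str, context: str,
                 password_library=("123456", "infected")) -> dict:
    mode = detect_encryption_mode(attachment, filename)
    if mode != "zip-encrypted":
        return {"mode": mode, "password": None, "findings": []}
    pwd, files = decrypt_zip(attachment, extract_password_candidates(context), password_library)
    findings = scan_plaintext(files) if pwd else ["undecryptable: quarantine for manual review"]
    return {"mode": mode, "password": pwd, "findings": findings}


if __name__ == "__main__":
    sample = make_encrypted_zip(PAYLOAD_NAME, PAYLOAD, "AUSjc@1223")
    print(run_pipeline(sample, "bonus.zip", MAIL_BODY))
```

Run as a script to see the sample decrypted with the password recovered from the mail body. With no usable hint the pipeline falls through to the password library, and if that fails too the attachment is reported as undecryptable rather than silently passed, which is the decision the text leaves to the two traversal switches. RAR and 7-Zip archives use AES-based schemes and need their own decryptor plugged into the decryption module, and whatever sandbox receives the recovered plaintext must be isolated, since the whole point of decrypting is that the content is presumed malicious.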
In summary, the invention identifies the context data of the encrypted file to be detected and establishes a mapping relationship with that file, identifies the file encryption mode and the password information described in the context by means of an intelligent algorithm model and a rule model, extracts the plaintext target file for file detection, and supports traversal-based identification when the encryption method and password of the encrypted file to be detected cannot be identified automatically.
The invention can effectively address the problem of a file being sent in encrypted form in order to bypass file detection. For example, where a conventional device cannot detect a mailbox phishing scenario whose attachment is an encrypted, compressed malicious file, the invention can automatically recover the plaintext target file corresponding to the malicious encrypted archive and run security detection on it.
While the invention has been described in connection with specific embodiments thereof, it is to be understood that it is intended by the appended drawings and description that the invention may be embodied in other specific forms without departing from the spirit or scope of the invention.

Claims (10)

1. A security detection method for encrypted files is characterized by comprising the following steps:
acquiring an encrypted file to be detected and context data of the encrypted file to be detected;
acquiring an encryption mode and a password of the encrypted file to be detected based on the context data and the encrypted file to be detected;
decrypting the encrypted file to be detected through the encryption mode and the password to obtain a plaintext target file corresponding to the encrypted file to be detected;
and carrying out security detection on the plaintext object file.
2. The security detection method for an encrypted file according to claim 1, wherein the encrypted file to be detected comprises: mail attachments, traffic-restored files and application upload files.
3. The security detection method for an encrypted file according to claim 2, wherein when the encrypted file to be detected is the mail attachment, the acquired context data comprises the mail subject and the mail body content;
when the encrypted file to be detected is the traffic-restored file, the acquired context data comprises the text data associated with the protocol parsing before and after the traffic-restored file;
when the encrypted file to be detected is the application upload file, the acquired context data comprises the upload file description information.
4. The security detection method for the encrypted file according to claim 1, wherein an encryption mode and a password of the encrypted file to be detected are obtained by an intelligent detection service using a preset algorithm based on the context data and the encrypted file to be detected.
5. The security detection method for an encrypted file according to claim 4, wherein when the encryption mode and the password cannot be obtained by the intelligent detection service, the encryption mode and the password are obtained by a rule detection service using a preset matching rule.
6. The security detection method for an encrypted file according to claim 5, wherein the preset matching rule comprises:
if the suffix of the encrypted file to be detected is one of tar, zip and rar, the encryption mode is determined to be compression encryption;
and if the file header of the encrypted file to be detected is 50 4B 03 04, the encryption mode is determined to be compression encryption.
7. The method for detecting the security of the encrypted file according to claim 5, wherein the preset matching rule comprises: and acquiring the password by adopting a regular extraction rule.
8. The method for detecting the security of the encrypted file according to claim 5, wherein when the encryption mode cannot be obtained through a rule detection service, a preset decryption method library is traversed to determine the encryption mode of the encrypted file to be detected.
9. The method for detecting the security of the encrypted file according to claim 5, wherein when the password cannot be obtained through the rule detection service, the password of the encrypted file to be detected is determined by traversing a preset password library.
10. A security detection apparatus for an encrypted file, the security detection apparatus being configured to perform the method of detecting security of an encrypted file according to any one of claims 1 to 9, the security detection apparatus comprising:
the data docking module is used for acquiring an encrypted file to be detected and context data of the encrypted file to be detected;
the detection module is used for acquiring the encryption mode and the password of the encrypted file to be detected based on the context data and the encrypted file to be detected;
the decryption module is used for decrypting the encrypted file to be detected through the encryption mode and the password to obtain a plaintext target file corresponding to the encrypted file to be detected;
and the security detection module is used for performing security detection on the plaintext target file.
Application CN202211027716.1A, priority date 2022-08-25, filing date 2022-08-25: Security detection method and security detection device for encrypted file, Pending, CN115484070A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211027716.1A CN115484070A (en) 2022-08-25 2022-08-25 Security detection method and security detection device for encrypted file

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211027716.1A CN115484070A (en) 2022-08-25 2022-08-25 Security detection method and security detection device for encrypted file

Publications (1)

Publication Number Publication Date
CN115484070A (en) 2022-12-16

Family

ID=84421347

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211027716.1A Pending CN115484070A (en) 2022-08-25 2022-08-25 Security detection method and security detection device for encrypted file

Country Status (1)

Country Link
CN (1) CN115484070A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117336100A (en) * 2023-11-27 2024-01-02 湖南湘科智慧科技有限公司 Data processing method and device based on escort service multiparty flattened communication
CN117336100B (en) * 2023-11-27 2024-02-23 湖南湘科智慧科技有限公司 Data processing method and device based on escort service multiparty flattened communication

Similar Documents

Publication Publication Date Title
US11146572B2 (en) Automated runtime detection of malware
US10872151B1 (en) System and method for triggering analysis of an object for malware in response to modification of that object
CN109525558B (en) Data leakage detection method, system, device and storage medium
TWI678616B (en) File detection method, device and system
US10387648B2 (en) Ransomware key extractor and recovery system
RU2680736C1 (en) Malware files in network traffic detection server and method
CN113705619A (en) Malicious traffic detection method, system, computer and medium
US20150143454A1 (en) Security management apparatus and method
CN113542253B (en) Network flow detection method, device, equipment and medium
US10033761B2 (en) System and method for monitoring falsification of content after detection of unauthorized access
US20130145483A1 (en) System And Method For Processing Protected Electronic Communications
CN111163095B (en) Network attack analysis method, network attack analysis device, computing device, and medium
WO2018076697A1 (en) Method and apparatus for detecting zombie feature
CN106919811A (en) File test method and device
CN109800574A (en) Computer Virus Detection Method and system based on cryptographic algorithm analysis
CN111783092B (en) Malicious attack detection method and system for communication mechanism between Android applications
CN106341819A (en) Phishing WiFi identification system and method based on honeypot technology
CN111581621A (en) Data security processing method, device, system and storage medium
CN104486292B (en) A kind of control method of ERM secure access, apparatus and system
CN115484070A (en) Security detection method and security detection device for encrypted file
CN115499844A (en) Mobile terminal information safety protection system and method
CN108965251A (en) A kind of safe mobile phone guard system that cloud combines
CN114039774B (en) Blocking method, detection method and device for malicious PE program
JP2006094258A (en) Terminal device, its policy forcing method, and its program
WO2003021402A2 (en) Network security

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination