CN115935431A - White list generation method and device of risk detection engine - Google Patents

Info

Publication number
CN115935431A
Authority
CN
China
Prior art keywords
file
candidate
files
trusted
risk
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310012757.1A
Other languages
Chinese (zh)
Inventor
陈奇
樊兴华
薛锋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing ThreatBook Technology Co Ltd
Original Assignee
Beijing ThreatBook Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing ThreatBook Technology Co Ltd
Priority to CN202310012757.1A
Publication of CN115935431A
Current legal status: Pending

Landscapes

  • Storage Device Security (AREA)

Abstract

The disclosure provides a white list generation method and device for a risk detection engine. The method comprises: acquiring a file package issued by at least one trusted publisher and extracting a plurality of candidate files from the file package; for each candidate file, performing update detection on the candidate file to obtain an update detection result, where the update detection result indicates whether an update file corresponding to the candidate file exists and the update file is an updated version of the candidate file; filtering risk files out of the candidate files based on the update detection result of each candidate file to obtain target trusted files; and generating a trusted file white list for the risk detection engine based on the target trusted files.

Description

White list generation method and device of risk detection engine
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a white list generation method and apparatus for a risk detection engine.
Background
A risk detection engine provides a risk detection service for files: it compares the file under inspection with the virus samples stored in a virus library and determines whether the file carries a virus, together with information such as the virus type, family and risk behaviour. Because the types and number of viruses are enormous and viruses are continually updated, the virus library keeps growing, each file requires more and more comparisons, and the time needed for risk detection keeps increasing. For this reason a risk detection engine usually deploys a white list of trusted files: when the file under inspection is a trusted file in the white list, it is directly judged safe. The white list of a risk detection engine generally has to be deployed manually by a user and depends on that user's personal experience, so deployment is inefficient and error-prone.
Disclosure of Invention
The embodiment of the disclosure at least provides a white list generation method and device of a risk detection engine.
In a first aspect, an embodiment of the present disclosure provides a white list generation method for a risk detection engine, including:
acquiring a file package issued by at least one trusted publisher, and extracting a plurality of candidate files from the file package;
for any one candidate file, performing update detection on the candidate file to obtain an update detection result of the candidate file; the update detection result indicates whether an update file corresponding to the candidate file exists; the update file is an updated version of the candidate file;
based on the update detection result of each candidate file, filtering risk files out of the candidate files to obtain a target trusted file;
and generating a trusted file white list corresponding to the risk detection engine based on the target trusted file.
In an optional implementation manner, the performing update detection on the candidate file to obtain an update detection result of the candidate file includes:
acquiring a file update log of a trusted publisher corresponding to the candidate file;
and performing update detection on the candidate file based on the file update log to obtain an update detection result of the candidate file.
In an optional implementation manner, the performing risk file filtering on the plurality of candidate files based on the update detection result of each candidate file includes:
marking the candidate files for which a corresponding update file exists as risk files;
and removing the marked risk files from the plurality of candidate files to obtain the target trusted file.
In an alternative embodiment, before removing the marked risk file from the plurality of candidate files, the method further comprises:
acquiring a vulnerability file list corresponding to the trusted publisher; the vulnerability file list indicates files which are issued by the trusted publisher and have security vulnerabilities;
and marking the candidate files matched with the vulnerability file list in the candidate files as risk files.
In an alternative embodiment, before removing the marked risk file from the plurality of candidate files, the method further comprises:
for any of the candidate files, determining whether the file type of the candidate file is matched with a target risk type;
and marking the candidate files with the file types matched with the target risk types as risk files.
In an alternative embodiment, before removing the marked risk file from the plurality of candidate files, the method further comprises:
and for any one of the candidate files, performing signature verification on the candidate file, and marking the candidate file which fails the signature verification as a risk file.
In an optional embodiment, after generating a trusted file white list corresponding to the risk detection engine, the method further includes:
tracking updates to each trusted file indicated in the trusted file white list and, once a new version of the trusted file has been released, acquiring the new version file corresponding to the trusted file;
and updating the trusted file white list based on the new version file.
In an alternative embodiment, the trusted publisher includes at least one of:
a trusted operating system publisher, a trusted application publisher, and a trusted application store.
In a second aspect, an embodiment of the present disclosure further provides a white list generation apparatus for a risk detection engine, including:
an extraction module, configured to acquire a file package issued by at least one trusted publisher and extract a plurality of candidate files from the file package;
a detection module, configured to perform update detection on any one candidate file to obtain an update detection result of the candidate file; the update detection result indicates whether an update file corresponding to the candidate file exists; the update file is an updated version of the candidate file;
a filtering module, configured to filter risk files out of the plurality of candidate files based on the update detection result of each candidate file, to obtain a target trusted file;
and a generating module, configured to generate a trusted file white list corresponding to the risk detection engine based on the target trusted file.
In an optional implementation manner, the detection module is specifically configured to:
acquiring a file update log of a trusted publisher corresponding to the candidate file;
and performing update detection on the candidate file based on the file update log to obtain an update detection result of the candidate file.
In an alternative embodiment, the filtering module is specifically configured to:
mark the candidate files for which a corresponding update file exists as risk files;
and remove the marked risk files from the plurality of candidate files to obtain the target trusted file.
In an alternative embodiment, the filtering module is further configured to, before removing the marked risk file from the plurality of candidate files:
acquiring a vulnerability file list corresponding to the trusted publisher; the vulnerability file list indicates files which are issued by the trusted publisher and have security vulnerabilities;
and marking the candidate files matched with the vulnerability file list in the plurality of candidate files as risk files.
In an alternative embodiment, the filtering module is further configured to, before removing the marked risk file from the plurality of candidate files:
for any of the candidate files, determining whether the file type of the candidate file is matched with a target risk type;
and marking the candidate files with the file types matched with the target risk types as risk files.
In an alternative embodiment, before the filtering module removes the marked risk file from the plurality of candidate files, the filtering module is further configured to:
and for any one of the candidate files, performing signature verification on the candidate file, and marking the candidate file which fails the signature verification as a risk file.
In an optional embodiment, after generating the trusted file white list corresponding to the risk detection engine, the generating module is further configured to:
track updates to each trusted file indicated in the trusted file white list and, once a new version of the trusted file has been released, acquire the new version file corresponding to the trusted file;
and update the trusted file white list based on the new version file.
In an alternative embodiment, the trusted publisher includes at least one of:
a trusted operating system publisher, a trusted application publisher, and a trusted application store.
In a third aspect, the disclosure provides a computer device comprising a processor and a memory, where the memory stores machine-readable instructions executable by the processor and the processor is configured to execute the machine-readable instructions stored in the memory; when executed by the processor, the machine-readable instructions perform the steps of the first aspect or of any one of its possible implementations.
In a fourth aspect, this disclosure also provides a computer-readable storage medium having a computer program stored thereon, where the computer program is executed to perform the steps in the first aspect or any one of the possible implementation manners of the first aspect.
For the description of the effects of the white list generation apparatus, the computer device, and the computer readable storage medium of the risk detection engine, reference is made to the description of the white list generation method of the risk detection engine, and details are not repeated here.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the technical aspects of the disclosure.
In the white list generation method and device of the risk detection engine provided here, files issued by trusted publishers are used as candidate files, which greatly reduces the probability that a risk file appears among the candidates. On that basis, update detection is performed on the candidate files and the candidates are filtered according to the update detection results, which eliminates lower-version candidate files that may contain exploitable vulnerabilities and leaves the target trusted files. Finally, the target trusted files are used to generate an updatable white list for the risk detection engine. White list generation is thus automated and the accuracy of the generated white list is improved.
In order to make the aforementioned objects, features and advantages of the present disclosure more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings required for use in the embodiments will be briefly described below, and the drawings herein incorporated in and forming a part of the specification illustrate embodiments consistent with the present disclosure and, together with the description, serve to explain the technical solutions of the present disclosure. It is appreciated that the following drawings depict only certain embodiments of the disclosure and are therefore not to be considered limiting of its scope, for those skilled in the art will be able to derive additional related drawings therefrom without the benefit of the inventive faculty.
FIG. 1 illustrates a flow diagram of a white list generation method of a risk detection engine provided by some embodiments of the present disclosure;
FIG. 2 illustrates a schematic diagram of a white list generation apparatus of a risk detection engine provided by some embodiments of the present disclosure;
FIG. 3 illustrates a schematic diagram of a computer device provided by some embodiments of the present disclosure.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present disclosure more clear, the technical solutions of the embodiments of the present disclosure will be described clearly and completely with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are only a part of the embodiments of the present disclosure, not all of the embodiments. The components of embodiments of the present disclosure, as generally described and illustrated herein, may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present disclosure is not intended to limit the scope of the disclosure, as claimed, but is merely representative of selected embodiments of the disclosure. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the disclosure without making any creative effort, shall fall within the protection scope of the disclosure.
To address the low deployment efficiency and low accuracy that result from the white list of a risk detection engine having to be deployed manually in the prior art, the disclosure provides a white list generation method for a risk detection engine. Files issued by trusted publishers are used as candidate files, which greatly reduces the probability that a risk file appears among them; update detection is then performed on the candidate files and the candidates are filtered according to the update detection results, eliminating lower-version candidate files that may contain vulnerabilities and leaving the target trusted files; finally a new file white list for the risk detection engine is generated from the target trusted files. White list generation is thus automated and the accuracy of the generated white list is improved.
The above drawbacks were identified by the inventors through practical and careful study; the discovery of these problems, and the solutions proposed below, should therefore be regarded as the inventors' contribution to the present disclosure.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
To facilitate understanding of the present embodiment, first, a method for generating a white list of a risk detection engine disclosed in the embodiments of the present disclosure is described in detail, where an execution subject of the method for generating a white list of a risk detection engine provided in the embodiments of the present disclosure is generally a computer device with certain computing capability, and the computer device includes: terminal equipment or servers or other processing devices. In some possible implementations, the white list generation method of the risk detection engine may be implemented by a processor calling computer-readable instructions stored in a memory.
The white list generation method of the risk detection engine provided by the embodiment of the disclosure is described below by taking an execution subject as a server.
Referring to fig. 1, a flowchart of a white list generation method of a risk detection engine provided in the embodiment of the present disclosure is shown, where the method includes steps S101 to S104, where:
S101, acquiring a file package issued by at least one trusted publisher, and extracting a plurality of candidate files from the file package.
A trusted publisher is a publisher of a trusted application program and/or a trusted operating system. The publisher of an application program may be the application's vendor or an application store; the publisher of an operating system is the operating system's vendor. Trusted publishers can be selected from the publishers that currently exist. For example, operating system publishers such as those of Windows, macOS and Linux may be selected from the available operating system publishers according to each operating system's share of use, and application publishers or application stores may be selected according to dimensions such as user count, download count and popularity.
A publisher selected in this way generally has high credibility and its files carry no viruses. The publisher itself may nevertheless be compromised and the files it is about to publish may be trojanised, so it is possible to first check whether a publisher has a history of being attacked, exclude publishers that have been attacked, and only then select the trusted publishers.
Publishers of hacking tools can also be excluded in advance, which further improves the security of the trusted publisher set.
For example, an operating system file package, which may be in ISO, img or a similar format, can be mounted and the candidate files extracted from the mounted image, or it can be unpacked directly and the candidate files extracted from the unpacked files. An application file package is usually a software installation package. On a desktop operating system it may be a self-extracting exe, an exe produced by a packaging tool, an MSI/MSIX package, a CAB archive and the like; on a mobile operating system it may be an apk, xapk, dex or aab package; on iOS it may be an ipa, pxl, deb, dmg or similar package; on Linux it may be an rpm, deb, snap or similar package. The installation package is unpacked with a method matching its format, and the candidate files are then extracted from the unpacked files.
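The extraction step above can be illustrated with a worked example. The following Python is added here as an illustration and is not code from the patent or from ThreatBook. It handles only zip-based installation packages (APK, XAPK, MSIX and JAR are all zip containers), extracts every member in memory, computes the whole-file digests later used as identification information, and refuses member names that would escape the extraction root, a check any extractor fed with third-party packages needs even when the publisher is trusted. The sample package and its contents are constructed for the example.

```python
import hashlib
import io
import zipfile
from dataclasses import dataclass
from pathlib import PurePosixPath


@dataclass(frozen=True)
class Candidate:
    """One file extracted from a publisher's package, keyed by whole-file digests."""
    publisher: str
    package: str
    path: str
    size: int
    sha256: str
    md5: str


def build_sample_package() -> bytes:
    """Constructed sample: a minimal APK-style package. The last entry is a
    deliberate zip-slip style path that a tampered package could carry; the
    extractor must refuse it rather than write outside the extraction root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", '<manifest package="com.example.app"/>')
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(32))
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + bytes(60))
        zf.writestr("assets/../../../etc/evil", b"path traversal attempt")
    return buf.getvalue()


def is_safe_member(name: str) -> bool:
    """Reject empty names, absolute paths, backslash separators and any '..'
    component, so nothing in the package can escape the extraction root."""
    p = PurePosixPath(name)
    return bool(name) and not p.is_absolute() and ".." not in p.parts and "\\" not in name


def extract_candidates(package_bytes: bytes, publisher: str, package_name: str):
    """Extract candidate files from a zip-based package entirely in memory.
    Returns (candidates, rejected_member_names)."""
    candidates, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if not is_safe_member(info.filename):
                rejected.append(info.filename)
                continue
            data = zf.read(info)
            candidates.append(Candidate(
                publisher=publisher,
                package=package_name,
                path=info.filename,
                size=len(data),
                sha256=hashlib.sha256(data).hexdigest(),
                md5=hashlib.md5(data).hexdigest(),
            ))
    return candidates, rejected


if __name__ == "__main__":
    cands, rejected = extract_candidates(build_sample_package(), "Example Corp", "app-1.0.apk")
    for c in cands:
        print(f"{c.sha256[:16]}  {c.size:6d}  {c.path}")
    print("rejected:", rejected)
```

ISO, rpm, deb and self-extracting exe packages need their own unpackers (mounting, cpio, ar plus tar, or the installer's stub), but the safe-member check and the digest computation are the same for each; the path check matters most for the disk-backed extraction that the formats without an in-memory reader require.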
S102, for any one candidate file, performing update detection on the candidate file to obtain an update detection result of the candidate file; the update detection result indicates whether an update file corresponding to the candidate file exists; the update file is an updated version of the candidate file.
After the candidate files have been obtained, update detection is performed on them to determine whether a candidate file has a corresponding update file. Files issued by a trusted publisher usually contain no virus, but they may still have security vulnerabilities that malware can exploit. The publisher continues to maintain a file after releasing it and repairs its security vulnerabilities, usually by shipping an update package, so update detection on a candidate file reveals whether it has a known security vulnerability.
When a publisher releases an update package it usually generates a file update log recording which files were updated. The file update log of the trusted publisher corresponding to the candidate file can therefore be acquired, and update detection performed on the candidate file against that log to obtain its detection result.
During update detection the identification information of the candidate file is searched for in the file update log; if matching identification information is found, the candidate file is determined to have a corresponding update file.
In a specific implementation a vulnerability database may be maintained that stores the identification information of update files already identified. During update detection the vulnerability database is searched first; only if no update file for the candidate file is found there is the file update log searched.
S103, filtering risk files out of the candidate files based on the update detection result of each candidate file, to obtain a target trusted file.
Once the update detection result of a candidate file is available, it is used to filter risk files out of the candidates: a candidate file that has an update file (that is, a candidate file with a security vulnerability) is filtered out, and the remaining files are the target trusted files.
In a specific implementation, a candidate file that has an update file is marked as a risk file, and the marked risk files are then removed from the candidate files to obtain the target trusted files.
Before the risk files are removed from the candidate files, other kinds of risk file may be screened as well. For example, a vulnerability file list corresponding to the trusted publisher can be acquired; it indicates files issued by that publisher that have security vulnerabilities, and it may be published by the trusted publisher or constructed and maintained by the server that performs update detection.
Some specific kinds of file also carry risk, such as hacker tools (exploit collections such as exploitdb, Metasploit, nmap, zmap and the like) or files belonging to a penetration-testing operating system such as Kali Linux. These can be set as target risk types; whether a candidate file matches a target risk type is determined, and matching candidates are likewise marked as risk files.
Many candidate files carry the signature of their publisher, so signature verification can be performed on them. If verification passes, the candidate file is considered untampered and genuinely issued by that publisher; if it fails, the candidate file may not have been issued by the trusted publisher or may have been tampered with, and it is marked as a risk file.
After the risk files are removed, the resulting target trusted files are therefore more accurate.
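The filtering described in S103 (update detection against a file update log, the publisher's vulnerability file list, target risk types and signature verification) can be put together as one pass over the candidates. The Python below is an added example, not the patent's or ThreatBook's code. The update log, vulnerability list, candidate files and publisher key are constructed, and publisher code signing is stood in for by HMAC-SHA256 under a per-publisher key (an assumption; a real pipeline verifies the package format's native signature, such as Authenticode, APK v2/v3 or RPM/deb GPG, against the publisher's certificate). Every reason that applies is recorded rather than stopping at the first, which is what an analyst reviewing the rejected files wants.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Candidate:
    path: str
    content: bytes
    version: str
    publisher: str
    file_type: str                      # e.g. "library", "executable", "pentest-tool"
    signature: Optional[bytes] = None   # detached signature shipped with the file
    risk_reasons: List[str] = field(default_factory=list)

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


# Stand-in for publisher code signing (assumption): HMAC-SHA256 under a per-publisher key.
PUBLISHER_KEYS: Dict[str, bytes] = {"ExampleSoft": b"examplesoft-release-signing-key"}


def sign(content: bytes, publisher: str) -> bytes:
    return hmac.new(PUBLISHER_KEYS[publisher], content, "sha256").digest()


def signature_ok(c: Candidate) -> bool:
    """Unsigned files and files from unknown publishers fail closed."""
    key = PUBLISHER_KEYS.get(c.publisher)
    if key is None or c.signature is None:
        return False
    expected = hmac.new(key, c.content, "sha256").digest()
    return hmac.compare_digest(expected, c.signature)


def parse_version(v: str):
    # Numeric tuple comparison; plain string comparison would rank "9.0" above "10.0".
    return tuple(int(x) for x in v.split("."))


def has_update(c: Candidate, update_log: Dict[str, Dict[str, List[str]]]) -> bool:
    """True if the publisher's file update log lists a version newer than the candidate's."""
    released = update_log.get(c.publisher, {}).get(c.path, [])
    return any(parse_version(v) > parse_version(c.version) for v in released)


def filter_risk_files(candidates, update_log, vuln_list: Set[str], risk_types: Set[str]):
    """Mark each candidate with every reason that applies; unmarked files are the
    target trusted files."""
    trusted = []
    for c in candidates:
        if has_update(c, update_log):
            c.risk_reasons.append("update-available")
        if c.sha256 in vuln_list:
            c.risk_reasons.append("vulnerability-list")
        if c.file_type in risk_types:
            c.risk_reasons.append("risk-type")
        if not signature_ok(c):
            c.risk_reasons.append("bad-signature")
        if not c.risk_reasons:
            trusted.append(c)
    return trusted


# Constructed file update log: publisher -> path -> versions released so far.
UPDATE_LOG = {"ExampleSoft": {"bin/viewer.exe": ["2.0.0", "2.0.1", "2.1.0"],
                              "lib/parser.dll": ["1.4.2"]}}
# Constructed vulnerability file list: sha256 of builds the publisher flagged as vulnerable.
VULN_LIST = {hashlib.sha256(b"parser.dll build 1.4.2").hexdigest()}
RISK_TYPES = {"pentest-tool"}


def build_candidates() -> List[Candidate]:
    """Constructed candidates, one per filter branch plus one clean file."""
    def signed(path, content, version, file_type="library"):
        return Candidate(path, content, version, "ExampleSoft", file_type,
                         signature=sign(content, "ExampleSoft"))
    tampered = signed("lib/tampered.dll", b"tampered.dll build 1.0.0", "1.0.0")
    tampered.content += b"\x90\x90implant"          # modified after signing
    return [
        signed("bin/viewer.exe", b"viewer.exe build 2.0.0", "2.0.0", "executable"),
        signed("lib/parser.dll", b"parser.dll build 1.4.2", "1.4.2"),
        signed("lib/helper.dll", b"helper.dll build 3.0.0", "3.0.0"),
        signed("tools/nmap.exe", b"nmap.exe build 7.9.4", "7.9.4", "pentest-tool"),
        tampered,
        Candidate("lib/unsigned.dll", b"unsigned.dll build 1.0.0", "1.0.0", "ExampleSoft", "library"),
    ]


if __name__ == "__main__":
    cands = build_candidates()
    for t in filter_risk_files(cands, UPDATE_LOG, VULN_LIST, RISK_TYPES):
        print("trusted:", t.path, t.sha256[:16])
    for c in cands:
        if c.risk_reasons:
            print("risk:", c.path, c.risk_reasons)
```

Only lib/helper.dll survives: viewer.exe has newer versions in the log, parser.dll is on the vulnerability list, nmap.exe matches a risk type, and the tampered and unsigned libraries fail signature verification. Note that the update-log check only works if the log identifies files the same way the candidates do (here by path within the package); if the publisher's log keys on product version rather than file, the candidate's version has to be derived from the package it came from.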
S104, generating a trusted file white list corresponding to the risk detection engine based on the target trusted files.
In this step the identification information of each target trusted file is determined and used to represent that file; the trusted file white list for the risk detection engine then records the identification information of every target trusted file.
The identification information must reflect the data of the target trusted file as a whole and must be unique, that is, one piece of identification information represents exactly one target trusted file. A cryptographic hash algorithm and/or the MD5 message digest algorithm can therefore be applied to the target trusted file, and the resulting hash value and/or MD5 value used as its identification information. MD5 collisions are practical to construct, so a white list keyed only on MD5 values would let an attacker craft a file that shares the digest of a trusted one; a collision-resistant hash such as SHA-256 should be the primary key.
Once the trusted file white list is available it can be used in risk detection. For example, the identification information of the file under inspection is determined first and looked up in the trusted file white list; if it is found, the file is treated directly as a trusted file, and if it is not, the risk detection engine performs risk detection on the file.
The identification information of the file under inspection is computed in the same way as for the target trusted files.
A newly released file may contain unknown vulnerabilities, so a previously determined target trusted file may later turn out to be vulnerable and the trusted file white list must be updated. When a trusted publisher discovers a new vulnerability it releases a new update file package; that package is acquired, the new trusted files are extracted from it, and the original white list is updated by deleting the identification information of the old version of the target trusted file and adding the identification information of the new trusted file. The trusted file white list is thus updated automatically.
After the new trusted files are extracted from the update package they can be filtered with the risk-marking method described above, which improves the accuracy of the white list.
To obtain the new version of each trusted file indicated in the white list, updates to the trusted file are tracked, and the new version file is acquired once the released version of the trusted file changes.
For example, the application program or operating system corresponding to each trusted file may be run in a simulated environment so that its own update logic is invoked to perform update detection.
For an operating system, its patch packages can be obtained and the new version files downloaded directly from the patch directory; for an application, the update package can be obtained directly from the publisher's official download channel, or through update detection on its update page.
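The white list generation in S104 and the version tracking just described can be illustrated together. The Python below is an added example rather than the patent's or ThreatBook's code; the file contents, publisher name and stand-in engine are constructed. It keys the white list on SHA-256, keeps a (publisher, path) index so that an update drops the old version's digest as the text requires, and short-circuits the engine on a hit.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class TrustedFile:
    publisher: str
    path: str
    version: str
    sha256: str


def file_id(data: bytes) -> str:
    """Identification information: a digest of the whole file. SHA-256 is the
    key; MD5 (also named in the text) is not collision resistant, so a list
    keyed on MD5 alone could be matched by an attacker-crafted file."""
    return hashlib.sha256(data).hexdigest()


class Whitelist:
    """Trusted file white list keyed by digest, with a (publisher, path) index so
    that a new version replaces the old entry instead of accumulating beside it."""

    def __init__(self) -> None:
        self._by_hash: Dict[str, TrustedFile] = {}
        self._by_name: Dict[Tuple[str, str], str] = {}

    def __len__(self) -> int:
        return len(self._by_hash)

    def add(self, tf: TrustedFile) -> None:
        self._by_hash[tf.sha256] = tf
        self._by_name[(tf.publisher, tf.path)] = tf.sha256

    def update(self, new: TrustedFile) -> Optional[TrustedFile]:
        """Replace the old version of the same file; returns the removed entry, if any."""
        old_hash = self._by_name.get((new.publisher, new.path))
        old = self._by_hash.pop(old_hash, None) if old_hash else None
        self.add(new)
        return old

    def lookup(self, data: bytes) -> Optional[TrustedFile]:
        return self._by_hash.get(file_id(data))

    def classify(self, data: bytes, engine: Callable[[bytes], str]) -> str:
        """A white list hit short-circuits the engine; everything else is scanned."""
        return "trusted" if self.lookup(data) is not None else engine(data)


def demo_engine(data: bytes) -> str:
    # Stand-in for the real risk detection engine (assumption).
    return "scanned-by-engine"


def run_example() -> Tuple[str, str, str, str, int]:
    wl = Whitelist()
    wl.add(TrustedFile("ExampleSoft", "bin/viewer.exe", "2.0.0", file_id(b"viewer.exe build 2.0.0")))
    before_old = wl.classify(b"viewer.exe build 2.0.0", demo_engine)   # trusted
    unknown = wl.classify(b"something else", demo_engine)              # scanned
    # Publisher ships 2.1.0: the old digest is dropped and the new one added.
    wl.update(TrustedFile("ExampleSoft", "bin/viewer.exe", "2.1.0", file_id(b"viewer.exe build 2.1.0")))
    after_old = wl.classify(b"viewer.exe build 2.0.0", demo_engine)    # scanned again
    after_new = wl.classify(b"viewer.exe build 2.1.0", demo_engine)    # trusted
    return before_old, unknown, after_old, after_new, len(wl)


if __name__ == "__main__":
    print(run_example())
```

Dropping the old digest on update is what makes the list enforce "current version only": after the update the 2.0.0 build goes back through the engine instead of being waved through. A deployment that needs a grace period for machines still running the old build should keep the old entry with an expiry time rather than leaving it in indefinitely.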
The white list generation method of the risk detection engine provided by this embodiment acquires a file package issued by at least one trusted publisher and extracts a plurality of candidate files from it; performs update detection on each candidate file to obtain an update detection result indicating whether an update file (an updated version of the candidate file) exists; filters risk files out of the candidate files based on each update detection result to obtain target trusted files; and generates a trusted file white list for the risk detection engine from the target trusted files. Using files issued by trusted publishers as candidates greatly reduces the probability that a risk file appears among them; update detection and the subsequent filtering eliminate lower-version candidates that may contain vulnerabilities, leaving the target trusted files; and generating the updatable white list from these files automates white list generation and improves its accuracy.
It will be understood by those of skill in the art that in the above method of the present embodiment, the order of writing the steps does not imply a strict order of execution and does not impose any limitations on the implementation, as the order of execution of the steps should be determined by their function and possibly inherent logic.
Based on the same inventive concept, the embodiment of the present disclosure further provides a white list generation apparatus of a risk detection engine corresponding to the white list generation method of the risk detection engine, and as the principle of the apparatus in the embodiment of the present disclosure for solving the problem is similar to the white list generation method of the risk detection engine in the embodiment of the present disclosure, the implementation of the apparatus may refer to the implementation of the method, and repeated details are omitted.
Referring to fig. 2, a schematic diagram of a white list generation apparatus of a risk detection engine according to an embodiment of the present disclosure is shown. The apparatus includes:
the extracting module 210 is configured to obtain a file package issued by at least one trusted issuer, and extract a plurality of candidate files from the file package;
the detection module 220 is configured to perform update detection on any one of the candidate files to obtain an update detection result of the candidate file; the update detection result indicates whether an update file corresponding to the candidate file exists or not; the update file is an update version of the candidate file;
a filtering module 230, configured to perform risk file filtering on the multiple candidate files based on the update detection result of each candidate file, so as to obtain a target trusted file;
a generating module 240, configured to generate a trusted file white list corresponding to the risk detection engine based on the target trusted file.
The method and the device have the following advantages: because the files issued by the trusted publishers are used as the candidate files, the probability that a risk file appears among the candidate files is greatly reduced; on this basis, update detection is performed on the candidate files and the candidate files are filtered based on the update detection results, so that candidate files of a lower version that may carry security vulnerabilities are removed and the target trusted file is obtained; finally, the target trusted file is used to generate an updatable file white list corresponding to the risk detection engine, so that white list generation is automated and the accuracy of the generated white list is improved.
In an optional implementation manner, the detection module 220 is specifically configured to:
acquiring a file update log of a trusted publisher corresponding to the candidate file;
and performing update detection on the candidate file based on the file update log to obtain an update detection result of the candidate file.
In an optional implementation manner, the filtering module 230 is specifically configured to:
marking the candidate files for which a corresponding update file exists as risk files;
and removing the marked risk files from the plurality of candidate files to obtain the target trusted file.
In an alternative embodiment, the filtering module 230 is further configured to, before removing the marked risk file from the plurality of candidate files:
acquiring a vulnerability file list corresponding to the trusted publisher; the vulnerability file list indicates files which are issued by the trusted publisher and have security vulnerabilities;
and marking the candidate files matched with the vulnerability file list in the plurality of candidate files as risk files.
In an alternative embodiment, the filtering module 230 is further configured to, before removing the marked risk file from the plurality of candidate files:
for any of the candidate files, determining whether the file type of the candidate file is matched with a target risk type;
and marking the candidate files with the file types matched with the target risk types as risk files.
In an alternative embodiment, before the filtering module 230 removes the marked risk file from the plurality of candidate files, it is further configured to:
and for any one of the candidate files, performing signature verification on the candidate file, and marking the candidate file which fails the signature verification as a risk file.
In an optional embodiment, after generating the trusted file white list corresponding to the risk detection engine, the generating module 240 is further configured to:
tracking updates to each trusted file indicated in the trusted file white list, and acquiring a new version file corresponding to the trusted file once the version of the trusted file has been updated;
and updating the trusted file white list based on the new version file.
In an alternative embodiment, the trusted publisher includes at least one of:
a trusted operating system publisher, a trusted application publisher, and a trusted application store.
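As an added illustration of the four marking criteria applied by the filtering module 230 (an update file exists, the file appears in the publisher's vulnerability list, the file type matches a target risk type, signature verification fails) and of the update tracking performed by the generating module 240, the following Python is example code written for this page, not code from the patent or its assignee. All inputs are constructed: the publisher "ExamplePub", its update log, vulnerability list and risk types are placeholders, and the publisher's code signature is modelled as an HMAC-SHA256 over the file content with a placeholder key, standing in for real code-signing verification.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed inputs for a hypothetical trusted publisher "ExamplePub". The
# publisher's code signature is modelled as HMAC-SHA256 over the file content
# with a placeholder key; a real pipeline would verify a proper code signature.
PUBLISHER_KEY = b"examplepub-placeholder-signing-key"   # constructed placeholder
UPDATE_LOG = {("app.exe", "1.0.0"): "1.0.1"}   # (name, version) -> newer version
VULN_LIST = {("core.sys", "5.1.0")}            # publisher-issued files with known flaws
RISK_TYPES = {".ps1", ".bat", ".vbs"}          # target risk types excluded by policy


@dataclass
class CandidateFile:
    name: str
    version: str
    publisher: str
    content: bytes
    signature: bytes
    risk: set = field(default_factory=set)     # reasons the file was marked as risk


def sign(content: bytes, key: bytes = PUBLISHER_KEY) -> bytes:
    """Stand-in for the publisher's signing step (used only to build samples)."""
    return hmac.new(key, content, hashlib.sha256).digest()


def file_digest(f: CandidateFile) -> str:
    """Whitelist key: SHA-256 of the file content."""
    return hashlib.sha256(f.content).hexdigest()


def build_sample_package() -> list:
    """Step 1: the files extracted from one constructed publisher package."""
    spec = [("app.exe", "1.0.0", b"app-v1"), ("lib.dll", "2.3.1", b"lib-v2"),
            ("helper.ps1", "1.0.0", b"script"), ("tool.exe", "3.0.0", b"tool-v3"),
            ("core.sys", "5.1.0", b"core-v5")]
    files = [CandidateFile(n, v, "ExamplePub", body, sign(body)) for n, v, body in spec]
    files[3].signature = b"\x00" * 32          # tool.exe: tampered, signature invalid
    return files


def detect_update(f: CandidateFile):
    """Step 2: update detection against the publisher's file update log."""
    return UPDATE_LOG.get((f.name, f.version))


def verify_signature(f: CandidateFile, key: bytes = PUBLISHER_KEY) -> bool:
    return hmac.compare_digest(sign(f.content, key), f.signature)


def filter_risk_files(files: list) -> list:
    """Step 3: mark risk files on four grounds, then drop every marked file."""
    for f in files:
        if detect_update(f) is not None:
            f.risk.add("superseded")            # an update exists: older, maybe vulnerable
        if (f.name, f.version) in VULN_LIST:
            f.risk.add("known-vulnerable")
        if any(f.name.lower().endswith(ext) for ext in RISK_TYPES):
            f.risk.add("risky-type")
        if not verify_signature(f):
            f.risk.add("bad-signature")
    return [f for f in files if not f.risk]


def generate_whitelist(trusted: list) -> dict:
    """Step 4: whitelist keyed by content hash so the engine can match by digest."""
    return {file_digest(f): (f.name, f.version, f.publisher) for f in trusted}


def track_update(whitelist: dict, old: CandidateFile, new: CandidateFile) -> dict:
    """Post-generation tracking: swap in a new version only if it verifies."""
    if new.name != old.name or not verify_signature(new):
        return whitelist
    whitelist.pop(file_digest(old), None)
    whitelist[file_digest(new)] = (new.name, new.version, new.publisher)
    return whitelist


if __name__ == "__main__":
    package = build_sample_package()
    whitelist = generate_whitelist(filter_risk_files(package))
    for f in package:
        print(f"{f.name:12} {f.version:6} {'trusted' if not f.risk else sorted(f.risk)}")
    print("whitelist entries:", whitelist)
```

Of the five constructed candidates only lib.dll survives all four checks; a later signed 2.4.0 build replaces its digest in the white list, while an unsigned build is rejected and the list is left unchanged.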
The description of the processing flow of each module in the device and the interaction flow between the modules may refer to the related description in the above method embodiments, and will not be described in detail here.
An embodiment of the present disclosure further provides a computer device, as shown in fig. 3, which is a schematic structural diagram of the computer device provided in the embodiment of the present disclosure, and includes:
a processor 31 and a memory 32; the memory 32 stores machine-readable instructions executable by the processor 31, the processor 31 is configured to execute the machine-readable instructions stored in the memory 32, and when the machine-readable instructions are executed by the processor 31, the processor 31 performs the following steps:
acquiring a file package issued by at least one trusted publisher, and extracting a plurality of candidate files from the file package;
for any one candidate file, performing update detection on the candidate file to obtain an update detection result of the candidate file; the update detection result indicates whether an update file corresponding to the candidate file exists or not; the update file is an updated version of the candidate file;
based on the update detection result of each candidate file, performing risk file filtering on the candidate files to obtain a target trusted file;
and generating a trusted file white list corresponding to a risk detection engine based on the target trusted file.
In an optional implementation manner, in the instructions executed by the processor 31, the performing update detection on the candidate file to obtain an update detection result of the candidate file includes:
acquiring a file update log of a trusted publisher corresponding to the candidate file;
and performing update detection on the candidate file based on the file update log to obtain an update detection result of the candidate file.
In an alternative embodiment, in the instructions executed by the processor 31, the risk file filtering on the plurality of candidate files based on the update detection result of each candidate file includes:
marking the candidate files for which a corresponding update file exists as risk files;
and removing the marked risk files from the plurality of candidate files to obtain the target trusted file.
In an alternative embodiment, before removing the marked risk file from the plurality of candidate files, the instructions executed by the processor 31 further include:
acquiring a vulnerability file list corresponding to the trusted publisher; the vulnerability file list indicates files which are issued by the trusted issuer and have security vulnerabilities;
and marking the candidate files matched with the vulnerability file list in the candidate files as risk files.
In an alternative embodiment, before removing the marked risk file from the plurality of candidate files, the instructions executed by the processor 31 further include:
for any of the candidate files, determining whether the file type of the candidate file is matched with a target risk type;
and marking the candidate files with the file types matched with the target risk types as risk files.
In an alternative embodiment, before removing the marked risk file from the plurality of candidate files, the instructions executed by the processor 31 further include:
performing signature verification on any one of the candidate files, and marking the candidate file that fails the signature verification as a risk file.
In an optional implementation manner, after generating the trusted file white list corresponding to the risk detection engine, the instructions executed by the processor 31 further include:
tracking updates to each trusted file indicated in the trusted file white list, and acquiring a new version file corresponding to the trusted file once the version of the trusted file has been updated;
and updating the trusted file white list based on the new version file.
In an alternative embodiment, in the instructions executed by the processor 31, the trusted publisher includes at least one of:
a trusted operating system publisher, a trusted application publisher, and a trusted application store.
The memory 32 includes an internal memory 321 and an external storage 322. The internal memory 321 temporarily holds the operation data of the processor 31 and the data exchanged with the external storage 322 (such as a hard disk); the processor 31 exchanges data with the external storage 322 via the internal memory 321.
For the specific execution process of the instruction, reference may be made to the steps of the white list generation method of the risk detection engine in the embodiment of the present disclosure, and details are not described here again.
The embodiments of the present disclosure further provide a computer-readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the computer program performs the steps of the white list generation method of the risk detection engine in the above method embodiments. The storage medium may be a volatile or non-volatile computer-readable storage medium.
An embodiment of the present disclosure further provides a computer program product, where the computer program product carries a program code, and an instruction included in the program code may be used to execute the step of the white list generation method of the risk detection engine in the foregoing method embodiment.
The computer program product may be implemented by hardware, software, or a combination thereof. In an alternative embodiment, the computer program product is embodied in a computer storage medium; in another alternative embodiment, the computer program product is embodied in a software product, such as a Software Development Kit (SDK).
It can be clearly understood by those skilled in the art that, for convenience and simplicity of description, the specific working process of the system and the apparatus described above may refer to the corresponding process in the foregoing method embodiment, and details are not described herein again. In the several embodiments provided in the present disclosure, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed coupling or direct coupling or communication connection between each other may be through some communication interfaces, indirect coupling or communication connection between devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present disclosure may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in software functional units and sold or used as a stand-alone product, may be stored in a non-transitory computer-readable storage medium executable by a processor. Based on such understanding, the technical solutions of the present disclosure, which are essential or part of the technical solutions contributing to the prior art, may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods described in the embodiments of the present disclosure. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
Finally, it should be noted that: the above-mentioned embodiments are merely specific embodiments of the present disclosure, which are used for illustrating the technical solutions of the present disclosure and not for limiting the same, and the scope of the present disclosure is not limited thereto, and although the present disclosure is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that: those skilled in the art can still make modifications or changes to the embodiments described in the foregoing embodiments, or make equivalent substitutions for some of the technical features, within the technical scope of the disclosure; such modifications, changes and substitutions do not depart from the spirit and scope of the embodiments disclosed herein, and they should be construed as being included therein. Therefore, the protection scope of the present disclosure shall be subject to the protection scope of the claims.

Claims (11)

1. A white list generation method of a risk detection engine is characterized by comprising the following steps:
acquiring a file package issued by at least one trusted issuer, and extracting a plurality of candidate files from the file package;
aiming at any one candidate file, carrying out update detection on the candidate file to obtain an update detection result of the candidate file; the update detection result indicates whether an update file corresponding to the candidate file exists or not; the update file is an update version of the candidate file;
based on the update detection result of each candidate file, performing risk file filtering on the candidate files to obtain a target trusted file;
and generating a trusted file white list corresponding to the risk detection engine based on the target trusted file.
2. The method according to claim 1, wherein the performing update detection on the candidate file to obtain an update detection result of the candidate file comprises:
acquiring a file update log of a trusted publisher corresponding to the candidate file;
and performing update detection on the candidate file based on the file update log to obtain an update detection result of the candidate file.
3. The method of claim 1, wherein said risk file filtering said plurality of candidate files based on said update detection result of each of said candidate files comprises:
marking the candidate files for which a corresponding update file exists as risk files;
and removing the marked risk files from the plurality of candidate files to obtain the target trusted file.
4. The method of claim 3, wherein prior to removing the flagged risk file from the plurality of candidate files, the method further comprises:
acquiring a vulnerability file list corresponding to the trusted publisher; the vulnerability file list indicates files which are issued by the trusted publisher and have security vulnerabilities;
and marking the candidate files matched with the vulnerability file list in the candidate files as risk files.
5. The method of claim 3, wherein prior to removing the flagged risk file from the plurality of candidate files, the method further comprises:
for any of the candidate files, determining whether the file type of the candidate file is matched with a target risk type;
and marking the candidate files with the file types matched with the target risk types as risk files.
6. The method of claim 3, wherein prior to removing the flagged risk file from the plurality of candidate files, the method further comprises:
and for any one of the candidate files, performing signature verification on the candidate file, and marking the candidate file which fails the signature verification as a risk file.
7. The method of claim 1, wherein after generating a whitelist of trusted files corresponding to a risk detection engine, the method further comprises:
tracking updates to each trusted file indicated in the trusted file white list, and acquiring a new version file corresponding to the trusted file once the version of the trusted file has been updated;
and updating the trusted file white list based on the new version file.
8. The method of claim 1, wherein the trusted publisher comprises at least one of:
a trusted operating system publisher, a trusted application publisher, and a trusted application store.
9. An apparatus for white list generation for a risk detection engine, comprising:
the extraction module is used for acquiring a file package issued by at least one trusted issuer and extracting a plurality of candidate files from the file package;
a detection module, configured to perform update detection on any one of the candidate files to obtain an update detection result of the candidate file; the update detection result indicates whether an update file corresponding to the candidate file exists or not; the update file is an updated version of the candidate file;
a filtering module, configured to perform risk file filtering on the plurality of candidate files based on the update detection result of each candidate file, so as to obtain a target trusted file;
and the generating module is used for generating a trusted file white list corresponding to the risk detection engine based on the target trusted file.
10. A computer device, comprising: a processor; and a memory storing machine-readable instructions executable by the processor, wherein the processor is configured to execute the machine-readable instructions stored in the memory, and when the machine-readable instructions are executed by the processor, the processor performs the steps of the white list generation method of a risk detection engine according to any one of claims 1 to 8.
11. A computer-readable storage medium, having stored thereon a computer program, which, when executed by a computer device, performs the steps of the method of white list generation for a risk detection engine according to any one of claims 1 to 8.
Application CN202310012757.1A, priority date 2023-01-05, filing date 2023-01-05: White list generation method and device of risk detection engine; status: pending; published as CN115935431A (en).


Publications (1)

Publication Number Publication Date
CN115935431A (en) 2023-04-07

Family

ID=86650972


Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9304980B1 (en) * 2007-10-15 2016-04-05 Palamida, Inc. Identifying versions of file sets on a computer system
CN111914249A (en) * 2020-08-11 2020-11-10 北京珞安科技有限责任公司 Program white list generation method, program updating method and device
CN112417437A (en) * 2020-10-28 2021-02-26 北京八分量信息科技有限公司 Trusted cloud platform based program white list generation method
CN113568841A (en) * 2021-08-18 2021-10-29 支付宝(杭州)信息技术有限公司 Risk detection method, device and equipment for applet
CN114253579A (en) * 2021-12-20 2022-03-29 杭州安恒信息技术股份有限公司 Software updating method, device and medium based on white list mechanism


Legal Events

Date Code Title Description
2023-04-07 PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication