CN116015727A - Method and device for determining attack direction of malicious document and electronic equipment - Google Patents


Publication number: CN116015727A
Authority: CN (China)
Legal status (as listed by Google Patents): Pending
Application number: CN202211537386.0A
Other languages: Chinese (zh)
Inventors: 邢洋, 李石磊, 肖新光
Assignee (current and original): Antiy Technology Group Co Ltd

Abstract

The embodiments of the application disclose a method, a device and electronic equipment for determining the attack direction of a malicious document. They relate to the technical field of network security and are intended to determine the industry targeted by a malicious document, providing detection capability for effectively revealing malicious behaviour in that industry's network environment. The method comprises the following steps: extracting keywords of the malicious document; calculating, according to a preset rule, the specific gravity value (a weighted proportion score) of those keywords in a first attack direction; comparing the specific gravity value with the attack threshold value of the first attack direction; and, if the specific gravity value is greater than or equal to the attack threshold value of the first attack direction, determining that the first attack direction is the attack direction targeted by the malicious document. The application is applicable to threat detection.

Description

Method and device for determining attack direction of malicious document and electronic equipment
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a method, an apparatus, an electronic device, and a readable storage medium for determining an attack direction of a malicious document.
Background
With the rapid development of internet technology, novel attack techniques emerge one after another: some use phishing websites to launch attacks, some adopt watering-hole attacks, and some directly send phishing mails to lure recipients into a trap. Among these, attacks that use malicious documents are particularly frequent and are often one of an attacker's main channels. However, current document detection methods can only judge whether a document is malicious; they cannot detect information such as the industry targeted by the malicious document. Determining the industry that a malicious document targets would provide detection capability for revealing malicious behaviour in that industry's network environment.
How to determine the industry targeted by a malicious document attack is therefore a technical problem to be solved by those skilled in the art.
Disclosure of Invention
In view of this, the embodiments of the present application provide a method, an apparatus, an electronic device, and a readable storage medium for determining an attack direction of a malicious document, which can determine an industry direction of attack of the malicious document, and provide a detection capability for effectively revealing a malicious behavior of an industry network environment.
In a first aspect, an embodiment of the present application provides a method for determining an attack direction of a malicious document, including: extracting keywords of malicious documents; calculating the specific gravity value of the keywords in the malicious document in the first attack direction according to a preset rule; comparing the specific gravity value with an attack threshold value of the first attack direction; and if the specific gravity value is larger than or equal to the attack threshold value of the first attack direction, determining that the first attack direction is the attack direction aimed by the malicious document.
According to a specific implementation manner of the embodiment of the present application, the extracting the keywords of the malicious document includes: preprocessing the malicious document; and extracting keywords of the preprocessed malicious document to obtain the keywords of the malicious document.
According to a specific implementation manner of the embodiment of the present application, the calculating, according to a preset rule, a specific gravity value of a keyword in the malicious document in a first attack direction includes: matching the keywords of the malicious document with preset keywords in the first attack direction, and determining target keywords in the first attack direction; the target keywords in the first attack direction are keywords matched with the keywords of the malicious document in preset keywords in the first attack direction; and determining the specific gravity value of the keywords of the malicious document according to a preset rule and the weight value of the target keywords.
According to a specific implementation manner of the embodiment of the present application, the keywords of the malicious document and the target keywords are one or more respectively; the determining the specific gravity value of the keywords of the malicious document according to the preset rule and the weight value of the target keywords comprises the following steps: extracting the weight value of the target keyword, and taking the weight value of the target keyword or the sum of the weight values of the target keywords as the specific gravity value of the keywords of the malicious document; or extracting the weight value of the target keyword, and taking the weighted value of the target keyword or the sum value added after weighting the weight value of each target keyword as the specific gravity value of the keyword of the malicious document.
According to a specific implementation manner of the embodiment of the present application, the matching the keyword of the malicious document with the preset keyword in the first attack direction includes: matching the keywords of the malicious document with keywords in a first attack direction in a preset recognition library; the preset identification library comprises various attack directions, keywords of various attack directions, weights of the keywords of various attack directions and attack thresholds of various attack directions.
According to a specific implementation manner of the embodiment of the application, the preset recognition library is determined according to the following steps: acquiring a malicious document in a known attack direction, and extracting keywords of the malicious document in the known attack direction; according to the keywords of the malicious documents under each known attack direction, determining the weight value of the keywords of the malicious documents under each known attack direction according to the importance degree of each known attack direction; determining an attack threshold value of each known attack direction according to the weight value of the keyword of the malicious document under each known attack direction; and determining the preset identification library according to each known attack direction, the keyword of the malicious document under each known attack direction, the weight value of the keyword of the malicious document under each known attack direction and the attack threshold value of each known attack direction.
According to a specific implementation manner of the embodiment of the present application, the attack direction includes: industry category or entity type.
In a second aspect, an embodiment of the present application provides a device for determining an attack direction of a malicious document, including: an extraction module, configured to extract keywords of the malicious document; a calculating module, configured to calculate the specific gravity value of the keywords in the malicious document in a first attack direction according to a preset rule; a comparison module, configured to compare the specific gravity value with an attack threshold value of the first attack direction; and a determining module, configured to determine that the first attack direction is the attack direction targeted by the malicious document if the specific gravity value is greater than or equal to the attack threshold value of the first attack direction.
In a third aspect, an embodiment of the present application provides an electronic device, including: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space surrounded by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory, and is configured to perform the method for determining the attack direction of the malicious document according to any one of the foregoing implementations.
In a fourth aspect, embodiments of the present application provide a computer readable storage medium storing one or more programs executable by one or more processors to implement the method for determining a direction of attack of a malicious document according to any one of the foregoing implementations.
According to the method, device, electronic equipment and readable storage medium for determining the attack direction of a malicious document, the specific gravity value of the keywords in the malicious document in the first attack direction is calculated according to a preset rule and compared with the attack threshold value of the first attack direction; if the specific gravity value is greater than or equal to that threshold, the first attack direction is determined to be the attack direction targeted by the malicious document. Implementing the method thus determines the industry targeted by the malicious document and provides detection capability for effectively revealing malicious behaviour in the industry's network environment.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of a method for determining an attack direction of a malicious document according to an embodiment of the present application;
FIG. 2 is a flowchart of a method for determining a direction of attack of a malicious document according to an embodiment of the present application;
FIG. 3 is a flowchart illustrating a method for determining a direction of attack of a malicious document according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of an apparatus for determining an attack direction of a malicious document according to an embodiment of the present application;
FIG. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Embodiments of the present application are described in detail below with reference to the accompanying drawings. It should be understood that the described embodiments are merely some, but not all, of the embodiments of the present application. All other embodiments, based on the embodiments herein, which would be apparent to one of ordinary skill in the art without making any inventive effort, are intended to be within the scope of the present application.
In order that those skilled in the art will better understand the technical concepts, embodiments and advantages of the examples of the present application, a detailed description will be given below by way of specific examples.
The method for determining the attack direction of the malicious document can determine the industry direction of the attack of the malicious document, and provides detection capability for effectively revealing the malicious behavior of the industry network environment.
Fig. 1 is a flowchart of a method for determining an attack direction of a malicious document according to an embodiment of the present application, as shown in fig. 1, where the method for determining an attack direction of a malicious document according to the embodiment may include:
S101, extracting keywords of the malicious document.
When a malicious document attacks a certain field (attack direction), keywords related to the attack direction appear in the document, for example, the keywords of the education industry can be "education department", "teacher", and the like.
The number of keywords of the extracted malicious document may be one or a plurality.
S102, calculating the specific gravity value of the keywords in the malicious document in the first attack direction according to a preset rule.
The first attack direction may be one of a plurality of attack directions. The attack direction is the attack field or the attack industry.
According to a preset rule, the specific gravity value of the keywords in the malicious document in the first attack direction can be calculated, and preparation is made for determining the attack direction aimed by the malicious document.
S103, comparing the specific gravity value with an attack threshold value of the first attack direction.
The attack threshold of the first attack direction may be a preset value.
Comparing the specific gravity value of the keywords in the malicious document in the first attack direction with the attack threshold value of the first attack direction.
S104, if the specific gravity value is larger than or equal to an attack threshold value of the first attack direction, determining that the first attack direction is the attack direction aimed by the malicious document.
Where the specific gravity value is greater than or equal to the attack threshold value of the first attack direction, the first attack direction is determined to be the attack direction targeted by the malicious document.
It will be appreciated that where the specific gravity value is smaller than the attack threshold value of the first attack direction, the first attack direction is not the attack direction targeted by the malicious document.
According to the embodiment, the keywords of the malicious document are extracted, the specific gravity value of those keywords in the first attack direction is calculated according to a preset rule, and the specific gravity value is compared with the attack threshold value of the first attack direction; if it is greater than or equal to the threshold, the first attack direction is determined to be the attack direction targeted by the malicious document. Implementing the method thus determines the industry targeted by the malicious document and provides detection capability for effectively revealing malicious behaviour in the industry's network environment.
A further embodiment of the present application, which is substantially the same as the above embodiment, is different in that the extracting keywords of the malicious document (S101) of the present embodiment may include:
S101a, preprocessing the malicious document.
The preprocessing may include format recognition, unpacking, unshelling, and/or splitting, among others. Preprocessing the malicious document to generate an operable document so as to extract keywords.
S101b, extracting keywords of the preprocessed malicious document to obtain keywords of the malicious document.
Keywords are extracted from the preprocessed malicious document according to its file format, for example PDF or Office.
In order to facilitate determining the specific gravity value of the keyword in the malicious document in the first attack direction, another embodiment of the present application, which is substantially the same as the above embodiment, is different in that according to a preset rule, calculating the specific gravity value of the keyword in the malicious document in the first attack direction (S102) may include:
S102a, matching the keywords of the malicious document with preset keywords in a first attack direction, and determining target keywords in the first attack direction.
In this embodiment, the target keyword in the first attack direction is a keyword that matches a keyword of the malicious document among preset keywords in the first attack direction.
The first attack direction may have a plurality of preset keywords, and the extracted keywords of the malicious document are matched against them. For example, if the preset keywords of the first attack direction are A, B, C and D, and the keywords extracted from the malicious document are A and C, then the extracted keywords A and C match the preset keywords A and C among A, B, C and D, so the preset keywords A and C of the first attack direction are the target keywords of the first attack direction.
S102b, determining the specific gravity value of the keywords of the malicious document according to the preset rule and the weight value of the target keywords.
In this embodiment, the preset keywords A and C in the first attack direction each have a weight value. Since the keywords A and C extracted from the malicious document match the preset keywords A and C in the first attack direction, the weight values of the preset keywords A and C may correspondingly be taken as the weight values of the keywords A and C extracted from the malicious document.
The specific gravity value of the keywords of the malicious document is then determined from the weight values of the keywords A and C according to the preset rule.
To simplify the computation, in some examples, the keywords of the malicious document and the target keywords are each one or more.
The keywords of the malicious document can be one, and the target keywords can be one; the number of keywords of the malicious document may be plural, and the number of target keywords may be plural.
In this embodiment, determining the specific gravity value of the keywords of the malicious document according to the preset rule and the weight value of the target keywords (S102b) may include:
A. Extracting the weight value of the target keyword, and taking the weight value of the target keyword, or the sum of the weight values of the target keywords, as the specific gravity value of the keywords of the malicious document.
When the malicious document has one keyword and there is one target keyword, the weight value of that target keyword is used as the specific gravity value of the keywords of the malicious document.
When the malicious document has a plurality of keywords and there are a plurality of target keywords, the sum of the weight values of the target keywords is used as the specific gravity value of the keywords of the malicious document; that is, the weight values of the target keywords are added directly and the sum is the specific gravity value.
To make the calculation result more accurate, in some examples, the weight value of the target keyword is extracted, and the weighted value of the weight value of the target keyword or the sum value added after weighting the weight values of the respective target keywords is used as the specific gravity value of the keywords of the malicious document.
And under the condition that the number of the keywords of the malicious document is one and the number of the target keywords is one, weighting the weight value of the extracted target keywords with a preset weight value, and taking the obtained value as the specific gravity value of the keywords of the malicious document.
When a plurality of keywords of a malicious document are provided and a plurality of target keywords are provided, the weight values of the target keywords are weighted, and the sum obtained by the weighting is added to be used as the specific gravity value of the keywords of the malicious document.
In some examples, matching the keywords of the malicious document with the preset keywords in the first attack direction may include:
B. Matching the keywords of the malicious document with the keywords of the first attack direction in a preset recognition library.
In this embodiment, the preset recognition library includes each attack direction, keywords of each attack direction, weights of the keywords of each attack direction, and attack thresholds of each attack direction, so that the attack direction of the malicious document can be determined by matching the keywords with the preset recognition library and then according to the specific gravity value of the keywords and the attack thresholds of the attack directions.
In some examples, the preset recognition library may be determined according to the following steps:
S105, acquiring a malicious document under a known attack direction, and extracting keywords of the malicious document under the known attack direction.
Keyword content extraction is performed on malicious documents with known attack directions, including, but not limited to, pdf content extraction and office content extraction.
S106, determining the weight value of the keyword of the malicious document in each known attack direction according to the importance degree of the malicious document in each known attack direction.
The weight value of a keyword is calculated by statistical analysis according to its importance degree in the attack direction. Specifically, for a known industry such as the education industry, suppose the education industry comprises N malicious documents (for example, Word documents), and keywords related to the education industry, such as "education department", "teacher" and "student", are extracted from them. The weight of a keyword is then calculated as follows. Taking the keyword "education department" as an example, if it occurs 100 times in the N malicious documents, its probability of occurrence in the N documents is p1 = 100/N, and this probability can be used as the weight value of the keyword in the education industry. The weight of the keyword may also be determined from the probability that it appears at different threat levels: for example, the N malicious documents are classified into five threat levels; if 1000 malicious documents are classified into the first level and "education department" appears 50 times in that level, its probability in the first level is p2 = 50/1000. The probability of "education department" in the other levels is calculated in the same way, for example its probability in the third level is p3, and the level-weighted probability of the keyword "education department" is p4 = p2 × 1 + p3 × 3.
To take the importance of the keywords into account from different dimensions, the two calculation methods can further be combined to determine the weight value of the keyword; still taking "education department" as an example, its weight value is w = p1 × p4.
S107, determining an attack threshold value of each known attack direction according to the weight value of the keyword of the malicious document under each known attack direction.
Taking one attack direction as an example, calculating the average value of the weight values of the keywords in the attack direction, and taking the average value as an attack threshold value of the attack direction.
S108, determining a preset recognition library according to known attack directions, keywords of malicious documents under the known attack directions, weight values of the keywords of the malicious documents under the known attack directions and attack thresholds of the known attack directions.
The preset recognition library is determined from the results of steps S105 to S107, so that it comprises all attack directions, the keywords of each attack direction, the weights of those keywords and the attack threshold of each attack direction, providing the technical preparation for determining the attack direction of a malicious document.
In some examples, the attack direction may include: industry category or entity type.
Industry categories may be categorized into telecommunications, banking, transportation, hydropower, and the like. Entity types include types of business units, national institutions, and the like.
That is, the method for determining the attack direction of the malicious document according to the embodiment of the application can be applied to each attack direction so as to find potential threats in different attack directions. The method can be applied to the following scenes:
referring to fig. 2, taking an example of a judicial department suffering from phishing network attacks, the hacking process is as follows:
step 1: by utilizing the phishing mail mode, an office malicious document attachment is sent to a worker of the judicial system.
Step 2: the judicial staff member opens the apparently normal Office document.
Step 3: the malicious Office document releases malicious code into the system through macro code, and execution of the malicious code establishes a backdoor that collects system information.
Step 4: after the system information is collected, the sensitive data gathered is stolen through a remote connection, achieving the purpose of secret theft, and the system continues to be monitored through the backdoor.
By extracting keyword content, constructing a domain keyword recognition library (the preset recognition library), and applying a multi-pattern matching decision algorithm (the method for determining the attack direction of the malicious document in the above embodiments), potential threats in the judicial system are found.
The following describes the embodiments of the present application in detail with reference to a specific example.
Referring to fig. 3, the method for determining the attack direction of a malicious document according to the present embodiment may include:
s01: collecting known malicious document samples;
collecting malicious compound document samples in known families and attack fields, and preparing for keyword extraction.
5S02: preprocessing malicious document samples;
preprocessing operations such as format recognition, unpacking, unshelling, splitting and the like are carried out on collected malicious documents, knowledge information such as attack fields, judging results, virus names, core behaviors and the like of the documents are extracted, and malicious document sets in different fields are formed.
S03: extracting the keyword content of a malicious document sample, and constructing a keyword recognition library;
Keyword content extraction is performed on the set of malicious documents of known domain, including but not limited to PDF content extraction and Office content extraction. A keyword recognition library is then generated from the extracted content; statistical analysis is carried out according to how representative each keyword is of the industry domain, and the weight value of the keyword is calculated. Finally, the threshold values of the keyword libraries of the different domains are obtained by probability statistical analysis, laying the foundation for the multi-pattern matching decision.
S04: preprocessing an input malicious document;
preprocessing operation is carried out on the input detection document, and a preprocessed operable document is generated.
S05: extracting keywords of malicious documents;
Keywords are extracted from the preprocessed detection document according to its file format, for example PDF or Office.
S06: multimode match decision detection.
And extracting classified keywords from the input malicious documents based on the keyword recognition library, and acquiring weights corresponding to the keywords from the recognition library. And then weighting the keywords to obtain the specific gravity value. And finally comparing the malicious document with a threshold value of a domain keyword library, and judging that the malicious document is an attack aiming at the domain if the malicious document is larger than or equal to the threshold value.
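As an added worked example (not the patent's or Antiy's own code), the following Python builds the recognition library of steps S105 to S108 (keyword weights w = p1 × p4, with the attack threshold taken as the mean weight of the direction) and then runs the detection pipeline of steps S01 to S06 against it. The sample documents, keyword lists, threat levels and the per-level multiplier (the level number, generalising the text's level 1 × 1 and level 3 × 3) are constructed assumptions; preprocessing is assumed already done, so every document is plain text.

```python
"""Keyword-weight attribution of a malicious document to an attack direction.

Added example following steps S105-S108 (library construction) and S01-S06
(detection) of the text; it is not the patent's own code. Constructed
assumptions: the sample documents, the keyword lists, the threat levels and
the per-level multiplier (level number, generalising "level 1 x 1, level 3
x 3"). Preprocessing (format recognition, unpacking) is assumed done, so
every document here is plain text.
"""
import re
from collections import defaultdict
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Preset keywords per attack direction ("education" is the text's example,
# "banking" is constructed). Phrases are matched whole, case-insensitively.
DIRECTION_KEYWORDS: Dict[str, List[str]] = {
    "education": ["education department", "teacher", "student"],
    "banking": ["bank", "account", "transfer"],
}

# Constructed training corpus: (known attack direction, threat level, text).
SAMPLES: List[Tuple[str, int, str]] = [
    ("education", 1, "Notice from the education department: all teacher "
                     "staff must read the attached circular."),
    ("education", 1, "Student enrollment statistics requested by the "
                     "education department."),
    ("education", 3, "Teacher evaluation form for each student, teacher "
                     "must sign."),
    ("education", 3, "Education department audit of teacher salaries."),
    ("banking", 1, "Your bank account has been locked; confirm the account "
                   "to restore access."),
    ("banking", 2, "Wire transfer confirmation from the bank is attached."),
    ("banking", 3, "Transfer the account balance to the bank branch listed "
                   "below."),
]


def count_keyword(text: str, keyword: str) -> int:
    """Occurrences of a keyword phrase as whole words, ignoring case."""
    pattern = r"\b" + re.escape(keyword) + r"\b"
    return len(re.findall(pattern, text, re.IGNORECASE))


def level_multiplier(level: int) -> int:
    """Assumed multiplier for threat level k: the text gives level 1 -> x1
    and level 3 -> x3, so the level number itself is used."""
    return level


def build_library(samples: List[Tuple[str, int, str]],
                  keywords: Dict[str, List[str]] = DIRECTION_KEYWORDS) -> Dict[str, dict]:
    """S105-S108: per direction, keyword weights w = p1 * p4 and the attack
    threshold, taken as the mean of that direction's keyword weights (S107)."""
    by_direction: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for direction, level, text in samples:
        by_direction[direction].append((level, text))
    library: Dict[str, dict] = {}
    for direction, docs in by_direction.items():
        by_level: Dict[int, List[str]] = defaultdict(list)
        for level, text in docs:
            by_level[level].append(text)
        weights: Dict[str, float] = {}
        for kw in keywords[direction]:
            # p1: total occurrences across the N documents, divided by N.
            p1 = sum(count_keyword(t, kw) for _, t in docs) / len(docs)
            # p4: occurrence rate within each threat level, scaled by level.
            p4 = sum(level_multiplier(lvl) * sum(count_keyword(t, kw) for t in texts) / len(texts)
                     for lvl, texts in by_level.items())
            weights[kw] = p1 * p4
        library[direction] = {"weights": weights, "threshold": mean(weights.values())}
    return library


def target_keywords(text: str, library: Dict[str, dict], direction: str) -> List[str]:
    """S102a: preset keywords of the direction that occur in the document."""
    return [kw for kw in library[direction]["weights"] if count_keyword(text, kw) > 0]


def specific_gravity(text: str, library: Dict[str, dict], direction: str,
                     factors: Optional[Dict[str, float]] = None) -> float:
    """S102b: sum of matched keyword weights (rule A); with per-keyword
    weighting factors, the sum of the weighted weights (rule B)."""
    factors = factors or {}
    return sum(library[direction]["weights"][kw] * factors.get(kw, 1.0)
               for kw in target_keywords(text, library, direction))


def determine_directions(text: str, library: Dict[str, dict],
                         factors: Optional[Dict[str, float]] = None) -> List[str]:
    """S103-S104: every attack direction whose specific gravity value reaches
    its attack threshold (a document may hit more than one, or none)."""
    return [d for d in library
            if specific_gravity(text, library, d, factors) >= library[d]["threshold"]]


if __name__ == "__main__":
    lib = build_library(SAMPLES)
    for d, entry in lib.items():
        print(d, {k: round(w, 3) for k, w in entry["weights"].items()},
              "threshold:", round(entry["threshold"], 3))
    doc = ("Dear teacher, the education department requires every student "
           "record to be updated; open the attached form.")
    print(target_keywords(doc, lib, "education"), determine_directions(doc, lib))
```

A document that matches only a low-weight keyword (for example just "student") stays below the education threshold, which is the filtering effect the threshold is meant to provide.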
According to the method, keywords can be effectively extracted aiming at malicious documents, further effective detection is carried out through the constructed keyword recognition library instead of relying on known rules, the field aimed by the malicious threats can be effectively detected, potential threats in network environments in different fields can be effectively found, and the defect that the traditional detection method cannot detect threat attack fields is overcome.
According to the embodiment, the keywords of the malicious document are extracted, the specific gravity value of those keywords in the first attack direction is calculated according to a preset rule, and the specific gravity value is compared with the attack threshold value of the first attack direction; if it is greater than or equal to the threshold, the first attack direction is determined to be the attack direction targeted by the malicious document. Implementing the method thus determines the industry targeted by the malicious document and provides detection capability for effectively revealing malicious behaviour in the industry's network environment. When the keywords of the malicious document are extracted, the document can first be preprocessed and the keywords extracted from the preprocessed document, which improves the efficiency of keyword extraction. To conveniently determine the specific gravity value of the keywords in the first attack direction, the keywords of the malicious document are matched with the preset keywords of the first attack direction to determine the target keywords, and the specific gravity value is determined according to the preset rule and the weight values of the target keywords. Specifically, the weight value of the target keyword, or the sum of the weight values of the target keywords, can be used as the specific gravity value; alternatively, the weighted weight value of the target keyword, or the sum of the weighted weight values of the target keywords, can be used as the specific gravity value.
When the keywords of the malicious document are matched with the preset keywords of the first attack direction, they can be matched with the keywords of the first attack direction in a preset recognition library. The preset recognition library can be determined as follows: a malicious document in a known attack direction is obtained and its keywords are extracted; the weight value of each keyword is determined according to the importance degree of the keyword in that known attack direction; the attack threshold value of the known attack direction is determined; and the library is formed from the known attack direction, the keywords of the malicious document in that direction, their weight values and the attack threshold value. The attack direction in the embodiments of the application can comprise an industry category or an entity type.
The device for determining the attack direction of the malicious document can determine the industry direction of the attack of the malicious document, and provides detection capability for effectively revealing the malicious behavior of the industry network environment.
Fig. 4 is a schematic structural diagram of an apparatus for determining an attack direction of a malicious document according to an embodiment of the present application. As shown in fig. 4, the apparatus of this embodiment includes: an extraction module 11, configured to extract keywords of a malicious document; a calculating module 12, configured to calculate a specific gravity value of the keywords in the malicious document in a first attack direction according to a preset rule; a comparing module 13, configured to compare the specific gravity value with an attack threshold value of the first attack direction; and a determining module 14, configured to determine that the first attack direction is the attack direction targeted by the malicious document if the specific gravity value is greater than or equal to the attack threshold value of the first attack direction.
The device of this embodiment may be used to implement the technical solution of the method embodiment shown in fig. 1, and its implementation principle and technical effects are similar, and are not described here again.
In this device, the keywords of the malicious document are extracted; the specific gravity value of the keywords in the malicious document in the first attack direction is calculated according to the preset rule; the specific gravity value is compared with the attack threshold value of the first attack direction; and if the specific gravity value is greater than or equal to the attack threshold value of the first attack direction, the first attack direction is determined to be the attack direction targeted by the malicious document. The industry direction attacked by the malicious document can thus be determined, which provides detection capability for effectively revealing malicious behavior in the industrial network environment.
As an optional embodiment, the extraction module is specifically configured to: preprocessing the malicious document; and extracting keywords of the preprocessed malicious document to obtain the keywords of the malicious document.
As an alternative embodiment, the computing module includes: the first determining submodule is used for matching the keywords of the malicious document with the preset keywords in the first attack direction and determining target keywords in the first attack direction; the target keywords in the first attack direction are keywords matched with the keywords of the malicious document in preset keywords in the first attack direction; and the second determining submodule is used for determining the specific gravity value of the keywords of the malicious document according to a preset rule and the weight value of the target keywords.
As an optional implementation manner, the keywords of the malicious document and the target keywords are one or more respectively; the second determining sub-module is specifically configured to: extracting the weight value of the target keyword, and taking the weight value of the target keyword or the sum of the weight values of the target keywords as the specific gravity value of the keywords of the malicious document; or extracting the weight value of the target keyword, and taking the weighted value of the target keyword or the sum value added after weighting the weight value of each target keyword as the specific gravity value of the keyword of the malicious document.
As an alternative embodiment, the first determining sub-module is specifically configured to: matching the keywords of the malicious document with keywords in a first attack direction in a preset recognition library; the preset identification library comprises various attack directions, keywords of various attack directions, weights of the keywords of various attack directions and attack thresholds of various attack directions.
As an alternative embodiment, the device is further configured to: acquire malicious documents of known attack directions and extract the keywords of the malicious documents in each known attack direction; determine, from the keywords of the malicious documents in each known attack direction, the weight value of each keyword according to its importance degree in that known attack direction; determine the attack threshold value of each known attack direction according to the weight values of the keywords of the malicious documents in that known attack direction; and determine the preset identification library from each known attack direction, the keywords of the malicious documents in each known attack direction, the weight values of those keywords, and the attack threshold value of each known attack direction.
As an alternative embodiment, the attack direction includes: industry category or entity type.
The device of the above embodiment may be used to implement the technical solution of the above method embodiment, and its implementation principle and technical effects are similar, and are not repeated here.
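The library-building and scoring procedure described in the method summary and in the device modules above, as an added Python illustration that is not part of the patent: the importance rule (share of a direction's sample documents containing the keyword), the threshold rule (half of the direction's total keyword weight), the stop list and the lure texts are all constructed assumptions, since the patent leaves the concrete rules open.

```python
import re
from collections import Counter

STOPWORDS = {"the", "a", "an", "of", "to", "and", "in", "for", "on", "please"}  # constructed stop list

def preprocess(text):
    """Preprocessing: lower-case, keep alphanumeric tokens, drop stopwords."""
    return [t for t in re.findall(r"[a-z][a-z0-9]+", text.lower()) if t not in STOPWORDS]

def extract_keywords(text):
    """Keyword extraction: term frequencies of the preprocessed document."""
    return Counter(preprocess(text))

def build_library(samples, min_docs=2, threshold_ratio=0.5):
    """Recognition library from documents of known attack direction.
    Assumed importance rule: weight = share of the direction's samples containing the
    keyword, keeping keywords seen in at least `min_docs` samples. Assumed threshold
    rule: `threshold_ratio` of the direction's total keyword weight."""
    library = {}
    for direction, docs in samples.items():
        doc_freq = Counter()
        for doc in docs:
            doc_freq.update(set(preprocess(doc)))  # count documents, not occurrences
        weights = {kw: n / len(docs) for kw, n in doc_freq.items() if n >= min_docs}
        library[direction] = {"keywords": weights,
                              "threshold": threshold_ratio * sum(weights.values())}
    return library

def specific_gravity(doc_keywords, direction_keywords, rule="sum"):
    """Specific-gravity value of a document for one direction. Target keywords are the
    direction's keywords also present in the document. rule="sum": add their weights;
    rule="weighted": add each weight multiplied by the keyword's frequency in the document."""
    targets = {kw: w for kw, w in direction_keywords.items() if kw in doc_keywords}
    if rule == "sum":
        return sum(targets.values())
    if rule == "weighted":
        return sum(w * doc_keywords[kw] for kw, w in targets.items())
    raise ValueError(f"unknown rule: {rule!r}")

def determine_attack_directions(text, library, rule="sum"):
    """{direction: value} for every direction whose value reaches its attack threshold."""
    doc_keywords = extract_keywords(text)
    hits = {}
    for direction, entry in library.items():
        value = specific_gravity(doc_keywords, entry["keywords"], rule)
        if value >= entry["threshold"]:
            hits[direction] = value
    return hits

# Constructed lure texts with a known attack direction (not real samples).
KNOWN_SAMPLES = {
    "energy": ["substation maintenance notice for grid operators",
               "grid outage report substation scada alarm",
               "scada patch required for grid substation controllers"],
    "finance": ["overdue invoice payment wire transfer",
                "invoice attached please confirm wire transfer",
                "swift payment confirmation invoice"],
}

if __name__ == "__main__":
    library = build_library(KNOWN_SAMPLES)  # energy threshold 4/3, finance threshold 1.5
    for text in ["grid substation scada outage please read attachment",
                 "invoice attached", "invoice wire"]:
        print(f"{text!r} -> {determine_attack_directions(text, library)}")
```

A document matching a single low-weight keyword ("invoice attached") stays below the finance threshold, while two matched keywords ("invoice wire") cross it, which is the threshold comparison the patent describes.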
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 5, the electronic device may include: a processor 62 and a memory 63 arranged on a circuit board 64, where the circuit board 64 is arranged in a space surrounded by a shell 61; a power supply circuit 65 for supplying power to the respective circuits or devices of the electronic device; the memory 63 for storing executable program code; and the processor 62, which executes a program corresponding to the executable program code by reading the executable program code stored in the memory 63, so as to perform any of the methods for determining the attack direction of a malicious document provided in the foregoing embodiments. The corresponding beneficial technical effects have been described in detail above and are not repeated here.
Such electronic devices exist in a variety of forms including, but not limited to:
(1) Mobile communication device: such devices are characterized by mobile communication capabilities and are primarily intended to provide voice and data communications. Such terminals include smart phones (e.g., iPhone), multimedia phones, feature phones, and low-end phones.
(2) Ultra mobile personal computer device: such devices are in the category of personal computers, having computing and processing functions, and generally also having mobile internet access characteristics. Such terminals include: PDA, MID, and UMPC devices, etc., such as iPad.
(3) Portable entertainment device: such devices can display and play multimedia content. They include audio and video players (e.g., iPod), handheld game consoles, e-book readers, smart toys, and portable car navigation devices.
(4) Server: a server comprises a processor, a hard disk, memory, a system bus, and the like, and is similar in architecture to a general-purpose computer, but because it must provide highly reliable services it has high requirements in terms of processing capacity, stability, reliability, security, scalability, and manageability.
(5) Other electronic devices with data interaction functions.
Accordingly, embodiments of the present application further provide a computer readable storage medium, where one or more programs are stored, where the one or more programs may be executed by one or more processors, so as to implement any one of the methods for determining an attack direction of a malicious document provided in the foregoing embodiments, and thus, corresponding technical effects may also be achieved, which have been described in detail above and will not be repeated herein.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In this specification, each embodiment is described in a related manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments.
In particular, for the device embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference is made to the description of the method embodiments in part.
For convenience of description, the above apparatus is described as being functionally divided into various units/modules, respectively. Of course, the functions of each unit/module may be implemented in one or more pieces of software and/or hardware when implementing the present application.
Those skilled in the art will appreciate that implementing all or part of the above-described methods in accordance with the embodiments may be accomplished by way of a computer program stored on a computer readable storage medium, which when executed may comprise the steps of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), or the like.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions easily conceivable by those skilled in the art within the technical scope of the present application should be covered in the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A method for determining the direction of attack of a malicious document, comprising:
extracting keywords of malicious documents;
calculating the specific gravity value of the keywords in the malicious document in the first attack direction according to a preset rule;
comparing the specific gravity value with an attack threshold value of the first attack direction;
and if the specific gravity value is larger than or equal to the attack threshold value of the first attack direction, determining that the first attack direction is the attack direction aimed by the malicious document.
2. The method of claim 1, wherein extracting keywords of a malicious document comprises:
preprocessing the malicious document;
and extracting keywords of the preprocessed malicious document to obtain the keywords of the malicious document.
3. The method according to claim 1, wherein calculating the specific gravity value of the keyword in the malicious document in the first attack direction according to the preset rule includes:
matching the keywords of the malicious document with preset keywords in the first attack direction, and determining target keywords in the first attack direction; the target keywords in the first attack direction are keywords matched with the keywords of the malicious document in preset keywords in the first attack direction;
and determining the specific gravity value of the keywords of the malicious document according to a preset rule and the weight value of the target keywords.
4. A method according to claim 3, wherein the keywords of the malicious document and the target keywords are one or more, respectively;
the determining the specific gravity value of the keywords of the malicious document according to the preset rule and the weight value of the target keywords comprises the following steps:
extracting the weight value of the target keyword, and taking the weight value of the target keyword or the sum of the weight values of the target keywords as the specific gravity value of the keywords of the malicious document; or
and extracting the weight value of the target keyword, and taking the weighted value of the target keyword or the sum value added after weighting the weight value of each target keyword as the specific gravity value of the keyword of the malicious document.
5. A method according to claim 3, wherein matching the keywords of the malicious document with the preset keywords in the first attack direction comprises:
matching the keywords of the malicious document with keywords in a first attack direction in a preset recognition library; the preset identification library comprises various attack directions, keywords of various attack directions, weights of the keywords of various attack directions and attack thresholds of various attack directions.
6. The method of claim 5, wherein the preset recognition library is determined according to the steps of:
acquiring a malicious document in a known attack direction, and extracting keywords of the malicious document in the known attack direction;
according to the keywords of the malicious documents under each known attack direction, determining the weight value of the keywords of the malicious documents under each known attack direction according to the importance degree of each known attack direction;
determining an attack threshold value of each known attack direction according to the weight value of the keyword of the malicious document under each known attack direction;
and determining the preset identification library according to each known attack direction, the keyword of the malicious document under each known attack direction, the weight value of the keyword of the malicious document under each known attack direction and the attack threshold value of each known attack direction.
7. The method of claim 1, wherein the attack direction comprises: industry category or entity type.
8. An apparatus for determining a direction of attack for a malicious document, comprising:
the extraction module is used for extracting keywords of the malicious document;
the calculating module is used for calculating the specific gravity value of the keywords in the malicious document in the first attack direction according to a preset rule;
a comparison module, configured to compare the specific gravity value with an attack threshold value of the first attack direction;
and the determining module is used for determining that the first attack direction is the attack direction aimed by the malicious document if the specific gravity value is larger than or equal to the attack threshold value of the first attack direction.
9. An electronic device, the electronic device comprising: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space surrounded by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; a processor runs a program corresponding to executable program code by reading the executable program code stored in the memory for performing the method of determining the direction of attack of a malicious document as claimed in any of the preceding claims 1-7.
10. A computer readable storage medium storing one or more programs executable by one or more processors to implement the method of determining a direction of attack of a malicious document of any of the preceding claims 1-7.
CN202211537386.0A 2022-12-02 2022-12-02 Method and device for determining attack direction of malicious document and electronic equipment Pending CN116015727A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211537386.0A CN116015727A (en) 2022-12-02 2022-12-02 Method and device for determining attack direction of malicious document and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211537386.0A CN116015727A (en) 2022-12-02 2022-12-02 Method and device for determining attack direction of malicious document and electronic equipment

Publications (1)

Publication Number Publication Date
CN116015727A true CN116015727A (en) 2023-04-25

Family

ID=86036195

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211537386.0A Pending CN116015727A (en) 2022-12-02 2022-12-02 Method and device for determining attack direction of malicious document and electronic equipment

Country Status (1)

Country Link
CN (1) CN116015727A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination