CN116861429B - Malicious detection method, device, equipment and medium based on sample behaviors - Google Patents


Info

Publication number
CN116861429B
Authority
CN
China
Prior art keywords
file
behavior
malicious
target
detected
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202311131111.1A
Other languages
Chinese (zh)
Other versions
CN116861429A (en)
Inventor
田国新
奚广生
白富宽
孙晋超
肖新光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Antiy Network Technology Co Ltd
Original Assignee
Beijing Antiy Network Technology Co Ltd
Application filed by Beijing Antiy Network Technology Co Ltd
Priority to CN202311131111.1A
Publication of CN116861429A
Application granted
Publication of CN116861429B
Legal status: Active (current)

Classifications

All classifications fall under G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING.

    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities (G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements)
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G06F21/565 Static detection by checking file integrity
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting (G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space)
    • G06F18/2433 Single-class perspective, e.g. one-against-all classification; Novelty detection; Outlier detection (G06F18/24 Classification techniques)
    • G06F18/253 Fusion techniques of extracted features (G06F18/25 Fusion techniques)
    • G06F2221/033 Test or assess software (G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms)

Abstract

The invention provides a malicious detection method, a device, equipment and a medium based on sample behaviors, which relate to the field of security detection, and the method comprises the following steps: acquiring a plurality of file behavior information of a file to be detected in a first preset time period; determining a target behavior vector of a file to be detected; inputting the target behavior vector into a target model to obtain a corresponding target file identifier; if the target file identifier is a malicious file identifier, the file to be detected is determined to be a malicious file. According to the method, the corresponding target behavior vector is obtained through the file behaviors of the file to be detected, the target behavior vector is input into the target model to obtain the corresponding target file identification, if the target file identification is the malicious file identification, the file to be detected is determined to be the malicious file, and whether the file to be detected is the malicious file or not is determined by comparing the file behaviors of the file to be detected with the malicious behaviors of the malicious sample file, so that the detection precision and the applicability are improved.

Description

Malicious detection method, device, equipment and medium based on sample behaviors
Technical Field
The present invention relates to the field of security detection, and in particular, to a method, apparatus, device, and medium for malicious detection based on sample behavior.
Background
Existing malicious file detection methods determine whether a file is malicious by checking file attributes, digital signatures, system-level detection and the like. Detection based on file attributes has poor accuracy and is prone to false detection. System-level detection generally targets only a single malicious type or a fixed combination of malicious types, which limits it, and separate execution code has to be designed for the detection of each malicious type, which raises the maintenance cost of the system.
Disclosure of Invention
In view of the above, the invention provides a malicious detection method, device, equipment and medium based on sample behavior, which at least partially solves the technical problems in the prior art that the method for detecting malicious files by detecting file attributes is poor in accuracy and easy to cause false detection, and adopts the following technical scheme:
According to one aspect of the present application, there is provided a sample behavior-based malicious detection method applied to a file detection system, the sample behavior-based malicious detection method including the steps of:
in response to receiving the file to be detected, after a first preset time period $T_1$ ends, acquiring file behavior information of a plurality of file behaviors performed by the file to be detected to obtain a first file behavior information set $Q=(Q_1,Q_2,\dots,Q_i,\dots,Q_n)$; wherein $i=1,2,\dots,n$; $n$ is the number of file behaviors performed by the file to be detected within $T_1$; $Q_i$ is the file behavior information of the $i$-th file behavior performed by the file to be detected within $T_1$; $T_1=[t_{11},t_{12}]$; $t_{11}<t_{12}$; $t_{11}$ is the start time of $T_1$, and $t_{11}$ is not earlier than the time of receiving the file to be detected; $t_{12}$ is the end time of $T_1$;
determining a target behavior vector $E=(E_1,E_2,\dots,E_a,\dots,E_b)$ of the file to be detected according to $Q$; $E_a$ is the behavior feature corresponding to the $a$-th target malicious behavior information in $E$; $E_a=1$ indicates that the file to be detected performed the target malicious behavior corresponding to $E_a$ during $T_1$; $E_a=0$ indicates that the file to be detected did not perform the target malicious behavior corresponding to $E_a$ during $T_1$;
inputting the target behavior vector E into a target model to obtain a corresponding target file identifier; the target model is obtained by training according to file behaviors of malicious sample files; the target file identifier is used for identifying whether the file to be detected is a malicious file or not;
If the target file identifier is a malicious file identifier, the file to be detected is determined to be a malicious file.
In an exemplary embodiment of the present application, the target behavior vector E is determined by:
acquiring a target malicious behavior information list $MB=(MB_1,MB_2,\dots,MB_a,\dots,MB_b)$; wherein $a=1,2,\dots,b$; $b$ is the number of preset target malicious behavior information items; $MB_a$ is the $a$-th preset target malicious behavior information; each piece of target malicious behavior information uniquely corresponds to a preset target malicious behavior;
traversing $MB$: if the target malicious behavior information corresponding to $MB_a$ exists in $Q$, setting $E_a=1$; otherwise, setting $E_a=0$; thereby obtaining the target behavior vector $E=(E_1,E_2,\dots,E_a,\dots,E_b)$; wherein $E_a$ is the behavior feature corresponding to the $a$-th target malicious behavior information in $E$.
In one exemplary embodiment of the application, the target malicious behavior information is determined by:
obtaining a plurality of file behavior information items performed by $m$ malicious sample files within a second preset time period $T_2=[t_{21},t_{22}]$ to obtain a sample file behavior information set $F=(F_1,F_2,\dots,F_j,\dots,F_m)$; $F_j=(F_{j1},F_{j2},\dots,F_{jd},\dots,F_{jf(j)})$; wherein $j=1,2,\dots,m$; $d=1,2,\dots,f(j)$; $f(j)$ is the number of file behavior information items performed by the $j$-th malicious sample file within $T_2$; $F_j$ is the file behavior information list corresponding to the $j$-th malicious sample file; $F_{jd}$ is the $d$-th file behavior information performed by the $j$-th malicious sample file within $T_2$; $t_{21}<t_{22}<t_{11}$; $(t_{22}-t_{21})=(t_{12}-t_{11})$; $t_{21}$ is the start time of $T_2$; $t_{22}$ is the end time of $T_2$;
performing deduplication processing on $F$ to obtain $b$ pieces of target malicious behavior information.
In an exemplary embodiment of the application, the object model is determined by:
obtaining the malicious behavior type identifiers corresponding to the $m$ malicious sample files to obtain a malicious behavior type identifier set $H=(H_1,H_2,\dots,H_j,\dots,H_m)$; wherein $H_j$ is the malicious behavior type identifier corresponding to the $j$-th malicious sample file;
determining the $e$ malicious behavior type identifiers obtained after deduplication of $H$ as malicious file identifiers;
obtaining $m$ second preset behavior feature vectors $G_1,G_2,\dots,G_j,\dots,G_m$ according to $F$; $G_j=(G_{j1},G_{j2},\dots,G_{ja},\dots,G_{jb})$; wherein $G_j$ is the second preset behavior feature vector corresponding to the $j$-th malicious sample file; $G_{ja}$ is the behavior feature corresponding to the $a$-th target malicious behavior information of the $j$-th malicious sample file;
traversing $G_j$: if the target malicious behavior information corresponding to $G_{ja}$ exists in $F_j$, determining $G_{ja}$ as 1; otherwise, determining $G_{ja}$ as 0;
determining $G_j$ as the malicious behavior vector of the $j$-th malicious sample file;
inputting $G_j$ and the malicious file identifier corresponding to the $j$-th malicious sample file into a preset model for training to obtain the target model.
In an exemplary embodiment of the present application, after the step of acquiring the file behavior information of a plurality of file behaviors performed by the file to be detected to obtain the first file behavior information set $Q=(Q_1,Q_2,\dots,Q_i,\dots,Q_n)$, the sample behavior-based malicious detection method further comprises the following steps:
if a plurality of target associated files having an association relationship with the file to be detected are detected within $T_1$, after $T_1$ ends, acquiring the file behavior information of the plurality of target associated files to obtain a second file behavior information set $R=(R_1,R_2,\dots,R_g,\dots,R_h)$; $R_g=(R_{g1},R_{g2},\dots,R_{gk},\dots,R_{gf(g)})$; wherein $g=1,2,\dots,h$; $k=1,2,\dots,f(g)$; $h$ is the number of target associated files; $f(g)$ is the number of file behavior information items performed by the $g$-th target associated file within $T_1$; $R_g$ is the file behavior information list corresponding to the $g$-th target associated file; $R_{gk}$ is the $k$-th file behavior information performed by the $g$-th target associated file within $T_1$;
determining the associated behavior vectors $M_1,M_2,\dots,M_g,\dots,M_h$ of the target associated files according to $R$; wherein the associated behavior vector $M_g$ corresponding to the $g$-th target associated file is obtained according to $R_g$;
determining a fusion behavior vector according to $E$ and $M_1,M_2,\dots,M_g,\dots,M_h$;
inputting the fusion behavior vector into a target model to obtain a corresponding fusion file identifier;
If the fusion file identifier is a malicious file identifier, determining the file to be detected and each target associated file as a malicious file.
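The fusion step above, as an added worked example in Python (this is not code from the patent or from the assignee). The patent does not specify how the fusion behavior vector is built from $E$ and $M_1,\dots,M_h$; the element-wise OR used here is an assumption of this example, as are the behavior names, file names and identifiers, which are constructed. The example also shows what the fusion adds: target behaviors that only the associated files performed.

```python
# Constructed target malicious behaviour list MB; position a of every vector
# refers to MB[a]. Names are invented for this example.
MB = ["autostart", "registry_modify", "file_scan", "file_encrypt", "network_send"]


def encode_behavior_vector(observed, mb=MB):
    """Feature a is 1 if MB_a occurs in the observed behaviour list, else 0."""
    observed_set = set(observed)
    return [1 if behavior in observed_set else 0 for behavior in mb]


def fuse_behavior_vectors(e, associated):
    """Assumed fusion rule: element-wise OR of E with every M_g, so the fused
    vector records a target behaviour if the file to be detected or any of its
    associated files performed it during T1."""
    fused = list(e)
    for m in associated:
        if len(m) != len(fused):
            raise ValueError("all behaviour vectors must have the same length b")
        fused = [x | y for x, y in zip(fused, m)]
    return fused


def fusion_detection(q, r_lists, mb=MB):
    """Builds E from Q and M_g from each R_g, and returns the fusion vector
    together with the behaviours contributed only by the associated files."""
    e = encode_behavior_vector(q, mb)
    ms = [encode_behavior_vector(r, mb) for r in r_lists]
    fused = fuse_behavior_vectors(e, ms)
    only_from_associates = [mb[a] for a in range(len(mb))
                            if fused[a] == 1 and e[a] == 0]
    return fused, only_from_associates


def propagate_verdict(file_name, associated_names, fusion_identifier,
                      malicious_identifiers):
    """If the fusion file identifier is a malicious file identifier, the file
    to be detected and every target associated file are determined malicious."""
    is_malicious = fusion_identifier in malicious_identifiers
    return {name: is_malicious for name in [file_name, *associated_names]}


if __name__ == "__main__":
    # Constructed input: the detected file only self-starts; its associated
    # files carry out the rest of the sequence.
    print(fusion_detection(["autostart"],
                           [["registry_modify", "file_scan"], ["file_encrypt"]]))
```

The split across files is the point of the embodiment: each file on its own shows an incomplete behavior sequence, and only the fused vector exposes the whole combination to the target model.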
In an exemplary embodiment of the present application, the $b$ pieces of target malicious behavior information correspond to $u$ behavior monitoring policies; wherein the behavior monitoring list of the $p$-th behavior monitoring policy is $N_p=(N_{p1},N_{p2},\dots,N_{py},\dots,N_{pf(p)})$; $p=1,2,\dots,u$; $y=1,2,\dots,f(p)$; $f(p)$ is the number of target malicious behavior information items corresponding to the $p$-th behavior monitoring policy; $\sum_{p=1}^{u} f(p)=b$; $N_{py}$ is the $y$-th target malicious behavior information corresponding to the $p$-th behavior monitoring policy;
after the step of obtaining the target behavior vector $E=(E_1,E_2,\dots,E_a,\dots,E_b)$, the sample behavior-based malicious detection method further comprises the following steps:
monitoring target malicious behavior information corresponding to the file to be detected through each behavior monitoring strategy;
if, at time $t_{12}$ of the current $T_1$, the behavior features in $E$ corresponding to $N_{p1},N_{p2},\dots,N_{py},\dots,N_{pf(p)}$ are all 1, then stopping the behavior monitoring of the file to be detected by the $p$-th behavior monitoring policy at time $t_{11}$ of the next $T_1$.
According to an aspect of the present application, there is provided a sample behavior-based malicious detection apparatus including:
the behavior acquisition module is used for, upon receiving the file to be detected and after a first preset time period $T_1$ ends, acquiring file behavior information of a plurality of file behaviors performed by the file to be detected to obtain a first file behavior information set $Q=(Q_1,Q_2,\dots,Q_i,\dots,Q_n)$; wherein $i=1,2,\dots,n$; $n$ is the number of file behaviors performed by the file to be detected within $T_1$; $Q_i$ is the file behavior information of the $i$-th file behavior performed by the file to be detected within $T_1$; $T_1=[t_{11},t_{12}]$; $t_{11}<t_{12}$; $t_{11}$ is the start time of $T_1$, and $t_{11}$ is not earlier than the time of receiving the file to be detected; $t_{12}$ is the end time of $T_1$;
the vector determination module is used for determining a target behavior vector $E=(E_1,E_2,\dots,E_a,\dots,E_b)$ of the file to be detected according to $Q$; $E_a$ is the behavior feature corresponding to the $a$-th target malicious behavior information in $E$; $E_a=1$ indicates that the file to be detected performed the target malicious behavior corresponding to $E_a$ during $T_1$; $E_a=0$ indicates that the file to be detected did not perform the target malicious behavior corresponding to $E_a$ during $T_1$;
the identification determining module is used for inputting the target behavior vector E into the target model to obtain a corresponding target file identification; the target model is obtained by training according to file behaviors of malicious sample files; the target file identifier is used for identifying whether the file to be detected is a malicious file or not;
and the malicious judgment module is used for determining the file to be detected as a malicious file when the target file identifier is a malicious file identifier.
According to one aspect of the present application, there is provided a non-transitory computer readable storage medium having stored therein at least one instruction or at least one program loaded and executed by a processor to implement the aforementioned sample behavior-based malicious detection method.
According to one aspect of the present application, there is provided an electronic device comprising a processor and the aforementioned non-transitory computer-readable storage medium.
The application has at least the following beneficial effects:
According to the method, the file behaviors of the file to be detected are acquired and used to determine its target behavior vector; the target behavior vector is input into the target model to obtain the corresponding target file identifier; and if the target file identifier is a malicious file identifier, the file to be detected is determined to be a malicious file. Because the target model is obtained from the file behaviors of malicious sample files, the file behaviors of the file to be detected are detected and compared against combinations of multiple malicious behaviors of the malicious sample files to determine whether it is a malicious file, which improves detection precision and applicability.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of a malicious detection method based on sample behavior according to an embodiment of the present invention;
fig. 2 is a block diagram of a malicious detection device based on sample behavior according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to fall within the scope of the invention.
A malicious detection method based on sample behaviors is applied to a file detection system, and the file detection system is used for carrying out malicious detection on a file to be detected and detecting whether the file to be detected is a malicious file or not.
As shown in fig. 1, the malicious detection method based on sample behavior includes the following steps:
step S100, in response to receiving the file to be detected, in a first preset time period T 1 After the completion, acquiring file behavior information of a plurality of file behaviors performed by the file to be detected to obtain a first file behavior information set Q= (Q) 1 ,Q 2 ,...,Q i ,...,Q n ) The method comprises the steps of carrying out a first treatment on the surface of the Wherein i=1, 2, n; n is the T of the file to be detected 1 The number of file actions performed internally; q (Q) i For the file to be detected at T 1 File behavior information of the ith file behavior performed internally; t (T) 1 =[t 11 ,t 12 ];t 11 <t 12 ;t 11 Is T 1 Corresponding start time, and t 11 Not earlier than the time of receiving the file to be detected; t is t 12 Is T 1 A corresponding deadline;
the file to be detected is a file which is received by the file detection system and is not subjected to malicious detection, after the file detection system receives the file to be detected, a plurality of file behavior information of the file to be detected is obtained, and the file to be detected is subjected to malicious detection by detecting the file behavior information of the file to be detected. Each file behavior information corresponds to a file behavior, the file behavior comprises self-starting, registry generation, scanning, encryption, information stealing and other behaviors, the file behavior comprises normal file behavior and abnormal file behavior, and the abnormal file behavior is the behavior of stealing or stealing user information or system information. And comprehensively judging whether the file to be detected executes malicious behaviors by detecting all file behaviors of the file to be detected in a first preset time period, and then judging whether the file to be detected is a malicious file.
The single file behavior of most malicious files at present appears to be normal file behavior, such as registry modification, file encryption, etc., and such file behavior may be performed within normal rights or by a user, or may be abnormal registry modification behavior or file encryption behavior triggered by a luxury file. Therefore, it cannot be determined whether it is an abnormal file behavior by judging its single file behavior. However, in order to achieve the purpose of stealing and embezzling user information, a malicious file usually performs continuous file behaviors, for example, a file is searched for the purpose of searching, and a series of file behaviors such as registry authority modification, file scanning, file encryption and the like are performed. If the file to be detected performs the above continuous file behaviors, the file to be detected has a high probability of being a file of the file to be detected. Therefore, the method and the device judge whether the file to be detected is a malicious file or not by acquiring the continuous file behaviors executed by the file to be detected and performing behavior coding on the file behaviors executed by the file to be detected.
The first preset time period is the time period of the file detection system after receiving the file to be detected, namely t 11 The time can be the time when the file detection system receives the file to be detected, or the time set by the file detection system, the file to be detected can be monitored in the server system, or the file to be detected can be placed in a sandboxAnd performing behavior monitoring. If the size of the file to be detected is smaller than the preset file size value, the behavior types performed by the file to be detected are fewer, the behavior monitoring can be directly performed in the server system, if the size of the file to be detected is larger than or equal to the preset file size value, the executable behavior types of the file to be detected are more, the file to be detected is placed in a sandbox for safety, the behavior of the file to be detected is monitored in the sandbox, and even if the file to be detected performs malicious behaviors, the server system is not damaged. And carrying out malicious detection on the file to be detected in the sandbox, and if the file to be detected is not a malicious file, moving the file to the server system from the sandbox, so that the information security of the server system is ensured.
If the file to be detected is at T 1 If no target association file exists in the file, executing step S200-step S400; if at T 1 When a plurality of target associated files having an association relationship with the file to be detected are detected, malicious detection is performed by using the file to be detected and the file behavior information of the target associated files in a first preset time period, so as to further improve the accuracy of malicious detection, and specific embodiments of using the target associated files can be referred to the description after step S200-step S400, which is not repeated herein.
Step S200, determining a target behavior vector $E=(E_1,E_2,\dots,E_a,\dots,E_b)$ of the file to be detected according to $Q$; $E_a$ is the behavior feature corresponding to the $a$-th target malicious behavior information in $E$; $E_a=1$ indicates that the file to be detected performed the target malicious behavior corresponding to $E_a$ during $T_1$; $E_a=0$ indicates that the file to be detected did not perform the target malicious behavior corresponding to $E_a$ during $T_1$;
Step S200 covers the case in which the file to be detected has no corresponding target associated file; the target behavior vector is then determined from the file behaviors of the file to be detected alone.
Wherein, the target behavior vector E is determined by the following steps:
step S210, obtaining a target malicious behavior information list mb= (M)B 1 ,MB 2 ,...,MB a ,...,MB b ) The method comprises the steps of carrying out a first treatment on the surface of the Wherein a=1, 2, b; b is the number of preset target malicious behavior information; MB (MB) a Target malicious behavior information preset for the a-th; each piece of target malicious behavior information uniquely corresponds to a preset target malicious behavior;
The target malicious behavior information is known behavior information of a known malicious file preset by the invention, and the target malicious behavior information list MB is obtained by vectorizing the target malicious behavior information. The file behaviors corresponding to the same position in different feature vectors are the same, and each behavior feature in the target malicious behavior information list MB corresponds to a file behavior.
The target malicious behavior information is information corresponding to known malicious behaviors or malicious behaviors acquired through malicious sample files at present, the malicious behaviors are abnormal file behaviors, each target malicious behavior information corresponds to a behavior monitoring strategy, and the behavior monitoring strategy is a method for monitoring behaviors of files to be detected by a file detection system.
Step S220, traversing $MB$: if the target malicious behavior information corresponding to $MB_a$ exists in $Q$, setting $E_a=1$; otherwise, setting $E_a=0$; thereby obtaining the target behavior vector $E=(E_1,E_2,\dots,E_a,\dots,E_b)$; wherein $E_a$ is the behavior feature corresponding to the $a$-th target malicious behavior information in $E$;
The method for determining the target behavior vector is the same as that for determining an associated behavior vector: whether the file behaviors of the file to be detected contain each corresponding target malicious behavior is checked; if so, the corresponding behavior feature in the target malicious behavior information list $MB$ is determined to be 1, otherwise it is determined to be 0.
Step S231, monitoring target malicious behavior information corresponding to the file to be detected through each behavior monitoring strategy;
each behavior monitoring strategy corresponds to a plurality of pieces of target malicious behavior information, namely, each behavior monitoring strategy monitors each corresponding target malicious behavior.
Step S232, if, at time $t_{12}$ of the current $T_1$, the behavior features in $E$ corresponding to $N_{p1},N_{p2},\dots,N_{py},\dots,N_{pf(p)}$ are all 1, then stopping the behavior monitoring of the file to be detected by the $p$-th behavior monitoring policy at time $t_{11}$ of the next $T_1$.
At time $t_{12}$, if all target malicious behaviors corresponding to one of the behavior monitoring policies are detected to have been executed, that is, the file to be detected executed every target malicious behavior corresponding to that policy within $T_1$, the policy is stopped, which reduces the computing load and saves system resources.
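Steps S231 and S232 (and the same embodiment in the summary above), as an added worked example in Python; this is not code from the patent or from the assignee. The two monitoring policies, their behavior lists $N_p$ and the behavior names are constructed for the example; the policies are chosen so that their lists partition the $b$ target behaviors, matching $\sum_{p=1}^{u} f(p)=b$.

```python
# Constructed policy definitions (not from the patent): u = 2 behaviour
# monitoring policies; N_p lists the target malicious behaviours policy p watches.
POLICIES = {
    "encryption_policy": ["registry_modify", "file_scan", "file_encrypt"],
    "exfiltration_policy": ["autostart", "credential_read", "network_send"],
}

# The b target malicious behaviours, i.e. the positions a of the vector E.
MB = [behavior for watched in POLICIES.values() for behavior in watched]


def policies_cover_all_targets(policies=POLICIES, mb=MB):
    """Checks the stated constraint: the f(p) sum over all policies equals b."""
    return sum(len(watched) for watched in policies.values()) == len(mb)


def encode_behavior_vector(observed, mb=MB):
    """E_a = 1 when target behaviour MB_a was observed during T1, else 0."""
    observed_set = set(observed)
    return [1 if behavior in observed_set else 0 for behavior in mb]


def policies_to_stop(e, policies=POLICIES, mb=MB):
    """Step S232 check at t12 of the current T1: a policy is stopped for the
    next period when every behaviour N_py it watches has feature 1 in E."""
    position = {behavior: a for a, behavior in enumerate(mb)}
    return [name for name, watched in policies.items()
            if all(e[position[behavior]] == 1 for behavior in watched)]


def next_period_policies(observed, active, policies=POLICIES, mb=MB):
    """Policies that keep monitoring the file in the next T1 (from t11 on),
    after applying the stop rule to the behaviours observed in the current T1."""
    e = encode_behavior_vector(observed, mb)
    stopped = set(policies_to_stop(e, policies, mb))
    return [name for name in active if name not in stopped]


if __name__ == "__main__":
    # Constructed observation: the whole encryption sequence was seen, so the
    # encryption policy has nothing left to wait for.
    seen = ["registry_modify", "file_scan", "file_encrypt", "autostart"]
    print(next_period_policies(seen, list(POLICIES)))
```

A policy is only retired once every behavior in its list has been recorded; a partial match (for example only registry modification and scanning) keeps the policy active, since the remaining behavior is exactly what distinguishes the full malicious sequence from a benign one.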
The target malicious behavior information is determined through the following steps:
step S211, obtaining a plurality of pieces of file behavior information performed by m malicious sample files within a second preset time period T_2 = [t_21, t_22], to obtain a sample file behavior information set F = (F_1, F_2, ..., F_j, ..., F_m); F_j = (F_j1, F_j2, ..., F_jd, ..., F_jf(j)); where j = 1, 2, ..., m; d = 1, 2, ..., f(j); f(j) is the number of pieces of file behavior information performed by the j-th malicious sample file within T_2; F_j is the file behavior information list corresponding to the j-th malicious sample file; F_jd is the d-th piece of file behavior information performed by the j-th malicious sample file within T_2; t_21 < t_22 < t_11; (t_22 - t_21) = (t_12 - t_11); t_21 is the start time corresponding to T_2; t_22 is the deadline corresponding to T_2;
Each piece of target malicious behavior information corresponds to a target malicious behavior. The target malicious behaviors are determined through malicious sample files; a malicious sample file is a known malicious file, or a malicious file from a certain statistical period, or a historical malicious file stored in the server database. The file behaviors of the m malicious sample files within T_2 are obtained, T_2 being a historical time period; since the same file behavior may be executed by different malicious sample files, all the obtained file behaviors are deduplicated.
Step S212, performing deduplication processing on F to obtain b pieces of target malicious behavior information.
After the file behaviors of all the malicious sample files are deduplicated, b file behaviors are obtained and determined to be the target malicious behaviors, and the corresponding information is the target malicious behavior information.
Step S300, inputting a target behavior vector E into a target model to obtain a corresponding target file identifier; the target model is obtained by training according to file behaviors of malicious sample files; the target file identifier is used for identifying whether the file to be detected is a malicious file or not;
After the target behavior vector is obtained, the target behavior vector is input into a target model, a corresponding target file identifier is output by the target model, and whether the file to be detected is a malicious file is judged through the target file identifier.
Wherein the target model is determined by:
step S310, obtaining the malicious behavior type identifiers corresponding to the m malicious sample files to obtain a malicious behavior type identifier set H = (H_1, H_2, ..., H_j, ..., H_m); wherein H_j is the malicious behavior type identifier corresponding to the j-th malicious sample file;
each malicious sample file corresponds to a malicious behavior type identifier, the malicious behavior type identifier represents the identifier of the malicious behavior type performed by the corresponding malicious sample file, and the malicious behavior type is a malicious attack type and represents the attack means of the corresponding malicious sample file.
Step S320, determining e malicious behavior type identifiers obtained after the duplication removal processing of the H as malicious file identifiers;
Correspondingly, since the malicious behavior type identifiers of different malicious sample files may be identical, deduplication is needed, and the resulting malicious behavior type identifiers are determined to be the malicious file identifiers.
Step S330, obtaining m second preset behavior feature vectors G_1, G_2, ..., G_j, ..., G_m according to F; G_j = (G_j1, G_j2, ..., G_ja, ..., G_jb); wherein G_j is the second preset behavior feature vector corresponding to the j-th malicious sample file; G_ja is the behavior characteristic corresponding to the a-th target malicious behavior information of the j-th malicious sample file; the target malicious behavior corresponding to G_ja is the same as the target malicious behavior corresponding to E_a;
presetting a second preset behavior feature vector corresponding to each malicious sample file according to file behaviors of the malicious sample files.
Step S340, traversing G_j; if the target malicious behavior information corresponding to G_ja exists in F_j, G_ja is determined to be 1; otherwise, G_ja is determined to be 0;
if the file behaviors of the malicious sample file comprise target malicious behaviors, determining the behavior characteristics in the corresponding second preset behavior characteristic vector to be 1, otherwise, determining the behavior characteristics to be 0.
Step S350, determining G_j as the malicious behavior vector of the j-th malicious sample file;
step S360, inputting G_j and the malicious file identifier corresponding to the j-th malicious sample file into a preset model for training, to obtain the target model.
Inputting each malicious behavior vector and a corresponding malicious file identifier into a preset model to train to obtain a target model, and enabling the target model to output the corresponding file identifier according to the input behavior vector.
Step S400, if the target file identifier is a malicious file identifier, determining the file to be detected as a malicious file.
The target behavior vector is input into the target model to obtain the target file identifier; if the target file identifier is a malicious file identifier, the corresponding file to be detected is a malicious file.
According to the method, the target behavior vector of the file to be detected is determined by acquiring the file behaviors of the file to be detected, the target behavior vector is input into the target model to obtain the corresponding target file identifier, and if the target file identifier is a malicious file identifier the file to be detected is determined to be a malicious file. Because the target model is obtained from the file behaviors of malicious sample files, the file behaviors of the file to be detected are compared against the combinations of multiple malicious behaviors of the malicious sample files to determine whether it is a malicious file, which improves detection precision and applicability.
The case in which a plurality of target associated files having an association relation with the file to be detected are detected within T_1 is described in detail below:
After T_1 ends, acquiring the file behavior information of the plurality of target associated files; determining the corresponding associated behavior vector according to the file behavior information corresponding to each target associated file; determining the target behavior vector of the file to be detected according to the plurality of pieces of file behavior information corresponding to the file to be detected; obtaining a fusion behavior vector according to the target behavior vector and all the associated behavior vectors; inputting the fusion behavior vector into the target model to obtain a corresponding fusion file identifier; if the fusion file identifier is a malicious file identifier, determining the file to be detected and each target associated file to be malicious files.
The target associated file is a file having an association relation with the file to be detected, where the association relation is a relation such as downloading, releasing or triggering; if the file to be detected executes an action such as downloading, releasing or triggering within T_1 and a corresponding downloaded file, released file or triggered file is generated, the generated file is determined to be a target associated file. Existing malicious files exhibit associated information stealing: for example, file A does not itself execute a malicious action such as information stealing, but after file A enters the server system it executes a downloading action that generates a corresponding file B, and file B executes the malicious information-stealing action. Because file A only executes the downloading action, and the downloading action is not malicious, the current security detection method does not intercept or detect it; it releases the first file after detecting that the first file carries no malicious information, so the subsequently generated file also needs to be detected. Therefore, the corresponding malicious detection is also carried out on the target associated files corresponding to the file to be detected.
In some embodiments, the associated behavior vector corresponding to a target associated file is generated in a manner similar to the generation of the target behavior vector provided in steps S210-S220. However, when generating the associated behavior vector, the target malicious behavior information list MB in steps S210-S220 is replaced with a third preset behavior feature vector related to the target associated file. Optionally, the file behaviors corresponding to the behavior features of the third preset behavior feature vector of the target associated file are consistent with the target malicious behavior information list MB.
The associated behavior vector shows the file behaviors executed by the corresponding target associated file within T_1. In each associated behavior vector, a behavior characteristic of 1 indicates that the corresponding target associated file executed the corresponding target malicious behavior within T_1, and a behavior characteristic of 0 indicates that it did not; thus, whether each target associated file executed the target malicious behaviors can be known by checking each associated behavior vector.
The fusion behavior vector represents the behaviors executed by the file to be detected and the target associated files together. The behaviors executed by the file to be detected alone, or by a single target associated file alone, may not be malicious while their combination may be; therefore the fusion behavior vector obtained by fusing the target behavior vector with each associated behavior vector needs to be detected.
The target model is a model obtained by training according to malicious behaviors of malicious sample files, the fusion behavior vector is input into the target model, the target model outputs a fusion file identifier corresponding to the fusion behavior vector, and whether the file to be detected and the corresponding target associated file are malicious files or not is determined by verifying the fusion file identifier.
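The following Python is an added worked example, not the patent's implementation, of steps S211-S212 (building MB), S220/S340 (behavior vectors), S310-S360 (malicious file identifiers and model training) and the fusion of the target behavior vector with the associated behavior vectors described above; the behavior names, the sample set, the nearest-neighbour stand-in for the unspecified "preset model" and the element-wise OR used for fusion are all assumptions made here.

```python
"""
Added illustration (not the patent's own code) of steps S210-S220, S211-S212,
S310-S360 and the fusion of associated behavior vectors. Behavior names, the
sample set, the Hamming-distance "preset model" and the element-wise OR used for
fusion are assumptions made for this example; the patent leaves them open.
"""

# Constructed sample set: m = 4 malicious sample files observed within T_2.
# F[j] = file behaviors of the j-th sample; H[j] = its malicious behavior type identifier.
F = [
    ["download", "create_file", "read_credentials", "http_post"],
    ["download", "read_credentials", "http_post", "registry_persist"],
    ["enumerate_files", "encrypt_files", "delete_shadow_copies"],
    ["enumerate_files", "encrypt_files", "delete_shadow_copies", "drop_ransom_note"],
]
H = ["infostealer", "infostealer", "ransomware", "ransomware"]


def target_malicious_behaviors(sample_behaviors):
    """S211-S212: deduplicate all sample behaviors into the list MB (b entries).
    Order of first appearance is kept so that index a is stable."""
    mb = []
    for behaviors in sample_behaviors:
        for behavior in behaviors:
            if behavior not in mb:
                mb.append(behavior)
    return mb


def behavior_vector(observed, mb):
    """S220 / S340: entry a is 1 if the a-th target malicious behavior was observed, else 0."""
    observed = set(observed)
    return tuple(1 if behavior in observed else 0 for behavior in mb)


def train_model(sample_behaviors, type_identifiers, mb):
    """S310-S360: the malicious file identifiers are the deduplicated type identifiers;
    the 'preset model' is assumed to be a 1-nearest-neighbour memory of (G_j, H_j)."""
    identifiers = list(dict.fromkeys(type_identifiers))  # S320: dedup, keep order
    memory = [(behavior_vector(beh, mb), ident)
              for beh, ident in zip(sample_behaviors, type_identifiers)]
    return {"identifiers": identifiers, "memory": memory}


def classify(model, vector, max_distance=0):
    """Return the malicious file identifier of the closest training vector, or
    'benign' when no training vector lies within max_distance (Hamming)."""
    best_ident, best_dist = "benign", None
    for train_vec, ident in model["memory"]:
        dist = sum(x != y for x, y in zip(train_vec, vector))
        if dist <= max_distance and (best_dist is None or dist < best_dist):
            best_ident, best_dist = ident, dist
    return best_ident


def fuse(target_vector, associated_vectors):
    """Fusion behavior vector: assumed here to be the element-wise OR, i.e. the set of
    target malicious behaviors executed by the file and its associated files together."""
    fused = list(target_vector)
    for vec in associated_vectors:
        fused = [x | y for x, y in zip(fused, vec)]
    return tuple(fused)


def detect(model, mb, q_behaviors, associated_behaviors=(), max_distance=0):
    """S220-S400 for one file to be detected plus its target associated files.
    Returns (target file identifier, fusion file identifier)."""
    e = behavior_vector(q_behaviors, mb)
    target_id = classify(model, e, max_distance)
    ms = [behavior_vector(r, mb) for r in associated_behaviors]
    fusion_id = classify(model, fuse(e, ms), max_distance) if ms else target_id
    return target_id, fusion_id


MB = target_malicious_behaviors(F)
MODEL = train_model(F, H, MB)

if __name__ == "__main__":
    # File A only downloads and writes file B; B alone reads credentials and posts them.
    # Neither matches a sample on its own; their fused vector does.
    a_behaviors = ["download", "create_file"]
    b_behaviors = ["read_credentials", "http_post"]
    print("MB =", MB)
    print("A alone  :", detect(MODEL, MB, a_behaviors))
    print("B alone  :", detect(MODEL, MB, b_behaviors))
    print("A with B :", detect(MODEL, MB, a_behaviors, [b_behaviors]))
```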
Further, in step S100 of another embodiment, obtaining a plurality of file behavior information of the file to be detected performed within the first preset time period, further includes:
step S001, obtaining file characteristics of a file to be detected;
the file characteristics comprise one or more of hash values, file structure information, MD5 values, file code characteristics and the like of the file to be detected, and whether the file to be detected is a malicious file is judged through detection of the file characteristics of the file to be detected.
Step S002, detecting file characteristics to obtain detection results corresponding to the files to be detected;
Detection of the file characteristics is a preliminary detection of the file to be detected, and since the file characteristic detection method is convenient, the file characteristics are detected first. If the file characteristic detection shows that the file to be detected is a malicious file, it is determined to be a malicious file without the subsequent detection steps, which simplifies the malicious detection process; if the file characteristic detection shows that it is not a malicious file, its file characteristics are normal characteristics, and the subsequent detection steps continue.
Further, in step S002, the file feature is detected to obtain a detection result corresponding to the file to be detected, including:
step S0021, comparing the hash value, the file structure information, the MD5 value and the file code characteristic of the file to be detected with a preset abnormal hash value, a preset abnormal file structure information, a preset abnormal MD5 value and a preset abnormal file code characteristic to obtain a detection result corresponding to the file to be detected;
step S0022, if the hash value is the same as the preset abnormal hash value, or the file structure information is the same as the preset abnormal file structure information, or the MD5 value is the same as the preset abnormal MD5 value, or the file code feature is the same as the preset abnormal file code feature, the detection result indicates that the file to be detected is a malicious file; otherwise, the detection result indicates that the file to be detected is not a malicious file.
Because the number of the abnormal file features is smaller than that of the normal file features and the abnormal file features are easy to acquire, the file features of the file to be detected are compared with the abnormal file features to obtain corresponding detection results, and the abnormal file features can be called from a data storage library of a server system or can be obtained by analyzing malicious sample files.
If one of the file characteristics of the file to be detected is the same as the corresponding abnormal file characteristic, the file to be detected is a malicious file, and if all the file characteristics of the file to be detected are different from the corresponding abnormal file characteristic, the file to be detected is not a malicious file, and further, the subsequent steps are needed to detect the file to be detected, and whether the file to be detected is a malicious file is further judged.
Step S003, if the detection result corresponding to the file to be detected indicates that the file to be detected is not a malicious file, acquiring a plurality of file behavior information of the file to be detected in a first preset time period.
The present invention also provides a malicious detection device 100 based on sample behavior, as shown in fig. 2, including:
a behavior acquisition module 110, configured to, when the file to be detected is received, acquire, after a first preset time period T_1 ends, file behavior information of a plurality of file behaviors performed by the file to be detected to obtain a first file behavior information set Q = (Q_1, Q_2, ..., Q_i, ..., Q_n); wherein i = 1, 2, ..., n; n is the number of file behaviors performed by the file to be detected within T_1; Q_i is the file behavior information of the i-th file behavior performed by the file to be detected within T_1; T_1 = [t_11, t_12]; t_11 < t_12; t_11 is the start time corresponding to T_1, and t_11 is not earlier than the time of receiving the file to be detected; t_12 is the deadline corresponding to T_1;
the vector determination module 120 is configured to determine, according to Q, a target behavior vector E = (E_1, E_2, ..., E_a, ..., E_b) of the file to be detected; E_a is the behavior characteristic corresponding to the a-th target malicious behavior information in E; E_a = 1 indicates that the file to be detected performed the target malicious behavior corresponding to E_a during T_1; E_a = 0 indicates that the file to be detected did not perform the target malicious behavior corresponding to E_a during T_1;
the identification determining module 130 is configured to input the target behavior vector E into the target model, to obtain a corresponding target file identification; the target model is obtained by training according to file behaviors of malicious sample files; the target file identifier is used for identifying whether the file to be detected is a malicious file or not;
the malicious judgment module 140 is configured to determine the file to be detected as a malicious file when the target file identifier is a malicious file identifier.
Embodiments of the present invention also provide a computer program product comprising program code for causing an electronic device to carry out the steps of the method according to the various exemplary embodiments of the invention as described in the specification, when said program product is run on the electronic device.
Furthermore, although the steps of the methods in the present disclosure are depicted in a particular order in the drawings, this does not require or imply that the steps must be performed in that particular order or that all illustrated steps be performed in order to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform, etc.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, including several instructions to cause a computing device (may be a personal computer, a server, a mobile terminal, or a network device, etc.) to perform the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided.
Those skilled in the art will appreciate that the various aspects of the invention may be implemented as a system, method, or program product. Accordingly, aspects of the invention may be embodied in the following forms, namely: an entirely hardware embodiment, an entirely software embodiment (including firmware, micro-code, etc.) or an embodiment combining hardware and software aspects, which may be referred to herein as a "circuit," "module" or "system."
An electronic device according to this embodiment of the invention. The electronic device is merely an example, and should not impose any limitations on the functionality and scope of use of embodiments of the present invention.
The electronic device is in the form of a general purpose computing device. Components of an electronic device may include, but are not limited to: the at least one processor, the at least one memory, and a bus connecting the various system components, including the memory and the processor.
Wherein the memory stores program code that is executable by the processor to cause the processor to perform steps according to various exemplary embodiments of the invention described in the "exemplary methods" section of this specification.
The storage may include readable media in the form of volatile storage, such as Random Access Memory (RAM) and/or cache memory, and may further include Read Only Memory (ROM).
The storage may also include a program/utility having a set (at least one) of program modules including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
The bus may be one or more of several types of bus structures including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus architectures.
The electronic device may also communicate with one or more external devices (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device, and/or with any device (e.g., router, modem, etc.) that enables the electronic device to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface. And, the electronic device may also communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet, through a network adapter. As shown, the network adapter communicates with other modules of the electronic device over a bus. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with an electronic device, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, including several instructions to cause a computing device (may be a personal computer, a server, a terminal device, or a network device, etc.) to perform the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, a computer-readable storage medium having stored thereon a program product capable of implementing the method described above in the present specification is also provided. In some possible embodiments, the various aspects of the invention may also be implemented in the form of a program product comprising program code for causing a terminal device to carry out the steps according to the various exemplary embodiments of the invention as described in the "exemplary methods" section of this specification, when said program product is run on the terminal device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, Random Access Memory (RAM), Read-Only Memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable signal medium may include a data signal propagated in baseband or as part of a carrier wave with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
Furthermore, the above-described drawings are only schematic illustrations of processes included in the method according to the exemplary embodiment of the present invention, and are not intended to be limiting. It will be readily appreciated that the processes shown in the above figures do not indicate or limit the temporal order of these processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, for example, among a plurality of modules.
It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any changes or substitutions easily contemplated by those skilled in the art within the scope of the present invention should be included in the present invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.

Claims (9)

1. A malicious detection method based on sample behavior, which is applied to a file detection system, the method comprising the following steps:
in response to receiving the file to be detected, after a first preset time period T_1 ends, acquiring file behavior information of a plurality of file behaviors performed by the file to be detected to obtain a first file behavior information set Q = (Q_1, Q_2, ..., Q_i, ..., Q_n); wherein i = 1, 2, ..., n; n is the number of file behaviors performed by the file to be detected within T_1; Q_i is the file behavior information of the i-th file behavior performed by the file to be detected within T_1; T_1 = [t_11, t_12]; t_11 < t_12; t_11 is the start time corresponding to T_1, and t_11 is not earlier than the time of receiving the file to be detected; t_12 is the deadline corresponding to T_1; the file behaviors corresponding to the plurality of pieces of file behavior information in the first file behavior information set are continuous file behaviors executed by the file to be detected within the first preset time period T_1;
determining, according to Q, a target behavior vector E = (E_1, E_2, ..., E_a, ..., E_b) of the file to be detected; E_a is the behavior characteristic corresponding to the a-th target malicious behavior information in E; E_a = 1 indicates that the file to be detected performed the target malicious behavior corresponding to E_a during T_1; E_a = 0 indicates that the file to be detected did not perform the target malicious behavior corresponding to E_a during T_1;
inputting the target behavior vector E into a target model to obtain a corresponding target file identifier; the target model is obtained by training according to file behaviors of malicious sample files; the target file identifier is used for identifying whether the file to be detected is a malicious file or not;
if the target file identifier is a malicious file identifier, determining the file to be detected as a malicious file;
wherein, after the step of acquiring file behavior information of a plurality of file behaviors performed by the file to be detected to obtain the first file behavior information set Q = (Q_1, Q_2, ..., Q_i, ..., Q_n), the method further comprises:
if a plurality of target associated files having an association relation with the file to be detected are detected within T_1, after T_1 ends, acquiring file behavior information of the plurality of target associated files to obtain a second file behavior information set R = (R_1, R_2, ..., R_g, ..., R_h); R_g = (R_g1, R_g2, ..., R_gk, ..., R_gf(g)); wherein g = 1, 2, ..., h; k = 1, 2, ..., f(g); h is the number of target associated files; f(g) is the number of pieces of file behavior information performed by the g-th target associated file within T_1; R_g is the file behavior information list corresponding to the g-th target associated file; R_gk is the k-th piece of file behavior information performed by the g-th target associated file within T_1; the file behaviors corresponding to the plurality of pieces of file behavior information in each file behavior information list of the second file behavior information set are continuous file behaviors executed within the first preset time period T_1 by the target associated file corresponding to that file behavior information list;
determining, according to R, the associated behavior vectors M_1, M_2, ..., M_g, ..., M_h of the target associated files; wherein the associated behavior vector M_g corresponding to the g-th target associated file is obtained according to R_g;
determining a fusion behavior vector according to E, M_1, M_2, ..., M_g, ..., M_h;
inputting the fusion behavior vector into a target model to obtain a corresponding fusion file identifier;
if the fusion file identifier is a malicious file identifier, determining the file to be detected and each target associated file as a malicious file;
the obtaining the file behavior information of the file behaviors performed by the file to be detected includes:
acquiring file characteristics of a file to be detected;
detecting file characteristics to obtain a detection result corresponding to the file to be detected;
if the detection result corresponding to the file to be detected indicates that the file to be detected is not a malicious file, acquiring a plurality of file behavior information of the file to be detected in a first preset time period.
2. The method according to claim 1, characterized in that the target behavior vector E is determined by:
acquiring a target malicious behavior information list MB = (MB_1, MB_2, ..., MB_a, ..., MB_b); wherein a = 1, 2, ..., b; b is the number of preset pieces of target malicious behavior information; MB_a is the a-th preset piece of target malicious behavior information; each piece of target malicious behavior information uniquely corresponds to a preset target malicious behavior;
traversing MB; if the target malicious behavior information corresponding to MB_a exists in Q, obtaining E_a = 1; otherwise, obtaining E_a = 0; so as to obtain the target behavior vector E = (E_1, E_2, ..., E_a, ..., E_b); wherein E_a is the behavior characteristic corresponding to the a-th target malicious behavior information in E.
3. The method of claim 2, wherein the target malicious behavior information is determined by:
acquiring a plurality of pieces of file behavior information performed by $m$ malicious sample files within a second preset time period $T_2 = [t_{21}, t_{22}]$ to obtain a sample file behavior information set $F = (F_1, F_2, \ldots, F_j, \ldots, F_m)$; $F_j = (F_{j1}, F_{j2}, \ldots, F_{jd}, \ldots, F_{jf(j)})$; wherein $j = 1, 2, \ldots, m$; $d = 1, 2, \ldots, f(j)$; $f(j)$ is the number of pieces of file behavior information performed by the $j$-th malicious sample file within $T_2$; $F_j$ is the file behavior information list corresponding to the $j$-th malicious sample file; $F_{jd}$ is the $d$-th piece of file behavior information performed by the $j$-th malicious sample file within $T_2$; $t_{21} < t_{22} < t_{11}$; $(t_{22} - t_{21}) = (t_{12} - t_{11})$; $t_{21}$ is the start time corresponding to $T_2$; $t_{22}$ is the deadline corresponding to $T_2$;
performing deduplication processing on $F$ to obtain $b$ pieces of target malicious behavior information.
4. The method according to claim 3, wherein the target model is determined by:
acquiring malicious behavior type identifiers corresponding to the $m$ malicious sample files to obtain a malicious behavior type identifier set $H = (H_1, H_2, \ldots, H_j, \ldots, H_m)$; wherein $H_j$ is the malicious behavior type identifier corresponding to the $j$-th malicious sample file;
determining the $e$ malicious behavior type identifiers obtained after deduplication processing of $H$ as malicious file identifiers;
obtaining $m$ second preset behavior feature vectors $G_1, G_2, \ldots, G_j, \ldots, G_m$ according to $F$; $G_j = (G_{j1}, G_{j2}, \ldots, G_{ja}, \ldots, G_{jb})$; wherein $G_j$ is the second preset behavior feature vector corresponding to the $j$-th malicious sample file; $G_{ja}$ is the behavior feature of the $j$-th malicious sample file corresponding to the $a$-th piece of target malicious behavior information;
training a preset model according to $G$ to obtain the target model.
5. The method according to claim 4, wherein training the preset model according to $G$ to obtain the target model comprises:
traversing $G_j$: if the target malicious behavior information corresponding to $G_{ja}$ exists in $F_j$, determining $G_{ja}$ as 1; otherwise, determining $G_{ja}$ as 0;
determining $G_j$ as the malicious behavior vector of the $j$-th malicious sample file;
inputting $G_j$ and the malicious file identifier corresponding to the $j$-th malicious sample file into the preset model for training, to obtain the target model.
6. The method according to claim 2, wherein the $b$ pieces of target malicious behavior information correspond to $u$ behavior monitoring policies; wherein the behavior monitoring list of the $p$-th behavior monitoring policy is $N_p = (N_{p1}, N_{p2}, \ldots, N_{py}, \ldots, N_{pf(p)})$; $p = 1, 2, \ldots, u$; $y = 1, 2, \ldots, f(p)$; $f(p)$ is the number of pieces of target malicious behavior information corresponding to the $p$-th behavior monitoring policy; $\sum_{p=1}^{u} f(p) = b$; $N_{py}$ is the $y$-th piece of target malicious behavior information corresponding to the $p$-th behavior monitoring policy;
after the step of obtaining the target behavior vector $E = (E_1, E_2, \ldots, E_a, \ldots, E_b)$, the method further comprises:
monitoring, through each behavior monitoring policy, the target malicious behavior information corresponding to the file to be detected;
if at time $t_{12}$ of the current $T_1$ the behavior features in $E$ corresponding to $N_{p1}, N_{p2}, \ldots, N_{py}, \ldots, N_{pf(p)}$ are all 1, then at time $t_{11}$ of the next $T_1$, stopping the behavior monitoring of the $p$-th behavior monitoring policy on the file to be detected.
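The following is an added example, not code from the patent or its assignee, showing the behavior-vector pipeline of claims 2 to 6 over constructed data: deduplication of sample behaviors into the target malicious behavior list MB (claim 3), one-hot behavior vectors E and G_j (claims 2 and 5), and the per-policy monitoring stop rule (claim 6). The behavior names and samples are placeholders, and the nearest-neighbour `classify` function is an assumed stand-in for the trained target model, whose type the claims do not specify.

```python
# Added example (not the patent's own code): the behaviour-vector pipeline of
# claims 2-6 over constructed data. Behaviour names are placeholders, and the
# nearest-neighbour "target model" is an assumed stand-in, since the claims do
# not specify the model type.
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed: behaviour lists F_j of m=3 malicious samples observed in T_2,
# and their malicious behaviour type identifiers H_j.
SAMPLE_BEHAVIORS: List[List[str]] = [
    ["create_process", "write_autorun", "connect_remote"],
    ["write_autorun", "delete_backups", "encrypt_files"],
    ["create_process", "connect_remote", "create_process"],
]
SAMPLE_TYPES: List[str] = ["dropper", "ransomware", "dropper"]
Model = List[Tuple[List[int], str]]


def target_malicious_behaviors(samples: Sequence[Sequence[str]]) -> List[str]:
    """Claim 3: deduplicate every behaviour seen across F -> MB_1..MB_b."""
    return list(dict.fromkeys(b for f in samples for b in f))


def behavior_vector(observed: Sequence[str], mb: Sequence[str]) -> List[int]:
    """Claims 2 and 5: component a is 1 iff MB_a appears in the observed list."""
    present = set(observed)
    return [1 if b in present else 0 for b in mb]


def train_target_model(samples, types, mb: Sequence[str]) -> Model:
    """Claim 5: pair each malicious behaviour vector G_j with its identifier H_j."""
    return [(behavior_vector(f, mb), h) for f, h in zip(samples, types)]


def classify(e: Sequence[int], model: Model, max_distance: int = 1) -> Optional[str]:
    """Assumed stand-in for the trained model: label of the nearest G_j by
    Hamming distance, or None (not malicious) if nothing is within max_distance."""
    def dist(gv): return sum(x != y for x, y in zip(e, gv[0]))
    best = min(model, key=dist)
    return best[1] if dist(best) <= max_distance else None


def policies_to_stop(e: Sequence[int], mb: Sequence[str],
                     policies: Dict[str, List[str]]) -> List[str]:
    """Claim 6: a policy p is stopped for the next T_1 when every behaviour
    N_p1..N_pf(p) it monitors already has feature value 1 at t_12."""
    idx = {b: i for i, b in enumerate(mb)}
    return [p for p, names in policies.items() if all(e[idx[b]] == 1 for b in names)]


if __name__ == "__main__":
    mb = target_malicious_behaviors(SAMPLE_BEHAVIORS)
    model = train_target_model(SAMPLE_BEHAVIORS, SAMPLE_TYPES, mb)
    q = ["write_autorun", "encrypt_files", "delete_backups"]  # constructed Q
    e = behavior_vector(q, mb)
    print(mb, e, classify(e, model))  # last value: 'ransomware'
```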
7. A sample behavior-based malicious detection device, comprising:
a behavior acquisition module, configured to, when a file to be detected is received, after a first preset time period $T_1$ ends, acquire file behavior information of a plurality of file behaviors performed by the file to be detected to obtain a first file behavior information set $Q = (Q_1, Q_2, \ldots, Q_i, \ldots, Q_n)$; wherein $i = 1, 2, \ldots, n$; $n$ is the number of file behaviors performed by the file to be detected within $T_1$; $Q_i$ is the file behavior information of the $i$-th file behavior performed by the file to be detected within $T_1$; $T_1 = [t_{11}, t_{12}]$; $t_{11} < t_{12}$; $t_{11}$ is the start time corresponding to $T_1$, and $t_{11}$ is not earlier than the time at which the file to be detected is received; $t_{12}$ is the deadline corresponding to $T_1$; if a plurality of target associated files having an association relationship with the file to be detected are detected within $T_1$, then after $T_1$ ends, acquire file behavior information of the plurality of target associated files to obtain a second file behavior information set $R = (R_1, R_2, \ldots, R_g, \ldots, R_h)$; $R_g = (R_{g1}, R_{g2}, \ldots, R_{gk}, \ldots, R_{gf(g)})$; wherein $g = 1, 2, \ldots, h$; $k = 1, 2, \ldots, f(g)$; $h$ is the number of target associated files; $f(g)$ is the number of pieces of file behavior information performed by the $g$-th target associated file within $T_1$; $R_g$ is the file behavior information list corresponding to the $g$-th target associated file; $R_{gk}$ is the $k$-th piece of file behavior information performed by the $g$-th target associated file within $T_1$; the file behaviors corresponding to the plurality of pieces of file behavior information in the first file behavior information set are continuous file behaviors performed by the file to be detected within the first preset time period $T_1$; the file behaviors corresponding to the plurality of pieces of file behavior information in each file behavior information list of the second file behavior information set are continuous file behaviors performed, within the first preset time period $T_1$, by the target associated file corresponding to that file behavior information list;
a vector determination module, configured to determine a target behavior vector $E = (E_1, E_2, \ldots, E_a, \ldots, E_b)$ of the file to be detected according to $Q$; $E_a$ is the behavior feature in $E$ corresponding to the $a$-th piece of target malicious behavior information; $E_a = 1$ indicates that the file to be detected performed the target malicious behavior corresponding to $E_a$ during $T_1$; $E_a = 0$ indicates that the file to be detected did not perform the target malicious behavior corresponding to $E_a$ during $T_1$; determine the associated behavior vector $M_1, M_2, \ldots, M_g, \ldots, M_h$ of each target associated file according to $R$; wherein the associated behavior vector $M_g$ corresponding to the $g$-th target associated file is obtained according to $R_g$; and determine a fusion behavior vector according to $E, M_1, M_2, \ldots, M_g, \ldots, M_h$;
an identifier determination module, configured to input the target behavior vector $E$ into a target model to obtain a corresponding target file identifier; the target model is obtained by training according to file behaviors of malicious sample files; the target file identifier is used to identify whether the file to be detected is a malicious file; and to input the fusion behavior vector into the target model to obtain a corresponding fusion file identifier;
a malicious judgment module, configured to determine the file to be detected as a malicious file when the target file identifier is a malicious file identifier, and to determine the file to be detected and each target associated file as malicious files when the fusion file identifier is a malicious file identifier.
8. A non-transitory computer readable storage medium having stored therein at least one instruction or at least one program, wherein the at least one instruction or the at least one program is loaded and executed by a processor to implement the method of any one of claims 1-6.
9. An electronic device comprising a processor and the non-transitory computer readable storage medium of claim 8.
CN202311131111.1A 2023-09-04 2023-09-04 Malicious detection method, device, equipment and medium based on sample behaviors Active CN116861429B (en)
Publications (2)

Publication Number Publication Date
CN116861429A CN116861429A (en) 2023-10-10
CN116861429B true CN116861429B (en) 2023-12-08
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant