Method and apparatus for determining exploit sample files

A technique for identifying exploit sample files, applied in the network field, that addresses problems such as the inability to effectively detect vulnerability exploit code.

Active Publication Date: 2022-05-20
TENCENT TECH (SHENZHEN) CO LTD

AI Technical Summary

Problems solved by technology

[0008] Embodiments of the present invention provide a method and device for determining exploit sample files, to at least solve the technical problem that existing exploit sample detection cannot effectively detect mutated and obfuscated exploit code and is severely limited against some unknown exploit samples.


Examples


Embodiment 1

[0053] According to an embodiment of the present invention, a method embodiment for determining an exploit sample file is also provided. It should be noted that the steps shown in the flowcharts of the accompanying drawings can be executed in a computer system, for example as a set of computer-executable instructions, and that, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in a different order.

[0054] The method embodiment provided in Embodiment 1 of the present application may be executed in a mobile terminal, a computer terminal, or a similar computing device. Figure 1 shows a block diagram of the hardware structure of a computer terminal (or mobile device) for implementing the method for determining an exploit sample file. As shown in Figure 1, the computer terminal 10 (or mobile device 10) may include one or more (shown by 102a, 102b, ..., 102n i...

Embodiment 2

[0114] As shown in Figure 6, an embodiment of the present disclosure also provides a device 50 for determining an exploit sample file; the device 50 corresponds to the method described in Embodiment 1. The device 50 includes: a collection module 51, configured to, in response to a detected exploit behavior, search for suspicious files related to the exploit behavior within a predetermined time before the exploit behavior; an analysis module 52, configured to analyze the behavior chain associated with the suspicious file, wherein the behavior chain includes a collection of behaviors associated with the suspicious file; and a determining module 53, configured to determine, from the suspicious files, the exploit sample file that triggers the exploit behavior.

[0115] Further, the analysis module 52 includes: a file information determination module, configured to determine the file information associated with the suspicious ...

Embodiment 3

[0121] As shown in Figure 7, this embodiment also provides a device 60 for determining an exploit sample file; the device 60 corresponds to the method described in Embodiment 1.

[0122] As shown in Figure 7, the device 60 includes: a processor 62; and a memory 61, connected to the processor 62 and used to provide the processor 62 with instructions for the following processing steps: in response to a detected exploit behavior, searching for suspicious files related to the exploit behavior within a predetermined time before the behavior; based on the suspicious files found, analyzing a behavior chain associated with the suspicious files, wherein the behavior chain includes a collection of behaviors associated with the suspicious files; and, based on the result of analyzing the behavior chain, identifying the suspicious file as the exploit sample file that triggers the exploit behavior.

[0123] Optionally, the operati...


Abstract

The invention discloses a method and a device for determining exploit sample files. The method includes: in response to a detected exploit behavior, searching for suspicious files related to the exploit behavior within a predetermined time before the exploit behavior; analyzing a behavior chain associated with the suspicious file, wherein the behavior chain includes a collection of behaviors associated with the suspicious file; and, based on the result of analyzing the behavior chain, determining from the suspicious files the exploit sample file that triggers the exploit behavior. The invention solves the technical problem that existing exploit sample detection cannot effectively detect mutated and obfuscated exploit code and is severely limited against some unknown exploit samples.
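The three steps in the abstract, as an added example that is not taken from the patent. The event format, the 60-second window, and the rule that a file is the sample when its behavior chain reaches the alerting process are all assumptions, and the telemetry is constructed.

```python
WINDOW = 60.0  # assumed value for the "predetermined time", in seconds

# Constructed telemetry: (timestamp, pid, parent pid, action, object)
EVENTS = [
    (900.0, 300, 1, "file_open", "/home/u/old_notes.txt"),  # outside the window
    (950.0, 410, 1, "file_create", "/tmp/invoice.doc"),
    (955.0, 420, 1, "file_open", "/tmp/invoice.doc"),
    (960.0, 500, 1, "file_open", "/home/u/report.pdf"),
    (970.0, 421, 420, "proc_start", "child of document viewer"),
    (980.0, 421, 420, "net_connect", "203.0.113.7:443"),
]
ALERT = {"ts": 1000.0, "pid": 421}  # constructed exploit-behavior alert


def suspicious_files(events, alert, window=WINDOW):
    """Step 1: files touched within `window` seconds before the alert."""
    lo = alert["ts"] - window
    return sorted({obj for ts, _, _, act, obj in events
                   if act.startswith("file_") and lo <= ts <= alert["ts"]})


def behavior_chain(events, path):
    """Step 2: behaviors of processes that touched `path`, from the moment
    they touched it, plus behaviors of the processes they spawned."""
    pids, chain = set(), []
    for ev in sorted(events):  # chronological order
        _, pid, ppid, act, obj = ev
        if act.startswith("file_") and obj == path:
            pids.add(pid)
        elif ppid in pids:
            pids.add(pid)
        if pid in pids:
            chain.append(ev)
    return chain


def exploit_samples(events, alert):
    """Step 3 (assumed rule): keep the suspicious files whose behavior chain
    contains the process in which the exploit behavior was detected."""
    result = {}
    for path in suspicious_files(events, alert):
        chain = behavior_chain(events, path)
        if any(pid == alert["pid"] for _, pid, _, _, _ in chain):
            result[path] = chain
    return result
```

Both `/tmp/invoice.doc` and `/home/u/report.pdf` fall inside the window, but only the first has a chain that leads to the alerting process, so it alone is reported.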

Description

Technical field

[0001] The present invention relates to the field of network technology, in particular to a method and device for determining an exploit sample file.

Background

[0002] The commonly used vulnerability detection methods are currently based mainly on the binary features of known exploit code. There are three main types: vulnerability feature-based detection, exploit feature-based detection, and attack feature-based detection.

[0003] 1) Detection based on vulnerability features: after understanding the means and technical details of vulnerability exploitation behaviors, study the necessary conditions for triggering attacks and derive the corresponding identification rules, such as buffer overflow detection, directory traversal detection, remote command injection detection, remote file inclusion detection, etc.;

[0004] 2) Detection based on exploit features: analyze unique features from the exploit program a...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): G06F21/57
CPC: G06F21/577
Inventor 王健程虎王容强蒋洪伟
Owner TENCENT TECH (SHENZHEN) CO LTD