Server malicious program detection method based on code characteristics and flow behaviors

A malicious program detection method, applied in the field of malicious program detection, that addresses the incomplete coverage of regular-expression matching, its false negatives and false positives, and server backdoor programs that go undetected, with the effect of improving detection efficiency and accuracy.

Inactive Publication Date: 2021-03-16
SICHUAN CHANGHONG ELECTRIC CO LTD

AI Technical Summary

Problems solved by technology

[0004] 1. Static detection: Traditional static detection is based on matching against a feature database. Matching on characteristic strings is generally implemented with regular expressions, whose coverage is incomplete, which causes a certain rate of false positives and false negatives; attackers can also easily evade this type of detection through obfuscation.
[0005] 2. Dynamic detection: The characteristics shown when an attacker executes a server backdoor program file after it has been uploaded to the server are called dynamic features. Only the act of uploading or accessing the backdoor program can be detected; backdoor programs that already exist on the website but have not yet been used cannot be detected, and there are again a certain number of false negatives and false positives.
[0006] To sum up: existing server backdoor program detection methods have incomplete coverage, high false positive and false negative rates, and cannot detect unknown server backdoor programs.



Examples


Embodiment 1

[0043] As shown in figure 1, a server-side malicious program detection method based on code features and traffic behavior combines code features with malicious traffic behavior: it first extracts code features and traffic behavior, then uses the Relief algorithm to optimize the features and combine them into a new feature set, and finally uses a decision tree to learn and train a server-side backdoor program detection model, detect server-side backdoor programs, and output the results. The technical solution includes the following:

[0044] 1. Information collection: Collect the backdoor program samples shared by open source communities at home and abroad, extract function features and hash values, and establish a malicious program sample library.

[0045] 2. Feature extraction: Build the simulation environment required for backdoor program file communication, use a simulated client to communicate with the backdoor program, use Wireshark to capture ...

Embodiment 2

[0052] As shown in figure 1, a server-side malicious program detection method based on code characteristics and traffic behavior includes:

[0053] 1. Collect server-side backdoor program samples;

[0054] Server backdoor program sample collection: Under normal circumstances there are relatively few server backdoor program samples. They can be collected, and static rules matched, by sorting through the malicious sample libraries uploaded to communities such as GitHub.

[0055] 2. Extract code features: Extract the code features of the backdoor program samples obtained from public platforms.

[0056] Code features: Mainly the longest string length, the file's index of coincidence (rendered on the page as file overlap index), the file compression ratio, the proportion of non-alphanumeric characters, and the proportion of high-risk functions (command execution, file read/write, and encryption/decryption related functions). These are used as input features and form the sample set S1.

[0057] 3. Extract traffic behavior: Simulate the operatin...
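The following Python block is an added illustration of steps [0056] and [0043] above; it is not code from the patent or from Sichuan Changhong. It computes the five code features for a handful of constructed PHP snippets (the "suspicious" ones carry only filler text in their encoded strings and are not working backdoors), builds the sample set S1, and then ranks the features with the Relief algorithm. The precise feature definitions (longest whitespace-separated token, index of coincidence over characters, zlib compression ratio, non-alphanumeric ratio, share of calls to a hand-picked HIGH_RISK name list) and the sample texts are assumptions made for the example.

```python
"""Code-feature extraction for server-side backdoor (webshell) samples, using
the five features of paragraph [0056], followed by Relief feature weighting as
in [0043].  Added example, not the patent's implementation: the exact feature
definitions, the HIGH_RISK name list and the sample snippets are assumptions."""
import re
import zlib
from collections import Counter

# Assumed high-risk call names, grouped as the patent describes: command
# execution, file read/write, and encoding/decoding helpers.
HIGH_RISK = {
    "eval", "system", "exec", "shell_exec", "passthru", "popen", "proc_open",
    "fopen", "fwrite", "file_put_contents", "unlink",
    "base64_decode", "gzinflate", "str_rot13", "openssl_decrypt",
}
FEATURES = ["longest_token", "ioc", "compression_ratio",
            "nonalnum_ratio", "high_risk_ratio"]

# Constructed PHP snippets; they are only analysed as text, never executed.
# The encoded strings in the suspicious samples are filler, not payloads.
BENIGN = [
    '<?php\nfunction greet($name) {\n    return "Hello, " . htmlspecialchars($name);\n}\necho greet("world");\n',
    '<?php\n$items = array("apple", "pear");\nforeach ($items as $i) {\n    echo strtoupper($i) . "\\n";\n}\n',
]
SUSPICIOUS = [
    '<?php $p="Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MGFiY2RlZmdoaWprbG1ub3A=";echo gzinflate(base64_decode($p));',
    '<?php $k=str_rot13("svyyre");$d=base64_decode("ZmlsbGVy");echo gzinflate($d.$k);',
]


def extract_features(src: str) -> dict:
    """Return the [0056]-style feature vector for one file's text."""
    n = len(src)
    tokens = src.split()
    longest = max((len(t) for t in tokens), default=0)
    # Index of coincidence: chance that two characters drawn at random are
    # equal; encoded or encrypted payloads look near-uniform and pull it down.
    counts = Counter(src)
    ioc = (sum(c * (c - 1) for c in counts.values()) / (n * (n - 1))) if n > 1 else 0.0
    raw = src.encode()
    compression_ratio = len(zlib.compress(raw)) / len(raw) if raw else 0.0
    nonalnum = sum(1 for ch in src if not ch.isalnum() and not ch.isspace()) / n if n else 0.0
    # Crude call detection: an identifier directly followed by "(".
    calls = re.findall(r"\b([A-Za-z_]\w*)\s*\(", src)
    risky = sum(1 for c in calls if c.lower() in HIGH_RISK)
    high_risk_ratio = risky / len(calls) if calls else 0.0
    return dict(zip(FEATURES, [longest, ioc, compression_ratio, nonalnum, high_risk_ratio]))


def relief_weights(vectors, labels):
    """Deterministic Relief (Kira & Rendell): for every instance take its nearest
    hit (same label) and nearest miss (other label) under Manhattan distance on
    range-normalised features; a feature gains weight when it separates the
    instance from its miss more than from its hit."""
    m = len(vectors)
    lo = {f: min(v[f] for v in vectors) for f in FEATURES}
    rng = {f: (max(v[f] for v in vectors) - lo[f]) or 1.0 for f in FEATURES}
    norm = [{f: (v[f] - lo[f]) / rng[f] for f in FEATURES} for v in vectors]

    def dist(a, b):
        return sum(abs(a[f] - b[f]) for f in FEATURES)

    weights = dict.fromkeys(FEATURES, 0.0)
    for i, r in enumerate(norm):
        hits = [j for j in range(m) if j != i and labels[j] == labels[i]]
        misses = [j for j in range(m) if labels[j] != labels[i]]
        nh = norm[min(hits, key=lambda j: dist(r, norm[j]))]
        nm = norm[min(misses, key=lambda j: dist(r, norm[j]))]
        for f in FEATURES:
            weights[f] += (abs(r[f] - nm[f]) - abs(r[f] - nh[f])) / m
    return weights


def rank_features():
    """Build sample set S1 from the constructed snippets (label 0 = benign,
    1 = suspicious) and return features ordered by Relief weight, best first."""
    vectors = [extract_features(s) for s in BENIGN + SUSPICIOUS]
    labels = [0] * len(BENIGN) + [1] * len(SUSPICIOUS)
    weights = relief_weights(vectors, labels)
    return sorted(weights.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for name, w in rank_features():
        print(f"{name:18s} {w:+.3f}")
```

With these four samples the high-risk call proportion separates the two classes perfectly, so Relief assigns it the maximum weight of 1.0 and it heads the ranking; on a real corpus the weights of the remaining features decide which ones are worth keeping in the reduced feature set that the decision tree of [0043] is then trained on.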


Abstract

The invention discloses a server malicious program detection method based on code characteristics and flow behaviors, which comprises the following steps: collecting server backdoor program samples, extracting function characteristics, taking a hash value, and establishing a malicious program sample library; extracting code features and flow behavior vectors; performing feature optimization to obtain a new feature set; feature training: taking the new feature set as the training sample set, taking the labeling result as the expected output, and training a classifier; and comprehensive judgment: inputting the code characteristics and flow behaviors of the sample to be detected into the classifier, judging whether the sample is a malicious program, and outputting the result. According to the invention, the efficiency and accuracy of server backdoor program detection are improved.

Description

Technical field

[0001] The invention relates to the technical field of malicious program detection, in particular to a server-side malicious program detection method based on code features and traffic behavior.

Background technique

[0002] As the confrontation between attackers and defenders continues, server backdoor programs, which in the past were mainly script files such as asp, jsp and php (also called web page backdoor programs), have been joined by fileless attack schemes based on PowerShell, bash files, ELF, exe and other binary executable programs, which are quietly becoming popular. After an attacker exploits a vulnerability to gain control of the server, he usually places the server backdoor program file alongside the normal script files in the web directory of the website server, then uses a browser to access the server backdoor program file and obtain a command execution environment from it, a...


Application Information

Patent Type & Authority: Applications (China)
IPC (8): G06F21/56
CPC: G06F21/566
Inventor: 张攀李逸萧武军成
Owner: SICHUAN CHANGHONG ELECTRIC CO LTD