Trojan detection method and device, electronic equipment, medium and program product
By acquiring the deserialized instruction text sequence of a deep learning model and constructing risk analysis prompts, and then interacting with a Trojan detection model, the problem of difficulty in identifying complex Trojan behaviors in existing technologies is solved. This achieves efficient and low-cost model detection, improving detection accuracy and real-time performance.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- INDUSTRIAL AND COMMERCIAL BANK OF CHINA
- Filing Date
- 2025-08-15
- Publication Date
- 2026-06-02
Smart Images

Figure CN122133141A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the fields of big data technology and artificial intelligence technology, specifically to the application of large models in information security and fintech, and more specifically to a Trojan detection method, device, equipment, medium and program product. Background Technology
[0002] With the widespread application of artificial intelligence technology, the demand for deep learning models in the financial industry continues to grow. Due to high model training costs and long development cycles, financial institutions generally adopt a method of importing pre-trained models from external sources and fine-tuning them. However, pre-trained models pose security risks during distribution and loading. Attackers can exploit security vulnerabilities in the serialization protocols of deep learning frameworks to embed malicious instructions into model files, creating Trojans. Once such model files are loaded, they may inadvertently trigger security events such as arbitrary code execution and sensitive file reading, posing a potential threat to business systems.
[0003] Currently, traditional Trojan detection methods mostly rely on regular expression matching rules to achieve feature recognition. However, due to limitations in expressive power and contextual understanding, they struggle to effectively detect complex or mutated malicious instructions. Furthermore, the maintenance and updating costs of regular expression rules are high, failing to meet the financial industry's requirements for high reliability and accuracy in model supply chain security. Summary of the Invention
[0004] In view of the above problems, this application provides methods, apparatus, equipment, media and program products for Trojan detection.
[0005] According to a first aspect of this application, a Trojan detection method is provided, the method comprising: acquiring a target model file; obtaining a deserialized instruction text sequence based on the target model file; constructing risk analysis prompts based on the deserialized instruction text sequence using an instruction analysis agent; interacting with a Trojan detection model using the instruction analysis agent based on the deserialized instruction text sequence and the risk analysis prompts to obtain a risk discrimination result; and generating a Trojan detection result for the target model file based on the risk discrimination result.
[0006] According to an embodiment of this application, the training process of the Trojan detection model includes at least one of the following: fine-tuning a pre-trained language model based on multi-source training corpus, wherein the multi-source training corpus includes historical deserialization instruction samples, and at least one of Trojan injection behavior samples, open-source model samples of injected Trojans, and actual attack logs; fine-tuning a pre-trained language model based on training corpus containing risk behavior labels, wherein the risk behavior labels include at least one of command execution, file access, environment variable invocation, and network reconnection behavior.
[0007] According to an embodiment of this application, the interaction between the instruction analysis agent and the Trojan detection model based on the deserialized instruction text sequence and the risk analysis prompt includes: for each deserialized instruction text sequence, the instruction analysis agent interacts with the Trojan detection model for the first time based on the risk analysis prompt to obtain a risk discrimination label, wherein the risk discrimination label includes at least a risk level and a corresponding discrimination value; and in response to the discrimination value not meeting a preset condition, the instruction analysis agent and the Trojan detection model are triggered to perform an Nth interaction until the discrimination value meets the preset condition, where N is a positive integer greater than 1.
[0008] According to an embodiment of this application, obtaining the risk discrimination result includes: in response to the discrimination value meeting a preset condition, obtaining a target risk discrimination label, wherein the target risk discrimination label includes the risk level, and at least one of risk category, risk source, and discrimination reason summary; generating natural language text to explain the risk discrimination logic based on the target risk discrimination label; and associating the target risk discrimination label with the natural language text to obtain a target risk discrimination result for each deserialization instruction text sequence.
[0009] According to an embodiment of this application, obtaining a deserialization instruction text sequence based on the target model file includes: identifying and disassembling the structure of the target model file to extract deserialization instruction information; identifying the serialization protocol type of the deserialization instruction information; parsing the binary data in the deserialization instruction information based on the serialization protocol type; and converting the binary data into the deserialization instruction text sequence.
[0010] According to an embodiment of this application, the step of constructing risk analysis prompts based on the deserialized instruction text sequence using an instruction analysis agent includes: identifying the contextual semantic information of the deserialized instruction text sequence; extracting prompt factors based on the contextual semantic information; determining the model framework type of the target model file; and constructing the risk analysis prompts based on the prompt factors and the model framework type, wherein the risk analysis prompts include at least one of instruction context summary, risk concern tags, and execution intent statements.
[0011] According to an embodiment of this application, the method further includes: during the Nth interaction, the instruction analysis agent adjusts the risk analysis prompt word according to the risk discrimination label of the N-1th interaction, wherein the adjustment includes adding the context of the preceding and following instructions, introducing risk explanation summary information, and modifying the task instruction objective.
[0012] According to an embodiment of this application, the method further includes: obtaining a corresponding target risk discrimination result in response to the discrimination value of each deserialization instruction text sequence in the target model file meeting a preset condition; and aggregating multiple target risk discrimination results to obtain the risk discrimination result.
[0013] A second aspect of this application provides a Trojan detection device, the device comprising: a file acquisition module, configured to: acquire a target model file and obtain a deserialized instruction text sequence based on the target model file; a prompt word construction module, configured to: construct risk analysis prompt words based on the deserialized instruction text sequence using an instruction analysis agent; a risk discrimination module, configured to: interact with a Trojan detection model using the instruction analysis agent based on the deserialized instruction text sequence and the risk analysis prompt words to obtain a risk discrimination result; and a Trojan detection module, configured to: generate a Trojan detection result for the target model file based on the risk discrimination result.
[0014] According to embodiments of this application, the file acquisition module can also be used to identify and disassemble the structure of the target model file, extract deserialization instruction information; identify the serialization protocol type of the deserialization instruction information, parse the binary data in the deserialization instruction information based on the serialization protocol type; and convert the binary data into the deserialization instruction text sequence.
[0015] According to embodiments of this application, the prompt word construction module can also be used to identify the contextual semantic information of the deserialized instruction text sequence, extract prompt factors based on the contextual semantic information; determine the model frame type of the target model file; and construct the risk analysis prompt words based on the prompt factors and the model frame type, wherein the risk analysis prompt words include at least one of instruction context summary, risk concern tags, and execution intent statements.
[0016] According to an embodiment of this application, the risk discrimination module can also be used to, for each deserialized instruction text sequence, utilize the instruction analysis agent to perform a first interaction with the Trojan detection model based on the risk analysis prompt words to obtain a risk discrimination label, wherein the risk discrimination label includes at least a risk level and a corresponding discrimination value; and in response to the discrimination value not meeting a preset condition, trigger the instruction analysis agent and the Trojan detection model to perform an Nth interaction until the risk level meets the preset condition, where N is a positive integer greater than 1.
[0017] According to embodiments of this application, the risk discrimination module can also be used to obtain a target risk discrimination label in response to the discrimination value meeting preset conditions. The target risk discrimination label includes the risk level, and at least one of risk category, risk source, and discrimination reason summary; generate natural language text to explain the risk discrimination logic based on the target risk discrimination label; and associate the target risk discrimination label with the natural language text to obtain a target risk discrimination result for each deserialization instruction text sequence.
[0018] According to an embodiment of this application, the risk discrimination module can also be used to adjust the risk analysis prompt words based on the risk discrimination label of the N-1th interaction during the Nth interaction. The adjustment includes at least one of adding the context of the preceding and following instructions, introducing risk explanation summary information, and modifying the task instruction objective.
[0019] According to embodiments of this application, the risk discrimination module can also be used to obtain the corresponding target risk discrimination result in response to the discrimination value of each deserialization instruction text sequence in the target model file meeting a preset condition; and to aggregate multiple target risk discrimination results to obtain the risk discrimination result.
[0020] According to embodiments of this application, the Trojan detection device may further include a training module. The training module can be used to fine-tune a pre-trained language model based on multi-source training corpora, wherein the multi-source training corpora include historical deserialization instruction samples, and at least one of Trojan injection behavior samples, open-source model samples of injected Trojans, and actual attack logs; and to fine-tune the pre-trained language model based on training corpora containing risk behavior labels, wherein the risk behavior labels include at least one of command execution, file access, environment variable invocation, and network reconnection behavior.
[0021] A fourth aspect of this application also provides a computer-readable storage medium having a computer program or instructions stored thereon, which, when executed by a processor, implement the steps of the above-described method.
[0022] The fifth aspect of this application also provides a computer program product, including a computer program or instructions that, when executed by a processor, implement the steps of the above-described method.
[0023] According to the embodiments of this application, by statically extracting deserialization instructions from model files and constructing semantic prompts, high-resource-intensive operations such as actual model loading and sandbox execution are avoided, making the overall detection process more lightweight. This is suitable for rapid screening scenarios before large-scale model storage, reducing operation and maintenance and resource costs. At the same time, through the collaborative interaction between the intelligent agent and the large language model, complex Trojan behaviors such as structural variations, contextual confusion, or indirect calls can be identified, improving the detection accuracy of unknown threats and variant attacks, and facilitating the realization of a more real-time and responsive automated detection process. Attached Figure Description
[0024] The above-mentioned contents, other objects, features and advantages of this application will become clearer from the following description of embodiments with reference to the accompanying drawings, in which:
[0025] Figure 1 The illustrations depict application scenarios of the Trojan detection method, apparatus, device, medium, and program products according to embodiments of this application.
[0026] Figure 2 A flowchart illustrating a Trojan detection method according to an embodiment of this application is shown schematically.
[0027] Figure 3 The flowchart schematically illustrates a method for fine-tuning a Trojan detection model according to some exemplary embodiments of this application;
[0028] Figure 4 A flowchart illustrating a method for obtaining risk assessment results according to some exemplary embodiments of this application is shown schematically;
[0029] Figure 5 A schematic diagram illustrating the structure of a Trojan detection device according to an embodiment of this application is shown; and
[0030] Figure 6 A block diagram schematically illustrates an electronic device suitable for implementing a Trojan detection method according to an embodiment of this application. Detailed Implementation
[0031] The embodiments of this application will now be described with reference to the accompanying drawings. However, it should be understood that these descriptions are exemplary only and are not intended to limit the scope of this application. In the following detailed description, numerous specific details are set forth to provide a thorough understanding of the embodiments of this application for ease of explanation. However, it will be apparent that one or more embodiments may be implemented without these specific details. Furthermore, descriptions of well-known structures and technologies are omitted in the following description to avoid unnecessarily obscuring the concepts of this application.
[0032] The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the scope of this application. The terms “comprising,” “including,” etc., as used herein indicate the presence of the stated features, steps, operations, and / or components, but do not exclude the presence or addition of one or more other features, steps, operations, or components.
[0033] All terms used herein (including technical and scientific terms) have the meanings commonly understood by those skilled in the art, unless otherwise defined. It should be noted that the terms used herein are to be interpreted in a manner consistent with the context of this specification, and not in an idealized or overly rigid way.
[0034] When using expressions such as "at least one of A, B and C", they should generally be interpreted in accordance with the meaning that is commonly understood by those skilled in the art (e.g., "a system having at least one of A, B and C" should include, but is not limited to, a system having A alone, a system having B alone, a system having C alone, a system having A and B, a system having A and C, a system having B and C, and / or a system having A, B and C, etc.).
[0035] First, the technical terms used in this article are explained and clarified as follows.
[0036] Deserialization instructions are executable code segments or sequences of operations nested within deep learning model files and invoked during the model loading process (deserialization) to reconstruct the model structure and parameter objects. They are not the model weight data itself, but rather executable instructions or structured object definition information that guide the model framework to reconstruct the computation graph, construct variables, and perform initialization operations during loading. They are typically contained within the serialized structure of the model file.
[0037] With the increasing penetration of artificial intelligence technology in the financial industry, deep learning models are widely used in several key business scenarios, such as intelligent risk control, credit assessment, fraud detection, and customer profiling. Because financial operations place high demands on the real-time performance, accuracy, and generalization ability of models, the development cycle and cost have become key factors restricting their widespread adoption. To accelerate the development process and reduce resource consumption, financial institutions generally adopt a strategy of introducing pre-trained models provided by open-source communities or third-party platforms, and then fine-tuning them in conjunction with their own business data.
[0038] However, while the use of pre-trained models brings convenience, it also introduces new security risks. In current mainstream deep learning frameworks, model parameters and structures are typically saved and loaded using specific serialization protocols. Attackers can exploit security vulnerabilities in the parsing mechanism of these protocols during model file loading to implant malicious instructions into the model file, creating a model trojan. When the corrupted model file is loaded into the target system, it may execute illegal code in a non-explicit manner during model initialization, loading, or invocation, triggering high-risk behaviors such as arbitrary code execution, system command issuance, sensitive file reading and writing, and network reconnection, causing serious consequences such as business interruption or data leakage.
[0039] Especially in the financial industry, model deployment environments are often highly coupled with core systems, involving highly sensitive data such as user identity, fund flows, and account status. Once a Trojan model is introduced, attackers may be able to bypass traditional external protection mechanisms and directly achieve privilege escalation and system manipulation within the model's execution path. This poses a wide-ranging threat, is highly concealed, and is difficult to trace. Therefore, model supply chain security is a key issue that the financial industry needs to focus on.
[0040] Currently, mainstream model-based Trojan detection technologies mainly rely on rule-based matching methods based on static features, such as using regular expressions to identify key instructions, dangerous function calls, and abnormal coding structures in model files. However, this type of method has the following limitations: First, regular expression matching lacks the ability to understand the semantics and contextual logic of instructions, making it difficult to effectively identify malicious instructions that have been mutated through obfuscation, packing, and rearrangement. Second, the detection capability is heavily dependent on predefined rules, resulting in insufficient detection capability for unknown Trojan samples. In addition, the maintenance and updating of rules must be done manually, making it difficult to adapt to the pressure of strategy updates brought about by the rapid evolution of attack methods, and lacking stability and scalability in the long run.
[0041] Based on this, embodiments of this application provide a Trojan detection method, including: acquiring a target model file; obtaining a deserialized instruction text sequence based on the target model file; constructing risk analysis prompts based on the deserialized instruction text sequence using an instruction analysis agent; interacting with a Trojan detection model using the instruction analysis agent based on the deserialized instruction text sequence and the risk analysis prompts to obtain a risk discrimination result; and generating a Trojan detection result for the target model file based on the risk discrimination result. According to embodiments of this application, by statically extracting deserialized instructions from the model file and constructing semantic prompts, high-resource-intensive operations such as actual model loading and sandbox execution are avoided, resulting in a lighter overall detection process. This is suitable for rapid screening scenarios before large-scale model storage, reducing operation and maintenance and resource costs. Simultaneously, through the collaborative interaction between the agent and a large language model, complex Trojan behaviors such as structural variations, contextual obfuscation, or indirect calls can be identified, improving the detection accuracy of unknown threats and variant attacks, and facilitating a more real-time and responsive automated detection process.
[0042] It should be noted that the Trojan detection methods, devices, equipment, media, and program products defined in this application specifically relate to the application of large-scale models in the fields of information security and fintech. They can be used in the fields of big data technology and artificial intelligence technology, as well as in the fintech field, and in various other fields besides big data technology, artificial intelligence technology, and fintech. The application fields of the Trojan detection methods, devices, equipment, media, and program products provided in the embodiments of this application are not limited.
[0043] In the technical solution of this application, the user information (including but not limited to user personal information, user image information, user device information, such as location information) and data (including but not limited to data used for analysis, stored data, and displayed data) involved are all information and data authorized by the user or fully authorized by all parties. Furthermore, the collection, storage, use, processing, transmission, provision, disclosure, and application of related data all comply with relevant laws, regulations, and standards, take necessary confidentiality measures, do not violate public order and good morals, and provide corresponding operation entry points for users to choose to authorize or refuse.
[0044] In scenarios involving automated decision-making using personal information, the methods, devices, and systems provided in this application all offer users corresponding entry points for choosing to agree to or reject the automated decision-making results. If the user chooses to reject, the process proceeds to the expert decision-making stage. Here, "automated decision-making" refers to the activity of automatically analyzing and evaluating an individual's behavioral habits, interests, or economic, health, and credit status through computer programs, and then making a decision. Here, "expert decision-making" refers to the activity of making decisions by personnel who specialize in a particular field, possess specialized experience, knowledge, and skills, and have reached a certain level of professional expertise.
[0045] Figure 1 The illustration shows an application scenario of the Trojan detection method, apparatus, device, medium, and program product according to embodiments of this application.
[0046] like Figure 1 As shown, application scenario 100 according to this embodiment may include a first terminal device 101, a second terminal device 102, a third terminal device 103, a network 104, and a server 105. The network 104 serves as a medium for providing a communication link between the first terminal device 101, the second terminal device 102, the third terminal device 103, and the server 105. The network 104 may include various connection types, such as wired or wireless communication links, or fiber optic cables, etc.
[0047] Users can use the first terminal device 101, the second terminal device 102, and the third terminal device 103 to interact with the server 105 via the network 104 to receive or send messages, etc. Various communication client applications can be installed on the first terminal device 101, the second terminal device 102, and the third terminal device 103, such as shopping applications, web browser applications, search applications, instant messaging tools, email clients, social media platform software, etc. (for example only).
[0048] The first terminal device 101, the second terminal device 102, and the third terminal device 103 can be various electronic devices with displays and support web browsing, including but not limited to smartphones, tablets, laptops, and desktop computers.
[0049] Server 105 can be a server that provides various services, such as a backend management server that supports websites browsed by users using the first terminal device 101, the second terminal device 102, and the third terminal device 103 (this is just an example). The backend management server can analyze and process data such as received user requests, and feed back the processing results (such as web pages, information, or data obtained or generated according to user requests) to the terminal devices.
[0050] It should be noted that the Trojan detection method provided in this application embodiment can generally be executed by server 105. Correspondingly, the Trojan detection device provided in this application embodiment can generally be located in server 105. The Trojan detection method provided in this application embodiment can also be executed by a server or server cluster that is different from server 105 and capable of communicating with the first terminal device 101, the second terminal device 102, the third terminal device 103, and / or server 105. Correspondingly, the Trojan detection device provided in this application embodiment can also be located in a server or server cluster that is different from server 105 and capable of communicating with the first terminal device 101, the second terminal device 102, the third terminal device 103, and / or server 105.
[0051] It should be understood that Figure 1 The number of terminal devices, networks, and servers shown is merely illustrative. Depending on implementation needs, any number of terminal devices, networks, and servers can be included.
[0052] The following will be based on Figure 1 The described scene, through Figures 2-4 The Trojan detection method of the disclosed embodiments is described in detail.
[0053] Figure 2 A flowchart illustrating a Trojan detection method according to an embodiment of this application is shown.
[0054] like Figure 2 As shown, the Trojan detection method 200 of this embodiment includes operations S210 to S240.
[0055] In operation S210, a target model file is obtained, and a deserialization instruction text sequence is obtained based on the target model file.
[0056] In the embodiments of this application, the operation of obtaining the target model file and extracting the deserialized instruction text sequence from it can construct textual instruction inputs that can be used for subsequent risk analysis without loading the model file. The target model file can be a model parameter file generated by any type of deep learning development platform, and its internal structure can include model building information, parameter configuration, instruction control logic, and auxiliary metadata.
[0057] After receiving the target model file submitted by the user, the system can identify its structure and determine the serialization protocol type used. Serialization protocol types can include general object serialization formats, custom structured model storage formats, or intermediate representation structures for graph computation. After identifying the file's serialization format, a parsing mechanism adapted to that protocol can be used to locate and extract control information segments related to the model construction process from the target model file; these segments contain instruction data used to reconstruct the computation graph structure, variable states, and module initialization processes.
[0058] To accommodate various possible model storage formats, a layered parsing strategy can be employed. For example, the structural meta-sections of the file can be identified first, the sub-sections containing control logic can be located, and content can be distinguished by combining field identifier information or binary header markers. Alternatively, the target model file can be logically decomposed, separating parameter segments, structural segments, and control instruction segments, and extracting the segment information containing deserialization behavior separately as the input to be tested.
[0059] After initial extraction, the control instructions can be reverse-parsed based on the identified serialization protocol type to extract semantically relevant information such as executable paths, key function call expressions, and object reconstruction logic. For model files represented using low-level languages or intermediate code, the system can first parse them into abstract syntactic structures or intermediate formats, and then further map them into deserialized instruction text sequences. These deserialized instruction text sequences can be presented as fragments of standard natural language or programming language, preserving sufficient semantic integrity for subsequent understanding and analysis by larger language models.
[0060] In some embodiments, to improve processing efficiency and adapt to a wide range of formats, the system may also pre-configure a set of model file structure templates. Using pattern matching or binary structure learning algorithms, it can perform speculative parsing of files with undefined formats, identify regions that may carry control logic, and attempt to reconstruct their logical structure. During this process, it must be ensured that all operations are completed without actually executing the model file to prevent the triggering of potential malicious code.
[0061] In operation S220, the instruction analysis agent constructs risk analysis prompts based on the deserialized instruction text sequence.
[0062] In the embodiments of this application, the instruction analysis agent has the ability to perform structured parsing and semantic understanding, and can identify and abstract key elements in the deserialized instruction text.
[0063] For example, the instruction analysis agent can identify the type of instruction (such as module loading, function call, object restoration, etc.) and analyze its dependencies among preceding and following instructions, extracting contextual semantic information that may affect risk assessment. Combining this contextual semantic information, the instruction analysis agent can generate prompts describing the purpose of the instruction, such as "This instruction is used to restore an external module and execute its initialization logic" or "This path construction may depend on external input." These prompts not only enhance the large language model's ability to perceive risk intent but also improve the interpretability of the detection output.
[0064] For example, during the construction of risk analysis prompts, the instruction analysis agent can adapt to the semantic features of different model files. For instance, when the target object comes from a graph computation-driven model storage format, the risk analysis prompts might focus on control dependency paths and operator behavior descriptions; for object serialization-intensive files, the prompts might focus on the use of restoration functions, dynamic attribute calls, or built-in modules. To achieve this adaptability, a model framework type identifier can be introduced to assist the risk analysis prompt generation logic in adjusting the prompt structure and focus, thereby guiding the Trojan detection model to make more accurate semantic judgments.
[0065] For example, risk analysis prompts can support multi-granularity generation strategies. In the initial discrimination phase, the instruction analysis agent can construct a concise prompt structure centered on the instruction itself. When the risk level returned by the Trojan detection model is uncertain or has low confidence, the system can trigger a prompt upgrade process, automatically expanding the prompt content and adding richer context, known attack feature templates, or semantic guidance to enhance the discrimination effect of subsequent interactions. For instance, an original instruction "Construct object x" can be summarized in the initial prompt as "This instruction defines an object," while in the upgraded prompt, it might be expanded to "The object defined by this instruction contains a custom recovery function, which may trigger system command execution through the __***__ path."
[0066] In some embodiments, the prompt may also include explicit risk concern tags to prompt the Trojan detection model to focus on specific behavioral dimensions, such as "This instruction involves system path construction and may pose a path traversal risk" or "This instruction calls external network resources and may lead to information leakage," thereby not only improving the risk guidance capability of the instruction, but also facilitating subsequent structured output and report generation.
[0067] In operation S230, based on the deserialized instruction text sequence and the risk analysis prompt words, the instruction analysis agent interacts with the Trojan detection model to obtain the risk judgment result.
[0068] In the embodiments of this application, the instruction analysis agent is not only responsible for scheduling the processing flow of each instruction, but also for organizing the model input content according to the generated risk analysis prompts, guiding the Trojan detection model to focus on the key behavioral intentions and potential risk points of the instructions.
[0069] During the interaction, the instruction analysis agent can sequentially process the deserialized instruction text sequence in a step-by-step manner. For each instruction to be judged, the instruction analysis agent will combine the instruction and its corresponding risk analysis prompt as input pairs and submit them to the Trojan detection model for risk analysis. The Trojan detection model can be a large language model with semantic understanding capabilities. During the fine-tuning process, it has learned a large amount of data containing instruction execution semantics, attack sample patterns, and malicious behavior characteristics. Therefore, it can identify risky behaviors related to command execution, sensitive path access, environment variable invocation, and dynamic code construction from the input content.
[0070] For example, the instruction analysis agent might construct the following interactive content for a given instruction: "Please analyze whether the following deserialization instruction has a security risk: 'Restore object and set attribute value __***__'. This instruction is located in the core section of the model construction logic, and the above text contains environment variable loading behavior." Based on this content, the Trojan detection model can generate a structured discrimination output, such as "Risk Level: Medium". After receiving this discrimination result, the instruction analysis agent can use it as the corresponding risk discrimination result and decide whether to trigger further interaction.
[0071] For instruction sequences with complex structures or covert behaviors, the instruction analysis agent can also organize interactions at the instruction group level, merging multiple context-related instructions into a single analysis segment, and prompting the Trojan detection model to identify whether it constitutes a combined attack chain or behavioral path. For example, a continuous instruction segment containing path concatenation, file opening, and anomaly masking may collectively constitute file operation-type Trojan logic. The instruction analysis agent can construct a prompt such as: "The following instructions constitute a continuous operation sequence; is there any path abuse or sensitive resource access behavior?"
[0072] It should be noted that in actual deployment, the interaction between the instruction analysis agent and the Trojan detection model can be conducted via local API calls or within a secure sandbox, ensuring that no instruction body in the model file is executed, thus achieving highly secure static risk analysis. Simultaneously, the risk labels and explanatory information output by the model during the interaction process can be collected in a structured manner for subsequent report generation, rule learning, or feedback training.
[0073] In operation S240, a Trojan detection result is generated for the target model file based on the risk discrimination result.
[0074] After risk assessment is completed, the system can obtain the risk assessment results corresponding to each deserialized instruction text sequence in the target model file. Each result can include, for example, risk level (e.g., high, medium, low), risk type (e.g., command injection, path access, dynamic construction), risk source location (e.g., function call, attribute setting path), and assessment reasoning or explanatory text. Based on these results, the system can construct a unified "risk list," which can be regarded as a comprehensive scan output of potential Trojan behaviors in the model file.
[0075] In some embodiments, the number and distribution of high-risk instructions can be statistically analyzed, and combined with their logical modules or build paths, the overall risk level of the target model file can be inferred. For example, if there are multiple high-risk markers related to system calls, external resource access, or insecure reflection in the instructions, the system may directly mark the model as "blocking-level high risk" and recommend prohibiting its direct loading in the production environment. If the risk is concentrated in an isolable path or has ambiguous interpretations, the system may mark it as "requires review" or "partial risk is controllable," guiding the user to the manual review process.
[0076] During the process of generating Trojan detection results, the system can automatically generate highly readable detection reports, which can be output in various formats such as Structured JavaScript Object Notation and Hypertext Markup Language views. The reports include basic information about the model file, analysis time, detection scope, risk summary, a list of key instruction risks, and tags, levels, and explanatory summaries for each risk. For important instructions, the system can also add supplementary prompts to the report, such as "It is recommended to manually review the module initialization logic involved in this instruction" and "The detected call chain may be similar to historically known attack patterns," to enhance the report's practicality and guidance value.
[0077] Furthermore, the system can integrate user-defined business strategies and usage environments to link Trojan detection results with automatic protection strategies. For example, in the model import pipeline, if the detection result marks it as high-risk, the registration of that model file can be automatically blocked; if it is determined to be low-risk but contains sensitive calls, the model sandbox operation strategy or mandatory pre-deployment human review marking can be triggered; and for models that are determined to be completely risk-free, they can be directly approved and the audit log can be recorded.
[0078] In some embodiments, the system can also feed back the detection results to the model file repository management platform or the supply chain assessment system, supporting cross-project and cross-institutional model credibility scoring, source credibility judgment and lifecycle security marking, and building a supply chain risk prevention and control mechanism for large model distribution scenarios.
[0079] The Trojan detection method of this application will be specifically described below by way of preferred embodiments.
[0080] In the embodiments of this application, since different types of deep learning model files have significant differences in storage structure and serialization protocol, it is necessary to have the ability to perform structural identification, decomposition and parsing and content extraction for multiple model formats in order to achieve static detection preprocessing with universality and robustness.
[0081] Specifically, after receiving the target model file, a structure recognition operation can be performed to analyze the overall structure of the model file and identify and extract the deserialization instruction information.
[0082] After structural decomposition, the extracted deserialization instruction information can be further analyzed for protocol identification, i.e., determining the protocol type used during serialization of the model file. Serialization protocols may include those based on general object mapping, graph structure encoding, compression encoding, etc. The system can have a built-in protocol identification engine to accurately identify the serialization protocol type used by the model file through methods such as format signature comparison, structural feature parsing, or serialization field inference.
[0083] After identifying the specific protocol type, the binary data in the deserialized instruction information can be formatted and parsed according to the semantic rules of that protocol. For example, the raw byte stream can be decoded into semantically recognizable instruction fragments, such as module initialization, object restoration, resource path binding, and dynamic attribute registration. To improve versatility, an abstract syntax tree or structured intermediate representation can be introduced to restore complex structures to logical instruction streams.
[0084] According to embodiments of this application, the parsed instruction data can be converted into a standard text format to form a deserialized instruction text sequence for subsequent prompt word generation and risk assessment. The deserialized instruction text sequence can adopt a natural language style or a standardized instruction template format to ensure that the large language model can still understand its potential execution intent and contextual relationships without relying on the specific implementation of the framework.
[0085] In the embodiments of this application, the contextual semantic information of the deserialized instruction text sequence can be further identified based on the instruction analysis agent, and prompt factors can be extracted based on the contextual semantic information; the model frame type of the target model file can be determined; and the risk analysis prompt words can be constructed based on the prompt factors and the model frame type.
[0086] Specifically, the instruction analysis agent can analyze the relative position of each instruction in the instruction sequence, its dependencies, call chain paths, and related resource access patterns to construct a complete semantic context graph. Through semantic analysis, the instruction analysis agent can identify instruction combinations that may constitute a behavioral chain and mark potential risk clues such as control flow traversal, parameter pollution, and call redirection.
[0087] After obtaining contextual semantic information, the instruction analysis agent can further extract cue factors. Cue factors are abstract expressions of the potential risk characteristics carried by the instruction and its context, such as whether the instruction accesses external paths, whether there is user-controlled input, whether it calls high-privilege interfaces, and whether it matches historical attack patterns.
[0088] Simultaneously, the instruction analysis agent can also identify the model framework type used by the target model file. For example, it can determine whether the file belongs to a computation graph-based model, whether it uses object serialization, or whether it relies on framework-specific reflection or plugin loading mechanisms. The model framework type directly affects the way instruction semantics are parsed and executed at runtime. Therefore, incorporating this information into the prompt word construction can make the Trojan detection model more context-aware. For instance, in some model frameworks, a field calling module loading might only indicate module registration, while in another type of framework it might trigger dynamic code loading; the prompt word needs to adjust its guidance semantics accordingly.
[0089] According to embodiments of this application, the instruction analysis agent can integrate prompting factors and model framework types to generate structured risk analysis prompts, which serve as input to guide the Trojan detection model in its judgment. The risk analysis prompts may include an instruction context summary (describing the instruction's execution environment and source path), risk concern tags (identifying risk types that should be prioritized, such as path construction, command execution, and dynamic attribute writing), and an execution intent statement (summarizing the instruction's potential behavioral purpose, such as "module restoration," "dynamic injection," and "trigger callback"). The instruction analysis agent can flexibly combine the above content according to actual task scenarios to construct prompt inputs that are both generalizable and have targeted discriminative power, achieving high-precision modeling support for multiple types of potential Trojan behaviors.
[0090] Figure 3 The flowchart illustrating a method for fine-tuning a Trojan detection model according to some exemplary embodiments of this application is shown schematically.
[0091] like Figure 3 As shown, the method for fine-tuning the Trojan detection model includes operations S310 to S320.
[0092] In operation S310, the pre-trained language model is fine-tuned based on multi-source training corpus, wherein the multi-source training corpus includes historical deserialization instruction samples, as well as at least one of Trojan injection behavior samples, open-source model samples of injected Trojans, and actual attack logs.
[0093] In this embodiment, multi-source training corpora can be introduced as fine-tuning datasets to improve the large language model's ability to understand deserialization semantic structures and their potential risky intentions. The multi-source corpora can include: deserialization instruction samples collected from real-world scenarios, covering structured instruction expressions in common frameworks during model building, reconstruction, and loading; samples of known Trojan injection behaviors, such as inserting system call paths using function reconstruction mechanisms or constructing executable code injection logic, to enhance the model's ability to identify attack intentions; open-source model samples injected with Trojans can also be introduced as training references, as these samples retain the structural variation patterns used by real attackers to evade detection; and attack log fragments from actual deployment environments can also be collected, with the parts related to model loading and serialization execution preprocessed and incorporated into the corpus to construct adversarial examples that more closely resemble real-world scenarios.
[0094] In operation S320, the pre-trained language model is fine-tuned based on the training corpus containing risk behavior labels, wherein the risk behavior labels include at least one of command execution, file access, environment variable invocation, and network reconnection behavior.
[0095] In this embodiment, training corpora with explicit risk behavior labels can be introduced to perform supervised reinforcement of the large language model. Risk behavior labels can cover the most common security-sensitive operations during the deserialization stage of deep learning models, such as command execution (e.g., calling system interfaces or running external scripts), file access (e.g., opening or writing resource files in a specific directory), environment variable calls (e.g., dynamically resolving system paths and running configurations), and network reconnection behaviors (e.g., automatically initiating remote connections or uploading model status information). Through paired training with risk behavior labels and samples, the model can learn how to accurately predict the type and level of risk that may be caused based on the instruction structure and contextual features.
[0096] It should be noted that the Trojan detection model can be a semantic discrimination model built on a pre-trained language model, possessing natural language understanding and code semantic recognition capabilities. The Trojan detection model can be fine-tuned to adapt to specific tasks of deep learning model file security detection, aiming to identify potential Trojan injection behaviors in model files, especially executable risk logic hidden in deserialization instructions. In other words, the core foundation of the Trojan detection model is a large-scale language model, which already possesses broad language representation capabilities during its pre-training stage on general text and code corpora. Through task-oriented fine-tuning, it is further endowed with the specialized ability to identify deserialization behaviors and attack features.
[0097] It should be noted that operations S310 and S320 can be executed sequentially or separately. The embodiments of this application do not limit the execution order of operations S310 and S320.
[0098] In the embodiments of this application, the interaction process between the instruction analysis agent and the Trojan detection model can adopt an instruction-by-instruction, multi-round collaborative discrimination mechanism to improve the model's ability to identify complex, ambiguous, or context-dependent potential Trojan instructions. This process can perform fine-grained processing around each instruction in the deserialized instruction text sequence, combine the risk analysis prompts corresponding to the instructions, and conduct multi-round interactive risk discrimination with the Trojan detection model that has semantic understanding capabilities.
[0099] Specifically, for each deserialized instruction text sequence to be detected, an instruction analysis agent constructs the input for the first interaction based on pre-generated prompts, and submits this input to the Trojan detection model for the first risk assessment. The first interaction can be constructed using natural language or structured prompts, enabling the Trojan detection model to accurately understand the execution semantics of the instruction and its contextual features. The assessment process relies not only on the risk level returned by the Trojan detection model but also on the model's output judgment value for that level, serving as the core basis for determining whether the preset judgment conditions are met.
[0100] For example, the discriminant value can be a confidence level or semantic matching strength, represented as a floating-point number between 0 and 1. The discriminant value is introduced to avoid misjudgments or oversimplifications caused by overly coarse-grained risk level labels. Since the output of large language models may be influenced by the context of cue words, in some boundary cases, the same instruction may be labeled with different levels in different interaction rounds, or the model may not have sufficient confidence in a certain level. Therefore, the discriminant value must be higher than a preset confidence threshold (e.g., 0.70) to be considered "sufficiently discriminant" and can be directly adopted as the target risk label.
[0101] If the discrimination value is lower than the preset threshold, this process will continue until the discrimination value returned by the Trojan detection model meets the system's preset conditions. During this process, the number of interaction rounds N is a positive integer greater than 1, representing the composite judgment capability of the same instruction under multiple perspectives and contexts. The maximum value of N can be set by the system strategy to balance detection accuracy and computational cost.
[0102] Through this multi-round interaction mechanism, the system can dynamically adapt to various situations where the semantics of instructions are ambiguous, the context is incomplete, or the behavior path depends on others. This effectively reduces the false negative rate and false positive rate of the initial judgment and improves the ability to identify mutated Trojan structures, obfuscated logic, and context-coupled attack behaviors.
[0103] Furthermore, during the Nth interaction, the instruction analysis agent can dynamically adjust the risk analysis prompts used for the next round of judgment based on the risk judgment labels returned by the Trojan detection model in the previous round (i.e., the N-1th interaction), thus forming a more targeted interactive input.
[0104] Specifically, if the confidence level of the risk level fed back by the model in the (N-1)th round of interaction is insufficient, the system will infer that the current prompt word has failed to provide enough contextual information or risk feature hints, thereby guiding the instruction analysis agent to execute the prompt word reconstruction strategy.
[0105] For example, the instruction analysis agent can proactively introduce the context information of the instructions before and after the current instruction, splice or summarize it and incorporate it into the prompt word content, so as to prompt the Trojan detection model to identify the impact of cross-instruction behavior chains, execution path dependencies or pre-construction behaviors on the risk of the current instruction.
[0106] For example, the system can embed the explanatory text or discriminant summary returned by the previous model as a prompt factor into the prompt words of the next round, prompting the model to supplement its reasoning based on the previous "fuzzy judgment". For instance, if the model returns "This instruction may involve module recovery, but the source of the call is not clearly stated" in the N-1 round, then the prompt words of the next round can include "Please determine whether this module contains a custom __***__ method or calls a system command", thereby further narrowing the scope of model analysis and triggering risk identification.
[0107] For example, the instruction analysis agent can also adjust the way task instruction objectives are described. For instance, by modifying the instruction reconstruction statement, behavior type definition, or risk focus angle in the prompt, the original expression "This instruction is used to restore an object" can be updated to "This instruction may trigger a custom restoration path; is there any code injection behavior?", thus more accurately guiding the model to focus on suspicious logical points.
[0108] By optimizing multi-dimensional prompts, the instruction analysis agent can modify content and enhance semantics based on historical interaction results in each interaction with the Trojan detection model. This effectively improves the risk identification coverage in complex instruction scenarios and avoids misjudgments and omissions caused by insufficient input or semantic ambiguity, thereby enhancing the overall adaptability, flexibility and security of the system.
[0109] Figure 4 The flowchart illustrating a method for obtaining risk assessment results according to some exemplary embodiments of this application is shown schematically.
[0110] like Figure 4 As shown, the method for obtaining risk assessment results includes operations S410 to S430.
[0111] In operation S410, in response to the discrimination value meeting the preset conditions, a target risk discrimination label is obtained. The target risk discrimination label includes the risk level, and at least one of the risk category, risk source, and discrimination reason summary.
[0112] In other words, when the judgment result of any deserialization instruction meets the preset conditions, the risk features of the corresponding deserialization instruction text sequence at the semantic level can be archived and recorded.
[0113] In addition to the risk level, the target risk identification label can be dynamically filled according to the actual identification content, including risk category (such as command execution, path abuse, network backlink), risk source (such as object restoration function, dynamic attribute setting segment, external module registration path), and summary of identification reason, etc.
[0114] In operation S420, natural language text explaining the risk discrimination logic is generated based on the target risk discrimination label.
[0115] In the embodiments of this application, after obtaining the target risk discrimination label, the instruction analysis agent can semantically reorganize this structured data to construct a natural language prompt template. Subsequently, the assembled semantic content is input into a natural language generation model, which can perform reasoning based on a large language model to generate fluent and logically coherent explanatory text.
[0116] To ensure the accuracy and consistency of the generated text, the instruction analysis agent can also combine a domain template library or behavioral knowledge graph to standardize the terminology in the generated text, avoiding overly vague or semantically ambiguous content. In some embodiments, configurable interpretation granularity parameters can also be introduced to adjust the level of detail in the generated text, adapting to the understanding needs of different user roles (such as developers, security auditors, and operations personnel).
[0117] In operation S430, the target risk discrimination label is associated with the natural language text to obtain the target risk discrimination result for each deserialized instruction text sequence.
[0118] Through the judgment result generation process, the system not only has the ability to output the structure of static detection of Trojan risks, but also realizes the semantic-level result interpretation mechanism, and builds a risk expression system that integrates structure and semantics, which is conducive to risk control and compliance review of model files.
[0119] In the embodiments of this application, in order to generate Trojan detection results for the entire target model file, after completing the risk assessment of each deserialization instruction, a result aggregation operation is also required to construct a comprehensive risk assessment at the model level. Specifically, the system will first determine whether the risk assessment results corresponding to each deserialization instruction text sequence have met preset conditions, such as whether they have sufficient confidence, whether multiple rounds of interaction have been completed and the risk level is stable, and whether ambiguity or abnormal return states have been triggered.
[0120] Once the above conditions are met, the results of these completed risk assessment processes can be collected as "target risk assessment results." Each target risk assessment result may include the risk level, risk category, risk source, and optional explanatory information of the instruction.
[0121] Furthermore, aggregation operations can be performed based on the results of multiple target risk assessments to form a unified risk assessment for the entire model file. For example, aggregation strategies may include: statistically analyzing the frequency of high-risk instructions; identifying the presence of a concentrated distribution of a certain type of risk; determining whether a risk is located in a critical execution path based on the structural position of the model file; or using rule templates to identify typical attack chain combinations. The aggregation process can output a comprehensive risk label, such as "low risk - deployable," "medium risk - requires review," and "high risk - prohibited from deployment," while retaining the details of the lower-level instruction assessments to ensure the traceability and interpretability of the overall assessment.
[0122] Through the aggregation process, the system not only achieves a higher-dimensional judgment from local instruction risk to overall model security, but also provides a structured input basis for the generation of subsequent detection reports, the formulation of protection strategies, and model lifecycle management. Thus, while maintaining the granularity of detection, it improves the systematicness and practicality of risk output.
[0123] Corresponding to the above-described Trojan detection method, embodiments of this application also provide a Trojan detection device.
[0124] Figure 5 A schematic diagram of a Trojan detection device according to an embodiment of this application is shown.
[0125] like Figure 5 As shown, the Trojan detection device 500 of this embodiment includes a file acquisition module 510, a prompt word construction module 520, a risk judgment module 530, and a Trojan detection module 540.
[0126] The file acquisition module 510 can be used to acquire a target model file and obtain a deserialization instruction text sequence based on the target model file. In one embodiment, the file acquisition module 510 can be used to perform the operation S210 described above, which will not be repeated here.
[0127] The prompt word construction module 520 can be used to construct risk analysis prompt words based on the deserialized instruction text sequence using the instruction analysis agent. In one embodiment, the prompt word construction module 520 can be used to perform the operation S220 described above, which will not be repeated here.
[0128] The risk discrimination module 530 can be used to obtain risk discrimination results by interacting with the Trojan detection model using the instruction analysis agent based on the deserialized instruction text sequence and the risk analysis prompt words. In one embodiment, the risk discrimination module 530 can be used to execute the operation S230 described above, which will not be repeated here.
[0129] The Trojan detection module 540 can be used to generate Trojan detection results for the target model file based on the risk assessment results. In one embodiment, the Trojan detection module 540 can be used to perform the operation S240 described above, which will not be repeated here.
[0130] According to an embodiment of this application, the file acquisition module 510 can also be used to identify and disassemble the structure of the target model file, extract deserialization instruction information; identify the serialization protocol type of the deserialization instruction information, parse the binary data in the deserialization instruction information based on the serialization protocol type; and convert the binary data into the deserialization instruction text sequence.
[0131] According to an embodiment of this application, the prompt word construction module 520 can also be used to identify the contextual semantic information of the deserialized instruction text sequence, extract prompt factors based on the contextual semantic information; determine the model frame type of the target model file; and construct the risk analysis prompt words based on the prompt factors and the model frame type, wherein the risk analysis prompt words include at least one of instruction context summary, risk concern label, and execution intent expression.
[0132] According to an embodiment of this application, the risk discrimination module 530 can also be used to, for each deserialized instruction text sequence, utilize the instruction analysis agent to perform a first interaction with the Trojan detection model based on the risk analysis prompt words to obtain a risk discrimination label, wherein the risk discrimination label includes at least a risk level and a corresponding discrimination value; and in response to the discrimination value not meeting a preset condition, trigger the instruction analysis agent and the Trojan detection model to perform an Nth interaction until the risk level meets the preset condition, where N is a positive integer greater than 1.
[0133] According to an embodiment of this application, the risk discrimination module 530 can also be used to obtain a target risk discrimination label in response to the discrimination value meeting a preset condition. The target risk discrimination label includes the risk level, and at least one of risk category, risk source, and discrimination reason summary; generate natural language text to explain the risk discrimination logic based on the target risk discrimination label; and associate the target risk discrimination label with the natural language text to obtain a target risk discrimination result for each deserialization instruction text sequence.
[0134] According to an embodiment of this application, the risk discrimination module 530 can also be used to adjust the risk analysis prompt words based on the risk discrimination label of the N-1th interaction during the Nth interaction. The adjustment includes at least one of adding the context of the preceding and following instructions, introducing risk explanation summary information, and modifying the task instruction target.
[0135] According to an embodiment of this application, the risk discrimination module 530 can also be used to obtain the corresponding target risk discrimination result in response to the discrimination value of each deserialization instruction text sequence in the target model file meeting a preset condition; and to aggregate multiple target risk discrimination results to obtain the risk discrimination result.
[0136] According to embodiments of this application, the Trojan detection device 500 may further include a training module. The training module can be used to fine-tune a pre-trained language model based on multi-source training corpora, wherein the multi-source training corpora include historical deserialization instruction samples, and at least one of Trojan injection behavior samples, open-source model samples of injected Trojans, and actual attack logs; and to fine-tune the pre-trained language model based on training corpora containing risk behavior labels, wherein the risk behavior labels include at least one of command execution, file access, environment variable invocation, and network reconnection behavior.
[0137] According to embodiments of this application, any multiple modules among the file acquisition module 510, prompt word construction module 520, risk judgment module 530, and Trojan detection module 540 can be merged into one module, or any one of these modules can be split into multiple modules. Alternatively, at least some of the functions of one or more of these modules can be combined with at least some of the functions of other modules and implemented in one module. According to embodiments of this application, at least one of the file acquisition module 510, prompt word construction module 520, risk judgment module 530, and Trojan detection module 540 can be at least partially implemented as hardware circuitry, such as a field-programmable gate array (FPGA), programmable logic array (PLA), system-on-a-chip, system-on-a-substrate, system-on-package, application-specific integrated circuit (ASIC), or implemented in hardware or firmware by any other reasonable means of integrating or packaging the circuitry, or implemented in any one of the three implementation methods of software, hardware, and firmware, or in a suitable combination of any of these. Alternatively, at least one of the file acquisition module 510, the prompt word construction module 520, the risk judgment module 530, and the Trojan detection module 540 can be implemented at least partially as a computer program module, which can perform corresponding functions when the computer program module is run.
[0138] Figure 6A block diagram schematically illustrates an electronic device suitable for implementing a Trojan detection method according to an embodiment of this application.
[0139] like Figure 6 As shown, an electronic device 600 according to an embodiment of this application includes a processor 601, which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 602 or a program loaded from a storage portion 608 into a random access memory (RAM) 603. The processor 601 may include, for example, a general-purpose microprocessor (e.g., a CPU), an instruction set processor and / or an associated chipset and / or a special-purpose microprocessor (e.g., an application-specific integrated circuit (ASIC)), etc. The processor 601 may also include onboard memory for caching purposes. The processor 601 may include a single processing unit or multiple processing units for performing different actions of the method flow according to an embodiment of this application.
[0140] RAM 603 stores various programs and data required for the operation of electronic device 600. Processor 601, ROM 602, and RAM 603 are interconnected via bus 604. Processor 601 executes various operations of the method flow according to embodiments of this application by executing programs in ROM 602 and / or RAM 603. It should be noted that the programs may also be stored in one or more memories other than ROM 602 and RAM 603. Processor 601 may also execute various operations of the method flow according to embodiments of this application by executing programs stored in said one or more memories.
[0141] According to embodiments of this application, the electronic device 600 may further include an input / output (I / O) interface 605, which is also connected to a bus 604. The electronic device 600 may also include one or more of the following components connected to the input / output (I / O) interface 605: an input section 606 including a keyboard, mouse, etc.; an output section 607 including a cathode ray tube (CRT), liquid crystal display (LCD), etc., and a speaker, etc.; a storage section 608 including a hard disk, etc.; and a communication section 609 including a network interface card such as a LAN card, modem, etc. The communication section 609 performs communication processing via a network such as the Internet. A drive 610 is also connected to the input / output (I / O) interface 605 as needed. A removable medium 611, such as a disk, optical disk, magneto-optical disk, semiconductor memory, etc., is installed on the drive 610 as needed so that computer programs read from it can be installed into the storage section 608 as needed.
[0142] This application also provides a computer-readable storage medium, which may be included in the device / apparatus / system described in the above embodiments; or it may exist independently and not assembled into the device / apparatus / system. The computer-readable storage medium carries one or more programs, which, when executed, implement the method according to the embodiments of this application.
[0143] According to embodiments of this application, the computer-readable storage medium can be a non-volatile computer-readable storage medium, such as including but not limited to: portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof. In this application, the computer-readable storage medium can be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system, apparatus, or device. For example, according to embodiments of this application, the computer-readable storage medium may include ROM 602 and / or RAM 603 and / or one or more memories other than ROM 602 and RAM 603 described above.
[0144] Embodiments of this application also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowchart. When the computer program product is run on a computer system, the program code enables the computer system to implement the Trojan detection method provided in the embodiments of this application.
[0145] When the computer program is executed by the processor 601, it performs the functions defined in the system / apparatus of this application embodiment. According to the embodiments of this application, the systems, apparatuses, modules, units, etc., described above can be implemented by computer program modules.
[0146] In one embodiment, the computer program may rely on a tangible storage medium such as an optical storage device or a magnetic storage device. In another embodiment, the computer program may also be transmitted and distributed in the form of signals over a network medium, and downloaded and installed via the communication section 609, and / or installed from the removable medium 611. The program code contained in the computer program can be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination thereof.
[0147] In such an embodiment, the computer program can be downloaded and installed from a network via the communication section 609, and / or installed from the removable medium 611. When the computer program is executed by the processor 601, it performs the functions defined in the system of this application embodiment. According to the embodiments of this application, the systems, devices, apparatuses, modules, units, etc., described above can be implemented by computer program modules.
[0148] According to embodiments of this application, program code for executing the computer programs provided in the embodiments of this application can be written in any combination of one or more programming languages. Specifically, these computational programs can be implemented using high-level procedural and / or object-oriented programming languages, and / or assembly / machine languages. Programming languages include, but are not limited to, languages such as Java, C++, Python, "C", or similar programming languages. The program code can be executed entirely on the user's computing device, partially on the user's device, partially on a remote computing device, or entirely on a remote computing device or server. In cases involving remote computing devices, the remote computing device can be connected to the user's computing device via any type of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computing device (e.g., via the Internet using an Internet service provider).
[0149] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this application. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in a block diagram or flowchart, and combinations of blocks in a block diagram or flowchart, may be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.
[0150] Those skilled in the art will understand that the features described in the various embodiments of this application can be combined and / or combined in various ways, even if such combinations or combinations are not explicitly described in this application. In particular, the features described in the various embodiments of this application can be combined and / or combined in various ways without departing from the spirit and teachings of this application. All such combinations and / or combinations fall within the scope of this application.
[0151] The embodiments of this application have been described above. However, these embodiments are merely illustrative and not intended to limit the scope of this application. Although various embodiments have been described above, this does not mean that the measures in the various embodiments cannot be used advantageously in combination. Without departing from the scope of this application, those skilled in the art can make various substitutions and modifications, all of which should fall within the scope of this application.
Claims
1. A method for detecting Trojan horses, characterized in that, The method includes: Obtain the target model file, and obtain the deserialization instruction text sequence based on the target model file; The instruction analysis agent constructs risk analysis prompts based on the deserialized instruction text sequence; Based on the deserialized instruction text sequence and the risk analysis prompts, the instruction analysis agent interacts with the Trojan detection model to obtain risk assessment results; and Based on the risk assessment results, Trojan detection results are generated for the target model file.
2. The method according to claim 1, characterized in that, The training process of the Trojan detection model includes at least one of the following: Fine-tuning of a pre-trained language model based on multi-source training corpus, wherein the multi-source training corpus includes historical deserialization instruction samples, as well as at least one of Trojan injection behavior samples, open-source model samples of injected Trojans, and actual attack logs. The pre-trained language model is fine-tuned based on training corpus containing risk behavior labels, wherein the risk behavior labels include at least one of command execution, file access, environment variable invocation, and network reconnection behavior.
3. The method according to claim 1 or 2, characterized in that, The interaction between the instruction analysis agent and the Trojan detection model based on the deserialized instruction text sequence and the risk analysis prompts includes: For each deserialized instruction text sequence, the instruction analysis agent interacts with the Trojan detection model for the first time based on the risk analysis prompts to obtain a risk label. The risk label includes at least a risk level and a corresponding discrimination value. In response to the discriminant value not meeting the preset conditions, the instruction analysis agent is triggered to interact with the Trojan detection model for the Nth time until the risk level meets the preset conditions, where N is a positive integer greater than 1.
4. The method according to claim 3, characterized in that, The obtained risk assessment results include: In response to the judgment value meeting the preset conditions, a target risk judgment label is obtained. The target risk judgment label includes the risk level, and at least one of the risk category, risk source, and judgment reason summary. Generate natural language text to explain the risk discrimination logic based on the target risk discrimination label; and The target risk discrimination label is associated with the natural language text to obtain the target risk discrimination result for each deserialized instruction text sequence.
5. The method according to claim 1, 2, or 4, characterized in that, The process of obtaining the deserialization instruction text sequence based on the target model file includes: The structure of the target model file is identified and deconstructed to extract deserialization instruction information; Identify the serialization protocol type of the deserialization instruction information, and parse the binary data in the deserialization instruction information based on the serialization protocol type; and The binary data is converted into the deserialization instruction text sequence.
6. The method according to claim 1, 2, or 4, characterized in that, The process of constructing risk analysis prompts based on the deserialized instruction text sequence using an instruction analysis agent includes: Identify the contextual semantic information of the deserialized instruction text sequence, and extract prompt factors based on the contextual semantic information; Determine the model framework type of the target model file; and Based on the aforementioned prompting factors and the aforementioned model framework type, the risk analysis prompts are constructed, and the risk analysis prompts include at least one of the following: instruction context summary, risk concern tags, and execution intent statement.
7. The method according to claim 3, characterized in that, The method further includes: During the Nth interaction, the instruction analysis agent adjusts the risk analysis prompt based on the risk discrimination label of the (N-1)th interaction. The adjustment includes at least one of adding the context of the preceding and following instructions, introducing risk explanation summary information, and modifying the task instruction objective.
8. The method according to claim 3, characterized in that, The method further includes: In response to the fact that the discrimination values of each deserialization instruction text sequence in the target model file meet preset conditions, the corresponding target risk discrimination result is obtained; and The risk discrimination results of multiple targets are aggregated to obtain the risk discrimination result.
9. A Trojan horse detection device, characterized in that, The device includes: The file acquisition module is used to: acquire a target model file and obtain a deserialization instruction text sequence based on the target model file; The prompt word construction module is used to: construct risk analysis prompt words based on the deserialized instruction text sequence using the instruction analysis agent; The risk assessment module is used to: based on the deserialized instruction text sequence and the risk analysis prompts, interact with the Trojan detection model using the instruction analysis agent to obtain risk assessment results; and The Trojan detection module is used to generate Trojan detection results for the target model file based on the risk assessment results.
10. An electronic device, comprising: One or more processors; Memory, used to store one or more computer programs. The characteristic feature is that the one or more processors execute the one or more computer programs to implement the steps of the method according to any one of claims 1 to 8.
11. A computer-readable storage medium having a computer program or instructions stored thereon, characterized in that, When the computer program or instructions are executed by a processor, they implement the steps of the method according to any one of claims 1 to 8.
12. A computer program product, comprising a computer program or instructions, characterized in that, When the computer program or instructions are executed by a processor, they implement the steps of the method according to any one of claims 1 to 8.