
CN114238983A - Threat analysis method, device, equipment and storage medium in confidential environment - Google Patents


Info

Publication number: CN114238983A
Authority: CN (China)
Prior art keywords: threat, analyzed, threat analysis, file, source
Legal status: Granted
Application number: CN202111505242.2A
Other languages: Chinese (zh)
Other versions: CN114238983B (en)
Inventors: 马建伟, 高喜宝
Current assignee: Antiy Technology Group Co Ltd
Original assignee: Antiy Technology Group Co Ltd

Events:
Application filed by Antiy Technology Group Co Ltd
Priority to CN202111505242.2A
Publication of CN114238983A
Application granted
Publication of CN114238983B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)
  • Storage Device Security (AREA)
  • Automatic Analysis And Handling Materials Therefor (AREA)

Abstract

The invention provides a threat analysis method, device, equipment and storage medium in a confidential environment. The method includes: pre-installing a trusted threat analysis tool in the confidential environment; using the trusted threat analysis tool to determine the file type of an unknown file to be analyzed; processing the unknown file according to preset processing rules to obtain a source to be analyzed; and performing threat analysis on the source to be analyzed with pre-generated threat analysis rules to obtain a threat analysis result. This solution can automatically perform threat analysis on a confidential environment and improves analysis accuracy and analysis efficiency.

Figure 202111505242

Description

Threat analysis method, device, equipment and storage medium in confidential environment
Technical Field
The embodiment of the invention relates to the technical field of security detection, in particular to a threat analysis method, a threat analysis device, threat analysis equipment and a storage medium in a confidential environment.
Background
As network security risks grow, a confidential environment can no longer block threats through simple physical isolation. Existing network attacks can achieve high-intensity, high-frequency penetration and exploitation of the isolated confidential environment through various attack modes, ultimately obtaining the confidential information held there.
In the face of this growing threat, threat analysis often has to be carried out on the confidential environment; given the particularity of such an environment, threat analysis and identification are at present generally carried out manually. The manual method has low accuracy and low analysis efficiency.
Disclosure of Invention
Given the low accuracy and low analysis efficiency of manually carrying out threat analysis on the confidential environment, the embodiment of the invention provides a threat analysis method, a threat analysis device, threat analysis equipment and a storage medium in the confidential environment, which can automatically carry out threat analysis on the confidential environment and improve the analysis accuracy and the analysis efficiency.
In a first aspect, an embodiment of the present invention provides a method for threat analysis in a confidential environment, including:
a trusted threat analysis tool is pre-installed in a confidential environment;
determining the file type of the unknown file to be analyzed by utilizing the trusted threat analysis tool;
processing the unknown file according to a preset processing rule to obtain a source to be analyzed;
and carrying out threat analysis on the source to be analyzed by utilizing a pre-generated threat analysis rule to obtain a threat analysis result.
Preferably, the file type of the unknown file is an executable file;
the processing the unknown file to obtain a source to be analyzed includes: converting the executable file into a disassembling code and a hexadecimal code and extracting a characteristic character string in the executable file to obtain the disassembling code, the hexadecimal code and the characteristic character string which are used as a source to be analyzed;
the threat analysis of the source to be analyzed by using the pre-generated threat analysis rule comprises the following steps: and performing threat matching on the disassembled codes, the hexadecimal codes and the characteristic character strings based on a pre-generated yara rule, and determining whether threat behaviors can be matched.
Preferably, before the threat analysis is performed on the source to be analyzed by using the pre-generated threat analysis rule, the method further includes:
and converting the disassembling code into a pseudo code, and determining the pseudo code as the source to be analyzed.
Preferably, the file type of the unknown file is a script file;
the processing the unknown file to obtain a source to be analyzed includes: obtaining script contents in the script file, and determining the script contents as a source to be analyzed;
the threat analysis of the source to be analyzed by using the pre-generated threat analysis rule comprises the following steps: and carrying out algorithm matching on the algorithms contained in the script content based on a pre-generated algorithm detection rule, if algorithm matching exists, restoring the algorithms contained in the script content, determining whether an encrypted threat file exists, and determining a matched threat behavior according to the threat file.
Preferably, the file type of the unknown file is a process characteristic analysis software package file;
the processing the unknown file to obtain a source to be analyzed includes: acquiring the flow in the process characteristic analysis software package file, and determining the flow as a source to be analyzed;
the threat analysis of the source to be analyzed by using the pre-generated threat analysis rule comprises the following steps: and carrying out flow reduction on the flow based on a pre-generated snort rule, and determining whether threat behaviors exist based on the reduced flow.
Preferably, after the threat analysis is performed on the source to be analyzed by using the pre-generated threat analysis rule, the method further includes:
and after the threat behaviors are determined to be matched, determining attack technical points corresponding to the matched threat behaviors, and determining the matched threat behaviors and the corresponding attack technical points as threat analysis results.
Preferably, before the threat analysis is performed on the source to be analyzed by using the pre-generated threat analysis rule, the method further includes: loading the source to be analyzed on a display interface;
after the threat analysis is performed on the source to be analyzed by using the pre-generated threat analysis rule, the method further includes: and receiving manually determined and input threat behaviors based on the to-be-analyzed source loaded on the display interface, and updating the threat analysis rule according to the manually input threat behaviors and the threat behaviors matched with the threat analysis rule.
In a second aspect, an embodiment of the present invention further provides a threat analysis apparatus in a confidential environment, including: a trusted threat analysis tool pre-installed in a confidential environment; wherein the trusted threat analysis tool comprises:
the file type determining unit is used for determining the file type of the unknown file to be analyzed;
the to-be-analyzed source determining unit is used for processing the unknown file according to a preset processing rule to obtain a to-be-analyzed source;
and the threat analysis unit is used for carrying out threat analysis on the source to be analyzed by utilizing a pre-generated threat analysis rule to obtain a threat analysis result.
In a third aspect, an embodiment of the present invention further provides a computing device, including a memory and a processor, where the memory stores a computer program, and the processor, when executing the computer program, implements the method described in any embodiment of this specification.
In a fourth aspect, the present invention further provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed in a computer, the computer program causes the computer to execute the method described in any embodiment of the present specification.
The embodiment of the invention provides a threat analysis method, a device, equipment and a storage medium in a confidential environment, wherein after a trusted threat analysis tool is obtained, the trusted threat analysis tool is installed in the confidential environment, threat analysis can be performed on unknown files in the confidential environment, the file types of the unknown files can be identified in the threat analysis process, different processing can be performed on the unknown files of different file types, and threat analysis is performed on a source to be analyzed obtained after the processing by using a threat analysis rule, so that the automatic analysis process in the confidential environment is realized, and the analysis accuracy and the analysis efficiency are improved compared with manual analysis.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a flowchart of a threat analysis method in a confidential environment according to an embodiment of the present invention;
FIG. 2 is a diagram of a hardware architecture of a computing device according to an embodiment of the present invention;
fig. 3 is a structural diagram of a threat analysis apparatus in a confidential environment according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer and more complete, the technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention, and based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without creative efforts belong to the scope of the present invention.
As mentioned above, because of the special characteristics of the confidential environment, some existing analysis software, such as IDA (Interactive Disassembler), OllyDbg (an assembly-level debugger) and the like, cannot be used there. The reasons are mainly as follows: first, such analysis software can only analyze a single type of threat and cannot provide overall threat analysis; second, it is not domestic trusted software and may introduce unknown threat factors when used in the confidential environment; third, the confidential environment generally runs a domestic operating system, for which suitable trusted software is not yet available. For these reasons, threat analysis is currently performed manually in the confidential environment. To improve detection efficiency and detection accuracy, trusted threat analysis software can be developed specifically for the confidential environment so as to realize overall threat analysis of it.
Specific implementations of the above concepts are described below.
Referring to fig. 1, an embodiment of the present invention provides a method for threat analysis in a confidential environment, where the method includes:
step 100, pre-installing an obtained trusted threat analysis tool in a confidential environment;
step 102, determining the file type of the unknown file to be analyzed by using the trusted threat analysis tool;
step 104, processing the unknown file according to a preset processing rule to obtain a source to be analyzed;
and step 106, carrying out threat analysis on the source to be analyzed by utilizing a pre-generated threat analysis rule to obtain a threat analysis result.
In the embodiment of the invention, after the trusted threat analysis tool is obtained, the trusted threat analysis tool is installed in a confidential environment, the threat analysis can be carried out on unknown files in the confidential environment, the file types of the unknown files can be identified in the threat analysis process, different processing can be carried out on the unknown files of different file types, and the threat analysis rule is utilized to carry out the threat analysis on the source to be analyzed obtained after the processing, so that the automatic analysis process in the confidential environment is realized, and the analysis accuracy and the analysis efficiency are improved compared with manual analysis.
The manner in which the various steps shown in fig. 1 are performed is described below.
First, at step 100, the obtained trusted threat analysis tool is pre-installed in the confidential environment.
In the embodiment of the invention, the operating system of the confidential environment may be a domestic operating system or a controllable operating system. A domestic operating system is one developed on the basis of the open-source Linux system, such as NeoKylin (中标麒麟) and the like; a controllable operating system is one that has been checked and found to be free of malicious threats.
Because existing analysis software is not domestic trusted software, in the embodiment of the invention the trusted threat analysis tool is obtained by adaptive coding for the operating system type of the confidential environment; since the threat analysis tool is self-developed, it can be trusted and applied in the confidential environment. The trusted threat analysis tool is installed in the confidential environment to perform threat analysis there.
Then, in step 102, the file type of the unknown file to be analyzed is determined by using the trusted threat analysis tool.
Since the confidential environment is physically isolated, the unknown file is copied into the confidential environment by means of an optical disc or the like, and since the threat situation of the unknown file is unknown, the threat analysis needs to be performed by using a trusted threat analysis tool.
In the embodiment of the invention, the trusted threat analysis tool may include a file identification module for identifying the file type of the unknown file. Specifically, the method for determining the file type of the unknown file to be analyzed in this step may include at least two types:
the first way, the identification is directly based on the suffix of the unknown file.
In the second mode, the head characteristics of the unknown file are utilized for analysis and identification.
In the first approach, suffixes for different file types are different, e.g.,. exe is an executable file and. doc is a document file. However, it is preferable to perform the authentication in the second manner, considering that the suffix of the document can be changed, and the type of the document is authenticated by the suffix of the document, and the authentication result may be different from the true type of the document.
In the second mode, the file with different file types has different header characteristics, and the real file type can be obtained by detecting the header characteristics of the file. And the file type is identified through the header characteristics of the file, so that not only the file type but also an applicable operating system of the file can be identified. For example, the file type can be identified as an executable file, and whether the executable file is a PE file applied to Windows, an ELF file applied to Linux, or an APK file applied to an android operating system.
In one embodiment of the present invention, in addition to the file types of the executable files, at least the following file types can be identified: script files, process characteristic analysis software package files.
If the file type of the unknown file cannot be identified, this indicates that the unknown file poses a large threat, and the unknown file can be isolated to ensure the safety of the confidential environment.
Finally, step 104, 'processing the unknown file according to a preset processing rule to obtain a source to be analyzed', and step 106, 'performing threat analysis on the source to be analyzed by using a pre-generated threat analysis rule to obtain a threat analysis result', are explained.
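As an added illustration (not code from the patent), the following Python sketch implements the second mode above: it identifies a file from its header features rather than its suffix, distinguishes PE, ELF, APK, OOXML and script files, reports a suffix/header mismatch, and marks unidentifiable files for isolation. The signature table, the function names (identify_file_type, triage) and the in-memory sample files are my own constructions.

```python
import io
import struct
import zipfile

# Header signatures ("magic bytes") tested in order; assumed for this example,
# the patent itself lists no signature table.
MAGIC = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 document (.doc/.xls)"),
    (b"\x7fELF", "ELF executable (Linux)"),
    (b"%PDF", "PDF document"),
    (b"MZ", "MZ executable"),
    (b"#!", "script (shebang)"),
]

# What a suffix claims the file to be; used only to report suffix/header mismatches.
SUFFIX_CLASS = {"exe": "executable", "dll": "executable", "apk": "executable",
                "sh": "script", "py": "script", "doc": "document",
                "docx": "document", "pdf": "document"}


def _refine_pe(data: bytes) -> str:
    # A genuine PE file carries "PE\0\0" at the offset stored in e_lfanew (0x3C).
    if len(data) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "PE executable (Windows)"
    return "MZ executable (no PE header)"


def _refine_zip(data: bytes) -> str:
    # APK packages and OOXML documents are both ZIP containers; look inside.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
    except zipfile.BadZipFile:
        return "unknown"
    if "AndroidManifest.xml" in names:
        return "APK executable (Android)"
    if "[Content_Types].xml" in names:
        return "OOXML document (.docx/.xlsx)"
    return "ZIP archive"


def identify_file_type(data: bytes) -> str:
    """Second mode: decide the real type from header features only."""
    if data.startswith(b"PK\x03\x04"):
        return _refine_zip(data)
    for magic, label in MAGIC:
        if data.startswith(magic):
            return _refine_pe(data) if magic == b"MZ" else label
    return "unknown"


def triage(name: str, data: bytes) -> dict:
    """Report the suffix claim, the header verdict, a mismatch flag and the action."""
    suffix = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    real = identify_file_type(data)
    claimed = SUFFIX_CLASS.get(suffix)
    mismatch = claimed is not None and claimed not in real
    # Unidentifiable files are isolated, as the description above requires.
    action = "isolate" if real == "unknown" else "analyze"
    return {"suffix": suffix, "type": real, "mismatch": mismatch, "action": action}


# --- constructed sample files (none of these is a real program) ---
def _make_pe() -> bytes:
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)           # e_lfanew -> right after the header
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 16


def _make_apk() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
    return buf.getvalue()


SAMPLES = {
    "report.doc": _make_pe(),                         # executable renamed as a document
    "update.bin": b"\x7fELF\x02\x01\x01" + b"\x00" * 20,
    "app.apk": _make_apk(),
    "run.sh": b"#!/bin/sh\necho ok\n",
    "blob.dat": b"\x13\x37\x00\xff" * 8,              # nothing recognisable
}

if __name__ == "__main__":
    for fname, content in SAMPLES.items():
        print(fname, triage(fname, content))
```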
As per step 102, the file types may include at least: executable files, script files, and process characterization software package files. Since different file types need to be processed in different ways, the following describes step 104 and step 106 for the above three file types respectively.
The first file type is an executable file.
For executable files, this step 104 may include: and converting the executable file into a disassembling code and a hexadecimal code, and extracting the characteristic character string in the executable file to obtain the disassembling code, the hexadecimal code and the characteristic character string which are used as a source to be analyzed.
Then step 106 may include: and performing threat matching on the disassembled codes, the hexadecimal codes and the characteristic character strings based on a pre-generated yara rule, and determining whether threat behaviors can be matched.
Disassembly is the process of converting machine language into assembly-language code; by converting the executable file into disassembly code, vulnerability analysis can be performed on that code.
The characteristic character strings can comprise sensitive characters, sensitive paths, Chinese characters and the like, character string characteristics can be formed in the yara rule based on the characteristic character strings, codes in the executable file are matched based on the character string characteristics, and the character strings matched with the character string characteristics are determined to be the characteristic character strings and extracted.
Because the disassembly code, the hexadecimal code and the characteristic character string represent different degrees of information richness, threat matching can be performed in combination when threat matching is performed on the disassembly code, the hexadecimal code and the characteristic character string in step 106. Specifically, when threat matching is performed on any one of the disassembled code, the hexadecimal code and the characteristic character string to be analyzed, if a suspicious threat behavior is matched, the position of the suspicious threat behavior in the current source to be analyzed is located, corresponding positions of other sources to be analyzed are determined based on the position of the current source to be analyzed, relevant information at the corresponding positions of the other sources to be analyzed is obtained, and threat matching is further performed based on the relevant information to determine whether the suspicious threat behavior is a real threat behavior. The method can more accurately analyze the real threat behavior of the executable file, and prevent the detection of the real threat behavior from being missed and influencing the accuracy of the threat analysis result because a single language code cannot express the complete threat characteristics.
For example, when threat matching is performed on the disassembly code, if the matched threat characteristic cannot be directly determined as a true threat behavior, the matched behavior is determined as a suspicious threat behavior, the position of the suspicious threat behavior in the disassembly code is located, so that the corresponding position of the position in the hexadecimal code can be determined, relevant information (such as context information) at the corresponding position in the hexadecimal code is further threat matched with the relevant information, and if the threat characteristic is matched, the suspicious threat behavior is determined as the true threat behavior.
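The combined matching just described, as an added example rather than the patent's own code: a first-stage rule over the disassembly listing flags a suspicious call site, the address pushed as its argument is mapped through an assumed section table to the corresponding file offset in the hexadecimal source, and a second-stage rule on the bytes found there decides whether the suspicious behaviour is a real threat. The section table, the listing, the file image and the two regex rules (standing in for yara rules) are all constructed.

```python
import re

# Constructed PE-style section table: virtual address range -> raw file offset.
SECTIONS = [
    {"name": ".text", "va": 0x401000, "size": 0x200, "raw": 0x400},
    {"name": ".data", "va": 0x403000, "size": 0x100, "raw": 0x600},
]


def va_to_file_offset(va: int):
    """Map an address seen in the disassembly to its offset in the hexadecimal source."""
    for s in SECTIONS:
        if s["va"] <= va < s["va"] + s["size"]:
            return s["raw"] + (va - s["va"])
    return None


# Constructed disassembly listing. Two calls launch a program; the listing alone
# does not say what is launched, so on its own each call is only suspicious.
DISASM = """\
00401000  push ebp
00401001  mov ebp, esp
00401003  push 0
00401005  push 0x403010
0040100a  call ds:[ShellExecuteA]
00401010  push 0
00401012  push 0x403030
00401017  call ds:[ShellExecuteA]
0040101d  pop ebp
0040101e  ret
"""


# Constructed hexadecimal source: a 0x700-byte file image with two strings in .data.
def _build_image() -> bytes:
    img = bytearray(0x700)
    for off, s in ((0x610, b"C:\\Windows\\Temp\\svc.exe\0"),
                   (0x630, b"C:\\Program Files\\App\\helper.exe\0")):
        img[off:off + len(s)] = s
    return bytes(img)


IMAGE = _build_image()

# Stage 1 (disassembly rule): an address pushed immediately before a program-launching call.
STAGE1 = re.compile(
    r"^([0-9a-f]{8})\s+push (0x[0-9a-f]+)\n[0-9a-f]{8}\s+call ds:\[(ShellExecuteA|WinExec|CreateProcessA)\]",
    re.M)
# Stage 2 (hexadecimal rule): the launched path points into a Temp directory.
STAGE2 = re.compile(rb"\\Temp\\[^\0]*\.exe", re.I)


def cstring_at(image: bytes, off: int) -> bytes:
    """Read the NUL-terminated string at a file offset (the 'context information')."""
    end = image.find(b"\0", off)
    return image[off:end if end != -1 else len(image)]


def combined_match(disasm: str, image: bytes) -> list:
    """Confirm each stage-1 hit against the bytes at the corresponding file offset."""
    findings = []
    for m in STAGE1.finditer(disasm):
        site, arg_va, api = m.group(1), int(m.group(2), 16), m.group(3)
        off = va_to_file_offset(arg_va)
        context = cstring_at(image, off) if off is not None else b""
        verdict = "real threat" if STAGE2.search(context) else "suspicious only"
        findings.append({"site": site, "api": api, "file_offset": off,
                         "context": context.decode("latin-1"), "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in combined_match(DISASM, IMAGE):
        print(finding)
```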
In an embodiment of the present invention, since disassembly code is machine-level code, understanding and learning it may not be comprehensive enough; the disassembly code may therefore be converted into pseudo code, the pseudo code determined as a source to be analyzed, and threat analysis performed on it together with the disassembly code, the hexadecimal code and the characteristic character strings, so as to further improve the accuracy of threat analysis. The pseudo code may be in one or more of the Pascal, C and Java languages, among others.
The second type of file is a script file.
For script files, this step 104 may include: and acquiring script contents in the script file, and determining the script contents as a source to be analyzed.
Then step 106 may include: and carrying out algorithm matching on the algorithms contained in the script content based on a pre-generated algorithm detection rule, if algorithm matching exists, restoring the algorithms contained in the script content, determining whether an encrypted threat file exists, and determining a matched threat behavior according to the threat file.
A script is written in a programming language, so the script content in the script file can be acquired directly and the algorithms contained in it can be analyzed. In some malicious attacks a threat file is encrypted and the encrypted threat file is embedded in a script. The algorithms contained in the script content are therefore matched against the preset algorithms contained in the algorithm detection rules; if a match exists, the matched algorithm can be restored, whether an encrypted threat file exists is determined from the restored algorithm, and if so the matched threat behavior is determined according to that threat file.
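An added example (not from the patent) of the script-file path: algorithm detection rules, written here as regexes over the script text, recognise base64 and single-byte XOR idioms; each long base64-looking literal is restored with the detected algorithms and the result is checked for an executable header. The rule set, the function names and the sample script, whose embedded blob is only a dummy PE header, are all constructed.

```python
import base64
import re

# Algorithm detection rules (assumed for this example): an idiom in the script text
# identifies the encoding or "encryption" algorithm applied to an embedded blob.
ALGORITHM_RULES = {
    "base64": re.compile(r"b64decode\(|FromBase64String\(|base64\s+-d"),
    "xor_single_byte": re.compile(r"\^\s*(0x[0-9A-Fa-f]{1,2}|\d{1,3})\b"),
}
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")        # long base64-looking literal
EXECUTABLE_MAGIC = {b"MZ": "PE", b"\x7fELF": "ELF", b"PK\x03\x04": "ZIP/APK"}


def detect_algorithms(script: str) -> dict:
    """Return {algorithm: parameter} for every rule that matches the script text."""
    found = {}
    for name, rule in ALGORITHM_RULES.items():
        m = rule.search(script)
        if m:
            found[name] = m.group(1) if m.groups() else None
    return found


def _parse_key(text: str) -> int:
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def restore_payloads(script: str) -> list:
    """Undo the detected algorithms on each blob and test the result for an executable header."""
    algos = detect_algorithms(script)
    results = []
    for blob in BLOB_RE.findall(script):
        try:
            data = base64.b64decode(blob, validate=True)
        except ValueError:
            continue                                      # not valid base64, skip it
        if algos.get("xor_single_byte"):
            key = _parse_key(algos["xor_single_byte"])
            data = bytes(b ^ key for b in data)           # restore the XOR layer
        kind = next((k for magic, k in EXECUTABLE_MAGIC.items() if data.startswith(magic)), None)
        results.append({
            "algorithms": list(algos),
            "restored_type": kind,
            "size": len(data),
            "threat_behavior": f"embedded {kind} file restored from script" if kind else None,
        })
    return results


# --- constructed sample: a script carrying an XOR-then-base64 "encrypted" blob.
# The blob is only a dummy PE header, not a real program.
_FAKE_PE = b"MZ" + b"\x90" * 30 + b"PE\x00\x00"
_ENCRYPTED = base64.b64encode(bytes(b ^ 0x5A for b in _FAKE_PE)).decode()
SAMPLE_SCRIPT = f"""
import base64
payload = "{_ENCRYPTED}"
raw = bytes(b ^ 0x5A for b in base64.b64decode(payload))
# ... remainder of the constructed script omitted
"""

if __name__ == "__main__":
    print(detect_algorithms(SAMPLE_SCRIPT))
    for result in restore_payloads(SAMPLE_SCRIPT):
        print(result)
```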
The third file type is a process characterization software package file.
For a process characterization software package file (PCAP), this step 104 may include: and acquiring the flow in the process characteristic analysis software package file, and determining the flow as a source to be analyzed.
Then step 106 may include: and carrying out flow reduction on the flow based on a pre-generated snort rule, and determining whether threat behaviors exist based on the reduced flow.
After the traffic contained in the process characteristic analysis software package file has been restored, common protocols such as HTTP can be analyzed to determine whether threat behaviors such as malicious instructions, file transmission to an external server, or downloading of confidential files are present.
Regardless of the type of the unknown file, once threat behaviors have been matched, the attack technical points corresponding to the matched threat behaviors are determined, and the matched threat behaviors together with the corresponding attack technical points are determined as the threat analysis result. In particular, the ATT&CK attack framework can be used to determine the attack technical point for each threat behavior. Determining the matched threat behaviors and the corresponding attack technical points as the threat analysis result allows a result with more dimensions to be output rapidly.
In addition, the threat analysis rule is formed by extracting features after manually analyzing threat behaviors in the confidential environment. To ensure that the threat analysis rule remains effective for continued detection, in one embodiment of the invention the source to be analyzed, once obtained, can be loaded on a display interface and analyzed manually; when a threat behavior is determined manually, it is input on the display interface, the manually determined and input threat behavior is received on the basis of the source loaded on the display interface, and the threat analysis rule is updated according to the manually input threat behaviors and the threat behaviors matched by the threat analysis rule.
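Traffic restoration and HTTP analysis as an added example, not part of the patent: a minimal pcap reader reassembles the in-order TCP payloads of each flow, splits the stream into HTTP start line, headers and body, and applies two snort-style content checks (a POST carrying a filename to an address outside the assumed internal ranges, and a response body that begins with an MZ header). The capture is built in memory from constructed packets, and all names are my own.

```python
import ipaddress
import struct

# Assumed internal ranges of the confidential network; any other address is "external".
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def read_pcap(data: bytes):
    """Yield frames from a little-endian pcap image (linktype 1 = Ethernet)."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap file")
    off = 24                                              # global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def parse_tcp(frame: bytes):
    """Return ((src, sport, dst, dport), payload) for an IPv4/TCP frame, else None."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:    # EtherType IPv4, protocol TCP
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    t = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, t)
    data_off = (frame[t + 12] >> 4) * 4
    return (src, sport, dst, dport), frame[t + data_off:]

def restore_http(pcap: bytes) -> list:
    """Concatenate in-order payloads per flow (a real tool reorders by sequence number)
    and split each stream into HTTP start line, headers and body."""
    flows = {}
    for frame in read_pcap(pcap):
        parsed = parse_tcp(frame)
        if parsed and parsed[1]:
            flows.setdefault(parsed[0], bytearray()).extend(parsed[1])
    messages = []
    for (src, sport, dst, dport), stream in flows.items():
        head, _, body = bytes(stream).partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            k, _, v = line.partition(":")
            headers[k.strip().lower()] = v.strip()
        messages.append({"src": src, "dst": dst, "dport": dport,
                         "start": lines[0], "headers": headers, "body": body})
    return messages

def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def detect_threats(messages: list) -> list:
    """Two snort-style content checks over the restored HTTP messages."""
    hits = []
    for m in messages:
        upload = b"filename=" in m["body"] or "octet-stream" in m["headers"].get("content-type", "")
        if m["start"].startswith("POST ") and upload and is_external(m["dst"]):
            hits.append(("file transmission to external server", m["src"], m["dst"]))
        if m["start"].startswith("HTTP/") and m["body"].startswith(b"MZ"):
            hits.append(("executable downloaded", m["dst"], m["src"]))   # dst is the client
    return hits

# --- constructed capture: a benign intranet request, an upload split across two
# segments, and the server's reply whose body is only a dummy MZ header ---
def _tcp_frame(src, dst, sport, dport, payload: bytes) -> bytes:
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames) -> bytes:
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

_UPLOAD = (b"POST /upload HTTP/1.1\r\nHost: 203.0.113.9\r\n"
           b"Content-Type: multipart/form-data; boundary=xx\r\n\r\n"
           b"--xx\r\nContent-Disposition: form-data; name=\"f\"; filename=\"secret.docx\"\r\n"
           b"\r\nPK\x03\x04...\r\n--xx--\r\n")
_REPLY = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ\x90\x00" + b"\x00" * 8
SAMPLE_PCAP = build_pcap([
    _tcp_frame("10.0.0.5", "10.0.0.20", 40001, 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    _tcp_frame("10.0.0.5", "203.0.113.9", 40002, 80, _UPLOAD[:60]),
    _tcp_frame("10.0.0.5", "203.0.113.9", 40002, 80, _UPLOAD[60:]),
    _tcp_frame("203.0.113.9", "10.0.0.5", 80, 40002, _REPLY),
])

if __name__ == "__main__":
    for hit in detect_threats(restore_http(SAMPLE_PCAP)):
        print(hit)
```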
Specifically, the features of the threat behaviors may be further extracted by using the manually input threat behaviors except the threat behaviors matched by the threat analysis rule, so that the threat analysis rule is updated by using the extracted features.
Furthermore, besides the threat analysis itself, the trusted threat analysis tool can be linked with other products, such as threat intelligence and a dynamic sandbox, for auxiliary analysis, and can generate an analysis report from the result of the auxiliary analysis together with the result of the threat analysis according to a document template. Before the analysis report is generated, a preview report can be produced for the analyst to confirm.
As shown in fig. 2 and 3, an embodiment of the present invention provides a threat analysis apparatus in a confidential environment. The device embodiments may be implemented by software, or by hardware, or by a combination of hardware and software. From a hardware aspect, as shown in fig. 2, a hardware architecture diagram of a computing device in which a threat analysis apparatus in a confidential environment is provided according to an embodiment of the present invention is shown, where the computing device in which the apparatus is located in the embodiment may generally include other hardware, such as a forwarding chip responsible for processing a packet, in addition to the processor, the memory, the network interface, and the nonvolatile memory shown in fig. 2. Taking a software implementation as an example, as shown in fig. 3, as a logical apparatus, a CPU of a computing device in which the apparatus is located reads a corresponding computer program in a non-volatile memory into a memory to run. The threat analysis apparatus in a confidential environment provided by this embodiment includes: a trusted threat analysis tool pre-installed in a confidential environment; wherein the trusted threat analysis tool comprises:
a file type determining unit 301, configured to determine a file type of an unknown file to be analyzed;
a to-be-analyzed source determining unit 302, configured to process the unknown file according to a preset processing rule, so as to obtain a to-be-analyzed source;
and the threat analysis unit 303 is configured to perform threat analysis on the source to be analyzed by using a pre-generated threat analysis rule to obtain a threat analysis result.
In an embodiment of the present invention, the file type of the unknown file is an executable file;
the to-be-analyzed source determining unit 302 is specifically configured to convert the executable file into a disassembling code and a hexadecimal code, and extract a characteristic character string in the executable file, so as to obtain the disassembling code, the hexadecimal code, and the characteristic character string serving as a to-be-analyzed source;
the threat analysis unit 303 is specifically configured to perform threat matching on the disassembled code, the hexadecimal code, and the characteristic character string based on a pre-generated yara rule, and determine whether a threat behavior can be matched.
In an embodiment of the present invention, the to-be-analyzed source determining unit 302 is further configured to convert the disassembled code into a pseudo code, and determine the pseudo code as the to-be-analyzed source.
In an embodiment of the present invention, the file type of the unknown file is a script file;
the to-be-analyzed source determining unit 302 is specifically configured to acquire script content in the script file, and determine the script content as a to-be-analyzed source;
the threat analysis unit 303 is specifically configured to perform algorithm matching on the algorithms included in the script content based on a pre-generated algorithm detection rule, if algorithm matching exists, restore the algorithms included in the script content and determine whether an encrypted threat file exists, and determine a matched threat behavior according to the threat file.
In an embodiment of the present invention, the file type of the unknown file is a process characteristic analysis software package file;
the to-be-analyzed source determining unit 302 is specifically configured to obtain traffic included in the process characteristic analysis software package file, and determine the traffic as a to-be-analyzed source;
the threat analysis unit 303 is specifically configured to perform traffic restoration on the traffic based on a pre-generated snort rule, and determine whether a threat behavior exists based on the restored traffic.
In an embodiment of the present invention, the threat analysis unit 303 is further configured to determine attack technology points corresponding to the matched threat behaviors after determining that the threat behaviors are matched, and determine the matched threat behaviors and the corresponding attack technology points as threat analysis results.
In an embodiment of the present invention, the threat analysis unit 303 is further configured to load the to-be-analyzed source on a display interface, to receive threat behaviors that are manually determined and input based on the to-be-analyzed source loaded on the display interface, and to update the threat analysis rule according to the manually input threat behaviors together with the threat behaviors matched by the threat analysis rule.
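The apparatus described above (file type determination, processing into a to-be-analyzed source, rule-based threat matching, attack technology points, and the analyst feedback that updates the rule set) as an added Python example. This is illustrative code written for this page; it is not the patent's or Antiy's implementation. It assumes: file types are recognized by magic bytes; the executable path yields only hexadecimal code and extracted character strings (no disassembler or pseudocode stage is included); the script path stands in for the patent's "algorithm detection rule" with a base64 detector that restores candidate blobs and checks whether an executable is embedded in them; the traffic path reads a minimal classic pcap whose records are constructed to carry application payload directly, in place of snort-based traffic restoration; and the rule set, the sample files and the ATT&CK technique mapping are constructed for the example (T1105, T1027, T1027.002 and T1071.001 are real technique ids, but assigning them to these rules is an assumption).

```python
import base64
import binascii
import re
import struct

# Constructed stand-in for the patent's pre-generated threat analysis rules.
# "sources" names which to-be-analyzed source kinds a rule is matched against;
# "attack" is the ATT&CK technique point assigned to the behaviour (assumed mapping).
RULES = [
    {"name": "remote_file_download", "sources": ("strings", "script", "traffic"),
     "patterns": [rb"URLDownloadToFile", rb"GET /[^ ]*\.exe"], "attack": "T1105"},
    {"name": "embedded_executable_in_script", "sources": ("decoded",),
     "patterns": [rb"\AMZ", rb"\A\x7fELF"], "attack": "T1027"},
    # "UPX0"/"UPX1" section names, looked for in the hexadecimal code source
    {"name": "packed_section_name", "sources": ("hex",),
     "patterns": [rb"5550583[01]"], "attack": "T1027.002"},
]

PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}


def identify_file_type(data: bytes) -> str:
    """File-type determination step, by magic bytes (assumption: three types only)."""
    if data.startswith((b"MZ", b"\x7fELF")):
        return "executable"
    if data[:4] in PCAP_MAGICS:
        return "pcap"
    if data.startswith(b"#!") or (data and all(32 <= b < 127 or b in b"\r\n\t" for b in data)):
        return "script"
    return "unknown"


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Characteristic character strings: printable ASCII runs of at least min_len bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def pcap_payloads(data: bytes) -> list:
    """Walk a classic pcap file and return each record's captured bytes."""
    endian = PCAP_MAGICS[data[:4]]
    records, off = [], 24  # 24-byte global header
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        records.append(data[off:off + incl_len])
        off += incl_len
    return records


def build_sources(file_type: str, data: bytes) -> dict:
    """Processing step: turn the unknown file into to-be-analyzed sources keyed by kind."""
    if file_type == "executable":
        return {"hex": [data.hex().encode()], "strings": extract_strings(data)}
    if file_type == "script":
        # Algorithm-detection stand-in: find base64 blobs, restore them, keep what decodes.
        decoded = []
        for blob in re.findall(rb"[A-Za-z0-9+/]{24,}={0,2}", data):
            try:
                decoded.append(base64.b64decode(blob, validate=True))
            except binascii.Error:
                pass
        return {"script": [data], "decoded": decoded}
    if file_type == "pcap":
        return {"traffic": pcap_payloads(data)}
    return {}


def analyze(data: bytes, rules=RULES) -> tuple:
    """Full pipeline: returns (file_type, [(matched behaviour, ATT&CK technique point), ...])."""
    file_type = identify_file_type(data)
    sources = build_sources(file_type, data)
    findings = []
    for rule in rules:
        chunks = [c for kind in rule["sources"] for c in sources.get(kind, [])]
        if any(re.search(p, c) for p in rule["patterns"] for c in chunks):
            findings.append((rule["name"], rule["attack"]))
    return file_type, findings


def add_analyst_rule(rules: list, name: str, kind: str, pattern: bytes, attack: str) -> bool:
    """Rule update step: fold an analyst-confirmed behaviour into the rule set (no duplicates)."""
    if any(r["name"] == name for r in rules):
        return False
    rules.append({"name": name, "sources": (kind,), "patterns": [pattern], "attack": attack})
    return True


# Constructed sample files (not real samples): a fake PE-like blob, a script carrying a
# base64-encoded MZ header, and a pcap whose single record holds an HTTP request line.
SAMPLE_EXE = b"MZ" + b"\x00" * 62 + b"UPX0" + b"\x00" * 20 + b"URLDownloadToFileA\x00"
SAMPLE_SCRIPT = (b"#!/bin/sh\n# constructed sample\npayload="
                 + base64.b64encode(b"MZ\x90\x00" + b"\x00" * 20) + b"\n")


def _pcap(payloads: list) -> bytes:
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in payloads)


SAMPLE_PCAP = _pcap([b"GET /update/stage2.exe HTTP/1.1\r\nHost: host.example\r\n\r\n"])

if __name__ == "__main__":
    for sample in (SAMPLE_EXE, SAMPLE_SCRIPT, SAMPLE_PCAP):
        print(analyze(sample))
```

Each rule names the source kinds it applies to, which is what lets one rule set serve the three file types while keeping, for instance, a hex-level pattern from being run against script text. The analyst feedback path deliberately refuses a duplicate rule name so that repeated manual confirmations of the same behaviour do not inflate the rule set.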
It is to be understood that the illustrated configuration of the embodiments of the present invention is not intended to be a specific limitation on a threat analysis apparatus in a classified environment. In other embodiments of the invention, a threat analysis apparatus in a classified environment may include more or fewer components than shown, or some components may be combined, some components may be split, or a different arrangement of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
Because the content of information interaction, execution process, and the like among the modules in the device is based on the same concept as the method embodiment of the present invention, specific content can be referred to the description in the method embodiment of the present invention, and is not described herein again.
The embodiment of the invention also provides computing equipment which comprises a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to realize the threat analysis method in the confidential environment in any embodiment of the invention.
The embodiment of the invention also provides a computer-readable storage medium, wherein a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the processor is enabled to execute the threat analysis method in the confidential environment in any embodiment of the invention.
Specifically, a system or an apparatus equipped with a storage medium on which software program codes that realize the functions of any of the above-described embodiments are stored may be provided, and a computer (or a CPU or MPU) of the system or the apparatus is caused to read out and execute the program codes stored in the storage medium.
In this case, the program code itself read from the storage medium can realize the functions of any of the above-described embodiments, and thus the program code and the storage medium storing the program code constitute a part of the present invention.
Examples of the storage medium for supplying the program code include a floppy disk, a hard disk, a magneto-optical disk, an optical disk (e.g., CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD + RW), a magnetic tape, a nonvolatile memory card, and a ROM. Alternatively, the program code may be downloaded from a server computer via a communications network.
Further, it should be clear that the functions of any one of the above-described embodiments may be implemented not only by executing the program code read out by the computer, but also by causing an operating system or the like operating on the computer to perform a part or all of the actual operations based on instructions of the program code.
Further, it is to be understood that the program code read out from the storage medium is written to a memory provided in an expansion board inserted into the computer or to a memory provided in an expansion module connected to the computer, and then causes a CPU or the like mounted on the expansion board or the expansion module to perform part or all of the actual operations based on instructions of the program code, thereby realizing the functions of any of the above-described embodiments.
The embodiments of the invention have at least the following beneficial effects:
1. In one embodiment of the invention, after the trusted threat analysis tool is obtained, it is installed in the confidential environment so that threat analysis can be performed on unknown files there. During threat analysis the file type of an unknown file is identified, unknown files of different file types are processed differently, and threat analysis is performed on the resulting to-be-analyzed source using the threat analysis rule. The analysis process in the confidential environment is thus automated, and analysis accuracy and efficiency are improved compared with manual analysis.
2. In one embodiment of the invention, by combining the disassembled code, the hexadecimal code and the characteristic character string for threat matching, the real threat behavior of the executable file can be analyzed more accurately, and the situation that the detection of the real threat behavior is missed and the accuracy of a threat analysis result is influenced because a single language code cannot express the complete threat characteristic is prevented.
3. In one embodiment of the invention, the disassembled code is converted into pseudo code and the pseudo code is determined as a to-be-analyzed source, so that threat analysis is carried out on the pseudo code together with the disassembled code, the hexadecimal code and the characteristic character strings, further improving the accuracy of the threat analysis.
4. In one embodiment of the invention, attack technical points of each threat behavior are determined by utilizing an ATT & CK attack framework, and the matched threat behavior and the corresponding attack technical points are determined as threat analysis results, so that threat analysis results with more dimensions can be rapidly output.
5. In one embodiment of the invention, the to-be-analyzed source is loaded on the display interface and analyzed manually there, and the threat analysis rule is updated with the manually analyzed threat behaviors, so that the continuous detection capability of the threat analysis rule is maintained.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an …" does not exclude the presence of other similar elements in a process, method, article, or apparatus that comprises the element.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A threat analysis method in a classified environment, characterized in that it comprises: pre-installing a trusted threat analysis tool in the classified environment; using the trusted threat analysis tool, determining the file type of an unknown file to be analyzed; processing the unknown file according to a preset processing rule to obtain a source to be analyzed; and performing threat analysis on the source to be analyzed using a pre-generated threat analysis rule to obtain a threat analysis result.

2. The method according to claim 1, characterized in that the file type of the unknown file is an executable file; the processing of the unknown file to obtain the source to be analyzed comprises: converting the executable file into disassembly code and hexadecimal code, and extracting characteristic strings from the executable file, so as to obtain the disassembly code, the hexadecimal code and the characteristic strings as the source to be analyzed; and the threat analysis of the source to be analyzed using the pre-generated threat analysis rule comprises: performing threat matching on the disassembly code, the hexadecimal code and the characteristic strings based on pre-generated yara rules, to determine whether a threat behavior can be matched.

3. The method according to claim 2, characterized in that before the threat analysis is performed on the source to be analyzed using the pre-generated threat analysis rule, the method further comprises: converting the disassembly code into pseudocode, and determining the pseudocode as the source to be analyzed.

4. The method according to claim 1, characterized in that the file type of the unknown file is a script file; the processing of the unknown file to obtain the source to be analyzed comprises: acquiring the script content in the script file, and determining the script content as the source to be analyzed; and the threat analysis of the source to be analyzed using the pre-generated threat analysis rule comprises: performing algorithm matching on the algorithms contained in the script content based on pre-generated algorithm detection rules; if an algorithm is matched, restoring the algorithm contained in the script content and determining whether an encrypted threat file is present; and determining the matched threat behavior according to the threat file.

5. The method according to claim 1, characterized in that the file type of the unknown file is a process characteristic analysis software package file; the processing of the unknown file to obtain the source to be analyzed comprises: acquiring the traffic in the process characteristic analysis software package file, and determining the traffic as the source to be analyzed; and the threat analysis of the source to be analyzed using the pre-generated threat analysis rule comprises: performing traffic restoration on the traffic based on pre-generated snort rules, and determining whether a threat behavior exists based on the restored traffic.

6. The method according to any one of claims 1-5, characterized in that after the threat analysis is performed on the source to be analyzed using the pre-generated threat analysis rule, the method further comprises: when it is determined that threat behaviors are matched, determining the attack technology point corresponding to each matched threat behavior, and determining the matched threat behaviors and the corresponding attack technology points as the threat analysis result.

7. The method according to any one of claims 1-5, characterized in that before the threat analysis is performed on the source to be analyzed using the pre-generated threat analysis rule, the method further comprises: loading the source to be analyzed on a display interface; and after the threat analysis is performed on the source to be analyzed using the pre-generated threat analysis rule, the method further comprises: based on the source to be analyzed loaded on the display interface, receiving manually determined and input threat behaviors, and updating the threat analysis rule according to the manually input threat behaviors and the threat behaviors matched by the threat analysis rule.

8. A threat analysis device in a classified environment, characterized in that it comprises: a trusted threat analysis tool pre-installed in the classified environment; wherein the trusted threat analysis tool comprises: a file type determination unit, for determining the file type of an unknown file to be analyzed; a to-be-analyzed source determination unit, for processing the unknown file according to a preset processing rule to obtain a source to be analyzed; and a threat analysis unit, for performing threat analysis on the source to be analyzed using a pre-generated threat analysis rule to obtain a threat analysis result.

9. A computing device, comprising a memory and a processor, wherein a computer program is stored in the memory, and when the processor executes the computer program, the method according to any one of claims 1-7 is implemented.

10. A computer-readable storage medium on which a computer program is stored, wherein when the computer program is executed in a computer, the computer is caused to perform the method according to any one of claims 1-7.
CN202111505242.2A 2021-12-10 2021-12-10 Threat analysis method, device, equipment and storage medium in confidential environment Active CN114238983B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111505242.2A CN114238983B (en) 2021-12-10 2021-12-10 Threat analysis method, device, equipment and storage medium in confidential environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111505242.2A CN114238983B (en) 2021-12-10 2021-12-10 Threat analysis method, device, equipment and storage medium in confidential environment

Publications (2)

Publication Number Publication Date
CN114238983A true CN114238983A (en) 2022-03-25
CN114238983B CN114238983B (en) 2025-03-28

Family

ID=80754598

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111505242.2A Active CN114238983B (en) 2021-12-10 2021-12-10 Threat analysis method, device, equipment and storage medium in confidential environment

Country Status (1)

Country Link
CN (1) CN114238983B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115941337A (en) * 2022-12-13 2023-04-07 奇安信网神信息技术(北京)股份有限公司 Data analysis method, device, electronic equipment and storage medium
CN119293781A (en) * 2024-08-22 2025-01-10 珠海华发金融科技研究院有限公司 A review decision system and method based on high-risk system operation

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090249484A1 (en) * 2008-03-26 2009-10-01 Fraser Howard Method and system for detecting restricted content associated with retrieved content
CN108446559A (en) * 2018-02-13 2018-08-24 北京兰云科技有限公司 A kind of recognition methods of APT tissue and device
CN109255238A (en) * 2018-08-24 2019-01-22 成都网思科平科技有限公司 terminal threat detection and response method and engine
US20190166154A1 (en) * 2017-11-30 2019-05-30 Bank Of America Corporation System for information security threat assessment based on data history
CN110198303A (en) * 2019-04-26 2019-09-03 北京奇安信科技有限公司 Threaten the generation method and device, storage medium, electronic device of information
CN110955893A (en) * 2019-11-22 2020-04-03 杭州安恒信息技术股份有限公司 Malicious file threat analysis platform and malicious file threat analysis method
CN111885041A (en) * 2020-07-17 2020-11-03 福建奇点时空数字科技有限公司 Attack scene reconstruction method based on honeypot threat data
CN112583773A (en) * 2019-09-30 2021-03-30 奇安信安全技术(珠海)有限公司 Unknown sample detection method and device, storage medium and electronic device
KR20210092464A (en) * 2020-01-16 2021-07-26 주식회사 윈스 Apparatus and method for analyzing network traffic using artificial intelligence
CN113225356A (en) * 2021-07-08 2021-08-06 广东云智安信科技有限公司 TTP-based network security threat hunting method and network equipment
CN113632083A (en) * 2020-03-09 2021-11-09 丰立有限公司 System and method for detecting data anomalies by analyzing the morphology of known and/or unknown cyber-security threats

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
佚名: "Yara入门——如何通过Yara规则匹配CobaltStrike恶意样本", pages 1 - 32, Retrieved from the Internet <URL:《网页在线公开:https://www.anquanke.com/post/id/211501》> *
谭安芬等: "构建UNIX主机安全系统", 《电子工程师》, vol. 31, no. 4, 15 April 2005 (2005-04-15), pages 3 *
费宗莲: "动态威胁防御系统", 《计算机安全》, no. 7, 5 July 2005 (2005-07-05), pages 1 *

Also Published As

Publication number Publication date
CN114238983B (en) 2025-03-28

Similar Documents

Publication Publication Date Title
JP6088713B2 (en) Vulnerability discovery device, vulnerability discovery method, and vulnerability discovery program
US11288376B2 (en) Identifying hard-coded secret vulnerability inside application source code
US8468605B2 (en) Identifying security vulnerability in computer software
US10313370B2 (en) Generating malware signatures based on developer fingerprints in debug information
WO2018060461A1 (en) Detecting malicious scripts
US10110559B1 (en) System and method for web application firewall tunneling
CN114238983B (en) Threat analysis method, device, equipment and storage medium in confidential environment
US20180341770A1 (en) Anomaly detection method and anomaly detection apparatus
US10880316B2 (en) Method and system for determining initial execution of an attack
Yang et al. Detecting android malware with intensive feature engineering
CN109522683B (en) Software tracing method, system, computer equipment and storage medium
US11574049B2 (en) Security system and method for software to be input to a closed internal network
US12373730B2 (en) Programmable feature extractor
CN112905534B (en) Sample analysis method and device based on sandbox environment
JP7494917B2 (en) Program analysis device, program analysis method, and program
WO2016095671A1 (en) Method and device for processing application-based message
US11886584B2 (en) System and method for detecting potentially malicious changes in applications
RU2757330C1 (en) Method for identifying inconsistent use of the resources of a user computing apparatus
CN120524479B (en) Processing method, device, equipment, medium and program product of confusion script
Verma Insecure Deserialization Detection in Python
Cassagne et al. Following the obfuscation trail: identifying and exploiting obfuscation signatures in malicious code
CN116304221B (en) Document information security detection method and device, electronic equipment and storage medium
US9723015B2 (en) Detecting malware-related activity on a computer
US12511388B1 (en) System and method for operating system memory forensics
Rahman et al. Dynamic Forensic Analysis of CryptBot Malware

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant