
CN112395613B - Static feature library loading method, device and equipment - Google Patents


Info

Publication number
CN112395613B
Authority
CN
China
Prior art keywords
instruction execution
execution sequence
module
memory
sequence characteristics
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910755844.XA
Other languages
Chinese (zh)
Other versions
CN112395613A (en)
Inventor
王明广
徐贵斌
杨晓东
游勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qianxin Safety Technology Zhuhai Co Ltd
Qax Technology Group Inc
Original Assignee
Qianxin Safety Technology Zhuhai Co Ltd
Qax Technology Group Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Qianxin Safety Technology Zhuhai Co Ltd and Qax Technology Group Inc
Priority to CN201910755844.XA
Publication of CN112395613A
Application granted
Publication of CN112395613B
Legal status: Active
Anticipated expiration


Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/562 Static detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The application discloses a loading method, a loading device and loading equipment of a static feature library, relates to the technical field of network security, and can solve the problem that a large-capacity rule library occupies memory and CPU resources when a kernel is loaded. The method comprises the following steps: receiving a static feature library file to be loaded; extracting instruction execution sequence characteristics corresponding to the key process module information from the static characteristic library file; and loading the extracted instruction execution sequence characteristics into a memory corresponding to the kernel. The method and the device are suitable for loading processing of the static feature library.

Description

Loading method, apparatus and device for a static feature library

Technical field

The present application relates to the technical field of network security, and in particular to a method, apparatus and device for loading a static feature library.

Background

In the present era of highly developed Internet information technology, cyber attacks by hackers are increasingly frequent and their techniques keep evolving. Hackers can exploit vulnerabilities to make a software process carry out attack events. Therefore, to better constrain a software process to executing only legitimate events, a permission set can be defined that limits the events the process is allowed to execute.

At present, a static instruction execution sequence feature library can be loaded into memory; the kernel then obtains the instruction execution sequence produced when a program runs and matches it against the preset normal-behavior instruction execution sequences in the static feature library, so that attack events can be discovered in time. However, the system memory available to the kernel is limited and cannot meet the loading requirements of a large-capacity static feature library, and loading an overly large static feature library in one go also consumes excessive memory, CPU and other system resources.

Summary of the invention

In view of this, the present application provides a method, apparatus and device for loading a static feature library, with the main aim of solving the technical problem of the memory and CPU resources that a large-capacity static feature library occupies when loaded by the kernel.

According to one aspect of the present application, a method for loading a static feature library is provided, the method comprising:

receiving a static feature library file that needs to be loaded;

extracting, from the static feature library file, the instruction execution sequence features corresponding to key process module information;

loading the extracted instruction execution sequence features into the memory corresponding to the kernel.

Optionally, before extracting from the static feature library file the instruction execution sequence features corresponding to the key process module information, the method further comprises:

if the static feature library file has already been cached, cancelling repeated caching of the static feature library file;

and extracting from the static feature library file the instruction execution sequence features corresponding to the key process module information specifically comprises:

if the static feature library file has not been cached, caching and parsing the static feature library file to obtain structured data that the kernel can recognize;

extracting the instruction execution sequence features from the structured data.

Optionally, extracting the instruction execution sequence features from the structured data specifically comprises:

if the structured data already exists in the memory, cancelling the loading of the instruction execution sequence features into the memory;

if the structured data does not exist in the memory, extracting the instruction execution sequence features from the structured data;

if part of the structured data exists in the memory, extracting from the structured data those instruction execution sequence features that correspond to the key process module information and are not yet present in the memory.

Optionally, parsing the static feature library file to obtain structured data that the kernel can recognize specifically comprises:

decrypting and serializing the static feature library file to obtain the structured data.

Optionally, the method further comprises:

monitoring newly added key process module information in real time;

extracting from the static feature library file the instruction execution sequence features corresponding to the newly added key process module information and loading them into the memory.

Optionally, the method further comprises:

recording the timestamp each time an instruction execution sequence feature loaded in the memory is called for matching;

calculating, from the timestamps, the number of times each instruction execution sequence feature loaded in the memory has been called within a preset statistical period;

partitioning the instruction execution sequence features loaded in the memory into hot data and cold data according to the call count and/or the timestamp of the last call of each feature;

deleting the cold data from the memory.

Optionally, loading the extracted instruction execution sequence features into the memory corresponding to the kernel specifically comprises:

organizing the extracted instruction execution sequence features by module into a tree structure, flattening it and placing it in a memory block, where a binary search is performed when matching the instruction execution sequence features of a module node, and instruction execution sequence features whose call count exceeds a preset threshold are managed in the form of a balanced tree.

Optionally, the method further comprises:

receiving update data for the instruction execution sequence features loaded in the memory;

organizing the update data by module into subtrees and replacing the corresponding module nodes in the global tree.

Optionally, the memory layout of the instruction execution sequence features of a module node in the tree structure is linear, and the method further comprises:

when instruction execution sequence feature matching needs to be performed for a target module, looking up the corresponding target module node in the tree structure by the identifier of the target module;

obtaining the instruction execution sequence features of the target module node and performing matching and identification.

According to another aspect of the present application, an apparatus for loading a static feature library is provided, the apparatus comprising:

a receiving module, configured to receive a static feature library file that needs to be loaded;

an extraction module, configured to extract from the static feature library file the instruction execution sequence features corresponding to key process module information;

a loading module, configured to load the extracted instruction execution sequence features into the memory corresponding to the kernel.

Optionally, the apparatus further comprises a cache module;

the cache module is configured to cancel repeated caching of the static feature library file if the file has already been cached;

the cache module is further configured to cache the static feature library file if it has not been cached;

the extraction module is specifically configured to parse the static feature library file to obtain structured data that the kernel can recognize,

and to extract the instruction execution sequence features from the structured data.

Optionally, the extraction module is further configured to cancel loading the instruction execution sequence features into the memory if the structured data already exists in the memory;

if the structured data does not exist in the memory, to extract the instruction execution sequence features from the structured data;

if part of the structured data exists in the memory, to extract from the structured data those instruction execution sequence features that correspond to the key process module information and are not yet present in the memory.

Optionally, the extraction module is further configured to decrypt and serialize the static feature library file to obtain the structured data.

Optionally, the apparatus further comprises:

a monitoring module, configured to monitor newly added key process module information in real time;

the loading module is further configured to extract from the static feature library file the instruction execution sequence features corresponding to the newly added key process module information and load them into the memory.

Optionally, the apparatus further comprises:

a recording module, configured to record the timestamp each time an instruction execution sequence feature loaded in the memory is called for matching;

a calculation module, configured to calculate, from the timestamps, the number of times each instruction execution sequence feature loaded in the memory has been called within a preset statistical period;

a partitioning module, configured to partition the instruction execution sequence features loaded in the memory into hot data and cold data according to the call count and/or the timestamp of the last call of each feature;

a deletion module, configured to delete the cold data from the memory.

Optionally, the loading module is specifically configured to organize the extracted instruction execution sequence features by module into a tree structure, flatten it and place it in a memory block, where a binary search is performed when matching the instruction execution sequence features of a module node, and instruction execution sequence features whose call count exceeds a preset threshold are managed in the form of a balanced tree.

Optionally, the receiving module is further configured to receive update data for the instruction execution sequence features loaded in the memory;

the loading module is further configured to organize the update data by module into subtrees and replace the corresponding module nodes in the global tree.

Optionally, the memory layout of the instruction execution sequence features of a module node in the tree structure is linear, and the apparatus further comprises:

a matching module, configured to look up, when instruction execution sequence feature matching needs to be performed for a target module, the corresponding target module node in the tree structure by the identifier of the target module;

and to obtain the instruction execution sequence features of the target module node and perform matching and identification.

According to yet another aspect of the present application, a storage medium is provided on which a computer program is stored; when the program is executed by a processor, it implements the above method for loading a static feature library.

According to a further aspect of the present application, a physical device for loading a static feature library is provided, comprising a storage medium, a processor, and a computer program stored on the storage medium and executable on the processor; when the processor executes the program it implements the above method for loading a static feature library.

By means of the above technical solution, the method, apparatus and device for loading a static feature library provided by the present application differ from the current approach of loading the entire received static feature library into memory: the present application stores the static feature library as a file and then loads into the memory corresponding to the kernel only the instruction execution sequence features that correspond to the key process module information. With this selective loading of static instruction execution sequence features there is no need to load all the instruction execution sequence features in the static feature library, which solves the problem of the memory and CPU resources that a large-capacity static feature library occupies when loaded by the kernel.

The above description is only an overview of the technical solution of the present application. So that the technical means of the present application can be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the present application become more evident and easier to understand, specific embodiments of the present application are set out below.

Description of the drawings

The drawings described here are provided for further understanding of the present application and form part of it. The schematic embodiments of the present application and their description serve to explain the present application and do not constitute an improper limitation of it. In the drawings:

FIG. 1 shows a schematic flowchart of a method for loading a static feature library provided by an embodiment of the present application;

FIG. 2 shows a schematic flowchart of another method for loading a static feature library provided by an embodiment of the present application;

FIG. 3 shows a schematic diagram of an example linear memory structure for module rules provided by an embodiment of the present application;

FIG. 4 shows a schematic diagram of the core data processing logic of this solution provided by an embodiment of the present application;

FIG. 5 shows a schematic diagram of the processing flow for invoking loaded rules provided by an embodiment of the present application;

FIG. 6 shows a schematic diagram of the processing flow for a newly added module event provided by an embodiment of the present application;

FIG. 7 shows a schematic diagram of the overall architecture of this solution provided by an embodiment of the present application;

FIG. 8 shows a schematic structural diagram of an apparatus for loading a static feature library provided by an embodiment of the present application.

Detailed description of the embodiments

The present application is described in detail below with reference to the drawings and in conjunction with embodiments. It should be noted that, where no conflict arises, the embodiments in the present application and the features of the embodiments may be combined with one another.

To solve the technical problem of the memory and CPU resources that a large-capacity static feature library occupies when loaded by the kernel, this embodiment provides a method for loading a static feature library; as shown in FIG. 1, the method comprises:

101. Receive a static feature library file that needs to be loaded.

The static feature library may be a kernel static instruction execution sequence feature library. The static feature library file may contain the instruction execution sequences that occur under normal conditions for each behavior (such as creating a process, loading a module, reading or writing a file, reading or writing the registry, or loading a driver), so that the kernel can use the static feature library to match instruction execution sequences against known safe behavior and, on the principle that whatever is not whitelisted is treated as malicious, discover abnormal behavior in time. In addition, the static feature library file may also contain the instruction execution sequences of each behavior under abnormal conditions, so that the instruction execution sequence corresponding to a behavior can be matched against a blacklist.

The execution subject of this embodiment may be an apparatus or device for loading a static feature library into the memory corresponding to the kernel; it may be deployed on the client side or, according to actual needs, on the server side, and the static feature library file may be downloaded from a server. In this embodiment, the received static feature library file may first be cached rather than loaded directly into memory, especially when the file is large (for example, larger than a certain threshold), after which the process shown in steps 102 to 103 is performed.

102. Extract from the static feature library file the instruction execution sequence features corresponding to the key process module information.

The key process module information may be preset according to actual business requirements and amounts to the process modules that need particular attention. For example, the system process module, the browser process module and the document process module may be taken as key process modules.

103. Load the extracted instruction execution sequence features into the memory corresponding to the kernel.

For example, the instruction execution sequence features corresponding to the system process module, browser process module and document process module are extracted from the static feature library file and loaded into the memory corresponding to the kernel, so that the kernel can subsequently invoke the corresponding instruction execution sequence feature matching rules for the system process, browser process, document process and similar processes to detect behavioral anomalies.

By applying the above loading method, the static feature library is stored as a file and only the instruction execution sequence features corresponding to the currently running key process modules are loaded into the memory corresponding to the kernel. With this selective loading of static instruction execution sequence features there is no need to load all the instruction execution sequence features in the static feature library, which solves the problem of the memory and CPU resources that a large-capacity static feature library occupies when loaded by the kernel.

Further, as a refinement and extension of the specific implementation of the above embodiment, and to fully describe its implementation process, another method for loading a static feature library is provided; as shown in FIG. 2, the method comprises:

201. Receive a static feature library file that needs to be loaded.

202. Determine whether the static feature library file has already been cached.

203a. If the static feature library file has already been cached, cancel repeated caching of the static feature library file.

This saves storage space, so that more distinct static feature library files can be cached.

203b (parallel to step 203a). If the static feature library file has not been cached, cache and parse the static feature library file to obtain structured data that the kernel can recognize.

Optionally, to ensure the security of the static feature library file, the file may be encrypted before transmission; correspondingly, the parsing in step 203b may comprise decrypting and serializing the received static feature library file to obtain structured data that the kernel can recognize.

204b. Extract from the structured data the instruction execution sequence features corresponding to the key process module information.

As an optional approach, to save the resources consumed when loading rule features, step 204b may specifically comprise: if the structured data already exists in the memory corresponding to the kernel, cancelling the loading of the instruction execution sequence features of this static feature library file into the memory; if the structured data does not exist in the memory corresponding to the kernel, extracting from the structured data the instruction execution sequence features corresponding to the key process module information; and if part of the structured data exists in the memory corresponding to the kernel, extracting from the structured data those instruction execution sequence features that correspond to the key process module information and are not yet present in the memory.

In this optional approach, to avoid loading duplicate content, whether the corresponding content of the static feature library already exists in the memory is checked before the loading operation; if it does, the loading operation is cancelled, that is, the instruction execution sequence features of the static feature library file are not loaded into memory, which reduces the system resources consumed by loading.

When it is determined that the instruction execution sequence features (that is, the matching rules) of the static feature library need to be loaded, the rules corresponding to the system process modules are determined first; the client side then identifies the currently installed browser and document software and determines the rules to be loaded for the corresponding versions. Once the instruction sequence feature library for the corresponding software version has been loaded, instruction sequence feature matching protection is applied to that software.

205b. Load the extracted instruction execution sequence features into the memory corresponding to the kernel.
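Steps 201 to 205b, as an added example that is not part of the patent or of any Qianxin code: a loader that caches each distinct library file once (by content hash), parses it, and then extracts only the rules of key process modules that are not already in memory, covering the three cases of step 204b (everything present, nothing present, partially present) and the real-time addition of a new key module. The JSON file layout, the module and rule names, and the in-memory store are all constructed assumptions; decryption of the file is left out.

```python
import hashlib
import json

# Constructed sample library file (layout is an assumption for this example):
# rules grouped by module, each rule an instruction sequence with an id.
SAMPLE_LIBRARY = json.dumps({
    "version": "example-1",
    "modules": {
        "ntdll.dll":   [{"id": "r1", "seq": ["push", "mov", "call"]},
                        {"id": "r2", "seq": ["mov", "syscall", "ret"]}],
        "chrome.exe":  [{"id": "r3", "seq": ["lea", "call", "test", "jz"]}],
        "winword.exe": [{"id": "r4", "seq": ["call", "mov", "ret"]}],
        "calc.exe":    [{"id": "r5", "seq": ["xor", "ret"]}],
    },
}).encode()

# Constructed key process modules: a system, a browser and a document module.
KEY_MODULES = {"ntdll.dll", "chrome.exe", "winword.exe"}


class FeatureLoader:
    def __init__(self, key_modules):
        self.key_modules = set(key_modules)
        self.cache = {}   # sha256(file) -> structured data (the file cache of step 203)
        self.memory = {}  # module -> {rule_id: seq}; stands in for kernel memory

    def receive(self, file_bytes):
        """Steps 201-203: cache and parse a file once; a repeat upload is a no-op."""
        digest = hashlib.sha256(file_bytes).hexdigest()
        if digest not in self.cache:          # 203b: not cached yet
            # Decryption is out of scope here; the file is assumed to be plaintext.
            self.cache[digest] = json.loads(file_bytes)
        return digest                          # 203a: already cached, nothing to do

    def extract(self, digest):
        """Step 204b: rules of key modules that are not yet in memory.

        Returns {} when everything is already loaded (the load is cancelled),
        the whole key-module set when nothing is loaded, and only the missing
        rules when memory already holds part of the data."""
        data = self.cache[digest]
        missing = {}
        for module, rules in data["modules"].items():
            if module not in self.key_modules:
                continue                       # not a key module: stays in the file
            present = self.memory.get(module, {})
            new_rules = [r for r in rules if r["id"] not in present]
            if new_rules:
                missing[module] = new_rules
        return missing

    def load(self, file_bytes):
        """Steps 201-205b end to end; returns what was actually loaded."""
        digest = self.receive(file_bytes)
        missing = self.extract(digest)
        for module, rules in missing.items():
            self.memory.setdefault(module, {}).update(
                {r["id"]: tuple(r["seq"]) for r in rules})
        return missing

    def on_new_key_module(self, module, file_bytes):
        """A newly observed key module: load just its rules from the cached file."""
        self.key_modules.add(module)
        return self.load(file_bytes)
```

Loading the same file twice parses it once and loads nothing the second time; adding `calc.exe` as a key module afterwards loads only its rule, which is the partial-presence case of step 204b.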

Because the memory space corresponding to the kernel is limited, before loading instruction execution sequence features the cold data already loaded in that memory needs to be deleted periodically or as required, so that as far as possible only frequently accessed (frequently called) hot data is retained in memory. Therefore, as an optional approach, the method of this embodiment may further comprise: recording the timestamp each time an instruction execution sequence feature loaded in memory is called for matching; calculating from the timestamps the number of times each feature has been called within a preset statistical period; and finally partitioning the features loaded in memory into hot data and cold data according to the call count and/or the timestamp of the last call of each feature, so that the cold data can be deleted from memory periodically or as required.

Building on this hot/cold partitioning, the scheme can gradually evolve in subsequent operation into one in which the full rule set of the static feature library is stored as a file. For performance, hot data is kept in memory in full as far as possible, while cold data is kept in the file and fetched on demand. At runtime the partition is adjusted immediately according to observed access frequency, on a survival-of-the-fittest basis, which guarantees that the hot rules are always the most frequently accessed ones.
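The hot/cold bookkeeping described in the two paragraphs above, as an added example that is not part of the patent: per-rule call timestamps, a call count over a preset window, a partition that uses both the count and the last-call age, and eviction of the cold rules from the in-memory store. The thresholds, the rule ids and the match trace are constructed values.

```python
from bisect import bisect_left, insort
from collections import defaultdict


class HotColdTracker:
    """Timestamps per rule, call counts over a window, hot/cold split, eviction."""

    def __init__(self, window, min_calls, max_idle):
        self.window = window        # preset statistical period, in seconds
        self.min_calls = min_calls  # calls within the window needed to stay hot
        self.max_idle = max_idle    # seconds since last call after which a rule is cold
        self.calls = defaultdict(list)  # rule_id -> sorted call timestamps

    def record_match(self, rule_id, ts):
        """Record the timestamp each time a loaded rule is invoked for matching."""
        stamps = self.calls[rule_id]
        insort(stamps, ts)
        # Drop what no future window can count, so bookkeeping stays bounded.
        del stamps[:bisect_left(stamps, stamps[-1] - self.window)]

    def call_count(self, rule_id, now):
        """Calls to rule_id within [now - window, now]."""
        stamps = self.calls.get(rule_id, [])
        return len(stamps) - bisect_left(stamps, now - self.window)

    def partition(self, rule_ids, now):
        """Split loaded rules into hot and cold by call count and last-call age."""
        hot, cold = [], []
        for rid in rule_ids:
            stamps = self.calls.get(rid)
            recently_used = bool(stamps) and now - stamps[-1] <= self.max_idle
            if recently_used and self.call_count(rid, now) >= self.min_calls:
                hot.append(rid)
            else:
                cold.append(rid)
        return hot, cold

    def evict_cold(self, memory, now):
        """Delete cold rules from the in-memory store and return their ids."""
        _, cold = self.partition(list(memory), now)
        for rid in cold:
            del memory[rid]
            self.calls.pop(rid, None)
        return cold


# Constructed sample: four loaded rules and a trace of (rule_id, timestamp)
# match events; only r1 is called often enough and recently enough to stay hot.
SAMPLE_MEMORY = {"r1": ("push", "mov", "call"), "r2": ("mov", "syscall", "ret"),
                 "r3": ("lea", "call", "test", "jz"), "r4": ("call", "mov", "ret")}
SAMPLE_TRACE = [("r1", 100), ("r1", 105), ("r2", 110), ("r3", 20),
                ("r1", 150), ("r1", 170), ("r2", 175)]


def run_example(now=200):
    """Replay the trace, then evict cold rules at time `now`."""
    tracker = HotColdTracker(window=100, min_calls=3, max_idle=60)
    memory = dict(SAMPLE_MEMORY)
    for rid, ts in SAMPLE_TRACE:
        tracker.record_match(rid, ts)
    evicted = tracker.evict_cold(memory, now)
    return memory, evicted
```

With a 100-second window, a minimum of three calls and a 60-second idle limit, `r2` is recent but called too rarely, `r3` was called once long ago and `r4` never, so all three are cold; only `r1` survives in memory. Rules evicted this way are still in the cached file and can be reloaded on demand, which is what the text means by keeping cold data in the file.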

Further, to illustrate a specific implementation of step 205b, as an optional implementation step 205b may specifically comprise: organizing the extracted instruction execution sequence features by module into a tree structure, flattening it and placing it in a memory block, where a binary search is performed when matching the instruction execution sequence features of a module node, and instruction execution sequence features whose call count exceeds a preset threshold are managed in the form of a balanced tree.

For example, the instruction execution sequence features (matching rules) in the static feature library are organized by module; a module is essentially a tree structure, which is flattened and placed together with the others in a memory block, and matching is done by binary search, while rules with ultra-high access frequency are managed in the form of a balanced tree. This enables fast and precise rule matching and hence fast and precise security detection.

To meet the need for fast subsequent rule updates, the method of this embodiment may, on the basis of the above optional approach, further comprise: first receiving update data for the instruction execution sequence features loaded in memory; then organizing the received update data by module into subtrees and replacing the corresponding module nodes in the global tree.

For example, rules are also updated per module. After the application layer sends the static feature library to the kernel driver, the driver first updates the static feature library, logically organizing it into a subtree (in practice this may simply be a pointer to a memory block), and then replaces the corresponding module node in the global tree; adding this node has very little effect on matching. The reference count of the replaced module node drops to zero once all matching operations on it have completed, after which its memory can be freed to save space. If the node is itself cold data stored in a file, the corresponding memory mapping is released, and the file is closed once all mappings have been released.

进一步可选的,树形结构中模块节点对应指令执行序列特征的内存结构成线性,本实施例方法还可包括:当需要对目标模块进行指令执行序列特征匹配时,根据目标模块的标识在树形结构中查询对应的目标模块节点;获取目标模块节点对应的指令执行序列特征进行匹配识别。Further optionally, the memory structure of the module node corresponding to the instruction execution sequence feature in the tree structure is linear. Query the corresponding target module node in the shape structure; obtain the instruction execution sequence feature corresponding to the target module node for matching and identification.

例如,模块规则的内存结构成线性,具体如图3所示,当发现一个新模块时,可以根据模块名称快速的找到模块对应的规则,把原来的四级索引结构,变成了二级索引结构,且地址连续,索引数速度提高数倍。For example, the memory structure of module rules is linear, as shown in Figure 3. When a new module is found, the corresponding rules of the module can be quickly found according to the module name, and the original four-level index structure can be turned into a second-level index. Structure, and the address is continuous, the index number speed is increased several times.
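As an added example that is not code from the patent, the following C sketch shows the two-level layout the embodiment describes: a module index sorted by module name, each entry pointing at a contiguous, sorted block of rule keys, so both the module lookup and the rule match are binary searches; a rule update swaps a module's block and releases the old one through a reference count, as the subtree replacement above describes. The module names, the 64-bit feature keys and all function names are constructed assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not the patent's code: one instruction execution
 * sequence feature (matching rule) is reduced to a 64-bit key. */
typedef uint64_t feat_key_t;

/* A module's rule block: a sorted, contiguous array of feature keys plus a
 * reference count, so a block replaced by an update is freed only after the
 * last in-flight match has released it (non-atomic: single-threaded sketch). */
typedef struct {
    feat_key_t *keys;
    size_t count;
    int refcount;
} rule_block;

/* Flattened module index, kept sorted by name so lookup is a binary search.
 * Two levels only: module entry -> contiguous rule block. */
typedef struct {
    char name[32];
    rule_block *rules;
} module_entry;

typedef struct {
    module_entry *mods;
    size_t count;
    size_t cap;
} module_table;

static int cmp_key(const void *a, const void *b) {
    feat_key_t x = *(const feat_key_t *)a, y = *(const feat_key_t *)b;
    return (x > y) - (x < y);
}

/* Build a block from an unsorted key list; sorted once so matching can bisect. */
rule_block *block_new(const feat_key_t *keys, size_t n) {
    rule_block *b = calloc(1, sizeof *b);
    if (!b) abort();
    b->keys = malloc(n * sizeof *keys);
    if (!b->keys) abort();
    memcpy(b->keys, keys, n * sizeof *keys);
    qsort(b->keys, n, sizeof *keys, cmp_key);
    b->count = n;
    b->refcount = 1;            /* the table's own reference */
    return b;
}

void block_release(rule_block *b) {
    if (b && --b->refcount == 0) { free(b->keys); free(b); }
}

/* Binary search for a module entry; returns its index or -1.
 * `pos` receives the index where the name would be inserted. */
static long find_module(const module_table *t, const char *name, size_t *pos) {
    size_t lo = 0, hi = t->count;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        int c = strcmp(t->mods[mid].name, name);
        if (c == 0) { if (pos) *pos = mid; return (long)mid; }
        if (c < 0) lo = mid + 1; else hi = mid;
    }
    if (pos) *pos = lo;
    return -1;
}

/* Insert or replace a module's rule block (the per-module subtree replacement
 * used for rule updates). The old block is released, not freed outright:
 * a matcher still searching it holds its own reference. */
void table_put(module_table *t, const char *name, rule_block *b) {
    size_t pos;
    long i = find_module(t, name, &pos);
    if (i >= 0) {
        rule_block *old = t->mods[i].rules;
        t->mods[i].rules = b;
        block_release(old);
        return;
    }
    if (t->count == t->cap) {
        t->cap = t->cap ? t->cap * 2 : 8;
        t->mods = realloc(t->mods, t->cap * sizeof *t->mods);
        if (!t->mods) abort();
    }
    memmove(&t->mods[pos + 1], &t->mods[pos], (t->count - pos) * sizeof *t->mods);
    strncpy(t->mods[pos].name, name, sizeof t->mods[pos].name - 1);
    t->mods[pos].name[sizeof t->mods[pos].name - 1] = '\0';
    t->mods[pos].rules = b;
    t->count++;
}

/* Match one feature key against a module: binary search over the module index,
 * then binary search inside that module's rule block. Returns 1 on a hit,
 * 0 on a miss, -1 when no rules are loaded for the module (caller fetches them). */
int table_match(module_table *t, const char *name, feat_key_t key) {
    long i = find_module(t, name, NULL);
    if (i < 0) return -1;
    rule_block *b = t->mods[i].rules;
    b->refcount++;              /* pin the block while searching it */
    int hit = bsearch(&key, b->keys, b->count, sizeof key, cmp_key) != NULL;
    block_release(b);           /* frees it only if an update already replaced it */
    return hit;
}
```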

206b. Monitor in real time the key process module information added while the system is running.

207b. Extract from the parsed structured data the instruction execution sequence features corresponding to the newly added key process module information and load them into the memory corresponding to the kernel.

For example, if the instruction execution sequence features for a newly added key process module exist in the cache file, they can be extracted from the structured data parsed from that file and loaded into memory. If the cache file does not contain the features for the new module, dynamic loading of the instruction sequence features can be requested in real time or on a schedule, for instance by requesting them from the server. Once the rules have been delivered to the endpoint and loaded through the interface, they are managed internally via file mappings, and the instruction sequence features fetched for the new module are added to the corresponding file mapping.

Based on the approaches provided in the embodiments above, the core data processing logic of this solution can be as follows. The static feature library file is decrypted to obtain the individual instruction execution sequence features (matching rules); these features are then serialized and a copy is cached to cache files, each copy consisting of a module rule index header file and an instruction execution sequence feature data file, where the module rule index header file is protected with symmetric encryption. The kernel can operate on the cache files directly; the module rule index header file must be decrypted before use and is re-encrypted to the disk file after update, with the kernel completing the update of the cache files. The rules in kernel memory can consist of three parts: the module instruction sequence feature hot index header table, the module instruction sequence feature cold index header table, and the module instruction sequence feature hot data; the matching rules of key process modules are all in the hot and cold index headers, while the module instruction sequence feature cold data can reside in the cache files.

For example, as shown in Figure 4, the rule file (static feature library file) is first delivered to the kernel driver; after decrypting it, rule node memory is allocated for hot data, entries are added to the kernel module cold and hot index tables, and the kernel module cold index table is added to the cache file index. Subsequent incremental rule files (update files) are serialized and delivered to the kernel driver to update the kernel module hot index table and the related cache files. In addition, a memory threshold for kernel rules is configured so that, when rules are updated or added, it can be checked whether the threshold would be exceeded; and, following an LRU policy, hot data meeting the eviction conditions (for example, a use count below a threshold within a predetermined period, or a last-use time further from the current time than a duration threshold) is switched to cold data to release memory.
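As an added example that is not the patent's code, this C sketch implements the hot/cold division described above: each loaded feature keeps its recent call timestamps, the call count within the statistics window and the last-call time are derived from them, and a feature below the call threshold or idle beyond the time threshold is classified cold and compacted out of the in-memory table. The thresholds, identifiers, ring size and function names are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed example, not the patent's code. Each loaded feature keeps a small
 * ring of its most recent call timestamps (seconds), from which both the call
 * count inside the statistics window and the last-call time are derived. */
#define HIST 8

typedef struct {
    uint64_t id;          /* hypothetical feature identifier */
    uint64_t ts[HIST];    /* ring of call timestamps */
    unsigned head;        /* next slot to write */
    unsigned filled;      /* valid slots, at most HIST */
} feat_stat;

typedef enum { COLD = 0, HOT = 1 } temperature;

/* Eviction conditions as the text describes them: too few calls within the
 * statistics window, or a last call older than the idle limit. min_calls must
 * not exceed HIST, since the ring caps the count it can observe. */
typedef struct {
    uint64_t window;      /* preset statistical duration */
    unsigned min_calls;   /* call-count threshold inside the window */
    uint64_t max_idle;    /* allowed age of the last call */
} cold_policy;

/* Record the timestamp of one call-for-matching of this feature. */
void feat_record_call(feat_stat *f, uint64_t now) {
    f->ts[f->head] = now;
    f->head = (f->head + 1) % HIST;
    if (f->filled < HIST) f->filled++;
}

/* Number of recorded calls whose timestamp falls inside [now - window, now]. */
unsigned feat_calls_in_window(const feat_stat *f, uint64_t now, uint64_t window) {
    unsigned n = 0;
    for (unsigned i = 0; i < f->filled; i++)
        if (now >= f->ts[i] && now - f->ts[i] <= window) n++;
    return n;
}

/* Timestamp of the most recent call; returns 0 if the feature was never called. */
int feat_last_call(const feat_stat *f, uint64_t *out) {
    if (f->filled == 0) return 0;
    *out = f->ts[(f->head + HIST - 1) % HIST];
    return 1;
}

/* Hot/cold decision from call count and/or last-call timestamp. */
temperature feat_classify(const feat_stat *f, uint64_t now, const cold_policy *p) {
    uint64_t last;
    if (!feat_last_call(f, &last)) return COLD;     /* never matched since load */
    if (now - last > p->max_idle) return COLD;       /* idle too long */
    if (feat_calls_in_window(f, now, p->window) < p->min_calls) return COLD;
    return HOT;
}

/* Sweep the in-memory table: hot entries are compacted to the front, cold ones
 * are dropped (in the real design they move to the cache file) and their ids
 * reported through `evicted`. Returns the number of entries kept. */
size_t feat_evict_cold(feat_stat *tbl, size_t n, uint64_t now,
                       const cold_policy *p, uint64_t *evicted, size_t *n_evicted) {
    size_t keep = 0;
    *n_evicted = 0;
    for (size_t i = 0; i < n; i++) {
        if (feat_classify(&tbl[i], now, p) == HOT)
            tbl[keep++] = tbl[i];
        else
            evicted[(*n_evicted)++] = tbl[i].id;
    }
    return keep;
}
```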

Based on the implementation in Figure 4, the call flow for loading rules (instruction execution sequence features) can be as shown in Figure 5. First, the load-rules interface is called and the type of load is determined. If it is a rule file load, check whether the file has already been loaded: if the file has already been loaded and cached, the duplicate cache load is skipped, the cached rule file name is sent to the kernel driver, the driver loads the corresponding cached rule file, and the hot data rules are loaded into memory according to the module index file.

If the file has not been loaded, it is decrypted and serialized into a linear structure; all key process modules are then obtained, the corresponding rules are marked as hot data according to the index header, and the module rule index is encrypted. Cache files are written separately for the module index and the rule content; finally the cached rule file name is sent to the kernel driver, the driver loads the corresponding rule file, and the hot data rules are loaded into memory according to the module index file.

When determining the load type, if it is a new module rule, the new module rule file is serialized into a linear structure and the cache file name of the corresponding rule is located; the incremental part and the corresponding rule file name are sent to the driver, the driver fetches the delivered rule data and updates it into the corresponding rule cache file, then loads the incremental rule file, thereby updating the rules in memory.

The processing flow for a new-module event can be as shown in Figure 6. First, the cold data module index is searched to determine whether the new module is in the cold data (cache files). If it is, the corresponding cache file is located and used to load the rules for the new module into memory. If it is not, no matching rules for the new module's instruction execution sequences are available locally yet, and the event can be raised asynchronously to the application layer so that the rules can be requested from the server.

To give a fuller account of how the method of this embodiment is implemented, an overall architecture diagram is given in Figure 7. During installation, the client downloads the protection rules (static feature library), or takes those preset in the offline package, into a designated location. When the driver control module calls the start-up interface it loads the initial stack rules, deserializes them into structured objects, and starts an asynchronous thread to collect the module information list of all processes in the system; it then generates a minimal rule set from the module information and the structured rule objects, serializes it and delivers it to the kernel driver, which deserializes it directly into kernel objects on receipt. After the kernel has finished initializing the rules, it starts monitoring for new modules and sends new-module events to the application layer, which handles them through the new-module rule update flow.

Because the system memory available to the kernel is limited and a library based on instruction sequence features is larger than conventional defense rules, applying the solution of this embodiment, through structured data, serialization, hot/cold data handling, caching and similar means, addresses the memory and CPU cost of loading a large rule library in the kernel. The full rule set is stored in files. For performance, hot data can be held entirely in memory while cold data stays in files and is fetched on demand.

Further, as a concrete implementation of the methods shown in Figures 1 and 2, this embodiment provides a loading apparatus for a static feature library. As shown in Figure 8, the apparatus includes a receiving module 31, an extraction module 32 and a loading module 33.

The receiving module 31 may be used to receive the static feature library file to be loaded;

the extraction module 32 may be used to extract from the static feature library file the instruction execution sequence features corresponding to the key process module information;

the loading module 33 may be used to load the extracted instruction execution sequence features into the memory corresponding to the kernel.

In a specific application scenario, the apparatus may further include a cache module 34;

the cache module 34 may be used to skip repeated caching of the static feature library file if that file has already been cached;

the cache module 34 may also be used to cache the static feature library file if it has not been cached;

the extraction module 32 may specifically be used to parse the static feature library file to obtain structured data that the kernel can recognize, and to extract the instruction execution sequence features from the structured data.

In a specific application scenario, the extraction module 32 may further be used to: skip loading the instruction execution sequence features into the memory if the structured data already exists in the memory; extract the instruction execution sequence features from the structured data if the structured data does not exist in the memory; and, if only part of the structured data exists in the memory, extract from the structured data those instruction execution sequence features which correspond to the key process module information and are not yet in the memory.

In a specific application scenario, the extraction module 32 may further be used to decrypt and serialize the static feature library file to obtain the structured data.

In a specific application scenario, the apparatus further includes a monitoring module 35;

the monitoring module 35 may be used to monitor newly added key process module information in real time;

the loading module 33 may also be used to extract from the static feature library file the instruction execution sequence features corresponding to the newly added key process module information and load them into the memory.

In a specific application scenario, the apparatus further includes a recording module 36, a calculation module 37, a division module 38 and a deletion module 39;

the recording module 36 may be used to record a timestamp when an instruction execution sequence feature loaded in the memory is called for matching;

the calculation module 37 may be used to calculate, from the timestamps, the number of times each instruction execution sequence feature loaded in the memory was called within a preset statistical period;

the division module 38 may be used to divide the instruction execution sequence features loaded in the memory into hot data and cold data according to their call counts and/or the timestamp of their last call;

the deletion module 39 may be used to delete the cold data from the memory.

In a specific application scenario, the loading module 33 may specifically be used to organize the extracted instruction execution sequence features by module into a tree structure, flatten it and place it in a memory block, where a binary search is performed when the instruction execution sequence features under a module node are matched, and instruction execution sequence features whose call count exceeds a preset threshold are managed as a balanced tree.

In a specific application scenario, the receiving module 31 may also be used to receive update data for the instruction execution sequence features loaded in the memory;

the loading module 33 may also be used to organize the update data by module into a subtree and replace the corresponding module node in the global tree.

In a specific application scenario, the memory layout of the instruction execution sequence features belonging to a module node in the tree structure is linear, and accordingly the apparatus further includes a matching module 310;

the matching module 310 may be used, when instruction execution sequence feature matching is required for a target module, to look up the corresponding target module node in the tree structure by the target module's identifier, and to obtain the instruction execution sequence features of that target module node for matching and identification.

It should be noted that, for other descriptions of the functional units involved in the static feature library loading apparatus provided in this embodiment, reference may be made to the corresponding descriptions for Figures 1 and 2, which are not repeated here.

Based on the methods shown in Figures 1 and 2, this embodiment correspondingly also provides a storage medium on which a computer program is stored; when the program is executed by a processor it implements the static feature library loading method shown in Figures 1 and 2.

On this understanding, the technical solution of the present application can be embodied as a software product, which may be stored on a non-volatile storage medium (such as a CD-ROM, USB flash drive or portable hard disk) and includes instructions that cause a computer device (a personal computer, server, network device or the like) to execute the methods described in the various implementation scenarios of this application.

Based on the methods shown in Figures 1 and 2 and the virtual apparatus embodiment shown in Figure 4, and to achieve the above purpose, this embodiment also provides a physical device for loading a static feature library, which may be a personal computer, notebook computer, server, smartphone, tablet or other network device. The physical device includes a storage medium for storing a computer program and a processor for executing the computer program to implement the methods shown in Figures 1 and 2.

Optionally, the physical device may further include a user interface, network interface, camera, radio frequency (RF) circuit, sensors, audio circuit, Wi-Fi module and the like. The user interface may include a display, an input unit such as a keyboard, and optionally a USB interface, card reader interface and so on. The network interface may optionally include standard wired interfaces, wireless interfaces (such as a Wi-Fi interface) and the like.

Those skilled in the art will understand that the structure of the physical device for static feature library loading provided in this embodiment does not limit that device, which may include more or fewer components, combine certain components, or arrange the components differently.

The storage medium may also contain an operating system and a network communication module. The operating system is the program that manages the hardware and software resources of the physical device described above and supports the running of the information processing program and other software and/or programs. The network communication module implements communication between the components within the storage medium and with other hardware and software in the information processing device.

From the description of the embodiments above, those skilled in the art will clearly understand that the present application can be implemented by software on a necessary general-purpose hardware platform, or by hardware. By applying the technical solution of this application, the memory and CPU cost of loading a large rule library in the kernel can be addressed through structured data, serialization, hot/cold data handling, caching and similar means. The full rule set is stored in files. For performance, hot data can be held entirely in memory while cold data stays in files and is fetched on demand.

Those skilled in the art will understand that the accompanying drawings are only schematic diagrams of preferred implementation scenarios, and that the modules or flows in the drawings are not necessarily required to implement this application. The modules of the apparatus in an implementation scenario may be distributed across the apparatus as described, or may, with corresponding changes, be located in one or more apparatuses different from those of this scenario. The modules of the above implementation scenarios may be combined into one module or further split into multiple sub-modules.

The serial numbers used in this application are for description only and do not indicate the relative merit of the implementation scenarios. What is disclosed above is only a few specific implementation scenarios of this application; the application is not limited to these, and any variation that a person skilled in the art could conceive falls within the scope of protection of this application.

Claims (16)

1. A loading method of a static feature library is characterized by comprising the following steps:
receiving a static feature library file to be loaded;
extracting instruction execution sequence characteristics corresponding to the key process module information from the static characteristic library file;
loading the extracted instruction execution sequence characteristics into a memory corresponding to a kernel;
the loading the extracted instruction execution sequence features into a memory corresponding to a kernel specifically includes:
organizing the extracted instruction execution sequence features by taking modules as units to form a tree structure, and configuring the tree structure in a memory block after leveling, wherein binary search is carried out when the instruction execution sequence features corresponding to the module nodes are matched, and balanced tree type management is adopted for the instruction execution sequence features of which the called times are greater than a preset threshold value;
the memory structure of the instruction execution sequence characteristics corresponding to the module nodes in the tree structure is linear, and the method further comprises the following steps:
when the target module needs to be subjected to instruction execution sequence feature matching, inquiring a corresponding target module node in the tree structure according to the identification of the target module;
and acquiring the instruction execution sequence characteristics corresponding to the target module node for matching and identification.
2. The method of claim 1, wherein prior to extracting the instruction execution sequence features corresponding to the key process module information from the static feature library file, the method further comprises:
if the static characteristic library file is cached, the repeated caching of the static characteristic library file is cancelled;
the extracting of the instruction execution sequence feature corresponding to the key process module information from the static feature library file specifically includes:
if the static characteristic library file is not cached, caching and analyzing the static characteristic library file to obtain structured data which can be identified by a kernel;
and extracting the instruction execution sequence characteristics from the structured data.
3. The method according to claim 2, wherein the extracting the instruction execution sequence features from the structured data specifically comprises:
if the structured data exists in the memory, canceling the loading of the instruction execution sequence characteristics in the memory;
if the structured data does not exist in the memory, extracting the instruction execution sequence characteristics from the structured data;
and if part of the structured data exists in the memory, extracting instruction execution sequence characteristics which correspond to the key process module information and do not exist in the memory from the structured data.
4. The method according to claim 2, wherein parsing the static feature library file to obtain structured data that can be recognized by a kernel specifically comprises:
and decrypting and serializing the static feature library file to obtain the structured data.
5. The method of claim 1, further comprising:
monitoring newly added key process module information in real time;
and extracting instruction execution sequence characteristics corresponding to the newly added key process module information from the static characteristic library file and loading the instruction execution sequence characteristics into the memory.
6. The method of claim 1, further comprising:
recording a timestamp when the instruction execution sequence characteristics loaded in the memory are matched by calling;
calculating, according to the timestamp, the number of times the instruction execution sequence characteristics loaded in the memory are called within a preset statistical time length;
dividing the instruction execution sequence characteristics loaded in the memory according to the called times and/or the last called timestamp corresponding to the instruction execution sequence characteristics loaded in the memory to obtain hot data and cold data;
and deleting the cold data from the memory.
7. The method of claim 1, further comprising:
receiving update data of the instruction execution sequence characteristics loaded in the memory;
and organizing a sub-tree by taking the module as a unit according to the updating data, and replacing the corresponding module node in the global tree.
8. An apparatus for loading a static feature library, comprising:
the receiving module is used for receiving the static feature library file needing to be loaded;
the extraction module is used for extracting instruction execution sequence characteristics corresponding to the key process module information from the static characteristic library file;
the loading module is used for loading the extracted instruction execution sequence characteristics into a memory corresponding to the kernel;
the loading module is specifically used for organizing the extracted instruction execution sequence features by taking the module as a unit to form a tree structure, and configuring the tree structure in a memory block after leveling, wherein binary search is performed when the instruction execution sequence features corresponding to the module nodes are matched, and balanced tree management is adopted for the instruction execution sequence features with the calling times larger than a preset threshold;
the memory structure of the module node corresponding to the instruction execution sequence feature in the tree structure is linear, the device further comprises:
the matching module is used for inquiring corresponding target module nodes in the tree structure according to the identification of the target module when the target module needs to be subjected to instruction execution sequence characteristic matching;
and acquiring the instruction execution sequence characteristics corresponding to the target module node for matching and identification.
9. The apparatus of claim 8, further comprising: a cache module;
the cache module is used for canceling repeated caching of the static characteristic library file if the static characteristic library file is cached;
the cache module is further configured to cache the static feature library file if the static feature library file is not cached;
the extraction module is specifically configured to analyze the static feature library file to obtain structured data that can be identified by the kernel;
and extracting the instruction execution sequence characteristics from the structured data.
10. The apparatus of claim 9,
the extracting module is specifically further configured to cancel loading of the instruction execution sequence feature in the memory if the structured data exists in the memory;
if the structured data does not exist in the memory, extracting the instruction execution sequence characteristics from the structured data;
and if part of the structured data exists in the memory, extracting instruction execution sequence characteristics which correspond to the key process module information and do not exist in the memory from the structured data.
11. The apparatus of claim 9,
the extraction module is specifically further configured to decrypt and serialize the static feature library file to obtain the structured data.
12. The apparatus of claim 8, further comprising:
a monitoring module configured to monitor newly added key process module information in real time;
and the loading module is further configured to extract the instruction execution sequence features corresponding to the newly added key process module information from the static feature library file and to load them into the memory.
13. The apparatus of claim 8, further comprising:
a recording module configured to record a timestamp each time an instruction execution sequence feature loaded in the memory is called for matching;
a calculation module configured to calculate, from the timestamps, the number of times each instruction execution sequence feature loaded in the memory is called within a preset statistical duration;
a dividing module configured to divide the instruction execution sequence features loaded in the memory into hot data and cold data according to their number of calls and/or their last-called timestamp;
and a deleting module configured to delete the cold data from the memory.
14. The apparatus of claim 8,
the receiving module is further configured to receive update data for the instruction execution sequence features loaded in the memory;
and the loading module is further configured to organize, from the update data, a sub-tree with the module as the unit and to replace the corresponding module node in the global tree.
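The following is an added worked example, not code from the patent or its applicant, modelling the memory organization of claim 8 (per-module tree flattened into a sorted table, binary search on the module identifier, linear feature list per module node), the call-count bookkeeping and hot/cold eviction of claim 13, and the sub-tree replacement of claim 14 in one structure. The module names, the mnemonic-tuple representation of features, the timestamps and the thresholds are all constructed for the example; the balanced-tree reorganization of features above the call threshold is not modelled.

```python
"""Added illustrative model of the feature-library layout in claims 8, 13 and
14. It is not the patent's code: module names, the mnemonic-tuple features,
timestamps and thresholds are all constructed for the example, and the
balanced-tree reorganization of hot features is not modelled."""
import bisect
import time
from collections import defaultdict

# Constructed sample library: module identifier -> instruction execution
# sequence features, modelled here as tuples of mnemonics.
SAMPLE_LIBRARY = {
    "ntdll.dll": [("push", "mov", "call"), ("xor", "jmp")],
    "kernel32.dll": [("mov", "lea", "call", "test"), ("sub", "push", "push")],
    "user32.dll": [("cmp", "jne", "ret")],
}


class FlatFeatureTree:
    """Per-module tree flattened into two parallel lists: module identifiers
    kept sorted (so a module node is found by binary search) and, for each
    module, a linear list of its features (claim 8)."""

    def __init__(self, library):
        self.module_ids = sorted(library)
        self.features = [list(library[m]) for m in self.module_ids]
        self.calls = defaultdict(list)  # (module, feature) -> match timestamps

    def _index(self, module_id):
        i = bisect.bisect_left(self.module_ids, module_id)
        return i if i < len(self.module_ids) and self.module_ids[i] == module_id else None

    def features_of(self, module_id):
        idx = self._index(module_id)
        return [] if idx is None else list(self.features[idx])

    def match(self, module_id, observed, now=None):
        """Return the first feature contained in the observed sequence, or
        None. Each hit is time-stamped (claim 13, recording module)."""
        idx = self._index(module_id)
        if idx is None:
            return None
        now = time.time() if now is None else now
        for feat in self.features[idx]:
            n = len(feat)
            if any(tuple(observed[i:i + n]) == feat
                   for i in range(len(observed) - n + 1)):
                self.calls[(module_id, feat)].append(now)
                return feat
        return None

    def call_counts(self, now, window):
        """Calls per loaded feature inside the statistical window (claim 13)."""
        return {
            (m, feat): sum(1 for t in self.calls.get((m, feat), ()) if now - t <= window)
            for idx, m in enumerate(self.module_ids)
            for feat in self.features[idx]
        }

    def split_hot_cold(self, now, window, min_calls, max_idle):
        """Hot: called at least min_calls times in the window and last called
        within max_idle; everything else is cold (claim 13, dividing module)."""
        hot, cold = [], []
        for key, n in self.call_counts(now, window).items():
            stamps = self.calls.get(key, ())
            recent = bool(stamps) and now - max(stamps) <= max_idle
            (hot if n >= min_calls and recent else cold).append(key)
        return hot, cold

    def evict_cold(self, now, window, min_calls, max_idle):
        """Delete cold features from memory; returns how many were removed."""
        _, cold = self.split_hot_cold(now, window, min_calls, max_idle)
        for module_id, feat in cold:
            self.features[self._index(module_id)].remove(feat)
            self.calls.pop((module_id, feat), None)
        return len(cold)

    def replace_module(self, module_id, new_features):
        """Claim 14: build the module's sub-tree from update data and swap it
        into the global tree, keeping the module table sorted so the binary
        search stays valid; call history of dropped features is discarded."""
        idx = self._index(module_id)
        if idx is None:
            idx = bisect.bisect_left(self.module_ids, module_id)
            self.module_ids.insert(idx, module_id)
            self.features.insert(idx, [])
        self.features[idx] = [tuple(f) for f in new_features]
        keep = set(self.features[idx])
        for key in [k for k in self.calls if k[0] == module_id and k[1] not in keep]:
            del self.calls[key]


if __name__ == "__main__":
    tree = FlatFeatureTree(SAMPLE_LIBRARY)
    print(tree.match("ntdll.dll", ["nop", "push", "mov", "call", "ret"], now=100.0))
    tree.match("kernel32.dll", ["sub", "push", "push"], now=101.0)
    tree.match("kernel32.dll", ["sub", "push", "push"], now=102.0)
    print(tree.split_hot_cold(now=110.0, window=20.0, min_calls=2, max_idle=30.0))
    print(tree.evict_cold(now=110.0, window=20.0, min_calls=2, max_idle=30.0))
    tree.replace_module("user32.dll", [("ret",)])
    print(tree.features_of("user32.dll"))
```

The module table is the flattened form of the tree: because it is a sorted array rather than linked nodes, a module lookup is one `bisect` call and the per-module feature lists stay contiguous, which is what the claim's "linear" memory layout for a module node means. Eviction and update both operate on one module node at a time and never reorder the table, so lookups on other modules are unaffected while a sub-tree is being replaced.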
15. A storage medium on which a computer program is stored, the program, when executed by a processor, carrying out the method of loading a static feature library according to any one of claims 1 to 7.
16. A loading device for a static feature library, comprising a storage medium, a processor and a computer program stored on the storage medium and executable on the processor, wherein the processor implements the loading method of the static feature library according to any one of claims 1 to 7 when executing the program.
CN201910755844.XA 2019-08-15 2019-08-15 Static feature library loading method, device and equipment Active CN112395613B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910755844.XA CN112395613B (en) 2019-08-15 2019-08-15 Static feature library loading method, device and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910755844.XA CN112395613B (en) 2019-08-15 2019-08-15 Static feature library loading method, device and equipment

Publications (2)

Publication Number Publication Date
CN112395613A CN112395613A (en) 2021-02-23
CN112395613B true CN112395613B (en) 2022-04-08

Family

ID=74601779

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910755844.XA Active CN112395613B (en) 2019-08-15 2019-08-15 Static feature library loading method, device and equipment

Country Status (1)

Country Link
CN (1) CN112395613B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114242173B (en) * 2021-12-22 2023-05-16 深圳吉因加医学检验实验室 Data processing method and device for identifying microorganisms by mNGS and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101035111A (en) * 2007-04-13 2007-09-12 Beijing Venustech Information Technology Co., Ltd. Intelligent protocol parsing method and device
CN105426707A (en) * 2015-11-09 2016-03-23 The 30th Research Institute of China Electronics Technology Group Corporation Instruction-level cryptographic algorithm identification method and system
CN107908963A (en) * 2018-01-08 2018-04-13 Beijing University of Technology Method for automatically detecting core features of malicious code
CN109635217A (en) * 2018-12-14 2019-04-16 Ping An Puhui Enterprise Management Co., Ltd. H5 page loading method and apparatus for an APP, computer device and storage medium
CN109800577A (en) * 2018-12-29 2019-05-24 360 Enterprise Security Technology (Zhuhai) Co., Ltd. Method and apparatus for identifying behavior that evades security monitoring

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8831278B2 (en) * 2010-11-30 2014-09-09 Eastman Kodak Company Method of identifying motion sickness

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Vu Lam et al., "Computational Optimization for Violent Scenes Detection", published online at https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7863039, 2017-02-28, pp. 1-6 *
冉林仓, "Dynamic loading of exported functions of dynamic link libraries", Computer Programming Skills & Maintenance, 2006-09-04, no. 5, pp. 46-48 *
陈兴蜀 et al., "Anomalous behavior detection based on virtual machine I/O sequences and Markov models", Journal of Tsinghua University (Science and Technology), 2018-02-05, vol. 58, no. 4, pp. 395-410 *

Also Published As

Publication number Publication date
CN112395613A (en) 2021-02-23

Similar Documents

Publication Publication Date Title
CN112115167B (en) Cache system hotspot data access method, apparatus, device and storage medium
US20180285596A1 (en) System and method for managing sensitive data
CN110022558B (en) Method for encrypting and decrypting upgrade package, electronic device and storage medium
CN110287697A (en) Activity recognition, data processing method and device
CN107562915A (en) Read the method, apparatus and equipment and computer-readable recording medium of small documents
JP2017526253A (en) Method and system for facilitating terminal identifiers
US20230359628A1 (en) Blockchain-based data processing method and apparatus, device, and storage medium
CN115039082B (en) Log writing method, device, electronic device, and storage medium
CN107430555B (en) Cache and data organization for memory protection
US20190238560A1 (en) Systems and methods to provide secure storage
US10735457B2 (en) Intrusion investigation
US20210409452A1 (en) Dynamically updating rules for detecting compromised devices
US11394748B2 (en) Authentication method for anonymous account and server
CN109460406A (en) Data processing method and device
CN111803917A (en) Resource processing method and device
CN112395613B (en) Static feature library loading method, device and equipment
CN108055299A (en) Portal page push method, network access server and portal certification system
CN106878247B (en) Attack identification method and device
KR20140088962A (en) System and method for storing data in a cloud environment
US20150106884A1 (en) Memcached multi-tenancy offload
CN113132241B (en) ACL template dynamic configuration method and device
CN119475403B (en) A method and device for secure reading and writing of data in Hongmeng system equipment
CN115186255B (en) Industrial host white list extraction method and device, terminal device and storage medium
CN112512034B (en) Method and device for rapidly loading user identification card file by terminal and computer equipment
Olbort et al. Manipulating the Swap Memory for Forensic Investigation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant