Static detection is the earliest text detection method, and it has remained in wide use since its introduction. In practice, however, its effectiveness depends on how well text features are extracted, and the dimensionality of those features directly determines the false positive and false negative rates. Mainstream static detection methods are fast, highly portable (across platforms, versions, languages, and so on), and cheap to implement (in theory, once a malicious sample is in hand, a rule can be written to cover it). Because they lack lexical and grammatical constraints, however, they are prone to false positives; and because they present no adversarial or technical barrier, they struggle against packed, encrypted, and obfuscated samples and cannot provide a differentiated advantage.
When static feature extraction from malicious text is accurate enough, detection is straightforward. Attackers, however, usually apply code obfuscation (packing, encoding, encryption) to hinder feature extraction, so the text has to be executed dynamically and its features extracted from that execution. Dynamic detection is technically demanding and makes more advanced and complex detection techniques possible. Because the code actually runs, malicious code must satisfy syntactic and lexical constraints, and false positives are extremely low without forced intervention. However, since real execution requires simulating and custom-building the entire runtime environment, it suffers from high cost, low detection efficiency, and poor compatibility. Version fragmentation adds the tedious job of adapting the sandbox to each version. The sandbox approach also introduces new anti-detection problems, such as branch-based, timing-based, and network-based evasion.
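As an added illustration of the trade-off described above (this is example code, not material from the talk), the following compares a pure string rule with a syntax-aware rule over three constructed samples; the samples are small Python scripts standing in for the "malicious text" a scanner would inspect, and the base64 payload is a harmless print call.

```python
import ast
import re

# Constructed sample texts (Python source standing in for scanned scripts).
SAMPLES = {
    # Benign: the dangerous token appears only inside a comment.
    "benign_comment": "# never eval(user_input) here\ndef h(req):\n    return 'ok'\n",
    # Plain: the call is spelled out literally.
    "plain": "import sys\neval(sys.stdin.read())\n",
    # Encoded: the argument is built at run time, so no literal is visible
    # to a string rule (the base64 decodes to print('hi')).
    "encoded": "import base64\nexec(base64.b64decode(b'cHJpbnQoJ2hpJyk='))\n",
}

# 1) Static rule: a regular expression over raw text, with no notion of syntax.
STATIC_RULE = re.compile(r"\beval\s*\(")

def static_detect(text: str) -> bool:
    """True if the raw text matches the static signature."""
    return STATIC_RULE.search(text) is not None

# 2) Syntax-aware rule: parse the text and flag eval/exec calls whose first
#    argument is not a constant, i.e. is constructed at run time.
DYNAMIC_SINKS = {"eval", "exec"}

def syntax_detect(text: str) -> bool:
    """True if the AST contains eval/exec fed by a non-literal argument."""
    try:
        tree = ast.parse(text)
    except SyntaxError:
        return False  # not valid code, so nothing would execute
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Name)
                and node.func.id in DYNAMIC_SINKS
                and node.args
                and not isinstance(node.args[0], ast.Constant)):
            return True
    return False

def compare(samples: dict) -> dict:
    """Map sample name -> (static verdict, syntax-aware verdict)."""
    return {name: (static_detect(t), syntax_detect(t)) for name, t in samples.items()}

if __name__ == "__main__":
    for name, (s, d) in compare(SAMPLES).items():
        print(f"{name:15} static={s!s:5} syntax_aware={d}")
```

The string rule fires on the comment (a false positive) and misses the encoded sample (a false negative), while the syntax-aware rule, which respects lexical and grammatical constraints the way execution does, gets both right.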
During this presentation, the audience will hear the following:
- Cloud intrusion attack techniques and advanced exploitation techniques.
- The dilemma traditional detection approaches (static matching, dynamic sandboxes) face in malicious text detection.
- Implementing malicious text detection through simulated execution.
- How to leverage the external ecosystem to raise the detection bar.