CN-121980562-A - Detection method, device, medium and equipment for spreading malicious codes aiming at game module

Abstract

The present invention relates to the field of computer security technologies, and in particular to a method, an apparatus, a medium, and a device for detecting malicious code spread through game modules. When a new module file is identified as being written to a Mod folder, the module file is pre-detected and its source is identified; the module file is then parsed according to the risk level corresponding to the file source mark to obtain an analysis file, and file risk matching detection is performed on the analysis file against a malicious code feature library, which is a locally preset feature library. The method builds a full-flow malicious code protection system for game modules that users obtain themselves: channel risk is pre-graded through the module file source mark, and the initial malicious intrusion is blocked by multi-dimensional static feature extraction and comparison against the malicious code feature library.

Inventors

  • GAO ZELIN
  • LIU JIANAN
  • ZHAO CHAO
  • XIAO XINGUANG

Assignees

  • Antiy Technology Group Co., Ltd. (安天科技集团股份有限公司)

Dates

Publication Date
2026-05-05
Application Date
2025-12-03

Claims (10)

  1. A detection method for malicious code spread through game modules, characterized in that, when a new module file is identified as being written to a Mod folder, pre-detection is carried out on the module file; the file source of the module is identified, and a corresponding risk level is marked according to the file source; file analysis is carried out on the module file according to the risk level to obtain an analysis file; file risk matching detection is carried out on the analysis file through a malicious code feature library; the malicious code feature library is a local preset feature library.
  2. The method of claim 1, wherein identifying the file source and marking the corresponding risk level according to the file source comprises: matching the corresponding detection flow according to the risk level; if the file source is an unverified website, marking the file source as a high-risk channel and triggering an enhanced detection flow; if the file source is an unofficial mirror website, marking the file source as a risk channel and triggering a standard detection flow; if the file source is an official website, marking the file source as a low-risk channel and triggering a simplified detection flow.
  3. The method of claim 1, wherein performing file analysis on the module file according to the risk level comprises: parsing the module file into an executable file, a script file, a resource file and a configuration file; and performing differentiated detection on the executable file, the script file, the resource file and the configuration file, extracting features in multiple dimensions to obtain the file features.
  4. The method of claim 3, wherein the file risk matching detection comprises: carrying out file risk matching detection on the file features through the malicious code feature library.
  5. A detection apparatus for malicious code spread through game modules, comprising: a pre-detection module, used for performing pre-detection on the module file when a new module file is identified as being written to the Mod folder; a risk level confirmation module, used for identifying the source of the module file and marking the corresponding risk level according to the file source; a file analysis module, used for carrying out file analysis on the module file to obtain an analysis file; a file matching module, used for carrying out file risk matching detection on the analysis file through the malicious code feature library; and a main processing module, used for realizing parameter input, acquisition and function configuration of the read-write identification module, the file analysis module and the data matching module.
  6. The apparatus of claim 5, wherein identifying the file source and marking the corresponding risk level according to the file source comprises: matching the corresponding detection flow according to the risk level; if the file source is an unverified website, marking the file source as a high-risk channel and triggering an enhanced detection flow; if the file source is an unofficial mirror website, marking the file source as a risk channel and triggering a standard detection flow; if the file source is an official website, marking the file source as a low-risk channel and triggering a simplified detection flow.
  7. The apparatus of claim 5, wherein performing file analysis on the module file according to the risk level comprises: parsing the module file into an executable file, a script file, a resource file and a configuration file; and performing differentiated detection on the executable file, the script file, the resource file and the configuration file, extracting features in multiple dimensions to obtain the file features.
  8. The method of claim 7, wherein the file risk matching detection comprises: carrying out file risk matching detection on the file features through the malicious code feature library.
  9. A non-transitory computer readable storage medium having stored therein at least one instruction or at least one program, the at least one instruction or the at least one program being loaded and executed by a processor to implement the method of any one of claims 1-4.
  10. An electronic device comprising a processor and the non-transitory computer-readable storage medium of claim 9.
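The flow of claims 1 to 4 (source grading, parsing into file classes, matching against a local feature library) can be sketched as follows. This is an added example, not code from the patent: the hostnames, the extension mapping, the size cap, the zip container and the concrete meaning given to the "simplified" and "enhanced" flows are all assumptions.

```python
import hashlib, io, posixpath, zipfile
from urllib.parse import urlparse

# Assumed allow-lists; the hostnames are constructed placeholders.
OFFICIAL, MIRRORS = {"mods.example-game.test"}, {"mirror.example-mods.test"}
# Source class -> (risk level, detection flow), following claim 2.
FLOWS = {"official": ("low", "simplified"), "mirror": ("risk", "standard"),
         "unverified": ("high", "enhanced")}
# Extension -> file class for claim 3; this mapping is an assumption.
CLASSES = {".exe": "executable", ".dll": "executable", ".lua": "script",
           ".js": "script", ".json": "config", ".ini": "config"}
MAX_MEMBER = 8 * 1024 * 1024  # assumed cap: oversized members are flagged, not unpacked

def grade_source(url):
    host = (urlparse(url).hostname or "").lower()
    kind = "official" if host in OFFICIAL else "mirror" if host in MIRRORS else "unverified"
    return FLOWS[kind]

def classify(name):
    return CLASSES.get(posixpath.splitext(name)[1].lower(), "resource")

def scan_mod(archive_bytes, source_url, library):
    risk, flow = grade_source(source_url)
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            kind = classify(info.filename)
            # Assumed meaning of "simplified": skip resource and config files.
            if flow == "simplified" and kind in ("resource", "config"):
                continue
            if info.file_size > MAX_MEMBER:
                findings.append((info.filename, kind, "oversize"))
                continue
            data = zf.read(info)
            if hashlib.sha256(data).hexdigest() in library["sha256"]:
                findings.append((info.filename, kind, "hash"))
            # Assumed meaning of "enhanced": add byte-pattern matching.
            elif flow == "enhanced" and any(p in data for p in library["patterns"]):
                findings.append((info.filename, kind, "pattern"))
    return risk, flow, findings

def build_sample():
    """Constructed mod archive and constructed local feature library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("loader.dll", b"CONSTRUCTED-BAD-DLL")
        zf.writestr("init.lua", b"-- CONSTRUCTED-STEALER-MARKER")
        zf.writestr("textures/a.png", b"\x89PNG constructed")
    lib = {"sha256": {hashlib.sha256(b"CONSTRUCTED-BAD-DLL").hexdigest()},
           "patterns": [b"CONSTRUCTED-STEALER-MARKER"]}
    return buf.getvalue(), lib
```

The same archive yields two findings when it arrives from an unverified host and one when it arrives from the official host, which shows how the source grade changes detection depth.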

Description

Detection method, device, medium and equipment for spreading malicious codes aiming at game module

Technical Field

The present invention relates to the field of malicious code detection and network security protection, and in particular to a method, an apparatus, a medium, and a device for detecting malicious code spread through game modules. It optimizes the protection capability against multi-stage malicious attacks and the local protection mechanism for modules that users obtain themselves.

Background

With the vigorous development of the game industry, game modules (Mods) have become popular with players as an important way to enhance game playability. Players can obtain module files themselves through various channels such as forums, social groups and third-party storage platforms, and manually place them into a game's Mod folder to finish installation; this non-platform way of obtaining modules has become the mainstream. Industry data shows that over 70% of modules propagate through unofficial platforms, which has also made these platforms a hard-hit area for malicious attacks. In a number of recent attacks, malicious organizations distributed malicious code disguised as legitimate modules through channels such as code repositories and cloud storage links, forming a multi-stage attack chain that specifically steals sensitive data such as players' account credentials, payment information, and cryptocurrency wallets, posing a serious threat to player information security.

Currently, detection of malicious code spread through game modules mainly depends on traditional antivirus software and firewall technology. This technology generally scans files by signature matching, but it has obvious limitations. First, non-platform modules that users obtain themselves lack pre-detection at the upload stage. Second, malicious modules usually adopt anti-virtual-machine (anti-VM) and anti-analysis techniques and come in many file formats, which traditional tools have difficulty analyzing in depth. In addition, the prior art can hardly cover full-flow monitoring of a module from local acquisition to operation and cannot cope with multi-stage progressive attacks, so a large number of self-installed malicious modules bypass detection. Therefore, developing a detection and protection technology that suits the scenario of user-obtained modules, covers the whole local process, and offers high accuracy and real-time performance has become an urgent problem in the current network security field.

Disclosure of Invention

In order to solve the above technical problem, the invention provides a detection method for malicious code spread through game modules: when a new module file is identified as being written to a Mod folder, pre-detection is carried out on the module file; the file source of the module is identified, and a corresponding risk level is marked according to the file source; file analysis is carried out on the module file according to the risk level to obtain an analysis file; file risk matching detection is carried out on the analysis file through a malicious code feature library; the malicious code feature library is a local preset feature library.

Further, identifying the file source and marking the corresponding risk level according to the file source includes: matching the corresponding detection flow according to the risk level; if the file source is an unverified website, marking the file source as a high-risk channel and triggering an enhanced detection flow; if the file source is an unofficial mirror website, marking the file source as a risk channel and triggering a standard detection flow; if the file source is an official website, marking the file source as a low-risk channel and triggering a simplified detection flow.

Further, performing file analysis on the module file according to the risk level includes: parsing the module file into an executable file, a script file, a resource file and a configuration file; and performing differentiated detection on the executable file, the script file, the resource file and the configuration file, extracting features in multiple dimensions to obtain the file features.

Further, the file risk matching detection includes: carrying out file risk matching detection on the file features through the malicious code feature library.

An embodiment of the invention provides a detection device for malicious code spread through game modules, comprising: a pre-detection module, used for performing pre-detection on the module file when a new module file is identified as being written to the Mod folder; a risk level confirmation module, used for identifying the source of the module file and marking the corresponding risk level according to the